|
|
|
|
|||||
|
|
|
|
|
|
|||
| Welcome
to Tech Support Forum home to more then 136,000 problems solved. Issues
have included: Spyware, Malware, Virus Issues, Windows, Microsoft,
Linux, Networking, Security, Hardware, and Gaming Getting your
problem solved is as easy as: 1. Registering for a free account 2. Asking your question 3. Receiving an answer Registered members: * See fewer ads. * And much more..
|
| Want to know how to post a question? click here | Having problems with spyware and pop-ups? First Steps |
|
|||||||
| Resolved HJT Threads Resolved spyware and popup issues. |
|
|
LinkBack | Thread Tools |
05-13-2005, 10:35 PM
|
#1 (permalink) |
|
I helped the forums.
Join Date: Mar 2005
Location: Long Island, NY
Posts: 21
OS: XP
|
help with HiJackThis please
My daughter is home from college for the year with a mess on her computer.
Would very much appreciate help with the below mess. - thanks, Ken ==================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05 Get updates at http://www.greyknight17.com/download.htm#programs ***Security Programs Detected*** C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\Program Files\Microsoft AntiSpyware\gcasServ.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 9:29:36 PM, on 5/13/2005 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\Botnet.exe C:\WINDOWS\System32\Tnqxjr.exe C:\WINDOWS\System32\vmss\vmss.exe C:\WINDOWS\System32\winupdt.exe C:\WINDOWS\System32\wintask.exe C:\WINDOWS\System32\wowpbrd.exe C:\WINDOWS\a65d.exe C:\WINDOWS\system\lxqpuodw.exe C:\WINDOWS\System32\msxsma.exe C:\WINDOWS\System32\sysmonnt.exe C:\WINDOWS\System32\msxsma.exe c:\windows\system32\vdxregvu.exe C:\Program Files\Microsoft AntiSpyware\gcasServAlert.exe C:\WINDOWS\System32\ammzzr.exe C:\Program Files\Microsoft AntiSpyware\gcasServAlert.exe C:\Program Files\Microsoft AntiSpyware\gcasServAlert.exe C:\DOCUME~1\ALLUSE~1\APPLIC~1\msw\BMan1.exe C:\WINDOWS\System32\qmgrt4.exe C:\WINDOWS\System32\qwienh.exe C:\Program Files\AutoUpdate\AutoUpdate.exe C:\Program Files\CxtPls\CxtPls.exe C:\WINDOWS\System32\ffgsysi6.exe C:\Security\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file) F2 - REG:system.ini: Shell=Explorer.exe C:\logon.exe O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing) O4 - HKLM\..\Run: [Microsoft Updates] Botnet.exe O4 - HKLM\..\Run: [Shell Logon] C:\logon.exe O4 - HKLM\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Tnqxjr.exe O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe O4 - HKLM\..\Run: [hkadkzoy] c:\windows\system32\hkadkzoy.exe O4 - HKLM\..\Run: [r5a57j7b] C:\Program Files\r5a57j7b\r5a57j7b.exe O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1 O4 - HKLM\..\Run: [popuppers65] C:\WINDOWS\a65d.exe O4 - HKLM\..\Run: [NPKC17] C:\WINDOWS\wpasqow.exe O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitefpm32.exe O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16 O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe O4 - HKLM\..\Run: [ZStart] c:\windows\system32\vdxregvu.exe lee0105 O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\ammzzr.exe O4 - HKLM\..\Run: [BMan] C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe" O4 - HKLM\..\Run: [qFni39e] wowpbrd.exe O4 - HKLM\..\Run: [SysStart] C:\WINDOWS\System32\ffgsysi6.exe lee0105 O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun O4 - HKLM\..\RunServices: [Microsoft Updates] Botnet.exe O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt O4 - HKCU\..\Run: [Ttmmumi] C:\WINDOWS\System32\m?dtc.exe O4 - HKCU\..\Run: [bo4sRVK9U] qmgrt4.exe O4 - HKCU\..\Run: [msxsma] C:\WINDOWS\System32\msxsma.exe O4 - HKCU\..\RunOnce: [msxsma] C:\WINDOWS\System32\msxsma.exe O4 - Startup: Paint.exe O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll O15 - Trusted Zone: *.media-motor.net O15 - Trusted Zone: *.popuppers.com O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\m4460ehseh460.dll O21 - SSODL: mtklef - {633915D7-EB88-4300-6DA2-E7241C69F36B} - C:\WINDOWS\System32\oktc32.dll (file missing) End of KRC HijackThis Analyzer Log. ==================================================================== |
|
     |
| Important Information |
|
Join the #1 Tech Support Forum Today - It's Totally Free!
TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free. Join TechSupportforum.com Today - Click Here |
|
05-15-2005, 12:36 AM
|
#2 (permalink) |
|
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,963
OS: Windows 7
  |
Hi and Welcome to TSF
You are severly infected!! Lets start by pointing out why your infected. You have no security on this PC.. Both XP and IE6 are out of date. Please visit microsofts update page and install the lastest service packs and security updates for both XP and IE6. Failing to to this...will waste both are times..in cleaning this PC. You have several MAJOR infections..and I will attack each one in a step. Please print these instructions out..and following them closely. STEP1............. Before attacking an adware/spyware problem with hijackthis make sure you have already run ad-aware SE with VX2 add-on cleaner, Spybot Search & Destroy (with updated database) and CWShredder as these programs will clean a lot of the crap out first. All links to programs are in my signature. Ok..on to the log….. If you have a highspeed connection please Run an online virus scan from TrendMicro Please select the “autoclean” option when prompted to do so. Download and install CleanUp http://cleanup.stevengould.org/ Download DelDomains.inf Right-click and select..... Save Target As To use: Right-click and select....... Install (no need to restart) **Note** This will remove all entries in the "Trusted Zone" Download Winsock2Fix and unzip it. Then double-click on it to run it. Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also. Please make sure system restore is enabled by right clicking on My Computer and go to Properties->System Restore and check the box for Turn OFF System Restore and make sure it’s NOT checked. We want system restore ON and monitoring your current hard drive. Once your clean we will turn this off and then create a new restore point. Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Open add/remove programs and remove the following if listed. E2Give WebSpecials Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be but make sure) C:\WINDOWS\System32\Botnet.exe C:\WINDOWS\System32\Tnqxjr.exe C:\WINDOWS\System32\vmss\vmss.exe C:\WINDOWS\System32\winupdt.exe C:\WINDOWS\System32\wintask.exe C:\WINDOWS\System32\wowpbrd.exe C:\WINDOWS\a65d.exe C:\WINDOWS\system\lxqpuodw.exe C:\WINDOWS\System32\msxsma.exe C:\WINDOWS\System32\sysmonnt.exe C:\WINDOWS\System32\msxsma.exe c:\windows\system32\vdxregvu.exe C:\WINDOWS\System32\ammzzr.exe C:\DOCUME~1\ALLUSE~1\APPLIC~1\msw\BMan1.exe C:\WINDOWS\System32\qmgrt4.exe C:\WINDOWS\System32\qwienh.exe C:\Program Files\AutoUpdate\AutoUpdate.exe C:\Program Files\CxtPls\CxtPls.exe C:\WINDOWS\System32\ffgsysi6.exe Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry) R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file) F2 - REG:system.ini: Shell=Explorer.exe C:\logon.exe O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing) O4 - HKLM\..\Run: [Microsoft Updates] Botnet.exe O4 - HKLM\..\Run: [Shell Logon] C:\logon.exe O4 - HKLM\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Tnqxjr.exe O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe O4 - HKLM\..\Run: [hkadkzoy] c:\windows\system32\hkadkzoy.exe O4 - HKLM\..\Run: [r5a57j7b] C:\Program Files\r5a57j7b\r5a57j7b.exe O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1 O4 - HKLM\..\Run: [popuppers65] C:\WINDOWS\a65d.exe O4 - HKLM\..\Run: [NPKC17] C:\WINDOWS\wpasqow.exe O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitefpm32.exe O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16 O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe O4 - HKLM\..\Run: [ZStart] c:\windows\system32\vdxregvu.exe lee0105 O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\ammzzr.exe O4 - HKLM\..\Run: [BMan] C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe" O4 - HKLM\..\Run: [qFni39e] wowpbrd.exe O4 - HKLM\..\Run: [SysStart] C:\WINDOWS\System32\ffgsysi6.exe lee0105 O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun O4 - HKLM\..\RunServices: [Microsoft Updates] Botnet.exe O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt O4 - HKCU\..\Run: [Ttmmumi] C:\WINDOWS\System32\m?dtc.exe O4 - HKCU\..\Run: [bo4sRVK9U] qmgrt4.exe O4 - HKCU\..\Run: [msxsma] C:\WINDOWS\System32\msxsma.exe O4 - HKCU\..\RunOnce: [msxsma] C:\WINDOWS\System32\msxsma.exe O4 - Startup: Paint.exe O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll O15 - Trusted Zone: *.media-motor.net O15 - Trusted Zone: *.popuppers.com O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\m4460ehseh460.dll O21 - SSODL: mtklef - {633915D7-EB88-4300-6DA2-E7241C69F36B} - C:\WINDOWS\System32\oktc32.dll (file missing) Delete the following Files/Folders in RED (delete folders if no filename is specified or if they are highlighted in RED) according to their directory (If you can't find them...do a search for them…make sure you have search hidden files, folders, sub directorys..ect enabled if it applys to your OS) C:\WINDOWS\System32\Botnet.exe C:\WINDOWS\System32\Tnqxjr.exe C:\WINDOWS\System32\vmss\vmss.exe C:\WINDOWS\System32\winupdt.exe C:\WINDOWS\System32\wintask.exe C:\WINDOWS\System32\wowpbrd.exe C:\WINDOWS\a65d.exe C:\WINDOWS\system\lxqpuodw.exe C:\WINDOWS\System32\msxsma.exe C:\WINDOWS\System32\sysmonnt.exe C:\WINDOWS\System32\msxsma.exe c:\windows\system32\vdxregvu.exe C:\WINDOWS\System32\ammzzr.exe C:\DOCUME~1\ALLUSE~1\APPLIC~1\msw\BMan1.exe C:\WINDOWS\System32\qmgrt4.exe C:\WINDOWS\System32\qwienh.exe C:\Program Files\AutoUpdate\AutoUpdate.exe C:\Program Files\CxtPls\CxtPls.exe C:\WINDOWS\System32\ffgsysi6.exe C:\logon.exe C:\Program Files\WebSpecials\webspec.dll C:\Program Files\r5a57j7b\r5a57j7b.exe C:\WINDOWS\System32\exp.exe C:\WINDOWS\wpasqow.exe C:\windows\system32\elitefpm32.exe C:\WINDOWS\VCMnet11.exe c:\windows\system32\vdxregvu.exe C:\WINDOWS\System32\ammzzr.exe C:\WINDOWS\cfgmgr52.dll C:\WINDOWS\System32\m?dtc.exe c:\windows\system32\winlspak.dll c:\windows\system32\dolsp.dll C:\WINDOWS\isrvs\mfiltis.dll C:\WINDOWS\system32\m4460ehseh460.dll C:\WINDOWS\System32\oktc32.dll AUNPS2.DLL D0CE0C16B1.dll <--locate and dlete these 2. Run the cleanup utility and reboot/logoff when prompted. Then proceed with the next step.. ================================================ STEP2. Download L2mfix from one of these two locations: http://www.atribune.org/downloads/l2mfix.exe http://www.downloads.subratam.org/l2mfix.exe Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Close any programs you have open since this step requires a reboot. From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log. IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so! ============================================ STEP3 Download Rkfiles.zip http://skads.org/special/rkfiles.zip UNZIP the contents to a permanent folder on your desktop. Download the following attachment remv3.zip http://forums.skads.org/index.php?showtopic=80 Make a folder on the root drive C:\ and unzip the files into it. Now run the Cleanup utility and reboot/logoff when prompted. REBOOT TO SAFE MODE… These tools MUST be run in safe mode!! Once in safe mode… Double click rkfiles.bat It will scan for a while, so please be patient. Wait till the dos window closes. Open the C:\log.txt it created and rename it log1.txt. Now Open the folder were you saved remv3.zip files and click the rem.bat file and let it run. It will delete the files and remove the infection and then make a log of the files it finds. The log file will be C:\log.txt and bad1.txt **Note** Each tool uses log.txt as it’s output file so make sure you save the entry’s from one tool before running the other as it will overwrite the file if you don’t. Reboot back to normal mode and post the contents of both the log.txt and log1.txt in your next post. So..in your next post...I need the following logs.. Hijackthis log l2mfix log rkfiles log (log1.txt) remv3 log (log.txt)
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!
   Spyware/Adware Removal Tools Hijackthis Ad-aware SE Spybot Search&Destroy SpywareBlaster CWShredder Last edited by MicroBell; 05-15-2005 at 12:38 AM. |
|
|
|
