|
|
|
|
|||||
|
|
|
|
|
|
|||
| Welcome
to Tech Support Forum home to more then 136,000 problems solved. Issues
have included: Spyware, Malware, Virus Issues, Windows, Microsoft,
Linux, Networking, Security, Hardware, and Gaming Getting your
problem solved is as easy as: 1. Registering for a free account 2. Asking your question 3. Receiving an answer Registered members: * See fewer ads. * And much more..
|
| Want to know how to post a question? click here | Having problems with spyware and pop-ups? First Steps |
|
|||||||
| Resolved HJT Threads Resolved spyware and popup issues. |
|
|
LinkBack | Thread Tools |
05-27-2005, 09:34 AM
|
#1 (permalink) |
|
Registered User
Join Date: May 2005
Posts: 38
OS: Windows XP
|
Please help! Computer infected!
Logfile of HijackThis v1.99.1
Scan saved at 17:58:20, on 24/05/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Unable to get Internet Explorer version! Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\msole32.exe C:\WINDOWS\System32\shnlog.exe C:\WINDOWS\popuper.exe C:\WINDOWS\System32\intmonp.exe C:\WINDOWS\System32\intmon.exe C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe C:\WINDOWS\System32\hpoipm07.exe C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Alwil Software\Avast4\ashSimp2.exe C:\WINDOWS\explorer.exe C:\Documents and Settings\Davies\Desktop\Mark\HijackThis\HijackThis .exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.startsearches.net/search.php?qq=%1 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startsearches.net/bar.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.startsearches.net/search.php?qq=%1 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.startsearches.net/search.php?qq=%1 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.startsearches.net/search.php?qq=%1 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.startsearches.net/search.php?qq=%1 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.startsearches.net/ F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hpB803.tmp O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O13 - DefaultPrefix: O13 - WWW Prefix: O13 - Home Prefix: O13 - Mosaic Prefix: O13 - FTP Prefix: O13 - Gopher Prefix: O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dba1865.exe O17 - HKLM\System\CCS\Services\Tcpip\..\{6E1F8C33-89E4-42E7-BAF4-752FFF197BA4}: NameServer = 212.135.1.36 212.135.1.38 O17 - HKLM\System\CS1\Services\Tcpip\..\{6E1F8C33-89E4-42E7-BAF4-752FFF197BA4}: NameServer = 212.135.1.36 212.135.1.38 O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe Any suggestions on getting rid of this???? |
|
     |
| Sponsored Links |
|
05-27-2005, 11:54 AM
|
#2 (permalink) |
|
Analyst, Security Team
Join Date: Mar 2005
Location: NY
Posts: 350
OS: XP Pro/Home SP2
 |
AMD802,
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below. Do Not turn off System Restore unless you are told to do so! Once your HijackThis log is confirmed as clean, further instructions will be given. Right click on this link -> http://www.bleepingcomputer.com/files/reg/smitfraud.reg and save that file. Double click on it and click on Yes when it asks you if you want to merge it into the registry. Once that's done, right click on your Desktop and go to Properties. Next go to Desktop tab->Customize Desktop button->Web tab. Uncheck everything listed there. Then delete all the entries listed except for 'My Current Home Page'. Click OK and OK. Go to Start->-Control Panel->Add or Remove Programs and remove/uninstall the following programs, if found: Security iGuard Virtual Maid Search Maid Exit Add/Remove Programs. Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option. You may need to modify the default Windows XP search settings (if you haven’t already). When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked. *Click Here to download Killbox by Option^Explicit. *Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program. *In the killbox program, select the Delete on Reboot option. *For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. *Copy all the file names below to the clipboard by highlighting them all and pressing Control-C: Code:
C:\wp.exe C:\wp.bmp C:\bsw.exe C:\Windows\sites.ini C:\Windows\popuper.exe C:\Windows\system32\hhk.dll C:\Windows\System32\wldr.dll C:\Windows\System32\helper.exe C:\Windows\System32\intmon.exe C:\Windows\System32\shnlog.exe C:\Windows\System32\intmonp.exe C:\Windows\System32\msmsgs.exe C:\Windows\system32\msole32.exe C:\Windows\system32\ole32vbs.exe C:\WINDOWS\System32\hpB803.tmp *Return to Killbox, go to the File menu, and choose "Paste from Clipboard". *Click the "Delete File" button (red circle with a white X). *Click "Yes" at the Delete on Reboot prompt. *Click "No" at the Pending Operations prompt. Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Delete these folders if they exist (in blue): C:\Program Files\Search Maid\ C:\Program Files\Virtual Maid\ C:\Windows\System32\LogFiles\ C:\Program Files\Security iGuard\ Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.startsearches.net/search.php?qq=%1 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startsearches.net/bar.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.startsearches.net/search.php?qq=%1 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.startsearches.net/search.php?qq=%1 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.startsearches.net/search.php?qq=%1 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.startsearches.net/search.php?qq=%1 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.startsearches.net/ F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hpB803.tmp O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe O13 - DefaultPrefix: O13 - WWW Prefix: O13 - Home Prefix: O13 - Mosaic Prefix: O13 - FTP Prefix: O13 - Gopher Prefix: O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dba1865.exe O17 - HKLM\System\CCS\Services\Tcpip\..\{6E1F8C33-89E4-42E7-BAF4-752FFF197BA4}: NameServer = 212.135.1.36 212.135.1.38 <-- Do you know if these are from your ISP, if they’re not delete O17 - HKLM\System\CS1\Services\Tcpip\..\{6E1F8C33-89E4-42E7-BAF4-752FFF197BA4}: NameServer = 212.135.1.36 212.135.1.38<-- Do you know if these are from your ISP, if they’re not delete Please remember to close all other windows, including browsers then click Fix checked. Close HijackThis. Restart your computer. The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link doesn't work - http://www.greyknight17.com/spy/Cleanup.exe ) and install it. Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes. Please download Adaware SE and install it (if you don't have it already). - Make sure it's the newest version and check for any updates before running it. - Go to this Site to get the plug-in for fixing VX2 variants. - Also make sure to Customize the settings in Adaware for better scan results. - Run the scan now and fix everything that it finds. Download Spybot 1.3 and install it (if you don't have it already). - update the definitions file and run a scan now. Fix all the entries, which are indicated in RED. Download CWShredder (If you already have CWShredder on your PC – Open it and click the update button first) Click on Fix now (it will automatically fix anything it finds for you). If it asks if you want to delete a certain random file, choose No and post that filename here. Run an online scan at http://www.pandasoftware.com/activescan/ and save the results from the scan! Restart and post a new HijackThis log along with the results from ActiveScan. 4SG |
|
|
|
|
06-01-2005, 09:37 AM
|
#3 (permalink) |
|
Registered User
Join Date: May 2005
Posts: 38
OS: Windows XP
|
Logfile of HijackThis v1.99.1
Scan saved at 17:29:37, on 01/06/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Unable to get Internet Explorer version! Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\WINDOWS\System32\ctfmon.exe C:\WINDOWS\System32\winnook.exe C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe C:\WINDOWS\System32\hpoipm07.exe C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe C:\Documents and Settings\Davies\Desktop\Mark\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [WindowsFZ] C:\WINDOWS\System32\LogFiles\A5281300.so O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\winnook.exe O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O13 - DefaultPrefix: O13 - WWW Prefix: O13 - Home Prefix: O13 - Mosaic Prefix: O13 - FTP Prefix: O13 - Gopher Prefix: O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe My PC is better, but it still has a red circle with a white cross on in the taskbar icons, which pops up with "Your computer is infected". Could I run the Ad-Aware, Sbybot and CWShredder again to make sure i deleted everything? I look forward to your reply I use Avast as my Anti Virus, does that explain lines O23??? |
|
|
|
|
06-01-2005, 10:50 AM
|
#4 (permalink) |
|
Analyst, Security Team
Join Date: Mar 2005
Location: NY
Posts: 350
OS: XP Pro/Home SP2
|
amd802,
yes,that Avast O23 entry is OK Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below. Reboot your system in Safe Mode (By continually tapping the F8 key, until the menu appears). Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one (You must kill them one at a time). C:\WINDOWS\System32\winnook.exe Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any) R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = O4 - HKLM\..\Run: [WindowsFZ] C:\WINDOWS\System32\LogFiles\A5281300.so O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\winnook.exe O13 - DefaultPrefix: O13 - WWW Prefix: O13 - Home Prefix: O13 - Mosaic Prefix: O13 - FTP Prefix: O13 - Gopher Prefix: Please remember to close all other windows, including browsers then click Fix checked. Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist. C:\WINDOWS\System32\winnook.exe C:\WINDOWS\System32\LogFiles Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes. Reboot into Normal Mode Run an online scan at http://www.pandasoftware.com/activescan/ and save the results from the scan! Include this log in your next post. Run a new HijackThis scan. Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in your next reply. 4SG |
|
|
|
|
06-01-2005, 03:31 PM
|
#5 (permalink) |
|
Registered User
Join Date: May 2005
Posts: 38
OS: Windows XP
|
Hi again! Here's everything you requested:
Logfile of HijackThis v1.99.1 Scan saved at 23:27:13, on 01/06/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Unable to get Internet Explorer version! Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe C:\WINDOWS\System32\hpoipm07.exe C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Documents and Settings\Davies\Desktop\Mark\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O13 - DefaultPrefix: O13 - WWW Prefix: O13 - Home Prefix: O13 - Mosaic Prefix: O13 - FTP Prefix: O13 - Gopher Prefix: O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{6E1F8C33-89E4-42E7-BAF4-752FFF197BA4}: NameServer = 212.135.1.36 212.135.1.38 O17 - HKLM\System\CS1\Services\Tcpip\..\{6E1F8C33-89E4-42E7-BAF4-752FFF197BA4}: NameServer = 212.135.1.36 212.135.1.38 O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe ActiveScan Report: Virus:Trj/Cloak.A Disinfected Operating system Adware:Adware/WildTangent No disinfected C:\WINDOWS\wt Adware:Adware/Popuper No disinfected C:\Documents and Settings\Davies\My Documents\Your Scanner.url Adware:Adware/Virmaid No disinfected Windows Registry ==================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05 Get updates at http://www.greyknight17.com/download.htm#programs ***Security Programs Detected*** C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 23:27:13, on 01/06/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Unable to get Internet Explorer version! Running processes: C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe C:\Documents and Settings\Davies\Desktop\Mark\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe O13 - DefaultPrefix: O13 - WWW Prefix: O13 - Home Prefix: O13 - Mosaic Prefix: O13 - FTP Prefix: O13 - Gopher Prefix: O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{6E1F8C33-89E4-42E7-BAF4-752FFF197BA4}: NameServer = 212.135.1.36 212.135.1.38 O17 - HKLM\System\CS1\Services\Tcpip\..\{6E1F8C33-89E4-42E7-BAF4-752FFF197BA4}: NameServer = 212.135.1.36 212.135.1.38 O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe End of KRC HijackThis Analyzer Log. ==================================================================== Hope al this makes sense?!! |
|
|
|
|
06-01-2005, 05:15 PM
|
#6 (permalink) |
|
Analyst, Security Team
Join Date: Mar 2005
Location: NY
Posts: 350
OS: XP Pro/Home SP2
|
Your logs getting there. How are things running?
Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs (if they exist): WildTangent - This is an online gaming package that is installed by a number of third party applications and even OEMs, ISPs and AIM. The games aspect of this is really rather cool. The being installed without you asking for it isn't cool at all. They collect information about you and your usage. We recommend uninstalling it. Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist. C:\Documents and Settings\Davies\My Documents\Your Scanner.url C:\WINDOWS\wt Click Start-> Control Panel-> Internet Options Click on the Programs Tab and then click Reset Web Settings, then Yes, then OK Run a new HijackThis scan. Save the log file and post it. 4SG |
|
|
|
|
06-02-2005, 09:47 AM
|
#7 (permalink) |
|
Registered User
Join Date: May 2005
Posts: 38
OS: Windows XP
|
Thanks very much for your help mate!! Things are running much smoother, I cannot see anything obviously wrong at the moment.
But still can't get rid of the: O13 - DefaultPrefix: O13 - WWW Prefix: O13 - Home Prefix: O13 - Mosaic Prefix: O13 - FTP Prefix: O13 - Gopher Prefix: ,what do these mean? Here's the latest log: Logfile of HijackThis v1.99.1 Scan saved at 17:39:41, on 02/06/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Unable to get Internet Explorer version! Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe C:\WINDOWS\System32\hpoipm07.exe C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe C:\Documents and Settings\Davies\Desktop\Mark\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O13 - DefaultPrefix: O13 - WWW Prefix: O13 - Home Prefix: O13 - Mosaic Prefix: O13 - FTP Prefix: O13 - Gopher Prefix: O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe |
|
|
|
|
06-02-2005, 12:09 PM
|
#8 (permalink) |
|
Analyst, Security Team
Join Date: Mar 2005
Location: NY
Posts: 350
OS: XP Pro/Home SP2
|
I was hoping that resetting the Web settings would help, but it didn't.
Do the following: Click Start >>Run and then type regedit - Click OK Go to File->Export Type in a file name and at the bottom of the window it should say Export Range, you need to select ALL and then save the registry somewhere as a backup. Now navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults Once you click on ProtocolDefaults the folder will be highlighted. Right click it and click export. In the “Save In” box – change it to desktop In the “File Name” box – type in dp.txt (make sure you include the .txt) At the bottom of the window it should say Export Range, make sure “selected branch” is selected. Click save Close the registry editor. Now on your desktop should be a file named dp.txt Double click it to open it Copy and paste all the text in that document here (won’t be too much). 4SG |
|
|
|
|
06-03-2005, 09:53 AM
|
#9 (permalink) |
|
Registered User
Join Date: May 2005
Posts: 38
OS: Windows XP
|
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] @="" "http"=dword:00000003 "https"=dword:00000003 "ftp"=dword:00000003 "file"=dword:00000003 "@ivt"=dword:00000001 |
|
|
|
|
06-03-2005, 02:40 PM
|
#10 (permalink) |
|
Analyst, Security Team
Join Date: Mar 2005
Location: NY
Posts: 350
OS: XP Pro/Home SP2
|
Hate to do this to you…. but can you do the same thing again but this time you are going to be using the HKEY_CURRENT_USER key below.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults You don’t need to do the full back up again. When you export the ProtocolDefaults to your Desktop give it a different name. 4SG |
|
|
|
|
06-03-2005, 03:37 PM
|
#11 (permalink) |
|
Registered User
Join Date: May 2005
Posts: 38
OS: Windows XP
|
Here you go:
Windows Registry Editor Version 5.00 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] @="" "http"=dword:00000003 "https"=dword:00000003 "ftp"=dword:00000003 "file"=dword:00000003 "@ivt"=dword:00000001 |
|
|
|
|
06-03-2005, 04:57 PM
|
#12 (permalink) |
|
Analyst, Security Team
Join Date: Mar 2005
Location: NY
Posts: 350
OS: XP Pro/Home SP2
|
Can you do the same for these two.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes |
|
|
|
|
06-06-2005, 09:23 AM
|
#16 (permalink) |
|
Registered User
Join Date: May 2005
Posts: 38
OS: Windows XP
|
No it didn't seem to shift them 13's! Here's the log:
Logfile of HijackThis v1.99.1 Scan saved at 17:21:51, on 06/06/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Unable to get Internet Explorer version! Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe C:\WINDOWS\System32\hpoipm07.exe C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe C:\WINDOWS\System32\wuauclt.exe C:\WINDOWS\explorer.exe C:\Documents and Settings\Davies\Desktop\Mark\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O13 - DefaultPrefix: O13 - WWW Prefix: O13 - Home Prefix: O13 - Mosaic Prefix: O13 - FTP Prefix: O13 - Gopher Prefix: O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe |
|
|
|
|
06-06-2005, 11:22 AM
|
#17 (permalink) |
|
Analyst, Security Team
Join Date: Mar 2005
Location: NY
Posts: 350
OS: XP Pro/Home SP2
|
I was able to duplicate your problem by deleting my HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\URL key. I deleted it and ran a scan in HijackThis and I had the same empty O13 entries that you have and HijackThis was unable to fix them. I reinstalled the URL key and the entries were gone from HJT.
Click Start >>Run and then type regedit - Click OK Go to File->Export Type in a file name and at the bottom of the window it should say Export Range, you need to select ALL and then save the registry somewhere as a backup. Right-click the url.txt attachment below and click ‘Save Target As’ Change the name to url.txt (by default it wants to call it attachment.txt) Save it to your desktop. Once it's on your desktop: You need to rename the url.txt file. Change it to url.reg You’ll get a warning asking if you really want to change it – click YES Double click the url.reg and it will ask you if you want to add the information to the registry – Click YES Then another box will pop up saying the information has sucessfully been added to the registry. Click OK Run a scan in HijackThis and let us know how you made out. 4SG Last edited by Scorpex; 06-06-2005 at 11:40 AM. |
|
|
|
|
06-07-2005, 10:23 AM
|
#18 (permalink) |
|
Registered User
Join Date: May 2005
Posts: 38
OS: Windows XP
|
Jackpot!!! Seems to have worked! Is there anything else required?
Logfile of HijackThis v1.99.1 Scan saved at 18:22:32, on 07/06/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Unable to get Internet Explorer version! Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe C:\WINDOWS\System32\hpoipm07.exe C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Documents and Settings\Davies\Desktop\Mark\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{6E1F8C33-89E4-42E7-BAF4-752FFF197BA4}: NameServer = 212.135.1.36 212.135.1.38 O17 - HKLM\System\CS1\Services\Tcpip\..\{6E1F8C33-89E4-42E7-BAF4-752FFF197BA4}: NameServer = 212.135.1.36 212.135.1.38 O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe |
|
|
|
|
06-07-2005, 10:48 AM
|
#19 (permalink) |
|
Analyst, Security Team
Join Date: Mar 2005
Location: NY
Posts: 350
OS: XP Pro/Home SP2
|
AMD802,
Your log is clean. Are there any problems now? If not, you should be set to go. The System Restore Points on your computer most likely contain traces of the recent Infections/Malware. Please clear your System Restore Points by doing the following: To turn off System Restore,Click Start > right-click My Computer and then click Properties. Click the System Restore tab > Check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this. Click OK. Reboot your System. Now create a new Restore Point by doing the following: To turn on System Restore,Click Start. Right-click My Computer, and then click Properties. Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives." Click Apply, and then OK. To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial http://www.greyknight17.com/spyware.htm#prevent and use the tools provided. Please respond to this thread one more time so we can mark this thread as resolved. 4SG |
|
|
|
| Thread Tools | |
|
|
