Need assistance

Andy128 · 05-30-2005, 07:18 PM

Below is a analyzed file from hjt. Many problems. Have deleted what I could.
Thanks

Andy

===================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 9:03:02 PM, on 5/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\system32\2ht4tljp.exe
C:\aight.exe
C:\WINDOWS\system32\seccp32r.exe
c:\windows\system32\rsvikct.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\Documents and Settings\Dad\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://moneycentral.msn.com/home.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O4 - HKLM\..\Run: [X6HW] C:\windows\system32\X6HW.exe
O4 - HKLM\..\Run: [WinScMngr] C:\WINDOWS\winsmc.exe
O4 - HKLM\..\Run: [2ht4tljp] C:\WINDOWS\system32\2ht4tljp.exe
O4 - HKLM\..\Run: [Lsass] C:\aight.exe
O4 - HKLM\..\Run: [p4mX37l] seccp32r.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [vtgwxph] c:\windows\system32\rsvikct.exe
O4 - Global Startup: AdwareFilter Background Protection.lnk = C:\Program Files\AdwareFilter\AdwareFilter.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com (file missing) (HKCU)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho.../yinst0401.cab
O16 - DPF: {611CF77F-F7F5-4EA1-B979-667671326B4C} (MarketTrader - ETrade v243a) - http://etrade.bridge.com/etgmt_prd/j...b_etrade_i.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1115034421271
O16 - DPF: {6F07CA40-1983-11D6-B8FA-00C04F5E375A} (Global MarketTrade - ETrade package) - http://etrade.bridge.com/etgmt/java/gmt_etrade_i.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {89EDFBA2-F623-11D4-BA72-00C04F753F09} (EtradeBridgeChannel) - http://etrade.bridge.com/bc24/java/etradeinstall.cab
O16 - DPF: {A0777FF1-23AC-11D5-BA9B-00C04F753F09} (BridgeBC24) - http://etrade.bridge.com/bc24/java/install.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
O16 - DPF: {C0288443-26C2-11D6-B8FA-00C04F5E375A} (Global MarketTrader - Bridge package) - http://etrade.bridge.com/etgmt/java/gmt_bridge_i.cab
O16 - DPF: {E93A06EF-ABD8-4FA5-96BF-968614B08531} (MarketTrader - Reuters v243b) - http://etrade.bridge.com/etgmt_prd/j...b_bridge_i.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E93FB94-CE2C-4E82-8DD1-E3504D29BC72}: NameServer = 68.87.66.196,68.87.64.196
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

End of KRC HijackThis Analyzer Log.
====================================================================

Herk · 05-30-2005, 08:20 PM

Hello Andy128

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

Please download nailfix at http://users.pandora.be/bluepatchy/nailfix.zip
Unzip it to the desktop but do NOT run it yet.

Download ewido security suite from here… http://www.ewido.net/en/download/

Update it’s database from here.. http://www.ewido.net/en/download/updates/

Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).

Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one (You must kill them one at a time). (they shouldn't be - but double check):

C:\WINDOWS\system32\2ht4tljp.exe
C:\aight.exe
C:\WINDOWS\system32\seccp32r.exe
c:\windows\system32\rsvikct.exe
C:\Program Files\CxtPls\CxtPls.exe

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

CxtPls

Please double-click on Nailfix.bat. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Run Ewido and let it clean the PC.

Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O4 - HKLM\..\Run: [X6HW] C:\windows\system32\X6HW.exe
O4 - HKLM\..\Run: [WinScMngr] C:\WINDOWS\winsmc.exe
O4 - HKLM\..\Run: [2ht4tljp] C:\WINDOWS\system32\2ht4tljp.exe
O4 - HKLM\..\Run: [Lsass] C:\aight.exe
O4 - HKLM\..\Run: [p4mX37l] seccp32r.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [vtgwxph] c:\windows\system32\rsvikct.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Please remember to close all other windows, including browsers then click Fix checked.

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist. (if no directory, just do a search for them)

C:\WINDOWS\Nail.exe
C:\WINDOWS\systb.dll
C:\windows\system32\X6HW.exe
C:\WINDOWS\winsmc.exe
C:\WINDOWS\system32\2ht4tljp.exe
C:\ aight.exe
C:\WINDOWS\system32\seccp32r.exe
C:\WINDOWS\wupdt.exe
c:\windows\system32\rsvikct.exe
C:\WINDOWS\svcproc.exe
C:\Program Files\CxtPls

Reboot your System in normal mode.

If you have a fast internet connection (Broadband), run an online scan at Trend Micro or RAV Antivirus.
Please select the “autoclean” option when using Trend Micro.

Download FindIt’s to your desktop
Unzip/extract the files inside . Open the folder and run FindIt's.bat and wait for a text to open. It will take a while ... be patient ... then post the results here please, along with a fresh Hijack This log.

Andy128 · 06-01-2005, 08:25 PM

Herk-
Thanks so much for your help. I had several problems trying to do what you suggested. Some worked- some didn't. Ewisdo locked up and trendmicro would not load and run. This is the second infection with all sorts of bugs so I probably did not get them all out the first time. This is my friends computer and it is an XP Upgrade so I convinced him that it was time to buy the full XP Home version and start clean. I do appreciate your time and willingness to help.

Andy

05-30-2005, 07:18 PM	#1 (permalink)
Andy128 Registered User Join Date: Nov 2004 Location: Michigan Posts: 380 OS: xp	Need assistance Below is a analyzed file from hjt. Many problems. Have deleted what I could. Thanks Andy =================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05 Get updates at http://www.greyknight17.com/download.htm#programs *Security Programs Detected* C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 9:03:02 PM, on 5/30/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\system32\2ht4tljp.exe C:\aight.exe C:\WINDOWS\system32\seccp32r.exe c:\windows\system32\rsvikct.exe C:\Program Files\CxtPls\CxtPls.exe C:\Documents and Settings\Dad\Desktop\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://moneycentral.msn.com/home.asp R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll O4 - HKLM\..\Run: [X6HW] C:\windows\system32\X6HW.exe O4 - HKLM\..\Run: [WinScMngr] C:\WINDOWS\winsmc.exe O4 - HKLM\..\Run: [2ht4tljp] C:\WINDOWS\system32\2ht4tljp.exe O4 - HKLM\..\Run: [Lsass] C:\aight.exe O4 - HKLM\..\Run: [p4mX37l] seccp32r.exe O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe O4 - HKLM\..\Run: [vtgwxph] c:\windows\system32\rsvikct.exe O4 - Global Startup: AdwareFilter Background Protection.lnk = C:\Program Files\AdwareFilter\AdwareFilter.exe O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com (file missing) (HKCU) O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho.../yinst0401.cab O16 - DPF: {611CF77F-F7F5-4EA1-B979-667671326B4C} (MarketTrader - ETrade v243a) - http://etrade.bridge.com/etgmt_prd/j...b_etrade_i.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1115034421271 O16 - DPF: {6F07CA40-1983-11D6-B8FA-00C04F5E375A} (Global MarketTrade - ETrade package) - http://etrade.bridge.com/etgmt/java/gmt_etrade_i.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {89EDFBA2-F623-11D4-BA72-00C04F753F09} (EtradeBridgeChannel) - http://etrade.bridge.com/bc24/java/etradeinstall.cab O16 - DPF: {A0777FF1-23AC-11D5-BA9B-00C04F753F09} (BridgeBC24) - http://etrade.bridge.com/bc24/java/install.cab O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll O16 - DPF: {C0288443-26C2-11D6-B8FA-00C04F5E375A} (Global MarketTrader - Bridge package) - http://etrade.bridge.com/etgmt/java/gmt_bridge_i.cab O16 - DPF: {E93A06EF-ABD8-4FA5-96BF-968614B08531} (MarketTrader - Reuters v243b) - http://etrade.bridge.com/etgmt_prd/j...b_bridge_i.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{7E93FB94-CE2C-4E82-8DD1-E3504D29BC72}: NameServer = 68.87.66.196,68.87.64.196 O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe End of KRC HijackThis Analyzer Log. ====================================================================

05-30-2005, 08:20 PM	#2 (permalink)
Herk Registered User Join Date: Feb 2005 Location: Georgia Posts: 584 OS: XP	Hello Andy128 Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked. Please download nailfix at http://users.pandora.be/bluepatchy/nailfix.zip Unzip it to the desktop but do NOT run it yet. Download ewido security suite from here… http://www.ewido.net/en/download/ Update it’s database from here.. http://www.ewido.net/en/download/updates/ Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears). Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one (You must kill them one at a time). (they shouldn't be - but double check): C:\WINDOWS\system32\2ht4tljp.exe C:\aight.exe C:\WINDOWS\system32\seccp32r.exe c:\windows\system32\rsvikct.exe C:\Program Files\CxtPls\CxtPls.exe Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist: CxtPls Please double-click on Nailfix.bat. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal. Run Ewido and let it clean the PC. Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any) R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll O4 - HKLM\..\Run: [X6HW] C:\windows\system32\X6HW.exe O4 - HKLM\..\Run: [WinScMngr] C:\WINDOWS\winsmc.exe O4 - HKLM\..\Run: [2ht4tljp] C:\WINDOWS\system32\2ht4tljp.exe O4 - HKLM\..\Run: [Lsass] C:\aight.exe O4 - HKLM\..\Run: [p4mX37l] seccp32r.exe O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe O4 - HKLM\..\Run: [vtgwxph] c:\windows\system32\rsvikct.exe O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe *Please remember to close all other windows, including browsers then click Fix checked.* Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist. (if no directory, just do a search for them) C:\WINDOWS\Nail.exe C:\WINDOWS\systb.dll C:\windows\system32\X6HW.exe C:\WINDOWS\winsmc.exe C:\WINDOWS\system32\2ht4tljp.exe C:\ aight.exe C:\WINDOWS\system32\seccp32r.exe C:\WINDOWS\wupdt.exe c:\windows\system32\rsvikct.exe C:\WINDOWS\svcproc.exe C:\Program Files\CxtPls Reboot your System in normal mode. If you have a fast internet connection (Broadband), run an online scan at Trend Micro or RAV Antivirus. Please select the “autoclean” option when using Trend Micro. Download FindIt’s to your desktop Unzip/extract the files inside . Open the folder and run FindIt's.bat and wait for a text to open. It will take a while ... be patient ... then post the results here please, along with a fresh Hijack This log. __________________ Spybot S&D\| Adaware SE\|Spyware Prevention

06-01-2005, 08:25 PM	#3 (permalink)
Andy128 Registered User Join Date: Nov 2004 Location: Michigan Posts: 380 OS: xp	Herk- Thanks so much for your help. I had several problems trying to do what you suggested. Some worked- some didn't. Ewisdo locked up and trendmicro would not load and run. This is the second infection with all sorts of bugs so I probably did not get them all out the first time. This is my friends computer and it is an XP Upgrade so I convinced him that it was time to buy the full XP Home version and start clean. I do appreciate your time and willingness to help. Andy