|
|
|
|
|||||
|
|
|
|
|
|
|||
| Welcome
to Tech Support Forum home to more then 136,000 problems solved. Issues
have included: Spyware, Malware, Virus Issues, Windows, Microsoft,
Linux, Networking, Security, Hardware, and Gaming Getting your
problem solved is as easy as: 1. Registering for a free account 2. Asking your question 3. Receiving an answer Registered members: * See fewer ads. * And much more..
|
| Want to know how to post a question? click here | Having problems with spyware and pop-ups? First Steps |
|
|||||||
| Resolved HJT Threads Resolved spyware and popup issues. |
|
|
LinkBack | Thread Tools |
06-27-2005, 12:26 PM
|
#1 (permalink) |
|
Registered User
Join Date: Jun 2005
Posts: 11
OS: XP
|
Lost Network
Had a virus Win32:trojan.gen{other} - It was found using Avast. Followed directions in Networking section and seems to be deleted. Has not respawned after many reboots.
3 computer network 2 XP SP2 and 1 Win98 SE. 1 XP and Win98 cannot communicate with other XP but everyone can access all others on network for file sharing and NETWORK printer BUT NOT SHARED printer or shared files on XP. I have tried reinstalling network on all machines, checked firewall settings no help. Below is Hijack This log created by Higjack This Analyzer. ==================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 6/3/05 Get updates at http://www.greyknight17.com/download.htm#programs ***Security Programs Detected*** C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\a2\a2guard.exe O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe" O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 2:13:26 PM, on 6/27/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file) O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll (file missing) O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file) O4 - HKLM\..\RunServices: [Kernall Default] Kernall.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing) O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing) O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file) O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file) O15 - Trusted Zone: *.musicmatch.com O15 - Trusted Zone: *.musicmatch.com (HKLM) O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {0A50726E-51A2-42BB-8392-98F050C40A10} (SkillJamLoader Class) - http://aol.skilljam.com/ssp/SkillJamLoader.cab O16 - DPF: {483912CF-8995-4434-AD61-6163756E05DF} (AXTNS Control) - http://qs130.pair.com/webprim4/maths...ivex/axtns.php O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe End of KRC HijackThis Analyzer Log. ==================================================================== Thanks for your help! |
|
     |
| Important Information |
|
Join the #1 Tech Support Forum Today - It's Totally Free!
TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free. Join TechSupportforum.com Today - Click Here |
|
06-28-2005, 08:07 PM
|
#2 (permalink) |
|
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,963
OS: Windows 7
  |
Hi and Welcome to TSF
Before attacking an adware/spyware problem with hijackthis make sure you have already run ad-aware SE with VX2 add-on cleaner, Spybot Search & Destroy (with updated database) and CWShredder as these programs will clean a lot of the crap out first. All links to programs are in my signature. Ok..on to the log….. Please go to at least two of these sites and run an online Virus Scan. Be sure to have the AutoFix box(es) checked. http://housecall.trendmicro.com/ http://www3.ca.com/virusinfo/virusscan.aspx http://www.pandasoftware.com/actives..._principal.htm http://www.bitdefender.com/scan/license.php http://us.mcafee.com/root/mfs/default.asp http://security.symantec.com/sscv6/d...d=ie&venid=sym http://www3.ca.com/virusinfo/virusscan.aspx Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also. Please make sure system restore is enabled by right clicking on My Computer and go to Properties->System Restore and check the box for Turn OFF System Restore and make sure it’s NOT checked. We want system restore ON and monitoring your current hard drive. Once your clean we will turn this off and then create a new restore point. Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry) R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file) O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file) O4 - HKLM\..\RunServices: [Kernall Default] Kernall.exe O15 - Trusted Zone: *.musicmatch.com O15 - Trusted Zone: *.musicmatch.com (HKLM) Kernall.exe <--locate and delete that file. Reboot the PC. Download, install, and update Ewido Security Suite
After the updates are installed, exit Ewido Reboot into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter. [*]Run Ewido.[*]Click on scanner[*]Make sure the following boxes are checked before scanning:
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Please post the Ewido scan log, hijackthis log, and the log from the following tool... Download Silent runners.Vbs http://www.silentrunners.org/ 1. Make sure you have any script blocking software disabled 2. Run the program. It will take a few minutes to complete. 3. Once complete it will produce a log named “StartupPrograms” with Your user and date in the filename. Open that txt file and posts it contents in your next post.
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!
   Spyware/Adware Removal Tools Hijackthis Ad-aware SE Spybot Search&Destroy SpywareBlaster CWShredder |
|
|
|
|
06-29-2005, 12:20 PM
|
#3 (permalink) |
|
Registered User
Join Date: Jun 2005
Posts: 11
OS: XP
|
Startup Programs
Ran the spyware removal and virus checkers as well as silentrunner. Below is log for StartupPrograms
Thanks for the help! "Silent Runners.vbs", revision 39, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "a-squared" = ""C:\Program Files\a2\a2guard.exe"" [null data] "AIM" = "C:\Program Files\AIM\aim.exe -cnetwait.odl" ["America Online, Inc."] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "DwlClient" = "C:\Program Files\Common Files\Dell\EUSW\Support.exe" ["Dell"] "avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID] -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"] {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided) -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"] {5CA3D70E-1895-11CF-8E15-001234567890}\(Default) = "DriveLetterAccess" [from CLSID] -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"] {7c1ce531-09e9-4fc5-9803-1c2956615786}\(Default) = "Google Desktop Search Capture" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll" [file not found] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."] "{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Sonic\RecordNow!\shlext.dll" ["Sonic Solutions"] "{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"] "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshellext.dll" ["RealNetworks"] "{472083B0-C522-11CF-8763-00608CC02F24}" = "avast" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"] "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS] "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS] "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}" = "Eudora's Shell Extension" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Qualcomm\Eudora\EuShlExt.dll" ["Qualcomm Inc."] "{7D5C4BDD-B015-4401-8731-1507B87DE297}" = "QBVersionTool" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Intuit\QuickBooks\QBVersionTool.dll" ["TODO: <Company name>"] "{acb4a560-3606-11d3-aef4-00104bd0f92d}" = "KodakShellExtension" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\KODAK\IFSCore\kodakshx.dll" ["Eastman Kodak Company"] "{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS] "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS] "{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice Property Sheet Handler" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\OpenOffice.org1.1.4\program\shlxthdl.dll" ["Sun Microsystems, Inc."] "{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS] "{AB77609F-2178-4E6F-9C4B-44AC179D937A}" = "a˛ Context Menu Shell Extension" -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\a2\A2CONT~1.DLL" [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ INFECTION WARNING! "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}" = "Eudora's Shell Extension" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Qualcomm\Eudora\EuShlExt.dll" ["Qualcomm Inc."] INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"] HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"] ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"] QuickFinderMenu\(Default) = "{C0E10002-0028-0004-C0E1-C0E1C0E1C0E1}" -> {CLSID}\InProcServer32\(Default) = "c:\Program Files\WordPerfect Office 11\Programs\PFSE110.DLL" ["Novell, Inc., c/o Corel Corporation Limited"] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ a2ContMenu\(Default) = "{AB77609F-2178-4E6F-9C4B-44AC179D937A}" -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\a2\A2CONT~1.DLL" [null data] avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"] Active Desktop and Wallpaper: ----------------------------- Active Desktop is enabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Active Desktop web content: HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\ "FriendlyName" = "" "Source" = "http://us.js1.yimg.com/us.yimg.com/lib/pim/r/medici/4/mail/mailcommonlib.js" "SubscribedURL" = "http://us.js1.yimg.com/us.yimg.com/lib/pim/r/medici/4/mail/mailcommonlib.js" Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\2\ "SCRNSAVE.EXE" = "C:\WINDOWS\System32\scrnsave.scr" [MS] Enabled Scheduled Tasks: ------------------------ "Data Repair Utility" -> launches: "C:\PROGRA~1\CHAOSS~1\dbtools\dbrepair.exe" [file not found] "Disk Cleanup" -> launches: "C:\WINDOWS\SYSTEM32\CLEANMGR.EXE" [MS] "{2A62E49A-58BD-48DA-B9EA-F2D35D164F1F}_COLLUSUS_Sound Management" -> launches: "C:\WINDOWS\system32\MOBSYNC.EXE /Schedule="{2A62E49A-58BD-48DA-B9EA-F2D35D164F1F}_COLLUSUS_Sound Management"" [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 20 %SystemRoot%\system32\rsvpsp.dll [MS], 21 - 22 Toolbars, Explorer Bars, Extensions: ------------------------------------ Explorer Bars HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ {FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = "Real.com" [from CLSID] -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ "MenuText" = "Sun Java Console" "CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\msjava.dll" [file not found] {4982D40A-C53B-4615-B15B-B5B5E98D167C}\ "ButtonText" = "AOL Toolbar" "MenuText" = "AOL Toolbar" "CLSIDExtension" = "{4982D40A-C53B-4615-B15B-B5B5E98D167C}" {85D1F590-48F4-11D9-9669-0800200C9A66}\ "MenuText" = "Uninstall BitDefender Online Scanner v8" "Exec" = "%windir%\bdoscandel.exe" [null data] {AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\ "ButtonText" = "AIM" "Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."] {CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\ "ButtonText" = "Real.com" {FB5F1910-F110-11D2-BB9E-00C04F795683}\ "ButtonText" = "Messenger" "MenuText" = "Windows Messenger" "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ AOL Connectivity Service, AOL ACS, ""C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe"" ["America Online"] AOL TopSpeed Monitor, AOL TopSpeedMonitor, "C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe" ["America Online, Inc"] avast! Antivirus, avast! Antivirus, "C:\Program Files\Alwil Software\Avast4\ashServ.exe" [null data] avast! iAVS4 Control Service, aswUpdSv, "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe" [null data] avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"] avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"] BrSplService, Brother XP spl Service, "C:\WINDOWS\system32\brsvc01a.exe" ["brother Industries Ltd"] ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"] ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido\security suite\ewidoguard.exe" ["ewido networks"] Kodak Camera Connection Software, KodakCCS, "C:\WINDOWS\system32\drivers\KodakCCS.exe" ["Eastman Kodak Company"] ScsiAccess, ScsiAccess, "C:\WINDOWS\system32\ScsiAccess.EXE" [null data] WAN Miniport (ATW) Service, WANMiniportService, ""C:\WINDOWS\wanmpsvc.exe"" ["America Online, Inc."] Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 260 seconds. + The search for all Registry CLSIDs containing dormant Explorer Bars took 11 seconds. ---------- (total run time: 302 seconds) |
|
|
|
|
06-29-2005, 07:32 PM
|
#4 (permalink) |
|
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,963
OS: Windows 7
|
Were is the Ewido log and hijackthis log?
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!
Spyware/Adware Removal Tools Hijackthis Ad-aware SE Spybot Search&Destroy SpywareBlaster CWShredder |
|
|
|
|
06-30-2005, 12:09 PM
|
#5 (permalink) |
|
Registered User
Join Date: Jun 2005
Posts: 11
OS: XP
|
Hijack This & ewide files
HijackThis
Logfile of HijackThis v1.99.1 Scan saved at 12:15:43 PM, on 6/29/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\HJT\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/ O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file) O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll (file missing) O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file) O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\RunServices: [Kernall Default] Kernall.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing) O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing) O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file) O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file) O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O15 - Trusted Zone: *.musicmatch.com (HKLM) O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {0A50726E-51A2-42BB-8392-98F050C40A10} (SkillJamLoader Class) - http://aol.skilljam.com/ssp/SkillJamLoader.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab O16 - DPF: {483912CF-8995-4434-AD61-6163756E05DF} (AXTNS Control) - http://qs130.pair.com/webprim4/maths...ivex/axtns.php O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe ================================== ewido log --------------------------------------------------------- ewido security suite - Scan report --------------------------------------------------------- + Created on: 1:26:47 PM, 6/29/2005 + Report-Checksum: C1E81719 + Date of database: 6/29/2005 + Version of scan engine: v3.0 + Duration: 37 min + Scanned Files: 132831 + Speed: 59.83 Files/Second + Infected files: 42 + Removed files: 42 + Files put in quarantine: 42 + Files that could not be opened: 0 + Files that could not be cleaned: 0 + Binder: Yes + Crypter: Yes + Archives: Yes + Scanned items: C:\ + Scan result: C:\Documents and Settings\Administrator\Cookies\administrator@search.msn[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup C:\Documents and Settings\casey\Cookies\casey@myway[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup C:\Documents and Settings\casey\Cookies\casey@search.msn[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup C:\Documents and Settings\Mom\Cookies\mom@5355539[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup C:\Documents and Settings\Mom\Cookies\mom@79710284[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup C:\Documents and Settings\Mom\Cookies\mom@87853283[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup C:\Documents and Settings\Mom\Cookies\mom@a.tribalfusion[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup C:\Documents and Settings\Mom\Cookies\mom@adknowledge[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup C:\Documents and Settings\Mom\Cookies\mom@ads.as4x.tmcs[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup C:\Documents and Settings\Mom\Cookies\mom@ads26.hyperbanner[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup C:\Documents and Settings\Mom\Cookies\mom@adsremote.scripps[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup C:\Documents and Settings\Mom\Cookies\mom@a[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup C:\Documents and Settings\Mom\Cookies\mom@bannerspace[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup C:\Documents and Settings\Mom\Cookies\mom@burstnet[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup C:\Documents and Settings\Mom\Cookies\mom@c3.gostats[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup C:\Documents and Settings\Mom\Cookies\mom@com[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup C:\Documents and Settings\Mom\Cookies\mom@cookie.monster[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup C:\Documents and Settings\Mom\Cookies\mom@dcsajnkbj11e5hmi283hr30a8_2c7p[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup C:\Documents and Settings\Mom\Cookies\mom@dcsew60m1oifwznbkznc6j9ix_5x7j[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup C:\Documents and Settings\Mom\Cookies\mom@dcsi8dupuerp17vzhd59b2lwc_8u5u[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup C:\Documents and Settings\Mom\Cookies\mom@dcskoovmr01e5h6qlnsvvv4ea_2m5h[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup C:\Documents and Settings\Mom\Cookies\mom@dcskqeg2voifwznnd6alhtnei_8f3u[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup C:\Documents and Settings\Mom\Cookies\mom@dcst8x41poifwzzk3iihgm3xb_9p4w[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup C:\Documents and Settings\Mom\Cookies\mom@exitexchange[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup C:\Documents and Settings\Mom\Cookies\mom@exitfuel[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup C:\Documents and Settings\Mom\Cookies\mom@forum[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup C:\Documents and Settings\Mom\Cookies\mom@geocities[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup C:\Documents and Settings\Mom\Cookies\mom@handbag[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup C:\Documents and Settings\Mom\Cookies\mom@handbag[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup C:\Documents and Settings\Mom\Cookies\mom@hb.lycos[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup C:\Documents and Settings\Mom\Cookies\mom@mediamgr.ugo[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup C:\Documents and Settings\Mom\Cookies\mom@myway[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup C:\Documents and Settings\Mom\Cookies\mom@network[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup C:\Documents and Settings\Mom\Cookies\mom@orbitz.rpts[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup C:\Documents and Settings\Mom\Cookies\mom@realguide.real[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup C:\Documents and Settings\Mom\Cookies\mom@S119579[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup C:\Documents and Settings\Mom\Cookies\mom@S149285[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup C:\Documents and Settings\Mom\Cookies\mom@search.msn[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup C:\Documents and Settings\Mom\Cookies\mom@servedby.adscpm[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup C:\Documents and Settings\Mom\Cookies\mom@specificpop[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup C:\Documents and Settings\Mom\Cookies\mom@www.newtopsites[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup C:\Documents and Settings\Mom\Cookies\mom@www.xzoomy[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup ::Report End |
|
|
|
|
06-30-2005, 06:01 PM
|
#6 (permalink) |
|
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,963
OS: Windows 7
|
Hummmm...
You did run hijackthis and fix those items correct? Seams something else is at work here... Please run this virus scan.. http://www.pandasoftware.com/actives..._principal.htm Save the activescan log and post it in this thread. I also need the logs from the following tools.. Download Silent runners.Vbs http://www.silentrunners.org/ 1. Make sure you have any script blocking software disabled 2. Run the program. It will take a few minutes to complete. 3. Once complete it will produce a log named “StartupPrograms” with Your user and date in the filename. Open that txt file and posts it contents in your next post. Download Rkfiles.zip http://skads.org/special/rkfiles.zip UNZIP the contents to a permanent folder on your desktop. Download the following attachment remv3.zip http://forums.skads.org/index.php?showtopic=80 Make a folder on the root drive C:\ and unzip the files into it. REBOOT TO SAFE MODE… These tools MUST be run in safe mode!! Once in safe mode… Double click rkfiles.bat It will scan for a while, so please be patient. Wait till the dos window closes. Open the C:\log.txt it created and rename it log1.txt. Now Open the folder were you saved remv3.zip files and click the rem.bat file and let it run. It will delete the files and remove the infection and then make a log of the files it finds. The log file will be C:\log.txt and bad1.txt **Note** Each tool uses log.txt as it’s output file so make sure you save the entry’s from one tool before running the other as it will overwrite the file if you don’t. Reboot back to normal mode and post the contents of both the log.txt and log1.txt in your next post. So I need the following logs... Panda Activescan log Rkfiles (log1.txt) log Remv3 (log.txt) log Silentrunners log
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!
Spyware/Adware Removal Tools Hijackthis Ad-aware SE Spybot Search&Destroy SpywareBlaster CWShredder |
|
|
|
|
07-06-2005, 06:15 PM
|
#8 (permalink) |
|
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,963
OS: Windows 7
|
Please post those log's I asked for. These are the current lines we are addressing in your last hijackthis log...
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file) O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file) O4 - HKLM\..\RunServices: [Kernall Default] Kernall.exe O15 - Trusted Zone: *.musicmatch.com (HKLM)
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!
Spyware/Adware Removal Tools Hijackthis Ad-aware SE Spybot Search&Destroy SpywareBlaster CWShredder |
|
|
|
|
07-11-2005, 02:40 PM
|
#9 (permalink) |
|
Registered User
Join Date: Jun 2005
Posts: 11
OS: XP
|
Hijackthis fix
Followed your guidlines and removed lines. I am pretty certain that all viruses have been removed. I downloaded Windows Server 2003 Resource Kit Tools and used it to make the required rights assignments. The computers are recognizing each other again.
Thanks for your help and I consider it closed. |
|
|
|
| Thread Tools | |
|
|
