#1
Registered User
Join Date: Jul 2005
Posts: 19
OS: winXP
New to site - problems with Spyware, please help
Thanks in advance for those who can help! I believe my computer has been infested by some spyware.
After running Ad-Aware, HijackThis and finally the HijackThis Analyzer, I have the following log:

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 6/3/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 7:44:05 PM, on 7/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\xpjava.exe
C:\windows\System32\mssetup32.exe
C:\windows\system32\1.tmp
c:\windows\system32\temp532.exe
D:\Backupfiles\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.douglas.bc.ca/
R3 - URLSearchHook: (no name) - _{855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\windows\EliteToolBar\EliteToolBar version 60.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\windows\EliteToolBar\EliteToolBar version 60.dll
O4 - HKLM\..\Run: [Microsoft Auto Update Setup 32] mssetup32.exe
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler] C:\windows\system32\1.tmp
O4 - HKLM\..\Run: [checkrun] c:\windows\system32\elitezhy32.exe
O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\windows\System32\iexplore.exe
O4 - HKLM\..\RunServices: [Network Access] winssh.exe
O4 - HKLM\..\RunServices: [Microsoft Gaming Updater 32] msgame32.exe
O4 - HKLM\..\RunServices: [LOCAL INTERNET WEB DRIVERS FOR WIN32] phqghume.exe
O4 - HKLM\..\RunServices: [Microsoft Auto Update Setup 32] mssetup32.exe
O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKLM\..\RunServices: [Wind0ws Sharing] ssprotecter.exe
O4 - HKCU\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Me...ridge-c139.cab
O23 - Service: Mouse Hardware Sync (mousehs) - Unknown owner - C:\WINDOWS\System32\mousehs.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

End of KRC HijackThis Analyzer Log.
====================================================================
#2
1337 C0D3R
Join Date: Mar 2005
Location: Canada
Posts: 1,457
OS: Server 2K3/XP Pro/XP MCE/Win 98/Ubuntu Linux/BackTrack 2
And We're Back!
Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Notes
We will take this in stride, there is a rather dangerous entry present... If you do not have the time to leave your computer on for a while please wait until you get one such chance, as I will need to check a fresh log before you can safely reboot...

View Hidden Files and Folders
Go to My Computer > Tools > Folder Options > View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

Stop Running Process
Go into HijackThis -> Config -> Misc. Tools -> Open process manager. Select the following and click 'Kill process':
C:\windows\System32\xpjava.exe

Start HijackThis Fix
Open HijackThis and click on Scan. Check the following entries (make sure you do not miss any):
F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
Please remember to close all other windows, including browsers, then click Fix checked.

File/Folder Deletions
Delete the following file indicated in RED:
C:\windows\System32\xpjava.exe

Do another scan with HijackThis & post it immediately. Please Do Not Reboot your Computer until we have checked your log and issued further instructions.

Last edited by skate_punk_21; 07-11-2005 at 12:09 AM.
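The helper's reading of the log in post #1 (a UserInit chain that loads a second program at logon, autoruns named after Microsoft products that point at bare filenames or a .tmp, a copy of iexplore.exe sitting in System32, a service with no vendor information) is the kind of triage that can be written down and re-run on every fresh log. The Python below is an added example, not code from this thread, from HijackThis or from the KRC analyzer: it parses a handful of lines copied from the post #1 log and flags them by those heuristics. The severity labels, the vendor-word list and the expected-directory table are this example's own assumptions, not anything HijackThis reports.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: a subset of the lines from the HijackThis log in post #1.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 7:44:05 PM, on 7/10/2005
R3 - URLSearchHook: (no name) - _{855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\windows\EliteToolBar\EliteToolBar version 60.dll
O4 - HKLM\..\Run: [Microsoft Auto Update Setup 32] mssetup32.exe
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler] C:\windows\system32\1.tmp
O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\windows\System32\iexplore.exe
O4 - HKLM\..\RunServices: [Wind0ws Sharing] ssprotecter.exe
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O23 - Service: Mouse Hardware Sync (mousehs) - Unknown owner - C:\WINDOWS\System32\mousehs.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
"""

@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O4"
    severity: str  # "high", "medium" or "low" (this example's own scale)
    reason: str
    line: str

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$")
O2_RE = re.compile(r"^O[23] - (?:BHO|Toolbar): .* - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Words that junk autoruns borrow to look like vendor software (assumed list).
VENDOR_WORDS = ("microsoft", "windows", "anti-virus", "compaq", "update")
# Well-known binaries and the directory they legitimately live in on Windows XP.
EXPECTED_DIR = {"iexplore.exe": r"program files\internet explorer"}

def basename(path: str) -> str:
    return re.split(r"[\\/]", path.strip().strip('"'))[-1].lower()

def check_o4(m: re.Match, line: str) -> list[Finding]:
    name, cmd = m["name"], m["cmd"]
    base = basename(cmd)
    out = []
    if base.endswith(".tmp"):
        out.append(Finding("O4", "high", f"autorun launches a .tmp file ({base})", line))
    if base in EXPECTED_DIR and EXPECTED_DIR[base] not in cmd.lower():
        out.append(Finding("O4", "high", f"{base} is not in its normal location ({EXPECTED_DIR[base]})", line))
    if re.search(r"[A-Za-z]0[A-Za-z]", name):  # digit-for-letter spelling such as "Wind0ws"
        out.append(Finding("O4", "high", f"autorun name uses digit-for-letter spelling: {name!r}", line))
    if any(w in name.lower() for w in VENDOR_WORDS) and "program files" not in cmd.lower():
        out.append(Finding("O4", "medium", f"vendor-sounding name {name!r} but binary is not under Program Files ({cmd})", line))
    return out

def check_f2(m: re.Match, line: str) -> list[Finding]:
    # UserInit should name userinit.exe only; anything chained after the comma runs at every logon.
    extras = [p for p in m["value"].split(",") if p.strip() and basename(p) != "userinit.exe"]
    if extras:
        return [Finding("F2", "high", "UserInit chains extra program(s) at logon: " + ", ".join(extras), line)]
    return []

def check_o2(m: re.Match, line: str) -> list[Finding]:
    if "program files" not in m["path"].lower():
        return [Finding(line[:2], "medium", f"browser add-on loaded from outside Program Files ({m['path']})", line)]
    return []

def check_o23(m: re.Match, line: str) -> list[Finding]:
    if m["owner"].lower() == "unknown owner" and "program files" not in m["path"].lower():
        return [Finding("O23", "medium", f"service with no vendor info running from {m['path']}", line)]
    return []

def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := O4_RE.match(line)):
            findings += check_o4(m, line)
        elif (m := F2_RE.match(line)):
            findings += check_f2(m, line)
        elif (m := O2_RE.match(line)):
            findings += check_o2(m, line)
        elif (m := O23_RE.match(line)):
            findings += check_o23(m, line)
        elif line.startswith("O15 - ") and "My Computer Zone" in line:
            findings.append(Finding("O15", "medium", "a protocol has been moved into the My Computer zone", line))
        elif line.startswith("R3 - ") and line.endswith("(no file)"):
            findings.append(Finding("R3", "low", "orphaned URLSearchHook (file already gone)", line))
    return findings

def severity_counts(findings: list[Finding]) -> dict[str, int]:
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts

if __name__ == "__main__":
    order = ("high", "medium", "low")
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: order.index(f.severity)):
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
        print(f"          {f.line}")
    print(severity_counts(triage(SAMPLE_LOG)))
```

The script is a triage aid, not a verdict: a finding means the line deserves a look, and a run with no findings says nothing about entries whose names happen to be innocuous. A fresh log after each "Fix checked" round, as the helper asks for, remains the check that matters.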
#3
Registered User
Join Date: Jul 2005
Posts: 19
OS: winXP
Here is the next log as instructed, without reboot
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 6/3/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 6:35:41 AM, on 7/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\mssetup32.exe
C:\windows\System32\iexplore.exe
C:\windows\system32\1.tmp
C:\windows\System32\wuamk032.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.douglas.bc.ca/
R3 - URLSearchHook: (no name) - _{855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O4 - HKLM\..\Run: [Microsoft Auto Update Setup 32] mssetup32.exe
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler] C:\windows\system32\1.tmp
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitezhy32.exe
O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\windows\System32\iexplore.exe
O4 - HKLM\..\Run: [Microsoft Update] wuamk032.exe
O4 - HKLM\..\RunServices: [Network Access] winssh.exe
O4 - HKLM\..\RunServices: [Microsoft Gaming Updater 32] msgame32.exe
O4 - HKLM\..\RunServices: [LOCAL INTERNET WEB DRIVERS FOR WIN32] phqghume.exe
O4 - HKLM\..\RunServices: [Microsoft Auto Update Setup 32] mssetup32.exe
O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKLM\..\RunServices: [Wind0ws Sharing] ssprotecter.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamk032.exe
O4 - HKCU\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Me...ridge-c139.cab
O23 - Service: Mouse Hardware Sync (mousehs) - Unknown owner - C:\WINDOWS\System32\mousehs.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

End of KRC HijackThis Analyzer Log.
====================================================================
#4
1337 C0D3R
Join Date: Mar 2005
Location: Canada
Posts: 1,457
OS: Server 2K3/XP Pro/XP MCE/Win 98/Ubuntu Linux/BackTrack 2
And We're Back!
Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Notes
Few things to take care of here...

Downloads
The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! and install it. DO NOT RUN IT YET
Download EliteBar Removal Tool. DO NOT RUN IT YET
Download Killbox

View Hidden Files and Folders
Go to My Computer > Tools > Folder Options > View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

Stop NT Service Part 1
Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):
C:\windows\System32\mssetup32.exe
C:\windows\system32\1.tmp
c:\windows\system32\temp532.exe
C:\windows\System32\iexplore.exe
c:\windows\system32\elitezhy32.exe
C:\WINDOWS\System32\mousehs.exe

Boot Into Safe Mode
Reboot your system in Safe Mode (by repeatedly tapping the F8 key until the menu appears).

Potential Uninstallations
Click Start > Control Panel > Add / Remove Programs and uninstall the following programs:
EliteToolBar

Start HijackThis Fix
Open HijackThis and click on Scan. Check the following entries (make sure you do not miss any):
R3 - URLSearchHook: (no name) - _{855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O4 - HKLM\..\Run: [Microsoft Auto Update Setup 32] mssetup32.exe
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler] C:\windows\system32\1.tmp
O4 - HKLM\..\Run: [checkrun] c:\windows\system32\elitezhy32.exe
O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\windows\System32\iexplore.exe
O4 - HKLM\..\RunServices: [Network Access] winssh.exe
O4 - HKLM\..\RunServices: [Microsoft Gaming Updater 32] msgame32.exe
O4 - HKLM\..\RunServices: [LOCAL INTERNET WEB DRIVERS FOR WIN32] phqghume.exe
O4 - HKLM\..\RunServices: [Microsoft Auto Update Setup 32] mssetup32.exe
O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKLM\..\RunServices: [Wind0ws Sharing] ssprotecter.exe
O4 - HKCU\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/M...Bridge-c139.cab
O23 - Service: Mouse Hardware Sync (mousehs) - Unknown owner - C:\WINDOWS\System32\mousehs.exe
Please remember to close all other windows, including browsers, then click Fix checked.

Run Downloaded Programs
Extract the EliteBar Removal Tool zip file into the suggested folder and run the file ETRemover_V130.exe. Click the "Kill Elite Toolbar" button.

File/Folder Deletions
Delete the following files indicated in RED and folders indicated in BLUE if they still exist.
C:\windows\EliteToolBar\
These need to be searched for via Start | Search..
winssh.exe
msgame32.exe
phqghume.exe
ssprotecter.exe
msconfig32.exe <-- Be sure to get this one, and not msconfig.exe

Run CleanUp!
Set the program up as follows:
Press the CleanUp! button to start the program. Reboot/logoff when prompted.
Reboot your system in Normal Mode.

Further Scanning
Please run a scan at any 2 of the following sites:
Symantec/Norton
Trend Micro
BitDefender On-Line Virus Scan
Panda ActiveScan
F-Secure
Kaspersky
Make sure that you choose the "fix" or "clean" option when available.

Please post a fresh HijackThis log so that we can check if your system is clean.
#5
Registered User
Join Date: Jul 2005
Posts: 19
OS: winXP
latest log
Here's the latest log as requested after following all instructions :)
Just to note: the step to remove the EliteToolBar from Add/Remove Programs did not work because I could not find it on the list there.

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 6/3/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 8:40:42 AM, on 7/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\wuamk032.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.douglas.bc.ca/
O4 - HKLM\..\Run: [Microsoft Update] wuamk032.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamk032.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

End of KRC HijackThis Analyzer Log.
====================================================================
#6
1337 C0D3R
Join Date: Mar 2005
Location: Canada
Posts: 1,457
OS: Server 2K3/XP Pro/XP MCE/Win 98/Ubuntu Linux/BackTrack 2
And We're Back!
Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Notes
Whoops, I think we missed one!

Downloads
Download Killbox

View Hidden Files and Folders
Go to My Computer > Tools > Folder Options > View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose YES when it asks if you want to reboot):
C:\windows\System32\wuamk032.exe
Reboot your computer now.

Start HijackThis Fix
Open HijackThis and click on Scan. Check the following entries (make sure you do not miss any):
O4 - HKLM\..\Run: [Microsoft Update] wuamk032.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamk032.exe
Please remember to close all other windows, including browsers, then click Fix checked.

Further Scanning
Please run a scan at the following site:
Panda ActiveScan
Make sure that you choose the "fix" or "clean" option when available. You will be given the option to save a log at the end of the scan. SAVE THAT LOG and post it here.

Last edited by skate_punk_21; 07-11-2005 at 10:13 AM.
#7
Registered User
Join Date: Jul 2005
Posts: 19
OS: winXP
latest log after scan
Log from Panda:

Incident | Status | Location
Virus:W32/Gaobot.ITN.worm | Disinfected | Operating system
Spyware:Spyware/BargainBuddy | No disinfected | C:\windows\msxct1.ini
Adware:Adware/nCase | No disinfected | C:\Program Files\180searchassistant
Spyware:Spyware/ISTbar | No disinfected | Windows Registry
Adware:Adware/SAHAgent | No disinfected | C:\windows\System32\SahImages
Adware:Adware/CWS | No disinfected | C:\Documents and Settings\raym\Favorites\Fun & Games
Adware:Adware/EliteBar | No disinfected | C:\windows\System32\elite???32.exe
Spyware:Spyware/Lowzones | No disinfected | C:\UNMT.EXE
Possible Virus. | No disinfected | C:\WINDOWS\SYSTEM\wsop32.exe
Virus:Trj/Zapchast.AB | Disinfected | C:\WINDOWS\autoexeip.cmd
Adware:Adware/MediaTickets | No disinfected | C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\IBL0789B\BoOtIoS2[2].exe[2366.reg]
Adware:Adware/WUpd | No disinfected | C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\IBL0789B\BoOtIoS2[2].exe[yahooredirect.html]
Adware:Adware/WUpd | No disinfected | C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\IBL0789B\BoOtIoS2[2].exe[msnredirect.html]
Virus:Trj/Zapchast.AB | No disinfected | C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\IBL0789B\BoOtIoS2[2].exe[autoexeip.cmd]
Virus:W32/Oddbob.D.worm | Disinfected | C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\89YRO927\stuff[1].exe
Virus:W32/Gaobot.gen.worm | Disinfected | C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\89YRO927\***[1].exe
Virus:Trj/Zapchast.D | Disinfected | C:\WINDOWS\SYSTEM32\c.bat
Virus:W32/Oddbob.D.worm | Disinfected | C:\WINDOWS\SYSTEM32\zzzxnw2.exe
Virus:Trj/Ranky.DR | Disinfected | C:\WINDOWS\SYSTEM32\qdtwfp.exe
Virus:Trj/Ranky.DR | Disinfected | C:\WINDOWS\SYSTEM32\ozpgumm.exe
Virus:Trj/Ranky.DR | Disinfected | C:\WINDOWS\SYSTEM32\rymfl.exe
Virus:Trj/Ranky.DR | Disinfected | C:\WINDOWS\SYSTEM32\ivihucl.exe
Virus:Trj/Ranky.DR | Disinfected | C:\WINDOWS\SYSTEM32\igcla.exe
Virus:Trj/Ranky.DR | Disinfected | C:\WINDOWS\SYSTEM32\wxjimt.exe
Virus:Trj/Ranky.DR | Disinfected | C:\WINDOWS\SYSTEM32\bfro.exe
Virus:Trj/Ranky.DR | Disinfected | C:\WINDOWS\SYSTEM32\gytdt.exe
Virus:Trj/Ranky.DR | Disinfected | C:\WINDOWS\SYSTEM32\nopgh.exe
Virus:Trj/Ranky.DR | Disinfected | C:\WINDOWS\SYSTEM32\jcth.exe
Virus:Trj/Ranky.DR | Disinfected | C:\WINDOWS\SYSTEM32\kgvj.exe
Virus:Trj/Ranky.DR | Disinfected | C:\WINDOWS\SYSTEM32\snyt.exe
Virus:Trj/Ranky.DR | Disinfected | C:\WINDOWS\SYSTEM32\eelnkz.exe
Virus:Trj/Ranky.DR | Disinfected | C:\WINDOWS\SYSTEM32\vqvnhxcs.exe
Virus:Trj/Ranky.DR | Disinfected | C:\WINDOWS\SYSTEM32\nxhs.exe
Virus:Trj/Ranky.DR | Disinfected | C:\WINDOWS\SYSTEM32\jaxz.exe
Virus:Trj/Ranky.DR | Disinfected | C:\WINDOWS\SYSTEM32\svfwpcgg.exe
Virus:Trj/Ranky.DR | Disinfected | C:\WINDOWS\SYSTEM32\mhytqr.exe
Virus:Trj/Ranky.DR | Disinfected | C:\WINDOWS\SYSTEM32\kmodbm.exe
Virus:Trj/Ranky.DR | Disinfected | C:\WINDOWS\SYSTEM32\mspznofj.exe
Virus:Trj/Ranky.DR | Disinfected | C:\WINDOWS\SYSTEM32\rrdvujp.exe
Virus:Trj/Ranky.DR | Disinfected | C:\WINDOWS\SYSTEM32\vfvecj.exe
Virus:Trj/Ranky.DR | Disinfected | C:\WINDOWS\SYSTEM32\fdodiadu.exe
Virus:Trj/Ranky.DR | Disinfected | C:\WINDOWS\SYSTEM32\licqzfvb.exe
Virus:Trj/Ranky.DR | Disinfected | C:\WINDOWS\SYSTEM32\absp.exe
Virus:Trj/Ranky.DR | Disinfected | C:\WINDOWS\SYSTEM32\psqr.exe
Virus:Trj/Ranky.DR | Disinfected | C:\WINDOWS\SYSTEM32\nfko.exe
Virus:Trj/Ranky.DR | Disinfected | C:\WINDOWS\SYSTEM32\zctkjq.exe
Virus:Trj/Ranky.DR | Disinfected | C:\WINDOWS\SYSTEM32\wjzc.exe
Virus:Trj/Ranky.DR | Disinfected | C:\WINDOWS\SYSTEM32\xrqi.exe
Virus:Trj/Ranky.DR | Disinfected | C:\WINDOWS\SYSTEM32\hkodo.exe
Virus:Trj/Ranky.DR | Disinfected | C:\WINDOWS\SYSTEM32\yvngg.exe
Virus:Trj/Ranky.DR | Disinfected | C:\WINDOWS\SYSTEM32\sufvtb.exe
Virus:Trj/Ranky.DR | Disinfected | C:\WINDOWS\SYSTEM32\whmeu.exe
Virus:Trj/Ranky.DR | Disinfected | C:\WINDOWS\SYSTEM32\jzbiij.exe
Virus:Bck/Poebot.Q | Disinfected | C:\WINDOWS\SYSTEM32\TFTP1232
Virus:Bck/PoeBot.B | Disinfected | C:\WINDOWS\SYSTEM32\TFTP3272
Virus:W32/Parite.B | Disinfected | C:\WINDOWS\SYSTEM32\lssas.exe
Virus:Trj/Ranky.DR | Disinfected | C:\WINDOWS\SYSTEM32\xzbizl.exe
Virus:Trj/Ranky.DR | Disinfected | C:\WINDOWS\SYSTEM32\aenhzewv.exe
Virus:Trj/Ranky.DR | Disinfected | C:\WINDOWS\SYSTEM32\swtv.exe
Virus:Trj/Ranky.DR | Disinfected | C:\WINDOWS\SYSTEM32\dgasmifw.exe
Virus:Trj/Ranky.DR | Disinfected | C:\WINDOWS\SYSTEM32\kgowpl.exe
Virus:Bck/PoeBot.B | Disinfected | C:\WINDOWS\SYSTEM32\Isass.exe
Virus:Trj/Ranky.DR | Disinfected | C:\WINDOWS\SYSTEM32\xfeomts.exe
Virus:W32/Gaobot.ISH.worm | Disinfected | C:\WINDOWS\SYSTEM32\winssh.exe
Virus:W32/Sdbot.ftp | Disinfected | C:\WINDOWS\SYSTEM32\i
Virus:W32/Sdbot.EED.worm | Disinfected | C:\WINDOWS\SYSTEM32\eraseme_88327.exe
Adware:Adware/EliteBar | No disinfected | C:\WINDOWS\SYSTEM32\elitezwu32.exe
Adware:Adware/EliteBar | No disinfected | C:\WINDOWS\SYSTEM32\temperror32.dat
Possible Virus. | No disinfected | C:\WINDOWS\SYSTEM32\kimo.exe
Adware:Adware/EliteBar | No disinfected | C:\WINDOWS\SYSTEM32\eliterfi32.exe
Virus:W32/Gaobot.gen.worm | Disinfected | C:\WINDOWS\SYSTEM32\msgame32.exe
Virus:W32/Codbot.AV.worm | Disinfected | C:\WINDOWS\SYSTEM32\Netlib.exe
Virus:W32/Sdbot.EGZ.worm | Disinfected | C:\WINDOWS\SYSTEM32\phqghume.exe
Adware:Adware/SAHAgent | No disinfected | C:\WINDOWS\SYSTEM32\djl0qakp.exe
Adware:Adware/SAHAgent | No disinfected | C:\WINDOWS\SYSTEM32\93ouddi5.dll
Virus:W32/Gaobot.gen.worm | Disinfected | C:\WINDOWS\SYSTEM32\xS.exe
Virus:W32/Gaobot.gen.worm | Disinfected | C:\WINDOWS\SYSTEM32\winlogin.exe
Virus:W32/Sdbot.EED.worm | Disinfected | C:\WINDOWS\SYSTEM32\eraseme_44087.exe
Virus:W32/Sdbot.EED.worm | Disinfected | C:\WINDOWS\SYSTEM32\eraseme_24232.exe
Adware:Adware/EliteBar | No disinfected | C:\WINDOWS\SYSTEM32\elitezhy32.exe
Virus:W32/Gaobot.gen.worm | Disinfected | C:\WINDOWS\SYSTEM32\mssetup32.exe
Adware:Adware/WUpd | No disinfected | C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll
Adware:Adware/WUpd | No disinfected | C:\WINDOWS\Downloaded Program Files\CONFLICT.1\MediaGatewayX.dll
Adware:Adware/WUpd | No disinfected | C:\WINDOWS\Downloaded Program Files\CONFLICT.2\MediaGatewayX.dll
Virus:W32/Sdbot.EED.worm | Disinfected | C:\WINDOWS\winmon.exe
Adware:Adware/SAHAgent | No disinfected | C:\WINDOWS\d51i04sp.exe
Adware:Adware/MediaTickets | No disinfected | C:\WINDOWS\2366.reg
Adware:Adware/WUpd | No disinfected | C:\WINDOWS\yahooredirect.html
Adware:Adware/WUpd | No disinfected | C:\WINDOWS\msnredirect.html
Spyware:Spyware/BargainBuddy | No disinfected | C:\WINDOWS\msxct1.ini
Adware:Adware/Lop | No disinfected | C:\My Documents\RESCUE\new_uninstall.exe
Adware:Adware/WUpd | No disinfected | C:\Program Files\Media Gateway\MediaGateway.exe
Adware:Adware/nCase | No disinfected | C:\Program Files\180searchassistant\salmhook.dll
Adware:Adware/nCase | No disinfected | C:\Program Files\180searchassistant\sais.exe
Adware:Adware/nCase | No disinfected | C:\Program Files\180searchassistant\saishook.dll
Possible Virus. | No disinfected | C:\Program Files\SurfAccuracy\SAccU.exe
Spyware:Spyware/XXXToolbar | No disinfected | C:\FOUND.000\FILE0000.CHK
Adware:Adware/EliteBar | No disinfected | C:\FOUND.002\FILE0004.CHK
Virus:Trj/LowZones.BB | No disinfected | C:\l9uk7fh.exe[kansup.reg]
Spyware:Spyware/ISTbar | No disinfected | C:\l9uk7fh.exe[update.html]
Virus:Trj/LowZones.BB | No disinfected | C:\l9uk7fh.exe[kans.reg]
Spyware:Spyware/Lowzones | No disinfected | C:\UNMT.exe
Adware:Adware/MediaTickets | No disinfected | C:\UNMT.exe[2366.reg]
Adware:Adware/WUpd | No disinfected | C:\UNMT.exe[yahooredirect.html]
Adware:Adware/WUpd | No disinfected | C:\UNMT.exe[msnredirect.html]
Virus:Trj/Zapchast.AB | No disinfected | C:\UNMT.exe[autoexeip.cmd]
#8
1337 C0D3R
Join Date: Mar 2005
Location: Canada
Posts: 1,457
OS: Server 2K3/XP Pro/XP MCE/Win 98/Ubuntu Linux/BackTrack 2
And We're Back!
Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Notes
To make sure we get these files let's hit them manually, ok??

Downloads
Download EliteBar Removal Tool. Extract the files and run the program, select "About" from the menu and then "Check for updates". CLOSE THIS PROGRAM NOW

View Hidden Files and Folders
Go to My Computer > Tools > Folder Options > View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

Boot Into Safe Mode
Reboot your system in Safe Mode (by repeatedly tapping the F8 key until the menu appears).

Potential Uninstallations
Click Start > Control Panel > Add / Remove Programs and uninstall the following programs:
180 Search assistant

Run Downloaded Programs...
Run ETRemover_v130.exe and click "kill elite toolbar".

File/Folder Deletions
Delete the following files indicated in RED and folders indicated in BLUE if they still exist.
C:\windows\msxct1.ini
C:\Program Files\180searchassistant
C:\windows\System32\SahImages
C:\Documents and Settings\raym\Favorites\Fun & Games
C:\WINDOWS\SYSTEM\wsop32.exe
C:\WINDOWS\SYSTEM32\temperror32.dat
C:\WINDOWS\SYSTEM32\kimo.exe
C:\WINDOWS\SYSTEM32\msgame32.exe
C:\WINDOWS\SYSTEM32\djl0qakp.exe
C:\WINDOWS\SYSTEM32\93ouddi5.dll
C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\MediaGatewayX.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\MediaGatewayX.dll
C:\WINDOWS\d51i04sp.exe
C:\WINDOWS\2366.reg
C:\WINDOWS\yahooredirect.html
C:\WINDOWS\msnredirect.html
C:\WINDOWS\msxct1.ini
C:\My Documents\RESCUE\new_uninstall.exe
C:\Program Files\Media Gateway\MediaGateway.exe
C:\Program Files\SurfAccuracy\SAccU.exe
C:\FOUND.000\FILE0000.CHK
C:\FOUND.002\FILE0004.CHK
C:\l9uk7fh.exe
C:\UNMT.exe
Reboot your system in Normal Mode.

Further Scanning
Please run a scan at any 2 of the following sites:
Symantec/Norton
Trend Micro
BitDefender On-Line Virus Scan
Panda ActiveScan
F-Secure
Kaspersky
Make sure that you choose the "fix" or "clean" option when available.

Please post a fresh HijackThis log so that we can check if your system is clean. How are things feeling now?
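The Panda report in post #7 arrived flattened, and in post #8 the helper compiled its "No disinfected" entries into a deletion list by hand: archive members such as C:\UNMT.exe[2366.reg] were folded into the file that contains them, and C:\windows\msxct1.ini appears twice because the report spells the path in two cases. The Python below is an added example, not part of this thread or of Panda's tooling: it splits the flattened text back into (incident, status, location) records and builds the same kind of worklist, de-duplicated case-insensitively, with "Operating system" and "Windows Registry" set aside because they are not files. The record layout it expects is inferred from the report as posted, and the sample is a constructed subset of it.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: a subset of the records from the Panda ActiveScan report in
# post #7, in the flattened "Incident Status Location ..." form the forum rendered.
SAMPLE_REPORT = r"""Incident Status Location Virus:W32/Gaobot.ITN.worm Disinfected Operating system Spyware:Spyware/BargainBuddy No disinfected C:\windows\msxct1.ini Spyware:Spyware/ISTbar No disinfected Windows Registry Adware:Adware/EliteBar No disinfected C:\windows\System32\elite???32.exe Spyware:Spyware/Lowzones No disinfected C:\UNMT.EXE Possible Virus. No disinfected C:\WINDOWS\SYSTEM\wsop32.exe Virus:Trj/Zapchast.AB Disinfected C:\WINDOWS\autoexeip.cmd Adware:Adware/MediaTickets No disinfected C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\IBL0789B\BoOtIoS2[2].exe[2366.reg] Virus:W32/Gaobot.gen.worm Disinfected C:\WINDOWS\SYSTEM32\mssetup32.exe Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\msxct1.ini Adware:Adware/MediaTickets No disinfected C:\UNMT.exe[2366.reg] Virus:Trj/Zapchast.AB No disinfected C:\UNMT.exe[autoexeip.cmd]"""

@dataclass
class Record:
    incident: str   # detection name, e.g. "Adware:Adware/EliteBar" or "Possible Virus."
    status: str     # "Disinfected" or "No disinfected" (Panda's wording)
    location: str   # file path, archive member "file[member]", or a non-file area

# Detection names in the report carry a category prefix; "Possible Virus." has none.
INCIDENT = r"(?:Virus|Adware|Spyware|Trojan|Dialer|Hacktool):\S+|Possible Virus\."
STATUS = r"No disinfected|Disinfected"
# A location runs until the next "<incident> <status>" pair or the end of the text,
# which is what lets paths containing spaces survive the flattening.
RECORD_RE = re.compile(
    rf"(?P<incident>{INCIDENT})\s+(?P<status>{STATUS})\s+"
    rf"(?P<location>.+?)(?=\s+(?:{INCIDENT})\s+(?:{STATUS})|\s*$)"
)
ARCHIVE_MEMBER_RE = re.compile(r"^(?P<container>.+?\.\w+)\[[^\]]+\]$")
NON_FILE_LOCATIONS = {"operating system", "windows registry"}

def parse_report(text: str) -> list[Record]:
    flat = " ".join(text.split())  # accept the flattened form or one record per line
    return [Record(m["incident"], m["status"], m["location"]) for m in RECORD_RE.finditer(flat)]

def container_of(location: str) -> str:
    """Map an archive member such as C:\\UNMT.exe[2366.reg] to the file that holds it."""
    m = ARCHIVE_MEMBER_RE.match(location)
    return m["container"] if m else location

def worklist(text: str) -> list[str]:
    """Files the scanner reported but could not clean, one entry per on-disk file."""
    remaining: dict[str, str] = {}
    for rec in parse_report(text):
        if rec.status != "No disinfected" or rec.location.lower() in NON_FILE_LOCATIONS:
            continue
        path = container_of(rec.location)
        remaining.setdefault(path.lower(), path)  # Windows paths are case-insensitive; keep first spelling
    return sorted(remaining.values(), key=str.lower)

def summary(text: str) -> dict[str, int]:
    recs = parse_report(text)
    return {
        "records": len(recs),
        "disinfected": sum(r.status == "Disinfected" for r in recs),
        "not_disinfected": sum(r.status == "No disinfected" for r in recs),
        "files_to_handle": len(worklist(text)),
    }

if __name__ == "__main__":
    print(summary(SAMPLE_REPORT))
    for path in worklist(SAMPLE_REPORT):
        note = "  (pattern, not a single file)" if "?" in path else ""
        print(path + note)
```

Entries with "?" in them (elite???32.exe above) are left in the list as patterns rather than expanded, since only a search on the machine can tell which files they stand for; registry-only detections are counted in the summary but deliberately kept out of the file list.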
#9
Registered User
Join Date: Jul 2005
Posts: 19
OS: winXP
latest log
Log was analyzed using KRC HijackThis Analyzer - Updated on 6/3/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 2:08:57 PM, on 7/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.douglas.bc.ca/
O4 - HKLM\..\Run: [SYSTRAY] C:\UNMT.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

End of KRC HijackThis Analyzer Log.
===============================================
#10
1337 C0D3R
Join Date: Mar 2005
Location: Canada
Posts: 1,457
OS: Server 2K3/XP Pro/XP MCE/Win 98/Ubuntu Linux/BackTrack 2
Congratulations Your Log is Clean!!
If anything still seems amiss tell me NOW!!

System Restore
Turn off System Restore by clicking Start > right-click My Computer and then click Properties. Click the System Restore tab > check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this. Click OK. Reboot your system.
Turn on System Restore by clicking Start. Right-click My Computer, and then click Properties. Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives." Click Apply, and then OK.

Windows Updates
I highly recommend making the upgrade to Windows XP Service Pack 2. Since you're junkware free, the time to get it is NOW. Service Pack 2 is a MAJOR upgrade for XP. It is chock full of security patches and such, as well it comes with a Free Popup Blocker!!!!!

Preventative Measures
This is a good time to set up protection against further attacks. Read How Did I Get Infected In The First Place?. Also consider...
You should also have a good firewall. Here are 3 free ones available for personal use:

How is she running now? Any further problems? If not, good work, and Happy Computing!