Tech Support banner

Status
Not open for further replies.
1 - 6 of 6 Posts

·
Registered
Joined
·
255 Posts
Discussion Starter #1
Logfile of HijackThis v1.99.1
Scan saved at 00:09:05, on 06/11/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\WINNT\Mixer.exe
C:\WINNT\loadqm.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-gb\msnappau.exe
C:\WINNT\System32\SVCHOSTE.EXE
C:\WINNT\System32\internat.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\System32\BHSV.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
C:\WINNT\System32\BHSV.EXE

F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: 209.190.4.218 www.halifax-online.co.uk
O1 - Hosts: 209.190.4.218 ibank.barclays.co.uk
O1 - Hosts: 209.190.4.218 online.lloydstsb.co.uk
O1 - Hosts: 209.190.4.218 online-business.lloydstsb.co.uk
O1 - Hosts: 209.190.4.218 www.ukpersonal.hsbc.co.uk
O1 - Hosts: 209.190.4.218 www.nwolb.com
O1 - Hosts: 209.190.4.218 banesnet.banesto.es
O1 - Hosts: 209.190.4.218 extranet.banesto.es
O1 - Hosts: 209.190.4.218 ebanking.bccbrescia.it
O1 - Hosts: 209.190.4.218 www.bankofscotlandhalifax-online.co.uk
O1 - Hosts: 209.190.4.218 www.rbsdigital.com
O1 - Hosts: 209.190.4.218 oi.cajamadrid.es
O1 - Hosts: 209.190.4.218 bancae.caixapenedes.com
O1 - Hosts: 209.190.4.218 banking.postbank.de
O1 - Hosts: 209.190.4.218 meine.deutsche-bank.de
O1 - Hosts: 209.190.4.218 myonlineaccounts2.abbeynational.co.uk
O1 - Hosts: 209.190.4.218 ibank.cahoot.com
O1 - Hosts: 209.190.4.218 webbank.openplan.co.uk
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [Updaterd] SVCHOSTE.EXE
O4 - HKLM\..\Run: [Browser Help Svc] BHSV.EXE
O4 - HKLM\..\RunServices: [Updaterd] SVCHOSTE.EXE
O4 - HKLM\..\RunServices: [Detect] C:\Program Files\iNTERNET Turbo\iDetect.exe /auto
O4 - HKLM\..\RunServices: [Browser Help Svc] BHSV.EXE
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [SVCH Service] svch32.pif
O4 - HKCU\..\Run: [Updaterd] SVCHOSTE.EXE
O4 - HKCU\..\Run: [Browser Help Svc] BHSV.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunServices: [SVCH Service] svch32.pif
O4 - HKCU\..\RunServices: [Updaterd] SVCHOSTE.EXE
O4 - HKCU\..\RunServices: [Browser Help Svc] BHSV.EXE
O4 - Global Startup: Go!Zilla.lnk = C:\Program Files\Go!Zilla\gozilla.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O17 - HKLM\System\CCS\Services\Tcpip\..\{83B87314-1FEA-425F-97A2-FC48F74462A6}: NameServer = 213.120.62.101 213.120.62.100
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Defragmentation Management Handler (FAT Defragmentation) - Unknown owner - C:\WINNT\System32\dfrgfat32.exe
 

·
Registered
Joined
·
1,462 Posts
Please print out or save this page to your desktop in order to assist you when carrying out the following instructions.

Downloads
Download Killbox DO NOT RUN IT YET

Download Hoster
DO NOT USE IT YET


Boot Into Safe Mode
Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.


View Hidden Files and Folders
Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.


Start HijackThis Fix
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

O4 - HKLM\..\Run: [Updaterd] SVCHOSTE.EXE
O4 - HKLM\..\Run: [Browser Help Svc] BHSV.EXE
O4 - HKLM\..\RunServices: [Updaterd] SVCHOSTE.EXE
O4 - HKLM\..\RunServices: [Browser Help Svc] BHSV.EXE
O4 - HKCU\..\Run: [SVCH Service] svch32.pif
O4 - HKCU\..\Run: [Updaterd] SVCHOSTE.EXE
O4 - HKCU\..\Run: [Browser Help Svc] BHSV.EXE
O4 - HKCU\..\RunServices: [SVCH Service] svch32.pif
O4 - HKCU\..\RunServices: [Updaterd] SVCHOSTE.EXE
O4 - HKCU\..\RunServices: [Browser Help Svc] BHSV.EXE

Please remember to close all other windows, including browsers then click Fix checked.


Run Downloaded Programs
Open up the Host program.
  • Make sure that the "make hosts writable?" button in the upper right corner is enabled.
  • Click back up Host files
  • then click Restore orginal host files
  • then click the "make host Read Only?" button in the upper right corner.
  • close program

Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot) Click Yes at the 'Pending Operations prompt'. if you see it:
C:\WINNT\System32\SVCHOSTE.EXE
C:\WINNT\System32\BHSV.EXE
C:\winnt\system32\svch32.pif

Reboot your system in Normal Mode.


Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Click Scan Now
  3. Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Click on see report. Then click Save report
Post the contents of the report in your next reply along with a new HJT log

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan


Please post a fresh HijackThis log & the Log from Panda so that we can check if your system is clean.


SIDENOTE: Please zip up the contents of either C:\!submit or C:\!killbox (whichever appears) and send me a PM through the messaging system of this site with that zip file attached.
 

·
Registered
Joined
·
255 Posts
Discussion Starter #3
I did all up to the Panda, for some reason i cant do the scan in Firefox and my IE says theres a error on the page and wont let me click the button 2 scan, also it seems to have knocked my IE from v. 6 down to v. 5

is there a alternete way?
 

·
Registered
Joined
·
1,462 Posts
Welcome,
Please follow the instructions provided, you may want to print out these instructions and use them as a reference.

Please download ewido security suite it is a free version of the program.
  1. Install ewido security suite
  2. When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  3. Launch ewido, there should be an icon on your desktop, double-click it.
  4. The program will now open to the main screen.
  5. When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  6. You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  7. The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display ("Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates


Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.


Open Ewido and do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido security suite.

Reboot and post that log here as well as a Fresh HijackThis Log.
 

·
Registered
Joined
·
255 Posts
Discussion Starter #5
Results

Logfile of HijackThis v1.99.1
Scan saved at 00:09:17, on 09/11/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [Microsoft IIS] C:\WINNT\system32\syshost.exe
O4 - HKLM\..\RunServices: [Detect] C:\Program Files\iNTERNET Turbo\iDetect.exe /auto
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Defragmentation Management Handler (FAT Defragmentation) - Unknown owner - C:\WINNT\System32\dfrgfat32.exe
 

Attachments

·
TSF Security Team, Emeritus
Joined
·
6,962 Posts
Hi and Welcome to TSF

Please update to IE6!!

Before attacking an adware/spyware problem with hijackthis make sure you have already run the following tools. Download and update the databases on each program before running.

Also make sure you are using the the latest version (1.99.1) of HijackThis and it's installed in it's own folder on the root drive. (C:\HJT)

Download and install CleanUp! but do not run it yet.

*WARNING* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.


Open My Computer-->Tools-->Folder Options-->View-->Under the Hidden files and folders heading select Show hidden files and folders. Uncheck the Hide protected operating system files and click YES and then OK.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers.

Go to Start->Run and type Services.msc then hit Ok

Scroll down and find the service called: Defragmentation Management Handler (FAT Defragmentation)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.


Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry)

O4 - HKLM\..\Run: [Microsoft IIS] C:\WINNT\system32\syshost.exe
O23 - Service: Defragmentation Management Handler (FAT Defragmentation) - Unknown owner - C:\WINNT\System32\dfrgfat32.exe


C:\WINNT\System32\dfrgfat32.exe<--delete that file

C:\WINNT\system32\syshost.exe<--delete that file. CAREFUL and make sure you get the one with the "Y" in it and not the legit one.

Run Ewido again...and let it clean the PC.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
    [X]Scan local drives for temporary files (Please uncheck this option)
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Once back to normal windows.....

Please download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).
  • Save it to your desktop.
  • Double-click the new icon on your desktop (tmas-web-scan.exe)
  • It will say "Loading TrendMicro definitions".
  • Once the definitions are loaded, the program will appear to close then re-open.
  • Click "Start Scan"
  • After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.

Reboot your computer. In place of the TrendMicro icon will be a text file called "Antispyware.log".

I then need you to repeat the same procedure above again... using the TrendMicro scan tool. I need the log from the second scan/clean...NOT the first...as this will contain what’s left in the system.

So I need these logs....

Trendmicro log
Hijackthis log
 
1 - 6 of 6 Posts
Status
Not open for further replies.
Top