Tech Support banner

Status
Not open for further replies.
1 - 2 of 2 Posts

·
Registered
Joined
·
208 Posts
Discussion Starter #1 (Edited)
Logfile of HijackThis v1.99.1
Scan saved at 7:37:48 PM, on 10/26/2005
Platform: Windows XP SP2, v.2149 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2149)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\popuper.exe
C:\WINDOWS\system32\shnlog.exe
C:\WINDOWS\system32\msole32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\WINDOWS\system32\intmonp.exe
C:\WINDOWS\system32\intmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\kawooshi\Desktop\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.flxzmzmruyyrtpukcojsp.ne...Zq7lr3LFAwPnbNH/q8JdeT8qfIOIeemEwgm_fJ4l9.asp
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\system32\hpEFD6.tmp
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\system32\intell32.exe
O4 - HKLM\..\Run: [P.S.Guard] C:\Program Files\P.S.Guard\PSGuard.exe
O4 - HKLM\..\Run: [DefyCloseMapiBags] C:\Documents and Settings\All Users\Application Data\BALL ATOM DEFY CLOSE\SIZEBIN.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [InsideGreat] C:\DOCUME~1\kawooshi\APPLIC~1\DOESTI~1\Rect Plan.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: sdkebnws29ucx.dll
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
 

·
TSF Security Team, Emeritus
Joined
·
26,363 Posts
Hello and Welcome to TSF!

Please subscribe to this thread to get immediate notification of fixes as soon as they are posted.


Please create a new directory - C:\PROGRAM FILES\HIJACKTHIS\
Re-locate your HijackThis files to the new directory


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Please download these additional files/programs. Do not run them unless instructed to do so.
Unless otherwise stated, they should be stored in same directory as the HiJackThis program.

smitRem.exe - extract it to it's own folder.

KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175)

CleanUp!.exe - Install

Ewido Security Suite
  • Install Ewido Security Suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
  • On the left hand side of the main screen click update.
  • Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.
If you have not already installed Ad-Aware SE 1.06, download and update aawsepersonal.exe


'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING


This webpage would not be available when you're carrying out the fix. Please save the following instructions in Notepad. I have customed my instructions on the assumption that you are using Notepad. It may lead to some confusion should you choose to do otherwise.

If there's anything that you don't understand, kindly ask your questions before proceeding with the fixes. There should not be any opened browsers when you are carrying out the procedures below.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Go to Windows Control Panel>Add/Remove Programs
  • Uninstall Messenger Plus! 3
  • The "Messenger Plus! - Setup" is now displayed.
  • Click on the Uninstall button. (options displayed on the first screen isn't related to the sponsor program)
  • The sponsor screen is now displayed (if not seen, search for it in your Task Bar).
  • To prove that someone is currently reading the screen, you have to type the code that is displayed.
  • Once you enter the code, press "Uninstall".
  • Answer Yes when prompted to uninstall.
  • Complete the uninstallation by following the instructions that are displayed


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

With HiJackThis & place a check next to these items and select "Fix checked":

IR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.flxzmzmruyyrtpukcojsp.ne...mEwgm_fJ4l9.asp
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [DefyCloseMapiBags] C:\Documents and Settings\All Users\Application Data\BALL ATOM DEFY CLOSE\SIZEBIN.exe
O4 - HKCU\..\Run: [InsideGreat] C:\DOCUME~1\kawooshi\APPLIC~1\DOESTI~1\Rect Plan.exe
O20 - AppInit_DLLs: sdkebnws29ucx.dll



* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Launch KillBox.exe & select the following options:
  • delete on Reboot
Select all the filenames below & then right-click & select Copy
  • C:\WINDOWS\popuper.exe
    C:\Windows\system32\sdkebnws29ucx.dll
* Go to the File menu, and choose Paste from Clipboard
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again.
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Next, reboot your computer in SafeMode :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.
  • Tick - Show hidden files and folder
  • Untick - Hide file extensions for known types
  • Untick - Hide protected operating system files
Click Yes to confirm & then click OK

Locate and delete the following folders, if present:
  • C:\Program Files\MessengerPlus! 3\
    C:\Documents and Settings\All Users\Application Data\BALL ATOM DEFY CLOSE\
    C:\DOCUME~1\kawooshi\APPLIC~1\DOESTI~1\

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
    [*]Delete Newsgroup Subscriptions
    [*]Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Open Ad-aware and close ALL other windows.

1. Click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window:
  • In the General window make sure the following are selected in green:
    • Automatically save log-file
    • Automatically quarantine objects prior to removal
    • Safe Mode (always request confirmation)
    • Prompt to update outdated definitions - set the number of days = 7

  • Click on the Scanning button on the left and select in green:
    • Scan Within Archives
    • Under Select drives & folders to scan:
      • choose all hard drives
    • Scan Active Processes
    • Scan Registry
    • Deep Scan Registry
    • Scan my IE favorites for banned URL’s
    • Scan my Hosts file

  • Click on the Advanced button on the left and select in green:
    • Move deleted files to recycle bin
    • include addtional object information
    • DeSelect - include negligible objects information
    • Don't log streams smaller than 0 bytes
    • Don't log ADS with the following names: CA_INOCULATEIT

  • Click the Tweak button:
    • Under Scanning Engine:
      • Unload recognized processes during scanning
      • Ignore spanned files when scanning cab archives
      • Scan registry for all users instead of current user only
    • Under Cleaning Engine:
      • Let Windows remove files in use at next reboot
    • Under Log Files:
      • Include basic Ad-aware SE settings in logfile
      • Include additional Ad-aware SE settings in logfile
      • Include computer & username in logfile
      • Please DeSelect: Include Module list in logfile
2. Click on Proceed to save the settings.
3. Click Start
4. Choose - Perform Full System Scan
5. DeSelect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.
6. Click Next and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.
7. If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window
8. Right-click on the list and choose Select All
9. Click Next to finish removing the items that were found


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Run Ewido with it's updated definitions:(...it's important that all windows must be closed)
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • .Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Next go to Control Panel click Display>Desktop>Customize Desktop>Website>Uncheck "Security Info" if present.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


REBOOT TO NORMAL MODE


Perform an online scan with Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner
  1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Click Scan Now
  3. Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Click on see report. Then click Save report
Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan



* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Download fl.zip.
Extract the contents to a new folder on Desktop. (do NOT run it from within the zip file)
Within the folder, locate & double-click fl.bat.
It should produce a report at c:\findlop.txt. Post the contents of the report in your next reply


In your next post, please include fresh copies of:
  • HiJackThis log
    [*] Online scan
    [*] Smitfiles.txt
    [*] Ewido's log
    [*] Findlop.txt
Let us know if any problems persist.
 
1 - 2 of 2 Posts
Status
Not open for further replies.
Top