I have a ton of viruses. I have AntiVir, and I've done a Panda scan and also run HijackThis. Here are the logs.

Logfile of HijackThis v1.99.1
Scan saved at 10:16:20 PM, on 10/10/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\LXSUPMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\SUPPORT.COM\CLIENT\BIN\TGCMD.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SONY\VAIO ACTION SETUP\VASERV.EXE
C:\PROGRAM FILES\NIKON\NKVIEW5\NKVMON.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\CDA\GAMEDRVR.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_7_0.DLL (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_7_0.DLL (file missing)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [tgcmd] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [stratas] LOCKX.EXE
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [NAV Premend OEM Utility] D:\0107301.SYM\PREMEND.EXE -silent
O4 - HKLM\..\Run: [AVGCtrl] "C:\PROGRA~1\AVPERS~1\AVGCTRL.EXE" /min
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [stratas] LOCKX.EXE
O4 - HKCU\..\Run: [stratas] LOCKX.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: VAIO Action Setup (Server).lnk = C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: Yahoo! Chinese Checkers - http://download.games.yahoo.com/games/clients/y/cct0_x.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://playweb13.pogo.com/game/deluxe/zuma/popcaploader_v6.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

Incident Status Location

Hacktool:hacktool/rootkit.n No disinfected C:\WINDOWS\SYSTEM\msdirectx.sys
Hacktool:HackTool/Rootkit.C No disinfected C:\_RESTORE\TEMP\A0020887.CPY
Hacktool:HackTool/Rootkit.C No disinfected C:\_RESTORE\TEMP\A0020877.CPY
Virus:W32/Sdbot.EFG.worm Disinfected C:\_RESTORE\TEMP\A0020878.CPY
Virus:W32/Sdbot.EFG.worm Disinfected C:\_RESTORE\TEMP\A0020888.CPY
Hacktool:HackTool/Rootkit.C No disinfected C:\_RESTORE\TEMP\A0020889.CPY
Virus:W32/Sdbot.EFG.worm Disinfected C:\_RESTORE\TEMP\A0020890.CPY
Hacktool:HackTool/Rootkit.C No disinfected C:\_RESTORE\TEMP\A0020910.CPY
Virus:W32/Sdbot.EFG.worm Disinfected C:\_RESTORE\TEMP\A0020911.CPY
Hacktool:HackTool/Rootkit.C No disinfected C:\_RESTORE\TEMP\A0021183.CPY
Virus:W32/Sdbot.EFG.worm Disinfected C:\_RESTORE\TEMP\A0021184.CPY
Hacktool:HackTool/Rootkit.C No disinfected C:\_RESTORE\TEMP\A0021189.CPY
Virus:W32/Sdbot.EFG.worm Disinfected C:\_RESTORE\TEMP\A0021190.CPY
Hacktool:HackTool/Rootkit.C No disinfected C:\_RESTORE\TEMP\A0021191.CPY
Virus:W32/Sdbot.EFG.worm Disinfected C:\_RESTORE\TEMP\A0021192.CPY
Hacktool:HackTool/Rootkit.C No disinfected C:\_RESTORE\TEMP\A0021193.CPY
Virus:W32/Sdbot.EFG.worm Disinfected C:\_RESTORE\TEMP\A0021194.CPY
Hacktool:HackTool/Rootkit.C No disinfected C:\_RESTORE\TEMP\A0021464.CPY
Virus:W32/Sdbot.EFG.worm Disinfected C:\_RESTORE\TEMP\A0021465.CPY
Virus:W32/Sdbot.EFG.worm No disinfected C:\_RESTORE\ARCHIVE\FS150.CAB[A0020472.CPY]
Virus:Bck/IRCBot.MK No disinfected C:\_RESTORE\ARCHIVE\FS150.CAB[A0020473.CPY]
Hacktool:HackTool/Rootkit.C No disinfected C:\_RESTORE\ARCHIVE\FS155.CAB[A0020830.CPY]
Virus:W32/Sdbot.EFG.worm No disinfected C:\_RESTORE\ARCHIVE\FS155.CAB[A0020831.CPY]
Hacktool:HackTool/Rootkit.C No disinfected C:\_RESTORE\ARCHIVE\FS156.CAB[A0020832.CPY]
Virus:W32/Sdbot.EFG.worm No disinfected C:\_RESTORE\ARCHIVE\FS156.CAB[A0020833.CPY]
Hacktool:HackTool/Rootkit.C No disinfected C:\_RESTORE\ARCHIVE\FS157.CAB[A0020853.CPY]
Virus:W32/Sdbot.EFG.worm No disinfected C:\_RESTORE\ARCHIVE\FS157.CAB[A0020854.CPY]
Hacktool:HackTool/Rootkit.C No disinfected C:\_RESTORE\ARCHIVE\FS151.CAB[A0020504.CPY]
Virus:W32/Sdbot.EFG.worm No disinfected C:\_RESTORE\ARCHIVE\FS151.CAB[A0020505.CPY]
Hacktool:HackTool/Rootkit.C No disinfected C:\_RESTORE\ARCHIVE\FS154.CAB[A0020791.CPY]
Virus:W32/Sdbot.EFG.worm No disinfected C:\_RESTORE\ARCHIVE\FS154.CAB[A0020792.CPY]
Hacktool:HackTool/Rootkit.C No disinfected C:\_RESTORE\ARCHIVE\FS158.CAB[A0020858.CPY]
Virus:W32/Sdbot.EFG.worm No disinfected C:\_RESTORE\ARCHIVE\FS158.CAB[A0020859.CPY]
Hacktool:HackTool/Rootkit.C No disinfected C:\_RESTORE\ARCHIVE\FS159.CAB[A0020860.CPY]
Virus:W32/Sdbot.EFG.worm No disinfected C:\_RESTORE\ARCHIVE\FS159.CAB[A0020861.CPY]
Hacktool:HackTool/Rootkit.C No disinfected C:\_RESTORE\ARCHIVE\FS160.CAB[A0020862.CPY]
Virus:W32/Sdbot.EFG.worm No disinfected C:\_RESTORE\ARCHIVE\FS160.CAB[A0020863.CPY]
Hacktool:HackTool/Rootkit.C No disinfected C:\_RESTORE\ARCHIVE\FS161.CAB[A0020875.CPY]
Virus:W32/Sdbot.EFG.worm No disinfected C:\_RESTORE\ARCHIVE\FS161.CAB[A0020876.CPY]
Virus:Bck/IRCBot.MK Disinfected C:\WINDOWS\SYSTEM\lockx.exe
Hacktool:HackTool/Rootkit.C No disinfected C:\WINDOWS\SYSTEM\msdirectx.sys
Virus:Bck/IRCBot.MK Disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\6NANIPYF\pic0023[1].com
Adware:Adware/WUpd No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\XNBP75FC\scots_gaelic[1].htm
Virus:W32/Sdbot.EFG.worm Disinfected C:\xz.bat
Hacktool:HackTool/Rootkit.C No disinfected C:\msdirectx.sys

Thanks a bunch!!!!
 

Hi and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible.

You may wish to Subscribe to this thread (Thread Tools) so that you are notified when you receive a reply.

Please be patient with me during this time.
 

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

You are running Hijack This from a temporary directory. It needs to be in a permanent folder. Please go into Windows Explorer, click on C:\ then click on File > New > Folder and call it HJK , or another name of your choice. The program creates backup files that we may need to use later. If the program is in a Temporary folder, files may be deleted by you or automatically if your system is set to empty temp files.

Support.com - Spyware from SupportSoft provided to manufacturers, such as Sony (Vaio Support Agent) and Toshiba (Virtual Tech), and ISPs, such as Comcast, Cox and Charter (Pipeline Support Agent), that allows them to offer on-line support. This part ensures that software is installed correctly. Regarded as spyware as it has the ability to retrieve user information. I would ask your ISP on how to remove it and why they installed it in the first place. Please do not uninstall the program, since it looks like it is required for your internet connection. This especially applies to those who use SBC as their ISP (Internet Service Provider). If they can't/won't resolve this problem for you, then it's time to switch to another provider that doesn't embed this spyware in their program. You will most likely also have BroadJump installed. The same situation applies here also. Try to find out how to remove it from your ISP. Don't uninstall it yourself.

Please download Adaware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Go to this Site to get the plug-in for fixing VX2 variants. Also make sure to Customize the settings in Adaware for better scan results. Run the scan and fix everything that it finds.

Download Spybot. Install the program, update the definitions file and run a scan. Fix all the entries, which are indicated in RED.

Download and install CleanUp! but do not run it yet.

*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

Open My Computer. Select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders. Uncheck the Hide protected operating system files option. Click Yes to confirm. Click OK.

Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).

Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one (If they still exist)(You must kill them one at a time).

C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\CDA\GAMEDRVR.EXE


Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:

ViewMgr.exe is an advertising program by Viewpoint. This process monitors your browsing habits and distributes the data back to the authors.
WildTangent - This is an online gaming package that is installed by a number of third party applications and even OEMs, ISPs and AIM. The games aspect of this is really rather cool. Being installed without you asking for it isn't good at all. They collect information about you and your usage. We recommend uninstalling it.

Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

O4 - HKLM\..\Run: [stratas] LOCKX.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL
O4 - HKLM\..\RunServices: [stratas] LOCKX.EXE
O4 - HKCU\..\Run: [stratas] LOCKX.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople


Please remember to close all other windows, including browsers then click Fix checked.

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

LOCKX.EXE <<<<<<<<<<< You may need Start>Search to find this file.
C:\xz.bat
C:\WINDOWS\SYSTEM\msdirectx.sys
C:\msdirectx.sys
C:\Program Files\Viewpoint\
C:\Program Files\WildTangent\


Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:

*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
• Empty Recycle Bins
• Delete Cookies
• Delete Prefetch files
[X]Scan local drives for temporary files (Please uncheck this option)
• Cleanup! All Users
Click OK

Press the CleanUp! button to start the program. Reboot (in normal mode) when prompted.

Please download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).

  • Save it to your desktop.
  • Double-click the new icon on your desktop (tmas-web-scan.exe)
  • It will say "Loading TrendMicro definitions".
  • Once the definitions are loaded, the program will appear to close then re-open.
  • Click "Start Scan"
  • After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.

Reboot your computer. In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.

I then need you to repeat the same procedure above again... using the TrendMicro tool. I need the log from the second scan/clean...NOT the first...as this will contain what’s left in the system.

Please post the TrendMicro scan results and a fresh Hijack This log so that we can check if your system is clean.
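As an added example (not part of this thread or of either tool), a small Python triage script that cross-checks HijackThis O4 autorun entries against Panda verdicts the way the reply above does by hand: a scanner hit, a bare filename with no path, the same name registered in several autorun locations, and an undisinfected file that no O4 entry loads. The O4 lines and verdicts embedded below are constructed sample input copied from the logs in this thread.

```python
import re
from collections import defaultdict

# Constructed sample: O4 lines and Panda verdicts copied from the thread's logs, plus
# one ordinary O4 line (TaskMonitor) for contrast.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [stratas] LOCKX.EXE
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL
O4 - HKLM\..\RunServices: [stratas] LOCKX.EXE
O4 - HKCU\..\Run: [stratas] LOCKX.EXE
""".strip().splitlines()
PANDA_SAMPLE = r"""
Virus:Bck/IRCBot.MK Disinfected C:\WINDOWS\SYSTEM\lockx.exe
Hacktool:HackTool/Rootkit.C No disinfected C:\WINDOWS\SYSTEM\msdirectx.sys
""".strip().splitlines()

# HijackThis O4 line: "O4 - <hive>\..\<key>: [<name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[[^\]]+\] (?P<cmd>.*)$")
# Panda ActiveScan line: "<incident> <status> <location>"
PANDA_RE = re.compile(r"^(?P<incident>\S+) (?P<status>Disinfected|No disinfected) (?P<path>.+)$")
# First executable-looking token of a command, quoted or not (arguments ignored)
EXE_RE = re.compile(r'"?([^"]*?\.(?:exe|com|bat|vbs|dll))', re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def triage(hjt_lines, panda_lines):
    """Return (flagged, orphans): flagged maps an executable basename to its autorun locations
    and why it deserves a look; orphans are undisinfected files no O4 entry loads (remove by hand)."""
    verdicts = {basename(m.group("path")): (m.group("incident"), m.group("status"))
                for m in map(PANDA_RE.match, panda_lines) if m}
    seen = defaultdict(list)  # basename -> [(autorun location, is_bare_filename)]
    for line in hjt_lines:
        m = O4_RE.match(line)
        t = EXE_RE.search(m.group("cmd")) if m else None
        if t:
            path = t.group(1)
            seen[basename(path)].append((m.group("hive") + "\\" + m.group("key"), "\\" not in path))
    flagged = {}
    for base, hits in seen.items():
        reasons = []
        if base in verdicts:
            reasons.append("scanner verdict: %s (%s)" % verdicts[base])
        if any(bare for _, bare in hits):
            reasons.append("bare filename, found via the search path instead of a fixed path")
        if len(hits) > 1:
            reasons.append("registered in %d autorun locations" % len(hits))
        if reasons:
            flagged[base] = {"locations": [loc for loc, _ in hits], "reasons": reasons}
    orphans = [b for b, (_, status) in verdicts.items() if status == "No disinfected" and b not in seen]
    return flagged, orphans
```

Run against the full logs, the flagged entries are the ones to check in HijackThis and the orphans (here msdirectx.sys) are the files the reply lists for manual deletion.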
 