Hijack This Log / Panda Scan

Posted by: daddy_ray

Guys... I've been hosed!!! My #&^% is torn up. Please review and assist in any way possible. Win 98 SE, P4 2.8, 1 GB PC3200, Radeon 9200. Review and assist... Also having trouble booting up in safe mode. Also, I am running Iopus Starr PC Monitor, so ignore that; however, I have noticed that I have Ispynow running also... That is not by choice! Thanks, Ray

Logfile of HijackThis v1.99.1
Scan saved at 07:30:32 PM, on 4/23/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\WSYS.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SBC SELF SUPPORT TOOL\SMARTBRIDGE\MOTIVESB.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGEMC.EXE
C:\PROGRAM FILES\ANTI-SPYWARE BLOCKER\ANTI-VIRUS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\EFFICIENT NETWORKS\ENTERNET 300\APP\ENTERNET.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\ptktzkxk.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine:// C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_02.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\ptktzkxk.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~3\TOOLS\IESDPB.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~3\TOOLS\IESDSG.DLL
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\DLMAX.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\GRISOFT\AVG7\AVGREGCL.EXE /BOOT
O4 - HKLM\..\RunServices: [windll] C:\WINDOWS\SYSTEM\wsys.exe
O4 - HKLM\..\RunServices: [avgamsvr.exe] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
O4 - Startup: Anti-Spyware Blocker.lnk = C:\Program Files\Anti-Spyware Blocker\Anti-Virus.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~3\TOOLS\IESDPB.DLL
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - [url]http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab[/url]
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - [url]http://www.webshots.com/samplers/WSDownloader.ocx[/url]
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - [url]http://www.live365.com/players/play365.cab[/url]
O16 - DPF: {01020304-0506-0708-090A-0B0C0D0E0F08} - [url]http://messenger.yahoo.com/maintenance/patch.cab[/url]
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - [url]http://www.pandasoftware.com/activescan/as5/asinst.cab[/url]

PANDA SCAN 04-23-05

Adware:Adware/Transponder No disinfected C:\WINDOWS\DLMAX.DLL
Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/nCase No disinfected C:\Temp\FLEOK
Spyware:Spyware/BetterInet No disinfected Windows Registry
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\bsx32
Adware:Adware/AdDestroyer No disinfected C:\WINDOWS\All Users\Application Data\AdDestroyer
Adware:Adware/IPInsight No disinfected C:\WINDOWS\farmmext.ini
Adware:Adware/NavHelper No disinfected C:\Program Files\Ares
Spyware:Spyware/LZIO-Media No disinfected C:\WINDOWS\io2uns.exe
Adware:Adware/WUpd No disinfected Windows Registry
Adware:Adware/EliteBar No disinfected C:\WINDOWS\Favorites\Casino & Carrers
Adware:Adware/HuntBar No disinfected C:\WINDOWS\SYSTEM\EDOW_AS2.EXE
Adware:Adware/Beginto No disinfected C:\WINDOWS\SYSTEM\NSM10D0.DLL
Adware:Adware/Transponder No disinfected C:\WINDOWS\dlmax.dll
Adware:Adware/Pacimedia No disinfected C:\WINDOWS\SYSTEM\pacis.exe
Adware:Adware/eZula No disinfected C:\WINDOWS\SYSTEM\topsys.exe
Adware:Adware/Beginto No disinfected C:\WINDOWS\SYSTEM\nsm10D0.dll
Adware:Adware/HuntBar No disinfected C:\WINDOWS\SYSTEM\EDow_AS2.exe
Adware:Adware/Apropos No disinfected C:\WINDOWS\SYSTEM\cxtpls_loader.exe
Adware:Adware/StartPage.DD No disinfected C:\WINDOWS\SYSTEM\temperror32.dat
Adware:Adware/Transponder No disinfected C:\WINDOWS\INF\PYNIX.INF
Adware:Adware/Transponder No disinfected C:\WINDOWS\INF\DLMAX.INF
Adware:Adware/Transponder No disinfected C:\WINDOWS\DLMAX.DLL
Adware:Adware/WUpd No disinfected C:\Program Files\Hijack This\backups\backup-20041014-203655-511.inf
Adware:Adware/Transponder No disinfected C:\Program Files\Hijack This\backups\backup-20050419-190921-532.dll
Adware:Adware/Transponder No disinfected C:\Program Files\Hijack This\backups\backup-20050420-192839-370.dll


Spyware:Spyware/pcAudit No disinfected C:\My Downloads\pcaudit.exe
Adware:Adware/HuntBar No disinfected C:\NULL



Posted by: Lobos

Run [b]HiJackThis[/b] then:

1. Click "[b][i]Config...[/i][/b]"
2. Click "[b][i]Misc Tools[/i][/b]"
3. Click "[b][i]Open Process manager[/i][/b]"

-

Next, while holding down the [b]CTRL[/b] key, locate ([i]if present[/i]) and click on ([i]highlight[/i]) each of the following:

[b][color=#000000]C:\WINDOWS\SYSTEM\[/color][color=#ff0000]WSYS.EXE[/color][/b]

Now double-check and make sure that only those item(s) above are highlighted, then click "[b][i]Kill process[/i][/b]". Now, click "[b][i]Refresh[/i][/b]", check again, and repeat this step if any remain.

===============

Now, let's open a [b]command prompt[/b] and unregister the dll(s) we're going to remove, by entering the following:

[b][color=#000099]regsvr32 /u[/color] [color=#ff0000]DLMAX.DLL[/color][/b]

It's OK if these aren't found or error out. If you want, just copy and paste the individual lines to the command prompt to save on the typing.

===============

Run [b]HiJackThis[/b] and click "[b][i]Scan[/i][/b]", then check(tick) the following, if present:


[color=#9933cc][b] O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\DLMAX.DLL [/b][/color]

[color=#9933cc][b] O4 - HKLM\..\RunServices: [windll] C:\WINDOWS\SYSTEM\wsys.exe [/b][/color]


Now, with all windows closed except [b]HiJackThis[/b], click "[b][i]Fix checked[/i][/b]".

===============


When you're done, rescan your system and make sure the [color=#ff0000]following[/color] isn't present:

[b][color=#9933cc]N3 - Netscape[/color] ... [color=#ff0000]5CSBWeb_01.src[/color][/b] ([i]or[/i]) [b][color=#ff0000]5CSBWeb_02.src[/color][/b]

If it is, then fix that entry again; sometimes it'll take more than one pass. The actual entry is ok, and won't be deleted, it's the java wrapper marked in [b][color=#ff0000]red[/color][/b] that needs to be removed.

===============

Locate and [color=#ff0000][i]delete the following item(s)[/i][/color], if present. Make sure you're able to view system and hidden files/folders:

[i]files...[/i]

[b]C:\WINDOWS\SYSTEM\[color=#ff0000]WSYS.EXE[/color][/b]
[b]C:\WINDOWS\[color=#ff0000]DLMAX.DLL[/color][/b]
C:\Program Files\Hijack This\backups\[b]backup-20050420-192839-370.dll[/b] << This file
C:\Program Files\Hijack This\backups\[b]backup-20050419-190921-532.dll[/b] << This file
C:\WINDOWS\[b]DLMAX.DLL[/b] << This file
C:\WINDOWS\SYSTEM\[b]cxtpls_loader.exe[/b] << This file
C:\WINDOWS\SYSTEM\[b]EDow_AS2.exe[/b] << This file
C:\WINDOWS\SYSTEM\[b]nsm10D0.dll[/b] << This file
C:\WINDOWS\SYSTEM\[b]topsys.exe[/b] << This file
C:\WINDOWS\SYSTEM\[b]pacis.exe[/b] << This file
C:\WINDOWS\[b]dlmax.dll[/b] << This file
C:\WINDOWS\SYSTEM\[b]NSM10D0.DLL[/b] << This file
C:\WINDOWS\SYSTEM\[b]EDOW_AS2.EXE[/b] << This file
C:\WINDOWS\[b]io2uns.exe[/b] << This file


[i]folders...[/i]
C:\Temp\FLEOK
C:\WINDOWS\bsx32
C:\WINDOWS\All Users\Application Data\AdDestroyer
C:\WINDOWS\Favorites\Casino & Carrers
C:\Program Files\Ares


Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're '[i]in use[/i]', try deleting them from "[url=http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam]Safe Mode[/url]".

===============

Post back a new log, and let me know how everything goes.

-

Lobos.
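The cross-referencing Lobos did by hand above (Panda names the files, HijackThis names the hooks; from the two you get the process to kill, the DLL to unregister, the entries to fix and the files to delete) can be scripted. The block below is an added example written for this page; it is not part of the thread and not code from HijackThis or Panda. It parses a constructed subset of the two scans posted above and builds the same four lists. It matches on file name only, because HijackThis prints 8.3 short directory names (SPYWAR~3) while Panda prints long ones, and because Panda reports the same file in two cases (DLMAX.DLL, dlmax.dll). WSYS.EXE, which Panda did not flag, is supplied as a hand-picked suspect name, as the helper did.

```python
import re

# Constructed sample: a subset of the HijackThis log lines posted in this thread.
HJT_LOG = """\
Running processes:
C:\\WINDOWS\\SYSTEM\\WSYS.EXE
C:\\PROGRAM FILES\\GRISOFT\\AVG7\\AVGAMSVR.EXE

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHELPER.DLL
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\\WINDOWS\\DLMAX.DLL
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\GRISOFT\\AVG7\\AVGCC.EXE /STARTUP
O4 - HKLM\\..\\RunServices: [windll] C:\\WINDOWS\\SYSTEM\\wsys.exe
O4 - HKLM\\..\\RunServices: [avgamsvr.exe] C:\\PROGRA~1\\GRISOFT\\AVG7\\AVGAMSVR.EXE
"""

# Constructed sample: a subset of the Panda ActiveScan lines posted in this thread.
PANDA_SCAN = """\
Adware:Adware/Transponder No disinfected C:\\WINDOWS\\DLMAX.DLL
Spyware:Spyware/BetterInet No disinfected Windows Registry
Adware:Adware/HuntBar No disinfected C:\\WINDOWS\\SYSTEM\\EDOW_AS2.EXE
Adware:Adware/eZula No disinfected C:\\WINDOWS\\SYSTEM\\topsys.exe
Adware:Adware/Transponder No disinfected C:\\WINDOWS\\dlmax.dll
"""

# A drive path, optionally followed by command-line switches such as /STARTUP.
PATH_RE = re.compile(r"([A-Za-z]:\\.*?)(?:\s+/\S+)*$")
# Panda's "<family> No disinfected <target>" line format.
PANDA_RE = re.compile(r"^(\S+)\s+No disinfected\s+(.+)$")


def basename(path):
    """Case-folded file name only: short (8.3) and long paths to the same file compare equal."""
    return path.rstrip().rsplit("\\", 1)[-1].lower()


def parse_panda(text):
    """Return ({file name: (family, [paths as reported])}, [registry-only families])."""
    files, registry = {}, []
    for line in text.splitlines():
        m = PANDA_RE.match(line.strip())
        if not m:
            continue
        family, target = m.groups()
        if "\\" not in target:          # "Windows Registry": nothing on disk to delete
            registry.append(family)
            continue
        files.setdefault(basename(target), (family, []))[1].append(target)
    return files, registry


def parse_hjt(text):
    """Yield (section, line, path) for the running-process block and O2/O4 entries."""
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if not line:                     # blank line ends the process block
            in_procs = False
            continue
        if in_procs:
            yield "process", line, line
            continue
        section = line.split(" - ", 1)[0]
        if section in ("O2", "O4"):
            m = PATH_RE.search(line)
            if m:
                yield section, line, m.group(1)


def build_plan(hjt_text, panda_text, suspects=()):
    """Cross-reference both scans into kill / unregister / fix / delete lists.

    suspects: extra file names the helper identified by eye (Panda missed WSYS.EXE)."""
    hits, _registry = parse_panda(panda_text)
    names = set(hits) | {s.lower() for s in suspects}
    plan = {"kill": [], "unregister": [], "fix": [], "delete": []}
    for section, line, path in parse_hjt(hjt_text):
        if basename(path) not in names:
            continue
        if section == "process":
            plan["kill"].append(path)           # Process manager -> Kill process
        elif section == "O2":
            plan["unregister"].append(path)     # regsvr32 /u before deleting the BHO
            plan["fix"].append(line)            # and tick the O2 line in HijackThis
        else:
            plan["fix"].append(line)            # O4 Run/RunServices hook
    seen = set()
    for _family, paths in hits.values():        # every file Panda named, hooked or not
        for p in paths:
            if p.lower() not in seen:
                seen.add(p.lower())
                plan["delete"].append(p)
    return plan


if __name__ == "__main__":
    for step, items in build_plan(HJT_LOG, PANDA_SCAN, suspects=("wsys.exe",)).items():
        print(step + ":")
        for item in items:
            print("   ", item)
```

Note that topsys.exe ends up only in the delete list: Panda found the file but HijackThis shows no hook for it, which is exactly why the helper's instructions have a separate "files..." section beyond the ticked entries. The reverse also happens: WSYS.EXE has a RunServices hook and a running process but no scanner hit, and only the hand-supplied suspect list catches it.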



Posted by: daddy_ray

I can't boot up in safe mode. I get this error: "While initializing device VFBACKUP: VFBACKUP could not load VFD.VXD. Please run setup again." What does that mean, and have you seen this before? It boots up fine in normal mode.

Thanks, Ray



Posted by: daddy_ray

Also, I can't delete DLMAX.DLL in normal mode because it says that program is running, which was probably obvious.



Posted by: Lobos

Try this for your error:

[url]http://support.microsoft.com/kb/q150164/[/url]



Posted by: daddy_ray

I used the link you sent and used SFC to restore the vfbackup.vxd file into the windows\system folder. I then rebooted and still get the same error when trying to go to safe mode. Question: I restored the file, but do I have to do anything else after that before it will work... like enable it??? Thanks, Ray



Posted by: Lobos

Did you add the commands for it in this file, like it said?

c:\msdos.sys



Posted by: Warez Monster

Remove entries at your own risk

C:\WINDOWS\SYSTEM\WSYS.EXE (WSYS.EXE)
STARR key logger. "It logs almost everything that goes through the box. It logs all key strokes, all passwords transacted even if they weren't keyed in, all web sites visited, every program launched including the path to that program, and more"

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - [url]http://a840.g.akamai.net/7/840/537/...all/xscan53.cab[/url]
This entry is possibly nasty. Should be fixed.

Spyware:Spyware/LZIO-Media No disinfected C:\WINDOWS\io2uns.exe
Unknown running process. (io2uns.exe)
This is an unknown process.

Adware:Adware/HuntBar No disinfected C:\WINDOWS\SYSTEM\EDOW_AS2.EXE
Unknown running process. (EDOW_AS2.EXE)
This is an unknown process.

Adware:Adware/Pacimedia No disinfected C:\WINDOWS\SYSTEM\pacis.exe
Unknown running process. (pacis.exe)
This is an unknown process.

Adware:Adware/eZula No disinfected C:\WINDOWS\SYSTEM\topsys.exe
Unknown running process. (topsys.exe)
This is an unknown process.

Adware:Adware/HuntBar No disinfected C:\WINDOWS\SYSTEM\EDow_AS2.exe
Unknown running process. (EDow_AS2.exe)
This is an unknown process.

Adware:Adware/Apropos No disinfected C:\WINDOWS\SYSTEM\cxtpls_loader.exe