Hjt Log Help!!

Posted by: Jus10

I've picked up some spyware somewhere while searching the internet. I keep getting a "search me up" pop-up and a DOA pop-up. I've installed Search and Destroy and it seems to delete some of it, but it seems to always come back... anyways, here is my log.

Logfile of HijackThis v1.99.1
Scan saved at 8:02:09 PM, on 4/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\open32.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\kbdkyr.exe
C:\WINDOWS\System32\svhost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Justin\LOCALS~1\Temp\Rar$EX00.452\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.42.87.219/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://daosearch.com/index.php?id=36762
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.com/?said=137
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\System32\DSMANA~1.DLL
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-7173706D1316} - C:\WINDOWS\System32\spm1316.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [ipijet] C:\WINDOWS\ipijet.exe
O4 - HKLM\..\Run: [_Cat4] C:\WINDOWS\msmsgr2.exe
O4 - HKLM\..\Run: [_Cat2] C:\WINDOWS\nmstt.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Shell] open32.exe
O4 - HKLM\..\Run: [swcroot] c:\windows\system32\swcroot.exe
O4 - HKLM\..\Run: [qgxxnasjyah] C:\WINDOWS\iyoizdbf.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{71A08C28-3FF4-4F7A-9923-93252F4201DF}\SVCHOST.EXE
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [kbdkyr] C:\WINDOWS\System32\kbdkyr.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Microsoft AntiSpyware helper - {042E5EFE-D074-4C7B-82E6-998C10AE070B} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {042E5EFE-D074-4C7B-82E6-998C10AE070B} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {1FAB7E6D-5FD1-40CF-AA71-7C04A6333737} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {1FAB7E6D-5FD1-40CF-AA71-7C04A6333737} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {49CE5669-C256-43A5-9054-8F62BDDBDFB6} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {49CE5669-C256-43A5-9054-8F62BDDBDFB6} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {4A4DD985-6648-404C-91A9-2065E9A9EF4B} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {4A4DD985-6648-404C-91A9-2065E9A9EF4B} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {6ECBE3D7-3C0E-490C-86B3-E3C36C94F1FB} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {6ECBE3D7-3C0E-490C-86B3-E3C36C94F1FB} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {934009CE-F7B1-48D9-9F32-494A3F56D4E5} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {934009CE-F7B1-48D9-9F32-494A3F56D4E5} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {9E69D45B-2EAE-447C-AB8A-C9A6AD604914} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {9E69D45B-2EAE-447C-AB8A-C9A6AD604914} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {D6882FB1-8338-4106-82D1-0E388B68C52C} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D6882FB1-8338-4106-82D1-0E388B68C52C} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {E4BEF4D0-77B4-46E3-A82D-D5B6509CABBE} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E4BEF4D0-77B4-46E3-A82D-D5B6509CABBE} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {F10FB2EB-FDB1-41C2-82CE-FC7EF008D4BE} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F10FB2EB-FDB1-41C2-82CE-FC7EF008D4BE} - (no file) (HKCU)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 213.159.117.202
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8C7D5B3E-1AB7-41D2-9C7F-E91D2A565CC1}: NameServer = 166.102.165.13,166.102.165.11
O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O21 - SSODL: System - {A380D234-A7EE-4FBC-92E6-FC508B09720C} - zlop.dll (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: GearSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Windows update Service (updater) - Unknown owner - C:\WINDOWS\System32\winsvc.exe

Posted by: Lobos

Hi, welcome to Tech Forums.

Right click on this link [url]http://www.greyknight17.com/spy/DelO15Domains.inf[/url] and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards.

If you don't already have it, download, install and run [url=http://www.lavasoft.de/support/download/]AdAware SE Personal[/url].

- Next, check for, and download any available updates:
1. Click "[b][i]Check for updates now[/i][/b]".
2. Click "[b][i]Connect[/i][/b]".
3. If updates (definitions) are available click "[b][i]Ok[/i][/b]", otherwise, click "[b][i]Ok[/i][/b]".
4. Click "[b][i]Finish[/i][/b]".

- Next, configure [b]AdAware[/b] to be as effective as possible:
1. Click the '[i]gear[/i]' in the upper-right hand corner of the [b]AdAware[/b] window.
2. Click Scanning, and check (tick) the following:
[color=#336600]Scan within archives
Scan active processes
Scan registry
Deep-scan registry
Scan my IE Favorites for banned URLs
Scan my Hosts file[/color]
3. Click "[b][i]Tweak[/i][/b]".
4. Click "[b][i]Scanning Engine[/i][/b]", then check (tick) the following:
[color=#336600]Unload recognized processes & modules during scan[/color]
5. Click "[b][i]Cleaning Engine[/i][/b]", then check (tick) the following:
[color=#336600]Always try to unload modules before deletion
During removal, unload Explorer and IE if necessary
Let Windows remove files in use at next reboot
Delete quarantined objects after restoring[/color]
6. Then click "[b][i]Proceed[/i][/b]".

- Now, let [b]AdAware[/b] locate and remove anything it finds, by:
1. Click "[b][i]Start[/i][/b]".
2. Check (tick) "[b][i]Perform full system scan[/i][/b]".
3. Click "[b][i]Next[/i][/b]".
- Exit the program.

===============

If you don't already have it, download, install and run [url=http://www.safer-networking.org/en/download/index.html]Spybot S & D[/url].

- Next, update the current definitions by:
1. Click "[b][i]Search for Updates[/i][/b]".
2. Check (tick) all available updates.
3. Click "[b][i]Download Updates[/i][/b]".
4. Click "[b][i]Search & Destroy[/i][/b]".
5. Click "[b][i]Check for Problems[/i][/b]".
- When the scan is completed:
1. Check (tick) everything that was found.
2. Click "[b][i]Fix selected problems[/i][/b]".
- Click "[b][i]Ok[/i][/b]", then exit the program.

===============

After all the [i]scans are completed[/i], post back the results, along with a new [b]HiJackThis[/b] log.

- Lobos

Posted by: NewCents05

I have many of the same problems as you when I compare HijackThis logs, but every time I try to get rid of it, it just keeps coming back. Hopefully someone can help.

Posted by: Warez Monster

Remove entries at your own risk.

C:\WINDOWS\System32\open32.exe
This is an unknown process.

C:\WINDOWS\System32\svhost.exe
Running process (svhost.exe). Added as result of a RBOT.QG worm infection. This is a nasty process! You should fix it and try to delete it manually!

C:\WINDOWS\System32\kbdkyr.exe
This is an unknown process.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\blank.htm
This entry should be fixed by HijackThis!

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://daosearch.com/index.php?id=36762
This entry should be fixed by HijackThis!

R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
Should be fixed.

O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
Entries found in this registry zone are potentially nasty. This application ([5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993] - Result: 5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993) has been checked. Must be fixed!

O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
Trojan-Downloader.Win32.Ieser.a. Must be fixed!

O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
Must be fixed!

O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{71A08C28-3FF4-4F7A-9923-93252F4201DF}\SVCHOST.EXE
Added as a result of the HITON VIRUS! This is not the valid svchost.exe as described here. Located in a Windows directory, and not in Windows\System32. Must be fixed!

O15 - Trusted Zone: *.skoobidoo.com
If you did not add these pages to your trusted pages, they should be fixed.

O15 - Trusted Zone: *.windupdates.com
If you did not add these pages to your trusted pages, they should be fixed.

O15 - Trusted Zone: *.windupdates.com (HKLM)
If you did not add these pages to your trusted pages, they should be fixed.

If you didn't add '213.159.117.202' to your trusted pages, it should be fixed.

O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
This entry is possibly nasty. Should be fixed.

O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)
Only a few hijackers are listed here. The most popular are 'cn' (CommonName), 'ayb' (Lop.com) and 'relatedlinks' (Huntbar). They should be fixed.

O23 - Service: Windows update Service (updater) - Unknown owner - C:\WINDOWS\System32\winsvc.exe
These entries show all services which are not from Microsoft. Often malware is started as a system service and it is not easy to detect. This service (winsvc.exe) seems to be nasty.
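A small triage script for the HijackThis line format used in this thread, added here as an example and not part of any post or of HijackThis itself: it applies the checks the last reply makes by hand (O15 trusted-zone additions, an svchost.exe outside System32, an .exe dropped directly into the Windows directory, and an O23 service with "Unknown owner") to constructed sample lines in the same format as the log above. The heuristics are assumptions about Windows XP layout and will need tuning for other versions.

```python
import re

# Constructed sample in the HijackThis v1.99.1 line format used in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ipijet] C:\WINDOWS\ipijet.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{71A08C28-3FF4-4F7A-9923-93252F4201DF}\SVCHOST.EXE
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted IP range: 213.159.117.202
O23 - Service: GearSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Windows update Service (updater) - Unknown owner - C:\WINDOWS\System32\winsvc.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# Assumption: on Windows XP the genuine svchost.exe lives only in %SystemRoot%\System32.
GENUINE_SVCHOST = re.compile(r"^[a-z]:\\windows\\system32\\svchost\.exe$", re.I)
# An .exe placed directly under the Windows directory (not in a subfolder) is a
# common sign of a dropped file, as with ipijet.exe and msmsgr2.exe in the log.
WINDOWS_ROOT_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.I)


def exe_path(value):
    """Extract the executable path from a Run value, dropping quotes and arguments."""
    m = re.search(r'"?([^"]*?\.exe)', value, re.I)
    return m.group(1) if m else value.strip()


def triage(log_text):
    """Return (entry, reason) pairs for log lines matching the review heuristics."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, process list or blank line
        sec, body = m.group("sec"), m.group("body")
        if sec == "O15":
            findings.append((raw, "trusted zone/IP range entry; fix unless the user added it"))
        elif sec == "O4":
            path = exe_path(body.split("] ", 1)[-1])  # text after the [name] label
            if path.lower().endswith("svchost.exe") and not GENUINE_SVCHOST.match(path):
                findings.append((raw, "svchost.exe outside System32"))
            elif WINDOWS_ROOT_EXE.match(path):
                findings.append((raw, "executable directly in the Windows directory"))
        elif sec == "O23" and " - Unknown owner - " in body:
            findings.append((raw, "non-Microsoft service with no identified owner"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}: {entry}")
```

Entries the script does not flag (the Logitech and Pop-Up Stopper lines) still deserve a look by a person; it narrows the list rather than replacing the review.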