Note: The following is only a text archive! To view the actual forum discussion, please visit our website at http://www.tech-forums.net

Hijack This log assistance

Posted by: EGM

Hello people, I'm EGM, and have my own PC at home perfectly clear, so I can't stand my GF's PC being spyware infested to the bone... Here's what I've tried:
[list]
[*]Ran Ad-Aware (updated)
[*]Ran Spybot S&D (updated)
[*]Ran Hijack This and tried to get the bad things out when I recognized them
[*]Ran Hitman Pro (I'm quite sure you know this program)
[*]Looked at the Task Manager to see some weird stuff
[*]Ran the newest CWShredder
[/list]
It's to no avail, because it keeps coming back... especially [url=http://home.deds.nl/~egm/toolbar.JPG]this[/url]. This toolbar is pretty annoying since you can't disable it, the "close button" is a link button, the whole bar decreases your desktop space, and in IE (yes, I know, tried to convince them) it's pretty hard to see the bottom lines of a page. As far as I can see, I've done everything I can do, except for booting in safe mode and letting Hitman Pro (and everything else) run, but I'm afraid it'll take an age...

[url=http://home.deds.nl/~egm/hijackthis.log]Here's[/url] the complete Hijack This log. Thanks for the help, tell me what I can/should/must do...

UPDATE: Here's the Task Manager from a fresh boot
[img]http://home.deds.nl/~egm/tskmngr1.JPG[/img]
[img]http://home.deds.nl/~egm/tskmngr2.JPG[/img]

[quote]Logfile of HijackThis v1.98.2
Logfile of HijackThis v1.99.0
Scan saved at 18:20:52, on 17-2-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\12Ghosts\12popup.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Geertsema\Bureaublad\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\GEERTS~1\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\GEERTS~1\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: 12Ghosts Popup-Killer - {00000000-0007-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {376FA3AE-2CCF-4CE7-92E1-A2E6C41700D2} - C:\WINDOWS\system32\mpkoaaa.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: 12-Popup - {00000000-0008-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Pile Option Does Dart] C:\Documents and Settings\All Users\Application Data\hope download pile option\web file.exe
O4 - HKLM\..\Run: [pkd] C:\WINDOWS\pkd.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - Startup: 12Ghosts Popup-Killer.lnk = C:\Program Files\12Ghosts\12popup.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - [url]http://messenger.zone.msn.com/binary/msgrchkr.cab28177.cab[/url]
O16 - DPF: {018A066F-584A-422F-AC4C-0B1F5FE5C040} (VacPro.olanda_ver3) - [url]http://advnt01.com/dialer/olanda_ver3.CAB[/url]
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - [url]http://edapp01.saxion.nl/qp2.cab[/url]
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - [url]https://ebmsg02.saxion.nl/iNotes.cab[/url]
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - [url]http://messenger.zone.msn.com/binary/MineSweeper.cab28177.cab[/url]
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - [url]http://www.cult3d.com/download/cult.cab[/url]
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - [url]http://messenger.zone.msn.com/binary/MessengerStatsClient.cab[/url]
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - [url]http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab[/url]
O18 - Filter: text/html - {B15E7322-D066-4CCA-925B-7696DEFD9AFA} - C:\WINDOWS\system32\mpkoaaa.dll
O18 - Filter: text/plain - {B15E7322-D066-4CCA-925B-7696DEFD9AFA} - C:\WINDOWS\system32\mpkoaaa.dll
O23 - Service: Kodak Camera Connection Software - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe[/quote]

Posted by: Roshi229

Welcome to TF. I see that you have an outdated version of HijackThis. Please visit [url]www.kbdigisol.com[/url] for the newest version, repost a fresh log and someone will be with you shortly. Thanks ~KB

Posted by: southernlady

EGM, I'm going to go ahead and analyze what I have of your log while I wait for you to post your new one. I prefer you post them here tho, ok? All you need to do is copy and paste it here. Liz

Posted by: EGM

Yes Sir and Ma'am, I will get the newest Hijack This version on my GF's PC asap, I'll update and bump my post, don't worry about analyzing this one if you feel it's of no use... Thanks for the help anyway, sorry for my ignorance, Cheers, EGM btw.
You're doin' a great job here, is there any way I can help you guys except for sticking around and answering questions that I know about?

Posted by: EGM

BUMP, I updated the stuff :) Thanks again in advance!

Posted by: southernlady

EGM, I got started on your log and then my motherboard died... had to replace it with one I had in another computer... which meant REFORMATTING!!! Lost everything on one hard drive because I wasn't prepared. Thank goodness, I'm paranoid as all **** and back up my stuff on a second hard drive, so nothing serious was lost except some bookmarks. In the meantime I had major downtime! But I have a copy of what I found so it won't take me long to get your log read, LOL... like I told you, I put stuff on backups! Liz

Posted by: southernlady

You are currently using HijackThis from a temporary directory; this can cause problems. HijackThis creates backups, and these are needed in case of any recovery issues. Please create a directory on your [b]C:\[/b] drive called [b]C:\HJT[/b], download and unzip HijackThis into that directory. Run the program from that directory from now on.

[b][color=green][size=3]STEPS For Creating Folder[/size][/color][/b]
[b]1.[/b] Please go to My Computer, open your [b]C:\[/b] drive, select New >> Folder and name the folder [b]HJT[/b].
[b]2.[/b] Download HijackThis to the new folder.
[b]3.[/b] Double-click on 'HijackThis.zip' to extract and install HijackThis.exe to the new folder.

First click [url]http://forums.techguy.org/attachment.php?attachmentid=44318[/url] to download cwsserviceremove.zip and unzip it to your desktop and have it ready to run later.

Click [URL=http://www.spyware911.net/downloads/CWShredder.exe]CWShredder[/URL] to download CWShredder. Do not run it yet. Download it to the desktop and have it ready to run later.

Click [URL=http://www.spyware911.net/downloads/AboutBuster.zip]About Buster 4.0[/URL] to download AboutBuster, created by Rubber Ducky. Unzip AboutBuster to the desktop, then click the "Update" button, then click "Check for Update" and download the updates, and then click "Exit" because I don't want you to run it yet. Just get the updates so it is ready to run later in safe mode.

Now go ahead and set your computer to [URL=http://www.spyware911.net/showhiddenfiles.htm]Show hidden files & folders[/URL] like so:
Because XP will not always show you hidden files and folders by default, go to Start > Search and under "More advanced search options" make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".
Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders". Click "Apply" then "OK".

Sign off the internet and remain offline until this procedure is complete. Unplug your modem or disconnect the cable or phone line. Copy these instructions to Notepad and save them on your desktop for easy access. You must follow these directions exactly and you cannot skip any part of it.

Click Start > Run and type in: services.msc
Click OK. In the Services window find Workstation NetLogon Service. Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

Restart to [URL=http://www.spyware911.net/safemode.htm]Safe Mode[/URL]. How to start your computer in safe mode: [url]http://www.spyware911.net/safemode.htm[/url]

Perform the following steps in safe mode:

Double-click on the cwsserviceremove.reg file you downloaded at the beginning to enter it into the registry. Answer Yes when asked to have its contents added to the registry.

Go to Start > Run and type Hijackthis. Press Enter to start HijackThis. [B]DO NOT OPEN ANYTHING ELSE![/B] Put a check by these entries in HijackThis and click the [B]"Fix Checked"[/B] button:
[B]R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\GEERTS~1\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\GEERTS~1\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {88B5E8F3-8F2D-4F98-9F30-80598D837CD2} - C:\WINDOWS\system32\mpkoaaa.dll
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Pile Option Does Dart] C:\Documents and Settings\All Users\Application Data\hope download pile option\web file.exe
O4 - HKLM\..\Run: [pkd] C:\WINDOWS\pkd.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {018A066F-584A-422F-AC4C-0B1F5FE5C040} (VacPro.olanda_ver3) - [url]http://advnt01.com/dialer/olanda_ver3.CAB[/url]
O18 - Filter: text/html - {B15E7322-D066-4CCA-925B-7696DEFD9AFA} - C:\WINDOWS\system32\mpkoaaa.dll
O18 - Filter: text/plain - {B15E7322-D066-4CCA-925B-7696DEFD9AFA} - C:\WINDOWS\system32\mpkoaaa.dll[/B]

Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All, then Edit > Delete to delete the entire contents of the Temp folder.
Next navigate to the C:\Documents and Settings\Administrator (repeat for all user names)\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All, then Edit > Delete to delete the entire contents of the Temp folder.
Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab, then click the "Reset Web Settings" button. Click Apply then OK.

Next run AboutBuster. Double-click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.

Finally, run CWShredder. Just click on cwshredder.exe, then click "Fix" (not "Scan only") and let it do its thing.

Boot out of safe mode back into Windows normally now.

Download [URL=http://www.mvps.org/winhelp2002/DelDomains.inf]DelDomains.inf[/URL] from here. Right-click DelDomains.inf and choose Install.

Click [URL=http://www.cexx.org/LSPFix.exe]LspFix[/URL] to download LspFix. Launch the application and click the "I know what I'm doing" checkbox. Check all instances of osmim.dll (and nothing else) and move them to the [B]"Remove"[/B] pane. Then click [B]Finish[/B].

Turn off System Restore: [URL=http://www.spyware911.net/systemrestore.htm]Disable System Restore[/URL]
On the Desktop, right-click My Computer. Click Properties. Click the System Restore tab. Check "Turn off System Restore". Click Apply, and then click OK. Restart your computer.

Go to [URL=http://housecall.trendmicro.com/]Trend Micro - Free online virus scan[/URL] and do an online virus scan. Be sure to put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean, have it delete it or make a note of the file location so you can delete it yourself. Housecall will detect the leftover files from this hijacker.

This hijacker is known to alter or delete certain files, so check this out please:

Download [URL=http://www.spyware911.net/downloads/hoster.zip]Hoster.zip[/URL]. Unzip the file, press "Restore Original Hosts" and press "OK". Exit the program.

If you have Spybot S&D installed you will also need to replace one file. Go to [URL=http://www.spywareinfo.com/~merijn/winfiles.html#sdhelper]SDHelper.dll[/URL] and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy).

Check in the C:\Windows\system32 folder to be sure you have a file named Shell.dll. If you do not have one, go to the C:\Windows\system32\dllcache folder. Find shell.dll and right-click on it. Choose Copy from the menu. Open the System32 folder and right-click on an empty space in the window. Choose Paste from the menu.

control.exe may have been deleted. See if control.exe is present in C:\windows\system32. If control.exe isn't there, go to [url]http://www.spywareinfo.com/~merijn/winfiles.html[/url] and download control.exe per the instructions at the site.

IMPORTANT!: Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your ActiveX security settings in IE as recommended here.

When you are sure you are clean, turn System Restore back on and create a restore point. To create a restore point: single-click Start and point to All Programs. Mouse over Accessories, then System Tools, and select System Restore. In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button. Type a description for your new restore point, something like "After trojan/spyware cleanup". Click Create and you're done.

Reboot, empty the Recycle Bin, and go get the newest HijackThis log. You need to go here: [URL=http://www.majorgeeks.com/download3155.html]HijackThis[/URL] and download version 1.99.1, please. Then post another log.

Liz

Posted by: EGM

:O that's something very big :) Thanks for the help, I'll do it when I get to my GF again ;)
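The helper's fix list above is the product of reading the log by hand: IE start/search pages redirected to about:blank or a res:// page inside a DLL in a Temp folder, an unnamed BHO, MIME filters (O18) pointing at the same DLL, Run keys launching executables from the Windows root or Application Data, and an ActiveX download (O16) from a dialer site. The script below is an added example for this thread, not code from the forum or from HijackThis; it automates that first read. The heuristics, the O16 host allowlist and the sample log lines (a subset of the log EGM posted, with BBCode stripped) are assumptions constructed for illustration, and the file cross-reference at the end shows why the helper has the service stopped and safe mode used: one of the flagged files is also in the running-process list.

```python
"""HijackThis log triage: flag the entry patterns a helper looks at first.

Added example for this thread, not code from the forum or from HijackThis.
Every heuristic, the allowlist and the sample lines are assumptions modelled
on the entries southernlady told EGM to fix, not HijackThis's own logic.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample: a subset of the log lines posted in the thread, BBCode stripped.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\pkd.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\GEERTS~1\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {376FA3AE-2CCF-4CE7-92E1-A2E6C41700D2} - C:\WINDOWS\system32\mpkoaaa.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Pile Option Does Dart] C:\Documents and Settings\All Users\Application Data\hope download pile option\web file.exe
O4 - HKLM\..\Run: [pkd] C:\WINDOWS\pkd.exe
O16 - DPF: {018A066F-584A-422F-AC4C-0B1F5FE5C040} (VacPro.olanda_ver3) - http://advnt01.com/dialer/olanda_ver3.CAB
O18 - Filter: text/html - {B15E7322-D066-4CCA-925B-7696DEFD9AFA} - C:\WINDOWS\system32\mpkoaaa.dll
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
# First drive-letter path in an entry (8.3 names allowed) that ends in a binary extension.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"<>|]*?\.(?:exe|dll|ocx|cab)\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Assumption: hosts an analyst has already vetted for O16 (ActiveX download) entries.
ALLOWED_DPF_HOSTS = {"messenger.zone.msn.com", "messenger.msn.com"}


@dataclass
class Entry:
    kind: str   # "R1", "O4", "O18", ...
    body: str   # text after the "R1 - " prefix
    raw: str


@dataclass
class Finding:
    entry: Entry
    reason: str
    path: Optional[str]


def parse_log(text: str) -> Tuple[List[str], List[Entry]]:
    """Split a HijackThis log into the running-process list and the R/O entries."""
    processes, entries = [], []
    in_processes = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False      # the process list ends at the first R/O entry
            entries.append(Entry(m["kind"], m["body"], line))
        elif line.lower() == "running processes:":
            in_processes = True
        elif in_processes:
            processes.append(line)
    return processes, entries


def triage(entries: List[Entry]) -> List[Finding]:
    """Apply the review heuristics (all assumptions, see module docstring)."""
    findings = []
    for e in entries:
        m = PATH_RE.search(e.body)
        path = m.group(0) if m else None
        reason = None
        if e.kind in ("R0", "R1"):
            value = e.body.partition("=")[2].strip().lower()
            if value == "about:blank" or value.startswith("res://"):
                reason = "IE search/start page points at about:blank or a res:// page inside a DLL"
        elif e.kind == "O2" and "(no name)" in e.body:
            reason = "browser helper object with no name"
        elif e.kind == "O4" and path:
            folder = path.rsplit("\\", 1)[0].lower()
            if folder == r"c:\windows" or "application data" in folder:
                reason = "autorun executable in the Windows root or under Application Data"
        elif e.kind == "O16":
            u = URL_RE.search(e.body)
            host = urlparse(u.group(0)).hostname if u else None
            if host and host.lower() not in ALLOWED_DPF_HOSTS:
                reason = f"ActiveX download from non-allowlisted host {host}"
        elif e.kind == "O18":
            reason = "MIME filter registered; legitimate ones are rare, review the DLL"
        if reason:
            findings.append(Finding(e, reason, path))
    return findings


def suspect_files(findings: List[Finding], processes: List[str]) -> Dict[str, dict]:
    """Group findings by the file they reference and note whether it was running."""
    running = {p.lower() for p in processes}
    files: Dict[str, dict] = {}
    for f in findings:
        if f.path:
            key = f.path.lower()
            info = files.setdefault(key, {"entries": [], "running": key in running})
            info["entries"].append(f.entry.kind)
    for info in files.values():
        info["entries"].sort()
    return files


if __name__ == "__main__":
    procs, ents = parse_log(SAMPLE_LOG)
    found = triage(ents)
    for f in found:
        print(f"{f.entry.kind}: {f.reason}\n    {f.entry.raw}")
    for path, info in suspect_files(found, procs).items():
        print(path, info)
```

Run against the sample it flags seven entries and groups them into four files; mpkoaaa.dll shows up from both an O2 and an O18 entry, and pkd.exe is reported as running, which is exactly the kind of file that has to be stopped (service disabled, safe mode) before the Run key and the file can be removed. The rules are deliberately narrow: an entry the script does not flag still needs a human reader, as the helper's inclusion of the Real.com button and the Dutch "Koppelingen" links folder shows.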