#1
Newb Techie, Join Date: Dec 2004, Posts: 8
Hi folks, I urgently need your help, as spyware and viruses are beyond my knowledge. I have searched through this forum already for some help (About Buster, Spybot, Shredder, Panda Antivirus). Now I have come to the stage where I need advice from experts. I can't get rid of a toolbar (fastwebsearch I think, and some sex pages pop up sometimes) and my computer says that 18% is still infected by spyware. I scanned through with HijackThis and this is the result. Can you please advise me what to do next. Thanks for your help!

Logfile of HijackThis v1.99.0
Scan saved at 21:54:06, on 22.12.2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Dokumente und Einstellungen\Andreas Auer\Eigene Dateien\Hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R3 - URLSearchHook: Richfind - {67E78BA4-E0C5-40F7-9000-86089795F590} - C:\WINDOWS\System32\Q713315.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {E9590744-812B-46C3-96EB-33212855927D} - C:\WINDOWS\System32\netcgf.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\iecust.dll
O3 - Toolbar: Richfind - {63BFC15C-0A1B-4B44-9C3F-AC6CB2F8EFF8} - C:\WINDOWS\System32\Q713315.dll (file missing)
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Programme\Gemeinsame Dateien\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Programme\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [MS lsassc Startup] lsass135c.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Microsoft Services] lssrv.exe
O4 - HKLM\..\Run: [WindowsRegKey upd4te2d4te] lfjtcdztu.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [clfmon.exe] clfmon.exe
O4 - HKLM\..\Run: [msinfo.exe] msinfo.exe
O4 - HKLM\..\Run: [sp2chek.exe] sp2chek.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programme\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [DNSCacheBoost] C:\WINDOWS\System32\dnsping.exe
O4 - HKLM\..\RunServices: [MS lsassc Startup] lsass135c.exe
O4 - HKLM\..\RunServices: [Microsoft Services] lssrv.exe
O4 - HKLM\..\RunServices: [WindowsRegKey upd4te2d4te] lfjtcdztu.exe
O4 - HKLM\..\RunOnce: [netssh.exe] netssh.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WindowsRegKey upd4te2d4te] lfjtcdztu.exe
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\program files\InterMute\SpySubtract\SpySub.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Richfind - {63BFC15C-0A1B-4B44-9C3F-AC6CB2F8EFF8} - C:\WINDOWS\System32\Q713315.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: http://*.63.219.181.7
O15 - Trusted Zone: http://*.search-soft.net
O16 - DPF: {27FA5271-12D2-43E3-9424-365A43236EE7} (PIXACO upload plugin) - http://express.bilderservice.de/stat...dropupload.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1103056697268
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IP-Uploader Control) - http://asp05.photoprintit.de/microsi...eUploader3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B8CC041-99CE-4D44-9A57-EDEECF98DCCA}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{71683BEA-FE5D-4E68-AD7E-E368DDF674C6}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS1\Services\Tcpip\..\{4B8CC041-99CE-4D44-9A57-EDEECF98DCCA}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS2\Services\Tcpip\..\{4B8CC041-99CE-4D44-9A57-EDEECF98DCCA}: NameServer = 69.50.166.94,69.31.80.244
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service - Symantec Corporation - C:\Programme\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager - Symantec Corporation - C:\Programme\Norton Personal Firewall\NISUM.EXE
O23 - Service: Panda Process Protection Service - Unknown - C:\Programme\Gemeinsame Dateien\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service - Unknown - C:\Programme\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
#2
True Techie, Join Date: Nov 2004, Posts: 177

Firstly, there is enough advice in this section of the forum without asking for it all again! Use all the anti-malware software in my signature, which is generally what most others are recommending - no one piece of software detects all the problems. But, once it gets so bad, you will be better to reinstall OS and software etc. Advise elimination of Norton, which in my experience can't be done without reinstall, unless you're an expert.
__________________
Intel Pentium 4 3.0Ghz, Mobo: ASRock P4VM890 c/w onboard Graphics & Sound, 512MB DDR RAM, HDDs 320 (SLAVE) & 80Gb, PSU: ADT-400, Monitor 19" CRT. Using: WinXPsp2 with Trend PC-cillin
#3
Ultra Techie

catweazle, Okie, first turn off system restore: http://www.pchell.com/virus/systemrestore.shtml

Next open your HJT and fix the following; close all your windows except HJT.
------------------
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R3 - URLSearchHook: Richfind - {67E78BA4-E0C5-40F7-9000-86089795F590} - C:\WINDOWS\System32\Q713315.dll (file missing)
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\iecust.dll
O4 - HKLM\..\Run: [Microsoft Services] lssrv.exe
O4 - HKLM\..\Run: [WindowsRegKey upd4te2d4te] lfjtcdztu.exe
O4 - HKLM\..\Run: [msinfo.exe] msinfo.exe
O4 - HKLM\..\Run: [sp2chek.exe] sp2chek.exe
O4 - HKLM\..\Run: [DNSCacheBoost] C:\WINDOWS\System32\dnsping.exe [If you don't know what this is, fix it]
O4 - HKLM\..\RunServices: [WindowsRegKey upd4te2d4te] lfjtcdztu.exe
O4 - HKLM\..\RunOnce: [netssh.exe] netssh.exe [If you don't know what this is, fix it]
O4 - HKCU\..\Run: [WindowsRegKey upd4te2d4te] lfjtcdztu.exe
O15 - Trusted Zone: http://*.63.219.181.7
O15 - Trusted Zone: http://*.search-soft.net
----------------------------
After fixing this, boot into safe mode by pressing F8 at boot time. Then clear the Internet Explorer cache, temporary internet files, cookies, and temp files in the Windows folders. In safe mode, in folder options, check the 'show hidden files' and 'show OS files' options. And if the following files are available, delete them:

lfjtcdztu.exe
msinfo.exe
iecust.dll
lssrv.exe

Finally download Ad-Aware SE, install, update and scan the system.
#5
Monster Techie

To help keep this in the proper place, and help Intercodes and Dave keep the advice ON TRACK, I am moving this to the HiJack This (Analyze) forum. Liz
__________________
Priority Computers | AdAware SE | SpyBot-Search & Destroy | SpywareBlaster | SpywareGuard | HijackThis | Stealing is illegal. Powered by Emily!
#6
Newb Techie, Join Date: Dec 2004, Posts: 8
intercodes, please have a look at my HJT logfile now.

Logfile of HijackThis v1.99.0
Scan saved at 19:52:07, on 23.12.2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\Programme\Norton Personal Firewall\NISUM.EXE
C:\Programme\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Programme\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\alg.exe
C:\Programme\Norton Personal Firewall\ccPxySvc.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\Gemeinsame Dateien\Panda Software\PavShld\pavprsrv.exe
C:\Programme\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Programme\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
C:\Programme\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Dokumente und Einstellungen\Andreas Auer\Eigene Dateien\Hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Richfind - {63BFC15C-0A1B-4B44-9C3F-AC6CB2F8EFF8} - C:\WINDOWS\System32\Q713315.dll (file missing)
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Programme\Gemeinsame Dateien\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Programme\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [MS lsassc Startup] lsass135c.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programme\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\RunServices: [MS lsassc Startup] lsass135c.exe
O4 - HKLM\..\RunServices: [Microsoft Services] lssrv.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\program files\InterMute\SpySubtract\SpySub.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Richfind - {63BFC15C-0A1B-4B44-9C3F-AC6CB2F8EFF8} - C:\WINDOWS\System32\Q713315.dll (file missing)
O16 - DPF: {27FA5271-12D2-43E3-9424-365A43236EE7} (PIXACO upload plugin) - http://express.bilderservice.de/stat...dropupload.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1103056697268
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IP-Uploader Control) - http://asp05.photoprintit.de/microsi...eUploader3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B8CC041-99CE-4D44-9A57-EDEECF98DCCA}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{71683BEA-FE5D-4E68-AD7E-E368DDF674C6}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS1\Services\Tcpip\..\{4B8CC041-99CE-4D44-9A57-EDEECF98DCCA}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS2\Services\Tcpip\..\{4B8CC041-99CE-4D44-9A57-EDEECF98DCCA}: NameServer = 69.50.166.94,69.31.80.244
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service - Symantec Corporation - C:\Programme\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager - Symantec Corporation - C:\Programme\Norton Personal Firewall\NISUM.EXE
O23 - Service: Panda Process Protection Service - Unknown - C:\Programme\Gemeinsame Dateien\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service - Unknown - C:\Programme\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe

I have also run Ad-Aware SE over my system as you proposed and it quarantined this:

ArchiveData(catweazle.bckp)
Referencefile : SE1R23 16.12.2004
======================================================

POSSIBLE BROWSER HIJACK ATTEMPT
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=Process : C:\WINDOWS\System32\odcfg.exe
obj[22]=File : C:\Dokumente und Einstellungen\...... .....\Favoriten\Block Popups.url
obj[23]=File : C:\Dokumente und Einstellungen\............\Favoriten\SPYWARE UNINSTALL.url

ALEXA
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[1]=Regkey : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
obj[2]=RegValue : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} "MenuText"
obj[3]=RegValue : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} "MenuStatusBar"
obj[4]=RegValue : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} "Script"
obj[5]=RegValue : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} "clsid"
obj[6]=RegValue : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} "Icon"
obj[7]=RegValue : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} "HotIcon"
obj[8]=RegValue : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} "ButtonText"
obj[18]=RegValue : .DEFAULT\software\microsoft\internet explorer\extensions\cmdmapping "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
obj[19]=RegValue : S-1-5-18\software\microsoft\internet explorer\extensions\cmdmapping "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
obj[20]=RegValue : S-1-5-21-1177238915-1993962763-854245398-1003\software\microsoft\internet explorer\extensions\cmdmapping "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"

CLARIA
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[9]=Regkey : S-1-5-21-1177238915-1993962763-854245398-1003\software\microsoft\windows\currentversion\explorer\menuorder\start menu\programs\gain
obj[10]=Regkey : S-1-5-21-1177238915-1993962763-854245398-1003\\software\microsoft\windows\currentversion\explorer\menuorder\start menu\programs\gain

IEHIJACKER.RICHFIND
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[11]=Regkey : S-1-5-21-1177238915-1993962763-854245398-1003\software\lawga\local\clsids
obj[12]=RegValue : S-1-5-21-1177238915-1993962763-854245398-1003\software\lawga\local\clsids "1"
obj[13]=RegValue : S-1-5-21-1177238915-1993962763-854245398-1003\software\lawga\local\clsids "2"
obj[14]=RegValue : S-1-5-21-1177238915-1993962763-854245398-1003\software\lawga\local\clsids "3"
obj[15]=RegValue : S-1-5-21-1177238915-1993962763-854245398-1003\software\lawga\local\clsids "4"
obj[16]=RegValue : S-1-5-21-1177238915-1993962763-854245398-1003\software\lawga\local\clsids "5"
obj[17]=RegValue : S-1-5-21-1177238915-1993962763-854245398-1003\software\lawga\local\clsids "x"
obj[24]=Regkey : software\lawga

TRACKING COOKIE
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[21]=IECache Entry : Cookie:...... .....@as1.falkag.de/

The toolbar has gone, but these strip poker pages still pop up now and again... Thanks for all your help!
#7
Monster Techie

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

These are part of your problem. Your home page has been hijacked. Go here and download all of these: CoolWeb Shredder, CWS Domains, CWS SmartKiller, and Killbox. Put those and your HiJack log in a folder on your C: drive, so the folder may look something like this: c:\Malware tools. Just name it something YOU will remember.

Next have your hidden files set so that you can see them: http://www.spyware911.net/forum/index.php?showtopic=27

Then reboot into safe mode: http://www.spyware911.net/safemode.htm and run the three CWS files. DO NOT TOUCH KILLBOX YET.

Then run HijackThis again and put a check by these. Close ALL windows except HijackThis and click "Fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about :

Reboot. Empty the Recycle Bin. Then post another log. Liz
__________________
Priority Computers | AdAware SE | SpyBot-Search & Destroy | SpywareBlaster | SpywareGuard | HijackThis | Stealing is illegal. Powered by Emily!
#9
Newb Techie, Join Date: Dec 2004, Posts: 8
Here we go Liz. Unfortunately I could not download CWS Domains, and SmartKiller was downloaded but a message came up saying it could not find SmartKiller on your PC...

Logfile of HijackThis v1.99.0
Scan saved at 23:49:36, on 23.12.2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\Programme\Norton Personal Firewall\NISUM.EXE
C:\Programme\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Programme\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\alg.exe
C:\Programme\Norton Personal Firewall\ccPxySvc.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\Gemeinsame Dateien\Panda Software\PavShld\pavprsrv.exe
C:\Programme\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Programme\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
C:\Programme\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\pingnet.exe
C:\WINDOWS\System32\odcfg.exe
C:\WINDOWS\System32\getdns.exe
C:\WINDOWS\System32\clfmon.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Dokumente und Einstellungen\Andreas Auer\Eigene Dateien\Hijack\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Richfind - {63BFC15C-0A1B-4B44-9C3F-AC6CB2F8EFF8} - C:\WINDOWS\System32\Q713315.dll (file missing)
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Programme\Gemeinsame Dateien\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Programme\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [MS lsassc Startup] lsass135c.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programme\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\RunServices: [MS lsassc Startup] lsass135c.exe
O4 - HKLM\..\RunServices: [Microsoft Services] lssrv.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [SpySweeper] "C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Richfind - {63BFC15C-0A1B-4B44-9C3F-AC6CB2F8EFF8} - C:\WINDOWS\System32\Q713315.dll (file missing)
O16 - DPF: {27FA5271-12D2-43E3-9424-365A43236EE7} (PIXACO upload plugin) - http://express.bilderservice.de/stat...dropupload.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1103056697268
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IP-Uploader Control) - http://asp05.photoprintit.de/microsi...eUploader3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B8CC041-99CE-4D44-9A57-EDEECF98DCCA}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{71683BEA-FE5D-4E68-AD7E-E368DDF674C6}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS1\Services\Tcpip\..\{4B8CC041-99CE-4D44-9A57-EDEECF98DCCA}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS2\Services\Tcpip\..\{4B8CC041-99CE-4D44-9A57-EDEECF98DCCA}: NameServer = 69.50.166.94,69.31.80.244
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service - Symantec Corporation - C:\Programme\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager - Symantec Corporation - C:\Programme\Norton Personal Firewall\NISUM.EXE
O23 - Service: Panda Process Protection Service - Unknown - C:\Programme\Gemeinsame Dateien\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service - Unknown - C:\Programme\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
#10
Ultra Techie

catweazle, turn off system restore, and fix the following:

C:\WINDOWS\System32\pingnet.exe
C:\WINDOWS\System32\odcfg.exe
C:\WINDOWS\System32\getdns.exe
O3 - Toolbar: Richfind - {63BFC15C-0A1B-4B44-9C3F-AC6CB2F8EFF8} - C:\WINDOWS\System32\Q713315.dll (file missing)
O4 - HKLM\..\RunServices: [Microsoft Services] lssrv.exe
O9 - Extra button: Richfind - {63BFC15C-0A1B-4B44-9C3F-AC6CB2F8EFF8} - C:\WINDOWS\System32\Q713315.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B8CC041-99CE-4D44-9A57-EDEECF98DCCA}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{71683BEA-FE5D-4E68-AD7E-E368DDF674C6}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS1\Services\Tcpip\..\{4B8CC041-99CE-4D44-9A57-EDEECF98DCCA}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS2\Services\Tcpip\..\{4B8CC041-99CE-4D44-9A57-EDEECF98DCCA}: NameServer = 69.50.166.94,69.31.80.244

Next, boot into safe mode and delete all the temporary Windows files, internet files and cache. Delete these files, if they are available [you have to enable hidden and Operating System files from folder options]:

*pingnet.exe
*odcfg.exe
*getdns.exe

You have a worm that spawns on a Windows vulnerability. Download and run this tool: http://www.paretologic.com/xoftspy/lp/14/

To stay secure from future attacks, you have to install the service pack for your Internet Explorer [or install the Windows service pack files]. Good luck.
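As an added example (not code from this thread, from HijackThis or from any of the posters), here is a Python first pass over a pasted HJT log that applies the rules intercodes and Liz apply by hand in #3, #7 and #10: O4 autostarts that are a bare filename with no path (lssrv.exe, lfjtcdztu.exe, netssh.exe), O17 NameServer entries outside an expected resolver set, O15 Trusted Zone additions (worse when they cover a raw IP), orphaned "(file missing)" hooks, and R0/R1 pages pointing away from default hosts. EXPECTED_DNS and ALLOWED_URL_HOSTS are placeholder assumptions; the sample lines are excerpted from the logs posted above.

```python
"""Triage a HijackThis (HJT) log: flag the entry types the helpers in this thread single out."""
import re
from ipaddress import ip_address

# Resolvers this machine should be using (constructed placeholder values;
# in practice the ISP's or the local router's addresses).
EXPECTED_DNS = {"192.0.2.1", "192.0.2.2"}
# Hosts considered legitimate IE start/search pages (assumption).
ALLOWED_URL_HOSTS = ("microsoft.com", "msn.com")

O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<zone>\S+)$")
R_RE = re.compile(r"^R[013] - .* = (?P<url>\S+)$")


def _command_path(cmd):
    """Executable part of an O4 command, with quotes and arguments stripped."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def _url_host(url):
    """Host of an http(s) URL, or None for about:blank and other schemes."""
    m = re.match(r"^https?://([^/?#]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else None


def triage_line(line):
    """Return (severity, reason) for one HJT line, or None if nothing stands out."""
    line = line.strip()
    if "(file missing)" in line:
        return ("medium", "orphaned entry: the DLL is gone but the registry hook remains")
    m = O17_RE.match(line)
    if m:
        rogue = [s.strip() for s in m.group("servers").split(",")
                 if s.strip() not in EXPECTED_DNS]
        return ("high", "DNS resolver(s) outside the expected set: " + ", ".join(rogue)) if rogue else None
    m = O15_RE.match(line)
    if m:
        host = m.group("zone").split("://", 1)[-1].lstrip("*.")
        try:
            ip_address(host)  # a wildcard over a raw IP is never a normal Trusted Zone entry
            return ("high", "Trusted Zone entry for a raw IP address: " + m.group("zone"))
        except ValueError:
            return ("medium", "Trusted Zone addition to review: " + m.group("zone"))
    m = O4_RE.match(line)
    if m:
        exe = _command_path(m.group("cmd"))
        if "\\" not in exe:  # bare name, resolved via PATH/System32: the lssrv.exe pattern above
            return ("high", "autostart uses a bare filename with no path: " + exe)
        return None
    m = R_RE.match(line)
    if m:
        host = _url_host(m.group("url"))
        if host and not any(host == d or host.endswith("." + d) for d in ALLOWED_URL_HOSTS):
            return ("high", "IE start/search page points to a non-default host: " + host)
    return None


def triage_log(text):
    """Run triage_line over a whole log; returns [(line, severity, reason), ...]."""
    findings = []
    for raw in text.splitlines():
        hit = triage_line(raw)
        if hit:
            findings.append((raw.strip(), hit[0], hit[1]))
    return findings


# Lines excerpted from the logs posted in this thread (a constructed subset).
SAMPLE_LOG = r'''
Logfile of HijackThis v1.99.0
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O3 - Toolbar: Richfind - {63BFC15C-0A1B-4B44-9C3F-AC6CB2F8EFF8} - C:\WINDOWS\System32\Q713315.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MS lsassc Startup] lsass135c.exe
O4 - HKLM\..\RunServices: [WindowsRegKey upd4te2d4te] lfjtcdztu.exe
O15 - Trusted Zone: http://*.63.219.181.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B8CC041-99CE-4D44-9A57-EDEECF98DCCA}: NameServer = 69.50.166.94,69.31.80.244
'''

if __name__ == "__main__":
    for entry, severity, reason in triage_log(SAMPLE_LOG):
        print(f"[{severity}] {reason}\n    {entry}")
```

Entries with a full path, such as the dnsping.exe line in #3, pass the bare-filename rule and still need the "if you don't know what this is" judgement call the helpers apply.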