Welcome To The Desert.
#1
Posted 08 December 2004 - 11:32 AM
Register to Remove
#2
Posted 08 December 2004 - 04:55 PM
Important: Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.
Download HijackThis into this folder.
If required a tutorial is here = Hijackthis Folder Tutorial
Links to Hijack This! v 1.98.2:
http://tools.radiosp.../HijackThis.exe
http://spywarewarrio.../HijackThis.exe
Run it from that folder.
Click "Scan".
DO NOT "FIX" ANYTHING WITH IT YET!!!
FIXING THE WRONG THING COULD RENDER YOUR SYSTEM INOPERABLE!!!
Click "Save log".
Reply to this thread, and "copy/paste" the ENTIRE CONTENTS of the log file into this thread.
The help you receive here is free.
If you wish to show your appreciation, then you may donate to help keep us online.
Want to help others? Join the ClassRoom and learn how.
Download Hijack This! My Website: UnSpyMe!
#3
Posted 08 December 2004 - 11:10 PM
Your instructions were much appreciated. Here is the the log file. I've heard of hijack but always been kind of leary bout it not knowing anything about it. I'm reading the tut. Your input is gratefully appreciated.
DO NOT "FIX" ANYTHING WITH IT YET!!!
FIXING THE WRONG THING COULD RENDER YOUR SYSTEM INOPERABLE!!!"
Duh!
No sweat. Wouldn't do it until I knew what I was doing anyway.
As my friends say I'm a barbarian not an idiot. took a guess at what I don't think belong highlighted below. I may be wrong, prob am. Maybe not, who knows.
Everything has been left intact on the server and no changes have been made.
Logfile of HijackThis v1.98.2
Scan saved at 8:49:03 PM, on 12/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\FS\FSService.exe
C:\Program Files\FS\fsp.exe This belongs
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\SIDEWI~1\Common\SWTrayV4.exe
C:\Program Files\Creative\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Creative\DVDAudio\CTDVDDET.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_SICN05.EXE
C:\Program Files\Shove-it\Shove-it.exe
C:\Program Files\InterVideo\MSIPVS\WinScheduler.exe
C:\Program Files\PowerDesk\PDExplo.exe
C:\Program Files\Common Files\ACD Systems\IDBSvr.exe
F:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.co...earch_frame.php Not supposed to be
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com Not supposed to be
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O1 - Hosts: 64.91.255.87 www.dcsresearch.com Not supposed to be??
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll (file missing)
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: DSE WE Addon Class - {BF55256A-3B3B-11D2-B05B-000001145917} - C:\Program Files\Common Files\PFShared\weaddon.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx Not sure
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll can go
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\SIDEWI~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [fspr] "C:\Program Files\FS\FolderShield.exe" CR this stays
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [MPL32 Driver] lsasss.exe can never rem what this is
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [EPSON Stylus COLOR 760] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_SICN05.EXE /A "C:\WINDOWS\System32\E_S1B7.tmp"
O4 - HKCU\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O4 - Startup: Shove-it.lnk = C:\Program Files\Shove-it\Shove-it.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Post-itŪ Software Notes.lnk = C:\Program Files\3M\psn.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML Not supposed to be
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe Not supposed to be
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe Not supposed to be
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll suspect? yes/no
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab can go?
#4
Posted 09 December 2004 - 12:01 PM
Can be fixed ^
[quote]R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com Not supposed to be[/quote]
Can be fixed^
[quote]O1 - Hosts: 64.91.255.87 www.dcsresearch.com Not supposed to be?? [/quote]
Can be fixed^
[quote]O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx Not sure[/quote]
NOT malware^
[quote]O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll can go[/quote]
Would be best removed via Start > Control Panel > Add/Remove programs, if you wish.
[quote]O4 - HKLM\..\Run: [MPL32 Driver] lsasss.exe can never rem what this is[/quote]
This is unusual. The "head" is part of one worm, the "tail" looks like another.
[quote]O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML Not supposed to be[/quote]
Would be best removed via Start > Control Panel > Add/Remove programs, if you wish.
[quote]O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe Not supposed to be
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe Not supposed to be[/quote]
You can remove ICQLite via Start > Control Panel > Add/Remove programs, then fix these if you want.
[quote]O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll suspect? yes/no[/quote]
NOT malware^
[quote]O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab can go?[/quote]
Can be fixed^
[quote]internet optimizer, suspected root cause
180 search assistant
&radio
xsczn.inf[/quote]
Don't see any of that anywhere, but Hijack This! doesn't look everywhere.
Personally, I'd suggest the "whole enchilada", which would be all of this:
[quote]Please download and run Spybot-Search&Destroy and Ad-Aware; they are the standard programs for finding and cleaning malware off your system. Here are links to both programs, and instructions for their use.
Get Spybot - Search & Destroy from http://security.kolla.de
(This is the NEW Version 1.3)
Get AdAware SE Personal from http://www.lavasoft....upport/download
(This is the NEW Build 1.05)
Download and install these programs if you don't already have them. If you do have them, make sure they are UPDATED AND CONFIGURED AS DESCRIBED here:
http://www.cjwd.demo...ot-adaware.html
Reboot after running each program.
Please try these free online virus scans of your system:
Trend-Micro Housecall
Panda Activescan
Etrust Security Advisor
Choose "fix" or "clean".
Let them remove any infections found. Reboot after each scan.[/quote]
Then post another log, and we'll see if the worm survived.
The help you receive here is free.
If you wish to show your appreciation, then you may donate to help keep us online.
Want to help others? Join the ClassRoom and learn how.
Download Hijack This! My Website: UnSpyMe!
#5
Posted 09 December 2004 - 08:57 PM
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users