Logfile of HijackThis v1.99.1
Scan saved at 6:20:33 PM, on 26/10/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\SDKHJ.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\PROGRAM FILES\ROXIO\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\SYSTEM\DYQSOS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SHICOME.EXE
C:\WINDOWS\TEMP\3205.TMP.EXE
C:\WINDOWS\TEMP\3242.TMP.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZAPRO.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\CFGWIZ32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kmmlf.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kmmlf.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\kmmlf.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kmmlf.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kmmlf.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kmmlf.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kmmlf.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {93754D15-8CF7-FF25-843E-8C4DF6F17E92} - C:\WINDOWS\SYSTEM\QYG.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Class - {37FCC35D-6EB9-E85F-8C50-2B258040FBB3} - C:\WINDOWS\SYSTEM\APIAF.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundFusion] rundll32.exe hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [lexplore] LEXPLORE.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [dyqsos] c:\windows\system\dyqsos.exe
O4 - HKLM\..\Run: [shicome] C:\WINDOWS\shicome.exe
O4 - HKLM\..\Run: [winupdates] \winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [IEZF32.EXE] C:\WINDOWS\SYSTEM\IEZF32.EXE
O4 - HKLM\..\Run: [3205.TMP] C:\WINDOWS\TEMP\3205.TMP.exe
O4 - HKLM\..\Run: [3242.TMP] C:\WINDOWS\TEMP\3242.TMP.exe
O4 - HKLM\..\Run: [3242.TMP.EXE] C:\WINDOWS\TEMP\3242.TMP.EXE
O4 - HKLM\..\Run: [3205.TMP.EXE] C:\WINDOWS\TEMP\3205.TMP.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [lexplore] LEXPLORE.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [SDKHJ.EXE] C:\WINDOWS\SYSTEM\SDKHJ.EXE /s
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ares] "C:\PROGRAM FILES\ARES LITE EDITION\ARES.EXE" -h
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\Alex\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\Alex\partypokernet.exe (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
Trek Blue Error Nuker [RESOLVED]
Started by sight unseen, Oct 26 2005 05:44 PM
#1
Posted 26 October 2005 - 05:44 PM
#2
Posted 30 October 2005 - 07:08 PM
Sight unseen,
We are looking at your log and will have some instructions for you shortly, sorry for the wait
Lovethepirk
#3
Posted 30 October 2005 - 11:42 PM
Sight Unseen,
Welcome to G2G forums.
You are heavily infected, so our instructions might seem overwhelming at first. Please take your time and do each step carefully; I really don't think it will take you too long.
*Also, you are going to need to transfer these downloads from a computer with internet access to the infected computer. As such, you will not be able to update them, so just skip that small step. Good luck...
Please print out this post so that you have a hard copy of these instructions. You will need to keep Internet Explorer and Windows Explorer (including My Computer) closed throughout the entire process.
Please download Intermute's CWShredder from here:
http://www.intermute...cwshredder.html
Save it to the desktop and then open the program up and update it, but do NOT run it yet.
Download Crap Cleaner from here:
http://www.majorgeek...wnload4191.html
Save it to the desktop and install the program but do not run it yet.
Then please download About:Buster from here:
http://www.malwareby...AboutBuster.zip
Unzip it to the desktop, run it, Check for Updates, and update the files, but do NOT run a scan yet.
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml
Once in Safe Mode, please run CWShredder, and click Fix.
Then please run About:Buster 2 times and click Start to begin the scan. If prompted to end the Explorer.exe process, click Yes. Your desktop may disappear --- this is normal. Allow the program to scan twice, and when complete click "Save Log". This will create a text file called "AB Logfile.txt" in the folder where About:Buster is saved. I will want to see this logfile later.
Finally, please run HijackThis, click Scan, and check:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kmmlf.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kmmlf.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\kmmlf.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kmmlf.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kmmlf.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kmmlf.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kmmlf.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {93754D15-8CF7-FF25-843E-8C4DF6F17E92} - C:\WINDOWS\SYSTEM\QYG.DLL
O2 - BHO: Class - {37FCC35D-6EB9-E85F-8C50-2B258040FBB3} - C:\WINDOWS\SYSTEM\APIAF.DLL
O4 - HKLM\..\Run: [lexplore] LEXPLORE.EXE
O4 - HKLM\..\Run: [dyqsos] c:\windows\system\dyqsos.exe
O4 - HKLM\..\Run: [winupdates] \winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [IEZF32.EXE] C:\WINDOWS\SYSTEM\IEZF32.EXE
O4 - HKLM\..\Run: [3205.TMP] C:\WINDOWS\TEMP\3205.TMP.exe
O4 - HKLM\..\Run: [3242.TMP] C:\WINDOWS\TEMP\3242.TMP.exe
O4 - HKLM\..\Run: [3242.TMP.EXE] C:\WINDOWS\TEMP\3242.TMP.EXE
O4 - HKLM\..\Run: [3205.TMP.EXE] C:\WINDOWS\TEMP\3205.TMP.EXE
O4 - HKLM\..\RunServices: [lexplore] LEXPLORE.EXE
O4 - HKLM\..\RunServices: [SDKHJ.EXE] C:\WINDOWS\SYSTEM\SDKHJ.EXE /s
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\Alex\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\Alex\partypokernet.exe (file missing)
This next one is an optional fix, but it is recommended that you check it:
-----------------------------------------------------------------
This process starts some Microsoft components; however, it is not needed at start-up and it is a resource hog.
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
Close all open windows except for HijackThis and click Fix Checked.
Open up Crap Cleaner. The windows tab should be opened in the upper left of the program. Click analyze and then click run cleaner.
We need to show your hidden folders/files now:
- Open My Computer.
- Select the View menu and click Folder Options.
- Select the View Tab.
- In the Hidden files section select Show all files.
- Click OK.
c:\windows\system\dyqsos.exe
C:\WINDOWS\SYSTEM\IEZF32.EXE
C:\WINDOWS\SYSTEM\SDKHJ.EXE
C:\Program Files\winupdates------>delete this folder
Look for this file in one of the following directories and delete it also (it will only be in one of them; be careful, other files look like this one but are spelled differently):
C:\WINDOWS\LEXPLORE.EXE
C:\WINDOWS\SYSTEM\LEXPLORE.EXE
Then please restart your computer in Normal Mode
Please run the Panda scan here:
http://www.pandasoft.../activescan.htm
Choose to "Disinfect automatically," and follow the prompts. Delete any viruses found, and save a panda log for us.
Please run Bitdefender scan here:
http://www.bitdefend...m/scan8/ie.html
Scan your entire computer, delete any bad files it finds, and post any log it produces.
After this please post a new HijackThis log, as well as the logs from AboutBuster, Panda, and Bitdefender.
Edited by lovethepirk, 30 October 2005 - 11:59 PM.
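The entries the helper picked out above share a few recognisable traits: IE search and start pages redirected into a res:// page inside a DLL dropped in C:\WINDOWS, a missing default URLSearchHook, unnamed BHOs loaded from the SYSTEM directory, autoruns launched out of C:\WINDOWS\TEMP or from a rooted path with no drive letter, a lookalike name (LEXPLORE.EXE next to the real IEXPLORE.EXE), and toolbar buttons whose target file is gone. The following Python script is an added example, not part of the original thread and not HijackThis's own logic: it encodes those traits as rules and runs them over sample lines copied from the first log posted in this thread. The rule set and the KNOWN_GOOD lookalike list are this example's own assumptions, not a published signature set, and the sample log is a constructed subset.

```python
"""Triage a HijackThis 1.99 log for the CoolWebSearch-style traits the
thread above keys on.

Added example: not part of the original thread and not HijackThis's own
logic.  The sample lines are copied from the first log posted in the
thread; the rules and the KNOWN_GOOD list are this example's assumptions.
"""
import re

# A HijackThis entry looks like "R1 - <body>", "O2 - BHO: <body>",
# "O4 - HKLM\..\Run: [name] <command>", and so on.
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")

# Executable names that malware of this era imitated by changing one letter
# (assumption: a short illustrative list, not exhaustive).
KNOWN_GOOD = ("EXPLORER.EXE", "IEXPLORE.EXE", "RUNDLL32.EXE", "SVCHOST.EXE", "SYSTRAY.EXE")

# Filename tokens ending in .EXE; backslashes, whitespace, quotes and the
# [name] brackets are excluded so only the final path component matches.
EXE_RE = re.compile(r'[^\\\s"\[\]]+\.EXE')


def lookalike(name):
    """Return the KNOWN_GOOD name that `name` differs from by exactly one
    character (e.g. LEXPLORE.EXE -> IEXPLORE.EXE), or None."""
    name = name.upper()
    for good in KNOWN_GOOD:
        if len(good) == len(name) and sum(a != b for a, b in zip(good, name)) == 1:
            return good
    return None


def triage(line):
    """Return the reasons one HijackThis line deserves a closer look ([] if none)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    kind, body = m.group("kind"), m.group("body")
    upper = body.upper()
    reasons = []

    # R0/R1: IE search or start page pointed at a page stored inside a local
    # DLL.  res://<dll>/sp.html is the classic CoolWebSearch about:blank hijack.
    if kind in ("R0", "R1") and "RES://" in upper and ".DLL" in upper:
        reasons.append("search/start page served from a local DLL resource (res://)")

    # R3: the hijacker removed IE's default URLSearchHook.
    if kind == "R3" and "MISSING" in upper:
        reasons.append("default URLSearchHook missing")

    # O2: an unnamed Browser Helper Object loaded from the SYSTEM directory.
    # Either trait alone is common (Spybot's SDHelper is also unnamed); the
    # combination is what stands out.
    if kind == "O2" and ("(NO NAME)" in upper or upper.startswith("BHO: CLASS -")) \
            and "\\WINDOWS\\SYSTEM\\" in upper:
        reasons.append("unnamed BHO loaded from the Windows SYSTEM directory")

    # O4: autorun entries.
    if kind == "O4":
        if "\\TEMP\\" in upper:
            reasons.append("autorun entry pointing into the TEMP directory")
        cmd = re.search(r'\]\s*"?([^"\s]+)', body)   # first token after [name]
        if cmd and cmd.group(1).startswith("\\"):
            reasons.append("autorun path is rooted but has no drive letter")
        for exe in EXE_RE.findall(upper):
            good = lookalike(exe)
            if good:
                reasons.append(f"{exe} looks like {good} with one letter changed")

    # O9: IE toolbar button or Tools menu item whose target no longer exists.
    if kind == "O9" and "(FILE MISSING)" in upper:
        reasons.append("extra button/menu item whose target file is missing")

    return reasons


def triage_log(text):
    """Run triage() over every line; return {line: reasons} for flagged lines only."""
    findings = {}
    for raw in text.splitlines():
        line = raw.strip()
        reasons = triage(line)
        if reasons:
            findings[line] = reasons
    return findings


# Constructed sample: a subset of the first log in this thread, mixing
# legitimate entries (Norton, Spybot, SysTray, ZoneAlarm) with the hijack.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kmmlf.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {93754D15-8CF7-FF25-843E-8C4DF6F17E92} - C:\WINDOWS\SYSTEM\QYG.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [lexplore] LEXPLORE.EXE
O4 - HKLM\..\Run: [winupdates] \winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [3205.TMP] C:\WINDOWS\TEMP\3205.TMP.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\Alex\partypokernet.exe (file missing)
"""

if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG).items():
        print(line)
        for r in reasons:
            print("    ->", r)
```

Note that about:blank on its own is not flagged: it is a legitimate value and only becomes suspicious alongside the res:// entries, which is why the helper above fixed the whole R0/R1 group together rather than that line in isolation.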
#4
Posted 01 November 2005 - 02:58 PM
OK, so I got all of that done with the exception of the Panda ActiveScan, which I could not get to work. You asked me to post my logs, so here they are.
bitdefender.html 20.58KB 38 downloads
Logfile of HijackThis v1.99.1
Scan saved at 2:29:38 PM, on 01/11/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSGPLUS.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZAPRO.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundFusion] rundll32.exe hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [MessengerPlus3] "C:\Program Files\MSN Messenger\MsgPlus.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MSN Messenger\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
AboutBuster 5.1, reference file 32
Scan started on [31/10/05] at [12:26:59 PM]
------------------------------------------------
Streams(ADS) not scanned: System not NTFS
------------------------------------------------
Removed File! : C:\WINDOWS\onvyw.dat
Removed File! : C:\WINDOWS\zczzqa.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 12:27:41 PM

AboutBuster 5.1, reference file 32
Scan started on [31/10/05] at [12:28:14 PM]
------------------------------------------------
Streams(ADS) not scanned: System not NTFS
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 12:28:54 PM

Thanks for all of your help so far, I really appreciate it.
Edited by sight unseen, 01 November 2005 - 03:00 PM.
#5
Posted 01 November 2005 - 07:56 PM
Sight Unseen,
You are looking much better now, just some housecleaning to do and one final scan
First try and delete this folder if it exists:
C:\winupdates
Please go to this website and submit the following files for viruses/trojans:
http://virusscan.jotti.org/
Submit this(this file should still be on your computer, but if you cannot find it don't worry):
C:\WINDOWS\shicome.exe
Let us know what the results were for the file(s).
Let's try one last online virus scan to make sure you are clean...
Please run the Housecall online virus scan located at:
http://housecall.tre.../start_corp.asp
Follow the prompts to scan your hard drive for viruses. Select the "Autoclean" option so that Housecall will remove any viruses from your system.
When the scan is finished, please try and save a log for us.
Restart your computer.
Post one last HJT log for us along with the Housecall Log. Let us also know about the file we had you submit.
Oh yeah... How is everything running?
Regards,
Lovethepirk
#6
Posted 04 November 2005 - 11:31 PM
I couldn't get the Housecall scan to work. I have tried several times, but a notice pops up saying that the server is busy or there is a bad connection. I will keep trying, however. The file shicome.exe came up clean on that online scan, which I assume is good. The system is running great! The increase in speed is phenomenal. There is less junk running in the background and hopefully I can keep it like this for a while. More precautions have already been taken. Here is the last HJT log that you asked for:
Logfile of HijackThis v1.99.1
Scan saved at 11:19:29 PM, on 04/11/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSGPLUS.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZAPRO.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\WINAMP\WINAMP.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\AUPDATE.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundFusion] rundll32.exe hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [MessengerPlus3] "C:\Program Files\MSN Messenger\MsgPlus.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MSN Messenger\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
Thank you for all your help, this was excellent
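The O4 lines in the log above are HijackThis's record of every autostart location (Run/RunServices registry values and Startup folder shortcuts). As an added example that is not part of this thread and not HijackThis's own code, the parser below splits run-together O4 entries back out, records which program each one launches, whether that program is named by a full path, and, for rundll32 entries, which module is actually being loaded. The sample entries are constructed in the style of the log above.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample in the O4 format of the log above; the entries are run
# together on one line, as the forum extraction did to the original.
SAMPLE_LOG = (
    "O4 - HKLM\\..\\Run: [ScanRegistry] C:\\WINDOWS\\scanregw.exe /autorun "
    "O4 - HKLM\\..\\Run: [SystemTray] SysTray.Exe "
    "O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize "
    "O4 - HKLM\\..\\RunServices: [TrueVector] C:\\WINDOWS\\SYSTEM\\ZONELABS\\VSMON.EXE -service "
    'O4 - HKCU\\..\\Run: [Steam] "c:\\program files\\valve\\steam\\steam.exe" -silent '
    "O4 - Global Startup: ZoneAlarm Pro.lnk = C:\\Program Files\\Zone Labs\\ZoneAlarm\\zapro.exe"
)

REG_ENTRY = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]+)\] (.*)$")
FOLDER_ENTRY = re.compile(r"^O4 - ((?:Global )?Startup): (.+?) = (.*)$")

@dataclass
class Autostart:
    location: str    # e.g. "HKLM\..\Run" or "Global Startup"
    name: str        # registry value name or .lnk file name
    command: str     # command line exactly as logged
    executable: str  # first program on the command line (quotes stripped)
    hosted: str      # module handed to rundll32, or "" if not a rundll32 entry
    absolute: bool   # True when the program is given as a drive-letter path

def _split_command(command: str) -> tuple[str, str]:
    """Return (program, remaining arguments) for a logged command line."""
    m = re.match(r'"([^"]+)"|(\S+)', command)
    if not m:
        return "", ""
    return (m.group(1) or m.group(2)), command[m.end():].strip()

def parse_o4(text: str) -> list[Autostart]:
    """Split run-together O4 entries on their 'Onn - ' prefix and structure each."""
    entries: list[Autostart] = []
    for chunk in re.split(r"\s*(?=O\d+ - )", text.strip()):
        if (m := REG_ENTRY.match(chunk)):
            location, name, command = f"{m[1]}\\..\\{m[2]}", m[3], m[4]
        elif (m := FOLDER_ENTRY.match(chunk)):
            location, name, command = m[1], m[2], m[3]
        else:
            continue  # empty leading chunk or a non-O4 line
        exe, rest = _split_command(command)
        hosted = ""
        if exe.lower().rsplit("\\", 1)[-1] == "rundll32.exe" and rest:
            hosted = rest.split(",", 1)[0].split()[0]  # module before the comma
        absolute = bool(re.match(r"^[A-Za-z]:\\", exe))
        entries.append(Autostart(location, name, command, exe, hosted, absolute))
    return entries

def relative_path_entries(entries: list[Autostart]) -> list[Autostart]:
    """Autostarts whose program is named without a full path (needs a PATH lookup)."""
    return [e for e in entries if not e.absolute and not e.hosted]
```

Entries that name a bare program (or only a module for rundll32) are the ones a reviewer has to resolve by hand, since the log alone does not say which file on disk actually runs.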
#7
Posted 05 November 2005 - 08:26 AM
Sight Unseen,
I am glad to hear your computer is running much faster. You had a nasty little CoolWebsearch infection.
Don't worry about that online scan...you can try it later and report back if you would like to, but I think you are in the clear.
Also that file we had you submit is okay so do not worry about it either....
We need to rehide your hidden folders/files now:
- Open My Computer.
- Select the View menu and click Folder Options.
- Select the View Tab.
- In the Hidden files section unselect Show all files.
- Click OK.
Please look carefully at this post for some excellent preventative measures to take so you do not get infected again.
Prevention is good
To reduce the re-infection potential for malware and protect yourself against spyware, here are a few helpful suggestions:
1. Keep Windows and Internet Explorer current with the latest critical security updates from Microsoft. This will patch many of the security holes through which attackers can gain access to your computer. You CANNOT complete this update using an alternate browser.
http://v5.windowsupd...t.aspx?ln=en-us
http://www.microsoft.../ie/default.asp
2. Run your antivirus software regularly, and keep its definitions up-to-date. If you are thinking about switching, there are some good free antivirus programs that are decent, including AVG and Avast!.
AVG: http://free.grisoft.com/doc/1
Avast: http://www.avast.com...ast_4_home.html
3. In addition to using Ad-aware, consider using another free malware scanning/removal program:
Adaware SE: http://www.download....ubj=dl&tag=top5
Spybot S&D: http://www.download....tml?tag=lst-0-1
MS Antispyware beta: http://www.microsoft...re/default.mspx
4. Consider using a free firewall if you are not already using one. Some good free ones are:
Sygate: http://smb.sygate.co...pf_standard.htm
Zone Alarm: http://www.zonelabs....n.jsp?lid=ho_za
5. Consider using an alternate free browser for general web surfing, but you must use IE for Windows Update.
Mozilla Firefox: http://www.mozilla.o...oducts/firefox/
6. Consider increasing your browser security by using these programs:
SpywareGuard will protect your homepage from being hijacked: http://www.javacools...ywareguard.html
SpywareBlaster will increase browser protection by blocking hundreds of known malware sites by adding them to IE's restricted sites zone. Download it here: http://www.javacools...areblaster.html
If you use SpywareBlaster, you can also use a custom blocklist to add even more entries to IE's restricted sites zone. Go to this site for the current list and how-to-use instructions: http://customblockinglist.cjb.net/
IE-SPYAD is similar in that it adds thousands more known malware sites to IE's restricted zone. Download it here:
https://netfiles.uiu...ww/resource.htm
*Remember just like your primary anti-virus software, it is important to keep all of these programs up-to-date and use them on a regular basis.
Good luck!!!
Edited by lovethepirk, 05 November 2005 - 08:29 AM.
#8
Posted 09 November 2005 - 08:11 PM
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.
If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.
Everyone else please begin a New Topic.