Computing.Net > Forums > Security and Virus > HIJACKTHIS-Help with adware/viruses


HIJACKTHIS-Help with adware/viruses


Name: Jmg85
Date: September 20, 2004 at 21:36:28 Pacific
OS: Windows XP
CPU/Ram: Pentium 3
Comment:

I need help with my computer; it looks like it has a lot of viruses and spyware. Any help on what processes to fix would be greatly appreciated. Thanks!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Winad Client\WinClt.exe
C:\WINDOWS\System32\dllhost.exe
C:\documents and settings\allison ross\local settings\temp\4gh.exe
C:\documents and settings\allison ross\local settings\temp\9FAOvM5R.exe
C:\WINDOWS\System32\msdtc.exe
C:\documents and settings\allison ross\local settings\temp\XXItDwfg.exe
C:\documents and settings\allison ross\local settings\temp\IOhosAlMd.exe
C:\documents and settings\allison ross\local settings\temp\F9qPi9.exe
C:\documents and settings\allison ross\local settings\temp\mxOwym.exe
C:\WINDOWS\System32\batt7229.exe
C:\WINDOWS\System32\rdscrt.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\Qbi53q.exe
C:\WINDOWS\System32\Wzx4.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\NETMEE~1\conf.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rsvp.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Winad Client\Winad.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\VPC32.exe
C:\Documents and Settings\Allison Ross\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 128.253.2.169:80
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [IOVCIM] C:\WINDOWS\IOVCIM.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [oesmubhzlgefx] C:\WINDOWS\System32\lnkqzszw.exe
O4 - HKLM\..\Run: [MS Decryption Software] C:\active.exe
O4 - HKLM\..\Run: [4gh] C:\documents and settings\allison ross\local settings\temp\4gh.exe
O4 - HKLM\..\Run: [Windows USB Driver] winusb32.exe
O4 - HKLM\..\Run: [9FAOvM5R] C:\documents and settings\allison ross\local settings\temp\9FAOvM5R.exe
O4 - HKLM\..\Run: [3539SQE3AKPEXB] C:\WINDOWS\System32\JsrZ.exe
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.exe
O4 - HKLM\..\Run: [XXItDwfg] C:\documents and settings\allison ross\local settings\temp\XXItDwfg.exe
O4 - HKLM\..\Run: [IOhosAlMd] C:\documents and settings\allison ross\local settings\temp\IOhosAlMd.exe
O4 - HKLM\..\Run: [F9qPi9] C:\documents and settings\allison ross\local settings\temp\F9qPi9.exe
O4 - HKLM\..\Run: [mxOwym] C:\documents and settings\allison ross\local settings\temp\mxOwym.exe
O4 - HKLM\..\Run: [527d79831e5f] C:\WINDOWS\System32\batt7229.exe
O4 - HKLM\..\Run: [wFrT38R] rdscrt.exe
O4 - HKLM\..\Run: [gcasServ] C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
O4 - HKLM\..\Run: [gcasDtServ] gcasDtServ.exe
O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
O4 - HKLM\..\RunServices: [Windows USB Driver] winusb32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Windows USB Driver] winusb32.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKLM\..\RunOnce: [!CleanupNetMeetingDispDriver] "C:\WINDOWS\System32\rundll32.exe" msconf.dll,CleanupNetMeetingDispDriver 0
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1092948755920
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37949.7426736111
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk DWF Viewer Control) - http://www.autodesk.com/global/expressviewer/installer/ExpressViewerSetup.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_2us.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,15/mcgdmgr.cab
O16 - DPF: {FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4} - http://download.buddylinks.net/ShellInstaller.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab




Response Number 1
Name: Valerie (by Garibaldi)
Date: September 21, 2004 at 00:01:08 Pacific
Reply:

First tell us what you've already done and what makes you believe you have malware.

Have you run updated AV?
Have you run updated AdAware, SpyBot S&D, CWShredder, etc.?
Have you done an online free AV scan?

All of the above should be run before HJT

Go for it

V...



Response Number 2
Name: Viking
Date: September 21, 2004 at 02:55:02 Pacific
Reply:

Before this post gets pulled....

You have at least one trojan, and I've got my eyes shut because I've just got up.

Disable system restore and do an online virus scan.

Also do an online Trojan scan.

Download, fully update and run both Ad-Aware SE Personal 1.05 and Spybot S&D 1.3, also download and run CWShredder 1.59.1.


Enter safe mode and go into add and remove programs and uninstall every single program that you're unsure of. If you can't identify something exactly and don't know what it is, or does, then uninstall it.

And saying that, uninstall the stuff that you've half doubted you should have installed in the first place.

Now look in your program files and do a quick head count of all programs in there and make sure they tally with what's in add and remove programs.

If you have any "spare" folders in your program files (that you don't know about), delete them while you're still in safe mode.

Reboot. Post new log file (don't bother posting one unless you've done all the above).


See the iDiOt walk
See the idiot TaLk

WaLk IdIoT WaLk



Response Number 3
Name: Mark.UK
Date: September 21, 2004 at 04:09:37 Pacific
Reply:

After following the advice above, finally paste your HJT log into the analyzer here and tidy up the remainder:

http://www.hijackthis.de/index.php?langselect=english

M



Response Number 4
Name: murve
Date: September 21, 2004 at 09:19:45 Pacific
Reply:

Hi jmg85,
You have at least 2 trojans, and the sdbot virus, plus the dyfuca spyware.
I would go to www.thepublicworks.com, scroll down to payware and link to Trojan Hunter, and download the free 30-day trial and get the latest defs. Do your anti-virus, anti-trojan and HijackThis work in safe mode.
You have a ton of other stuff that has to be deleted from your HijackThis log, so do as M says and visit that site.
All the best,
murve



Response Number 5
Name: Abnormal
Date: September 21, 2004 at 12:10:50 Pacific
Reply:

This is the peper trojan, you need a special removal tool.
O4 - HKLM\..\Run: [3539SQE3AKPEXB] C:\WINDOWS\System32\JsrZ.exe

Download and run this Peper trojan uninstaller, making sure you're online while running it!

Peper-uninstaller http://downloads.subratam.org/PeperFix.exe

Reboot after and run again to make sure it's gone.





Response Number 6
Name: Jmg85
Date: September 21, 2004 at 19:56:57 Pacific
Reply:

All the spyware and virus scanners were updated and scanned in safe mode to delete items. Spyhunter found 30+ items and they all got deleted. The peper virus was not found on the computer even though I still see it in the log. Here is the updated log, after spybot, adware, symantec, peper, GIANT, shredder were run. Thanks for all the quick posts!


Logfile of HijackThis v1.97.7
Scan saved at 10:47:32 PM, on 9/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\LEXBCES.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\documents and settings\allison ross\local settings\temp\4gh.exe
C:\documents and settings\allison ross\local settings\temp\9FAOvM5R.exe
C:\documents and settings\allison ross\local settings\temp\XXItDwfg.exe
C:\documents and settings\allison ross\local settings\temp\F9qPi9.exe
C:\documents and settings\allison ross\local settings\temp\mxOwym.exe
C:\WINDOWS\System32\batt7229.exe
C:\WINDOWS\System32\vpc32.exe
C:\Program Files\Lexmark X1100 Series\Lexmarkut.exe
C:\documents and settings\allison ross\local settings\temp\g.exe
C:\documents and settings\allison ross\local settings\temp\ANFMe.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\robid.exe
C:\documents and settings\allison ross\local settings\temp\m.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
c:\windows\system32\Evtmgr.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\NETMEE~1\conf.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rsvp.exe
C:\Documents and Settings\Allison Ross\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 128.253.2.169:80
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Allison Ross\Local Settings\Temp\3G0OpTjZZ.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [IOVCIM] C:\WINDOWS\IOVCIM.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [oesmubhzlgefx] C:\WINDOWS\System32\lnkqzszw.exe
O4 - HKLM\..\Run: [MS Decryption Software] C:\active.exe
O4 - HKLM\..\Run: [4gh] C:\documents and settings\allison ross\local settings\temp\4gh.exe
O4 - HKLM\..\Run: [Windows USB Driver] winusb32.exe
O4 - HKLM\..\Run: [9FAOvM5R] C:\documents and settings\allison ross\local settings\temp\9FAOvM5R.exe
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.exe
O4 - HKLM\..\Run: [XXItDwfg] C:\documents and settings\allison ross\local settings\temp\XXItDwfg.exe
O4 - HKLM\..\Run: [IOhosAlMd] C:\documents and settings\allison ross\local settings\temp\IOhosAlMd.exe
O4 - HKLM\..\Run: [F9qPi9] C:\documents and settings\allison ross\local settings\temp\F9qPi9.exe
O4 - HKLM\..\Run: [mxOwym] C:\documents and settings\allison ross\local settings\temp\mxOwym.exe
O4 - HKLM\..\Run: [527d79831e5f] C:\WINDOWS\System32\batt7229.exe
O4 - HKLM\..\Run: [gcasServ] C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
O4 - HKLM\..\Run: [gcasDtServ] gcasDtServ.exe
O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
O4 - HKLM\..\Run: [Microsoft Update] vpc32.exe
O4 - HKLM\..\Run: [3539SQE3AKPEXB] C:\WINDOWS\System32\JsrZ.exe
O4 - HKLM\..\Run: [Lexmarkut.exe] C:\Program Files\Lexmark X1100 Series\Lexmarkut.exe
O4 - HKLM\..\Run: [g] C:\documents and settings\allison ross\local settings\temp\g.exe
O4 - HKLM\..\Run: [ANFMe] C:\documents and settings\allison ross\local settings\temp\ANFMe.exe
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [wFrT38R] robid.exe
O4 - HKLM\..\Run: [m] C:\documents and settings\allison ross\local settings\temp\m.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKLM\..\RunServices: [Windows USB Driver] winusb32.exe
O4 - HKLM\..\RunServices: [Microsoft Update] vpc32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Windows USB Driver] winusb32.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [ho03RUdtj] dllrhook.exe
O4 - HKCU\..\Run: [Microsoft Update] vpc32.exe
O4 - HKLM\..\RunOnce: [!CleanupNetMeetingDispDriver] "C:\WINDOWS\System32\rundll32.exe" msconf.dll,CleanupNetMeetingDispDriver 0
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1092948755920
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37949.7426736111
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk DWF Viewer Control) - http://www.autodesk.com/global/expressviewer/installer/ExpressViewerSetup.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_2us.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,15/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4} - http://download.buddylinks.net/ShellInstaller.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab




Response Number 7
Name: Viking
Date: September 22, 2004 at 13:28:25 Pacific
Reply:

It's a mess ;)

Let's start again and get down and dirty in safe mode first. Start re-doing that head count again, I can see at least one thing you've missed -- Web Offer. If it's not there in add and remove programs to uninstall then you're going to have to go into program files and delete the folder. So make sure you know exactly what you have in add and remove programs, and that it is legitimate.

If you don't know, then start asking yourself why you don't know.

In safe mode, open up HJT and scan, and then go find and delete these files if they don't show up and can't be removed via add and remove. (most / all, won't / can't be - so don't worry) ....

C:\documents and settings\allison ross\local settings\temp\4gh.exe
C:\documents and settings\allison ross\local settings\temp\9FAOvM5R.exe
C:\documents and settings\allison ross\local settings\temp\XXItDwfg.exe
C:\documents and settings\allison ross\local settings\temp\F9qPi9.exe
C:\documents and settings\allison ross\local settings\temp\mxOwym.exe

C:\WINDOWS\System32\batt7229.exe
C:\WINDOWS\System32\vpc32.exe
C:\WINDOWS\System32\robid.exe

C:\documents and settings\allison ross\local settings\temp\m.exe

C:\PROGRA~1\Web Offer\wo.exe

C:\WINDOWS\System32\alg.exe

*********************************************

After you've deleted, check mark these in the already opened HJT ....


R3 - Default URLSearchHook is missing
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Allison Ross\Local Settings\Temp\3G0OpTjZZ.dll


O4 - HKLM\..\Run: [oesmubhzlgefx] C:\WINDOWS\System32\lnkqzszw.exe

O4 - HKLM\..\Run: [4gh] C:\documents and settings\local settings\temp\4gh.exe
O4 - HKLM\..\Run: [9FAOvM5R] C:\documents and settings\allison ross\local settings\temp\9FAOvM5R.exe
O4 - HKLM\..\Run: [XXItDwfg] C:\documents and settings\allison ross\local settings\temp\XXItDwfg.exe
O4 - HKLM\..\Run: [F9qPi9] C:\documents and settings\allison ross\local settings\temp\F9qPi9.exe
O4 - HKLM\..\Run: [mxOwym] C:\documents and settings\allison ross\local settings\temp\mxOwym.exe
O4 - HKLM\..\Run: [g] C:\documents and settings\allison ross\local settings\temp\g.exe
O4 - HKLM\..\Run: [ANFMe] C:\documents and settings\allison ross\local settings\temp\ANFMe.exe
O4 - HKLM\..\Run: [m] C:\documents and settings\allison ross\local settings\temp\m.exe

O4 - HKLM\..\Run: [wFrT38R] robid.exe

O4 - HKCU\..\Run: [ho03RUdtj] dllrhook.exe

Remove.

Run the peper remover again and if it's still there in HJT checkmark ....

O4 - HKLM\..\Run: [3539SQE3AKPEXB] C:\WINDOWS\System32\JsrZ.exe

Remove.

Repost log file.


See the iDiOt walk
See the idiot TaLk

WaLk IdIoT WaLk


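Viking's reply above does by eye what a defender can script: the entries it singles out run from a temp folder, carry a Microsoft-sounding name on a bare filename, or are registered under several Run keys at once. The following Python triage script is an added example, not code from this thread or from the HijackThis project; it parses the log line formats shown in the thread and applies those heuristics (the rule set, the trusted-directory list and the constructed sample are this example's own assumptions, not HijackThis behaviour).

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 128.253.2.169:80
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Allison Ross\Local Settings\Temp\3G0OpTjZZ.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MS Decryption Software] C:\active.exe
O4 - HKLM\..\Run: [4gh] C:\documents and settings\allison ross\local settings\temp\4gh.exe
O4 - HKLM\..\Run: [Windows USB Driver] winusb32.exe
O4 - HKLM\..\Run: [Microsoft Update] vpc32.exe
O4 - HKLM\..\RunServices: [Windows USB Driver] winusb32.exe
O4 - HKLM\..\RunServices: [Microsoft Update] vpc32.exe
O4 - HKCU\..\Run: [Windows USB Driver] winusb32.exe
O4 - HKCU\..\Run: [Microsoft Update] vpc32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
"""

# HijackThis line shapes this script understands (registry autoruns, BHOs, proxy setting).
O4_RE = re.compile(r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$')
R1_PROXY_RE = re.compile(r'^R1 - .*ProxyServer = (?P<proxy>\S+)$')

# Heuristics: assumptions of this example, not HijackThis rules.
TEMP_RE = re.compile(r'\\local settings\\temp\\', re.IGNORECASE)
VENDOR_RE = re.compile(r'\b(microsoft|windows|ms)\b', re.IGNORECASE)
TRUSTED_DIRS = ('c:\\windows\\', 'c:\\program files\\', 'c:\\progra~1\\')


def executable(cmd):
    """Return the executable part of an O4 command: a quoted path, or text up to the first .exe."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(.*?\.exe)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def analyze(log_text):
    """Return a list of (rule, line_or_exe, detail) findings for one HijackThis log."""
    findings = []
    autorun_keys = defaultdict(list)  # lowercase executable -> registry keys it is registered under
    for line in log_text.splitlines():
        line = line.strip()
        m = R1_PROXY_RE.match(line)
        if m:
            # A proxy the user did not configure can redirect or intercept all browsing.
            findings.append(('proxy-set', line, m.group('proxy')))
            continue
        m = O2_RE.match(line)
        if m:
            if TEMP_RE.search(m.group('path')):
                findings.append(('bho-in-temp', line, m.group('path')))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        name, exe = m.group('name'), executable(m.group('cmd'))
        autorun_keys[exe.lower()].append(m.group('hive') + '\\' + m.group('key'))
        if TEMP_RE.search(exe):
            # Legitimate software does not keep its autostart binary in a temp folder.
            findings.append(('autorun-in-temp', line, exe))
        if VENDOR_RE.search(name) and not exe.lower().startswith(TRUSTED_DIRS):
            # A Microsoft/Windows-sounding entry name on a bare or oddly placed binary.
            findings.append(('vendor-name-mismatch', line, exe))
    for exe, keys in autorun_keys.items():
        if len(keys) > 1:
            # The same binary registered under several Run/RunServices keys is a classic
            # worm/bot persistence pattern (winusb32.exe and vpc32.exe in the posted log).
            findings.append(('multi-key-persistence', exe, ', '.join(keys)))
    return findings


if __name__ == '__main__':
    for rule, where, detail in analyze(SAMPLE_LOG):
        print(f'{rule:22} {detail}\n    {where}')
```

Entries the script does not flag (realsched.exe, nwiz.exe) still need the manual head count the replies describe; the heuristics only order the work.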

Response Number 8
Name: Abnormal
Date: September 22, 2004 at 16:34:46 Pacific
Reply:

Found a name to go with the peper-looking files.
Ads234, Netspry and Midaddle removal instructions

Peper may have been removed; follow advice from Viking.



Response Number 9
Name: Viking
Date: September 23, 2004 at 04:04:03 Pacific
Reply:

Also, when you've finished up doing that, BEFORE you rescan and post another log file:

Reboot and get the latest version of HJT -- HijackThis 1.98.2. Use that to rescan with and then post that follow-up log file.


See the iDiOt walk
See the idiot TaLk

WaLk IdIoT WaLk



Response Number 10
Name: sentinelws
Date: September 30, 2004 at 07:13:42 Pacific
Reply:

Have you checked out c:\windows\system32\Evtmgr.exe ? (This is NOT the Win2k Event Manager which it is pretending to be).

Had this on a web server this morning; it is trying to send packets out to an IRC server (I found this by using a freeware utility called AllPorts from downloads.com). Booted in safe mode, deleted the file and the associated entries; it installs itself as a service in the registry file under HKLM, System, ControlSet001, Services, Evtmgr (delete the whole tree), and on our suspect server it also installed a group called MSSQLServices (not MSSQLServer, which is the real deal), so we deleted this tree also. It appears to be a variant of some other trojan (possibly HostControl) which unfortunately Norton AV Corporate Edition didn't recognise.



Response Number 11
Name: Viking
Date: September 30, 2004 at 12:43:06 Pacific
Reply:

Thanks for the info, Mike. I did wonder about that at the time and was going to revise/sort it after in the next log file, but as you can see, she never came back.


See the iDiOt walk
See the idiot TaLk

WaLk IdIoT WaLk

