chupzy Posted June 15, 2005

Hi, I have a computer that's infected. I scanned with Spybot Search & Destroy, Ad-aware and Norton Anti-virus but still get pop-ups. Here's my HijackThis logfile.

========================================================
Logfile of HijackThis v1.99.1
Scan saved at 10:51:45 AM, on 06/15/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oemji.com/side_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oemji.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://203.125.138.181:83/sop/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oemji.com/side_search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oemji.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://203.125.138.181:83/sop/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oemji.com/side_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oemji.com/side_search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oemji.com/side_search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\elitenbt32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
======================================================
Thanks in advance
insipid Posted June 15, 2005

chupzy, I'm looking over your log now, I'll have a reply for you soon.
insipid Posted June 15, 2005

chupzy, I see you're running Microsoft AntiSpyware, and this is good, but it may interfere with our fixes. Please disable it for the time being by right-clicking its icon in the System Tray and selecting 'Shut Down...'.

Rescan with HijackThis and place a checkmark next to the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oemji.com/side_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oemji.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://203.125.138.181:83/sop/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oemji.com/side_search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oemji.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://203.125.138.181:83/sop/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oemji.com/side_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oemji.com/side_search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oemji.com/side_search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\elitenbt32.exe

Now, close all windows including your browser and then click "Fix Checked" in HijackThis.

Please remove these entries from Add/Remove Programs in the Control Panel (if present):

Elitebar Internet Explorer Toolbar (or similar)
Oemji Toolbar

Please delete these files using Windows Explorer (if present):

C:\winnt\system32\elitenbt32.exe

Next, clean out all the temporary files and cookies on your system. Go to Start > Run and enter: cleanmgr. Let it scan your system for files to remove. Check these three boxes and then press OK to remove: Temporary Files, Temporary Internet Files, Recycle Bin.

Reboot and post a fresh HJT log for review.
chupzy Posted June 15, 2005

Hello. I removed the lines you mentioned from HijackThis except for the ones with http://203.125.138.181:83/sop/. I need this for work.

I couldn't find any of these lines in Add/Remove Programs:

Elitebar Internet Explorer Toolbar (or similar)
Oemji Toolbar

And also there was no elitenbt32.exe in the C:\winnt\system32\ folder.

So after doing everything else I restarted the computer and ran HijackThis again. I still get pop-ups and the computer is running unusually slow. Here's my new HJT logfile btw.

======================================================
Logfile of HijackThis v1.99.1
Scan saved at 2:15:46 PM, on 06/15/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\hijackthis\HijackThis.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\irftp.exe
C:\WINNT\System32\irftp.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://203.125.138.181:83/sop/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://203.125.138.181:83/sop/
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\elitenbt32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
=====================================================
Thanks a lot for your help...
chupzy Posted June 16, 2005

OK! I fixed it... Used WinPatrol, removed the Elitebar service, ran Ad-aware and Spybot Search & Destroy, restarted in safe mode and went into the system32 folder, deleted folders with eliteblah blah... then the exe file, and restarted and yayyy... it's gone. *resolved*
insipid Posted June 17, 2005

I apologize, I didn't get the email notification that you had replied. Please post one more HijackThis log to be sure you got it all.
chupzy Posted June 20, 2005

It's OK man... no need for apologies... here's my new logfile.

======================================================
Logfile of HijackThis v1.99.1
Scan saved at 10:01:39 AM, on 06/20/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Macromedia\Fireworks MX\Fireworks.exe
C:\WINNT\System32\irftp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://203.125.138.181:83/sop/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://203.125.138.181:83/sop/
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
=====================================================
Hope I got everything...
insipid Posted June 23, 2005

chupzy, there's still one bad process showing in your log. C:\WINNT\System32\irftp.exe is a variant of the W32/SDBOT worm.

Please run both of these online virus scans: Trend Micro HouseCall and Panda ActiveScan.

For HouseCall, select the 'Autoclean' option. Please tell me of any files it can't clean.

For Panda, use the default settings and save the log it generates to post in your next reply.

Reboot and post a fresh HijackThis log as well as the ActiveScan report.
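The triage insipid does by eye across this thread (R0/R1 entries pointing IE at hosts nobody chose, an O4 Run key launching an unknown image out of the system directory, a running image under %SystemRoot% that is not part of a clean Windows 2000 install) can be written down as a small script. The Python below is an added example, not code from the thread or from HijackThis: it parses log lines in the HijackThis 1.99 layout and reports findings by severity. The sample lines are constructed in the shape of the logs above, the trusted-host list and the baseline of system images are assumptions for the example (a real baseline comes from a known-clean machine), and a start page set to a bare IP literal is reported for review rather than as malicious, because the poster says that page is needed for work.

```python
"""Triage a HijackThis 1.99-style log. Added example; not part of the thread."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in the layout of the thread's logs (not a real capture).
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\irftp.exe
C:\WINNT\System32\irftp.exe
C:\Program Files\NavNT\vptray.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oemji.com/side_search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://203.125.138.181:83/sop/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\elitenbt32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""

# Assumption: hosts this reviewer accepts as IE start/search targets.
TRUSTED_HOSTS = {"www.google.com", "www.msn.com", "search.msn.com"}

# Assumption: image names expected under %SystemRoot% on a Win2000 SP4 box.
# Deliberately short; build the real list from a known-clean install.
BASELINE_SYSTEM_IMAGES = {
    "smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
    "spoolsv.exe", "regsvc.exe", "mstask.exe", "winmgmt.exe", "explorer.exe",
    "msgsys.exe", "wuauclt.exe", "mobsync.exe",
}

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def parse(log_text):
    """Split a log into (process image paths, [(kind, body), ...])."""
    processes, entries, in_procs = [], [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:                      # first R/O entry ends the process list
            in_procs = False
            entries.append((m.group("kind"), m.group("body")))
        elif in_procs:
            processes.append(line)
    return processes, entries


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def under_windows_dir(path):
    p = path.lower()
    return p.startswith("c:\\winnt\\") or p.startswith("c:\\windows\\")


def run_target(cmd):
    """Executable part of a Run value; tolerates quoted and unquoted paths."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    i = cmd.lower().find(".exe")
    return cmd[: i + 4] if i >= 0 else cmd.split(" ")[0]


def triage(log_text):
    """Return findings as (severity, reason, offending line)."""
    processes, entries = parse(log_text)
    findings = []
    for proc, count in Counter(processes).items():
        if under_windows_dir(proc) and image_name(proc) not in BASELINE_SYSTEM_IMAGES:
            findings.append(("review", f"image under %SystemRoot% not in baseline (x{count})", proc))
    for kind, body in entries:
        if kind in ("R0", "R1"):
            _, _, value = body.partition("=")
            value = value.strip()
            if not value:
                findings.append(("review", "IE key present with an empty value", body))
                continue
            host = urlsplit(value).hostname or ""
            if IPV4_RE.fullmatch(host):
                findings.append(("review", "IE page is a bare IP literal; confirm with the owner", body))
            elif host not in TRUSTED_HOSTS:
                findings.append(("fix", "IE start/search page points at an unrecognised host", body))
        elif kind == "O4":
            m = RUN_RE.match(body)
            if m:
                exe = run_target(m.group("cmd"))
                if under_windows_dir(exe) and image_name(exe) not in BASELINE_SYSTEM_IMAGES:
                    findings.append(("fix", "Run key launches an unknown image from the system directory", body))
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity}] {reason}: {line}")
```

Entries the script does not mention (the Symantec services, the vendor Run keys outside the Windows directory, the O9 and O16 items) are still worth a glance by hand; the point of the allowlist design is that anything it stays silent on was explicitly vouched for, while anything unknown is surfaced rather than guessed at.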