chupzy Posted July 15, 2005

Looks like I have another infected PC. Here's my logfile... thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 14:42:34, on 15/07/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Canon\VDC\AuVdc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Java\j2re1.4.2_08\bin\jucheck.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\YAHOO!\MESSEN~1\ymsgr_tray.exe
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://203.125.138.181:83/sop/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\eliteamm32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.can.com.sg/mwf/mgaxctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Canon NetSpot Suite Service - CANON INC. - C:\Program Files\Canon\VDC\AuVdc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
Rustymilo Posted July 15, 2005

Hello chupzy, welcome to BestTechie! I'm Kristy and I will be helping you.

You may wish to print out a copy of these instructions to follow while you complete this procedure.

Please save HijackThis in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.

Next please run HijackThis, click Scan, and check:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://203.125.138.181:83/sop/ (If you know what this site is, you can leave it alone; otherwise, put a check by it.)
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\eliteamm32.exe

Close all open windows except for HijackThis and click Fix Checked.

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).

Be sure you're able to view hidden files, and remove the following files/folders in bold (if found):
C:\winnt\system32\eliteamm32.exe

Empty your recycle bin, and reboot normally.

Please run a free online virus scan here (tick the "Auto Clean" checkbox):
http://housecall.antivirus.com/

And a free trojan scan here:
http://www.moosoft.com/

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let me know how your system's working.

~Kristy
chupzy Posted July 15, 2005 (Author)

Hi Kristy! Thanks for the really fast reply! That website is a site I use for my work, so I'll just leave it there. Here's my new logfile.

Logfile of HijackThis v1.99.1
Scan saved at 15:58:59, on 15/07/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Canon\VDC\AuVdc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\j2re1.4.2_08\bin\jucheck.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\YAHOO!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\help\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://203.125.138.181:83/sop/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\eliteamm32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.can.com.sg/mwf/mgaxctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Canon NetSpot Suite Service - CANON INC. - C:\Program Files\Canon\VDC\AuVdc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
Rustymilo Posted July 15, 2005

No problem, chupzy.

You may wish to print out a copy of these instructions to follow while you complete this procedure.

Download LQfix here: http://users.pandora.be/bluepatchy/LQfix.zip
Save it to your desktop; please do not use it yet.

Next please run HijackThis, click Scan, and check:
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\eliteamm32.exe

Close all open windows except for HijackThis and click Fix Checked.

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).

Be sure you're able to view hidden files, and remove the following files/folders in bold (if found):
C:\winnt\system32\eliteamm32.exe

Empty your recycle bin.

Run LQfix from your desktop. After that, reboot normally.

Please run a free online virus scan here (tick the "Auto Clean" checkbox):
http://housecall.antivirus.com/

And a free trojan scan here:
http://www.moosoft.com/

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let me know how your system's working.

~Kristy

Edited July 15, 2005 by Rustymilo
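Both of Kristy's instruction posts turn on the same O4 Run-key entry, so as an added illustration (not code from the thread, from HijackThis, or from any tool named here) this Python script parses O4 Run entries and the running-process list from a log in this format and flags autostarts that launch from the system directory, or by bare name via PATH, without being a known OS component. The sample log excerpt and the allowlist KNOWN_SYSTEM are constructed for the example.

```python
import re

# Constructed excerpt of a HijackThis v1.99.1 log, in the format posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINNT\system32\winlogon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://203.125.138.181:83/sop/
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\eliteamm32.exe
"""

# O4 Run-key lines look like: O4 - HKLM\..\Run: [value name] command
O4_RUN = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')

# Assumed allowlist of Windows components legitimately started from the Run key
# on a Windows 2000 box; extend it to match your own baseline.
KNOWN_SYSTEM = {"mobsync.exe"}

def running_processes(log_text):
    """Set of lower-cased paths from the 'Running processes:' section."""
    block = log_text.split("Running processes:", 1)[1].split("\n\n", 1)[0]
    return {p.strip().lower() for p in block.strip().splitlines()}

def parse_o4(log_text):
    """O4 Run-key entries as (hive, value name, executable path, full command)."""
    out = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line)
        if not m:
            continue
        cmd = m.group("cmd").strip()
        # Executable is the quoted first token, or everything up to the first space.
        exe = cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split(" ", 1)[0]
        out.append((m.group("hive"), m.group("name"), exe, cmd))
    return out

def triage(log_text, known_system=KNOWN_SYSTEM):
    """Flag autostarts in the system directory (or bare names resolved via PATH)
    that are not known OS components, noting whether each is currently running."""
    procs = running_processes(log_text)
    flagged = []
    for hive, name, exe, _cmd in parse_o4(log_text):
        low = exe.lower()
        base = low.rsplit("\\", 1)[-1]
        if ("\\system32\\" in low or "\\" not in low) and base not in known_system:
            flagged.append({"hive": hive, "name": name, "exe": exe, "running": low in procs})
    return flagged
```

On the sample above only the checkrun entry is flagged, and its executable does not appear among the running processes, which matches what the two logs in this thread show.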
antispy Posted August 17, 2005

Spent a whole day removing this piece of sh... Elite Toolbar.
Matt Posted October 9, 2005

This thread is being closed due to inactivity. If you would like it to be reopened, please contact one of the moderators.

Thanks,
Matt