evilangel12788 Posted January 3, 2006

I'm having problems with viruses... and don't know what to do.....

Logfile of HijackThis v1.99.1
Scan saved at 8:23:32 PM, on 1/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\toshiba\ivp\ism\pinger.exe
C:\toshiba\sysstability\tsyssmon.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\mfcod32.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\BB.tmp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\BC.tmp.exe
C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\s3hotkey.exe
C:\WINDOWS\system32\paytime.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Messenger\msmsgs.exe
C:\winstall.exe
C:\Program Files\Lexmark 2200 Series\lxbvbmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\sysxi32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 4 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qwdly.dll/sp.html#10001%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qwdly.dll/sp.html#10001%resultposition.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qwdly.dll/sp.html#10001%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qwdly.dll/sp.html#10001%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qwdly.dll/sp.html#10001%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qwdly.dll/sp.html#10001%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qwdly.dll/sp.html#10001%resultposition.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R3 - Default URLSearchHook is missing
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {12560FD0-2D24-CE5F-05C1-805E95B9124E} - C:\WINDOWS\system32\addom.dll
O2 - BHO: Class - {2F9B49D5-798A-2D7C-7B1B-AC149C906ABC} - C:\WINDOWS\system32\addom.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: My Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [mfcod32.exe] C:\WINDOWS\mfcod32.exe
O4 - HKLM\..\Run: [bB.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\BB.tmp.exe
O4 - HKLM\..\Run: [bC.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\BC.tmp.exe
O4 - HKLM\..\Run: [bB.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\BB.tmp.exe
O4 - HKLM\..\Run: [bC.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\BC.tmp.exe
O4 - HKLM\..\Run: [Lexmark 2200 Series] "C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [s3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/...login-devel.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sysxi32.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
jwbirdsong Posted January 3, 2006 (edited)

First of all, you will need to print out this post and/or save a copy as a text file in Notepad so that you have a hard copy of these instructions; you cannot have IE/Firefox/any browser open during the fix.

First off, please put HijackThis in its own, permanent folder. It's needed for backups.
Help with unzipping files is HERE

Download AboutBuster 6.0:
http://www.besttechie.net/tools/AboutBuster.zip
http://www.malwarebytes.org/AboutBuster.zip
Once downloaded, unzip it, and put the folder on your desktop. Don't run it yet; we'll do it later in Safe Mode.

You may have previously run some of the following programs; please run through the fix and run all programs listed, in order, and make sure to update all.

Please download Ewido Security Suite; it is a free version of the program.
- Install ewido security suite. When installing the program, under "Additional Options" uncheck:
  Install background guard
  Install scan via context menu
- Launch ewido; there should now be an icon on your desktop, double-click it.
- The program will now open to the main screen.
- When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
- You will need to update ewido to the latest definition files: on the left hand side of the main screen click Update. Then click on Start Update.
- The update will start and a progress bar will show the updates being installed (the status bar at the bottom will display "Update successful").
- Close Ewido Security Suite.
If you are having problems with the updater, you can use this link to manually update ewido: Ewido manual updates

Next, please reboot your computer in Safe Mode by doing the following:
- Restart your computer.
- After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
- Instead of Windows loading as normal, a menu should appear.
- Select the first option, to run Windows in Safe Mode.

Now scan with HJT and place a checkmark next to the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qwdly.dll/sp.html#10001%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qwdly.dll/sp.html#10001%resultposition.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qwdly.dll/sp.html#10001%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qwdly.dll/sp.html#10001%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qwdly.dll/sp.html#10001%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qwdly.dll/sp.html#10001%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qwdly.dll/sp.html#10001%resultposition.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {12560FD0-2D24-CE5F-05C1-805E95B9124E} - C:\WINDOWS\system32\addom.dll
O2 - BHO: Class - {2F9B49D5-798A-2D7C-7B1B-AC149C906ABC} - C:\WINDOWS\system32\addom.dll
O3 - Toolbar: My Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O4 - HKLM\..\Run: [mfcod32.exe] C:\WINDOWS\mfcod32.exe
O4 - HKLM\..\Run: [bB.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\BB.tmp.exe
O4 - HKLM\..\Run: [bC.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\BC.tmp.exe
O4 - HKLM\..\Run: [bB.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\BB.tmp.exe
O4 - HKLM\..\Run: [bC.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\BC.tmp.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe

Close all other windows and browsers and click FIX CHECKED.
Close HijackThis.

Open the folder where you put AboutBuster. Double click on the AboutBuster icon > Click Begin Removal > Click YES > when it's done running click OK to close it.

Run Ewido:
- Click on Scanner.
- Click on Complete System Scan; the scan will now begin.
- While the scan is in progress you will be prompted to clean files; click OK.
- When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose Clean and click OK.
- Once the scan has completed, there will be a button located at the bottom of the screen named Save Report. Click Save Report.
- Now save the report .txt file to your desktop.
- Close Ewido Security Suite.

Reboot back into Windows and scan your system with Ad-aware:
Ad-aware SE - Download - Home Page
If you have a previous version of Ad-Aware installed, during the installation of the new version you will be prompted to uninstall or keep the older version; be sure to uninstall the previous version.
After installing Ad-aware, you will be prompted to update the program and run a full scan. De-select all boxes so that it does not run.
Manually run "Ad-Aware SE Personal" and from the main screen click on "Check for Updates Now".
Once the definitions have been updated, reconfigure Ad-Aware for Full Scan as per the following instructions:
- Launch the program, and click on the Gear at the top of the start screen.
- Under General Settings the following boxes should all be checked off (Checked will be indicated by a green circle with a check mark in it, Un-Checked is a red circle with an X in it. If it is greyed out, those features are only available in the retail version.):
  "Automatically save logfile"
  "Automatically quarantine objects prior to removal"
  "Safe Mode (always request confirmation)"
  "Prompt to update outdated definitions" - change to 7 days.
- Click the "Scanning" button (on the left side).
- Under Drives & Folders, select "Scan within Archives".
- Click "Click here to select Drives + folders" and select your installed hard drives.
- Under Memory & Registry, select all options.
- Click the "Advanced" button (on the left hand side).
- Under "Shell Integration", select "Move deleted files to Recycle Bin".
- Under "Log-file detail", select all options.
- Click on the "Defaults" button on the left.
- Type in the full URL of what you want as your default homepage and searchpage, e.g. http://www.google.com.
- Click the "Tweak" button (again, on the left hand side).
- Expand "Scanning Engine" by clicking on the "+" (Plus) symbol and select the following:
  "Unload recognized processes during scanning."
  "Obtain command line of scanned processes"
  "Scan registry for all users instead of current user only"
- Under "Cleaning Engine", select the following:
  "Automatically try to unregister objects prior to deletion."
  "During removal, unload explorer and IE if necessary"
  "Let Windows remove files in use at next reboot."
  "Delete quarantined objects after restoring"
- Click on "Safety Settings" and select "Write-protect system files after repair (Hosts file, etc)".
- Click on "Proceed" to save these Preferences.
- Click on the "Scan Now" button on the left.
- Under "Select Scan Mode", be sure to select "Use Custom Scanning Options".
- Close all programs except Ad-aware.
- Click on "Next" in the bottom right corner to start the scan.
Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT - even if not prompted to.
After you log back in, Ad-Aware may run to finalize the scan and remove any locked files that it may have found. Allow it to finish.

Then run this online virus scan: ActiveScan
- Once you are on the Panda site click the Scan your PC button.
- A new window will open... click the Check Now button.
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click Send (*NOTE: it's perfectly safe to do so... You will NOT be spammed from this)
- Select either Home User or Company.
- Click the big Scan Now button.
- If/when you get a notice that Panda wants to install an ActiveX component, allow it.
- It will start downloading the files it requires for the scan (Note: it may take a couple of minutes).
- When the download is complete, click on Local Disks to start the scan.
- When the scan completes, if anything is detected, click the See Report button, then Save Report and save it to a convenient location like your desktop.

Post the following in a reply to this thread:
- the contents of the Panda scan report
- a new HijackThis log
- the log from AboutBuster
- the Ewido log

Edited January 3, 2006 by jwbirdsong
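The lines jwbirdsong picked out of the log above (start and search pages redirected to c:\secure32.html and a res:// resource inside qwdly.dll, unnamed BHOs, Run entries launching from the user's Temp folder or the drive root, and a service with a garbage short name and "Unknown owner") are the kinds of signal a helper reads a HijackThis log for. The script below is an added example, not part of this thread and not HijackThis' own code: it parses HJT entry lines and applies those heuristics as an assumed, deliberately narrow triage pass. The sample input is constructed from entries in the posted log plus a few benign entries from the same log for contrast; the checks are assumptions of mine and flag entries for a human to review, not for automatic removal.

```python
"""Heuristic triage of HijackThis log lines (added example; not HijackThis' own code)."""
import re
from dataclasses import dataclass

# Constructed sample: entries copied from the log posted in this thread, with a
# few benign entries from the same log for contrast. Not a complete log.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qwdly.dll/sp.html#10001%resultposition.net
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Class - {12560FD0-2D24-CE5F-05C1-805E95B9124E} - C:\WINDOWS\system32\addom.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [bB.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\BB.tmp.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sysxi32.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
"""

# Every HJT entry line starts with a section code (R0, O2, O23, ...) and " - ".
HJT_LINE = re.compile(r"^(?P<type>[RFO]\d+) - (?P<body>.*)$")
# Executables living under a Temp directory (8.3 or long-name form).
TEMP_DIR = re.compile(r"\\(LOCALS~1\\Temp|Local Settings\\Temp|Temp)\\", re.IGNORECASE)
# Executables sitting directly in a drive root, e.g. C:\winstall.exe.
DRIVE_ROOT_EXE = re.compile(r'^"?[A-Za-z]:\\[^\\]+\.exe"?(\s|$)', re.IGNORECASE)
# O23 layout: "Service: <display name> (<short name>) - <owner> - <path>".
SERVICE = re.compile(r"Service: (?P<display>.*) \((?P<short>[^()]*)\) - (?P<owner>.*?) - (?P<path>.*)$")


@dataclass
class Finding:
    entry_type: str
    reason: str
    line: str


def parse(log_text):
    """Return (type, body, raw_line) for each HJT entry line; other lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append((m.group("type"), m.group("body"), raw.strip()))
    return entries


def check_browser_settings(etype, body):
    """R0/R1: start/search pages should be URLs, not local files or res:// DLL resources."""
    if etype not in ("R0", "R1"):
        return None
    _, _, value = body.partition(" = ")
    value = value.strip().lower()
    if value.startswith("res://"):
        return "search/start page served from a res:// resource inside a local DLL"
    if re.match(r"^[a-z]:\\", value):
        return "search/start page points at a local file instead of a URL"
    return None


def check_bho(etype, body):
    """O2: a BHO registered with no descriptive name deserves a look."""
    if etype != "O2":
        return None
    name = body.split(" - ")[0]
    if name.startswith("BHO: "):
        name = name[len("BHO: "):]
    if name.strip() in ("Class", "(no name)"):
        return "browser helper object with no descriptive name"
    return None


def check_autorun(etype, body):
    """O4: autoruns launched from Temp or a drive root are unusual for legitimate software."""
    if etype != "O4":
        return None
    _, _, command = body.partition("] ")
    if TEMP_DIR.search(command):
        return "autorun launches an executable from a Temp directory"
    if DRIVE_ROOT_EXE.match(command):
        return "autorun launches an executable sitting in the drive root"
    return None


def check_service(etype, body):
    """O23: services with unprintable short names or no owner are suspect."""
    if etype != "O23":
        return None
    m = SERVICE.match(body)
    if not m:
        return None
    if not re.fullmatch(r"[\w.\- ]+", m.group("short")):
        return "service short name contains unusual characters"
    if m.group("owner").strip().lower() == "unknown owner":
        return "service has no identifiable owner"
    return None


CHECKS = (check_browser_settings, check_bho, check_autorun, check_service)


def triage(log_text):
    """Run every check over every entry; the first matching reason wins per entry."""
    findings = []
    for etype, body, raw in parse(log_text):
        for check in CHECKS:
            reason = check(etype, body)
            if reason:
                findings.append(Finding(etype, reason, raw))
                break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.entry_type:4} {f.reason}\n     {f.line}")
```

On the constructed sample this reports six entries (the two R1 hijacks, the unnamed BHO, the two suspect autoruns and the oddly named service) and stays quiet on the Yahoo BHO, the Norton autorun and the Lexmark and AOL services. A real triage would also cross-check paths against a known-good list, which this example deliberately leaves out.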
Matt Posted January 16, 2006

Inactive topic... If you still need help on this problem, contact me or one of the Moderators to re-open this up.
Topic closed.