cynlix Posted January 20, 2006 Report Share Posted January 20, 2006 (edited) Hi, I'm actually fixing this computer for a friend, and it seems that he has alot of spyware/trojans on this computer. I've already ran adaware and spybot on this, but theres still a bunch more. Thanks in advance. Here's my log:Logfile of HijackThis v1.99.1Scan saved at 5:50:13 PM, on 1/19/2006Platform: Windows XP SP1 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\spoolsv.exeC:\PROGRA~1\ruxstrru\dMACHkxN.exeC:\WINDOWS\System32\ctfmon.exeC:\WINDOWS\System32\PackethSvc.exeC:\WINDOWS\system32\drivers\dcfssvc.exeC:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exeC:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exeC:\WINDOWS\System32\HPConfig.exeC:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\wanmpsvc.exeC:\WINDOWS\System32\Winkcic.exeC:\WINDOWS\System32\Winkeuu.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Documents and Settings\MS\My Documents\HijackThis.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.attbi.comR1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.companion.yahoo.com/slv/ycheck/a...com/search?p=%sR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T Broadband InternetO2 - BHO: Yahoo! Companion BHO - {02478D28-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\Downloaded Program Files\ycomp5_0_2_5.dllO2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocxO2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet4_50.dllO3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocxO3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_0_2_5.dllO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dllO9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dllO9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dllO10 - Hijacked Internet access by New.NetO10 - Hijacked Internet access by New.NetO10 - Hijacked Internet access by New.NetO10 - Hijacked Internet access by New.NetO10 - Hijacked Internet access by New.NetO12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dllO14 - IERESET.INF: START_PAGE_URL=http://www.attbi.comO16 - DPF: Yahoo! Go - http://download.games.yahoo.com/games/clients/y/gt1_x.cabO16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) - http://entimg.msn.com/client/msnmusax2918.cabO16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_0_2_5.cabO23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exeO23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exeO23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exeO23 - Service: HP Configuration Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\System32\HPConfig.exeO23 - Service: Norton Unerase Protection (NProtectService) - Unknown owner - C:\Program Files\Navnt\AdvTools\NPROTECT.EXE (file missing)O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exeO23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exeO23 - Service: Winkcic - Unknown owner - C:\WINDOWS\System32\Winkcic.exeO23 - Service: Winkeuu - Unknown owner - C:\WINDOWS\System32\Winkeuu.exeO23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing) Edited January 20, 2006 by cynlix Link to post Share on other sites
Matt Posted January 20, 2006 Report Share Posted January 20, 2006 First, Download LSPFix.exe to a convenient location. Do NOT run this program. This is only to be used if you lose Internet Access after removing NewDotNet.To Get rid of NewDotNet, go to:Start > Control Panel > Add or Remove Programs and remove the following:New.Net Applications or New.Net Domains (anything that says New.Net)If it is not there, go here and follow Procedure 4: NewDotNet Removal Procedure 4.In the event that you lose Internet access after removing New.Net, please double-click LSPFix.exe that you downloaded earlier. You will see 2 panels. If there is any file listed in the "Remove" panel on the right-side, leave it as is and just click "Finish>>" then reboot your computer and you should now have access to the Internet. If nothing is listed under the "Remove Panel", do NOT do anything - just close the program. You will need to use another computer to come back here for further instructions on what to do.Then, we need to check some files.Jotti File Submission:Please go to Jotti's malware scanCopy and paste the following file path into the "File to upload & scan"box on the top of the page:C:\WINDOWS\System32\Winkcic.exe[*] Click on the submit button[*] Follw the same directions for the following file: C:\WINDOWS\System32\Winkeuu.exe[*] Please post the results of both in your next reply, along with a new HJT log. Link to post Share on other sites
cynlix Posted January 20, 2006 Author Report Share Posted January 20, 2006 (edited) I could not find the C:\WINDOWS\System32\Winkcic.exe and C:\WINDOWS\System32\Winkeuu.exe that you told me to scan using Jotti File Submission, but here is my log after I got rid of New.Net.Logfile of HijackThis v1.99.1Scan saved at 9:52:06 PM, on 1/19/2006Platform: Windows XP SP1 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\spoolsv.exeC:\PROGRA~1\ruxstrru\dMACHkxN.exeC:\WINDOWS\System32\ctfmon.exeC:\WINDOWS\System32\PackethSvc.exeC:\WINDOWS\system32\drivers\dcfssvc.exeC:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exeC:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exeC:\WINDOWS\System32\HPConfig.exeC:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\wanmpsvc.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Documents and Settings\MS\My Documents\HijackThis.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.attbi.comR1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.companion.yahoo.com/slv/ycheck/a...com/search?p=%sR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T Broadband InternetO2 - BHO: Yahoo! Companion BHO - {02478D28-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\Downloaded Program Files\ycomp5_0_2_5.dllO2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocxO3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocxO3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_0_2_5.dllO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dllO9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dllO9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dllO12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dllO14 - IERESET.INF: START_PAGE_URL=http://www.attbi.comO16 - DPF: Yahoo! Go - http://download.games.yahoo.com/games/clients/y/gt1_x.cabO16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) - http://entimg.msn.com/client/msnmusax2918.cabO16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_0_2_5.cabO23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exeO23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exeO23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exeO23 - Service: HP Configuration Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\System32\HPConfig.exeO23 - Service: Norton Unerase Protection (NProtectService) - Unknown owner - C:\Program Files\Navnt\AdvTools\NPROTECT.EXE (file missing)O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exeO23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exeO23 - Service: Winkcic - Unknown owner - C:\WINDOWS\System32\Winkcic.exe (file missing)O23 - Service: Winkeuu - Unknown owner - C:\WINDOWS\System32\Winkeuu.exe (file missing) Edited January 20, 2006 by cynlix Link to post Share on other sites
Matt Posted January 20, 2006 Report Share Posted January 20, 2006 Congrats! Your log is clean! How is your system running?The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.Spybot Search & Destroy - Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.SpywareBlaster - Great prevention tool to keep malware from installing on your system.SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.ATF Cleaner - Cleans temporary files from web browsers, and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein Link to post Share on other sites
cynlix Posted January 20, 2006 Author Report Share Posted January 20, 2006 Hey thanks for your help . Everything seems to be working fine except this problem. Everytime I start up Hijackthis, it stops scanning at 015- Trusted Zone enumeration, then it shuts down Hijackthis and deletes the program. Should I be concerned? Thanks. Link to post Share on other sites
Matt Posted January 20, 2006 Report Share Posted January 20, 2006 Right click Here and select Save As to download WinHelp2002's DelDomains.inf. Please save the file somewhere you can find it like on the desktop. To run the inf file, right click on it and select Install.Tell me how HJT runs after that. Link to post Share on other sites
cynlix Posted January 21, 2006 Author Report Share Posted January 21, 2006 Hi, now Hijack does go through a complete scan, but closes after about 4 seconds after. Link to post Share on other sites
Matt Posted January 23, 2006 Report Share Posted January 23, 2006 Please RIGHT-CLICK HERE and Save As (in IE it's "Save Target As", in FF it's "Save Link As") to download Silent Runners.Save it to the desktop.Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.You will receive a prompt:Do you want to skip supplementary searches?click NO[*]If you receive an error just click OK and double-click it to run it again - sometimes it won't run as it's supposed to the first time but will in subsequent runs.[*]You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)[*]Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.*NOTE* If you receive any warning message about scripts, please choose to allow the script to run. Link to post Share on other sites
Matt Posted February 6, 2006 Report Share Posted February 6, 2006 Inactive topic...If you still need help on this problem, contact me or one of the Moderators to re-open this up.Topic closed. Link to post Share on other sites
Recommended Posts