Need help


3 replies to this topic

#1 mvrmvr (New Member, 2 posts)

Posted 29 June 2004 - 08:07 PM

Log file from HijackThis:

Logfile of HijackThis v1.98.0
Scan saved at 8:29:54 PM, on 6/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\System32\hpb2ksrv.exe
C:\WINDOWS\System32\hpbhksrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\d3zl32.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\ntza.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE
C:\Documents and Settings\mvr\Desktop\HJT\HijackThis.exe

R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: (no name) - {3FEBB1DF-ABB0-A520-78A4-80EFFCE85078} - C:\WINDOWS\system32\javaqw32.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ntza.exe] C:\WINDOWS\ntza.exe
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\RunOnce: [d3zl32.exe] C:\WINDOWS\d3zl32.exe
O4 - HKLM\..\RunOnce: [sdkiw.exe] C:\WINDOWS\sdkiw.exe
O4 - HKLM\..\RunOnce: [wingf32.exe] C:\WINDOWS\wingf32.exe
O4 - HKLM\..\RunOnce: [appby32.exe] C:\WINDOWS\appby32.exe
O4 - HKLM\..\RunOnce: [addpf.exe] C:\WINDOWS\system32\addpf.exe
O4 - HKLM\..\RunOnce: [syssa.exe] C:\WINDOWS\syssa.exe
O4 - HKLM\..\RunOnce: [ntps32.exe] C:\WINDOWS\system32\ntps32.exe
O4 - HKLM\..\RunOnce: [mfcfm32.exe] C:\WINDOWS\mfcfm32.exe
O4 - HKLM\..\RunOnce: [d3yh32.exe] C:\WINDOWS\d3yh32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (WebProgramManager Class) - http://isupport4.hp....SWebManager.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = aperturesi.com
O17 - HKLM\Software\..\Telephony: DomainName = aperturesi.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{8635DAC4-D7BE-4EB2-8135-97923381927A}: NameServer = 63.240.76.19,204.127.198.19
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = aperturesi.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = aperturesi.com
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

#2 Atribune (SWI Junkie, Developer, 302 posts)

Posted 29 June 2004 - 08:16 PM

Hi, please download About:Buster from one of the following locations:

http://www.atribune....AboutBuster.zip

or

http://tools.zerosre...AboutBuster.zip

Please close all windows.

Now please run HijackThis and put a check beside the following items. Once done, close all other windows and click "Fix checked".

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {3FEBB1DF-ABB0-A520-78A4-80EFFCE85078} - C:\WINDOWS\system32\javaqw32.dll

O4 - HKLM\..\Run: [ntza.exe] C:\WINDOWS\ntza.exe
O4 - HKLM\..\RunOnce: [d3zl32.exe] C:\WINDOWS\d3zl32.exe
O4 - HKLM\..\RunOnce: [sdkiw.exe] C:\WINDOWS\sdkiw.exe
O4 - HKLM\..\RunOnce: [wingf32.exe] C:\WINDOWS\wingf32.exe
O4 - HKLM\..\RunOnce: [appby32.exe] C:\WINDOWS\appby32.exe
O4 - HKLM\..\RunOnce: [addpf.exe] C:\WINDOWS\system32\addpf.exe
O4 - HKLM\..\RunOnce: [syssa.exe] C:\WINDOWS\syssa.exe
O4 - HKLM\..\RunOnce: [ntps32.exe] C:\WINDOWS\system32\ntps32.exe
O4 - HKLM\..\RunOnce: [mfcfm32.exe] C:\WINDOWS\mfcfm32.exe
O4 - HKLM\..\RunOnce: [d3yh32.exe] C:\WINDOWS\d3yh32.exe

Unzip AboutBuster.zip and double-click the exe.

Next, click OK and allow the program to run (it may take a few minutes).

Make a copy of the log it creates for posting later.

Then run About:Buster a second time just to be sure it got everything.

Make a copy of the log it creates again.

Reboot and post the 2 About:Buster logs and a fresh HijackThis log.

#3 mvrmvr (New Member, 2 posts)

Posted 29 June 2004 - 09:02 PM

1st About logfile:

About:Buster Version 1.23
Removed! : C:\WINDOWS\System32\syslv.dll
Removed! : C:\WINDOWS\System32\tkxqc.dll
Removed! : C:\WINDOWS\System32\trsky.dll
Removed! : C:\WINDOWS\System32\tudmk.dll
Removed! : C:\WINDOWS\System32\vpitu.dll
Removed! : C:\WINDOWS\System32\yqrgz.dll
Removed! : C:\WINDOWS\System32\cqgmp.dat
Removed! : C:\WINDOWS\System32\crlgs.dat
Removed! : C:\WINDOWS\System32\ebrjc.dat
Removed! : C:\WINDOWS\System32\ehwzl.dat
Removed! : C:\WINDOWS\System32\hsgab.dat
Removed! : C:\WINDOWS\System32\jborb.dat
Removed! : C:\WINDOWS\System32\jippx.dat
Removed! : C:\WINDOWS\System32\jyxjw.dat
Removed! : C:\WINDOWS\System32\kofdw.dat
Removed! : C:\WINDOWS\System32\lplqf.dat
Removed! : C:\WINDOWS\System32\ltqor.dat
Removed! : C:\WINDOWS\System32\lyyxy.dat
Removed! : C:\WINDOWS\System32\mgbuc.dat
Removed! : C:\WINDOWS\System32\nfnke.dat
Removed! : C:\WINDOWS\System32\nzdcy.dat
Removed! : C:\WINDOWS\System32\qbfxl.dat
Removed! : C:\WINDOWS\System32\qznji.dat
Removed! : C:\WINDOWS\System32\rvuta.dat
Removed! : C:\WINDOWS\System32\seauk.dat
Removed! : C:\WINDOWS\System32\sssws.dat
Removed! : C:\WINDOWS\System32\tllsd.dat
Removed! : C:\WINDOWS\System32\tudmk.dat
Removed! : C:\WINDOWS\System32\udymn.dat
Removed! : C:\WINDOWS\System32\ugtvm.dat
Removed! : C:\WINDOWS\System32\vslud.dat
Removed! : C:\WINDOWS\System32\vtvct.dat
Removed! : C:\WINDOWS\System32\xdouv.dat
Removed! : C:\WINDOWS\System32\xnykn.dat
Removed! : C:\WINDOWS\System32\xouia.dat
Removed! : C:\WINDOWS\System32\xvdus.dat
Removed! : C:\WINDOWS\System32\yhzqi.dat
Removed! : C:\WINDOWS\System32\yzckk.dat
Removed! : C:\WINDOWS\System32\zcmzu.dat
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

2nd About logfile:

About:Buster Version 1.23
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Pages Reset... Done!

HijackThis logfile post About:Buster:

Logfile of HijackThis v1.98.0
Scan saved at 9:57:02 PM, on 6/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\System32\hpb2ksrv.exe
C:\WINDOWS\System32\hpbhksrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM95\aim.exe
C:\Documents and Settings\mvr\Local Settings\Temp\Temporary Directory 1 for AboutBuster.zip\AboutBuster.exe
C:\Documents and Settings\mvr\Desktop\HJT\HijackThis.exe

F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (WebProgramManager Class) - http://isupport4.hp....SWebManager.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = aperturesi.com
O17 - HKLM\Software\..\Telephony: DomainName = aperturesi.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{8635DAC4-D7BE-4EB2-8135-97923381927A}: NameServer = 63.240.76.19,204.127.198.19
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = aperturesi.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = aperturesi.com
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

Thanks
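The thread's before/after HijackThis logs are compared by eye above. As an added example (not part of the original posts, and not a SpywareInfo or HijackThis tool), the script below parses the "Running processes:" block and the R/F/O entry lines of two HijackThis v1.98 logs and reports what disappeared after the cleanup; the sample logs are shortened excerpts of the two logs posted in this thread.

```python
import re
# Added example for this thread, not a SpywareInfo or HijackThis tool:
# parse two HijackThis v1.98 logs and report which autostart/hook entries
# and which running processes disappeared after the cleanup.
ENTRY_RE = re.compile(r"^[RFO]\d+ - ")

def parse_hjt(text):
    """Return (processes, entries) from one HijackThis log."""
    processes, entries, in_procs = set(), set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line ends the process block
            in_procs = False
        elif line == "Running processes:":
            in_procs = True
        elif in_procs:
            processes.add(line.lower())   # Windows paths are case-insensitive
        elif ENTRY_RE.match(line):        # R0-R3, F0-F2, O1-O23 entry lines
            entries.add(line)
    return processes, entries

def diff_hjt(before, after):
    """Entries/processes present in `before` but not `after`, and vice versa."""
    p0, e0 = parse_hjt(before)
    p1, e1 = parse_hjt(after)
    return {"entries_removed": sorted(e0 - e1),
            "entries_added": sorted(e1 - e0),
            "processes_gone": sorted(p0 - p1)}

# Shortened excerpts of the two logs posted in this thread (before/after).
BEFORE = r"""Logfile of HijackThis v1.98.0

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\d3zl32.exe
C:\WINDOWS\ntza.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {3FEBB1DF-ABB0-A520-78A4-80EFFCE85078} - C:\WINDOWS\system32\javaqw32.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ntza.exe] C:\WINDOWS\ntza.exe
O4 - HKLM\..\RunOnce: [d3zl32.exe] C:\WINDOWS\d3zl32.exe
O4 - HKLM\..\RunOnce: [addpf.exe] C:\WINDOWS\system32\addpf.exe
"""
AFTER = r"""Running processes:
C:\WINDOWS\System32\smss.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
"""
```

Calling diff_hjt(BEFORE, AFTER) lists the five removed entries (the R3, the O2 BHO and the three O4 items) and the two processes, d3zl32.exe and ntza.exe, that no longer run; feeding it the full logs from posts #1 and #3 gives the complete picture the helper checked by hand.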

#4 Atribune (SWI Junkie, Developer, 302 posts)

Posted 29 June 2004 - 09:08 PM

Looks good. Hope it stays that way.
