My Log

#1 plague

    Member

  • New Member
  • 2 posts

Posted 10 July 2004 - 05:30 PM

This is a weird one. Usually I would be the type to help people with their problems, but this one stumps me. I received this program from another computer on my home network. Now I need to remove this problem two times. The log below shows some executable files being run at start and currently running now. The problem is that I can't look up what the executable file does because it names itself randomly, kinda like 23lkj4jh.exe. I ran Spybot, Ad-Aware, and NAV but to no avail. Thanks a lot for your help!

Logfile of HijackThis v1.98.0
Scan saved at 6:29:18 PM, on 7/10/2004
Platform: Windows XP SP2, v.2149 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2149)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sstray.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\documents and settings\administrator\local settings\temp\F5IBSOIM.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Qyh9iNP.exe
C:\WINDOWS\system32\EghX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32/left.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [F5IBSOIM.exe] C:\documents and settings\administrator\local settings\temp\F5IBSOIM.exe
O4 - HKLM\..\Run: [3XZBXEX36MXK74] C:\WINDOWS\system32\Frua7x0.exe
O4 - HKLM\..\Run: [439P3tU] ckcask.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\ms.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - http://toolbar.isear...general/drm.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1085970424298
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell...t/TLIEFlash.CAB
O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} - http://hotsearchbar....r2/winhot32.cab

#2 12g

    Forum Deity

  • Trusted Advisor
  • 1,167 posts

Posted 11 July 2004 - 04:56 AM

Hi there,

First, run this Peper trojan uninstaller. Download it here: click on the peperfix link and download the program. Then go offline and run the program. It will remove the files, leaving one entry to be cleaned up with HijackThis.

Next,

You are running HijackThis from your desktop; this is not a good idea because when we do a fix HijackThis will create backups and they will be spread all over your desktop. Can you please create a folder in My Documents and call it Hijack (or something similar). Then extract HijackThis into the folder you have created and run it from there. When you have done that, delete the copy of HijackThis that you have on your desktop.

When you have done that, make sure all browsers and windows are closed except for HijackThis, put a check against the following and click 'Fix checked':

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32/left.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O4 - HKLM\..\Run: [F5IBSOIM.exe] C:\documents and settings\administrator\local settings\temp\F5IBSOIM.exe
O4 - HKLM\..\Run: [3XZBXEX36MXK74] C:\WINDOWS\system32\Frua7x0.exe
O4 - HKLM\..\Run: [439P3tU] ckcask.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - http://toolbar.isear...general/drm.cab
O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} - http://hotsearchbar....r2/winhot32.cab

Restart your computer in Safe Mode. Also make sure you show hidden files. Then delete the following files or folders as indicated below if they still show:

Not all or any of these may still show.

C:\documents and settings\administrator\local settings\temp\F5IBSOIM.exe<<<<File
C:\WINDOWS\system32\Qyh9iNP.exe<<<<File
C:\WINDOWS\system32\EghX.exe<<<<File
C:\WINDOWS\system32\Frua7x0.exe<<<<File

Reboot, then post a fresh logfile so that I can check to see if it is clean.

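The reply above picks its entries out of the log by hand: autostart entries living in a temp directory, executables and Run value names that look machine-generated, "(no file)" leftovers, IE settings pointing at a local file, and O16 ActiveX downloads from search-bar and hotbar hosts. As an added example (my code, not HijackThis's own and not part of the thread), the Python below encodes those same rules as heuristics and runs them over lines copied from the log in the first post. The line formats are assumed from that log rather than from HijackThis documentation, the allowlist host `update.example.com` and the O16 line that uses it are constructed for the example, and every hit is a prompt for the analyst to check, not a verdict.

```python
"""Heuristic triage of HijackThis-style log lines.

Assumes the 'Rn - ...', 'O4 - ...' and 'O16 - DPF: ...' line shapes seen in the
posted log (an assumption drawn from that log, not from HijackThis itself).
Each rule points the analyst at a line; it does not decide for them.
"""
import re
from typing import Dict, List
from urllib.parse import urlparse

# Directories a legitimate autostart entry rarely runs from.
TEMP_DIR_MARKERS = ("\\local settings\\temp\\", "\\windows\\temp\\")

# Hosts the analyst accepts as sources of O16 ActiveX downloads.
# Constructed for this example; a real list is built per environment.
DPF_ALLOWED_HOSTS = {"update.example.com"}

R_RE = re.compile(r"^R[01] - (?P<key>.+?)\s*=\s*(?P<value>.*)$")
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[^}]+)\}(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)")


def looks_random(token: str) -> bool:
    """True for generated-looking names such as 'Frua7x0' or '439P3tU'.

    Rule: no spaces and at least two letter<->digit switches in the name
    (extension dropped).  Human-chosen names like 'NeroCheck' or
    'Lexmark X83 Button Monitor' fail it; version-style names such as
    'mp3player2' can trip it, so treat a hit as a prompt, not proof.
    """
    stem = re.sub(r"\.[A-Za-z0-9]{1,4}$", "", token)
    if " " in stem:
        return False
    classes = ["d" if ch.isdigit() else "l" for ch in stem if ch.isalnum()]
    return sum(a != b for a, b in zip(classes, classes[1:])) >= 2


def executable_of(cmd: str) -> str:
    """Pull the program path out of a Run value ('sstray.exe /r' -> 'sstray.exe')."""
    m = re.match(r'"([^"]+)"|(.+?\.exe)', cmd, re.IGNORECASE)
    if m:
        return m.group(1) or m.group(2)
    parts = cmd.split()
    return parts[0] if parts else cmd


def triage_line(line: str) -> List[str]:
    """Return the reasons one log line deserves a look; empty means nothing noted."""
    line = line.strip()
    reasons: List[str] = []
    if line.endswith("(no file)"):
        reasons.append("orphan entry: target file missing")
    m = R_RE.match(line)
    if m:
        value = m.group("value").strip()
        if not value:
            reasons.append("IE setting blanked")
        elif value.lower().startswith("file://"):
            reasons.append("IE setting points at a local file")
    m = O4_RE.match(line)
    if m:
        name = m.group("name")
        exe = executable_of(m.group("cmd"))
        filename = exe.rsplit("\\", 1)[-1]
        if any(marker in exe.lower() for marker in TEMP_DIR_MARKERS):
            reasons.append("autostart from a temp directory")
        if looks_random(filename):
            reasons.append(f"random-looking executable name {filename!r}")
        if looks_random(name):
            reasons.append(f"random-looking Run value name {name!r}")
    m = O16_RE.match(line)
    if m:
        host = urlparse(m.group("url")).hostname or ""
        if host not in DPF_ALLOWED_HOSTS:
            reasons.append(f"ActiveX download from non-allowlisted host {host!r}")
    return reasons


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged line to its reasons, keeping log order."""
    flagged: Dict[str, List[str]] = {}
    for raw in log_text.splitlines():
        reasons = triage_line(raw)
        if reasons:
            flagged[raw.strip()] = reasons
    return flagged


# Sample input: lines copied from the log in the first post, plus one
# constructed O16 line (update.example.com) standing in for a trusted download.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32/left.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [F5IBSOIM.exe] C:\documents and settings\administrator\local settings\temp\F5IBSOIM.exe
O4 - HKLM\..\Run: [3XZBXEX36MXK74] C:\WINDOWS\system32\Frua7x0.exe
O4 - HKLM\..\Run: [439P3tU] ckcask.exe
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - http://toolbar.isear...general/drm.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.example.com/wuweb.cab
O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} - http://hotsearchbar....r2/winhot32.cab
"""

if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(entry)
        for reason in why:
            print("    ->", reason)
```

On the sample above the rules flag exactly the entries 12g listed for fixing and leave the nForce, Nero, Lexmark and Acrobat lines alone. Note how `ckcask.exe` is only caught through its Run value name `439P3tU`: the command carries no directory, so the file name itself gives nothing away, which is why the reply also relied on knowing the Peper trojan rather than on the log alone.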
#3 plague

    Member

  • New Member
  • 2 posts

Posted 11 July 2004 - 10:49 AM

Hey, thanks! It seemed to remove everything. Great! Oh, and you might next time want to include removing the C:\!peperfix dir also?

:D :D :D :D :D :D :D :D :D :D :D

#4 12g

    Forum Deity

  • Trusted Advisor
  • 1,167 posts

Posted 11 July 2004 - 11:01 AM

Hey Thanks! It seemed to remove everything. Great! Oh and you might next time want to include removing the C:\!peperfix dir also?

:D :D :D :D :D :D :D :D :D :D :D

Hi there,

You mean these two that I advised you to remove and delete?

O4 - HKLM\..\Run: [3XZBXEX36MXK74] C:\WINDOWS\system32\Frua7x0.exe

C:\WINDOWS\system32\Frua7x0.exe<<<<File

:wave: