Jump to content


Photo

680180.net


  • Please log in to reply
5 replies to this topic

#1 TheMajor

TheMajor

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 17 July 2004 - 04:48 PM

Logfile of HijackThis v1.97.7
Scan saved at 2:44:37 PM, on 7/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\cvss.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\clipsrv.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://byondhorizons...forum/index.php?
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: (no name) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINDOWS\System32\SWin32.dll
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\System32\mstask.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Search - http://bar.mywebsear...html?p=ZSzeb029
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Handle with &Hot Keyboard - C:\Program Files\Hot Keyboard\IEScript.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

#2 Bugbatter

Bugbatter

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 939 posts

Posted 17 July 2004 - 09:37 PM

TheMajor,

Please update your version to HJT to 1.98.
Download HijackThis to its own permanent folder.
http://www.spywarein.../HijackThis.exe
Here's how:
To create a folder:
Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named "New Folder", which you can rename to "HJT" or "HijackThis".
Now you have C:\HJT\ folder.

Please download CWShredder version 1.59.1:
http://www.merijn.or.../cwshredder.zip
http://www.spywarein.../cwshredder.zip
http://computercops....ads-cat-14.html

Extract CWShredder to its own folder.
Reboot, into safe mode, this way:
Turn on the computer
Immediately begin tapping the <F8> key.
Use the arrow keys to highlight Safemode and press the <Enter> key.
Run the program.
Click the "Fix" button and follow the instructions you will receive.
Make sure you let it fix all CWS Remnants.
Close the program.
Reboot.

Download and run these two programs:
Ad-aware *
Download Ad-aware from here: http://www.computerc...s-file-292.html
Install by double-clicking on the downloaded file.
After installing but before running, update Ad-aware by using its Globe icon.
After updating, shutdown and restart Ad-aware.
Ad-aware is ready to scan and clean your system following these steps:

Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
"Unload recognized processes during scanning."
Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
"Let Windows remove files in use after reboot."
Press "Scan Now"
Check option "Use Custom scanning options"
Check option "Activate In-Depth Scan"
Press "Select drives\folders to scan"
Select the active partition which is usually C:
Press "Next" to let Ad-aware scan your drives...
If it finds "bad" files and registry keys, press "Next" again
Right-click in that pane and choose "select all"
Press "next"
When it asks to remove all checked items, Press "OK"
Close Ad-aware, reboot your system and go on to the next step below.

Spybot S&D*
Download Spybot S&D here: http://www.computerc...s-file-108.html
Install by double-clicking on the downloaded file.
Run Spybot S&D from desktop icon or Start menu.
Press "Search for updates" button to get list of updates available.
Press "Download updates" button.
Close all IE windows and close & restart Spybot S&D.
Press "Check for problems" button.
Have SpyBot remove all it marks in RED by pressing "Fix selected problems".
Close Spybot S&D, reboot your system.

Do an online scan: Housecall: http://www.trendmicr.../enterprise.htm
Or Panda: http://www.pandasoft...n_principal.htm
Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself.
Reboot.
Please run HJT (double-click on the .exe in the HJT folder) and post a fresh log so we can fix the remnants of the infection. Thanks.

Edited by Bugbatter, 17 July 2004 - 09:39 PM.

Microsoft MVP - Consumer Security

#3 TheMajor

TheMajor

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 17 July 2004 - 10:42 PM

Press "Search for updates" button to get list of updates available.
Press "Download updates" button.


it found 2 updates, I clickedon them, hit DOWNLOAD UPDATES and both came back "!Bad Checksum!!!"

Now what?

UPDATE: The updates have been downloaded from an alternate mirror - forgive the premature questions

Edited by TheMajor, 17 July 2004 - 10:51 PM.


#4 TheMajor

TheMajor

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 18 July 2004 - 06:21 AM

Logfile of HijackThis v1.98.0
Scan saved at 4:21:21 AM, on 7/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\cvss.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\!!!\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://byondhorizons...forum/index.php?
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - (no file)
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Search - http://bar.mywebsear...html?p=ZSzeb029
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Handle with &Hot Keyboard - C:\Program Files\Hot Keyboard\IEScript.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa....in/mgaxctrl.cab

#5 Bugbatter

Bugbatter

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 939 posts

Posted 18 July 2004 - 11:15 AM

Regarding DAP and Weatherbug. Read these, and make the choice whether to remove them according to instructions for removal:
http://www.pestpatro...erator_plus.asp
http://www.pchell.co...eatherbug.shtml
** Note:If you decide to remove either or both DAP and Weatherbug, you might have to end the running process in Task Manager (Ctrl+Alt+Delete) before you can remove them.

If you have scanned with all of the above programs, and had them remove what they found,
please run HJT with all windows/browsers closed.
Check to fix these:
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - (no file)
O8 - Extra context menu item: &Search - http://bar.mywebsear...html?p=ZSzeb029
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

Here is what to check in HJT if you have chosen to remove DAP and/or Weatherbug:
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)

Reboot into Safemode

Search for this and delete (At this point, you can also delete any files related to DAP and Weatherbug if you removed those programs.):
C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL

Reboot. Scan with Adaware and Spybot again.
Problems gone?
Microsoft MVP - Consumer Security

#6 Bugbatter

Bugbatter

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 939 posts

Posted 22 July 2004 - 07:18 PM

This seems to be continued elsewhere, therefore, I will discontinue my replies.
http://forums.spywar...showtopic=16519
Microsoft MVP - Consumer Security




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button