
Help clean a friend


  • This topic is locked
9 replies to this topic

#1 Kat (Princess Kitty, Ambassador, 204 posts)

Posted 29 July 2004 - 07:04 PM

Ok, pomp. Here's the log you asked for:

Logfile of HijackThis v1.97.7
Scan saved at 7:03:50 PM, on 7/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Documents and Settings\Aaron's Sales\My Documents\SPYWARE PROGRAMS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r31.insightbb.com:8000
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HPAiODevice(hp officejet 5100 series) - 1.lnk.disabled
O4 - Global Startup: Logitech Desktop Messenger.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O4 - Global Startup: WinZip Quick Pick.lnk.disabled
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.co.../cx_tgctlcm.jsp
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk Express Viewer Control) - http://www.autodesk....ViewerSetup.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://download.macr...ash/swflash.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx



SLOW boot times, and very poor running times.
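The log above is in the HijackThis 1.9x line format: a section code (R0/R1 for browser settings, O2 for BHOs, O4 for startup items, O16 for downloaded ActiveX controls) followed by " - " and the entry. The following is an added example, not code from the post or from HijackThis itself, that parses a few of those lines and flags the entries a helper typically looks at first: the ProxyServer line, page/search settings pointing at a host the owner does not recognise, an unnamed BHO, a startup shortcut with an unresolvable target, and O16 entries with no registered name or a local file:// source. The heuristics and the allow-list of expected hosts (here only the OEM default www.dellnet.com, taken from the log) are this example's own assumptions; the sample lines are copied from the post, including the forum's "..." truncation of URLs.

```python
import re
from dataclasses import dataclass
from typing import List, FrozenSet, Tuple

# Constructed sample input for this example: a handful of lines in the
# HijackThis 1.9x format, copied from the log in the post above. The "..."
# inside the URLs is how the forum displayed them and is kept as-is.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r31.insightbb.com:8000
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - Global Startup: Digital Line Detect.lnk = ?
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
"""

# One HijackThis entry looks like "R1 - <body>", "O16 - <body>", etc.
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
# An O16 body of the form "DPF: {CLSID} - url", i.e. with no "(Name)" part.
UNNAMED_DPF_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\} - ")
# Registry value names (suffix of the key part) that steer the browser.
BROWSER_KEYS = ("Start Page", "Default_Page_URL", "SearchURL,(Default)")


@dataclass
class Finding:
    kind: str    # HijackThis section code, e.g. "R1" or "O16"
    reason: str  # why a human should look at this line
    line: str    # the original log line


def parse_entries(text: str) -> List[Tuple[str, str, str]]:
    """Return (kind, body, line) for every line that looks like an HJT entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("kind"), m.group("body"), line))
    return entries


def host_of(url: str) -> str:
    """Host part of a URL, lower-cased; '' if there is no scheme://host prefix."""
    m = re.match(r"^[A-Za-z]+://([^/:]+)", url)
    return m.group(1).lower() if m else ""


def triage(text: str,
           expected_hosts: FrozenSet[str] = frozenset({"www.dellnet.com"})) -> List[Finding]:
    """Flag entries worth a second look. expected_hosts is an assumed allow-list
    of page/search hosts the owner recognises (the OEM default from the log)."""
    findings: List[Finding] = []
    for kind, body, line in parse_entries(text):
        if kind in ("R0", "R1"):
            key, _, value = body.partition(" = ")
            if key.endswith("ProxyServer"):
                findings.append(Finding(kind, "proxy server configured; confirm it is the ISP's or remove it", line))
            elif key.endswith(BROWSER_KEYS):
                host = host_of(value.strip())
                if host and host not in expected_hosts:
                    findings.append(Finding(kind, f"page/search setting points at unexpected host {host!r}", line))
        elif kind == "O2" and body.startswith("BHO: (no name)"):
            findings.append(Finding(kind, "BHO with no name; identify the CLSID and file before keeping it", line))
        elif kind == "O4" and body.endswith("= ?"):
            findings.append(Finding(kind, "startup shortcut whose target could not be resolved", line))
        elif kind == "O16":
            if UNNAMED_DPF_RE.match(body):
                findings.append(Finding(kind, "downloaded ActiveX control with no registered name", line))
            if " - file://" in body:
                findings.append(Finding(kind, "ActiveX control registered from a local file:// path", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind}: {f.reason}\n    {f.line}")
```

Run on the sample, it reports seven entries: the Start Page and SearchURL lines (their host is not on the allow-list), the ProxyServer line, the unnamed Acrobat BHO, the Digital Line Detect shortcut, and both O16 lines. A flag is a prompt to check, not a verdict: the Acrobat BHO and the AutoCAD file:// controls in this log are legitimate, and an ISP-supplied proxy may be too, which is why each finding carries the full line for a human to read.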

#2 Kat (Princess Kitty, Ambassador, 204 posts)

Posted 29 July 2004 - 07:05 PM

forgot:

SS&D been done, AAW been done...both removed a TON of junk. CWShredder done and removed two strains. Trojan Hunter done, and came out clean. Three separate virus scans done, and those instances are cleaned as well.

So..now what? LOL

Edited by Kat, 30 July 2004 - 10:17 AM.


#3 Kat (Princess Kitty, Ambassador, 204 posts)

Posted 29 July 2004 - 08:38 PM

Following advice given in chat, I downloaded and ran RamCleaner. This is some of what it says now:

72 MB free

Physical memory: 60% avail.

37% page file usage

Does that help any?

#4 Kat (Princess Kitty, Ambassador, 204 posts)

Posted 29 July 2004 - 08:42 PM

I don't know if this tells us anything...but when I opened ONE IE browser just now....NOTHING else running, just the RAMCleaner on taskbar....the RAMCleaner changed to "Critical usage..clean now" and it spiked to only having 31% available!

I hit the "Clean now" and it went back up to about 60% avail.

#5 Kat (Princess Kitty, Ambassador, 204 posts)

Posted 29 July 2004 - 09:52 PM

did another virus scan. All 77,232 files are cleaned. I know something is running causing the memory to get eaten up every couple of minutes. (literally). But what?

#6 Indrid_Cold (Forum Deity, Emeritus, 7,070 posts)

Posted 29 July 2004 - 11:00 PM

SLOW boot times, and very poor running times.

Greetings Kat -

Here's a nasty that should go.
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

Red Sheriff applet. Infamous for bringing a CPU to its knees.
Hope is not a method.

If I have helped in some way, please consider donating to SpywareInfo's crusade against Malware See Here

Member of ASAP since 2004 Alliance of Security Analysis Professionals
Member of UNITE since 2006 United Network of Instructors and Trained Eliminators

Fight back Malware Complaints

#7 Kat (Princess Kitty, Ambassador, 204 posts)

Posted 30 July 2004 - 06:56 AM

Thanks for the input. I had forgotten to post another HJT log after I had already removed that last night.

I *THOUGHT* this morning that I had found the culprits, but no such luck. She has Norton on here, and I ran PandaScan last night as well as Trendmicro. All three found NOTHING.

I downloaded AVG last night, and it ran while I was sleeping. I get up this morning, and it had detected and removed ELEVEN viruses/Trojans.

Downloader.Lalus.A
Dialer.7.AI
Downloader.Keenval.N
Downloader.Rameh.C
Backdoor.Ruledor.C
PSW.Bispy.A
Downloader.Keenval.C
Downloader.Keenval.J
PSW.Bispy.B
Dropper.Small.4.P
Dropper.Liba.A

** all were Trojan Horses. 8 of them were successfully cleaned by AVG, three had to be manually moved to the Virus Vault when I got up this morning.

Boot Time is a bit faster this morning. CRAP. When I tried to click on something just now to open and check, AVG sent up warnings. The Dropper.Liba.A and the Dropper.Small.4.P are both back in the folders they started in. Both of them in the C:\System Volume Information\_restore (Big CLSID # here).dll folder.

Help me get rid of them!

#8 Indrid_Cold (Forum Deity, Emeritus, 7,070 posts)

Posted 30 July 2004 - 08:17 AM

I also noticed that you have C:\WINDOWS\System32\cisvc.exe as a running process. While a valid file, it can be a hungry resource hog. Might explain your performance problems. I have also seen a number of reports that it can be hijacked. Could explain your infection as well.

I would disable it in startup, rerun your scans and see what shakes out.

Best of luck!
IC -

#9 Kat (Princess Kitty, Ambassador, 204 posts)

Posted 30 July 2004 - 09:10 AM

I will have her try that. I did a little research, and found a thread on Wilders' dealing with the exact same Trojans that kept reappearing. They were NOT in the C:\Sys Volume....they were actually in the System Restore. So, I turned off Sys. Restore, re-ran AVG and captured the viruses again, and then turned Sys Restore back on.
I had to leave at that point for work, so she's supposed to let me know here soon how things are running now.

#10 Kat (Princess Kitty, Ambassador, 204 posts)

Posted 30 July 2004 - 10:11 AM

Seems to be running better, however the RAMCleaner still keeps popping up/down to only having 20-30% avail.

Per instructions on chat, she ran the port scanner from gnc. This is what it found:

Nina : but for common ports, solicited TCP packets and ping reply failed. unsolicited packets passed
Nina : open ports are 1025 host and 5000 UPnP

advised her to turn ON Zone Alarm *which wasn't on at the time of the scan*, and also was told to have her go to http://grc.com/unpnp/unpnp.htm
to close that 5000 port.

Will have her post me a new HJT log in a few minutes. She will post as "me", as I left myself logged in here on her computer. LOL
