
plz analyze: my modified log



#1 BigBlueFish

Posted 25 May 2004 - 08:03 AM

I was using Spybot and Registry Mechanic to remove the spyware infection I was having on my PC, but now my Internet is all screwed up. It got much slower (using cables), and some of the web pages just don't work anymore (using traceroute I found out the request is being timed out after a few hops). IE is all a mess, stops working all the time, critical errors, etc.

PLEASE HELP ME OUT. Here's my HT log file (with all IE windows closed):


-----------------

Logfile of HijackThis v1.97.7
Scan saved at 16:04:45, on 25/05/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\System32.exe
C:\WINDOWS\Explorer.exe
C:\Documents and Settings\Roi Avinoam\Start Menu\Programs\Accessories\System Tools\Registry\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kolyom.co.il/index.html
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iel2cde8] rundll32.exe C:\WINDOWS\System32\iel2cde8.dll,EnableRunDLL32
O4 - HKLM\..\Run: [icdd7ee6] rundll32.exe C:\WINDOWS\System32\icdd7ee6.dll,EnableRunDLL32
O4 - HKLM\..\Run: [wm41a398] rundll32.exe C:\WINDOWS\System32\wm41a398.dll,EnableRunDLL32
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Registry\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7589.1107175926
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {D27CDB6E-0000-0000-0000-000000000000} - http://active.macrom...abs/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

---------------------------

Many thanks in advance.

Edited by BigBlueFish, 25 May 2004 - 08:06 AM.


#2 shadowwar

Posted 25 May 2004 - 08:55 AM

It's not Spybot that caused the problem. It's all the malware you still have.


Please close all windows and internet explorers. Check mark the following items only in Hijackthis.
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
O4 - HKLM\..\Run: [iel2cde8] rundll32.exe C:\WINDOWS\System32\iel2cde8.dll,EnableRunDLL32
O4 - HKLM\..\Run: [icdd7ee6] rundll32.exe C:\WINDOWS\System32\icdd7ee6.dll,EnableRunDLL32
O4 - HKLM\..\Run: [wm41a398] rundll32.exe C:\WINDOWS\System32\wm41a398.dll,EnableRunDLL32



Click the fix button. Close HijackThis.

Reboot and show hidden files and folders per the link in my signature.
Please delete the following files or folders.

Files:
C:\WINDOWS\System32\System32.exe
C:\WINDOWS\System32\wm41a398.dll
C:\WINDOWS\System32\iel2cde8.dll
C:\WINDOWS\System32\icdd7ee6.dll
Folders:



Run a new log and post it here
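Turning shadowwar's reading of the log into a repeatable check (an added example, not code from this thread or from HijackThis): it flags F0/F2 lines where anything is appended to the `Shell=Explorer.exe` value, and O4 Run entries where rundll32 loads a DLL whose name looks random and matches the Run-key name. The random-name heuristic is my own assumption; the sample lines are copied from the two logs posted above.

```python
import re

# Constructed sample: the relevant lines from the two logs in this thread, before and after the fix.
LOG_BEFORE = r"""
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iel2cde8] rundll32.exe C:\WINDOWS\System32\iel2cde8.dll,EnableRunDLL32
O4 - HKLM\..\Run: [icdd7ee6] rundll32.exe C:\WINDOWS\System32\icdd7ee6.dll,EnableRunDLL32
O4 - HKLM\..\Run: [wm41a398] rundll32.exe C:\WINDOWS\System32\wm41a398.dll,EnableRunDLL32
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

SHELL_RE = re.compile(r"^F[02] - .*Shell=(.+)$", re.I)
RUN_RE = re.compile(r"^O4 - .*\\Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$", re.I)
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"? +(?P<dll>[^,]+?)(?:,(?P<entry>\S+))?\s*$', re.I)
# Heuristic (my assumption, not a HijackThis rule): 8 lowercase chars mixing letters and digits.
RANDOM_NAME_RE = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9]{8}$")


def flag_suspicious(log_text):
    """Return (line, reason) pairs for entries shadowwar's analysis would single out."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = SHELL_RE.match(line)
        if m:
            tokens = m.group(1).split()
            # A clean XP shell value is exactly "Explorer.exe"; anything appended runs at every logon.
            if len(tokens) != 1 or tokens[0].lower() != "explorer.exe":
                findings.append((line, "extra program appended to the Shell= value"))
            continue
        m = RUN_RE.match(line)
        if not m:
            continue
        d = RUNDLL_RE.match(m.group("cmd"))
        if not d:
            continue
        # DLL file name without directory or extension, e.g. "iel2cde8".
        stem = d.group("dll").strip('"').rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if RANDOM_NAME_RE.match(stem) and stem == m.group("name"):
            findings.append((line, "rundll32 loads a randomly named DLL under a Run key named after it"))
    return findings


if __name__ == "__main__":
    for entry, why in flag_suspicious(LOG_BEFORE):
        print(f"{why}: {entry}")
```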



#3 BigBlueFish

Posted 25 May 2004 - 01:07 PM

About a day ago I posted my HT log because my PC is extremely slow all of a sudden, and I had many malfunctions while trying to surf the web. Anyway, shadowwar has helped me out and asked me to re-post my log after performing the suggested corrections.

Another thing is that I can't get rid of the DSO Exploit malware. I've used Spybot a hundred times and it's still there. Ideas?


Anyway, here is my new log. Please analyze and help me out here. Thx ;)

--------------------


Logfile of HijackThis v1.97.7
Scan saved at 18:49:37, on 25/05/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Roi Avinoam\Start Menu\Programs\Accessories\System Tools\Registry\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kolyom.co.il/index.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7589.1107175926
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {D27CDB6E-0000-0000-0000-000000000000} - http://active.macrom...abs/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab



--------------------


Thanks again.

#4 shadowwar

Posted 25 May 2004 - 01:58 PM

Well, the DSO exploit isn't much to worry about.

Follow these tips:
Please run your windows updates to help prevent being reinfected.

internet explorer/tools(at top of screen)/windows updates
Install all critical ones at least. After you reboot, recheck again as there may be more!

Also see the link in my signature:

how did I get infected in the first place?

Here is some software that will help with prevention:

SpywareBlaster will block bad ActiveX and malevolent cookies. http://www.javacools...areblaster.html

IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
http://www.staff.uiu...rce.htm#IESPYAD

Also, a good firewall if you do not have one, like ZoneAlarm in my signature, will help protect you and monitor what is accessing the internet.

Also an antivirus if you do not have one already: http://www.grisoft.c...s_dwnl_free.php

All free programs.




