
Please Help!


3 replies to this topic

#1 Maggie3788

    Member

  • New Member
  • 2 posts

Posted 25 May 2004 - 05:28 PM

I ran Hijack This and these are my results, I know that I probably shouldn't just erase all of these things, or "fix them", but I don't know which ones to get rid of, please help! These are my results...


Logfile of HijackThis v1.97.7
Scan saved at 12:35:09 AM, on 5/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Kazaa Lite K++\KazaaLite.kpp
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\Owner\My Documents\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {4AC22FF0-B6B7-2688-1011-1FEA6A45E7E5} - C:\WINDOWS\System32\ekwaopdi.dll
O2 - BHO: (no name) - {50DCBDD0-6905-B3CD-C42A-884D8129B7D0} - C:\WINDOWS\System32\hszsiqkp.dll
O2 - BHO: (no name) - {54F88AB9-9F7B-45F6-F2D9-B3E32501F2A0} - C:\WINDOWS\System32\hsozffwi.dll
O2 - BHO: (no name) - {9D986DAE-3BC1-208B-5D64-67AEE7DBF297} - C:\WINDOWS\System32\nyhjubdt.dll
O2 - BHO: (no name) - {AE2BCE0C-C358-849B-2EBF-0114ECAF3F0B} - C:\WINDOWS\System32\vmfodxjz.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Owner\Application Data\DownloadPlus.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {3FC76754-41A5-11D2-9370-00A0C9B1E042} (ColoringCtl Class) - http://www.kiddonet....ng/Coloring.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.3.0_01) - http://www.hayboonet...cf-j2re-win.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7922.5755439815
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon...8.11/ttinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} - file://C:\install.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D2C66E67-2ED7-49D1-9143-21F01D5E3E35}: NameServer = 205.188.146.146



***This is all really confusing to me and hope someone can help, you can e-mail me back with any help! Thanks

Edited by Maggie3788, 25 May 2004 - 09:01 PM.


#2 SpotCheckBilly

    Forum Deity

  • Trusted Advisor
  • 877 posts

Posted 27 May 2004 - 01:28 AM

Hello,

First, let me say it would be helpful to know what sort of problems you're having. However, a look at your HJT log did show several items that should be fixed.
Many will recommend placing HJT on the root drive (Usually C:\). When you run HijackThis from this folder and have it "Fix checked" it will create a backup file of modifications to use if restore is necessary. You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New -> Folder and name it HJT. For illustrated instructions, click How to create a new folder on C: Drive.

With HJT in its new location, run a new scan and check-mark the following items:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {4AC22FF0-B6B7-2688-1011-1FEA6A45E7E5} - C:\WINDOWS\System32\ekwaopdi.dll

O2 - BHO: (no name) - {50DCBDD0-6905-B3CD-C42A-884D8129B7D0} - C:\WINDOWS\System32\hszsiqkp.dll

O2 - BHO: (no name) - {54F88AB9-9F7B-45F6-F2D9-B3E32501F2A0} - C:\WINDOWS\System32\hsozffwi.dll

O2 - BHO: (no name) - {9D986DAE-3BC1-208B-5D64-67AEE7DBF297} - C:\WINDOWS\System32\nyhjubdt.dll

O2 - BHO: (no name) - {AE2BCE0C-C358-849B-2EBF-0114ECAF3F0B} - C:\WINDOWS\System32\vmfodxjz.dll

O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Owner\Application Data\DownloadPlus.exe

O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} - file://C:\install.cab

The following entries are OPTIONAL, or known resource hogs, and can contribute to overall computer slowdown. Please read the description following each and check mark for "fixing" (or follow instructions for disabling) according to your needs.

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime<---Available via Start->Programs

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background<---Available via Start->Programs

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl<---Available via Start->Programs

O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe

Please double check your list and WITH ALL OTHER WINDOWS CLOSED, fix checked, then reboot.

Restart in Safe Mode.
To start your computer in Safe Mode: please follow these instructions. (WinXP)

While in Safe Mode, please delete the following files/folders, if present:

C:\Documents and Settings\Owner\Application Data\DownloadPlus.exe<---Delete DownloadPlus.exe only, not the "Application Data" folder.

You may need to have the "Show hidden files and folders" feature enabled.
To enable this feature:
1. On the Tools menu in Windows Explorer, click Folder Options.
2. Click the View tab.
3. Under Hidden files and folders, click Show hidden files and folders.

Note: To access Windows Explorer, click Start, point to All Programs, and then click Windows Explorer

Reboot and run a new HJT scan. Please post results back here for me to check.

Note: P2P filesharing programs such as Kazaa Lite, while very popular, are also very dangerous. Some experts report that almost half of the files available contain malware of one kind or another.
Downloading copyrighted material (music, video, software etc.) is also illegal. You may want to consider one of the pay-per-download sites instead.

Once your computer is free of malware I suggest you download
Ad-Aware and Spybot - Search & Destroy.

It is very important to UPDATE the reference files for BOTH of these programs before you run them the first time, then frequently thereafter to ensure the very latest in detection and removal.
Click here for instructions on updating and how to use these programs.

Running Ad-Aware and SpyBot S&D on a regular basis (I do it twice a week) will go a long way in keeping your computer malware free.

To help prevent further infections, I recommend, and use, SpywareBlaster, and IE-SPYAD. SpywareBlaster blocks bad ActiveX
and malevolent cookies. IE-SPYAD puts over 4000 sites in
your restricted zone so you'll be protected when you visit
innocent-looking sites that aren't actually innocent at all.

Both are very small free programs that you run once, then just
update frequently.

Many recommend (as I do) that a firewall should be installed
and used. Here are two popular free firewalls.
ZoneAlarm and
Sygate Personal Firewall.

Also, please see
So how did I get infected in the first place?

George

Edited by SpotCheckBilly, 27 May 2004 - 01:38 AM.

ChrisRLG's Computer Safety Online

"I was worried 'bout rich and skinny,
'til I wound up poor and fat"
- Delbert McClinton
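The reply above applies a handful of rules of thumb to the log: an unnamed BHO loading an eight-random-letter DLL from System32, a URLSearchHook whose file is gone, a startup item living in the user's Application Data folder, an ActiveX control installed from a local cab instead of a vendor site, and a set of autostarts that are merely optional. The script below is an added example written for this thread, not HijackThis code or anything SpotCheckBilly posted: it encodes those rules as a small triage function and runs them over lines copied from the two logs in this thread (the SpyBot SDHelper.dll entry from the second log is included to show that a legitimate unnamed BHO is not flagged). The rule names, the `Finding` structure and the verdict labels are this example's own assumptions.

```python
"""Rule-based triage for HijackThis-style log lines (added example, not HJT code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Every HJT entry starts with a section code such as R1, O2 or O16, then " - ".
HJT_LINE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Adware BHOs of this era typically used an 8-lowercase-letter DLL name in System32.
RANDOM_SYSTEM32_DLL = re.compile(r"\\System32\\[a-z]{8}\.dll$")
# Autostarts the reply called optional (assumed set, keyed by executable base name).
OPTIONAL_STARTUP = {"qttask.exe", "msmsgs.exe", "aim.exe", "aoltray.exe"}


@dataclass
class Finding:
    code: str
    verdict: str  # "fix", "optional" or "ok"
    reason: str
    line: str


def classify(line: str) -> Finding:
    """Apply the rules from the reply to one log line; first matching rule wins."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return Finding("", "ok", "not an HJT entry", line)
    code, body = m.group("code"), m.group("body")
    low = body.lower()

    if code == "R1" and "searchassistant" in low and low.endswith("about:blank"):
        return Finding(code, "fix", "SearchAssistant redirected to about:blank", line)
    if code == "R3" and "(no file)" in low:
        return Finding(code, "fix", "URLSearchHook whose file no longer exists", line)
    if code == "O2" and "(no name)" in low and RANDOM_SYSTEM32_DLL.search(body):
        return Finding(code, "fix", "unnamed BHO loading a random 8-letter DLL from System32", line)
    if code == "O4" and "\\application data\\" in low:
        return Finding(code, "fix", "autostart executable dropped in the user's Application Data", line)
    if code == "O16" and "file://" in low:
        return Finding(code, "fix", "ActiveX control installed from a local cab, not a vendor site", line)
    if code == "O4":
        exe = re.search(r"([\w\-]+\.exe)", low)
        if exe and exe.group(1) in OPTIONAL_STARTUP:
            return Finding(code, "optional", "non-essential autostart; launch it from the Start menu instead", line)
    return Finding(code, "ok", "no rule matched", line)


def triage(log_text: str) -> list[Finding]:
    """Classify every non-blank line of a log."""
    return [classify(l) for l in log_text.splitlines() if l.strip()]


def counts(findings: list[Finding]) -> dict[str, int]:
    """Tally verdicts so a reader can see at a glance how much needs fixing."""
    out = {"fix": 0, "optional": 0, "ok": 0}
    for f in findings:
        out[f.verdict] += 1
    return out


# Sample input: entries copied from the two logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {4AC22FF0-B6B7-2688-1011-1FEA6A45E7E5} - C:\WINDOWS\System32\ekwaopdi.dll
O2 - BHO: (no name) - {50DCBDD0-6905-B3CD-C42A-884D8129B7D0} - C:\WINDOWS\System32\hszsiqkp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Owner\Application Data\DownloadPlus.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} - file://C:\install.cab
"""

if __name__ == "__main__":
    findings = triage(SAMPLE_LOG)
    for f in findings:
        print(f"{f.verdict:8} {f.code:4} {f.reason}")
    print(counts(findings))
```

Running it marks six entries "fix" (R1, R3, the two random-named BHOs, the Application Data startup item and the file:// DPF), two "optional" (qttask and AIM) and leaves the rest alone, including the SpyBot helper BHO that appears in the follow-up log. The rules are deliberately narrow; anything they do not recognise is reported as "no rule matched" rather than guessed at, which is the right default for a triage aid that a human still reviews.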

#3 Maggie3788

    Member

  • New Member
  • 2 posts

Posted 27 May 2004 - 05:35 PM

George,
Thank you so much! I did the scan after "fixing" the things you told me to and doing everything else you asked. These are my results...
Logfile of HijackThis v1.97.7
Scan saved at 5:32:04 PM, on 5/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\My Documents\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {3FC76754-41A5-11D2-9370-00A0C9B1E042} (ColoringCtl Class) - http://www.kiddonet....ng/Coloring.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.3.0_01) - http://www.hayboonet...cf-j2re-win.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7922.5755439815
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon...8.11/ttinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D2C66E67-2ED7-49D1-9143-21F01D5E3E35}: NameServer = 205.188.146.146

***Another problem, I have this computer networked with another one that is downstairs, I'm having the same problems downstairs and was wondering if by fixing them on this computer everything will be fixed down there, or what do I need to do. Thanks again for your help!

#4 SpotCheckBilly

    Forum Deity

  • Trusted Advisor
  • 877 posts

Posted 28 May 2004 - 06:36 PM

Hello,

The new log looks good to me.

Another problem, I have this computer networked with another one that is downstairs, I'm having the same problems downstairs and was wondering if by fixing them on this computer everything will be fixed down there, or what do I need to do. Thanks again for your help!


You should run HJT on that computer, too, and post the results. Both machines should be clean, or the possibility of each reinfecting the other could occur.

Good luck, =)

George

Edited by SpotCheckBilly, 29 May 2004 - 02:31 PM.

ChrisRLG's Computer Safety Online

"I was worried 'bout rich and skinny,
'til I wound up poor and fat"
- Delbert McClinton



