Rid myself of HackerDefender100, outhost


9 replies to this topic

#1 saul (Full Member, 9 posts)

Posted 26 May 2004 - 12:00 PM

Managed to get rid of HackerDefender100/outhost by following directions from another post. However, the pages that were redirected to outhost now say they can't be displayed. Ran Ad-Aware and it keeps catching this MS security issue in NT Winlogin. Searched in the registry and found a couple of suspicious entries; one is vxdmgr32.exe. Wasn't sure, so I didn't delete anything. Ran CWS; it said I was clean. Ran the free virus scan at TrendMicro and it found various bkdr and troj viruses, 21 to be exact, and I deleted all of those. Restarted and ran HJT; here is the log file.

Logfile of HijackThis v1.97.7
Scan saved at 12:52:27 PM, on 5/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\vxdmgr32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\vcchost.exe
C:\WINDOWS\vhchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\hphmon04.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\svchosd.exe
C:\Program Files\Washer\washer.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\HPHipm11.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Kevin\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System32\vxdmgr32.exe
F1 - win.ini: run=C:\WINDOWS\dllreg.exe
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\vxdmgr32.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5DAFD089-24B1-4c5e-BD42-8CA72550717B} - C:\Program Files\SurfAssistant.com\saiemod.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Deafult configuration] C:\WINDOWS\vcchost.exe
O4 - HKLM\..\Run: [Default Operation] C:\WINDOWS\vhchost.exe
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\load32.exe
O4 - HKLM\..\Run: [mswspl] C:\WINDOWS\System32\idctup20.exe
O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\conmgr.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Configuration Service] C:\WINDOWS\System32\suchost.exe
O4 - HKLM\..\Run: [ZEXPANDL] C:\WINDOWS\System32\ZEXPANDL.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Aplune Service] svchosd.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Windows Deafult Configuration] C:\WINDOWS\svchost.exe
O4 - Startup: rundllw.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: PartyPoker.com (HKLM)
O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...talls/yinst.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comne...iveSecurity.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
O19 - User stylesheet: C:\WINDOWS\system32\mklsyt.3wd

#2 Wiskonst (Advanced Member, Helper, 152 posts)

Posted 27 May 2004 - 06:12 AM

Saul

There are still lots of viruses and trojans in your log.

Go to Task Manager and finish these processes if you see them:
- C:\WINDOWS\System32\vxdmgr32.exe
- C:\WINDOWS\vcchost.exe
- C:\WINDOWS\vhchost.exe
- C:\WINDOWS\svchost.exe <-- the one that runs from C:\Windows, not the one from the System32 folder
(if you are not sure from where it runs, leave it and report to me)
- C:\WINDOWS\system32\cisvc.exe

Then download The Cleaner, let it do a scan and fix all it finds.

Let Hijack This fix the following lines (if they are still there after the scan):
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;
F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System32\vxdmgr32.exe
F1 - win.ini: run=C:\WINDOWS\dllreg.exe
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\vxdmgr32.exe
O2 - BHO: (no name) - {5DAFD089-24B1-4c5e-BD42-8CA72550717B} - C:\Program Files\SurfAssistant.com\saiemod.dll
O4 - HKLM\..\Run: [Deafult configuration] C:\WINDOWS\vcchost.exe
O4 - HKLM\..\Run: [Default Operation] C:\WINDOWS\vhchost.exe
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\load32.exe
O4 - HKLM\..\Run: [mswspl] C:\WINDOWS\System32\idctup20.exe
O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe
O4 - HKLM\..\Run: [Configuration Service] C:\WINDOWS\System32\suchost.exe
O4 - HKLM\..\Run: [Aplune Service] svchosd.exe
O4 - Startup: rundllw.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Image Transfer.lnk = ?
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O9 - Extra button: PartyPoker.com (HKLM)
O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
O19 - User stylesheet: C:\WINDOWS\system32\mklsyt.3wd

Do this by closing all browser windows, placing a checkmark before the above items and clicking the Fix-button.

Set Explorer to display hidden files and delete these files:
- C:\WINDOWS\dllreg.exe
- C:\WINDOWS\vcchost.exe
- C:\WINDOWS\vhchost.exe
- C:\WINDOWS\svchost.exe
- C:\WINDOWS\System32\load32.exe
- C:\WINDOWS\System32\idctup20.exe
- svchosd.exe <-- do a search for this one
- rundllw.exe <-- do a search for this one
- C:\WINDOWS\system32\mklsyt.3wd
If some files cannot be deleted because they are in use delete them in Safe Mode (reboot, hit F8 and choose 'Start in Safe Mode').
Some may already have been deleted by The Cleaner.

Reboot and post a fresh log here again.
_______
Wiskonst

#3 saul (Full Member, 9 posts)

Posted 27 May 2004 - 09:44 AM

Wiskonst,

I'm not sure what you mean by Task Manager; I've never used that utility before. Is that msconfig? If not, how do you get to it, and by finish I assume you mean delete? Thanks.

#4 Wiskonst (Advanced Member, Helper, 152 posts)

Posted 27 May 2004 - 10:53 AM

Saul

When you press Ctrl-Alt-Del (hold down the Ctrl and Alt keys and press the Del key once) you will see a panel with, among other things, a button 'Task Manager'. Click that and you are in Task Manager. Click the middle tab, 'Processes'. You see a list of programs that are actively running on your system at the moment.


Look at the list in my previous post and try to find the programs in the Task Manager list. When you find one, select it (left mouse button click on the name) and then click the button below, 'End process'. Do so for the whole list I gave, with the exception of 'svchost.exe' (with the blue text). Now these programs are still on disk, but not running anymore. This makes removal easier.
Close Task Manager by clicking on the X button in the upper right corner.

Start Hijack This, press the Scan button and when the list is ready, place a checkmark in front of all the items I mentioned in my previous post.
Then close all browser windows and click in Hijack This the 'Fix Checked' button.

Now the bad files must be deleted on the disk.
Go to Windows Explorer and in the left pane browse to the folder C:\Windows. In the right-hand pane you will see a list of files. Find 'dllreg.exe'. When you see it, select it with the left mouse button (it should become blue) and press the Delete key. When asked if you really want to delete the file, check the filename (dllreg.exe) and if it is the same, confirm the deletion. Do so for the whole list I gave under 'Set Explorer to ...'. If you cannot find a file, leave it.

After that, go to Hijack This again and let it make a fresh scan. Post the log here.
_______
Wiskonst

#5 saul (Full Member, 9 posts)

Posted 27 May 2004 - 11:00 AM

Figured it out after I posted the reply. Followed all directions; however, I was unsure which svchost.exe to delete. Task Manager listed about 5 processes running as svchost.exe, so I left them running and did not delete them. Here is my HJT log after completing the directions. Thanks!

Logfile of HijackThis v1.97.7
Scan saved at 11:52:32 AM, on 5/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\hphmon04.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Washer\washer.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\Documents and Settings\Kevin\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\conmgr.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ZEXPANDL] C:\WINDOWS\System32\ZEXPANDL.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...talls/yinst.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comne...iveSecurity.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab

#6 Wiskonst (Advanced Member, Helper, 152 posts)

Posted 27 May 2004 - 11:46 AM

Saul

OK, your log is clean.
To be sure Hacker Defender is gone, did you find the ini file that belongs to it?
Did the Cleaner find anything?
Does Ad Aware still make an alarm at NT Winlogin?

You had best clean out all temporary folders:
- C:\Windows\Temp
- C:\Windows\Downloaded Program Files
- C:\Documents and Settings\<name>\Local Settings\Temp

A general protection against hijackers is a trojan monitor (like TCActive) and the programs SpywareGuard and SpywareBlaster (both free).
TCActive will stop activation of Hacker Defender, provided it is running before the HD service is started.

BTW, The Cleaner is shareware; the trial period ends after 30 days.
_______
Wiskonst

Edited by Wiskonst, 27 May 2004 - 11:57 AM.


#7 saul (Full Member, 9 posts)

Posted 27 May 2004 - 02:20 PM

Thanks a lot for the help. Yeah, I think I completely rid myself of HackerDefender. I found and deleted all the .ini files related to HD. The Cleaner did find some spyware and worms. All have been cleaned/deleted. Yes, Ad-Aware is still catching something in NT Winlogin. It's been doing it ever since I contracted this trojan.

Do I need to do anything about svchost.exe? Like I said, there were 5 running processes with that file name. I didn't know which one to delete.

Also concerned about this process. You instructed me to stop it in Task Manager but not to delete it in HJT. Just leave it?
C:\WINDOWS\system32\cisvc.exe


Thanks again!

#8 Wiskonst (Advanced Member, Helper, 152 posts)

Posted 27 May 2004 - 04:00 PM

Saul

I asked you to stop cisvc.exe for certainty, but it is probably all right.
Submit C:\WINDOWS\system32\cisvc.exe
to a scan by the Kaspersky online virus scan. On the Kaspersky page click Browse and go to cisvc.exe, then click Submit. It may be a legitimate Windows file, but also a keylogger.

The bad version of svchost.exe has been taken care of by the fix in HJT and the reboot thereafter. All instances of svchost running now are all right.

Is Ad Aware referencing a file or a registry key, if you can see that?
If possible, give an Ad Aware log, but after everything else has been fixed in Ad Aware.
_______
Wiskonst
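The checks Wiskonst applied by eye in post #2 (the Shell= line in system.ini, a win.ini run= entry, a non-.css user stylesheet) and the svchost.exe question settled in post #8 (the copy in C:\WINDOWS is bad, the ones in System32 are fine) can be automated. The analyser below is an added example, not code from this thread or from HijackThis; the sample log is constructed from lines of the first post, and the directory table assumes a Windows XP layout.

```python
import re
from pathlib import PureWindowsPath

# Windows XP binaries and the only directory each legitimately runs from (assumed layout).
EXPECTED_DIR = {n: r"c:\windows\system32" for n in ("svchost.exe", "lsass.exe",
                "services.exe", "winlogon.exe", "smss.exe", "spoolsv.exe", "cisvc.exe")}
EXPECTED_DIR["explorer.exe"] = r"c:\windows"

SHELL_RE = re.compile(r"F[02] - (?:REG:)?system\.ini: Shell=(.*)")
WININI_RE = re.compile(r"F1 - win\.ini: run=(.*)")
O4_RE = re.compile(r'O4 - [^:]+: (?:\[[^\]]*\] |.*?= )?"?(.*?\.exe)', re.I)
O19_RE = re.compile(r"O19 - User stylesheet: (.*)")

def looks_like(name, legit):
    """Same length and exactly one character different (svchosd.exe vs svchost.exe)."""
    return len(name) == len(legit) and sum(a != b for a, b in zip(name, legit)) == 1

def check_path(path):
    """Return (kind, path) when an executable path looks wrong, else None."""
    p = PureWindowsPath(path.strip().strip('"'))
    name, parent = p.name.lower(), str(p.parent).lower()
    if name in EXPECTED_DIR:  # real system name outside its home directory?
        return None if parent == EXPECTED_DIR[name] else ("unexpected-dir", path)
    if any(looks_like(name, legit) for legit in EXPECTED_DIR):
        return ("look-alike", path)
    return None

# Walk a HijackThis log and return a list of (kind, detail) findings.
def analyse_hjt(log_text):
    findings, in_procs = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif in_procs:
            in_procs = bool(line)  # the process list ends at the first blank line
            if line and (f := check_path(line)):
                findings.append(f)
        elif (m := SHELL_RE.match(line)) and m.group(1).strip().lower() != "explorer.exe":
            findings.append(("shell-hijack", m.group(1)))  # Shell= must be explorer.exe alone
        elif (m := WININI_RE.match(line)) and m.group(1).strip():
            findings.append(("winini-run", m.group(1)))    # win.ini run= autostart
        elif (m := O4_RE.match(line)) and (f := check_path(m.group(1))):
            findings.append(f)
        elif (m := O19_RE.match(line)) and not m.group(1).lower().endswith(".css"):
            findings.append(("stylesheet", m.group(1)))    # user stylesheet that is not .css
    return findings

# Constructed sample: lines copied from the first log posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\svchosd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\svchost.exe

F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System32\vxdmgr32.exe
F1 - win.ini: run=C:\WINDOWS\dllreg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Configuration Service] C:\WINDOWS\System32\suchost.exe
O4 - HKLM\..\Run: [Aplune Service] svchosd.exe
O4 - HKCU\..\Run: [Windows Deafult Configuration] C:\WINDOWS\svchost.exe
O19 - User stylesheet: C:\WINDOWS\system32\mklsyt.3wd
"""

if __name__ == "__main__":
    print(*analyse_hjt(SAMPLE_LOG), sep="\n")
```

On the sample, cisvc.exe in System32 and the quoted QuickTime path produce no finding, while the C:\WINDOWS copy of svchost.exe and the two look-alike names are reported.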

#9 saul (Full Member, 9 posts)

Posted 27 May 2004 - 04:19 PM

Wiskonst,

I really appreciate your instruction; you've helped tremendously. I ran Ad-Aware again and it didn't catch on NT Winlogin, so I guess we're OK. I must have been hallucinating when I said it was there after your fix, but it was catching it before. You must have got it.

I submitted cisvc.exe to the online virus scan and it was clean, so hopefully I'm disease free. Thanks!

Saul

#10 Wiskonst (Advanced Member, Helper, 152 posts)

Posted 27 May 2004 - 05:08 PM

Saul

OK, thank you! :)
_______
Wiskonst



