hijack log just removed 700 spyware objects and 15



#1 nemmisa

Posted 15 June 2004 - 05:04 PM

Hi, hope someone can help. I just removed loads of spyware and viruses off of a friend's computer. Could someone take a look at the log to see what is left?


Logfile of HijackThis v1.97.7
Scan saved at 21:50:45, on 15/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\program files\quicktime\plugins\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\TRACEY AND EDDIE\Desktop\tracy's downloads\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;;localhost;<local>
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{DE09D68E-0488-4DF0-BD46-5BF35F2D1F2A} - (no file)
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O3 - Toolbar: Copernic Meta - {F79AD27F-8140-4E33-8B1D-C4FC6B663CCA} - C:\WINDOWS\Downloaded Program Files\CopernicMeta.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [EKRXBHO] C:\WINDOWS\EKRXBHO.exe
O4 - HKLM\..\Run: [FLSYCIP] C:\WINDOWS\FLSYCIP.exe
O4 - HKLM\..\Run: [DKQX] C:\WINDOWS\DKQX.exe
O4 - HKLM\..\Run: [QXAHOUBH] C:\WINDOWS\QXAHOUBH.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
O8 - Extra context menu item: Search Using Copernic Meta - res://C:\WINDOWS\Downloaded Program Files\CopernicMeta.dll/HTML/SearchExt
O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)
O9 - Extra button: Copernic Agent (HKLM)
O9 - Extra button: Money Viewer (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Copernic Meta - file://C:\DOCUME~1\AARON\LOCALS~1\Temp\CopernicMeta0.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {4855C21B-E452-4661-A702-ED3493CE74DF} - http://sp.ask.com/do...askbar-inst.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1) -
O16 - DPF: {8EF27A70-DD04-11D6-B7F6-00A0C9CD5F8A} - http://www.quikshield.com/qshsetup.exe
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DBAE7000-01EC-4162-8FEB-8A27AC937CA0} - http://webpdp.gator....ndle44v1d12.cab
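Triage helper for the log above, added here as an example and not part of the original post or of HijackThis itself. The heuristics are this example's own assumptions about which entry types are worth researching (dead registry references, Run keys launching a randomly named executable straight out of C:\WINDOWS, ActiveX DPF installers pulled from a Temp folder or from a watch-listed host); a hit is a pointer for further checking, not a verdict on the friend's machine. The sample lines are copied from the posted log, including the forum's own "..." truncation of the URLs.

```python
import re

# Signature lists are assumptions for illustration, not from the forum thread.
DEAD_MARKERS = ("(no file)", "(file missing)")
ADWARE_HOSTS = ("gator.",)  # Gator/Claria installer host; extend as needed

# A handful of lines copied from the HijackThis log posted above, embedded so
# this runs offline. The "..." in the URLs is how the forum displayed them.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;;localhost;<local>
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [EKRXBHO] C:\WINDOWS\EKRXBHO.exe
O4 - HKLM\..\Run: [DKQX] C:\WINDOWS\DKQX.exe
O16 - DPF: Copernic Meta - file://C:\DOCUME~1\AARON\LOCALS~1\Temp\CopernicMeta0.cab
O16 - DPF: {DBAE7000-01EC-4162-8FEB-8A27AC937CA0} - http://webpdp.gator....ndle44v1d12.cab
"""

# "O4 - HKLM\..\Run: [name] target" -> section code and the rest of the line
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# Run-key body: hive, bracketed value name, then the command line
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<target>.+)$")
# An executable sitting directly in the Windows root with a short all-caps name
WINROOT_EXE_RE = re.compile(r"^C:\\WINDOWS\\(?P<base>[A-Z]{4,8})\.exe$")
# The download URL at the end of an O16 (Downloaded Program Files) entry
DPF_URL_RE = re.compile(r"- (?P<url>(?:https?|file)://\S+)$")


def triage(log_text):
    """Return a list of {section, reason, line} dicts for entries worth researching."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header, process list, blank line
        sec, body = m.group("sec"), m.group("body")
        reasons = []

        # Rule 1: the registry still references a file that is gone (leftover of a removal)
        if any(marker in body for marker in DEAD_MARKERS):
            reasons.append("dead reference: entry points at a file that no longer exists")

        # Rule 2: Run key whose value name equals a random-looking EXE in C:\WINDOWS
        if sec == "O4":
            rm = RUN_RE.match(body)
            if rm:
                wm = WINROOT_EXE_RE.match(rm.group("target"))
                if wm and wm.group("base") == rm.group("name"):
                    reasons.append("run key launches a randomly named executable from the Windows root; research it")

        # Rule 3: ActiveX control installed from a Temp folder or a watch-listed host
        if sec == "O16":
            um = DPF_URL_RE.search(body)
            if um:
                url = um.group("url").lower()
                if url.startswith("file://") and "\\temp\\" in url:
                    reasons.append("ActiveX control installed from a local Temp folder")
                if any(host in url for host in ADWARE_HOSTS):
                    reasons.append("ActiveX control downloaded from a watch-listed adware host")

        for reason in reasons:
            findings.append({"section": sec, "reason": reason, "line": line})
    return findings


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"[{hit['section']}] {hit['reason']}\n    {hit['line']}")
```

Entries that carry "(no name)" alone are not flagged: the Spybot SDHelper BHO in the log shows that an unnamed BHO is normal, and only the "(no file)" / "(file missing)" markers indicate a dead reference. To run it against a real log, read the saved HijackThis text file and pass its contents to triage().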

#2 Bugbatter (Trusted Advisor)

Posted 15 June 2004 - 06:30 PM

Hi, nemmisa,
I will be glad to research these for you. I see that AVG is running. There was an update today. Was a scan run after it was updated? If not, please run the updated version.
You did not mention what programs were used to remove the spyware. Ad-Aware had an update today, also. Please let me know if Ad-Aware and Spybot were used.
If not, I will post instructions for both programs.

In addition, HijackThis needs to be moved from the desktop to its own permanent folder. When HJT makes backups they will go into that folder. With it on the desktop, they would be scattered all over the desktop.

There are still several things that need to be fixed, but I will wait for your reply before giving further instructions.
Microsoft MVP - Consumer Security

#3 nemmisa

Posted 16 June 2004 - 12:30 PM

Hi, I used Ad-Aware to clean up the spyware. I also used Spybot, which found a further 80 items, but every time I clicked to fix problems it crashed. I have found some info on Spybot's website. Ad-Aware was using the latest reference file and Spybot the latest update.

I updated her antivirus, as my friend didn't know you had to do that (kid you not), and it found 15 trojan dialers etc., which it cleaned up. I also replaced her hosts file with the MVPS hosts file, as hers had redirects. I also installed SpywareBlaster and the Opera browser for her. Her internet connection is up to speed now and her computer is running faster, but still not as fast as it should do.

I have a rough idea what to fix in HijackThis but would just like some advice. Also, HijackThis is in its own folder.
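The hosts-file redirects mentioned in the post above are the kind of thing a short check can surface before replacing the file. The script below is an added example, not part of this thread or of the MVPS hosts project: it parses a hosts file and separates blocking entries (names sent to a loopback or unspecified address, which is what a blocklist does) from redirect entries (names sent to some other address, which is what a hijack does). The sample hosts content is constructed for the example; the friend's actual file is not on the page.

```python
import ipaddress

# Constructed sample hosts file. Addresses are documentation ranges (RFC 5737),
# not real hosts; names are placeholders.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example.net          # blocklist-style entry: harmless
127.0.0.1       tracker.example.org      # blocklist-style entry: harmless
198.51.100.7    www.example.com          # redirect: browser is sent elsewhere
203.0.113.9     antivirus-updates.example  # redirect of an update host
malformed line without an address
"""


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, skipping comments and unparsable lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first field is not an address: ignore the line
        for name in parts[1:]:
            yield addr, name.lower()


def find_redirects(text):
    """Return [(ip, name), ...] for entries that redirect rather than block.

    A blocking entry maps a name to 127.0.0.1, ::1 or 0.0.0.0; anything else sends
    the name to a real machine, which is what a hijacked hosts file looks like.
    """
    redirects = []
    for addr, name in parse_hosts(text):
        if addr.is_loopback or addr.is_unspecified:
            continue
        redirects.append((str(addr), name))
    return redirects


def count_blocks(text):
    """Number of blocklist-style (sinkholed) entries, for a quick sanity summary."""
    return sum(1 for addr, _ in parse_hosts(text)
               if addr.is_loopback or addr.is_unspecified)


if __name__ == "__main__":
    print(f"blocking entries: {count_blocks(SAMPLE_HOSTS)}")
    for ip, name in find_redirects(SAMPLE_HOSTS):
        print(f"REDIRECT {name} -> {ip}")
```

On Windows XP the file lives at C:\WINDOWS\system32\drivers\etc\hosts; read it and pass the text to find_redirects(). A legitimate blocklist such as the MVPS file produces only blocking entries, so any line this reports is either a deliberate local override or a leftover redirect.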

#4 Bugbatter (Trusted Advisor)

Posted 16 June 2004 - 02:37 PM

It sounds as if you have been busy!
Did you flush her System Restore after cleaning all her malware? We will definitely do it after this, anyway.

Spybot has an update today. After she gets that, please run another scan.
Then just to be safe, please have your friend run an online scan with Trendmicro's Housecall. http://www.trendmicr.../enterprise.htm Sometimes Housecall finds things that other anti-virus programs don't.

Reboot and post a fresh HJT log. Then we can clean out some of the remnants.
Thanks.
Microsoft MVP - Consumer Security

#5 nemmisa

Posted 16 June 2004 - 03:50 PM

Hi, thanks for the reply. I will try again after updating, although last time Spybot had an update it took a week to get it. I will try the Housecall website with her. Should I turn off her System Restore to flush it?

#6 Bugbatter (Trusted Advisor)

Posted 16 June 2004 - 04:15 PM

To flush the XP System Restore Points.
(Using XP, you must be logged in as Administrator to do this.)

Go to Start > Run, type msconfig and press Enter.
When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings Link on the left.
Check the box labeled Turn Off System Restore.

Reboot. Go back in and turn System Restore back on. A new Restore Point will be created.
Microsoft MVP - Consumer Security

#7 nemmisa

Posted 17 June 2004 - 05:00 AM

Hi, thank you for the reply. I will try and see my friend this evening to try the Housecall website and see if Spybot S&D can remove the last bits of spyware without crashing. Although, just as I thought, my Spybot is still not showing any updates, only the TeaTimer help file. Also, none of the viruses and spyware were found in the restore, so should I still flush it? Also, I forgot to mention that for ages she had an error message when starting the PC about a runtime library; I can't remember the exact message. I did notice in the HijackThis log that she has 2 entries for Java Runtime. Could this have anything to do with her error message?

#8 Bugbatter (Trusted Advisor)

Posted 17 June 2004 - 08:28 AM

There was a security update for Sun Java a few months ago. The process for updating it was very specific. I can't tell from her log which version she has installed. You should be able to research that better when you know the exact error message.

Regarding the System Restore. If it was not cleaned out, it might be a good idea to do it anyway, now that the computer is running better.
Microsoft MVP - Consumer Security
