hijackthis.log
5 replies to this topic

#1 jfx (Full Member, 5 posts)

Posted 22 June 2004 - 12:44 PM

Hi, I have AVG and it keeps detecting a PSW.Bipsy virus along with a few others. Here is my hijackthis.log, hopefully someone can help me. Thanks in advance!

Logfile of HijackThis v1.97.7
Scan saved at 10:42:03 AM, on 6/22/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\rtr.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\binn.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Winamp5\winamp.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\JAMES1\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: ohb - {E539DEA3-BA67-4F1F-A897-5F2F4F29A063} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {702AD576-FDDB-4d0f-9811-A43252064684} - (no file)
O3 - Toolbar: (no name) - {179E4B4A-76C3-4F65-BCED-C9FA1A28D2EF} - (no file)
O3 - Toolbar: (no name) - {423BD222-52BE-471A-BE01-75FCCEB3D48F} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: PartyPoker.com (HKLM)
O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct1_x.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt0_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcaf...ed/MGBrwFld.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {645D793B-33E2-4175-A7E1-BA490839358A} (DNL Control) - http://www.huntfly.c...dia/MyFIDNL.ocx
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.googl...g/GoogleNav.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O16 - DPF: {8A0DCBDA-6E20-489C-9041-C1E8A0352E75} - http://download.getm...s/installer.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8122.4522453704
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

BTW, I have a question: is the internet supposed to be disconnected while I run this? Or does it not matter?

#2 dave38, Devout Murphyite! (Emeritus, 8,508 posts)

Posted 22 June 2004 - 01:59 PM

Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

R3 - Default URLSearchHook is missing
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com

O2 - BHO: ohb - {E539DEA3-BA67-4F1F-A897-5F2F4F29A063} - (no file)
O3 - Toolbar: (no name) - {702AD576-FDDB-4d0f-9811-A43252064684} - (no file)
O3 - Toolbar: (no name) - {179E4B4A-76C3-4F65-BCED-C9FA1A28D2EF} - (no file)
O3 - Toolbar: (no name) - {423BD222-52BE-471A-BE01-75FCCEB3D48F} - (no file)

O9 - Extra button: PartyPoker.com (HKLM)
O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)

O16 - DPF: {645D793B-33E2-4175-A7E1-BA490839358A} (DNL Control) - http://www.huntfly.c...dia/MyFIDNL.ocx
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O16 - DPF: {8A0DCBDA-6E20-489C-9041-C1E8A0352E75} - http://download.getm...s/installer.cab

Reboot after fixing.

This will probably not affect the trojans reported by AVG, as these fixes are only orphaned registry entries, for the most part.

What files are reported by AVG, and where?
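The list dave38 gives above follows a few recognisable patterns: a missing default URLSearchHook, HOSTS overrides, O2/O3 CLSIDs whose DLL is "(no file)", and O16 ActiveX downloads from a bare IP. The following is an added example (not HijackThis code and not part of the original thread) that parses HijackThis entry lines and applies those rules as triage. The rules are this example's own reading of the reply; HijackThis itself does not classify entries. The sample lines are copied from the log above (only the one O16 URL that is complete in the log is used) plus one constructed benign O16 line with a made-up CLSID and host.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample: lines from the HijackThis log in this thread, plus a
# constructed benign O16 line (made-up CLSID and vendor host).
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O1 - Hosts: 12.129.205.209 search.netscape.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: ohb - {E539DEA3-BA67-4F1F-A897-5F2F4F29A063} - (no file)
O3 - Toolbar: (no name) - {702AD576-FDDB-4d0f-9811-A43252064684} - (no file)
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O16 - DPF: {00000000-0000-0000-0000-000000000001} (Example Control) - http://download.example.com/example.cab
"""

# Every HijackThis entry line is "<section> - <body>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")


def parse_entries(text):
    """Return (section, body) pairs for every entry line in a HijackThis log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def is_raw_ip_host(url):
    """True when the URL's host is a bare IP address rather than a DNS name."""
    host = urlparse(url).hostname
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def triage(text):
    """Apply the rules modelled on the reply above; one finding dict per hit.

    Rules (this example's assumptions, not HijackThis logic):
      R3 with "URLSearchHook is missing"  -> let HijackThis restore the default
      O1 HOSTS overrides                  -> review every mapping
      O2/O3 ending in "(no file)"         -> orphaned CLSID, remove the entry
      O16 whose download host is a bare IP -> remove
    """
    findings = []
    for section, body in parse_entries(text):
        reason = None
        if section == "R3" and "URLSearchHook is missing" in body:
            reason = "default URLSearchHook missing; let HijackThis restore it"
        elif section == "O1":
            reason = "HOSTS file override; confirm every mapping is intentional"
        elif section in ("O2", "O3") and body.endswith("(no file)"):
            reason = "orphaned BHO/toolbar CLSID, DLL is gone; remove the registry entry"
        elif section == "O16":
            url = body.rsplit(" - ", 1)[-1]  # the download URL is the last field
            if is_raw_ip_host(url):
                reason = "ActiveX control downloaded from a bare IP address; remove"
        if reason:
            findings.append({"section": section, "entry": body, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:<4} {f['reason']}\n     {f['entry']}")
```

Running it flags the R3, O1, the two "(no file)" entries and the 69.56.176.78 download, and leaves the NAV Helper BHO and the constructed vendor-hosted O16 alone, which mirrors the split dave38 made by hand. Entries that point at an existing DLL still need manual review; "file present" is not the same as "file benign".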

#3 jfx (Full Member, 5 posts)

Posted 22 June 2004 - 03:35 PM

Here's my AVG log:

Results of Complete Test, date and time 6/22/2004 12:49:45 :

Testing C:\ volume MAIN serial 1358-1CFA
C:\WINNT\SYSTEM32\REG.EXE:\cpu.exe Trojan horse BackDoor.Iroffer.S
C:\WINNT\SYSTEM32\REG.EXE:\firehell.ini Trojan horse IRC/BackDoor.Flood
C:\WINNT\SYSTEM32\REG.EXE:\hasn.ini Trojan horse IRC/BackDoor.Flood
C:\WINNT\SYSTEM32\REG.EXE:\msdn.exe Trojan horse HideWindow
C:\WINNT\SYSTEM32\REG.EXE:\secure.bat Virus identified Worm/Ircobus
C:\WINNT\SYSTEM32\REG.EXE:\soundman.exe Trojan horse IRC/BackDoor.Flood
C:\WINNT\SYSTEM32\ATPART~1.DLL repaired
C:\Documents and Settings\JAMES1\NTUSER.DAT Cannot open; not checked!
C:\Documents and Settings\JAMES1\ntuser.dat.LOG Cannot open; not checked!
C:\Documents and Settings\JAMES1\Local Settings\TEMP\BI.DLL repaired
C:\Documents and Settings\JAMES1\Local Settings\TEMP\BIPREP.EXE repaired
C:\Documents and Settings\JAMES1\Local Settings\Application Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
C:\Documents and Settings\JAMES1\Local Settings\Application Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\JAMES1\DATA\CHANDIR.IDX Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\JAMES1\DATA\STORYDB.IDX Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\JAMES1\DATA\D0000000.FCS Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\JAMES1\DATA\STORYDB.DAT Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\JAMES1\DATA\L0000006.FCS Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\JAMES1\DATA\CHANDIR.DAT Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\JAMES1\DATA\CHN.DAT Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\JAMES1\DATA\CHN.IDX Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\JAMES1\DATA\PRS_DIE.DAT Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\JAMES1\DATA\PRS_DIE.IDX Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\JAMES1\DATA\PRS_DND.DAT Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\JAMES1\DATA\PRS_DND.IDX Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\JAMES1\DATA\PRS_EXT.DAT Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\JAMES1\DATA\PRS_EXT.IDX Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\JAMES1\DATA\PRS_RCV.DAT Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\JAMES1\DATA\PRS_RCV.IDX Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\JAMES1\DATA\PRS.DAT Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\JAMES1\DATA\PRS.IDX Cannot open; not checked!

Test finished, duration 00:44:39.7 s
41941 objects tested, 9 found infected
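Six of the AVG detections above are reported as `C:\WINNT\SYSTEM32\REG.EXE:\<name>`. The following is an added example, not AVG code and not part of the original thread, that parses AVG result lines of this shape and separates detections that are hidden streams of a host file from detections in plain files. It assumes, as the `file:\name` notation suggests, that these are NTFS alternate data streams attached to REG.EXE (NTFS itself writes them as `file:stream`); the point for clean-up is that the host is a legitimate Windows binary, so it is the streams that need removing, not REG.EXE. The sample is a constructed subset of the result lines posted above, and the `C:\WINNT\` system-directory check is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the AVG result lines posted in this thread.
SAMPLE_REPORT = r"""
C:\WINNT\SYSTEM32\REG.EXE:\cpu.exe Trojan horse BackDoor.Iroffer.S
C:\WINNT\SYSTEM32\REG.EXE:\msdn.exe Trojan horse HideWindow
C:\WINNT\SYSTEM32\REG.EXE:\secure.bat Virus identified Worm/Ircobus
C:\WINNT\SYSTEM32\ATPART~1.DLL repaired
C:\Documents and Settings\JAMES1\NTUSER.DAT Cannot open; not checked!
C:\Documents and Settings\JAMES1\Local Settings\TEMP\BIPREP.EXE repaired
"""

# AVG 6 result lines are "<path> <verdict>". Paths may contain spaces, so the
# verdict is anchored at the end of the line and the path is whatever precedes it.
VERDICT_PATTERNS = [
    ("infected", re.compile(r"^(?P<path>.+?) (?P<verdict>Trojan horse \S+)$")),
    ("infected", re.compile(r"^(?P<path>.+?) (?P<verdict>Virus identified \S+)$")),
    ("repaired", re.compile(r"^(?P<path>.+?) (?P<verdict>repaired)$")),
    ("unscanned", re.compile(r"^(?P<path>.+?) (?P<verdict>Cannot open; not checked!)$")),
]

# "<drive>:\<file>:\<name>" is read as an alternate data stream <name> attached to
# <file> (assumption based on the report notation).
ADS_RE = re.compile(r"^(?P<host>[A-Za-z]:\\[^:]+):\\?(?P<stream>[^\\:]+)$")

SYSTEM_ROOT = r"C:\WINNT"  # assumption for this Windows 2000 example


def split_ads(path):
    """Return (host_file, stream_name) for an ADS path, or None for a plain file."""
    m = ADS_RE.match(path)
    return (m.group("host"), m.group("stream")) if m else None


def parse_report(text):
    """Return (status, path, verdict) for every recognised result line."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        for status, pat in VERDICT_PATTERNS:
            m = pat.match(line)
            if m:
                rows.append((status, m.group("path"), m.group("verdict")))
                break
    return rows


def summarize(text):
    """Group infected streams by host file; keep plain infections, repairs and skips apart."""
    summary = {
        "ads_by_host": defaultdict(list),
        "infected_files": [],
        "repaired": [],
        "unscanned": [],
    }
    for status, path, verdict in parse_report(text):
        if status == "infected":
            ads = split_ads(path)
            if ads:
                host, stream = ads
                summary["ads_by_host"][host].append((stream, verdict))
            else:
                summary["infected_files"].append((path, verdict))
        else:
            summary[status].append(path)
    return summary


def is_system_file(path):
    return path.upper().startswith(SYSTEM_ROOT.upper() + "\\")


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    for host, streams in s["ads_by_host"].items():
        note = "system binary: remove the streams, keep the host" if is_system_file(host) else "review host too"
        print(f"{host}  ({len(streams)} hidden streams; {note})")
        for stream, verdict in streams:
            print(f"    :{stream:<12} {verdict}")
    print("plain infected files:", s["infected_files"])
    print("repaired:", len(s["repaired"]), " not scanned:", len(s["unscanned"]))
```

The "Cannot open; not checked!" lines are worth keeping in the output as well: NTUSER.DAT and UsrClass.dat are the user's registry hives, locked while that profile is logged on, so the scan says nothing about them one way or the other.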

#4 jfx (Full Member, 5 posts)

Posted 23 June 2004 - 12:04 PM

Bump.. any help would be appreciated, thanks!

#5 jfx (Full Member, 5 posts)

Posted 23 June 2004 - 08:12 PM

Bump

#6 jfx (Full Member, 5 posts)

Posted 29 June 2004 - 02:35 PM

Help..?