jfx

hijackthis.log

6 posts in this topic

Hi, I have AVG and it keeps detecting a PSW.Bipsy virus along with a few others. Here is my hijackthis.log, hopefully someone can help me. Thanks in advance!

 

Logfile of HijackThis v1.97.7

Scan saved at 10:42:03 AM, on 6/22/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINNT\SYSTEM32\DNTUS26.EXE

C:\WINNT\SYSTEM32\DWRCS.EXE

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\hidserv.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\WINNT\system32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\rtr.exe

C:\WINNT\system32\cmd.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\system32\binn.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\Winamp5\winamp.exe

C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\JAMES1\Desktop\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

R3 - Default URLSearchHook is missing

O1 - Hosts: 12.129.205.209 search.netscape.com

O1 - Hosts: 12.129.205.209 sitefinder.verisign.com

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O2 - BHO: ohb - {E539DEA3-BA67-4F1F-A897-5F2F4F29A063} - (no file)

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: (no name) - {702AD576-FDDB-4d0f-9811-A43252064684} - (no file)

O3 - Toolbar: (no name) - {179E4B4A-76C3-4F65-BCED-C9FA1A28D2EF} - (no file)

O3 - Toolbar: (no name) - {423BD222-52BE-471A-BE01-75FCCEB3D48F} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: PartyPoker.com (HKLM)

O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab

O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt0_x.cab

O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab

O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab

O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {645D793B-33E2-4175-A7E1-BA490839358A} (DNL Control) - http://www.huntfly.com/media/MyFIDNL.ocx

O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/big/1.1....g/GoogleNav.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab

O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab

O16 - DPF: {8A0DCBDA-6E20-489C-9041-C1E8A0352E75} - http://download.getmirar.com/875455/files/installer.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8122.4522453704

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

BTW, I have a question: is the internet supposed to be disconnected while I run this? Or does it not matter?

Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

R3 - Default URLSearchHook is missing

O1 - Hosts: 12.129.205.209 search.netscape.com

O1 - Hosts: 12.129.205.209 sitefinder.verisign.com

 

O2 - BHO: ohb - {E539DEA3-BA67-4F1F-A897-5F2F4F29A063} - (no file)

O3 - Toolbar: (no name) - {702AD576-FDDB-4d0f-9811-A43252064684} - (no file)

O3 - Toolbar: (no name) - {179E4B4A-76C3-4F65-BCED-C9FA1A28D2EF} - (no file)

O3 - Toolbar: (no name) - {423BD222-52BE-471A-BE01-75FCCEB3D48F} - (no file)

 

O9 - Extra button: PartyPoker.com (HKLM)

O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)

 

O16 - DPF: {645D793B-33E2-4175-A7E1-BA490839358A} (DNL Control) - http://www.huntfly.com/media/MyFIDNL.ocx

O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab

O16 - DPF: {8A0DCBDA-6E20-489C-9041-C1E8A0352E75} - http://download.getmirar.com/875455/files/installer.cab

Reboot after fixing.

 

This will probably not affect the trojans reported by AVG, as these fixes are only orphaned registry entries, for the most part.

 

What files are reported by AVG, and where?

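The reply above picks out three classes of entry to fix: hosts-file lines that send a name to a public address instead of loopback (O1), BHO and toolbar CLSIDs that no longer point at a file (O2/O3), and ActiveX downloads served from a bare IP or a vendor nobody recognises (O16). The following Python is an added example that applies those same checks to a pasted log; it is not part of the thread and not a HijackThis feature. The sample log is a constructed subset of the log posted above, with the two hosts entries on separate lines as HijackThis prints them; the category names and the "review" verdict for O16 hosts that are not bare IPs are this example's own choices.

```python
"""Triage a HijackThis 1.97-era log for the entry classes a helper fixes first.

Added example, not part of the original thread or of HijackThis itself.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: a subset of the log posted above. The two O1 lines are
# written separately, as HijackThis outputs them (the forum paste fused them).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R3 - Default URLSearchHook is missing
O1 - Hosts: 12.129.205.209 search.netscape.com
O1 - Hosts: 12.129.205.209 sitefinder.verisign.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: ohb - {E539DEA3-BA67-4F1F-A897-5F2F4F29A063} - (no file)
O3 - Toolbar: (no name) - {702AD576-FDDB-4d0f-9811-A43252064684} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O16 - DPF: {8A0DCBDA-6E20-489C-9041-C1E8A0352E75} - http://download.getmirar.com/875455/files/installer.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
""".strip()

HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")          # O1 - Hosts: <addr> <name>
ORPHAN_RE = re.compile(r"^O[23] - .+ - \(no file\)$")         # BHO/toolbar CLSID with no DLL
DPF_RE = re.compile(r"^O16 - DPF: .+ - (\S+)$")               # ActiveX download, URL last

# Category labels used in the findings (this example's own names).
HOSTS, ORPHAN, DPF_IP, DPF_REVIEW, SEARCHHOOK = (
    "hosts", "orphan", "dpf-ip", "dpf-review", "urlsearchhook")


def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; False for anything else or non-addresses."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def is_bare_ip(host):
    """True when a URL host is a literal IP rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(log_text):
    """Return (category, detail, line) for every entry worth fixing or reviewing."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "R3 - Default URLSearchHook is missing":
            findings.append((SEARCHHOOK, "default URLSearchHook entry removed", line))
            continue
        m = HOSTS_RE.match(line)
        if m:
            addr, name = m.groups()
            # A hosts entry is only benign when it blackholes to loopback.
            if not is_loopback(addr):
                findings.append((HOSTS, f"{name} redirected to {addr}", line))
            continue
        if ORPHAN_RE.match(line):
            findings.append((ORPHAN, "CLSID registered but DLL is gone", line))
            continue
        m = DPF_RE.match(line)
        if m:
            host = urlsplit(m.group(1)).hostname or ""
            if is_bare_ip(host):
                findings.append((DPF_IP, f"ActiveX control fetched from bare IP {host}", line))
            else:
                findings.append((DPF_REVIEW, f"ActiveX control from {host}: confirm vendor", line))
    return findings


if __name__ == "__main__":
    for category, detail, line in triage(SAMPLE_LOG):
        print(f"[{category:12}] {detail}\n    {line}")
```

The O1 rule is the one worth keeping in mind: a hosts line is harmless when it points a name at 127.0.0.1 (a blocklist), but any mapping to a routable address, as with the two 12.129.205.209 entries here, silently reroutes that name and belongs on the fix list. O16 entries are listed even for recognisable vendors because every one of them is code that Internet Explorer was allowed to download and run.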

Here's my AVG log:

 

Results of Complete Test, date and time 6/22/2004 12:49:45 :

 

Testing C:\ volume MAIN serial 1358-1CFA

C:\WINNT\SYSTEM32\REG.EXE:\cpu.exe Trojan horse BackDoor.Iroffer.S

C:\WINNT\SYSTEM32\REG.EXE:\firehell.ini Trojan horse IRC/BackDoor.Flood

C:\WINNT\SYSTEM32\REG.EXE:\hasn.ini Trojan horse IRC/BackDoor.Flood

C:\WINNT\SYSTEM32\REG.EXE:\msdn.exe Trojan horse HideWindow

C:\WINNT\SYSTEM32\REG.EXE:\secure.bat Virus identified Worm/Ircobus

C:\WINNT\SYSTEM32\REG.EXE:\soundman.exe Trojan horse IRC/BackDoor.Flood

C:\WINNT\SYSTEM32\ATPART~1.DLL repaired

C:\Documents and Settings\JAMES1\NTUSER.DAT Cannot open; not checked!

C:\Documents and Settings\JAMES1\ntuser.dat.LOG Cannot open; not checked!

C:\Documents and Settings\JAMES1\Local Settings\TEMP\BI.DLL repaired

C:\Documents and Settings\JAMES1\Local Settings\TEMP\BIPREP.EXE repaired

C:\Documents and Settings\JAMES1\Local Settings\Application Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!

C:\Documents and Settings\JAMES1\Local Settings\Application Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!

C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\JAMES1\DATA\CHANDIR.IDX Cannot open; not checked!

C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\JAMES1\DATA\STORYDB.IDX Cannot open; not checked!

C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\JAMES1\DATA\D0000000.FCS Cannot open; not checked!

C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\JAMES1\DATA\STORYDB.DAT Cannot open; not checked!

C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\JAMES1\DATA\L0000006.FCS Cannot open; not checked!

C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\JAMES1\DATA\CHANDIR.DAT Cannot open; not checked!

C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\JAMES1\DATA\CHN.DAT Cannot open; not checked!

C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\JAMES1\DATA\CHN.IDX Cannot open; not checked!

C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\JAMES1\DATA\PRS_DIE.DAT Cannot open; not checked!

C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\JAMES1\DATA\PRS_DIE.IDX Cannot open; not checked!

C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\JAMES1\DATA\PRS_DND.DAT Cannot open; not checked!

C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\JAMES1\DATA\PRS_DND.IDX Cannot open; not checked!

C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\JAMES1\DATA\PRS_EXT.DAT Cannot open; not checked!

C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\JAMES1\DATA\PRS_EXT.IDX Cannot open; not checked!

C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\JAMES1\DATA\PRS_RCV.DAT Cannot open; not checked!

C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\JAMES1\DATA\PRS_RCV.IDX Cannot open; not checked!

C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\JAMES1\DATA\PRS.DAT Cannot open; not checked!

C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\JAMES1\DATA\PRS.IDX Cannot open; not checked!

 

Test finished, duration 00:44:39.7 s

41941 objects tested, 9 found infected

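A detail of the AVG log above that is easy to misread: `C:\WINNT\SYSTEM32\REG.EXE:\cpu.exe` is not a directory named REG.EXE. AVG writes NTFS alternate data streams as `<file>:\<stream>`, so the six detections are six streams hidden behind one legitimate system binary, and the three "repaired" entries are ordinary files. The Python below is an added example, not part of the thread or of AVG, that parses this notation and groups the results by host file so that a responder sees one carrier rather than six infected "files". The input is a subset of the log posted above; the verdict classes are this example's own.

```python
"""Parse AVG 6-era scan results and separate NTFS alternate data streams
(<file>:\\<stream>) from plain files. Added example, not part of the thread."""
import re
from collections import defaultdict

# Lines taken from the AVG log posted above (a subset, spacing as posted).
AVG_LINES = r"""
C:\WINNT\SYSTEM32\REG.EXE:\cpu.exe Trojan horse BackDoor.Iroffer.S
C:\WINNT\SYSTEM32\REG.EXE:\firehell.ini Trojan horse IRC/BackDoor.Flood
C:\WINNT\SYSTEM32\REG.EXE:\hasn.ini Trojan horse IRC/BackDoor.Flood
C:\WINNT\SYSTEM32\REG.EXE:\msdn.exe Trojan horse HideWindow
C:\WINNT\SYSTEM32\REG.EXE:\secure.bat Virus identified Worm/Ircobus
C:\WINNT\SYSTEM32\REG.EXE:\soundman.exe Trojan horse IRC/BackDoor.Flood
C:\WINNT\SYSTEM32\ATPART~1.DLL repaired
C:\Documents and Settings\JAMES1\NTUSER.DAT Cannot open; not checked!
C:\Documents and Settings\JAMES1\Local Settings\TEMP\BI.DLL repaired
C:\Documents and Settings\JAMES1\Local Settings\TEMP\BIPREP.EXE repaired
""".strip()

RESULT_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)"                  # drive-letter path, shortest match
    r"(?::\\(?P<stream>[^\\ ]+))?"                # optional ADS written as <file>:\<stream>
    r" (?P<verdict>Trojan horse \S+|Virus identified \S+|repaired|Cannot open; not checked!)$"
)


def classify(verdict):
    """Map an AVG verdict string to one of: infected, repaired, unscanned."""
    if verdict.startswith("Cannot open"):
        return "unscanned"
    if verdict == "repaired":
        return "repaired"
    return "infected"


def parse_avg(text):
    """Return one record per result line: path, stream (or None), verdict, status."""
    records = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = RESULT_RE.match(line)
        if not m:
            # Keep unknown layouts visible rather than dropping them silently.
            records.append({"path": line, "stream": None,
                            "verdict": "unparsed", "status": "unparsed"})
            continue
        records.append({"path": m["path"], "stream": m["stream"],
                        "verdict": m["verdict"], "status": classify(m["verdict"])})
    return records


def by_host_file(records):
    """Group results by the file that carries them: path -> [(stream, verdict), ...]."""
    groups = defaultdict(list)
    for r in records:
        groups[r["path"]].append((r["stream"], r["verdict"]))
    return dict(groups)


def ads_carriers(records):
    """Files that have at least one detection inside an alternate data stream."""
    return sorted({r["path"] for r in records
                   if r["stream"] and r["status"] == "infected"})


if __name__ == "__main__":
    recs = parse_avg(AVG_LINES)
    for path, hits in by_host_file(recs).items():
        streams = [s for s, _ in hits if s]
        tag = f" ({len(streams)} alternate data streams)" if streams else ""
        print(f"{path}{tag}")
        for stream, verdict in hits:
            print(f"    {':' + stream if stream else '<file>'}  {verdict}")
```

The practical consequence for cleanup: the streams live inside REG.EXE's NTFS record, so deleting or quarantining the whole file would take a needed system binary with it; the streams can be removed individually while the main data stream stays intact. On the machine itself the Sysinternals Streams utility lists and deletes alternate data streams; a plain directory listing on Windows 2000 shows none of them, which is why the scan log is the only place they surface here.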