Login 
 Search | |
| |
10-Jul-2004, 06:23 PM
#1 | |||||
| hijackthis log
__________________ i RoCk |
| |
10-Jul-2004, 11:30 PM
#2 | ||||||
| It's badly compromised and may take several days to fix.  Preliminaries: Have these instructions printed or in a convenient Notepad (or Wordpad) file so you can view them in Safe Mode. Have "show hidden (or all) files" checked in Folder Options > View in case you have to search for any hidden files to delete. Also ensure you do NOT have "hide file extensions..." enabled in Folder Options > ViewBefore proceeding, move HijackThis into a PERMANENT folder, not temporary one. Download and unzip to a convenient location the CoolWebShredder, CWShredder.exe available here: http://www.computercops.biz/downloads-cat-14.html Then: 1 >> Restart in Safe Mode: http://service1.symantec.com/SUPPORT...01052409420406 2 >> In Safe Mode run the CoolWebShredder, have it "fix" problems detected, then run HijackThis and check and "fix" the following entries: R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://find4u.net/spa.htm R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\system32\blank.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\WINDOWS\system32\blank.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\system32\searchbar.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://riviera.cc (obfuscated) R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.********com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = C:\WINDOWS\system32\searchbar.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\system32\blank.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\WINDOWS\system32\blank.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://riviera.cc (obfuscated) R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://riviera.cc (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://riviera.cc (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = C:\WINDOWS\system32\searchbar.html R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://riviera.cc (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://find4u.net/spa.htm R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.kazaa-lite.ws/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://riviera.cc (obfuscated) R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.kazaa-lite.ws/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://riviera.cc (obfuscated) R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file) O1 - Hosts: 64.200.25.145 gator.com #cooklop O1 - Hosts: 64.200.25.145 tripod.com #cooklop O1 - Hosts: 64.200.25.145 www.tripod.com #cooklop O1 - Hosts: 64.200.25.145 adultfriendfinder.com #cooklop O1 - Hosts: 64.200.25.145 www.adultfriendfinder.com #cooklop O1 - Hosts: 64.200.25.145 cj.com #cooklop O1 - Hosts: 64.200.25.145 www.cj.com #cooklop O1 - Hosts: 64.200.25.145 paypopup.com #cooklop O1 - Hosts: 64.200.25.145 www.paypopup.com #cooklop O1 - Hosts: 64.200.25.145 worldsex.com #cooklop O1 - Hosts: 64.200.25.145 www.worldsex.com #cooklop O1 - Hosts: 64.200.25.145 free6.com #cooklop O1 - Hosts: 64.200.25.145 www.free6.com #cooklop O1 - Hosts: 64.200.25.145 trafficmp.com #cooklop O1 - Hosts: 64.200.25.145 www.trafficmp.com #cooklop O2 - BHO: IEBho Class - {D8E25C53-9508-4f5c-9249-D98D438891D5} - C:\WINDOWS\System32\ssurf022.dll O3 - Toolbar: Does program flap - {9FCD782E-5D62-B1D3-0626-983D103EF197} - C:\PROGRA~1\ISOSEN~1\Fastwin.dll (file missing) O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe" O4 - HKLM\..\Run: [iehelper] C:\Program Files\syslaunch.exe O4 - HKLM\..\Run: [gqpplbcq] C:\WINDOWS\qgwjzulh.exe O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe O4 - HKLM\..\Run: [sys] regedit -s sysdllwm.reg O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SysUpd.exe O4 - HKLM\..\Run: [Start axis] C:\PROGRA~1\browse help ford\rdr build bits.exe ^^ Delete the above if you cannot vouch for it. O4 - HKLM\..\Run: [fash] C:\WINDOWS\fash.exe O4 - HKLM\..\Run: [GRMWEOJTB] C:\WINDOWS\GRMWEOJTB.exe O4 - HKLM\..\Run: [BIO] C:\WINDOWS\BIO.exe O4 - HKLM\..\Run: [] C:\WINDOWS\System32\ O4 - HKLM\..\Run: [FLSY] C:\WINDOWS\FLSY.exe O4 - HKLM\..\Run: [DKQELRYEL] C:\WINDOWS\DKQELRYEL.exe O4 - HKLM\..\Run: [mswspl] C:\DOCUME~1\Bryan\LOCALS~1\Temp\msg27.tmp10864086696314.exe O4 - HKLM\..\Run: [HUTDOWNS] C:\WINDOWS\System32\HUTDOWNS.exe ^^ delete if you cannot vouch for this. O4 - HKCU\..\Run: [olehelp] C:\WINDOWS\System32\olehelp.exe O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe (Do NOT delete winlogon.exe from c:\windows\system32)  Virtually ALL of the exes in the program paths above should be found and deleted. Too many for me to identifiy individuall. This needs to be done in Safe Mode.3 >> Install, UPDATE and run both Ad-Aware and the VX2 plugin following directions below, reboot and post a new Scanlog. I will move this to the Security Forum for follow-ups. Ad-Aware Home Page and Ad-Aware 6: Reference Guide by Winchester73 How Did I Get Infected? {Basic Ad-Aware instructions: 1. Check for Updates. 2. Start > Activate in depth scan. 3. (note: green checks = enabled, it is best to leave defaults unless problems are encountered). 4. Use custom scanning options > Customize > Drives and Folders = Scan within Archives > Memory and Registry = check all. 5. Tweak > Scanning Engine = Unload recognized processes during scanning > Cleaning Engine = let windows remove files in use at next reboot > Proceed > Next. Upon completion > Select All. 6. Reboot} How to use Lavasoft?s VX2 Cleaner plug-in Close Ad-Aware 6 build 181 and Ad-Watch (if running) Download the free VX2 Cleaner here Install the VX2 Cleaner Start Ad-Aware 6 build 181 Go to ?Plug-ins? Select the VX2 Cleaner plug-in and click ?Run Plugin? If your computer isn?t infected, click ?Close?. If your computer is infected Select ?Clean system? Reboot your computer Scan your computer with Ad-Aware Remove any VX2 objects detected Reboot your computer again Run a second scan to make sure the files have been removed from your computer |
11-Jul-2004, 01:22 PM
#4 | ||||||
| I saw a worse one in the XP forum and jumped on this instead   |
 |
| |
| Currently Active Users Viewing This Thread: 1 (0 members and 1 guests) | |
| Thread Tools | |
| |
| You Are Using:  |
Advertisements do not imply our endorsement of that product or service. All times are GMT -4. The time now is 11:05 AM. Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved. |  |
Facebook
Twitter
TechGuy.tv
TSG Mobile