HIjack This Log...I had tons of crap!

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Refbean

Thread Starter
Joined
Jan 7, 2005
Messages
53
Cab someone take a look at this log. I found tons of crap on the drive today. Just want to make sure I have cleaned it all.

Thanks,
Refbean


Logfile of HijackThis v1.99.1
Scan saved at 7:49:47 AM, on 6/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\p2pnetworking.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\TextBridge Pro Millennium BE\Bin\InstantAccess.exe
C:\Program Files\Obyz\Hokprmt.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\system32\RioMSC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://vaya.netfirms.com/best/lan
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=presario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [winupdate] C:\Program Files\winupdate\winupdate.exe /auto
O4 - HKLM\..\Run: [p2pnetworking] p2pnetworking.exe
O4 - HKLM\..\Run: [InstantAccess] C:\Program Files\TextBridge Pro Millennium BE\Bin\InstantAccess.exe /h
O4 - HKLM\..\Run: [Gtwatch] C:\WINDOWS\gtwatch.exe
O4 - HKLM\..\Run: [Xqeqrfy] C:\Program Files\Obyz\Hokprmt.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\RunServices: [p2pnetworking] p2pnetworking.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://mreis.mlxchange.com/Control/MultiSelectComboBox.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://mreis.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
121,530
I have edited the title of your post. Please be careful of the language you use here.

Run this removal tool:

http://securityresponse.symantec.com/avcenter/FxIstbar.exe

Please download and run the following program(s):

AD-AWARE

Go here: http://www.lavasoftusa.com/support/download/
and download Ad-Aware SE Personal

Install the program and launch it.

First, in the bottom right-hand corner of the main window click on Check for updates now then click Connect and download the latest reference files.

Then, in the main window: Click Start and under Select a scan Mode tick Perform full system scan.

Then, deselect Search for negligible risk entries.

To start the scan, click the Next button.

When the scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose select all from the drop down menu and then click Next).

Restart your computer.


SPYBOT SEARCH & DESTROY

http://majorgeeks.com/download2471.html

Open Spybot Search & Destroy (Click Start, Programs, Spybot S&D (Advanced Mode). Click Online – Search for updates – Download all available updates. Close all Browser windows, click Check for Problems. Anything that needs to be fixed will show in red and have a green check in the box to the left. Click Fix Selected Problems, then restart your computer.

Then, after rebooting, please post another log and we’ll see what’s left to get rid of.
 

Refbean

Thread Starter
Joined
Jan 7, 2005
Messages
53
Here's the new log. I also noticed that I have this folder called UPLOAD. It have tons of files in it that I did not recognize. So I deleted the folder. Now the folder is back with new files. What is this?

Ref


Logfile of HijackThis v1.99.1
Scan saved at 9:14:43 AM, on 6/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\system32\RioMSC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\p2pnetworking.exe
C:\Program Files\TextBridge Pro Millennium BE\Bin\InstantAccess.exe
C:\Program Files\Obyz\Hokprmt.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=presario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [winupdate] C:\Program Files\winupdate\winupdate.exe /auto
O4 - HKLM\..\Run: [p2pnetworking] p2pnetworking.exe
O4 - HKLM\..\Run: [InstantAccess] C:\Program Files\TextBridge Pro Millennium BE\Bin\InstantAccess.exe /h
O4 - HKLM\..\Run: [Gtwatch] C:\WINDOWS\gtwatch.exe
O4 - HKLM\..\Run: [Xqeqrfy] C:\Program Files\Obyz\Hokprmt.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\RunServices: [p2pnetworking] p2pnetworking.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://mreis.mlxchange.com/Control/MultiSelectComboBox.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://mreis.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
121,530
Not sure about the upload folder. Where is it located and what sort of files does it contain?

Go to Control Panel – Add/Remove programs and remove the following, if there:

Media Access
winupdate

Go here: http://www.filehippo.com/download_ccleaner.html to download and install CCleaner. Do not run it yet. Have it ready to run in safe mode later.


Download the trial version of Ewido Security Suite here: http://www.ewido.net/en/download/

Install Ewido.

During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".

Launch the program.

It will prompt you to update click the OK button and it will go to the main screen. On the left side of the main screen click update. Click on Start and let it update.

DO NOT run a scan yet. You will do that later in safe mode.


Download Killbox here: http://www.thespykiller.co.uk/files/killbox.exe and save it to your desktop but don’t run it yet.


Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click “fix checked.”


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?T...ario&pf=desktop

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?T...ario&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?T...ario&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?T...ario&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?T...ario&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?T...ario&pf=desktop

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?T...ario&pf=desktop

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [winupdate] C:\Program Files\winupdate\winupdate.exe /auto

O4 - HKLM\..\Run: [p2pnetworking] p2pnetworking.exe

O4 - HKLM\..\Run: [InstantAccess] C:\Program Files\TextBridge Pro Millennium BE\Bin\InstantAccess.exe /h

O4 - HKLM\..\Run: [Xqeqrfy] C:\Program Files\Obyz\Hokprmt.exe

O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe

O4 - HKLM\..\RunServices: [p2pnetworking] p2pnetworking.exe




Then boot to safe mode:


How to restart to safe mode:
http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

Now configure your computer to show all hidden files and folders like so:

Go to Start - Search and under "More advanced search options", make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders."

Next, click on My Computer, Go to Tools - Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders." Click "Apply" and then "OK."


Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.


C:\Program Files\winupdate\winupdate.exe

C:\WINDOWS\system32\p2pnetworking.exe

C:\Program Files\Obyz\Hokprmt.exe

C:\Program Files\Media Access\MediaAccK.exe


Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

Exit the Killbox.


Locate and delete these folders:

C:\Program Files\winupdate

C:\Program Files\Obyz

C:\Program Files\Media Access


Run Ewido:

Click on scanner

Put a check by the following before you scan:
  • Binder
    [*]Crypter
    [*]Archives

Click the Start Scan button to start the scan.

During the scan it will prompt you to clean files, click OK. When the scan is finished, look at the bottom of the screen and click the Save report button.

Save the report to your desktop


Start CCleaner and click Run Cleaner

Boot back to Windows normally and post another HijackThis log and the log from Ewido please.
 

Refbean

Thread Starter
Joined
Jan 7, 2005
Messages
53
Here is the report. As for the UPLOAD folder it is located at c:\upload. It contains file archives of programs that are listed in alphabetical order. All files are exactly the same size. Odd.

Thanks!


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:58:07 AM, 6/26/2005
+ Report-Checksum: A6BC96F5

+ Date of database: 6/26/2005
+ Version of scan engine: v3.0

+ Duration: 43 min
+ Scanned Files: 85764
+ Speed: 33.04 Files/Second
+ Infected files: 25
+ Removed files: 25
+ Files put in quarantine: 25
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\

+ Scan result:
C:\!Submit\hokprmt.exe -> Trojan.Small.cy -> Cleaned with backup
C:\!Submit\p2pnetworking.exe -> Backdoor.Rbot.rc -> Cleaned with backup
C:\!Submit\winupdate.exe -> Trojan.Crypt.e -> Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@adv.webmd[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@link[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@sexsearchcom[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\temp.fr117E -> Spyware.WinAD.ag -> Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\temp.fr41D5\MediaAccess.exe -> Spyware.WinAD -> Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\temp.fr521D -> Spyware.MediaPass -> Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\4TAR0XUF\istsvc[1].exe -> TrojanDownloader.IstBar -> Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\4TAR0XUF\power_remove[1].exe -> TrojanDownloader.IstBar.gi -> Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\4TAR0XUF\wsem303[1].dll -> TrojanDownloader.Dyfuca.dt -> Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\81QFGT2N\rogue[1].exe -> Trojan.Small.cy -> Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\C5A34D2F\sahagent[1].exe -> Spyware.Sahat.m -> Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\CPAJGTUF\sidefind[1].exe -> TrojanDownloader.IstBar.jm -> Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\GL056FCT\optimize[1].exe -> TrojanDownloader.Dyfuca.ei -> Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\OLMVSTQR\actalert[1].exe -> TrojanDownloader.Dyfuca.dp -> Cleaned with backup
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\OLMVSTQR\istdownload[1].exe -> TrojanDownloader.IstBar.kh -> Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug.a -> Cleaned with backup
C:\Program Files\iolo\System Mechanic 5 Professional\Undo\Manual\{3E8C6CDF-0E00-4281-979F-41ED6FC089AC}\{B27A3EE5-29DD-4A62-AB9E-1711A9BEAB76}.exe/{B27A3EE5-29DD-4A62-AB9E-1711A9BEAB76}.exe -> Spyware.Altnet.b -> Cleaned with backup
C:\Program Files\Mozilla Firefox\plugins\npzango.dll -> Spyware.WinAD -> Cleaned with backup
C:\temp\180SAPack.exe -> TrojanDownloader.Small.asf -> Cleaned with backup
C:\WINDOWS\system32\bszip.dll -> Worm.Wurmark.c -> Cleaned with backup
C:\WINDOWS\wsem303.dll -> TrojanDownloader.Dyfuca.dt -> Cleaned with backup
C:\xz.exe -> Backdoor.Rbot.rc -> Cleaned with backup


::Report End
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
121,530
Please post a new Hijack This log.

Can you tell me some of the programs that are in the C:\update folder?
 

Refbean

Thread Starter
Joined
Jan 7, 2005
Messages
53
It seems the Upload folder is now gone. Must have been associated with one of those entries removed. Here is the new HJT log file.

Logfile of HijackThis v1.99.1
Scan saved at 8:05:06 AM, on 7/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\RioMSC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Gtwatch] C:\WINDOWS\gtwatch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://mreis.mlxchange.com/Control/MultiSelectComboBox.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://mreis.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
121,530
The log looks good now but you need to get an anti-virus program on board immediately!

AVG is a good one that's free and you can get it here:

http://www.grisoft.com/doc/40/lng/us/tpl/tpl01

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on My Computer and click on Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on Start – All Programs – Accessories – System Tools and then select System Restore.

In the System Restore wizard, select Create a restore point and click the Next button.

Type a name for your new restore point then click on Create.

I also recommend downloading SPYWAREBLASTER & SPYWAREGUARD for added protection.


Read here for info on how to tighten your security.


Delete your temporary files:

In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit - Select All then Edit - Delete to delete the entire contents of the Temp folder.

Go to Start - Run and type %temp% in the Run box. The Temp folder will open. Click Edit - Select All then Edit - Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel - Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Empty the recycle bin.
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Members online

Top