
hijackthis logfile (and virus detected :( )

Discussion in 'Virus & Other Malware Removal' started by _ViRuS_, Jan 28, 2005.

Thread Status:
Not open for further replies.
  1. _ViRuS_

    _ViRuS_ Thread Starter

    Joined:
    Sep 22, 2003
    Messages:
    15
    Hi everybody!
    This is my HijackThis log (there's a virus, irc.backdoor.trojan, in system32! I can't remove it!!!):

    Logfile of HijackThis v1.99.0
    Scan saved at 10.49.59, on 28/01/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
    C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programmi\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\servicetask32.exe
    C:\Programmi\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\winasp.exe
    C:\windows\system\hpsysdrv.exe
    C:\Programmi\HP\Digital Imaging\Unload\hpqcmon.exe
    C:\WINDOWS\System32\hphmon05.exe
    C:\HP\KBD\KBD.EXE
    C:\Programmi\File comuni\Sonic\Update Manager\sgtray.exe
    C:\Programmi\Multimedia Card Reader\shwicon2k.exe
    C:\Programmi\File comuni\Symantec Shared\ccApp.exe
    C:\PROGRA~1\FILECO~1\PCSuite\DATALA~1\DATALA~1.EXE
    C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
    C:\WINDOWS\System32\wtmsv.exe
    C:\WINDOWS\System32\wuampd.exe
    C:\Programmi\ISTsvc\istsvc.exe
    C:\WINDOWS\gdpgm.exe
    C:\Program Files\Internet Optimizer\optimize.exe
    C:\programmi\180solutions\sais.exe
    C:\WINDOWS\System32\SahAgent.exe
    C:\WINDOWS\jydczsx.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Programmi\Common files\updater\wupdater.exe
    C:\Program Files\Internet Optimizer\actalert.exe
    C:\Programmi\NaviSearch\bin\nls.exe
    C:\Programmi\BullsEye Network\bin\bargains.exe
    C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
    C:\WINDOWS\System32\rundll32.exe
    C:\Programmi\Messenger\msmsgs.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Proprietario\Desktop\spy.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-it10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.html?&account_id=157515
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.html?&account_id=157515
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-it10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-it10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-it10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=157515
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp-go-supplies.com/english/order/index.shtml
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    O1 - Hosts: 255.255.255.255 ar.atwola.com atdmt.com avp.ch avp.com avp.ru awaps.net ca.com dispatch.mcafee.com download.mcafee.com download.microsoft.com downloads.microsoft.com engine.awaps.net f-secure.com ftp.f-secure.com ftp.sophos.com go.microsoft.com liveupdate.symantec.com mast.mcafee.com mcafee.com msdn.microsoft.com my-etrust.com nai.com networkassociates.com office.microsoft.com phx.corporate-ir.net secure.nai.com securityresponse.symantec.com service1.symantec.com sophos.com spd.atdmt.com support.microsoft.com symantec.com update.symantec.com updates.symantec.com us.mcafee.com vil.nai.com viruslist.ru windowsupdate.microsoft.com www.avp.ch www.avp.com www.avp.ru www.awaps.net www.ca.com www.f-secure.com www.kaspersky.ru www.mcafee.com www.my-etrust.com www.nai.com www.networkassociates.com www.sophos.com www.symantec.com www.trendmicro.com www.viruslist.com www.viruslist.ru www3.ca.com
    O1 - Hosts: 12.129.205.209 search.netscape.com
    O1 - Hosts: 12.129.205.209 sitefinder.verisign.com
    O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem303.dll
    O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Programmi\SideFind\sfbho.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar.dll
    O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
    O2 - BHO: CHungryBHO Object - {BCF96FB4-5F1B-497B-AECC-910304A55011} - C:\WINDOWS\neti.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {C5941EE5-6DFA-11D8-86B0-0002441A9695} - C:\WINDOWS\3_0_1browserhelper3.dll
    O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\PROGRA~1\BARGAI~1\bin\apuc.dll (file missing)
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Vista HP - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Programmi\HP\Digital Imaging\bin\hpdtlk02.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\PROGRA~1\ISTbar\istbar.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar.dll
    O3 - Toolbar: Search Bar - {0A8CE102-FA03-4612-9BEE-7FE5452F4CB1} - C:\WINDOWS\system32\srchbar.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Programmi\HP\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [HPHUPD05] c:\Programmi\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [UpdateManager] "C:\Programmi\File comuni\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [Sunkist2k] C:\Programmi\Multimedia Card Reader\shwicon2k.exe
    O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programmi\File comuni\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\FILECO~1\PCSuite\DATALA~1\DATALA~1.EXE
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
    O4 - HKLM\..\Run: [*wuauclt.exe] wtmsv.exe
    O4 - HKLM\..\Run: [Microsoft Update] wuampd.exe
    O4 - HKLM\..\Run: [Win32 USB2 Drivers] servicetask32.exe
    O4 - HKLM\..\Run: [M]O_WaYPUOWN] C:\WINDOWS\System32\cicyxhsdfajugj.exe
    O4 - HKLM\..\Run: [NvCplScan] winasp.exe
    O4 - HKLM\..\Run: [IST Service] C:\Programmi\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [LfqLL] C:\WINDOWS\gdpgm.exe
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [sais] c:\programmi\180solutions\sais.exe
    O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe
    O4 - HKLM\..\Run: [jydczsx] C:\WINDOWS\jydczsx.exe
    O4 - HKLM\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run
    O4 - HKLM\..\Run: [updater] C:\Programmi\Common files\updater\wupdater.exe
    O4 - HKLM\..\Run: [MSPluginSrvc] p3.exe
    O4 - HKLM\..\Run: [NaviSearch] C:\Programmi\NaviSearch\bin\nls.exe
    O4 - HKLM\..\Run: [BullsEye Network] C:\Programmi\BullsEye Network\bin\bargains.exe
    O4 - HKLM\..\RunServices: [*wuauclt.exe] wtmsv.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] wuampd.exe
    O4 - HKLM\..\RunServices: [Win32 USB2 Drivers] servicetask32.exe
    O4 - HKLM\..\RunServices: [M]O_WaYPUOWN] C:\WINDOWS\System32\cicyxhsdfajugj.exe
    O4 - HKLM\..\RunServices: [NvCplScan] winasp.exe
    O4 - HKLM\..\RunServices: [MSPluginSrvc] p3.exe
    O4 - HKLM\..\RunOnce: [Win32 USB2 Drivers] servicetask32.exe
    O4 - HKLM\..\RunOnce: [NvCplScan] winasp.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [BackupNotify] c:\Programmi\HP\Digital Imaging\bin\backupnotify.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPPAVI~1\Pavilion\XPHWWBP4\plugin\bin\PCHButton.exe
    O4 - HKCU\..\Run: [Win32 USB2 Drivers] servicetask32.exe
    O4 - HKCU\..\Run: [NvCplScan] winasp.exe
    O4 - HKCU\..\Run: [*wuauclt.exe] wtmsv.exe
    O4 - HKCU\..\Run: [Microsoft Update] wuampd.exe
    O4 - HKCU\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run
    O4 - HKCU\..\Run: [MSPluginSrvc] p3.exe
    O4 - HKCU\..\RunOnce: [Win32 USB2 Drivers] servicetask32.exe
    O4 - HKCU\..\RunOnce: [NvCplScan] winasp.exe
    O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
    O4 - Global Startup: Corel Family & Friends Reminders.LNK = C:\Programmi\Corel\Print House Magic\cffrem.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GoogleToolbar.dll/cmsearch.html
    O8 - Extra context menu item: Collegamenti a ritroso - res://C:\WINDOWS\GoogleToolbar.dll/cmbacklinks.html
    O8 - Extra context menu item: Pagine simili - res://C:\WINDOWS\GoogleToolbar.dll/cmsimilar.html
    O8 - Extra context menu item: Versione cache della pagina - res://C:\WINDOWS\GoogleToolbar.dll/cmcache.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Programmi\SideFind\sidefind.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O16 - DPF: {2048B51E-8D74-4762-82CE-B48CF545EEEA} (CAX Object) - http://content.handyspider.com/sc.cab
    O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O18 - Filter: text/html - {829E8064-ED98-40B8-AC19-F3F950046366} - C:\Documents and Settings\Proprietario\Impostazioni locali\Dati applicazioni\microsoft\internet explorer\V0.26.dat
    O23 - Service: *wuauclt.exe - Unknown - C:\WINDOWS\System32\wtmsv.exe
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
    O23 - Service: ISEXEng - Unknown - C:\WINDOWS\System32\angelex.exe
    O23 - Service: Servizio Norton AntiVirus Auto-Protect - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Programmi\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: SCA - Unknown - C:\WINDOWS\System32\SYSTEM.EXE


    Help me! What can I fix?

    thanx!! ;)

    ViRuS
     
  2. tj416

    tj416

    Joined:
    Nov 18, 2004
    Messages:
    747
    Hi virus,

    This is a real messy PC.

    Step 1

    Run at least two of these online virus scanners:
    Housecall
    Panda
    RAV Anti-virus Online
    eTrust Anti-virus Scanner

    Step 2

    Your log shows signs of a CWS infection. To remove this infection:
    1. Download CWShredder and save it in its own folder.
    2. Close all windows, including this one.
    3. Double click to run CWShredder.
    4. Choose to FIX all problems as opposed to scan.
    5. Restart your computer after the fixes are complete.

    Step 3

    1. Download and Install Spybot S&D, accepting the Default Settings
    2. In the Menu Bar at the top of the Spybot window you will see 'Mode'. Make certain that 'default mode' has a check mark beside it.
    3. Close ALL windows except Spybot S&D
    4. Click the button to ‘Search for Updates’ then download and install the Updates.
    5. Next click the button ‘Check for Problems’
    6. When Spybot is complete, it will be showing ‘RED’ entries, bold 'Black' entries and ‘GREEN’ entries in the window
    7. Make certain there is a check mark beside all of the RED entries ONLY.
    8. Choose ‘Fix Selected Problems’ and allow Spybot to fix the RED entries.
    9. REBOOT to complete the scan and clear memory.


    Step 4

    1. Download and Install Ad-Aware SE, keeping the default options. However, some of the settings will need to be changed before your first scan
    2. Close ALL windows except Ad-Aware SE
    3. Click on the ‘world’ icon at the top right of the Ad-Aware SE window and let Ad-Aware SE update the reference list for the adware and malware.
    4. Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window

    1) In the ‘General’ window make sure the following are selected in green:
    *Automatically save log-file
    *Automatically quarantine objects prior to removal
    *Safe Mode (always request confirmation)

    Under Definitions:
    *Prompt to update outdated definitions - set the number of days

    2) Click on the ‘Scanning’ button on the left and select in green :

    Under Driver, Folders & Files:
    *Scan Within Archives

    Under Select drives & folders to scan -
    *choose all hard drives

    Under Memory & Registry: all green
    *Scan Active Processes
    *Scan Registry
    *Deep Scan Registry
    *Scan my IE favorites for banned URLs
    *Scan my Hosts file

    3) Click on the ‘Advanced’ button on the left and select in green:

    Under Shell Integration:
    *Move deleted files to recycle bin

    Under Logfile Detail Level: (all green)
    *include additional object information
    *DESELECT - include negligible objects information
    *include environment information

    Under Alternate Data Streams:
    *Don't log streams smaller than 0 bytes
    *Don't log ADS with the following names: CA_INOCULATEIT

    4) Click the ‘Tweak’ button and select in green:

    Under the ‘Scanning Engine’:
    *Unload recognized processes during scanning
    *Scan registry for all users instead of current user only

    Under the ‘Cleaning Engine’:
    *Let Windows remove files in use at next reboot

    Under the Log Files:
    *Include basic Ad-aware SE settings in logfile
    *Include additional Ad-aware SE settings in logfile
    *Please do not check or make green: Include Module list in logfile

    5. Click on ‘Proceed’ to save the settings.
    6. Click ‘Start’

    *Choose: 'Perform Full System Scan'
    *DESELECT "Search for negligible risk entries", as negligible risk entries (MRUs) are not considered to be a threat.

    7. Click ‘Next’ and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.
    8. If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window
    9. Save the log file when it asks and then click ‘finish’
    10. REBOOT to complete the removal of what Ad-Aware SE found.

    Step 5

    Then, reboot and post a new log in this thread.
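    Reading a log like the one above by hand is what the reply does; as an added example (not part of the thread, and not HijackThis code), the script below applies three of the same checks to constructed HijackThis-format lines modelled on that log: O1 hosts entries that sink security-vendor domains at 255.255.255.255 (cutting off AV and Windows updates), O4 autostart values that are bare filenames or whose value name borrows a Windows component name (such as wuauclt.exe) while running something else, and O23 services with an Unknown publisher. The vendor keyword list and the sample lines are my own choices.

```python
import re
from typing import List, Tuple

# Constructed sample lines in HijackThis format, modelled on the entries in the thread.
SAMPLE_LOG = """\
O1 - Hosts: 255.255.255.255 liveupdate.symantec.com update.symantec.com download.mcafee.com
O1 - Hosts: 12.129.205.209 search.netscape.com
O4 - HKLM\\..\\Run: [ccApp] "C:\\Programmi\\File comuni\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\Run: [*wuauclt.exe] wtmsv.exe
O4 - HKLM\\..\\Run: [Microsoft Update] wuampd.exe
O4 - HKLM\\..\\RunServices: [Win32 USB2 Drivers] servicetask32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\\Programmi\\Norton AntiVirus\\SAVScan.exe
O23 - Service: SCA - Unknown - C:\\WINDOWS\\System32\\SYSTEM.EXE
"""

# Hostname fragments of AV and OS-update vendors (my own list): pointing these at a
# bogus address starves the machine of signature and patch updates.
SECURITY_VENDORS = ("symantec", "mcafee", "kaspersky", "sophos", "f-secure",
                    "trendmicro", "avp.", "nai.com", "ca.com", "microsoft.com")
SINKHOLE_IPS = {"255.255.255.255", "127.0.0.1", "0.0.0.0"}  # a block, not a redirect

O1_RE = re.compile(r"^O1 - Hosts: (\S+) (.+)$")
O4_RE = re.compile(r"^O4 - (\S+): \[(.*?)\] (.+)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")
Finding = Tuple[str, str, str]  # (item code, reason, original line)

def _executable(command: str) -> str:
    """First token of an autostart command, honouring a quoted path with spaces."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split()[0]

def triage(log_text: str) -> List[Finding]:
    """Return the entries a responder should look at first, each with its reason."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O1_RE.match(line):
            ip, hosts = m.groups()
            blocked = [h for h in hosts.split() if any(v in h for v in SECURITY_VENDORS)]
            if ip in SINKHOLE_IPS and blocked:
                findings.append(("O1", f"hosts file blocks security vendors: {blocked}", line))
        elif m := O4_RE.match(line):
            _key, name, command = m.groups()
            exe = _executable(command)
            base = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if "\\" not in exe:  # bare name: found via the search path, no fixed origin
                findings.append(("O4", f"autostart '{name}' runs bare filename {base}", line))
            claimed = name.lstrip("*").lower()
            if claimed.endswith(".exe") and claimed != base:  # borrowed component name
                findings.append(("O4", f"value name {claimed} masquerades, actually runs {base}", line))
        elif m := O23_RE.match(line):
            svc, company, path = m.groups()
            if company.strip().lower() == "unknown":
                findings.append(("O23", f"service '{svc}' has no publisher: {path}", line))
    return findings

if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {line}")
```

Bare-filename hits include legitimate vendor entries (nwiz.exe, VTTimer.exe in the thread's log), so treat that check as a prompt to locate the file, not as a verdict.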
     
  3. tj416

    tj416

    Joined:
    Nov 18, 2004
    Messages:
    747
    Did you rename HijackThis? Please name it HJT or HijackThis before posting a new log; this will make solving your log easier.
     
  4. _ViRuS_

    _ViRuS_ Thread Starter

    Joined:
    Sep 22, 2003
    Messages:
    15

    yeah, I renamed it "spy"

    thank you, I will try and re-post my log ;)

    ViRUS
     
Short URL to this thread: https://techguy.org/324264