
http://www.0x90-team.com/~diablo/index.html

Discussion in 'Windows XP' started by robin payne, Jun 21, 2005.

Thread Status:
Not open for further replies.
  1. robin payne (Thread Starter; joined Jun 21, 2005; 3 messages)
    I realise this problem has already come up on this forum before, so having read everything posted here I have attached my HJT log to this post for the techies to help me with.

    It started when my boss opened an email purportedly coming from our mail server administrator explaining he had only 24 hours or something like that to update his email details etc.

    Since then IE has been opening on bootup the page mentioned in the subject line above and prompting for a network password (even when not on a network!). The laptop has been running slow for the last week or two and now the email is not working. When the first problem of the webpage opening up on bootup occurred I downloaded for him noadware which found 291 infected files which I deleted. I am sure the oemji toolbar that is now present on all IE windows is related as I remember a similar thing attacking my computer before.

    Below is the attached Hijack This Log:

    Logfile of HijackThis v1.99.1
    Scan saved at 16:44:14, on 06/21/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\S24EvMon.exe
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\1XConfig.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    C:\WINDOWS\system32\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    C:\WINDOWS\system32\beta.exe
    C:\xx.exe
    C:\WINDOWS\system32\msxct.exe
    C:\WINDOWS\system32\3u85ft1t.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\WINDOWS\system32\j?vaw.exe
    C:\Program Files\bama\tlii.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Robin Payne\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oemji.com/side_search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oemji.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oemji.com/side_search.html
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {905F2427-C396-E219-B89D-B6FEDB870DC6} - C:\WINDOWS\system32\izmghrq.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

    If someone could please help me identify which ones I need to delete and any other steps I need to take to delete this virus it would be great. I think my boss is really sick of computer problems and this sticky problem will finish off any further idea of using it in his business.
     
  2. Couriant, Trusted Advisor (James; joined Mar 26, 2002; 32,323 messages)
    You are missing the rest of the log. Most of the details are in the O4 section.
     
  3. robin payne (Thread Starter; joined Jun 21, 2005; 3 messages)
    Thanks, Tidus4Yuna.

    Sorry, I don't know how I missed highlighting the rest. Here you go. Got to log off now but will check replies tomorrow. Thanks.

    Logfile of HijackThis v1.99.1
    Scan saved at 17:09:33, on 06/21/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\S24EvMon.exe
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\1XConfig.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    C:\WINDOWS\system32\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\Program Files\Apoint\Apntex.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    C:\WINDOWS\system32\beta.exe
    C:\xx.exe
    C:\WINDOWS\byxkqhbc.exe
    C:\WINDOWS\system32\msxct.exe
    C:\WINDOWS\system32\3u85ft1t.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\WINDOWS\system32\j?vaw.exe
    C:\Program Files\bama\tlii.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Robin Payne\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oemji.com/side_search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oemji.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oemji.com/side_search.html
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {905F2427-C396-E219-B89D-B6FEDB870DC6} - C:\WINDOWS\system32\izmghrq.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
    O4 - HKLM\..\Run: [WINDOWS SYSTEM] beta.exe
    O4 - HKLM\..\Run: [REGRUN] C:\xx.exe
    O4 - HKLM\..\Run: [MvFE] C:\WINDOWS\byxkqhbc.exe
    O4 - HKLM\..\Run: [msxct] msxct.exe
    O4 - HKLM\..\Run: [tcfaxyv] C:\WINDOWS\tcfaxyv.exe
    O4 - HKLM\..\Run: [Á³# *L"h'þ9Ӝð3rÅWC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\byxkqhbc.exe
    O4 - HKLM\..\Run: [3u85ft1t] C:\WINDOWS\system32\3u85ft1t.exe
    O4 - HKLM\..\Run: [Mvùõš/‚²‘ÆßfÏNb‰»9C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\byxkqhbc.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\RunServices: [WINDOWS SYSTEM] beta.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Cpnta] C:\WINDOWS\system32\j?vaw.exe
    O4 - HKCU\..\Run: [Sen] C:\Program Files\bama\tlii.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccess/ie/bridge-c5.cab
    O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_mp3x.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4E976035-E1EB-432C-9312-7256DCECFE2D}: NameServer = 159.134.237.6
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: Sebring - C:\WINDOWS\system32\LgNotify.dll
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    O23 - Service: McAfee SpamKiller Server (MskService) - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe

     
  4. Couriant, Trusted Advisor (James; joined Mar 26, 2002; 32,323 messages)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oemji.com/side_search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oemji.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oemji.com/side_search.html
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
    O2 - BHO: (no name) - {905F2427-C396-E219-B89D-B6FEDB870DC6} - C:\WINDOWS\system32\izmghrq.dll
    O4 - HKLM\..\Run: [WINDOWS SYSTEM] beta.exe
    O4 - HKLM\..\Run: [REGRUN] C:\xx.exe
    O4 - HKLM\..\Run: [MvFE] C:\WINDOWS\byxkqhbc.exe
    O4 - HKLM\..\Run: [msxct] msxct.exe
    O4 - HKLM\..\Run: [tcfaxyv] C:\WINDOWS\tcfaxyv.exe
    O4 - HKLM\..\Run: [Á³# *L"h'þ9Ӝð3rÅWC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\byxkqhbc.exe
    O4 - HKLM\..\Run: [3u85ft1t] C:\WINDOWS\system32\3u85ft1t.exe
    O4 - HKLM\..\Run: [Mvùõš/‚²‘ÆßfÏNb‰»9C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\byxkqhbc.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\RunServices: [WINDOWS SYSTEM] beta.exe
    O4 - HKCU\..\Run: [Cpnta] C:\WINDOWS\system32\j?vaw.exe
    O4 - HKCU\..\Run: [Sen] C:\Program Files\bama\tlii.exe
    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/M...e/bridge-c5.cab
    O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_mp3x.cab

    Go into Safe Mode and delete the EXE files listed in the O4s that I posted.

    Delete the ISTSVC folder.

    Reboot, then install SpywareBlaster to prevent any further attacks. Then install Spybot S&D and Lavasoft Ad-Aware (all at www.majorgeeks.com, under Spyware on the left). Use those to detect any spyware that is on the system.
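The triage Couriant did by eye on the O2/O4/O16 lines, written out as an added example (it is not part of the original thread and not HijackThis code): a Python script that applies the rules of thumb a log reader uses, namely bare file names with no folder, executables dropped straight into C:\ or C:\WINDOWS, random-looking names, garbage bytes in a Run value name, the Windows 9x-era RunServices key, a BHO with no display name, and ActiveX packages fetched from hosts outside an allowlist. SAMPLE_LOG is a constructed subset of the log posted above with legitimate and rogue entries mixed; the ActiveX host allowlist and the thresholds inside looks_random are assumptions, not anything the thread states.

```python
"""Heuristic triage of HijackThis log lines: O2 (BHOs), O4 (Run keys), O16 (DPF).

Added example for this thread; not HijackThis code and not a tool the advisors used.
SAMPLE_LOG is copied from the log posted above so the script runs offline. The rules
are an assumption about what an experienced reader checks by eye, and the allowlist
of ActiveX hosts is a placeholder.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section name target reasons")

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\(?P<key>\w+): \[(?P<name>.*)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")

TRUSTED_DPF_HOSTS = {"microsoft.com", "windowsupdate.com", "java.com"}  # assumed allowlist
INVALID_FILENAME_CHARS = set('<>:"/\\|?*')

# Constructed sample: lines taken from the posted log, legitimate and rogue mixed.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {905F2427-C396-E219-B89D-B6FEDB870DC6} - C:\WINDOWS\system32\izmghrq.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [WINDOWS SYSTEM] beta.exe
O4 - HKLM\..\Run: [REGRUN] C:\xx.exe
O4 - HKLM\..\Run: [MvFE] C:\WINDOWS\byxkqhbc.exe
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [Á³# *L"h'þ9Ӝð3rÅWC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\byxkqhbc.exe
O4 - HKLM\..\Run: [3u85ft1t] C:\WINDOWS\system32\3u85ft1t.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\RunServices: [WINDOWS SYSTEM] beta.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Cpnta] C:\WINDOWS\system32\j?vaw.exe
O4 - HKCU\..\Run: [Sen] C:\Program Files\bama\tlii.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccess/ie/bridge-c5.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_mp3x.cab
"""


def executable_from_command(cmd):
    """Path of the executable in a Run value, minus surrounding quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return re.split(r"\s+(?=[/-])", cmd, maxsplit=1)[0]  # cut at " /arg" or " -arg"


def looks_random(stem):
    """Digit/letter jumbles (3u85ft1t) or long consonant runs (byxkqhbc) read as random.
    Vendor abbreviations such as mcvsshld trip this too, so treat hits as a work list."""
    s = stem.lower()
    if len(s) < 6:
        return False
    if re.fullmatch(r"[a-z0-9]+", s) and re.search(r"\d", s) and re.search(r"[a-z]", s):
        if sum(a.isdigit() != b.isdigit() for a, b in zip(s, s[1:])) >= 3:
            return True
    return max((len(r) for r in re.findall(r"[^aeiouy0-9]+", s)), default=0) >= 5


def file_reasons(path):
    """Checks on the file a line points at (shared by O2 and O4)."""
    reasons = []
    directory, _, basename = path.rpartition("\\")
    if not directory:
        reasons.append("bare file name: located via the search path, not an explicit folder")
    elif re.fullmatch(r"[a-z]:(\\windows)?", directory.lower()):
        reasons.append("executable sits directly in the drive root or the Windows folder")
    if any(c in INVALID_FILENAME_CHARS or ord(c) > 126 for c in basename):
        # the posted j?vaw.exe: a character invalid in Windows names, or one HJT could not render
        reasons.append("file name contains an invalid or unrenderable character")
    elif looks_random(basename.rsplit(".", 1)[0]):
        reasons.append("random-looking file name")
    return reasons


def triage_o4(key, name, cmd):
    path = executable_from_command(cmd)
    reasons = file_reasons(path)
    if key.lower() == "runservices":
        reasons.append("RunServices is a Windows 9x/ME key that XP does not process; normal XP software does not write it")
    if any(not 32 <= ord(c) <= 126 for c in name):
        reasons.append("non-printable or non-ASCII bytes in the value name")
    in_system_dir = re.search(r"\\(windows\\system32|program files|progra~1)\\", path.lower())
    if re.match(r"(windows|microsoft|system)\b", name, re.I) and not in_system_dir:
        reasons.append("value name impersonates Windows but the file is outside a system folder")
    return Finding("O4", name, path, reasons)


def triage_o2(name, path):
    reasons = file_reasons(path)
    if name == "(no name)":
        reasons.append("BHO registered without a display name")
    return Finding("O2", name, path, reasons)


def triage_o16(name, url):
    host = re.sub(r"^https?://([^/]+).*$", r"\1", url).lower()
    trusted = any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS)
    return Finding("O16", name or "(no name)", url,
                   [] if trusted else ["ActiveX package fetched from a host outside the allowlist"])


def triage(log_text):
    """One Finding per O2/O4/O16 line; an empty reasons list means nothing looked off."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := O4_RE.match(line):
            findings.append(triage_o4(m["key"], m["name"], m["cmd"]))
        elif m := O2_RE.match(line):
            findings.append(triage_o2(m["name"], m["path"]))
        elif m := O16_RE.match(line):
            findings.append(triage_o16(m["name"], m["url"]))
    return findings


def suspicious_targets(log_text):
    """Distinct files/URLs that collected at least one reason."""
    return {f.target for f in triage(log_text) if f.reasons}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        if f.reasons:
            print(f"{f.section} [{f.name}] {f.target}\n    " + "\n    ".join(f.reasons))
```

Run against the sample, the script flags the same files Couriant listed (beta.exe, xx.exe, byxkqhbc.exe, msxct.exe, 3u85ft1t.exe, j?vaw.exe, izmghrq.dll, istsvc.exe and the two .cab downloads) while leaving hkcmd.exe, DVDLauncher.exe, DSAgnt.exe and the Acrobat BHO clean. Two results show the limits of rules like these: McAfee's mcvsshld.exe is flagged on the name heuristic alone (a vendor abbreviation, so a path under Program Files is the cue to check it rather than delete it), and C:\Program Files\bama\tlii.exe scores nothing at all, so that one was caught by the advisor's experience, not by anything a name or path test can see. The output is a work list for a human, not a delete list.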
     
  5. Cheeseball81, Retired Moderator (joined Mar 3, 2004; 84,315 messages)
    For ISTsvc, I'd also recommend running this removal tool:
    http://securityresponse.symantec.co...er/FxIstbar.exe

    The date and time displayed will be adjusted to your time zone, if your computer is not set to the Pacific time zone.
    The removal tool may terminate Internet Explorer and Windows Explorer.
    It is recommended that users save their work and log out of these programs before running the removal tool.
    The removal tool will not delete some harmless Temporary Internet files, which Adware.Istbar created, in C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files.
    These can be manually deleted using the following steps:
    Start Internet Explorer.
    Click Tools > Internet Options.
    In the Temporary Internet Files section, click the Delete Files button.
    Check Delete all offline content, and then click OK.
    The Removal tool will not reset any changes made to settings in Internet Explorer.
    To restore default settings in Internet Explorer it is necessary to perform the following actions:
    a. Click Start > Settings > Control Panel
    b. Select Internet Options
    c. Select the Programs tab
    d. Click Reset Web Settings
    e. Click OK
    f. Exit Control Panel
     
  6. robin payne (Thread Starter; joined Jun 21, 2005; 3 messages)
    Thanks, I solved all the problems from that HJT log, although whilst running Ad-Aware, McAfee VirusScan decided to pop up and delete HijackThis! However, I should hopefully be able to avoid needing HJT again for now. :)
     
  7. Couriant, Trusted Advisor (James; joined Mar 26, 2002; 32,323 messages)
    (y)

    Don't forget to mark this as solved by going to Thread Tools at the top and clicking Mark as Solved.
     
Short URL to this thread: https://techguy.org/373809
