log results, NEED HELP!

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

infinitesun

Thread Starter
Joined
Oct 11, 2003
Messages
7
PLS help, my computer has gone awol. Problems started last week really when i came home and something called Power Scan had downloaded itself and several icons started appearing. I cleaned off the icons with ad-aware and using other posts removed up to 4 trojans from online scans.

here is the latest logfile, if anyone can translate this for me i'd be most greatful. What is this powerscan, and more importantly how can i get rid of it.

Logfile of HijackThis v1.97.3
Scan saved at 3:21:32 PM, on 10/13/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\tlntsvr.exe
C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
C:\WINDOWS\System32\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Encompass\EncMontr.exe
C:\WINDOWS\System32\Whta3ue6.exe
C:\WINDOWS\System32\IewYPb.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\ParaNeil\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.gump.net/search/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.clickyestoenter.net/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://drvvv.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://drvvv.com/jf-home.phtml
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
O1 - Hosts: 38.115.131.131 sk2.slsk.org
O1 - Hosts: 38.115.131.131 www.slsk.org
O1 - Hosts: 38.115.131.131 mail.slsk.org
O1 - Hosts: 38.115.131.131 server.slsk.org
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [3RY3AGS49AJHDC] C:\WINDOWS\System32\AthffaH.exe
O4 - HKLM\..\Run: [OrbitUpdate] C:\Program Files\Orbit\update.exe
O4 - HKLM\..\Run: [OrbitView] C:\Program Files\Orbit\view.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: InternetDirect Monitor.lnk = C:\Program Files\Encompass\EncMontr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: RealGuide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: Dell Home (HKCU)
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: Yahoo! Go - http://download.games.yahoo.com/games/clients/y/gt2_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {645D793B-33E2-4175-A7E1-BA490839358A} (DNL Control) - http://www.huntfly.com/media/MyFIDNL.ocx
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37806.5892824074
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/Z4/heartbeat.cab
O16 - DPF: {C7B05B62-C8D7-438C-840B-4994DAAA8EEE} - http://webpdp.gator.com/v3/download/pdpplugin5094_hd3ptdmgainads.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E6D5237D-A6C7-4C83-A67F-F9F15586FA62} (SBFullInst Control) - http://www.spyblast.com/download/SBFull.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio4025.cab
O16 - DPF: {F1A51F21-59DF-4486-BA31-5B816DA481EB} (FastSeekerToolbar Control) - http://www.fastseeker.com/toolbar/download/FastSeekerSetup.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CCB6F126-1E95-4631-8F54-091D15BDD29B}: Domain = speakeasy.net
 
Joined
Feb 19, 2003
Messages
8,812
Delete these

C:\Program Files\Encompass\EncMontr.exe
C:\WINDOWS\System32\Whta3ue6.exe
C:\WINDOWS\System32\IewYPb.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.gump.net/search/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.clickyestoenter.net/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://drvvv.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://drvvv.com/jf-home.phtml

O4 - HKLM\..\Run: [3RY3AGS49AJHDC] C:\WINDOWS\System32\AthffaH.exe
O4 - Startup: InternetDirect Monitor.lnk = C:\Program Files\Encompass\EncMontr.exe
O16 - DPF: {C7B05B62-C8D7-438C-840B-4994DAAA8EEE} - http://webpdp.gator.com/v3/download...ptdmgainads.cab

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yah.../yiebio4025.cab
O16 - DPF: {F1A51F21-59DF-4486-BA31-5B816DA481EB} (FastSeekerToolbar Control) - http://www.fastseeker.com/toolbar/d...SeekerSetup.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CCB6F126-1E95-4631-8F54-091D15BDD29B}: Domain = speakeasy.

Also, you seem to have a virus of some sort, you need to do a full virus scan with a good antivirus. It is impossible for me to tell what virus it is..
 

infinitesun

Thread Starter
Joined
Oct 11, 2003
Messages
7
deleted files, the pop-up attacks have ceased. I know have a problem where I am unable to install norton 2003. I get a "fatal error" when trying to install it. I had norton 2002 and have (or at least attempted) to remove it. is it possible that a something i haven't removed yet is crapping this out??

thanks for the help.

also, Whta3ue6.exe was the only file on process list.
 

infinitesun

Thread Starter
Joined
Oct 11, 2003
Messages
7
Logfile of HijackThis v1.97.3
Scan saved at 10:05:22 PM, on 10/13/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
C:\WINDOWS\System32\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Documents and Settings\ParaNeil\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
O1 - Hosts: 38.115.131.131 sk2.slsk.org
O1 - Hosts: 38.115.131.131 www.slsk.org
O1 - Hosts: 38.115.131.131 mail.slsk.org
O1 - Hosts: 38.115.131.131 server.slsk.org
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [OrbitUpdate] C:\Program Files\Orbit\update.exe
O4 - HKLM\..\Run: [OrbitView] C:\Program Files\Orbit\view.exe
O4 - HKLM\..\Run: [3RY3AGS49AJHDC] C:\WINDOWS\System32\PlsO0A55.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: RealGuide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: Dell Home (HKCU)
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: Yahoo! Go - http://download.games.yahoo.com/games/clients/y/gt2_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {645D793B-33E2-4175-A7E1-BA490839358A} (DNL Control) - http://www.huntfly.com/media/MyFIDNL.ocx
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37806.5892824074
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/Z4/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E6D5237D-A6C7-4C83-A67F-F9F15586FA62} (SBFullInst Control) - http://www.spyblast.com/download/SBFull.cab
 
Joined
Jul 26, 2002
Messages
46,331
Download TDS-3 from http://www.wilders.org/anti_trojans.htm
and update it following the instructions here:
http://tds.diamondcs.com.au/index.php?page=update

This is a trial version so you will have to do the update manually as the auto update only works with the registered version which costs $49.

Open TDS-3 and click on "System testing" then "full System Scan" and the scan will begin.


Run Hijack This again and put a check by these. Close all browser windows and "Fix checked"

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

O1 - Hosts: 38.115.131.131 sk2.slsk.org
O1 - Hosts: 38.115.131.131 www.slsk.org
O1 - Hosts: 38.115.131.131 mail.slsk.org
O1 - Hosts: 38.115.131.131 server.slsk.org

O4 - HKLM\..\Run: [OrbitUpdate] C:\Program Files\Orbit\update.exe

O4 - HKLM\..\Run: [OrbitView] C:\Program Files\Orbit\view.exe

O4 - HKLM\..\Run: [3RY3AGS49AJHDC] C:\WINDOWS\System32\PlsO0A55.exe

O16 - DPF: {645D793B-33E2-4175-A7E1-BA490839358A} (DNL Control) - http://www.huntfly.com/media/MyFIDNL.ocx

O16 - DPF: {E6D5237D-A6C7-4C83-A67F-F9F15586FA62} (SBFullInst Control) - http://www.spyblast.com/download/SBFull.cab

Restart your computer and delete:

The C:\Program Files\Orbit folder
 

infinitesun

Thread Starter
Joined
Oct 11, 2003
Messages
7
running clean so far, the trojan has appeared to have stopped downloading itself and the pop-up attacks have ceased.

Thanks!!!!!!!!!!!!!
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Top