  1. #1 grimm003 (Join Date: Jul 2004; Location: SIU)

    Can someone check this out?

    I just ran Ad-Aware and found 388 new items on my sister's computer, and then 19 with Spybot after that. Here's a HijackThis log; can anyone spot anything else that needs to be deleted? Thanks for any help.

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\AIM\aim.exe
    C:\Program Files\Spybot\TeaTimer.exe
    C:\Program Files\MP3Downloading\bindata.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
    C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Ad Aware\hijackthis\HijackThis.exe


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
    O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot\SDHelper.dll
    O2 - BHO: Replace Search Ctl - {832BEBED-C3DA-4534-A2C2-B2FFF220C820} - C:\WINDOWS\System32\replaceSearch.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
    O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
    O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" /s
    O4 - HKLM\..\Run: [nhdrnqunglkc] C:\WINDOWS\System32\nbfrul.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [SYSsfit] C:\WINDOWS\SYSsfit.exe
    O4 - HKCU\..\Run: [JavaUpdate0.07] C:\WINDOWS\System32\zzlwuwt.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot\TeaTimer.exe
    O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe
    O4 - HKCU\..\Run: [DR_S] C:\Program Files\DR_S\DR_S.exe
    O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\MP3Downloading\bindata.exe" -tray
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_fi...271ab95b94951b
    O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - http://www.priv.mlsni.xmlsweb.com/XM...h/XMLCache.CAB
    O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://mlsni.mlxchange.com/Control/M...ctComboBox.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti...l_v1-0-3-9.cab
    O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://mlsni.mlxchange.com/Control/MLXClientUtils.cab
    O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://mlsni.mlxchange.com/Control/IRCSharc.cab
    O16 - DPF: {A27AD582-5BE5-4C2D-82F0-48B24FE02040} - http://www.adshooter.com/pop_shooter...0/SYSsfitb.cab
    O16 - DPF: {B8E71371-F7F7-11D2-A2CE-0060B0FB9D0D} (CDToolCtrl Class) - http://free.aol.com/tryaolfree/cdt175/aolcdt175.cab
    Last edited by grimm003; 11-23-04 at 04:28 PM.
    Motherboard ASUS P5Q Deluxe
    CPU E8400
    RAM Mushkin DDR2-1000 2x2GB
    Video Sapphire HD4870 512MB
    Case Lian-Li A-7010
    Res MCR320-QP
    CPU Block GTZ
    Video Block MCW60-R2
    Pump MCP355

    There are 10 kinds of people in the world.
    Those that understand binary, and those that don't.
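A log like the one above is read section by section, and a few of the checks are mechanical enough to script. The following Python is an added example, not code from the original post and not part of HijackThis itself. It applies four heuristics an analyst would apply by hand to a log in this format: an F2 UserInit value that is anything other than userinit.exe (a logon hijack location), O2/O3/O9 registrations whose file is gone, O4 Run entries that execute straight out of the Windows or System32 directory or carry random-looking names, and O16 ActiveX downloads registered without a friendly name. The sample lines are copied from the first post; the directory list, the consonant-run threshold and the ctfmon.exe allowlist are assumptions chosen for this example, not rules HijackThis enforces.

```python
"""Triage heuristics for a HijackThis-format log (added example, not HijackThis code)."""
import re
from dataclasses import dataclass
from typing import List

# Sample lines copied from the log in the first post (subset; the O16 URL is
# shown truncated exactly as the forum rendered it).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Replace Search Ctl - {832BEBED-C3DA-4534-A2C2-B2FFF220C820} - C:\WINDOWS\System32\replaceSearch.dll
O4 - HKLM\..\Run: [nhdrnqunglkc] C:\WINDOWS\System32\nbfrul.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKCU\..\Run: [JavaUpdate0.07] C:\WINDOWS\System32\zzlwuwt.exe
O4 - HKCU\..\Run: [SYSsfit] C:\WINDOWS\SYSsfit.exe
O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\MP3Downloading\bindata.exe" -tray
O16 - DPF: {A27AD582-5BE5-4C2D-82F0-48B24FE02040} - http://www.adshooter.com/pop_shooter...0/SYSsfitb.cab
O16 - DPF: {B8E71371-F7F7-11D2-A2CE-0060B0FB9D0D} (CDToolCtrl Class) - http://free.aol.com/tryaolfree/cdt175/aolcdt175.cab
"""


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O4"
    line: str      # the log line as given
    reason: str    # why it was flagged


# Assumption: legitimate software registers Run entries from Program Files;
# an EXE launched directly from the Windows or System32 directory deserves a look.
WINDOWS_DIRS = (r"c:\windows", r"c:\windows\system32")
# Assumed allowlist of Run entries that legitimately live in System32.
SYSTEM32_RUN_OK = {"ctfmon.exe"}

RE_F2 = re.compile(r"^F2 - REG:system\.ini: UserInit=(.+?),?\s*$", re.I)
RE_O4 = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
RE_EXE = re.compile(r'^"?(.+?\.exe)"?', re.I)   # path up to the first .exe, quoted or not
RE_O16 = re.compile(r"^O16 - DPF: \{[0-9A-F-]+\}(?: \(([^)]*)\))? - (\S+)$", re.I)


def consonant_run(name: str) -> int:
    """Longest run of consonants in a name (y counted as a consonant)."""
    best = cur = 0
    for ch in name.lower():
        if ch.isalpha() and ch not in "aeiou":
            cur += 1
            best = max(best, cur)
        else:
            cur = 0
    return best


def looks_random(name: str) -> bool:
    """Assumed threshold: five consonants in a row is rare in real product names."""
    return consonant_run(name) >= 5


def triage(log: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RE_F2.match(line)
        if m:
            value = m.group(1).strip()
            if not value.lower().endswith("userinit.exe"):
                findings.append(Finding("F2", line,
                    f"UserInit points at {value!r} instead of userinit.exe (logon hijack location)"))
            continue
        if line.startswith(("O2 -", "O3 -", "O9 -")) and ("(no file)" in line or "(file missing)" in line):
            findings.append(Finding(line[:2], line, "orphaned registration; backing file is absent"))
            continue
        m = RE_O4.match(line)
        if m:
            _hive, name, cmd = m.groups()
            mexe = RE_EXE.match(cmd)
            if not mexe:
                continue
            exe = mexe.group(1)
            directory, _, base = exe.rpartition("\\")
            reasons = []
            if directory.lower() in WINDOWS_DIRS and base.lower() not in SYSTEM32_RUN_OK:
                reasons.append(f"Run entry executes {base} straight from {directory}")
            if looks_random(base.rsplit(".", 1)[0]) or looks_random(name):
                reasons.append("random-looking name")
            if reasons:
                findings.append(Finding("O4", line, "; ".join(reasons)))
            continue
        m = RE_O16.match(line)
        if m:
            friendly, url = m.groups()
            if not friendly:
                host = re.sub(r"^https?://", "", url).split("/")[0]
                findings.append(Finding("O16", line,
                    f"ActiveX control from {host} registered without a friendly name"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the sample it flags six lines: the UserInit hijack, the orphaned BHO, the three Run entries under C:\WINDOWS, and the unnamed adshooter.com control. Note what it does not catch: the "Replace Search Ctl" BHO in System32 has a name and a file, so no rule above fires on it. These heuristics prioritise what to look at first; they do not replace reading the whole log, and a hit is a reason to look up the file, not a verdict on its own.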

  2. #2 loks (Join Date: Jun 2004; Location: The M-I-A)
    Why don't you do the following: go to Start > Run > msconfig > Startup and uncheck all the boxes. Reboot your machine. Then run your ad-removing software and, if it finds any processes that are unusual, remove them. Another great thing would be rebooting in Safe Mode and running your spyware-removing software. That will help.

  3. #3 grimm003 (Join Date: Jul 2004; Location: SIU)
    OK, I will try in Safe Mode.

  4. #4 grimm003 (Join Date: Jul 2004; Location: SIU)
    OK, I just ran Spybot and Ad-Aware in Safe Mode, and they found more problems. Now I am back in normal mode and Spybot is still finding DoubleClick and DSO Exploit. Ad-Aware found:
    References detected during the scan:

    AdShooter(TAC index:6):1 total references
    BargainBuddy(TAC index:8):3 total references
    BlazeFind(TAC index:5):4 total references
    ImIServer IEPlugin(TAC index:5):1 total references
    MRU List(TAC index:0):29 total references
    ReplaceSearch.BHO(TAC index:5):1 total references
    Tracking Cookie(TAC index:3):2 total references
    WhenU(TAC index:10):2 total references
    WinAD(TAC index:7):1 total references
    VX2(TAC index:10):4 total references

    It seems these won't go away, even when deleted in safe mode, any ideas?

  5. #5 hkgonra (Join Date: Aug 2001; Location: West TN.)
    If it was a system in my house I would format it. Then I would load good spyware and anti-virus programs before she gets on it again. Hopefully that will help.
    "I am for doing good to the poor, but...I think the best way of doing good to the poor, is not making them easy in poverty, but leading or driving them out of it. I observed...that the more public provisions were made for the poor, the less they provided for themselves, and of course became poorer. And, on the contrary, the less was done for them, the more they did for themselves, and became richer."
    -- Benjamin Franklin


  6. #6 loks (Join Date: Jun 2004; Location: The M-I-A)
    I agree. Format. Fresh install. SP1. SP2. Spy Sweeper and your everyday useful proggies. Don't click on any window that says you're a winner. AND DON'T DOWNLOAD ANYTHING YOU DON'T NEED. If you need something, ask here first!!!!

  7. #7 (member since Feb 2001; Location: Iowa)
    I have yet to come across a malware infection I couldn't fix; however, as said earlier, it may be less work, and it would certainly perform better in the end, if you did a reformat/reinstall.

    If you haven't already read through the stickies on spyware removal be sure to:

    http://www.ocforums.com/showthread.php?t=307720
    http://www.ocforums.com/showthread.php?t=319615

    If, after following those two stickies to the T, you still have problems, please post a fresh HijackThis log.
    Intel i7-2600k
    ASUS P8P67 Pro
    G.SKILL Ripjaws-X 8GB DDR3
    Sapphire HD 7970 OC
    Corsair HX750 750w
    OCZ Agility 2 120GB SSD
    Cooler Master CM 690 II
    Logitech G710+ & G9x
    Dell U2713HM
