New User? Need help? Click here to register for free! Registering removes the advertisements.

Computer Cops
image image image image image image image image
Donations
If you found this site helpful, please donate to help keep it online
Don't want to use PayPal? Try our physical address
image
Prime Choice
· Head Lines
· Advisories (All)
· Dnld of the Week!
· CCSP News Ltrs
· Find a Cure!

· Ian T's (AR 23)
· Marcia's (CO8)
· Bill G's (CO11)
· Paul's (AR 5)
· Robin's (AR 2)

· Ian T's Archive
· Marcia's Archive
· Bill G's Archive
· Paul's Archive
· Robin's Archive
image
Security Central
· Home
· Wireless
· Bookmarks
· CLSID
· Columbia
· Community
· Downloads
· Encyclopedia
· Feedback (send)
· Forums
· Gallery
· Giveaways
· HijackThis
· Journal
· Members List
· My Downloads
· PremChat
· Premium
· Private Messages
· Proxomitron
· Quizz
· RegChat
· Reviews
· Google Search
· Sections
· Software
· Statistics
· Stories Archive
· Submit News
· Surveys
· Top
· Topics
· Web Links
· Your Account
image
CCSP Toolkit
· Email Virus Scan
· UDP Port Scanner
· TCP Port Scanner
· Trojan TCP Scan
· Reveal Your IP
· Algorithms
· Whois
· nmap port scanner
· IPs Banned [?]
image
Survey
How much can you give to keep Computer Cops online?

$10 up to $25 per year?
$25 up to $50 per year?
$10 up to $25 per month?
$25 up to $50 per month?
More than $50 per year?
More than $50 per month?
One time only?
Other (please comment)



Results
Polls

Votes: 1010
Comments: 21
image
Translate
English German French
Italian Portuguese Spanish
Chinese Greek Russian
image
 Forum FAQForum FAQ   SearchSearch   UsergroupsUsergroups   ProfileProfile   Login to check your private messagesLogin to check your private messages   LoginLogin 

Need Help with Hijacker log. got rid of stuff, comes back
Goto page 1, 2  Next
 
Post new topic   Reply to topic       Computer Cops Forum Index -> Hijackthis - Spyware, Viruses, Worms, Trojans Oh My!
View previous topic :: View next topic  
Author Message
tech096

Trooper
Trooper



Joined: May 11, 2004
Posts: 12
Location: USA

PostPosted: Tue May 11, 2004 9:45 pm    Post subject: Need Help with Hijacker log. got rid of stuff, comes back
Reply with quote

Logfile of HijackThis v1.97.7
Scan saved at 9:44:27 PM, on 5/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Trend Micro\PC-cillin 2003\PccPfw.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Documents and Settings\Kris Holmes\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50032
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://campus.fsu.edu/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://fsu.proxy.fcla.edu:80
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004...scan53.cab

this is log after 1st clean out, there is still stuff there that is popping up zesty find. etc....... Trying to fix friends pc. have been cleaning it up all day long, this is all that I can find that I cant remve. Have ran pc-cillin house call. adaware 6. cws shredder, hijacker. etc etc but I cant get it all Please help[/b]
Back to top
View users profile Send private message
illukka

1st Responder
1st Responder
Premium Member
Premium Member


Joined: Feb 27, 2004
Posts: 702
Location: Finland

PostPosted: Wed May 12, 2004 4:47 am    Post subject:
Reply with quote

first uninstall wintools from add/remove programs, then reboot and delete [WinTools] C:\Program Files\Common files\WinTools entire folder

close all windows except hijackthis, tick the boxes next to these lines and click FIX

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50032
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe


post a fresh log when done
Back to top
View users profile Send private message
tech096

Trooper
Trooper



Joined: May 11, 2004
Posts: 12
Location: USA

PostPosted: Wed May 12, 2004 7:01 pm    Post subject:
Reply with quote

Logfile of HijackThis v1.97.7
Scan saved at 7:01:26 PM, on 5/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
C:\Program Files\Winamp2\winampa.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Trend Micro\PC-cillin 2003\PccPfw.exe
C:\Documents and Settings\Kris Holmes\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://fsu.proxy.fcla.edu:80
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp2\winampa.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004...scan53.cab
Back to top
View users profile Send private message
illukka

1st Responder
1st Responder
Premium Member
Premium Member


Joined: Feb 27, 2004
Posts: 702
Location: Finland

PostPosted: Thu May 13, 2004 4:35 am    Post subject:
Reply with quote

on second view this caught my eye:
C:\WINDOWS\System32\atiptaxx.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe

on most of the logs i've seen its loacated at program files,
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

can you scan that file C:\WINDOWS\System32\atiptaxx.exe
with kav online scanner
http://www.kaspersky.com/remoteviruschk.html
Back to top
View users profile Send private message
tech096

Trooper
Trooper



Joined: May 11, 2004
Posts: 12
Location: USA

PostPosted: Thu May 13, 2004 5:49 pm    Post subject:
Reply with quote

Very Happy Thanks, I ran that file, it said it was clear. I have not gotten any other searchbars/engines...etc Looks like your advice did the trick! There were just a few things that I could not get rid of..
I appreciate it illukka
Back to top
View users profile Send private message
illukka

1st Responder
1st Responder
Premium Member
Premium Member


Joined: Feb 27, 2004
Posts: 702
Location: Finland

PostPosted: Fri May 14, 2004 8:13 am    Post subject:
Reply with quote

There were just a few things that I could not get rid of..

can you tell me which?
Back to top
View users profile Send private message
tech096

Trooper
Trooper



Joined: May 11, 2004
Posts: 12
Location: USA

PostPosted: Fri May 14, 2004 10:32 am    Post subject:
Reply with quote

Sorry about confusion.....I was working on this computer all day long before I posted, after I took your advice everything is all cleared up. I was just stating that what was left is what I was having problems with. It is clean now. I appreciate the help. Very Happy
Back to top
View users profile Send private message
illukka

1st Responder
1st Responder
Premium Member
Premium Member


Joined: Feb 27, 2004
Posts: 702
Location: Finland

PostPosted: Fri May 14, 2004 4:20 pm    Post subject:
Reply with quote

no problem
if you feel there is still something , post a fresh log Smile
Back to top
View users profile Send private message
tech096

Trooper
Trooper



Joined: May 11, 2004
Posts: 12
Location: USA

PostPosted: Fri May 14, 2004 4:38 pm    Post subject:
Reply with quote

http://65.61.157.153/AdServer/MemTurbo/Adm/ad.htm
64.4.10.250
65.61.157.153
http://69.20.62.53/yyy2.html
(69.20.62.53)-------> these keep popping up, at taskbar says loading and shuts browser window??? not sure what it is loading?? I came back today and there were 2 windows opened ip.

not sure what keeps causing it???

I know they are probally not harmful. but very annoying!

Here is fresh log
Logfile of HijackThis v1.97.7
Scan saved at 4:36:40 PM, on 5/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Trend Micro\PC-cillin 2003\PccPfw.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kris Holmes\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fsu.edu/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://fsu.proxy.fcla.edu:80
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004...scan53.cab
Back to top
View users profile Send private message
illukka

1st Responder
1st Responder
Premium Member
Premium Member


Joined: Feb 27, 2004
Posts: 702
Location: Finland

PostPosted: Sat May 15, 2004 2:36 am    Post subject:
Reply with quote

do you have ad aware and spybot installed?

ADAWARE

1. Download and install http://www.lavasoft.de/ Adaware (free edition)l. (Click on "Adaware" in the left-hand column near the top at their website to download the free edition.)

2. Go to Start > Programs > Lavasoft and click on AdAware 6 to open the program

3. Look at the icons on the top right of the page and click on the ‘world’ and let AdAware update the spyware reference list

4. Once the update is finished click on the ‘Gear’ icon (second from the left) to access the preferences/settings window

1. In the ‘General’ window make sure the following are selected:
· Automatically save log-file
· Automatically quarantine objects prior to removal
· Safe Mode (always request confirmation)

2. Click on the ‘Scanning’ button on the left and select :
· Scan Within Archives
· Scan Active Processes
· Scan Registry
· Deep Scan Registry
· Scan my IE favorites for banned URL’s
· Scan my Hosts file
· Under ‘Click here to select drives + folders’, choose:
· All of your hard drives

3. Click on the ‘Advanced’ button on the left and select:
· Include additional process information
· Include additional file information
· Include environment information
· Include additional object details

4. Click the ‘Tweak’ button and select:
· Under the ‘Scanning Engine’:
· Unload recognized processes during scanning
· Include basic Ad-aware settings in logfile
· Include additional Ad-aware settings in logfile
· Under the ‘Cleaning Engine’:
· Let Windows remove files in use at next reboot

5. Click on ‘Proceed’ to save the settings.

6. Click ‘Start’ and on the next screen choose ‘Activate in-depth Scan’ at the bottom of the page and then choose:
· Use Custom Scanning Options

7. Click ‘Next’ and AdAware will scan your hard drive(s) with the options you have selected.

8. Save the log file when it asks and then click ‘finish’

9. REBOOT
----------------------------------------------------------
SPYBOT SEARCH & DESTROY

1. Next, download and install http://www.safer-networking.org/index.php?page=download Spybot Search and Destroy

2. Go to Start > Programs >Spybot - Search & Destroy and choose ‘Spybot S&D - easy mode’

3. Close ALL windows except Spybot S&D

4. Click the button to ‘Search for Updates’ and download and install the Updates.

5. Next click the button ‘Check for Problems’

6. When Spybot is complete, it will be showing ‘RED’ entries ‘BLACK’ entries and ‘GREEN’ entries in the window

7. Put a check mark beside the RED entries ONLY.

8. Choose ‘Fix Selected Problems’ and allow Spybot to fix the RED entries.

9. REBOOT
Back to top
View users profile Send private message
illukka

1st Responder
1st Responder
Premium Member
Premium Member


Joined: Feb 27, 2004
Posts: 702
Location: Finland

PostPosted: Sat May 15, 2004 10:23 am    Post subject:
Reply with quote

i did a bit of consulting in your case:
www.misec.net
download the trial version of trojan hunter, install it. update following instructions here
http://www.misec.net/support/trojanhunter/updating/
then reboot, and fire up trojan hunter scanner and do a full scan.
post back any findings if you need info


then download this
http://www.staff.uiuc.edu/~ehowes/res/ie-spyad.zip and this http://www.mvps.org/winhelp2002/hosts.zip
ectract the hosts.zip to
C:\WINDOWS\SYSTEM32\DRIVERS\ETC


here is info on how to use the hosts file
http://accs-net.com/hosts/how_to_use_hosts.html

or
http://www.mvps.org/winhelp2002/hosts.htm
Back to top
View users profile Send private message
tech096

Trooper
Trooper



Joined: May 11, 2004
Posts: 12
Location: USA

PostPosted: Sun May 16, 2004 2:06 am    Post subject:
Reply with quote

Illuka, I really really appreciate all the time you are putting into this! I can not thank you enough!! and I am going to share the knowledge I have learned from you with others! I will not be able to work on problem again till next week. I am back in my home town.... but as soon as I get a chance to work on it again. I will update you on status.

Thanks again Very Happy
Back to top
View users profile Send private message
tech096

Trooper
Trooper



Joined: May 11, 2004
Posts: 12
Location: USA

PostPosted: Fri Jun 04, 2004 9:07 pm    Post subject:
Reply with quote

'bump'

Still having problems with adware, and I think there is a virus also. Thought all was fixed, and IE pages pop up automatically load then shut
http://c4c01.com/ad/1313/CD1267/&dp=0&l=0&p=0 This page was trying to load but I clicked stop.

Here is a new log

Logfile of HijackThis v1.97.7
Scan saved at 9:06:05 PM, on 6/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\ezula\mmod.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
C:\Program Files\Trend Micro\PC-cillin 2003\PccPfw.exe
C:\Program Files\Trend Micro\PC-cillin 2003\PCCMAIN.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kris Holmes\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://campus.fsu.edu/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://fsu.proxy.fcla.edu:80
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004...scan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C...7234606482
Back to top
View users profile Send private message
tech096

Trooper
Trooper



Joined: May 11, 2004
Posts: 12
Location: USA

PostPosted: Fri Jun 04, 2004 9:50 pm    Post subject:
Reply with quote

This is log after S&D and I have more problems
Logfile of HijackThis v1.97.7
Scan saved at 9:49:21 PM, on 6/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Trend Micro\PC-cillin 2003\PccPfw.exe
C:\Documents and Settings\Kris Holmes\Desktop\HijackThis.exe
C:\WINDOWS\TEMP\sta3.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearching.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = allaboutsearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearching.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearching.com/searchbar.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://fsu.proxy.fcla.edu:80
O2 - BHO: (no name) - {8AC3C586-191F-52AE-6F6D-1FF8D186560B} - C:\PROGRA~1\PLATFO~1\List Error.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Titletick32 - {CF0304AA-E73F-E0B7-CA51-9917CC8D5AB1} - C:\PROGRA~1\PLATFO~1\List Error.dll
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
O4 - HKLM\..\Run: [DUPE VGA] C:\PROGRA~1\SENDRO~1\Draw Open.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004...scan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C...7234606482
Back to top
View users profile Send private message
illukka

1st Responder
1st Responder
Premium Member
Premium Member


Joined: Feb 27, 2004
Posts: 702
Location: Finland

PostPosted: Sat Jun 05, 2004 3:42 am    Post subject:
Reply with quote

run adaware too(update first)

on the first log was this

O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
removed by spybot::


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearching.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = allaboutsearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearching.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearching.com/searchbar.html

these are lop.com, try their uninstallers first:
http://lop.com/new_uninstall.exe
http://lop.com/toolbar_uninstall.exe



fix these, but before fixing send both files below to

O2 - BHO: (no name) - {8AC3C586-191F-52AE-6F6D-1FF8D186560B} - C:\PROGRA~1\PLATFO~1\List Error.dll

O3 - Toolbar: Titletick32 - {CF0304AA-E73F-E0B7-CA51-9917CC8D5AB1} - C:\PROGRA~1\PLATFO~1\List Error.dll


could find NO info on that clsid> fix 'em
Back to top
View users profile Send private message
Display posts from previous:   
Post new topic   Reply to topic       Computer Cops Forum Index -> Hijackthis - Spyware, Viruses, Worms, Trojans Oh My! All times are GMT - 5 Hours
Goto page 1, 2  Next
Page 1 of 2

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB 2.0.8a © 2001 phpBB Group

Version 2.0.6 of PHP-Nuke Port by Tom Nitzschner © 2002 www.toms-home.com
Version 2.2 by Paul Laudanski © 2003-2004 Computer Cops