HJT

Question

Logfile of HijackThis v1.99.1 Scan saved at 9:00:32 PM, on 8/30/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: F:\WINDOWS\System32\smss.exe F:\WINDOWS\system32\winlogon.exe F:\WINDOWS\system32\services.exe F:\WINDOWS\system32\lsass.exe F:\WINDOWS\system32\svchost.exe F:\WINDOWS\System32\svchost.exe F:\Program Files\Common Files\Symantec Shared\ccProxy.exe F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe F:\WINDOWS\system32undll32.exe F:\Program Files\Norton Internet Security\ISSVC.exe F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe F:\WINDOWS\Explorer.EXE F:\WINDOWS\system32\LEXBCES.EXE F:\WINDOWS\system32\spoolsv.exe F:\Program Files\Norton Internet Security\Norton AntiVirus
avapsvc.exe F:\WINDOWS\system32\RioMSC.exe F:\WINDOWS\System32\svchost.exe F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe F:\Program Files\Common Files\Real\Update_OBealsched.exe C:\mt.exe F:\Program Files\Common Files\Symantec Shared\ccApp.exe F:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0803NetInstaller.exe F:\WINDOWS\system32\RUNDLL32.exe F:\Program Files\Internet Explorer\iexplore.exe f:\progra~1\intern~1\iexplore.exe F:\Program Files\Microsoft Office\Office\OSA.EXE F:\Documents and Settings\Pam\Desktop\WinsockXPFix.exe F:\WINDOWS\system32\yodiyyb.exe F:\Program Files\Mozilla Firefox\firefox.exe F:\WINDOWS\system32\RUNDLL32.EXE F:\WINDOWS\system32\cxtpls_loader.EXE F:\WINDOWS\system32\MTE2NzY6ODoxNg.EXE C:\HJT\HijackThis.exe F:\Program Files\Messenger\msmsgs.exe f:\progra~1\intern~1\iexplore.exe F2 - REG:system.ini: Shell=Explorer.exe F:\WINDOWS\Nail.exe O4 - HKLM\..\Run: [Tray Temperature] F:\DOCUME~1\Pam\LOCALS~1\Temp\MiniBug.exe 1 O4 - HKLM\..\Run: [PrinTray] F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe O4 - HKLM\..\Run: [Face joy 1 axis] F:\Documents and Settings\All Users\Application Data	rust heart face joyegs idol.exe O4 - HKLM\..\Run: [TkBellExe] 'F:\Program Files\Common Files\Real\Update_OBealsched.exe' -osboot O4 - HKLM\..\Run: [MMC] F:\WINDOWS\inisys.exe O4 - HKLM\..\Run: [Updater] C:\mt.exe O4 - HKLM\..\Run: [Symantec NetDriver Monitor] F:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [Picasa Media Detector] F:\Program Files\Picasa2\PicasaMediaDetector.exe O4 - HKLM\..\Run: [ccApp] 'F:\Program Files\Common Files\Symantec Shared\ccApp.exe' O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0803] 'F:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0803NetInstaller.exe' O4 - HKLM\..\Run: [System service63] F:\WINDOWS\etb\pokapoka63.exe O4 - HKLM\..\Run: [dnam] F:\WINDOWS\system32\d140113.a.Stub.EXE O4 - HKLM\..\Run: [winsync] F:\WINDOWS\system32\ssgssp.exe reg_run O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16 O4 - HKLM\..\Run: [version] F:\WINDOWS\system32\Lwwocp.exe O4 - HKLM\..\Run: [gqxdqdd] F:\WINDOWS\system32\yodiyyb.exe r O4 - HKCU\..\Run: [Settingspoll] F:\DOCUME~1\Pam\APPLIC~1\DRIVEN~1\Boldaim.exe O4 - Startup: Microsoft Find Fast.lnk = F:\Program Files\Microsoft Office\Office\FINDFAST.EXE O4 - Startup: Office Startup.lnk = F:\Program Files\Microsoft Office\Office\OSA.EXE O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Readereader_sl.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\j2re1.4.1_07\bin
pjpi141_07.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\j2re1.4.1_07\bin
pjpi141_07.dll O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - F:\WINDOWS\system32\wuauclt.dll O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - F:\WINDOWS\system32\wuauclt.dll O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - F:\Program Files\Hello\PicasaCapture.dll O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - F:\Program Files\Hello\PicasaCapture.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by103fd.bay103.hotmail.msn.com/activex/HMAtchmt.ocx O20 - Winlogon Notify: RunOnce - F:\WINDOWS\system32\crwmdm.dll O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccProxy.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: ISSvc (ISSVC) - Symantec Corporation - F:\Program Files\Norton Internet Security\ISSVC.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - F:\WINDOWS\system32\LEXBCES.EXE O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - F:\Program Files\Norton Internet Security\Norton AntiVirus
avapsvc.exe O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - F:\WINDOWS\system32\RioMSC.exe O23 - Service: SAVScan - Symantec Corporation - F:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: System Startup Service (SvcProc) - Unknown owner - F:\WINDOWS\svcproc.exe O23 - Service: Symantec Core LC - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

RKinner · Answer

Download the Hoster from:

http://www.funkytoad.com/

Unpack to your desktop and run it. If you have green print at the top then just press Restore Original Hosts then OK.
IF you have red print then press make Hosts Writeable first.

Get DelDomain.inf from:

http://www.mvps.org/winhelp2002/restricted.htm and then right click on it and Install.

Download the killbox:

http://www.downloads.subratam.org/killbox.exe
216.180.233.142

Where it says Full Path of File to Delete you need to type or copy (Hightlight and Ctrl + c) and Paste (move to the killbox and place the cursor in the box and Ctrl + V):

Also download and install ccleaner.exe from http://www.ccleaner.com. Don't let
it clean anything yet.

Start then right click on My Computer and press Manage. In the new window
Service and Applications then Services. In the right pane scroll down and find
the System Startup Service. Double click on it and and then set the Start Type
to Disabled. Then OK.

Get ABIRemover.zip from

http://forum.hijackthis.de/attachment.php?attachmentid=177

unpack(extract) it to your desktop but don't run it yet.

Shutdown and Restart and Boot into Safe Mode by tapping the F8 key when you see the PC
maker's logo.
Keep tapping until it tells you it is going to Safe Mode or you see the Safe
Mode menu. Select the top option.

Run HijackThis and just do a Scan only. Check then Fix
Checked the following:

F2 - REG:system.ini: Shell=Explorer.exe F:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [Tray Temperature] F:\DOCUME~1\Pam\LOCALS~1\Temp\MiniBug.exe 1
O4 - HKLM\..\Run: [Face joy 1 axis] F:\Documents and Settings\All Users\Application Data\trust heart face joy\regs idol.exe
O4 - HKLM\..\Run: [MMC] F:\WINDOWS\inisys.exe
O4 - HKLM\..\Run: [Updater] C:\mt.exe
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0803] "F:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0803NetInstaller.exe"
O4 - HKLM\..\Run: [System service63] F:\WINDOWS\etb\pokapoka63.exe
O4 - HKLM\..\Run: [dnam] F:\WINDOWS\system32\d140113.a.Stub.EXE
O4 - HKLM\..\Run: [winsync] F:\WINDOWS\system32\ssgssp.exe reg_run
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [version] F:\WINDOWS\system32\Lwwocp.exe
O4 - HKLM\..\Run: [gqxdqdd] F:\WINDOWS\system32\yodiyyb.exe r
O4 - HKCU\..\Run: [Settingspoll] F:\DOCUME~1\Pam\APPLIC~1\DRIVEN~1\Boldaim.exe
O20 - Winlogon Notify: RunOnce - F:\WINDOWS\system32\crwmdm.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - F:\WINDOWS\svcproc.exe

Run ccleaner.exe, uncheck everything on the first page except the two entries
with Temporary and then Run Cleaner.

run ABIRemover. Then reboot into Safe Mode again and run HijackThis.exe
and do a Scan and check (if it still shows up)

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - F:\WINDOWS\svcproc.exe
O4 - HKLM\..\Run: [gqxdqdd] F:\WINDOWS\system32\yodiyyb.exe r <==may change its name but look for the "r" by itself
then press Fix Checked.

Reboot into regular mode and install deldomain.inf and run hoster / Restore Default Hosts
just to make sure.

Run another HijackThis log and send it to me. Let's
see how we did.

Ron

Message Edited by RKinner on 08-31-2005 12:45 PM

Virus & Spyware

Was this post helpful?