MyTechSupport.ca :: Your Computer Technical Resource Headquarters!
Author Topic: HiJack This Log Help Please  (Read 1910 times)
Indentured Lackey
Jr. Member
« on: June 16, 2004, 08:07:32 PM »

Hello All,

I'm trying to get some junk off of a Dell desktop running Win XP Pro. It's locking up/running slow and getting frequent popups. I've tried a few programs and they've helped some but not completely. There's some stuff in this log that I think I can get rid of, but some that I'm not sure about.

All help appreciated.

Logfile of HijackThis v1.97.7
Scan saved at 2:45:23 PM, on 6/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\WINDOWS\System32\puypqz.exe
C:\documents and settings\trm210\local settings\temp\XMUK4EFo3.exe
C:\documents and settings\trm210\local settings\temp\XMUK4EFo3.exe
C:\WINDOWS\system32\pcs\pcsvc.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\dp-him.exe
C:\WINDOWS\System32\destes40.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\dgnorsvc.exe
C:\WINDOWS\System32\PikPWfDx.exe
C:\WINDOWS\System32\DrcG.exe
F:\Gails email\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.livingstonitown.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.fnblivingston.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dell.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {00A0A40C-F432-4C59-BA11-B25D142C7AB7} - C:\WINDOWS\System32\mskceo.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINDOWS\System32\mskhhe.dll
O2 - BHO: (no name) - {0B90AA1B-F649-44C3-9FD3-736C332CBBCF} - C:\WINDOWS\System32\IEEnhancer.dll
O2 - BHO: (no name) - {0BA1C6EB-D062-4E37-9DB5-B07743276324} - C:\WINDOWS\System32\msglji.gif
O2 - BHO: (no name) - {25F7FA20-3FC3-11D7-B487-00D05990014C} - C:\WINDOWS\System32\mseggo.gif
O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\System32\stlbdist.DLL
O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~2.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O2 - BHO: (no name) - {94927A13-4AAA-476A-989D-392456427688} - C:\WINDOWS\System32\msjfbl.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O2 - BHO: (no name) - {CC916B4B-BE44-4026-A19D-8C74BBD23361} - C:\WINDOWS\System32\msedah.dll
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\System32\msnkmi.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbdist.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [CNISFPDN] C:\WINDOWS\CNISFPDN.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [vwqwxfbzi] C:\WINDOWS\System32\puypqz.exe
O4 - HKLM\..\Run: [XMUK4EFo3] C:\documents and settings\trm210\local settings\temp\XMUK4EFo3.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\EgneGdW1.exe
O4 - HKLM\..\Run: [XMUK4EFo3.exe] C:\documents and settings\trm210\local settings\temp\XMUK4EFo3.exe
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [o3FW3ne] destes40.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msgked.exe
O4 - HKCU\..\Run: [Z0w6RhK2W] dgnorsvc.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Global Startup: Shortcut to logon.lnk = C:\logon.bat
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fnb.local
O17 - HKLM\Software\..\Telephony: DomainName = fnb.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fnb.local




90% of being smart is knowing what you're dumb at.
benditup
Hero Member
« Reply #1 on: June 17, 2004, 05:19:22 AM »

You've got quite a bit in your log that needs cleaning up.
I see you have Spybot----Is it version 1.3?

Could you also download
Ad-Aware

Install it---CHECK FOR UPDATES
We'll run this later, but ensure you update.

Next, you have the Peper Trojan.
Could you download this uninstaller:
http://downloads.subratam.org/PeperFix.exe
Save it to the desktop---Close down ALL other windows but remain ONLINE.
Click on "Find and Fix". Reboot when prompted, or RESTART if not prompted.
Run it again after the RESTART to ensure removal.

Next, would you please open the updated Ad-Aware and set these options:
click the gear wheel at the top and check these options:

General> activate these: "Automatically save log-file" and "Automatically quarantine objects prior to removal"

Scanning > activate these: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned sites" and "Scan my Hosts file"

Tweaks > Scanning Engine> activate this: "Unload recognized processes during scanning."

Tweaks > Cleaning Engine: activate these: "Automatically try to unregister objects prior to deletion" and "Let Windows remove files in use after reboot."

Click "Proceed" to save your settings, then click "Start", make sure "Activate in-depth scan" is ticked green then scan your system. When the scan is finished, the screen will tell you if anything has been found, click "Next". The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?".

RESTART one more time and post back with a Fresh Hijackthis log

P.S. Before I go hunting this down
O4 - Global Startup: Shortcut to logon.lnk = C:\logon.bat

Is this a script that you wrote?

 
Indentured Lackey
Jr. Member
« Reply #2 on: June 21, 2004, 02:12:11 PM »

Hey, thanks for your help. The logon.bat is from me.

I found a post that you helped with for someone else and I followed some of the instructions from there. So between that help and running Ad-Aware already, I think I'm in good shape already.

I didn't know about the trojan though, so next time I get to that PC I'll make sure that it's gone. Why didn't the a/v software catch it? We use eTrust Antivirus from Computer Associates, and it's updated several times a day.

So, once I get the trojan removed I'll post a new log.

Thanks again,
just another lackey
benditup
Hero Member
« Reply #3 on: June 21, 2004, 04:01:49 PM »

Hi Lackey, could you please post a fresh HijackThis log in this thread with your reply? Thanks.

 
Indentured Lackey
Jr. Member
« Reply #4 on: June 29, 2004, 05:30:10 PM »

Benditup,
Here's an updated log. I think the .exe from the Peper Trojan was already deleted, but I removed the registry entry.

Still getting frequent popups, so I'm missing something.

Logfile of HijackThis v1.97.7
Scan saved at 12:26:39 PM, on 6/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\System32\puypqz.exe
C:\documents and settings\trm210\local settings\temp\XMUK4EFo3.exe
C:\documents and settings\trm210\local settings\temp\XMUK4EFo3.exe
C:\WINDOWS\System32\Adstartup.exe
C:\WINDOWS\System32\iphpagnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\naroice.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
F:\Gails email\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.livingstonitown.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.fnblivingston.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dell.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B90AA1B-F649-44C3-9FD3-736C332CBBCF} - C:\WINDOWS\System32\IEEnhancer.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [CNISFPDN] C:\WINDOWS\CNISFPDN.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [vwqwxfbzi] C:\WINDOWS\System32\puypqz.exe
O4 - HKLM\..\Run: [XMUK4EFo3] C:\documents and settings\trm210\local settings\temp\XMUK4EFo3.exe
O4 - HKLM\..\Run: [XMUK4EFo3.exe] C:\documents and settings\trm210\local settings\temp\XMUK4EFo3.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\Adstartup.exe
O4 - HKLM\..\Run: [o3FW3ne] iphpagnt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Z0w6RhK2W] naroice.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Global Startup: Shortcut to logon.lnk = C:\logon.bat
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fnb.local
O17 - HKLM\Software\..\Telephony: DomainName = fnb.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fnb.local

Thanks!

-"I have not failed.  I've just found 10,000 ways that won't work." Thomas Edison

Indentured Lackey
Jr. Member
« Reply #5 on: June 29, 2004, 06:01:44 PM »

Benditup,

What is malware?

Better use this log...
Logfile of HijackThis v1.97.7
Scan saved at 12:59:02 PM, on 6/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\WINDOWS\System32\puypqz.exe
C:\documents and settings\trm210\local settings\temp\XMUK4EFo3.exe
C:\documents and settings\trm210\local settings\temp\XMUK4EFo3.exe
C:\WINDOWS\System32\iphpagnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\naroice.exe
F:\Gails email\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.livingstonitown.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.fnblivingston.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dell.com/
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B90AA1B-F649-44C3-9FD3-736C332CBBCF} - C:\WINDOWS\System32\IEEnhancer.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [CNISFPDN] C:\WINDOWS\CNISFPDN.exe
O4 - HKLM\..\Run: [vwqwxfbzi] C:\WINDOWS\System32\puypqz.exe
O4 - HKLM\..\Run: [XMUK4EFo3] C:\documents and settings\trm210\local settings\temp\XMUK4EFo3.exe
O4 - HKLM\..\Run: [XMUK4EFo3.exe] C:\documents and settings\trm210\local settings\temp\XMUK4EFo3.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\Adstartup.exe
O4 - HKLM\..\Run: [o3FW3ne] iphpagnt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Z0w6RhK2W] naroice.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Global Startup: Shortcut to logon.lnk = C:\logon.bat
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fnb.local
O17 - HKLM\Software\..\Telephony: DomainName = fnb.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fnb.local

The logon.bat is from me.
benditup
Hero Member
« Reply #6 on: June 30, 2004, 09:42:56 PM »

Hi again Lackey,
What is Malware?
http://www.webopedia.com/TERM/M/malware.html

Speaking of Malware, can you set Windows to Show Hidden Files and Folders:
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Click Yes to confirm.
    * Click OK.

Navigate to these files and let me know what they are related to.
Do you know what they are?
Right click on them----Properties--Version
Or better yet, go to Kaspersky's
http://www.kaspersky.com/scanforvirus
Simply browse to the files and submit them.
They look bad---I will assume they are for now, unless you know otherwise.

C:\WINDOWS\CNISFPDN.exe <---this file
C:\WINDOWS\System32\puypqz.exe <---this file
C:\WINDOWS\System32\iphpagnt.exe <--this file
C:\WINDOWS\System32\naroice.exe <---this file

Assuming they are bad

Enter Task Manager----Hold down the CTRL+SHIFT keys and tap ESC
End Process on these files
puypqz.exe
XMUK4EFo3.exe
iphpagnt.exe
naroice.exe

Ensure that AD-Aware is totally updated---CHECK FOR UPDATES

Disconnect from the NET

Do another Scan with Hijackthis and put a check next to these entries and then FIX CHECKED when ALL other windows are closed

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)

O2 - BHO: (no name) - {0B90AA1B-F649-44C3-9FD3-736C332CBBCF} - C:\WINDOWS\System32\IEEnhancer.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll

O4 - HKLM\..\Run: [CNISFPDN] C:\WINDOWS\CNISFPDN.exe
O4 - HKLM\..\Run: [vwqwxfbzi] C:\WINDOWS\System32\puypqz.exe
O4 - HKLM\..\Run: [XMUK4EFo3] C:\documents and settings\trm210\local settings\temp\XMUK4EFo3.exe
O4 - HKLM\..\Run: [XMUK4EFo3.exe] C:\documents and settings\trm210\local settings\temp\XMUK4EFo3.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\Adstartup.exe
O4 - HKLM\..\Run: [o3FW3ne] iphpagnt.exe

O4 - HKCU\..\Run: [Z0w6RhK2W] naroice.exe

O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe

RESTART your Computer in SAFE MODE

Find and delete these files or folders if they exist

C:\WINDOWS\System32\IEEnhancer.dll <---this file
C:\WINDOWS\CNISFPDN.exe <---this file if unknown
C:\WINDOWS\System32\puypqz.exe <---this file if unknown
C:\WINDOWS\System32\dp-him.exe <---this file
C:\WINDOWS\System32\Adstartup.exe <---this  file
C:\WINDOWS\System32\naroice.exe <---this file if unknown
C:\WINDOWS\System32\iphpagnt.exe <--this file if unknown

C:\documents and settings\trm210\local settings\temp\XMUK4EFo3.exe
Delete the XMUK4EFo3.exe file, or delete the whole contents of the temp folder

C:\Program Files\TV Media <--this folder
C:\Program Files\SEP <---this folder

RESTART your computer in Normal Mode---Don't open a browser yet
instead do a Custom Scan with AD-Aware
Set these
click the gear wheel at the top and check these options:

General> activate these: "Automatically save log-file" and "Automatically quarantine objects prior to removal"

Scanning > activate these: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned sites" and "Scan my Hosts file"

Tweaks > Scanning Engine> activate this: "Unload recognized processes during scanning."

Tweaks > Cleaning Engine: activate these: "Automatically try to unregister objects prior to deletion" and "Let Windows remove files in use after reboot."

Click "Proceed" to save your settings, then click "Start", make sure "Activate in-depth scan" is ticked green then scan your system. When the scan is finished, the screen will tell you if anything has been found, click "Next". The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?".

RESTART your computer and then post back a fresh HijackThis log and
let me know how you're doing......
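
The triage rules applied by eye in this reply (autoruns and processes started from the temp folder, random-looking Run keys, orphaned entries pointing at no file, BHOs that are not DLLs, the about:blank SearchAssistant) can be expressed as a small checker over HijackThis 1.97 log lines. This is an added example, not code from the thread or from HijackThis; the embedded sample log is constructed from lines in this thread, and the rule names and the `looks_random` threshold are my own assumptions.

```python
import re

# Constructed sample: a few lines taken from the thread's own HijackThis logs
# plus known-good entries (NVIDIA, Adobe), so the rules can be run offline.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\documents and settings\trm210\local settings\temp\XMUK4EFo3.exe
C:\documents and settings\trm210\local settings\temp\XMUK4EFo3.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0BA1C6EB-D062-4E37-9DB5-B07743276324} - C:\WINDOWS\System32\msglji.gif
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [XMUK4EFo3] C:\documents and settings\trm210\local settings\temp\XMUK4EFo3.exe
O4 - HKLM\..\Run: [o3FW3ne] destes40.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
"""

O2_BHO = re.compile(r"^O2 - BHO: .*? - \S+ - (?P<file>.*)$")
R3_HOOK = re.compile(r"^R3 - URLSearchHook: .* - (?P<file>.*)$")
O4_RUN = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run(?:Once)?: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
TEMP_DIR = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)

def looks_random(name: str) -> bool:
    """Heuristic (my own threshold) for keys such as [XMUK4EFo3] or [vwqwxfbzi]:
    letters mixed with digits, or almost no vowels. It misses short names like
    dp-him, which is why the thread also sends unknown files to an online scanner."""
    letters = [c for c in name if c.isalpha()]
    if len(name) >= 6 and letters and any(c.isdigit() for c in name):
        return True
    return len(letters) >= 6 and sum(c in "aeiouAEIOU" for c in letters) / len(letters) < 0.2

def target_of(cmd: str) -> str:
    """Executable path named by an O4 command (unwraps rundll32, quotes, arguments)."""
    cmd = cmd.strip()
    if cmd.lower().startswith("rundll32.exe "):
        cmd = cmd[13:].split(",", 1)[0]
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"[A-Za-z]:\\.*?\.(?:exe|dll|bat|com)\b", cmd, re.IGNORECASE)
    return m.group(0) if m else cmd.split(" ", 1)[0]

def triage(log_text: str) -> list[tuple[str, str]]:
    """Apply the thread's triage rules to a HijackThis log; returns (rule, line) hits."""
    found: list[tuple[str, str]] = []
    seen: set[str] = set()
    in_procs = False
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            in_procs = False
        elif line == "Running processes:":
            in_procs = True
        elif in_procs:
            if line.lower() in seen:           # same binary started twice
                found.append(("duplicate-process", line))
            seen.add(line.lower())
            if TEMP_DIR.search(line):          # nothing legitimate runs out of %TEMP%
                found.append(("process-from-temp", line))
        elif re.match(r"^R1 - .*SearchAssistant = about:blank$", line):
            found.append(("search-assistant-hijacked", line))
        elif (m := R3_HOOK.match(line)) and m["file"] == "(no file)":
            found.append(("orphan-entry", line))
        elif m := O2_BHO.match(line):
            file = m["file"].removesuffix(" (file missing)")
            if file == "(no file)":
                found.append(("orphan-entry", line))
            elif not file.lower().endswith((".dll", ".ocx")):  # a ".gif" BHO is a disguise
                found.append(("bho-non-dll-extension", line))
            elif "\\windows\\" in file.lower():  # legitimate BHOs live under Program Files
                found.append(("bho-in-windows-dir", line))
        elif m := O4_RUN.match(line):
            target = target_of(m["cmd"])
            name = target.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            in_pf = re.search(r"\\(?:program files|progra~1)\\", target, re.IGNORECASE)
            if TEMP_DIR.search(target):
                found.append(("autorun-from-temp", line))
            elif not in_pf and (looks_random(m["key"]) or looks_random(name)):
                found.append(("random-autorun-name", line))
    return found
```

Known adware under Program Files (TV Media, SEP) is deliberately not flagged here: that takes signature knowledge, which is what the Kaspersky and HouseCall scans in this thread supply.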

Indentured Lackey
Jr. Member
« Reply #7 on: July 09, 2004, 08:56:21 PM »

Well let's try again,

Here's the latest log. I've got a real problem now though. The start bar is gone, network login is real slow, and one of the network based apps won't run. Right now I have no idea what the problem is. I can't run the system restore either.

Logfile of HijackThis v1.97.7
Scan saved at 3:52:28 PM, on 7/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\WINDOWS\system32\userinit.exe
F:\Gails email\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dell.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKCU\..\RunOnce: [eZstub] C:\ezstub.exe
O4 - Global Startup: Shortcut to logon.lnk = C:\logon.bat
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fnb.local
O17 - HKLM\Software\..\Telephony: DomainName = fnb.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fnb.local

Thanks.
benditup
Hero Member
« Reply #8 on: July 10, 2004, 06:18:37 AM »

Nothing we removed should give you those side effects.

Do another Scan with Hijackthis and put a check next to these entries and then FIX CHECKED when ALL other windows are closed

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - SOFTWARE - (no file)

O4 - HKCU\..\RunOnce: [eZstub] C:\ezstub.exe
Restart your computer and delete this file if found
C:\ezstub.exe <---this file

Post back a fresh hijackthis log
I'm curious about this entry
O4 - Global Startup: Shortcut to logon.lnk = C:\logon.bat

If you disable it, do your problems go away?

On another note, can you run an online virus scan at Housecall's
Set to Autoclean, delete what it can't fix if you can
http://housecall.trendmicro.com/
Indentured Lackey
Jr. Member
« Reply #9 on: July 20, 2004, 02:11:29 PM »

Well, it's finally fixed.

Last Monday I reloaded XP. I did the upgrade option so I didn't have to reinstall the apps, and it worked great!

Before I did that I followed your recommendation and ran the virus scan from Trend Micro. It found 3 trojans, sandbox.a, lowiq, and something like Iboco.a. I removed them, but still couldn't run one of the primary apps for this machine.

The info on these shows them to be non destructive, but it seems to me these may likely be the cause of my trouble. Do you know anything about these?