Author Topic: HijackThis Logfile (Read 458 times)

Guest · « **on:** January 22, 2005, 10:31:07 AM »

It's been a few days by now that I've got a virus on my PC, such as Lefeat.1 or StartPage. Those seem to continuously reproduce themselves by renaming themselves and/or modifying their location repeatedly. In addition, I found the following four software programs that I never installed but which I can't delete either, not even in Safe Mode: Home Search Assistent, Search Extender, Shopping Wizard, and SimpleToolbar. Just so you know, I've got installed AntiVir/XP - Personal Edition (most recent version incl. current update) as well as the current version of Spybot - Search & Destroy 1.3, Ad-Aware SE Personal, and SpywareBlaster v3.2. Even though some stuff is usually always found and deleted, it seems that the critical, i.e. most damaging and severe files remain.

The virus becomes most evident whenever I open an online browser window, because then, I not only receive a advertising pop-up but also several warning questions from Spybot, asking me whether I'd allow or deny a change of a value, and of course, I always deny that. Even beforethen, AntiVir provides me with the first pop-up warning, asking me what should happen with the following affected file, i.e. whether I'd like to delete it or prohibit access to it, etc.:

C:\WINDOWS\SYSTEM32\CRYL.EXE
Is the Trojan Horse TR/Lefeat.1

However, the next time I open a browser window, I'm confronted with the following warning, which clearly demonstrates that the virus keeps renaming itself or adds itself to a different file, as before, that file was still named CRYL.EXE and now it's all of a sudden CRCB32.EXE:

C:\WINDOWS\SYSTEM32\CRCB32.EXE
Is the Trojan Horse TR/Lefeat.1

Below is the most recent log from HijackThis I just ran. I always delete all R entries as well as O15, but whenever I shut down the computer and restart it, everything's back again. Therefore, I'd very much appreciate your help and input on how I shall proceed here. Thanks a lot in advance!

Logfile of HijackThis v1.98.2
Scan saved at 15:03:38, on 22.01.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\COMPAQ\ACLIENT\ACLIENT.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\Programme\Compaq\Compaq Management Agents\cpqalert.exe
C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Programme\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Programme\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\System32\PROMon.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\WinPortrait\wpctrl.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\ArtecUSB\ScanPanel\ScnPanel.exe
C:\Programme\WinZip\WZQKPICK.EXE
C:\Programme\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Programme\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Programme\WinPortrait\floater.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fcpeq.dll/sp.html#52196
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fcpeq.dll/sp.html#52196
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\fcpeq.dll/sp.html#52196
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\yfemv.dll/sp.html#52196
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fcpeq.dll/sp.html#52196
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fcpeq.dll/sp.html#52196
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fcpeq.dll/sp.html#52196
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {61ACFD2D-92CF-C5C4-3EBB-7C236D3C5D81} - C:\WINDOWS\mszn32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Programme\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Smapp] C:\Programme\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [PivotSoftware] "C:\Programme\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Programme\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ScanPanel.lnk = C:\Programme\ArtecUSB\ScanPanel\ScnPanel.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by24fd.bay24.Email Removed.msn.com/resour...es/MsnPUpld.cab

guestolo · « **Reply #1 on:** January 22, 2005, 03:48:58 PM »

Can I please have you update your version of Hijackthis to Hijackthis 1.99
Open Hijackthis>>Config>>Misc tools>>Check for Updates online

If for some reason it won't update you can download the latest version from my Signature below
Save it to the C:\Programme\HijackThis folder, allowing it to overwrite your version if prompted

Do a SCAN and Save a Log file---Save the log----copy and paste the WHOLE contents of the log here... Don't try and fix anything yet----It is all important

Could you also Download ServiceFilter.zip
Unzip the contents to a folder
Double-click ServiceFilter.vbs, if you get a prompt from your Anti-Virus, Allow this to run, we are just collecting information
This script will create a text file named 'Post_This.txt' in the same folder as the script itself has been saved - copy and paste the contents of Post_This.txt in your next reply here.

Try not to RESTART your computer again after you have posted the logs
And please don't try any more fixes with Hijackthis, let me see it all, thanks

Guest · « **Reply #2 on:** January 22, 2005, 04:00:48 PM »

Thanks, guestolo, for your input. Here is the log I just got after running the new HijackThis version. Right below the HijackThis log, I'm going to post the content of the 'Post_This.txt' file. Please note that "Wahr" means "True" whereas "Falsch" means "False" and "Pause" means "Break" (anything else should be in English). I look forward to another reply. Thank you!

Logfile of HijackThis v1.99.0
Scan saved at 20:51:47, on 22.01.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\COMPAQ\ACLIENT\ACLIENT.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\Programme\Compaq\Compaq Management Agents\cpqalert.exe
C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Programme\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Programme\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\System32\PROMon.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\WinPortrait\wpctrl.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\ArtecUSB\ScanPanel\ScnPanel.exe
C:\Programme\WinZip\WZQKPICK.EXE
C:\Programme\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Programme\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Programme\WinPortrait\floater.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xomyf.dll/sp.html#52196
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xomyf.dll/sp.html#52196
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xomyf.dll/sp.html#52196
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xomyf.dll/sp.html#52196
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xomyf.dll/sp.html#52196
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xomyf.dll/sp.html#52196
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xomyf.dll/sp.html#52196
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {61ACFD2D-92CF-C5C4-3EBB-7C236D3C5D81} - C:\WINDOWS\mszn32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Programme\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Smapp] C:\Programme\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [PivotSoftware] "C:\Programme\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Programme\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ScanPanel.lnk = C:\Programme\ArtecUSB\ScanPanel\ScnPanel.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by24fd.bay24.Email Removed.msn.com/resour...es/MsnPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D9E56139-FF61-49A8-872C-FDD6C6BFAA6C}: NameServer = 213.191.74.18 213.191.92.87
O23 - Service: Altiris Client-Dienst - Altiris, Inc. - C:\COMPAQ\ACLIENT\ACLIENT.exe
O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: Compaq Local Alerter - Compaq Computer Corporation - C:\Programme\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent - Compaq Computer Corporation - C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Intel® NMS - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Win32Sl - Intel - C:\Programme\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\system32\d3vc32.exe (file missing)

The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Home Edition
Version: 5.1.2600 Service Pack 1
Jan 22, 2005 20:55:12

---> Begin Service Listing <---

Unknown Service # 1
Service Name: AClient
Display Name: Altiris Client-Dienst
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\compaq\aclient\aclient.exe -service
State: Running
Process ID: 1436
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service # 2
Service Name: AntiVirService
Display Name: AntiVir Service
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\programme\avpersonal\avguard.exe
State: Running
Process ID: 1476
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service # 3
Service Name: AVWUpSrv
Display Name: AntiVir Update
Start Mode: Auto
Start Name: LocalSystem
Description: Hilfsdienst fuer AntiVir Personal ...
Service Type: Own Process
Path: "c:\programme\avpersonal\avwupsrv.exe"
State: Running
Process ID: 1488
Started: Wahr
Exit Code: 0
Accept Pause: Wahr
Accept Stop: Wahr

Unknown Service # 4
Service Name: CPQALERT
Display Name: Compaq Local Alerter
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\programme\compaq\compaq management agents\cpqalert.exe
State: Running
Process ID: 1504
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service # 5
Service Name: CpqDfwWebAgent
Display Name: Compaq Remote Diagnostics Enabling Agent
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\windows\cpqdiag\cpqdfwag.exe
State: Running
Process ID: 1528
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service # 6
Service Name: cpqdmi
Display Name: cpqdmi
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\progra~1\compaq\compaq~1\cpqdmi.exe
State: Running
Process ID: 936
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service # 7
Service Name: cpqWebDmi
Display Name: Compaq DMI Web Agent
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\progra~1\compaq\compaq~1\cpqweb~1\webdmi.exe
State: Running
Process ID: 1540
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service #8
Service Name: iPodService
Display Name: iPod Service
Start Mode: Manual
Start Name: LocalSystem
Description: iPod hardware management ...
Service Type: Own Process
Path: c:\programme\ipod\bin\ipodservice.exe
State: Running
Process ID: 908
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service #9
Service Name: MDM
Display Name: Machine Debug Manager
Start Mode: Auto
Start Name: LocalSystem
Description: Manages local and remote debugging for Visual Studio ...
Service Type: Own Process
Path: "c:\programme\gemeinsame dateien\microsoft shared\vs7debug\mdm.exe"
State: Running
Process ID: 1576
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service # 10
Service Name: NMSSvc
Display Name: Intel® NMS
Start Mode: Auto
Start Name: LocalSystem
Description: Intel® NIC Management ...
Service Type: Own Process
Path: c:\windows\system32\nmssvc.exe
State: Running
Process ID: 1616
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service #11
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Verwaltet Software-basierte Schattenkopien des Volumeschattenkopie-Dienstes. Software-basierte ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{6a63995b-ff59-45be-ac97-3ba6f31078ff}
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service # 12
Service Name: WIN32SL
Display Name: Win32Sl
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\programme\compaq\compaq management agents\dmi\win32\bin\win32sl.exe
State: Running
Process ID: 1732
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service # 13
Service Name: %AFå¤¶À¨
Display Name: Network Security Service (NSS)
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Share Process
Path: c:\windows\system32\d3vc32.exe /s
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Falsch

---> End Service Listing <---

There are 86 Win32 services on this machine.
13 were unrecognized.

Script Execution Time: 0,875 seconds.

guestolo · « **Reply #3 on:** January 22, 2005, 06:09:35 PM »

Let's try and cleanup the leftovers

Open Ad-Aware and check for updates, download updates if any
Don't run a scan yet

Create a New folder on your Desktop, call it AboutBuster
Download to desktop ABOUT:BUSTER.zip
by RubbeR Ducky
Unzip it to that new folder===Open About:Buster and Check for Updates
Don't run a Scan yet

Download DelDomains.inf
http://www.mvps.org/winhelp2002/DelDomains.inf and save it to desktop
We'll need this later

Download and UNZIP to a folder Hoster by Toadbee
We'll need this later

Set Windows to Show Hidden Files and Folders

Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the Whole contents of the Quote box to notepad
In Notepad click FILE>>>SAVE AS

Important>>>Change the Save as Type to All Files.
Name the file as fix.reg
Save this file on the desktop, well need this later, don't run it yet

Quote

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA][-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

Print the rest of this out or save to a Notepad file on the desktop for easy access
Disconnect from the Internet

Spybot's Tea Timer is a great feature but can get in the way of any fixes we try in your log
Open Spybot>>Click on Mode at the top
Advanced mode>>Yes to the prompt
TOOLS>>RESIDENT
Uncheck only >>>Resident Tea Timer
Allow the change and then exit Spybot

RESTART your Computer in SAFE MODE

Go to START>>>RUN>>>type in services.msc and hit Enter
In the next window, look on the right hand side for this service
name---- Network Security Service <--look carefully, there are others that are similiar, but not exact name
Double click on it--- STOP the service--
In the drop down menu, change the startup type to Disabled

navigate to and delete these files or folders if they exist

C:\WINDOWS\mszn32.dll <--file

===Do another scan with Hijackthis and put a check next to these entries, not all might appear in safe mode, but check all that you can see

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xomyf.dll/sp.html#52196
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xomyf.dll/sp.html#52196
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xomyf.dll/sp.html#52196
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xomyf.dll/sp.html#52196
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xomyf.dll/sp.html#52196
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xomyf.dll/sp.html#52196
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xomyf.dll/sp.html#52196
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {61ACFD2D-92CF-C5C4-3EBB-7C236D3C5D81} - C:\WINDOWS\mszn32.dll

O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)

O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\system32\d3vc32.exe (file missing)

After you have put a check next to the above entries, close out All other windows
Leave Hijackthis open and click FIX CHECKED
YES to the prompt and exit Hijackthis

. Go to Start | Run and type regedit then click Ok.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
and expand Services in the left pane. Look for any entries named as:

%AFå¤¶À¨ or Network Security Service

If any are listed, right-click that entry and choose Delete.

Again in Regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root and expand Root in the Left Pane. Look for any entries like this:

LEGACY %AFå¤¶À¨ or LEGACY Network Security Service

If any are listed, right-click the entry and choose Delete.
Exit Registry editor

If you have trouble deleting a key. Then click once on the key name to highlight it and click on the Permission menu option under Security or Edit. Then Uncheck "Allow inheritible permissions" and press copy. Then click on everyone and put a checkmark in "full control". Then press apply and ok and attempt to delete the key again

Navigate to About:Buster
Start About:Buster and hit ok. Now for the scanning part. Hit Start and then Ok. The program should start scanning.Scan a Second time.
Save the log to a convenient location, I will want to see it later. Then hit exit

===Double click on fix.reg you saved to desktop earlier
and Allow it to merge to the Registry

===Right Click on DelDomains.inf>>Choose Install from the menu bar
This will delete all your Trusted and Ranges entries

======Open Hoster and click the "Restore Original Hosts" and press "OK". Exit Program.

===Open Ad-aware
Perform a Full system scan--"Uncheck Search for Negligible Risk Entries" before scanning
When it's finished scanning
At this point you should either right click on the screen and and choose the "Select All" Objects option or individually put a checkmark in each objects checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer back to Normal mode to finish the cleaning process

Run a scan again with About:buster again and save the log

Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content---Also Reset home page

===Look in your system32 folder for shell.dll
If it is not there, Go into System32\dllcache folder
Find shell.dll
Right click on shell.dll and choose copy from the menu. Then paste it into the
system32 folder

===# Check ActiveX security settings:
* In Internet Explorer, Tools | Internet Options | Security tab | Custom Level. Make sure that the following settings are correct:
o Download signed ActiveX controls (Prompt)
o Download unsigned ActiveX controls (Disable)
o Initialize and script ActiveX controls not marked as safe (Disable)
o Run ActiveX controls and plug-ins (Enabled)
o Script ActiveX controls marked safe for scripting (Prompt)

===Look for SDHelper.dll in your C:\Program Files\Spybot - Search & Destroy folder
If it's not there download this zip file SDHelper13.zip
Save the Zip file to your desktop and Unzip it to your C:\Program Files\Spybot - Search & Destroy folder

You may also want to do an online Virus scan at Trend Micro's>>Set to Autoclean
http://housecall.trendmicro.com/

Do another scan with hijackthis and save the log and post it back here
Also post back with the about:buster logs

Guest · « **Reply #4 on:** January 23, 2005, 05:50:04 PM »

Your input is very helpful, guestolo, so thank you very much again. Below is the most recent HijackThis log as well as both AboutBluster logs (before and after repair). After all you said was done, I also had Trend Micro's perform an online virus scan, and it still found 17 viruses that I had Trend Micro's delete. I can confirm that these annoying pop-ups (particularly regarding the Lefeat virus) are gone, which is a very nice thing. Still, please let me know what you think about the outcome. Does it look good to you now? And is there anything I'd need to set back, i.e. TeaTimer by Spybot? Thanks in advance for your reply. I really appreciate your great help.

Logfile of HijackThis v1.99.0
Scan saved at 22:40:18, on 23.01.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\COMPAQ\ACLIENT\ACLIENT.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Programme\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Programme\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\System32\PROMon.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\WinPortrait\wpctrl.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\Programme\ArtecUSB\ScanPanel\ScnPanel.exe
C:\Programme\WinZip\WZQKPICK.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\Programme\Compaq\Compaq Management Agents\cpqalert.exe
C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Programme\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Programme\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\WinPortrait\floater.exe
C:\Programme\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\HijackThis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Programme\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Smapp] C:\Programme\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [PivotSoftware] "C:\Programme\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Programme\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CpqDfwAg.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ScanPanel.lnk = C:\Programme\ArtecUSB\ScanPanel\ScnPanel.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by24fd.bay24.Email Removed.msn.com/resour...es/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D9E56139-FF61-49A8-872C-FDD6C6BFAA6C}: NameServer = 213.191.74.18 213.191.92.87
O23 - Service: Altiris Client-Dienst - Altiris, Inc. - C:\COMPAQ\ACLIENT\ACLIENT.exe
O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: Compaq Local Alerter - Compaq Computer Corporation - C:\Programme\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent - Compaq Computer Corporation - C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Intel® NMS - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Win32Sl - Intel - C:\Programme\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

Scanned at: 21:32:00 on: 23.01.2005

-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 23

Removed Data Streams:
C:\WINDOWS\ODBCINST(2).INI:zhyhw
C:\WINDOWS\Präriewind.bmp:kjcas
C:\WINDOWS\Q308678.log:ujufm
C:\WINDOWS\regedit.exe:nvcuh
C:\WINDOWS\RosoftCDExtractor.ini:fwmzb
C:\WINDOWS\setuplog.txt:stnha
C:\WINDOWS\svcpack.log:vnjfy
C:\WINDOWS\WinNetOptimize98ag.cfg:qnoey

Removed 2 Random Key Entries
Removed! : C:\WINDOWS\asucg.dat
Removed! : C:\WINDOWS\prrrj.dat
Removed! : C:\WINDOWS\trun.exe
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 23

Removed Data Streams:
C:\WINDOWS\ODBCINST(2).INI:zhyhw
C:\WINDOWS\Präriewind.bmp:kjcas
C:\WINDOWS\Q308678.log:ujufm
C:\WINDOWS\regedit.exe:nvcuh
C:\WINDOWS\RosoftCDExtractor.ini:fwmzb
C:\WINDOWS\setuplog.txt:stnha
C:\WINDOWS\svcpack.log:vnjfy
C:\WINDOWS\WinNetOptimize98ag.cfg:qnoey

Attempted Clean Of Temp folder.
Pages Reset... Done!

Scanned at: 21:54:07 on: 23.01.2005

-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 23

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 23

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

guestolo · « **Reply #5 on:** January 23, 2005, 06:10:03 PM »

If everything is running better
you should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature

Once back in Windows and System Restore is reenabled

You should set up protection against future attacks

SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link==Download link
Scroll down and click on IE-SPYAD.EXE Free! or IE-SPYAD2.EXE Free!

Regular IE-Spyad for the individual user or IE-Spyad 2 for global protection(All users) on your computer
You only need one or the other

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection

You can go back and enable Tea Timer now, I would also reenable
Resident SDHelper>>Found in the same location as enabling Tea Timer

Stay safe

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

Could you post back one more hijackthis log after you reenable Tea Timer, thanks

TheTechGuide Forum

News:

Author Topic: HijackThis Logfile (Read 458 times)

Guest

HijackThis Logfile

guestolo

HijackThis Logfile

Guest

HijackThis Logfile

guestolo

HijackThis Logfile

Guest

HijackThis Logfile

guestolo

HijackThis Logfile