Author Topic: need help please  (Read 1231 times)

Offline ClaireMcC

  • Newbie
  • *
  • Posts: 13
  • Karma: +0/-0
need help please
« on: April 04, 2005, 06:30:09 PM »
This is the first time I have been able to get into this site in ages!

Sorry I never replied before, guestolo. :(

Here's my new log if you think you can still help me. :rolleyes:


Logfile of HijackThis v1.99.1
Scan saved at 23:17:35, on 04/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\AGNITUM\OUTPOS~1\outpost.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\msmpatch.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\Documents and Settings\Claire\Desktop\hijackthis.exe

O1 - Hosts: 213.199.154.54 www.symantec.com
O1 - Hosts: 213.199.154.54 www.sophos.com
O1 - Hosts: 213.199.154.54 www.mcafee.com
O1 - Hosts: 213.199.154.54 www.viruslist.com
O1 - Hosts: 213.199.154.54 www.f-secure.com
O1 - Hosts: 213.199.154.54 www.avp.com
O1 - Hosts: 213.199.154.54 www.kaspersky.com
O1 - Hosts: 213.199.154.54 www.networkassociates.com
O1 - Hosts: 213.199.154.54 www.ca.com
O1 - Hosts: 213.199.154.54 www.my-etrust.com
O1 - Hosts: 213.199.154.54 www.nai.com
O1 - Hosts: 213.199.154.54 www.trendmicro.com
O1 - Hosts: 213.199.154.54 www.grisoft.com
O1 - Hosts: 213.199.154.54 securityresponse.symantec.com
O1 - Hosts: 213.199.154.54 symantec.com
O1 - Hosts: 213.199.154.54 sophos.com
O1 - Hosts: 213.199.154.54 mcafee.com
O1 - Hosts: 213.199.154.54 liveupdate.symantecliveupdate.com
O1 - Hosts: 213.199.154.54 viruslist.com
O1 - Hosts: 213.199.154.54 f-secure.com
O1 - Hosts: 213.199.154.54 kaspersky.com
O1 - Hosts: 213.199.154.54 kaspersky-labs.com
O1 - Hosts: 213.199.154.54 avp.com
O1 - Hosts: 213.199.154.54 networkassociates.com
O1 - Hosts: 213.199.154.54 ca.com
O1 - Hosts: 213.199.154.54 mast.mcafee.com
O1 - Hosts: 213.199.154.54 my-etrust.com
O1 - Hosts: 213.199.154.54 download.mcafee.com
O1 - Hosts: 213.199.154.54 dispatch.mcafee.com
O1 - Hosts: 213.199.154.54 secure.nai.com
O1 - Hosts: 213.199.154.54 nai.com
O1 - Hosts: 213.199.154.54 update.symantec.com
O1 - Hosts: 213.199.154.54 updates.symantec.com
O1 - Hosts: 213.199.154.54 us.mcafee.com
O1 - Hosts: 213.199.154.54 liveupdate.symantec.com
O1 - Hosts: 213.199.154.54 customer.symantec.com
O1 - Hosts: 213.199.154.54 rads.mcafee.com
O1 - Hosts: 213.199.154.54 trendmicro.com
O1 - Hosts: 213.199.154.54 grisoft.com
O1 - Hosts: 213.199.154.54 sandbox.norman.no
O1 - Hosts: 213.199.154.54 www.pandasoftware.com
O1 - Hosts: 213.199.154.54 uk.trendmicro-europe.com
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: Band Class - {8272B062-BD4D-4EAD-A149-45B3CE3F5CDA} - C:\WINDOWS\GPalm.dll
O2 - BHO: (no name) - {FAF4BD81-3B6B-4216-8EFA-7D9B8D64CEFB} - C:\WINDOWS\System32\pkcbmg.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Band Class - {8272B062-BD4D-4EAD-A149-45B3CE3F5CDA} - C:\WINDOWS\GPalm.dll
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [mzfouoyq] C:\WINDOWS\System32\awkkej.exe
O4 - HKLM\..\Run: [SpySpotter] C:\PROGRA~1\SPYSPO~1\SpySpotter.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [GreasyPalmUpdate] C:\WINDOWS\GreasyPalmUpdate.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [rollbk] C:\WINDOWS\msmpatch.exe
O4 - HKLM\..\Run: [AvSer] C:\WINDOWS\msmpatch.exe
O4 - HKLM\..\Run: [DsmSer] C:\WINDOWS\System32\sysup.exe
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\AGNITUM\OUTPOS~1\outpost.exe /waitservice
O4 - HKLM\..\RunServices: [rollbk] C:\WINDOWS\msmpatch.exe
O4 - HKLM\..\RunServices: [AvSer] C:\WINDOWS\msmpatch.exe
O4 - HKLM\..\RunServices: [DsmSer] C:\WINDOWS\System32\sysup.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Vanisher] C:\spywarevanisher-free\FreeScanner.exe -FastScan
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZBzeb032YYGB
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\AGNITUM\OUTPOS~1\TRASH.EXE (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\AGNITUM\OUTPOS~1\TRASH.EXE (HKCU)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...up1.0.0.8-2.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - https://ukplay.toontown.com/download/sv1.0.15.19/ttinst.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/...tterInstall.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\AGNITUM\OUTPOS~1\outpost.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS

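As an added example (editor's code, not part of the original thread and not HijackThis output), the following Python script applies the triage that is done by eye on the log above: it parses the O1, O4 and O23 lines, flags every hosts-file entry that names a security-vendor domain (the log pins dozens of them to one address, 213.199.154.54, which blocks vendor sites and AV updates), reports binaries registered under more than one Run/RunServices key or sitting directly in the Windows directory, and lists services whose binary HijackThis reports missing. The vendor list and the heuristics are the editor's; the sample input is a few lines excerpted from the log plus one constructed benign O1 line.

```python
"""Triage a HijackThis 1.99 log for hosts-file hijacks and suspicious autoruns.

Added example for this thread; it is not HijackThis code and the rules below
are the editor's heuristics, written to mirror the manual read of the log.
"""
import re
from collections import defaultdict

# Editor's list of AV/security vendor base domains (drawn from the O1 lines
# in the log). A legitimate hosts file never maps any of these.
SECURITY_VENDORS = {
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "nai.com", "networkassociates.com", "kaspersky.com", "kaspersky-labs.com",
    "avp.com", "viruslist.com", "f-secure.com", "trendmicro.com",
    "trendmicro-europe.com", "grisoft.com", "ca.com", "my-etrust.com",
    "pandasoftware.com", "norman.no",
}

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*):\s+\[([^\]]*)\]\s+(.+)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")
BINARY_RE = re.compile(r'"?(.+?\.(?:exe|scr|dll|pif|bat|com))"?', re.I)

# Constructed sample: lines excerpted from the log posted above plus one
# benign, made-up O1 line (localhost) that must not be flagged.
SAMPLE_LOG = r"""
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 213.199.154.54 www.symantec.com
O1 - Hosts: 213.199.154.54 liveupdate.symantec.com
O1 - Hosts: 213.199.154.54 sophos.com
O4 - HKLM\..\Run: [rollbk] C:\WINDOWS\msmpatch.exe
O4 - HKLM\..\Run: [AvSer] C:\WINDOWS\msmpatch.exe
O4 - HKLM\..\RunServices: [rollbk] C:\WINDOWS\msmpatch.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\AGNITUM\OUTPOS~1\outpost.exe /waitservice
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
"""


def is_security_vendor(host: str) -> bool:
    """True if host is, or is a subdomain of, a known security-vendor domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in SECURITY_VENDORS)


def normalize_path(target: str) -> str:
    """Reduce an O4 target to its lowercase binary path: drop surrounding
    quotes and any trailing switches so the same file compares equal."""
    m = BINARY_RE.match(target.strip())
    return (m.group(1) if m else target.strip()).lower()


def triage(log_text: str) -> dict:
    hijacked = []                 # (ip, host): vendor domain pinned in the hosts file
    sinks = defaultdict(int)      # non-loopback IP -> how many vendor hosts point at it
    autoruns = defaultdict(list)  # binary -> [hive\key:[name]] it is registered under
    orphans = []                  # services whose binary HijackThis reports missing

    for line in log_text.splitlines():
        if (m := O1_RE.match(line)):
            ip, host = m.groups()
            if is_security_vendor(host):
                hijacked.append((ip, host))
                if not ip.startswith("127."):
                    sinks[ip] += 1
        elif (m := O4_RE.match(line)):
            hive, key, name, target = m.groups()
            autoruns[normalize_path(target)].append(f"{hive}\\{key}:[{name}]")
        elif (m := O23_RE.match(line)):
            name, _owner, path = m.groups()
            if path.endswith("(file missing)"):
                orphans.append(name)

    return {
        "hijacked_hosts": hijacked,
        "redirect_sinks": dict(sinks),
        # one binary launched from several Run keys is a persistence pattern
        "dup_autoruns": {p: k for p, k in autoruns.items() if len(k) > 1},
        # legitimate installers rarely drop executables straight into C:\WINDOWS
        "windows_root_binaries": [p for p in autoruns
                                  if re.fullmatch(r"c:\\windows\\[^\\]+", p)],
        "orphan_services": orphans,
    }


if __name__ == "__main__":
    for section, findings in triage(SAMPLE_LOG).items():
        print(f"{section}: {findings}")
```

Run against the full log, the redirect-sink count is what tells you this is a deliberate update blockade rather than a stray hosts entry; the duplicate-autorun and orphaned-service checks are what point at msmpatch.exe and the ISEXEng service before any scanner names them.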
Offline ClaireMcC

  • Newbie
  • *
  • Posts: 13
  • Karma: +0/-0
need help please
« Reply #1 on: April 04, 2005, 07:07:27 PM »
Also done a scan with MWAV; these are the results. :)

File C:\PROGRA~1\MYWEBS~1\SrchAstt\1.bin\MWSSRCAS.DLL infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\msmpatch.exe infected by "IM-Worm.Win32.Sumom.a" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\sysup.exe infected by "IM-Worm.Win32.Sumom.a" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\svosm.exe infected by "IM-Worm.Win32.Sumom.a" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\GreasyPalmUpdate.exe infected by "not-a-virus:AdWare.SearchFast.a" Virus. Action Taken: No Action Taken.

File System Found infected by "MyWebSearch Spyware/Adware" Virus. Action Taken: No Action Taken.

File System Found infected by "MyWebSearch Spyware/Adware" Virus. Action Taken: No Action Taken.

File System Found infected by "MyWebSearch Spyware/Adware" Virus. Action Taken: No Action Taken.

File System Found infected by "MyWebSearch Spyware/Adware" Virus. Action Taken: No Action Taken.

File System Found infected by "MyWebSearch Spyware/Adware" Virus. Action Taken: No Action Taken.

File System Found infected by "MyWebSearch Spyware/Adware" Virus. Action Taken: No Action Taken.

File System Found infected by "MyWebSearch Spyware/Adware" Virus. Action Taken: No Action Taken.

File System Found infected by "MyWebSearch Spyware/Adware" Virus. Action Taken: No Action Taken.

File System Found infected by "MyWebSearch Spyware/Adware" Virus. Action Taken: No Action Taken.

File System Found infected by "FunWebProducts Spyware/Adware" Virus. Action Taken: No Action Taken.

File System Found infected by "mywebsearch Spyware/Adware" Virus. Action Taken: No Action Taken.

File System Found infected by "AT-Games Spyware/Adware" Virus. Action Taken: No Action Taken.

File System Found infected by "btgrab Spyware/Adware" Virus. Action Taken: No Action Taken.

File System Found infected by "msbb Spyware/Adware" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\system32\f3PSSavr.scr infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\1j1dah1.dll infected by "Trojan.Win32.Delf.cf" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\system32\f3PSSavr.scr infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\system32\1j1dah1.dll infected by "Trojan.Win32.Delf.cf" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\Downloaded Program Files\ClientAX.dll infected by "not-a-virus:AdWare.180Solutions.b" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\CD Burning\autorun.exe infected by "IM-Worm.Win32.Sumom.a" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\John\Local Settings\Application Data\Microsoft\CD Burning\autorun.exe infected by "IM-Worm.Win32.Sumom.a" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\Vera\Local Settings\Application Data\Microsoft\CD Burning\autorun.exe infected by "IM-Worm.Win32.Sumom.a" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\Aidan\Local Settings\Application Data\Microsoft\CD Burning\autorun.exe infected by "IM-Worm.Win32.Sumom.a" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\Claire\Local Settings\Application Data\Microsoft\CD Burning\autorun.exe infected by "IM-Worm.Win32.Sumom.a" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\Christina\Local Settings\Application Data\Microsoft\CD Burning\autorun.exe infected by "IM-Worm.Win32.Sumom.a" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\Daniel\Local Settings\Application Data\Microsoft\CD Burning\autorun.exe infected by "IM-Worm.Win32.Sumom.a" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\Dee\Local Settings\Application Data\Microsoft\CD Burning\autorun.exe infected by "IM-Worm.Win32.Sumom.a" Virus. Action Taken: No Action Taken.
File C:\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL infected by "not-a-virus:AdWare.FunWeb.d" Virus. Action Taken: No Action Taken.

File C:\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.

File C:\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.

File C:\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.

File C:\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.

File C:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.

File C:\dsm.exe infected by "IM-Worm.Win32.Sumom.a" Virus. Action Taken: No Action Taken.

File C:\One Eye Granny pic!.pif infected by "IM-Worm.Win32.Sumom.a" Virus. Action Taken: No Action Taken.

File C:\Me drunk at The Sea!.pif infected by "IM-Worm.Win32.Sumom.a" Virus. Action Taken: No Action Taken.

File C:\Punk Lives! lol.pif infected by "IM-Worm.Win32.Sumom.a" Virus. Action Taken: No Action Taken.

File C:\Me Love You Long Time.pif infected by "IM-Worm.Win32.Sumom.a" Virus. Action Taken: No Action Taken.

File C:\Me pic.pif infected by "IM-Worm.Win32.Sumom.a" Virus. Action Taken: No Action Taken.

File C:\HillBilly Chick lol.pif infected by "IM-Worm.Win32.Sumom.a" Virus. Action Taken: No Action Taken.

File C:\Recycled\Q330995.exe infected by "Trojan-Downloader.Win32.Agent.hr" Virus. Action Taken: No Action Taken.

File C:\Dumb Looking Goth Chick.pif infected by "IM-Worm.Win32.Sumom.a" Virus. Action Taken: No Action Taken.

File C:\Hot Blonde!.pif infected by "IM-Worm.Win32.Sumom.a" Virus. Action Taken: No Action Taken.

File C:\Modelling Her New Bikini.pif infected by "IM-Worm.Win32.Sumom.a" Virus. Action Taken: No Action Taken.

File C:\Crazy Japanese man kicks crazy frog!.pif infected by "IM-Worm.Win32.Sumom.a" Virus. Action Taken: No Action Taken.

File C:\Funny Hitler parody!.pif infected by "IM-Worm.Win32.Sumom.a" Virus. Action Taken: No Action Taken.

File C:\My birthday pic!.pif infected by "IM-Worm.Win32.Sumom.a" Virus. Action Taken: No Action Taken.

File D:\hp\bin\Terminator.exe tagged as not-a-virus:RiskWare.Tool.KillApp. No Action Taken.

File D:\hp\bin\WIN32ALL-125.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File D:\My Docs\My Music\Fat Joe\What's Luv Definition\Whatdoesyournamemean.exe infected by "not-virus:Joke.Win32.Anywork" Virus. Action Taken: No Action Taken.


Thanks very much guestolo. :D

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
need help please
« Reply #2 on: April 04, 2005, 08:01:26 PM »
Claire, let's try and get you clean, once and for all. Don't start any new posts;
just stick with this one.
I'll ensure I don't close it until I hear back from you,
if it's within a reasonable time. :D

I need you to download a couple of tools
===First, Download and Unzip to a Folder
The Hoster
We'll need this later

After you have done that

Could you please uninstall both SpySpotter and Spyware Vanisher if you didn't pay for them.
They're both on the Rogue list (they're bogus).
Read more at this link
http://www.spywarewarrior.com/rogue_anti-spyware.htm

After that
Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE

Go to START>>>RUN>>>type in services.msc
and hit Enter
In the next window, look on the right hand side for this service
name---- ISEXEng

Double click on it--- STOP the service--
In the drop down menu, change the startup type to Disabled

Open Hijackthis>>Open Misc Tools Section>>Open "Delete an NT Service"
Copy and paste or type the following in bold to the blank box
and hit OK

ISEXEng

Stay in safe mode
Find and delete these files or folders if found

C:\WINDOWS\msmpatch.exe <-file
C:\WINDOWS\System32\awkkej.exe <-file
C:\WINDOWS\System32\sysup.exe <-file
C:\WINDOWS\system32\f3PSSavr.scr <-file
C:\WINDOWS\GreasyPalmUpdate.exe <-file
C:\WINDOWS\System32\1j1dah1.dll <-file
C:\WINDOWS\GPalm.dll
C:\WINDOWS\Downloaded Program Files\ClientAX.dll
C:\dsm.exe
D:\My Docs\My Music\Fat Joe\What's Luv Definition\Whatdoesyournamemean.exe

C:\spywarevanisher-free <-folder
C:\Program Files\SpySpotter <-folder
C:\Program Files\MyWebSearch <-folder

Also look for these files and remove them if found; they're related to the W32.Serflog.B worm

# C:\Windows\System32\msmpatch.exe
# C:\Windows\System32\svosm.exe
# C:\WINDOWS\dsm.exe
# C:\One Eye Granny pic!.pif
# C:\Me drunk at The Sea!.pif
# C:\Punk Lives! lol.pif
# C:\Me Love You Long Time.pif
# C:\Me pic.pif
# C:\HillBilly Chick lol.pif
# C:\Dumb Looking Goth Chick.pif
# C:\Hot Blonde!.pif
# C:\Modelling Her New Bikini.pif
# C:\Crazy Japanese man kicks crazy frog!.pif
# C:\Funny Hitler parody!.pif
# C:\My birthday pic!.pif
# C:\Funny Hitler parody.pif
# C:\Documents and Settings\Claire\Local Settings\Application Data\Microsoft\CD Burning\autorun.exe

Do a Disk Cleanup
Go to START>>RUN>>type in
cleanmgr
Hit OK
Give it time to compress files
Ensure Temp and Temp internet files are checked

Do another scan with Hijackthis and put a check next to these entries:

O1 - Hosts: 213.199.154.54 www.symantec.com
O1 - Hosts: 213.199.154.54 www.sophos.com
O1 - Hosts: 213.199.154.54 www.mcafee.com
O1 - Hosts: 213.199.154.54 www.viruslist.com
O1 - Hosts: 213.199.154.54 www.f-secure.com
O1 - Hosts: 213.199.154.54 www.avp.com
O1 - Hosts: 213.199.154.54 www.kaspersky.com
O1 - Hosts: 213.199.154.54 www.networkassociates.com
O1 - Hosts: 213.199.154.54 www.ca.com
O1 - Hosts: 213.199.154.54 www.my-etrust.com
O1 - Hosts: 213.199.154.54 www.nai.com
O1 - Hosts: 213.199.154.54 www.trendmicro.com
O1 - Hosts: 213.199.154.54 www.grisoft.com
O1 - Hosts: 213.199.154.54 securityresponse.symantec.com
O1 - Hosts: 213.199.154.54 symantec.com
O1 - Hosts: 213.199.154.54 sophos.com
O1 - Hosts: 213.199.154.54 mcafee.com
O1 - Hosts: 213.199.154.54 liveupdate.symantecliveupdate.com
O1 - Hosts: 213.199.154.54 viruslist.com
O1 - Hosts: 213.199.154.54 f-secure.com
O1 - Hosts: 213.199.154.54 kaspersky.com
O1 - Hosts: 213.199.154.54 kaspersky-labs.com
O1 - Hosts: 213.199.154.54 avp.com
O1 - Hosts: 213.199.154.54 networkassociates.com
O1 - Hosts: 213.199.154.54 ca.com
O1 - Hosts: 213.199.154.54 mast.mcafee.com
O1 - Hosts: 213.199.154.54 my-etrust.com
O1 - Hosts: 213.199.154.54 download.mcafee.com
O1 - Hosts: 213.199.154.54 dispatch.mcafee.com
O1 - Hosts: 213.199.154.54 secure.nai.com
O1 - Hosts: 213.199.154.54 nai.com
O1 - Hosts: 213.199.154.54 update.symantec.com
O1 - Hosts: 213.199.154.54 updates.symantec.com
O1 - Hosts: 213.199.154.54 us.mcafee.com
O1 - Hosts: 213.199.154.54 liveupdate.symantec.com
O1 - Hosts: 213.199.154.54 customer.symantec.com
O1 - Hosts: 213.199.154.54 rads.mcafee.com
O1 - Hosts: 213.199.154.54 trendmicro.com
O1 - Hosts: 213.199.154.54 grisoft.com
O1 - Hosts: 213.199.154.54 sandbox.norman.no
O1 - Hosts: 213.199.154.54 www.pandasoftware.com
O1 - Hosts: 213.199.154.54 uk.trendmicro-europe.com

O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL

O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: Band Class - {8272B062-BD4D-4EAD-A149-45B3CE3F5CDA} - C:\WINDOWS\GPalm.dll

O2 - BHO: (no name) - {FAF4BD81-3B6B-4216-8EFA-7D9B8D64CEFB} - C:\WINDOWS\System32\pkcbmg.dll (file missing)

O4 - HKLM\..\Run: [mzfouoyq] C:\WINDOWS\System32\awkkej.exe
O4 - HKLM\..\Run: [SpySpotter] C:\PROGRA~1\SPYSPO~1\SpySpotter.exe

O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
<--this may return in the future, that's ok, we're just preventing it on a fresh startup

O4 - HKLM\..\Run: [GreasyPalmUpdate] C:\WINDOWS\GreasyPalmUpdate.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [rollbk] C:\WINDOWS\msmpatch.exe
O4 - HKLM\..\Run: [AvSer] C:\WINDOWS\msmpatch.exe
O4 - HKLM\..\Run: [DsmSer] C:\WINDOWS\System32\sysup.exe

O4 - HKLM\..\RunServices: [rollbk] C:\WINDOWS\msmpatch.exe
O4 - HKLM\..\RunServices: [AvSer] C:\WINDOWS\msmpatch.exe
O4 - HKLM\..\RunServices: [DsmSer] C:\WINDOWS\System32\sysup.exe

O4 - HKCU\..\Run: [Spyware Vanisher] C:\spywarevanisher-free\FreeScanner.exe -FastScan

O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZBzeb032YYGB

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...up1.0.0.8-2.cab

O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Open the Hoster you unzipped earlier and
click "Restore Original Hosts"

Restart back to Normal mode

Download and Install the free version of Ad-Aware SE Personal 1.05
Ensure you have this version or the paid version
Open Ad-Aware, ensure to click the  check for updates now link and Connect to download the latest updates
Perform a Full system scan
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All Objects" option or individually put a checkmark in each object's checkbox
Click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer to finish the cleaning process

Back in Windows

Download and Install Spybot S&D 1.3
After installation--SEARCH FOR UPDATES
Check all updates and Download them
Afterwards
Check for Problems---Let it complete its scan, when it's done
FIX everything in RED>>should be checked by default

Restart your computer again to finish the cleaning process

Post back a fresh Hijackthis log afterwards

Could you also do the following
Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the CODE box to notepad
In Notepad click FILE>>SAVE AS

Name the file as Export.bat
Save it on the desktop

Code:
@echo off
regedit /e C:\temp.reg "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT"
more C:\temp.reg >> C:\Display.txt
notepad C:\Display.txt
del /q c:\temp.reg
del /q C:\Display.txt

Double click Export.bat and copy and paste back the findings



Offline ClaireMcC

  • Newbie
  • *
  • Posts: 13
  • Karma: +0/-0
need help please
« Reply #3 on: April 05, 2005, 05:55:17 PM »
:D Computer is better already.

Done everything and downloaded everything. Some things I couldn't find:

service
name---- ISEXEng         (this was not there)

C:\WINDOWS\msmpatch.exe <-file   (DELETED)
C:\WINDOWS\System32\awkkej.exe <-file   NOT THERE
C:\WINDOWS\System32\sysup.exe <-file   (DELETED)
C:\WINDOWS\system32\f3PSSavr.scr <-file  (DELETED)
C:\WINDOWS\GreasyPalmUpdate.exe <-file  (DELETED)
C:\WINDOWS\System32\1j1dah1.dll <-file  (DELETED)
C:\WINDOWS\GPalm.dll                  (DELETED)
C:\WINDOWS\Downloaded Program Files\ClientAX.dll    NOT THERE
C:\dsm.exe    (DELETED)
D:\My Docs\My Music\Fat Joe\What's Luv Definition\Whatdoesyournamemean.exe  (DELETED)

C:\spywarevanisher-free <-folder   NOT THERE
C:\Program Files\SpySpotter <-folder   NOT THERE
C:\Program Files\MyWebSearch <-folder   (DELETED)


# C:\Windows\System32\msmpatch.exe   NOT THERE
# C:\Windows\System32\svosm.exe    (DELETED)
# C:\WINDOWS\dsm.exe         NOT THERE
# C:\One Eye Granny pic!.pif    (DELETED)
# C:\Me drunk at The Sea!.pif    (DELETED)
# C:\Punk Lives! lol.pif        (DELETED)
# C:\Me Love You Long Time.pif   (DELETED)
# C:\Me pic.pif                 (DELETED)
# C:\HillBilly Chick lol.pif   (DELETED)
# C:\Dumb Looking Goth Chick.pif   (DELETED)
# C:\Hot Blonde!.pif                (DELETED)
# C:\Modelling Her New Bikini.pif   (DELETED)
# C:\Crazy Japanese man kicks crazy frog!.pif   (DELETED)
# C:\Funny Hitler parody!.pif             (DELETED)
# C:\My birthday pic!.pif              (DELETED)
# C:\Funny Hitler parody.pif           (DELETED)
# C:\Documents and Settings\Claire\Local Settings\Application Data\Microsoft\CD Burning\autorun.exe        (DELETED)

Done a Disk Cleanup



Just gonna post back a log now. ;)

Offline ClaireMcC

  • Newbie
  • *
  • Posts: 13
  • Karma: +0/-0
need help please
« Reply #4 on: April 05, 2005, 06:44:51 PM »
Sorry it took so long there. I was having trouble with my Outpost firewall and couldn't get onto the internet. Had to disable it.


Anyway, here it is. :)


Logfile of HijackThis v1.99.1
Scan saved at 00:42:17, on 06/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\AGNITUM\OUTPOS~1\outpost.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Claire\Desktop\hijackthis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\AGNITUM\OUTPOS~1\outpost.exe /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\AGNITUM\OUTPOS~1\TRASH.EXE (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\AGNITUM\OUTPOS~1\TRASH.EXE (HKCU)
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - https://ukplay.toontown.com/download/sv1.0.15.19/ttinst.cab
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\AGNITUM\OUTPOS~1\outpost.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS

Offline ClaireMcC

  • Newbie
  • *
  • Posts: 13
  • Karma: +0/-0
need help please
« Reply #5 on: April 05, 2005, 06:47:07 PM »
Here's the Export.bat findings:




Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR"="0"
"DisableConfig"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]

Offline guestolo

need help please
« Reply #6 on: April 05, 2005, 07:26:25 PM »
Can you do the following for me please

===Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the CODE box to notepad
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg

Save this file on the desktop, we'll need this later, don't run it yet

Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR"=-
"DisableConfig"=-

Open a Command prompt
START>>Run>>type in
cmd
Hit OK

At the prompt type the following in bold; (Enter) indicates hitting Enter on your keyboard

cd C:\WINDOWS\Downloaded Program Files (Enter)
del ClientAX.dll (Enter)
exit (Enter)

Notice the single spaces after cd and del

Could you also try and find these files and delete them if found
I missed them earlier
They're in different profiles
C:\Documents and Settings\Christina\Local Settings\Application Data\Microsoft\CD Burning\autorun.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\CD Burning\autorun.exe
C:\Documents and Settings\Aidan\Local Settings\Application Data\Microsoft\CD Burning\autorun.exe

C:\Documents and Settings\John\Local Settings\Application Data\Microsoft\CD Burning\autorun.exe
C:\Documents and Settings\Dee\Local Settings\Application Data\Microsoft\CD Burning\autorun.exe

You get the picture, check all profiles on the computer

Afterwards
Double click on Fix.reg and allow to merge to the registry

Post back one last hijackthis log
Let me know if you are still having problems with Outpost
Don't need you without a firewall enabled

Could you also post a hijackthis log from a different profile
If you have a user who has Administrative privileges, post that log, thanks

EDIT>>After merging Fix.reg, can you Restart your computer, thanks
« Last Edit: April 05, 2005, 07:50:09 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline ClaireMcC
need help please
« Reply #7 on: April 05, 2005, 07:54:33 PM »
All done. Outpost seems to be OK now.

Logfile of HijackThis v1.99.1
Scan saved at 01:52:14, on 06/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\AGNITUM\OUTPOS~1\outpost.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\Claire\Desktop\hijackthis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\AGNITUM\OUTPOS~1\outpost.exe /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\AGNITUM\OUTPOS~1\TRASH.EXE (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\AGNITUM\OUTPOS~1\TRASH.EXE (HKCU)
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - https://ukplay.toontown.com/download/sv1.0.15.19/ttinst.cab
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\AGNITUM\OUTPOS~1\outpost.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS

Guest_ClaireMcC_*
need help please
« Reply #8 on: April 05, 2005, 07:58:54 PM »
here it is from another user


Logfile of HijackThis v1.99.1
Scan saved at 01:56:28, on 04/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\AGNITUM\OUTPOS~1\outpost.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\AGNITUM\OUTPOS~1\outpost.exe /waitservice
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZBzeb032YYGB
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - https://ukplay.toontown.com/download/sv1.0.15.19/ttinst.cab
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\AGNITUM\OUTPOS~1\outpost.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS

Offline guestolo
need help please
« Reply #9 on: April 05, 2005, 08:37:56 PM »
Let's call this user B

With this user
Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZBzeb032YYGB


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart the computer

We should ensure all user accounts are clean
Can you post a log from another user
Name it User C

You can include user D if you want also,
We don't want to miss anything

But I'm sure we're just going to be cleaning leftovers now

We should get some free security preventive tools on your computer afterwards
« Last Edit: April 05, 2005, 08:41:50 PM by guestolo »



Offline ClaireMcC
need help please
« Reply #10 on: April 13, 2005, 05:08:44 PM »
Sorry it took so long to reply. Gonna do this now.

Offline ClaireMcC
need help please
« Reply #11 on: April 15, 2005, 03:19:03 AM »
Sorry all this is taking so long :(

But here is user C :)

Logfile of HijackThis v1.99.1
Scan saved at 09:15:50, on 04/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\hijackthis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\AGNITUM\OUTPOS~1\outpost.exe /waitservice
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - https://ukplay.toontown.com/download/sv1.0.15.19/ttinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\AGNITUM\OUTPOS~1\outpost.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS

Offline guestolo
need help please
« Reply #12 on: April 15, 2005, 09:04:38 AM »
Looks good, for User C just have Hijackthis fix checked this entry with all other windows closed
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE

If everything is running better
Disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once re-enabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature

Once back in Windows and System Restore is re-enabled

You should set up protection against future attacks

SpywareBlaster 3.3 by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection

SpywareGuard 2.2 by JavaCool
*SpywareGuard provides a real-time protection solution against spyware that is a great addition to SpywareBlaster

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With SpywareBlaster and IE-Spyad
Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection
SpywareGuard, doesn't need to update all that often, but check once a month

I suspect all other users are clean now
Maybe the leftover MyWebSearch entries to get rid of
You should put on the protection

Stay safe :D

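Added example, not code from the thread or from HijackThis: a small triage script that applies the same per-profile judgement guestolo made by hand in Replies #9 and #12 (MyWebSearch leftovers, a URLSearchHook whose DLL is missing, a search page reset to about:blank) to HijackThis log text. The rule set and the trimmed sample logs are constructed here from the entries quoted in the thread; real logs from other machines will need their own rules.

```python
"""Triage helper for HijackThis v1.99-style logs (added example, not from the thread).

Flags an entry when it matches one of the indicators the helper told the poster
to fix in this thread, and reports per user profile which entries still need
"Fix checked". Rules and sample log lines are constructed from the thread.
"""
import re
from typing import Callable, Dict, List, Tuple

# Every entry line in an HJT log starts with a section tag such as R1, O4, O23.
HJT_LINE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<detail>.+)$")

# Constructed rule set: (reason, predicate over section and detail).
RULES: List[Tuple[str, Callable[[str, str], bool]]] = [
    ("mywebsearch leftover", lambda s, d: "mywebsearch" in d.lower()),
    ("search hook DLL missing", lambda s, d: s == "R3" and "(file missing)" in d),
    ("search page reset", lambda s, d: s == "R1" and "Search Page = about:blank" in d),
]


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Return (section, detail) pairs for entry lines; headers and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("detail")))
    return entries


def flag_entries(entries: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (original line, reason) for each entry matching a rule; first matching rule wins."""
    flagged = []
    for section, detail in entries:
        for reason, pred in RULES:
            if pred(section, detail):
                flagged.append((f"{section} - {detail}", reason))
                break
    return flagged


def triage_profiles(logs: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Run the rules over one log per user profile; a clean profile maps to an empty list."""
    return {user: flag_entries(parse_hjt(text)) for user, text in logs.items()}


# Constructed sample: trimmed versions of the user A, B and C logs posted in the thread.
SAMPLE_LOGS = {
    "A": "O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\System32\\ctfmon.exe\n"
         "O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\\PROGRA~1\\AGNITUM\\OUTPOS~1\\outpost.exe\n",
    "B": "R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = about:blank\n"
         "R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\\Program Files\\MyWebSearch\\SrchAstt\\1.bin\\MWSSRCAS.DLL (file missing)\n"
         "O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZBzeb032YYGB\n",
    "C": "O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\\Program Files\\MyWebSearch\\bar\\1.bin\\MWSOEMON.EXE\n"
         "O4 - HKLM\\..\\Run: [IgfxTray] C:\\WINDOWS\\System32\\igfxtray.exe\n",
}

if __name__ == "__main__":
    for user, hits in triage_profiles(SAMPLE_LOGS).items():
        print(f"user {user}: {'clean' if not hits else str(len(hits)) + ' entries to fix'}")
        for line, reason in hits:
            print(f"   [{reason}] {line}")
```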