PDA

View Full Version : Desktop Hijacked...need help


gmoulliet
2006-04-21, 05:20
Well this time it happened to my son's computer.
I have done the following:
Booted in "Safe Mode" and ran ewido full computer scan.
Then ran HiJackThis.
I have posted the logs below. Please review for me and advise.
Thanks very much.

Ewido log:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:06:53 PM, 4/20/2006
+ Report-Checksum: 6634CE69

+ Scan result:

C:\Documents and Settings\Gary1\Local Settings\Temporary Internet Files\Content.IE5\D40BP14X\story0001[1].htm -> Not-A-Virus.Exploit.HTML.Mht : Cleaned with backup
C:\Documents and Settings\Gary1\Local Settings\Temporary Internet Files\Content.IE5\D40BP14X\story0001[2].htm -> Not-A-Virus.Exploit.HTML.Mht : Cleaned with backup
C:\Documents and Settings\Gary1\Local Settings\Temporary Internet Files\Content.IE5\FASFVXCH\hta[1].txt -> Downloader.Phel.f : Cleaned with backup
C:\Documents and Settings\Gary1\Local Settings\Temporary Internet Files\Content.IE5\GXUB0LYR\ibar[1].js -> Downloader.IstBar.ad : Cleaned with backup
C:\Documents and Settings\Gary1\Local Settings\Temporary Internet Files\Content.IE5\GXUB0LYR\ysb_pictures[1].cab/YSBactivex.dll -> Downloader.IstBar : Cleaned with backup
C:\Documents and Settings\Gary1\Local Settings\Temporary Internet Files\Content.IE5\GXUB0LYR\ysb_prompt[1].htm -> Downloader.IstBar.j : Cleaned with backup
C:\Documents and Settings\Gary1\Local Settings\Temporary Internet Files\Content.IE5\KDYJCHAZ\0day[1].htm -> Not-A-Virus.Exploit.JS.CVE20061359.b : Cleaned with backup
C:\Documents and Settings\Gary1\Local Settings\Temporary Internet Files\Content.IE5\M9I58Z2P\eifr[1].htm -> Not-A-Virus.Exploit.HTML.Mht : Cleaned with backup
C:\ej.exe -> Trojan.LowZones.dm : Cleaned with backup
C:\WINDOWS\system32\openconf.exe -> Adware.FindSpy : Cleaned with backup
C:\WINDOWS\system32\pentxpl.exe -> Hijacker.Small.dg : Cleaned with backup
C:\WINDOWS\system32\rock.exe -> Trojan.LowZones.dm : Cleaned with backup
C:\WINDOWS\system32\winuptd.exe -> Downloader.Small.agg : Cleaned with backup
C:\WINDOWS\system32\xscan.exe -> Dropper.Agent.hy : Cleaned with backup
C:\WINDOWS\t23vt57ayg.exe -> Trojan.Krepper.i : Cleaned with backup
C:\WINDOWS\tmp.hta -> Downloader.Psyme.at : Cleaned with backup


::Report End


HiJackThis log:


Logfile of HijackThis v1.98.2
Scan saved at 10:09:55 PM, on 4/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Security\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Auto EPSON Stylus C64 Series on STUDIO] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE /P38 "Auto EPSON Stylus C64 Series on STUDIO" /O19 "\\STUDIO\EPSON S-64" /M "Stylus C64"
O4 - HKLM\..\Run: [\\STUDIO\EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE /P32 "\\STUDIO\EPSON Stylus C64 Series" /O6 "USB001" /M "Stylus C64"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Auto EPSON Stylus C64 Series on NUMBER-1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE /P40 "Auto EPSON Stylus C64 Series on NUMBER-1" /O26 "\\NUMBER-1\EPSON_Stylus-64" /M "Stylus C64"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [intell321.exe] C:\WINDOWS\system32\intell321.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB


Thanks for the help>
pskelley
2006-04-24, 01:58
Hello and welcome to the forum. Your version of HJT is obsolete. Please make sure you follow the directions in this Pinned informational link.
http://forums.spybot.info/showthread.php?t=288 Where you have HJT now is fine, it just needs to be updated. Once you complete these instructions and update HJT make sure you are running in Normal mode with everything enabled in MSConfig. Then post a new log in this same topic. I will be notified when you post and respond as soon as possible after that.

Thanks...pskelley
Safer Networking Forums
tashi
2006-04-27, 19:44
Due to lack of a response this topic will be archived.
If you need it re-opened please send me a pm and provide a link to the thread.