CastleCops, Internet Crime Fighters
Need help? Click here to register for free! Absolutely zero advertisements on this site!

$9736.22 of $21422.68
left sidedonated so farneed $11686.46 donated to reach our goalright side, our goal
Help CastleCops serve the community on new servers, Donate Here to reach our goal.

Donation/Premium
spacer
Donations. Become Premium Today! Premium Icon
block bottom
Security Central
spacer
· Home
· PIRT/Fried Phish
· MIRT
· SIRT
· Deutsch
· Wiki
· Newsletter
· O16/ActiveX
· CLSID List
· Contest2007
· Downloads
· Feedback (send)
· Forums
· HijackThis
· Hijacktrend
· LSPs
· My Downloads
· O18
· O20
· O21
· O22
· O23
· O9
· Premium
· Private Messages
· Proxomitron
· Reviews
· Search
· StartupList
· Stories Archive
· Submit News
· WsIRT
· Your Account
· Acceptable Use Policy
block bottom
Survey
spacer
Was 2007 a good year?

Yes it was a wonderful year
Yes, but there is always room for improvement
Status quo
It was a challenge
Other (leave comment)



Results
Polls

Votes: 934
Comments: 25
block bottom
spacer spacer
 Forum FAQForum FAQ   SearchSearch   UsergroupsUsergroups   ProfileProfile   Login to check your private messagesLogin to check your private messages   LoginLogin   Your Favorite ForumsSelect FavForums 

ABI Network direct revenue

 
Post new topic   Reply to topic       All -> FavForums -> Trend Micro HijackThis Logs [del.icio.us!] [digg it!] [reddit!]
View previous topic :: View next topic  
Author Message
tbuff38

Cadet
Cadet


Joined: Jul 28, 2005
Posts: 1
Location: USA
PostPosted: Fri Jul 29, 2005 12:23 am    Post subject: ABI Network direct revenue
Reply with quote

I have this lovely hijacker on my lap top. here is the log. can you help?

Logfile of HijackThis v1.99.1
Scan saved at 8:01:17 PM, on 7/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\WINDOWS\System32\VsTaskMngr.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
c:\windows\system32\oisqgw.exe
C:\WINDOWS\scanfile.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\TIM\Desktop\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Date Bar - {A833AB67-7368-457E-B8BF-249CCD8DDD14} - C:\DOCUME~1\TIM\LOCALS~1\Temp\dbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [thptfxy] c:\windows\system32\oisqgw.exe r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Scanner File Utility.lnk = C:\Program Files\Kyocera Mita\FileUtility\fileexec.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8} (IEPlayInterface Class) - http://www.lotrdvd.com/dvdkey/extended_dvd/downloads/iaieplay.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120824953895
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://priority-data.webex.com/client/v_mywebex/training/ieatgpc.cab
O16 - DPF: {E427A57F-1A94-0BFC-6D7A-6DC214946AD4} - ms-its:mhtml:file://c:\\nosuch.mht!http://users.perfhost.com/~zone14/z/index.chm::/index.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{DAABCE62-EEE6-4BD7-84C5-762DDB444B92}: NameServer = 195.95.218.1,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4CFEA94-720A-4FA6-A69F-6E26F5DFCD23}: NameServer = 195.95.218.1,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9E6AB37-B11B-4679-92A5-21BA4600FE1C}: NameServer = 195.95.218.1,85.255.112.7
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Intel Centrino2 - Unknown owner - C:\WINDOWS\System32\VsTaskMngr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Back to top
View users profile Send private message
magictouch

1st Responder


Joined: May 02, 2004
Posts: 3293
Location: Denmark
1st Responders

PostPosted: Sun Jul 31, 2005 8:21 am    Post subject:
Reply with quote

Hi and welcome Smile

Please download Ewido-Free Download: http://www.ewido.net/en/
Install and update it. Do not scan

Download and unzip to a new folder on desktop:

http://noahdfear.geekstogo.com/smitRem.zip


Download this scanner – mwav exe http://www.spywareinfo.dk/download/mwav.exe

And this scanner - cureit.
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe





Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Then run Hijackthis and place a check beside each of the following. Once you have checked them, click fix checked.
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O3 - Toolbar: Date Bar - {A833AB67-7368-457E-B8BF-249CCD8DDD14} - C:\DOCUME~1\TIM\LOCALS~1\Temp\dbar.dll
O4 - HKLM\..\Run: [thptfxy] c:\windows\system32\oisqgw.exe r
O16 - DPF: {E427A57F-1A94-0BFC-6D7A-6DC214946AD4} - ms-its:mhtml:file://c:\\nosuch.mht!http://users.perfhost.com/~zone14/z/index.chm::/index.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{DAABCE62-EEE6-4BD7-84C5-762DDB444B92}: NameServer = 195.95.218.1,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4CFEA94-720A-4FA6-A69F-6E26F5DFCD23}: NameServer = 195.95.218.1,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9E6AB37-B11B-4679-92A5-21BA4600FE1C}: NameServer = 195.95.218.1,85.255.112.7

Delete the following files or folders (delete item in bold). Please do not be concerned if
any of the items are not found as they may have been automatically removed by actions I had
you take earlier in the cleaning process.


Open Folder Options in Controlpanel >view and check your settings:
Select
Show hidden files and folders
Display the contents of system folders
Uncheck: Hide protected operating system files

C:\WINDOWS\dsr.dll
C:\DOCUME~1\TIM\LOCALS~1\Temp\dbar.dll
c:\windows\system32\oisqgw.exe r
c:\\nosuch.mht




Run the mwav scanner:
Put a checkmark in:
Memory, Startup folders, drive, Registry, System folders og Services.
And:
All local drives og Scan all files
Push: Scan Button
The scan can take a couple of hours

Open folder with smitrem and run RunThis.bat



Run full scan with Ewido

Reboot

Go to Start | Run and type: cleanmgr.exe and hit enter.
When prompted what drive to clean select your hard drive c:
If asked what folders to clean in a list, tick them all to clean all temp folders, downloaded program folders, temporary internet files, etc., and the recycle/trash bin.


Post fresh hijackthis log


_________________
Member of - Alliance of Security Analysis Professionals
Back to top
View users profile Send private message Send email
Display posts from previous:   
Post new topic   Reply to topic       All -> FavForums -> Trend Micro HijackThis Logs All times are GMT
Page 1 of 1

 
 You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001 phpBB Group
2002-2008 © Computer Cops LLC dba CastleCops®. All rights reserved.
Acceptable Use Policy. Use signifies your agreement.
141ppm 3.083s (2.369s)
Making cybercriminals unhappy since 2002*
In Memory of Trpm
spacer spacer