| Thread ID: 57239 | 2005-04-27 08:58:00 | Hijack help please | paradox (1082) | Press F1 |
| Post ID | Timestamp | User |
| 349378 | 2005-04-27 08:58:00 | paradox (1082) |

Hi... This is the HijackThis log from my granddaughter's PC, which is in very poor shape. I have already found a lot of nasties but some of them are reborn after a restart. It also will not connect to the net: after dialling, the handshake just turns into a reset for the whole PC. I had been going to try a clean install, but then I remembered seeing HijackThis. Way out of my league, but it would be great if one of you HijackThis wizards could interpret the log for me and maybe find the problem. Cheers, Ken.

Logfile of HijackThis v1.99.1
Scan saved at 11:12:31 AM, on 4/27/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Media Pass\MediaPass.exe
C:\temp\salm.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\TEMP\~compoundinst0\auto_update_loader.exe
C:\WINDOWS\System32\csrlogon.exe
C:\WINDOWS\System32\cneview.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Media Pass\MediaPassK.exe
C:\WINDOWS\System32\mpdat.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Documents and Settings\Lisa\Local Settings\Temp\Temporary Directory 3 for hijackthis-3.zip\HijackThis.exe
C:\WINDOWS\notepad.exe
C:\Documents and Settings\Lisa\Local Settings\Temp\Temporary Directory 4 for hijackthis-3.zip\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
F2 - REG:system.ini: Shell=Explorer.exe mpdat.exe
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPass.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [rodofoj] C:\WINDOWS\rodofoj.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AutoLoaderEnvoloAutoUpdater] "C:\WINDOWS\TEMP\~compoundinst0\auto_update_loader.exe" /PC=CP.CDT3 /ShowLegalNote=nonbranded /ForSupportedBrowsers
O4 - HKLM\..\Run: [438W3ti] csrlogon.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [L0r6RjG2h] cneview.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - (no file)
O21 - SSODL: mtkle - {F9AB65F7-2084-4BAE-6C9C-54210ADCDEAF} - C:\WINDOWS\System32\yiba32.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe
| 349379 | 2005-04-27 09:11:00 | Edward (31) |

Oh dear god. Right now I can see 5 spyware processes running. Press Ctrl+Alt+Delete and get into Task Manager. Kill these processes:
salm.exe
auto_update_loader.exe
mediapassk.exe
cxtpls.exe
mpdat.exe
bargains.exe

Then download and run:
Spybot Search & Destroy
Lavasoft Ad-Aware SE Personal
Microsoft AntiSpyware beta

I recommend that you allow either Spybot S&D or Microsoft AntiSpyware to have live protection. Probably Microsoft's AntiSpyware, as it has a nicer interface for your granddaughter. Then run HijackThis again.
| 349380 | 2005-04-27 09:21:00 | Peterj116 (6762) |

Question number 1: Did you disable System Restore before attempting any repairs? If not, System Restore will helpfully put the crap back in for you. Right-click My Computer on the desktop; go into Properties. In the System Restore tab, click "Turn off System Restore on all drives". :)

As well as Spybot & Ad-Aware, download (from another computer) the standalone virus scanner Stinger (vil.nai.com). Not the best, but it may pick up a few things.
| 349381 | 2005-04-27 09:25:00 | Speedy Gonzales (78) |

C:\Program Files\Media Pass\MediaPass.exe
Uninstall MediaPass in Add/Remove Programs. Uninstalling MediaPass might disable it loading on bootup. securityresponse.symantec.com

C:\temp\salm.exe
C:\WINDOWS\TEMP\~compoundinst0\auto_update_loader.exe
These are suss.

C:\WINDOWS\System32\csrlogon.exe
C:\WINDOWS\System32\cneview.exe
C:\Program Files\Media Pass\MediaPassK.exe
This file is related to a trojan.

C:\WINDOWS\System32\mpdat.exe
This is spyware/adware.

C:\Program Files\CxtPls\CxtPls.exe
C:\Program Files\BullsEye Network\bin\bargains.exe

F2 - REG:system.ini: Shell=Explorer.exe mpdat.exe
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (This is part of Spybot but isn't needed.)
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll - This is a trojan.
O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPass.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [rodofoj] C:\WINDOWS\rodofoj.exe
O4 - HKLM\..\Run: [AutoLoaderEnvoloAutoUpdater] "C:\WINDOWS\TEMP\~compoundinst0\auto_update_loader.exe" /PC=CP.CDT3 /ShowLegalNote=nonbranded /ForSupportedBrowsers
O4 - HKLM\..\Run: [438W3ti] csrlogon.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [L0r6RjG2h] cneview.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - (no file) - Don't know what this file is.
O21 - SSODL: mtkle - {F9AB65F7-2084-4BAE-6C9C-54210ADCDEAF} - C:\WINDOWS\System32\yiba32.dll
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe

If this computer is on a network, I WOULD remove it / unplug it from the network until you remove the above in HijackThis. That MPDAT.exe file is possibly a worm, which is network aware, and it'll infect the rest of the computers if this PC is on a network.
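The walkthrough above picks out the same kinds of entries a first-pass triage would: a system.ini Shell= line with a second program chained on, Run values with bare file names or temp-directory paths, unnamed BHOs, SSODL entries, and a service with no publisher. The script below is an added example (not from this thread or from HijackThis) that parses entries in the HijackThis v1.99.1 line format and reports those patterns; the sample entries are constructed from the shape of the log posted here, and the heuristics are the editor's own assumptions, not HijackThis rules.

```python
import re

# Constructed sample: a handful of entries in the shape of the HijackThis v1.99.1
# log posted above (not a full scan); the Zone Labs line is a benign control.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe mpdat.exe
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [438W3ti] csrlogon.exe
O4 - HKCU\..\Run: [L0r6RjG2h] cneview.exe
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - (no file)
O21 - SSODL: mtkle - {F9AB65F7-2084-4BAE-6C9C-54210ADCDEAF} - C:\WINDOWS\System32\yiba32.dll
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r'HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] "?(?P<exe>[^"]*?\.exe)', re.I)

def triage_entry(line):
    """Return a reason to review one HijackThis entry, or None if nothing stands out."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec == "F2" and "Shell=" in body:
        # system.ini Shell= should load Explorer.exe alone; anything appended starts with it
        programs = body.split("Shell=", 1)[1].split()
        if [p.lower() for p in programs] != ["explorer.exe"]:
            return "Shell= is not Explorer.exe alone: " + " ".join(programs)
    elif sec == "O2" and "(no name)" in body:
        return "browser helper object registered without a name"
    elif sec == "O4" and (r := RUN_RE.match(body)):
        name, exe = r.group("name"), r.group("exe")
        if "\\" not in exe:
            return "run entry gives a bare file name, resolved by search order at logon"
        if re.search(r"\\temp\\", exe, re.I):
            return "autostart from a temporary directory"
        if re.fullmatch(r"(?=.*\d)(?=.*[A-Za-z])[A-Za-z0-9]+", name):
            return "run value name looks randomly generated"
    elif sec == "O21":
        return "SSODL entry (few are legitimate)" + (", target file missing" if "(no file)" in body else "")
    elif sec == "O23" and "Unknown owner" in body:
        return "service binary with no publisher information"

def triage(log_text):
    """Return (entry, reason) pairs for every entry worth a second look."""
    reasons = [(l.strip(), triage_entry(l)) for l in log_text.splitlines()]
    return [(entry, why) for entry, why in reasons if why]
```

A hit here is a prompt to look the file up, as the replies in this thread do, not a verdict on its own.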
| 349382 | 2005-04-27 09:28:00 | gibler (49) |

I'd add that you definitely need to update this PC (i.e. Windows Update, and find SP2 on CD) ASAP. Also, the ZESOFT service is dodgy; see here (www.iamnotageek.com). Plus a mountain of other stuff... And check the hosts file. It should be in: C:\WINDOWS\system32\drivers\etc
| 349383 | 2005-04-27 09:37:00 | Fatjoz (6366) |

Er, you could just reinstall Windows & install Spybot etc. etc.
| 349384 | 2005-04-27 09:41:00 | Aurealis_ (7897) |

All good solutions. Paradox, is it possible for you to download either Ad-Aware or Microsoft Anti-Spyware? If not, I'm happy to write them to a CD and send them out to you.
| 349385 | 2005-04-27 09:55:00 | pctek (84) |

I'd enable Immunize on Spybot. And install SpywareBlaster or similar and enable everything on it. Make sure her firewall is configured properly and she hasn't allowed everything like most people do. The more protection the better.
| 349386 | 2005-04-27 10:06:00 | lewisc (7929) |

Not sure how much this will help, but my friend's mum had a computer full of spyware/adware that kept coming back on restart. I booted it in safe mode and ran Lavasoft Ad-Aware; it completely cleaned all the bugs and there haven't been any problems since then.
| 349387 | 2005-04-27 10:27:00 | sal (67) |

I had a quick search, and it hasn't been mentioned in the forums yet, but concerning HijackThis logs, there's a great utility online that can give you useful feedback about your logs: http://hjt.iamnotageek.com/ I think this should also be mentioned in the FAQ on Spyware, adware and viruses (pressf1.co.nz 16) under the HJT section. Also, it is suggested not to post HJT logs in forums, but instead to link to a log file. Log files are welcome to be uploaded at IF1 (sal.neoburn.net) (.log is fine to upload).