| Thread ID: 92886 | 2008-08-27 00:35:00 | HJT log | NZHawk (4093) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 700675 | 2008-08-27 00:35:00 | Could someone have a look through this log for me:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:52:21 a.m., on 27/08/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Megatec\UPSilon 2000\RupsMon.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\jbrjbjjr.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Megatec\UPSilon 2000\Monw32.exe
C:\WINNT\system32\cmd.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Documents and Settings\Administrator\Desktop\2 Cleaning Tools\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.nz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: UserInit=userinit.exe,Phantom.exe
O1 - Hosts: [Phantom] 2005 Made By Evil[xiaou]. Greetz to good friend x140d4n. Based On sdbot&&mydoom.
O1 - Hosts: HellBot3 have BackDoor in HellMsn.h. The HellBot3 author is an idiocy!!!
O1 - Hosts: Play with The best Die like the rest.
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [lphc9d6j0eafl] C:\WINNT\system32\lphc9d6j0eafl.exe
O4 - HKLM\..\Run: [jbrjbjjr] %systemroot%\jbrjbjjr.exe
O4 - HKLM\..\Run: [brrbbbrr] %systemroot%\brrbbbrr.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Rupsmon Daemon.lnk = C:\Program Files\Megatec\UPSilon 2000\Monw32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {57453726-BB83-11D2-9047-00105ACE49EC} (PhotoLoad Control) - www.dmotorworks.com.au
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - webdl.symantec.com
O16 - DPF: {CEEBC0A9-E9A8-11D2-B50D-00104BC858E1} (Digital Motorworks Intranet Administrator(TM) Entity Tree Control) - www.dmotorworks.com.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{9BFCA22B-08DC-4529-AA73-6C8912A5F1A1}: NameServer = 202.27.184.3,202.27.184.5
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Rupsmon - Mega System Technologies, Inc. - C:\Program Files\Megatec\UPSilon 2000\RupsMon.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

-- End of file - 7837 bytes |
NZHawk (4093) | ||
| 700676 | 2008-08-27 01:09:00 | Uninstall Symantec's program, it's hopeless.

Tick these, then tick Fix checked. Close browsers.

C:\WINNT\jbrjbjjr.exe <-- delete this file after you reboot

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

I don't know what these are or do, but they look nasty (these may be part of Zotob, a worm):

O1 - Hosts: [Phantom] 2005 Made By Evil[xiaou]. Greetz to good friend x140d4n. Based On sdbot&&mydoom.
O1 - Hosts: HellBot3 have BackDoor in HellMsn.h. The HellBot3 author is an idiocy!!!
O1 - Hosts: Play with The best Die like the rest.
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)

Once you tick these, tick Fix checked, reboot, find these files and delete them. Go into Task Manager now and end these processes, if they're running:

O4 - HKLM\..\Run: [lphc9d6j0eafl] C:\WINNT\system32\lphc9d6j0eafl.exe
O4 - HKLM\..\Run: [jbrjbjjr] %systemroot%\jbrjbjjr.exe
O4 - HKLM\..\Run: [brrbbbrr] %systemroot%\brrbbbrr.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')

After you reboot, get Trojan Remover (www.simplysup1.com) <-- direct link, install it, update it, then click on Scan. Then select all options under the Utilities menu.

Whoever owns this PC, tell them to quit opening emails with attachments! If you don't know where it's from, who it's from, what it's about, delete it. |
Speedy Gonzales (78) | ||
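The advice above singles out a few classes of HijackThis entries: the hosts-file lines (O1), the extra program on the UserInit line (F2), the Run keys pointing at oddly named binaries in the Windows directory (O4), and a service with no publisher. The following script is an added example, not code from this thread or from HijackThis; it splits a log into its entries and applies those same defender-side checks as heuristics, so a reviewer can get a first-pass list of what to look at before touching anything. The thresholds, the "looks machine-generated" rule and the wording of the findings are my own assumptions, and the sample log is a constructed excerpt of the entries posted above.

```python
"""Triage a HijackThis-style log for the entry classes the thread calls out.

Added example, not code from the forum thread or from HijackThis itself. It
splits a log into its "Rn/Fn/On - " entries and applies a few defender-side
heuristics to surface what deserves a second look:

  F2  - system.ini UserInit running anything besides userinit.exe
  O1  - any hosts-file entry, with a note when it is not an IP/hostname pair
  O4  - Run/RunOnce binaries sitting directly in %systemroot% or whose file
        name looks machine-generated (no vowels, or digits mixed into a
        low-vowel string)
  O23 - services listed with "Unknown owner"

The heuristics and thresholds are assumptions for illustration; they are not
HijackThis rules and will produce false positives on real systems.
"""
import re
from typing import Dict, List

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
HOSTS_PAIR_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}\s+\S+$")
SYSROOT_RE = re.compile(r"^(%systemroot%|[a-z]:\\win(nt|dows))$", re.IGNORECASE)
VOWELS = set("aeiou")


def executable_path(cmd: str) -> str:
    """Return the program path from a Run value (quoted, or up to the first .exe)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def looks_generated(stem: str) -> bool:
    """Heuristic: names like jbrjbjjr or lphc9d6j0eafl, but not ctfmon or ccApp."""
    letters = [c for c in stem.lower() if c.isalpha()]
    digits = sum(c.isdigit() for c in stem)
    if not letters:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    return vowel_ratio == 0 or (digits > 0 and len(letters) >= 6 and vowel_ratio < 0.25)


def check_entry(kind: str, body: str) -> List[str]:
    """Return the reasons (possibly none) an entry is worth reviewing."""
    reasons = []
    if kind == "F2" and body.startswith("REG:system.ini: UserInit="):
        values = [v.strip().lower() for v in body.split("=", 1)[1].split(",") if v.strip()]
        extra = [v for v in values if v.rsplit("\\", 1)[-1] != "userinit.exe"]
        if extra:
            reasons.append("UserInit launches extra program(s): " + ", ".join(extra))
    elif kind == "O1" and body.startswith("Hosts: "):
        entry = body[len("Hosts: "):]
        if HOSTS_PAIR_RE.match(entry):
            reasons.append("hosts-file override present")
        else:
            reasons.append("hosts-file line is not an IP/hostname pair")
    elif kind == "O4":
        m = RUN_RE.search(body)
        if m:
            path = executable_path(m.group("cmd")).replace("/", "\\")
            parent, _, filename = path.rpartition("\\")
            stem = filename.rsplit(".", 1)[0]
            if SYSROOT_RE.match(parent):
                reasons.append("autorun binary sits directly in the Windows directory")
            if looks_generated(stem):
                reasons.append(f"file name '{filename}' looks machine-generated")
    elif kind == "O23" and "Unknown owner" in body:
        reasons.append("service has no publisher information")
    return reasons


def triage(log_text: str) -> List[Dict[str, str]]:
    """Scan every entry line of the log and collect one finding per reason."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        for reason in check_entry(m.group("kind"), m.group("body")):
            findings.append({"kind": m.group("kind"), "entry": line.strip(), "reason": reason})
    return findings


# Constructed sample: a subset of the entries from the log posted in the thread.
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
F2 - REG:system.ini: UserInit=userinit.exe,Phantom.exe
O1 - Hosts: [Phantom] 2005 Made By Evil[xiaou]. Greetz to good friend x140d4n. Based On sdbot&&mydoom.
O1 - Hosts: HellBot3 have BackDoor in HellMsn.h. The HellBot3 author is an idiocy!!!
O1 - Hosts: Play with The best Die like the rest.
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\\..\\Run: [lphc9d6j0eafl] C:\\WINNT\\system32\\lphc9d6j0eafl.exe
O4 - HKLM\\..\\Run: [jbrjbjjr] %systemroot%\\jbrjbjjr.exe
O4 - HKLM\\..\\Run: [brrbbbrr] %systemroot%\\brrbbbrr.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] ctfmon.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\\Program Files\\Norton Internet Security\\Norton AntiVirus\\SAVScan.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\\Program Files\\Common Files\\Symantec Shared\\CCPD-LC\\symlcsvc.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:<4} {f['reason']}\n     {f['entry']}")
```

Run it on a saved log with `triage(open("hijackthis.log").read())`. The output is a review list, not a verdict: the Symantec services in the sample stay quiet because they have a publisher and a normal path, while every hosts line, the second UserInit program and the vowel-less binaries in %systemroot% are raised. Anything flagged still needs the manual confirmation the post describes (ending the process, fixing the entry, deleting the file after reboot) rather than automatic removal.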
| 700677 | 2008-08-27 02:08:00 | I would say you've got this (www.sophos.com) Once you deal with the files / entries / do a scan with trojan remover, in the previous post, MAKE SURE Windows 2K is up to date. As I think this worm targets a Windows vulnerability |
Speedy Gonzales (78) | ||
| 700678 | 2008-08-27 02:10:00 | SpeedyG: I am doing the clean, but in the meantime: "Uninstall Symantec's program its hopeless" - is it hopeless because of its age or because it's Symantec? If it's Symantec, how does BitDefender stack up? The person asked me why they got infected with Symantec & LavaSoft Adaware. You stated: "Whoever owns this PC, tell them to quit opening emails with attachments ! If you dont know where its from , who its from, what its about. delete it" - are the infections a reflection of opening e-mails? |
NZHawk (4093) | ||
| 700679 | 2008-08-27 02:11:00 | Ok - will do. I would say you've got this (www.sophos.com/security/analyses/viruses-and-spyware/w32fanbota.html) Once you deal with the files / entries / do a scan with trojan remover, in the previous post, MAKE SURE Windows 2K is up to date. As I think this worm targets a Windows vulnerability |
NZHawk (4093) | ||
| 700680 | 2008-08-27 02:18:00 | Well, because of this worm, it has disabled (the link I gave) the updating of that Symantec program. And it has also stopped / blocked you / the person from going to any AV sites online, until you delete them in the hosts file. It's hopeless because it's Symantec, and it's got worse with every version, and it's bloatware. And it can slow a system down, just check some of the other threads in here. I've never used BitDefender, so I have no idea what it's like / does. I just use Avast Home, because it's free. This worm is the result of someone opening an email with an attachment (the link I posted shows the email), then it's installed it, and it's running. You can open emails (but if you DON'T KNOW who it's from, and if it's got an attachment, DON'T OPEN IT, DELETE IT). If you / whoever owns this PC uses IRC, quit it, as this worm uses IRC. |
Speedy Gonzales (78) | ||