
Re: HijackThisLog Analysis - Jonkirk

Date: Wednesday, 22 September, 2004 9:02 AM

Here is what you should do.

End the below suspicious processes:

C:\WINDOWS\sysxu.exe
C:\WINDOWS\system32\addoi.exe

Remove these search keys:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ivott.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ivott.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ivott.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ivott.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ivott.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ivott.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ivott.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ivott.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ivott.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ivott.dll/sp.html#37049
R3 - Default URLSearchHook is missing

Remove these additional browser plug-in keys (O2...O4):

O4 - HKLM\..\Run: [addoi.exe] C:\WINDOWS\system32\addoi.exe
O4 - HKLM\..\Run: [d3pd32.exe] C:\WINDOWS\system32\d3pd32.exe

Remove these extra items in IE menu (O8...O9):

O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

Remove these ActiveX Objects (aka Downloaded Program Files) if you are not using them (O16):

O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - website: download.sidestep.com/get/k00719/sb028.cab

Reboot the computer and put it into safe mode. Then delete these files from your C: drive.

c:\program files\partypoker\

Original log but with private information removed.


Logfile of HijackThis v1.98.2
Scan saved at 6:00:01 PM, on 9/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\sysxu.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\downloaded program\HijackThis\HijackThis.exe
C:\WINDOWS\system32\addoi.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = website: dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ivott.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ivott.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ivott.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ivott.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ivott.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ivott.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ivott.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ivott.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ivott.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ivott.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9E7072FF-CFC6-4623-8D56-A16A3B9CB9FF} - C:\WINDOWS\system32\atlwj32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\ycomp5_2_3_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB002" /M "Stylus CX5400"
O4 - HKLM\..\Run: [addoi.exe] C:\WINDOWS\system32\addoi.exe
O4 - HKLM\..\Run: [d3pd32.exe] C:\WINDOWS\system32\d3pd32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: Yahoo! NBA StatTracker - website: aud4.sports.yahoo.com/java/y/nbast8268_x.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - website: 207.188.7.150/280a2eed77e5ee97a217/netzip/RdxIE601.cab
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - website: download.sidestep.com/get/k00719/sb028.cab
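The reply above picks out three patterns from the log by eye: R0/R1 start and search pages pointing at a `res://` URL (an HTML page embedded as a resource inside a local DLL, which survives a normal home-page reset), a missing default URLSearchHook (R3), and O2/O4 entries that load an unnamed BHO or a Run value named after its own executable from system32. The helper below is an added example, not code from this post or from HijackThis, that applies those same checks to HijackThis-style log lines so a long log can be triaged before anything is removed. The sample lines are constructed from a handful of entries in the log above (GUIDs and paths as shown there; the `http://www.example.com/` value is a placeholder); the "name equals its own .exe" rule for O4 is a heuristic, not a HijackThis classification.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the post)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample modelled on a few entries of the log in the post.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ivott.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ivott.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.example.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {9E7072FF-CFC6-4623-8D56-A16A3B9CB9FF} - C:\WINDOWS\system32\atlwj32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [addoi.exe] C:\WINDOWS\system32\addoi.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
"""

HJT_LINE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
RUN_ENTRY = re.compile(r"\[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "R1" or "O4"
    reason: str    # why the entry was flagged
    line: str      # the original log line


def _command_basename(cmd: str) -> str:
    """Return the executable file name from a Run value, quoted or unquoted."""
    cmd = cmd.strip()
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1]


def _check(sec: str, body: str) -> Optional[str]:
    """Return a reason if the entry matches one of the hijack patterns, else None."""
    if sec == "R3" and "URLSearchHook is missing" in body:
        return "default URLSearchHook removed"
    if sec in ("R0", "R1") and " = " in body:
        value = body.split(" = ", 1)[1].strip()
        if value.lower().startswith("res://"):
            # Start/search page served from a DLL resource: resetting the
            # home page in IE does not remove the DLL that serves it.
            return "IE start/search page served from a local DLL resource (res://)"
    if sec == "O2":
        parts = [p.strip() for p in body.split(" - ")]
        if parts[0].startswith("BHO: (no name)") and "\\system32\\" in parts[-1].lower():
            return "unnamed BHO loaded from system32"
    if sec == "O4":
        m = RUN_ENTRY.search(body)
        if m and "\\system32\\" in m["cmd"].lower():
            # Heuristic: installers usually name the Run value after the product;
            # a value that is just its own .exe name (addoi.exe) is a dropper habit.
            if m["name"].lower() == _command_basename(m["cmd"]).lower():
                return "Run entry named after its own executable in system32"
    return None


def triage(log_text: str) -> List[Finding]:
    """Parse a HijackThis log and return the entries that match a hijack pattern."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue  # header, process list, blank line
        reason = _check(m["sec"], m["body"])
        if reason:
            findings.append(Finding(m["sec"], reason, line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count flagged entries per HijackThis section."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Run against the sample, the helper flags the two `res://` R-lines, the R3 line, the unnamed BHO and the `addoi.exe` Run entry, and leaves the Google BHO, the quoted `ccApp` Run entry and the PartyPoker button alone; the last two are the kind of entries the reply removes as unwanted rather than as hijack indicators, which is a judgement a script should leave to the person reading the log.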

