-
August 7th, 2004, 06:22 AM
#1
Need Help with Hijack This log...
I have recently been hit with a huge spyware/adware attack, I accidently clicked yes to a pop up and boy will I never make that mistake again lol. Anyway, I was hit with well over 200 things of malware. I spent hours cleaning up after it with Spybot, Adaware, and CWshredder. But I still noticed things, like my connection dropping, which was already discussed, and also pop ups and this weird box that pops up and the only way to get rid of it is to restart my comp. I did a Hijack This scan and check it out... Now I'm no Hijack This genius but I don't think the "hosts" are a good sign that my fully updated spybot, adaware, and CWshredder and not to mention Avast! did it's job very well...
Logfile of HijackThis v1.97.7
Scan saved at 12:22:32 AM, on 8/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\2Wire\Gateway\2PortalMon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\2Wire Wireless\Client Manager\CMTWO.EXE
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NTS\ENTERN~1\app\pppoeservice.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Documents and Settings\Devin Taylor\Desktop\Devin computer defenses\hijackthis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcyds.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8100
O1 - Hosts: 64.200.25.145 gator.com #cooklop
O1 - Hosts: 64.200.25.145 www.gator.com #cooklop
O1 - Hosts: 64.200.25.145 doubleclick.net #cooklop
O1 - Hosts: 64.200.25.145 www.doubleclick.net #cooklop
O1 - Hosts: 64.200.25.145 tripod.com #cooklop
O1 - Hosts: 64.200.25.145 www.tripod.com #cooklop
O1 - Hosts: 64.200.25.145 adultfriendfinder.com #cooklop
O1 - Hosts: 64.200.25.145 www.adultfriendfinder.com #cooklop
O1 - Hosts: 64.200.25.145 cj.com #cooklop
O1 - Hosts: 64.200.25.145 www.cj.com #cooklop
O1 - Hosts: 64.200.25.145 paypopup.com #cooklop
O1 - Hosts: 64.200.25.145 www.paypopup.com #cooklop
O1 - Hosts: 64.200.25.145 trafficmp.com #cooklop
O1 - Hosts: 64.200.25.145 www.trafficmp.com #cooklop
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 28
O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2PortalMon.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: 2Wire Wireless Client Manager.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O9 - Extra button: Joyo (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: PowerWord (HKLM)
O9 - Extra button: Real.com (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://surechat.com:9000/Java/cfs31229.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_41.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://www.ea.com/downloads/rtpatch/EARTPX.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
Thanks in advance for any help
-
August 7th, 2004, 06:36 AM
#2
I'm not that great at reading hijack this logs but I did a search on lspak.dll and came up with some things. It seems you can't just delete it or it will screw up your connection. You need to run lsp-fix form here first: http://www.cexx.org/lspfix.htm. Then it will be safe for removal. Hope this helps.
When death sleeps it dreams of you...
-
August 7th, 2004, 06:51 AM
#3
Well, I would try that out, but the link doesn't work...
-
August 7th, 2004, 06:56 AM
#4
Before we go any further-
Confirm for us that you ran updated spybot, adaware, and AV scans in both safe and normal mode?
Also run housecall.trendmicro.com's virus scanner.
-
August 7th, 2004, 07:06 AM
#5
yes I have, I also ran other things like bitdefender's online scan and a couple other's...
-
August 7th, 2004, 08:41 AM
#6
Blah, the link doesn't work because it has a period at the end of it http://www.cexx.org/lspfix.htm
When death sleeps it dreams of you...
-
August 7th, 2004, 09:18 AM
#7
I'm going to recommend to you, what everyone reading this log is going to be doing anyways:
http://www.google.com
I'm not flaming you, just behing honest. That's how Hijack logs are responded to, people google the information for you.
-
August 7th, 2004, 09:37 AM
#8
hi
Or wait for the HijackThis Team to arrive....Tsk Tsk Groove and meeeeee.
Personally i am not good reading these logs so i don't even try to ...........so the best thnk is to ask some who knows what to look for......apart from the google..
What i would suggest is don't take random advice on these CWS Trojan issues ...........these thinks are interlinked and there is a set procedure to get rid of them..........deleteing random files will not help well generally......Take advice form one person.....and make sure that person know what to look for........So wait for someone like those two gentelmen to arrive.........they might be able to help you appropriately.......both are genegally quick to respont to these kind of threads these days.........
--Good Luck--
-
August 7th, 2004, 03:47 PM
#9
I'm going to recommend to you, what everyone reading this log is going to be doing anyways:
Muerto, good catch. Removing 010's with HJT will break your internet connection by destroying your winsock, which in most cases requires a reinstall of the OS. You won't find that on Google.
***************
Create a new restore point first..most times this next step works flawlessly. I want you to be prepared in case you are the 1% where it goes wrong.
Please Download LSPFix from http://www.cexx.org/lspfix.htm and Run the Program. Disconnect from the Internet and close all Internet Explorer Windows. Check the "I know what I'm doing" Button and remove all traces of lspak.dll, cdlsp.dll, and nothing else . Reboot
Downlaod the VX2 plug-in for Adaware from here:
http://updates.ls-servers.com/plvx2cleaner.exe
Install it, but don't run it yet.
Also, verify that Adaware is fully up to date. New definitions came out yesterday.
Update your version of HJT to 1.98 from here:
http://www.downloads.subratam.org/hijackthis.zip
Put a checkmark next to the following entries in HijackThis. Make sure all
other windows and browsers are closed before clicking on “Fix Checked”.
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcyd...//www.yahoo.com
O1 - Hosts: 64.200.25.145 gator.com #cooklop
O1 - Hosts: 64.200.25.145 www.gator.com #cooklop
O1 - Hosts: 64.200.25.145 doubleclick.net #cooklop
O1 - Hosts: 64.200.25.145 www.doubleclick.net #cooklop
O1 - Hosts: 64.200.25.145 tripod.com #cooklop
O1 - Hosts: 64.200.25.145 www.tripod.com #cooklop
O1 - Hosts: 64.200.25.145 adultfriendfinder.com #cooklop
O1 - Hosts: 64.200.25.145 www.adultfriendfinder.com #cooklop
O1 - Hosts: 64.200.25.145 cj.com #cooklop
O1 - Hosts: 64.200.25.145 www.cj.com #cooklop
O1 - Hosts: 64.200.25.145 paypopup.com #cooklop
O1 - Hosts: 64.200.25.145 www.paypopup.com #cooklop
O1 - Hosts: 64.200.25.145 trafficmp.com #cooklop
O1 - Hosts: 64.200.25.145 www.trafficmp.com #cooklop
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
***********************************************************************
Open notepad and paste in the following lines:
del c:\ *.tmp
del %temp%\*.tmp /f
del %windir%\prefetch\*.*
del %windir%\temp\*.* /f
Save to desktop as 'clean.bat' , file types-‘all files’
***********************************************************************
Reboot into safe mode.
Run Adaware with the following options:
- Configure Ad-aware
- Click on the Gear-shaped icon at the top to open the Settings window.
- All of the following settings I mention should be enabled (green checkmark). Some settings cannot be enabled in certain versions of Windows. If a setting I mention is grey and can't be enabled, skip it.
- General Settings - Automatically save log-file, Automatically quarantine objects prior to removal, and Safe Mode (always request confirmation)
- Scanning Settings
- Scan Within Archives
- Click on 'Click here to select drives + folders' and check next to each hard drive then hit ok.
- Scan Active Processes
- Scan Registry
- Deep Scan Registry
- Scan my IE favorites for banned URL’s
- Scan my Hosts file
- Advanced Settings - Enable all four options under 'Log-file Detail level'
- Tweak Settings
- Under 'Scanning Engine' - Enable 'Unload recognized processes during scanning', 'Include basic Ad-aware settings in logfile', and 'Include additional Ad-aware settings in logfile'
- Under ‘Cleaning Engine’ - Enable 'Let Windows remove files in use at next reboot'
- Click Proceed
- Click on the 'Start' button in the lower right.
- Select 'Use custom scanning options', enable 'Activate in-depth scanning', and click Next. The scan will take several minutes to complete. When the scan is complete click Next.
- Right click on the list of items and click 'Select all items' then click Next. Press Yes to confirm. The detected items are now quarantined.
- Close Ad-aware
Next, open Adaware again, and run the VX2 finder Plugin that you installed.
Then run adaware again to clean up what the plug in found.
Run the clean.bat that you created before.
Then reboot and post a new log.
-
August 7th, 2004, 03:49 PM
#10
I'm sure that Soda hasn't forgot that he is the author of the following thread on HJT log reading.............
So I'll post it anyway.
http://www.antionline.com/showthread...hreadid=255989
[edit] belay that, pull up a chair and listen real close, let Uncle Groove tell you a story. [/edit]
so now I'm in my SIXTIES FFS
WTAF, how did that happen, so no more alterations to the sig, it will remain as is now
Beware of Geeks bearing GIF's
come and waste the day :P at The Taz Zone
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|