Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

HiJackThis report, help!!!

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

HiJackThis report, help!!!

Unread postby spense08 » January 26th, 2005, 3:50 pm

this is my report, i keep having this thing attack my homepage and just random pop-ups, also a trojan i think:

Logfile of HijackThis v1.99.0
Scan saved at 2:54:33 PM, on 1/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\c_12ream.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.klikfeed.com/search.php?aff= ... hentermine
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.klikfeed.com/search.php?aff= ... hentermine
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - (no file)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [sqzdle] C:\WINDOWS\System32\pluvnvp.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKCU\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: winupdate80736416[1].exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/c ... /pt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/c ... potb_x.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://dev-www.fileplanet.com/fpdlmgr/c ... 0_0_41.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/31610a24c28 ... xIE601.cab
O16 - DPF: {5649097C-2C98-4D25-8B20-6556B5A894CC} (CIUSetup Object) - http://download.novustek.com/bin/iuwsetup.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 6677007234
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs2b.instantservice.com/jars/cus ... gned35.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://www.webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZI ... b32846.cab
O16 - DPF: {D42ED9FF-DF46-4AD9-A3FE-46BAF896466E} (CountSpies.SpyCounter) - http://www.sunbelt-software.com/dell/CounterSpy.CAB
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by24fd.bay24.hotmail.msn.com/act ... Atchmt.ocx
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS1\Services\VxD\MSTCP: Domain = mydomain.com
O21 - SSODL: MSTskMgr32 - {941852D5-B76D-409D-B7C4-C13ECC3A5609} - C:\WINDOWS\System32\xcopevxx.dll
O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: NT Log Checker - Unknown - C:\WINDOWS\System32\c_12ream.exe
spense08
Active Member
 
Posts: 2
Joined: January 26th, 2005, 3:45 pm
Advertisement
Register to Remove

Unread postby spense08 » January 26th, 2005, 4:03 pm

by the way, its also seems that at startup, some interesting adult material tries to connect me by like, choosing my country? it also appears to be hijacking tmp files, this log might be the same but it might help, i cant look through it all, i must go, good luck

Logfile of HijackThis v1.99.0
Scan saved at 3:04:54 PM, on 1/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\c_12ream.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\DOCUME~1\Spenser\LOCALS~1\Temp\tmp104.tmp
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.klikfeed.com/search.php?aff= ... hentermine
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.klikfeed.com/search.php?aff= ... hentermine
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - (no file)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [sqzdle] C:\WINDOWS\System32\pluvnvp.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKCU\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: winupdate80736416[1].exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/c ... /pt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/c ... potb_x.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://dev-www.fileplanet.com/fpdlmgr/c ... 0_0_41.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/31610a24c28 ... xIE601.cab
O16 - DPF: {5649097C-2C98-4D25-8B20-6556B5A894CC} (CIUSetup Object) - http://download.novustek.com/bin/iuwsetup.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 6677007234
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs2b.instantservice.com/jars/cus ... gned35.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://www.webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZI ... b32846.cab
O16 - DPF: {D42ED9FF-DF46-4AD9-A3FE-46BAF896466E} (CountSpies.SpyCounter) - http://www.sunbelt-software.com/dell/CounterSpy.CAB
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by24fd.bay24.hotmail.msn.com/act ... Atchmt.ocx
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS1\Services\VxD\MSTCP: Domain = mydomain.com
O21 - SSODL: MSTskMgr32 - {941852D5-B76D-409D-B7C4-C13ECC3A5609} - C:\WINDOWS\System32\xcopevxx.dll
O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: NT Log Checker - Unknown - C:\WINDOWS\System32\c_12ream.exe
spense08
Active Member
 
Posts: 2
Joined: January 26th, 2005, 3:45 pm

Unread postby ChrisRLG » January 26th, 2005, 5:11 pm

Hi there,

My name is ChrisRLG and I will be assisting you.


This would be optional to add to the list below - if you no longer do file sharing on that network - they are the easiest way to get infected. :(
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h

You will see that I am disabling spysweeper at the start of this fix - that is because if it is running it could interfer with the fix - not becaise it is bad.

I am including viewpoint manager in this fix - it is optional but recommended.

O4 - Startup: PowerReg Scheduler.exe
Is an optional fix - it is a program register nag reminder program.

Please set your system to show all files; see here for how to do this if you're unsure.

The following are mandatory fixes:
Press Control-Alt-Del to enter the Task Manager.
Click on the Processes tab and end the following processes:

C:\WINDOWS\System32\c_12ream.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\DOCUME~1\Spenser\LOCALS~1\Temp\tmp104.tmp
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


Exit the Task Manager when finished

Close all programs down, leaving only HijackThis running.
Place a check against the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.klikfeed.com/search.php?aff= ... hentermine
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.klikfeed.com/search.php?aff= ... hentermine
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: (no name) - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - (no file)
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [sqzdle] C:\WINDOWS\System32\pluvnvp.exe
O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe
O4 - HKCU\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: winupdate80736416[1].exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O21 - SSODL: MSTskMgr32 - {941852D5-B76D-409D-B7C4-C13ECC3A5609} - C:\WINDOWS\System32\xcopevxx.dll
O23 - Service: NT Log Checker - Unknown - C:\WINDOWS\System32\c_12ream.exe


Click on Fix Checked and exit HijackThis.

Reboot into Safe Mode: see here if you don't know how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:

C:\WINDOWS\System32\c_12ream.exe
C:\DOCUME~1\Spenser\LOCALS~1\Temp\(all content - but not the folder itself)
C:\Program Files\Viewpoint\Viewpoint Manager\
C:\WINDOWS\System32\pluvnvp.exe
C:\Program Files\AdStatus Service\
C:\PROGRA~1\COMMON~1\WinTools\
C:\WINDOWS\System32\xcopevxx.dll
This one you will need to search your computer for - it is probably in the windows or windows/system32 folder :-
winupdate80736416[1].exe


Exit Explorer, and reboot as normal afterwards.

Post back a fresh HijackThis log and we'll take another look.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby ChrisRLG » February 9th, 2005, 9:45 am

Due to the time delay in a reply to this topic - a new hijackthis log etc would be required, so please post a new one in a new topic should you still require assistance.

This topic is now closed. If you wish it
reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.


Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 294 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware