HJT log: pop ups, homepage been taken over

Author	All Replies
strat_6400 join:2005-03-27	HJT log: pop ups, homepage been taken over OK, I have been at this the past half a day! I have read the HJT help file and done most of the instructions on it including the TDS and Trojen Hunter. Here is my HJT file, most upto date version available: Would be greateful for any help Logfile of HijackThis v1.99.1 Scan saved at 23:16:44, on 03/04/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Norton Internet Security\NISUM.EXE C:\Program Files\Norton Internet Security\ccPxySvc.exe C:\CFusionMX\runtime\bin\jrunsvc.exe C:\WINDOWS\System32\CTSvcCDA.EXE C:\CFusionMX\runtime\bin\jrun.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\SONY\vaio media music server\SSSvr.exe C:\Program Files\sony\photo server\appsrv\PhotoAppSrv.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe C:\Program Files\Common Files\Sony Shared\vaio media platform\sv_httpd.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\sony shared\vaio media platform\UPnPFramework.exe C:\Program Files\Common Files\Sony Shared\vaio media platform\UPnPFramework.exe C:\WINDOWS\System32\carpserv.exe C:\Program Files\Apoint\Apoint.exe C:\WINDOWS\System32\ezSP_Px.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\WINDOWS\System32\ICO.EXE C:\Program Files\Sony\HotKey Utility\HKserv.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Apoint\Apntex.exe C:\Program Files\Sony\HotKey Utility\HKWnd.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe C:\Program Files\WinZip\WZQKPICK.EXE C:\PROGRA~1\WINZIP\winzip32.exe C:\Documents and Settings\Rob Jordan\Local Settings\Temp\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = »letgohome.com/sp.htm?id=9 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = »letgohome.com/sp.htm?id=9 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = »letgohome.com/sp.htm?id=9 O1 - Hosts: 64.91.255.87 www.dcsresearch.com O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [CARPService] carpserv.exe O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [hpppta] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppta.exe /ICON O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe O4 - HKLM\..\Run: [wtkvyl] C:\WINDOWS\wtkvyl.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe" O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/ O15 - Trusted Zone: *.greg-search.com O16 - DPF: {36AEF20A-BEF1-1262-D9AB-2A781B8B1FF2} - »69.50.182.94/1/gdnIE1862.exe O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - »support.f-secure.com/ols/fscax.cab O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} (VacPro.internazionale_ver4) - »advnt01.com/dialer/internazionale_ver4.CAB O17 - HKLM\System\CCS\Services\Tcpip\..\{C6F74F96-0051-42D4-9E3D-E3558D4C648E}: NameServer = 159.134.237.6 159.134.248.17 O20 - AppInit_DLLs: bc5vgpfj7nx.dll O21 - SSODL: SystemCheck - {54645654-2225-4455-44A1-9F4543D34544} - C:\WINDOWS\System32\vbsys.dll O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing) O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe O23 - Service: ColdFusion MX Application Server - Macromedia Inc. - C:\CFusionMX\runtime\bin\jrunsvc.exe O23 - Service: ColdFusion MX ODBC Agent - Unknown owner - C:\CFusionMX\db\slserver52\bin\swagent.exe (file missing) O23 - Service: ColdFusion MX ODBC Server - Unknown owner - C:\CFusionMX\db\slserver52\bin\swstrtr.exe (file missing) O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\SONY\vaio media music server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (file missing) O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\vaio media platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing) O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\vaio media platform\UPnPFramework.exe O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\sony\photo server\appsrv\PhotoAppSrv.exe O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing) O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\sony shared\vaio media platform\UPnPFramework.exe
strat_6400 join:2005-03-27	to forum · permalink · · 2005-04-03 18:21:37 ·
Cudni La Merma - Vigilado Premium,MVM join:2003-12-20 Someshire	What happened since »HJT Log-about:Blank taken over+pop ups re spyware when you had it fixed? Cudni
	to forum · permalink · · 2005-04-03 18:37:08 ·
strat_6400 join:2005-03-27	This is a different computer, got stuck trying to fix this as well!! Is there anything that I am missing, think the homepage is back working, I think! But there is still some pop ups saying that the computer is infected.
strat_6400 join:2005-03-27	to forum · permalink · · 2005-04-03 18:40:31 ·
CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL	reply to strat_6400 You really need to run this PC through some of the online AV scans. It would have caught few things on here. 1. Make sure your PC is configured to show hidden files How to Show Hidden Files »www.xtra.co.nz/help/0,,4155-1916458,00.html 2. Make a copy of these instructions so you have them handy as the next steps need to be done offline with IE closed. 3. Disonnect from the internet, and keep IE and any other browsers or windows closed with only Hijackthis open. Scan with HijackThis and checkmark these items, then press fix checked R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = »letgohome.com/sp.htm?id=9 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = »letgohome.com/sp.htm?id=9 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = »letgohome.com/sp.htm?id=9 O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe O4 - HKLM\..\Run: [wtkvyl] C:\WINDOWS\wtkvyl.exe O15 - Trusted Zone: .greg-search.com O16 - DPF: {36AEF20A-BEF1-1262-D9AB-2A781B8B1FF2} - »69.50.182.94/1/gdnIE1862.exe O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} (VacPro.internazionale_ver4) - »advnt01.com/dialer/internazionale_ver4.. O20 - AppInit_DLLs: bc5vgpfj7nx.dll O21 - SSODL: SystemCheck - {54645654-2225-4455-44A1-9F4543D34544} - C:\WINDOWS\System32\vbsys.dll Delete this folder: c:\program files\180solutions* Delete these files: bc5vgpfj7nx.dll C:\WINDOWS\System32\vbsys.dll 4. Follow additional removal instructions here: »www.doxdesk.com/parasite/nCase.html You have the sais variant 5. Get an online scan at one ...preferably two of the following and let them delete any infected files found: Panda's Active Scan »www.pandasoftware.com/activescan···ipal.htm Trend Micro (PC-cillin) - Free on-line Scan »housecall.antivirus.com RAV Antivirus Online Scan »www.ravantivirus.com/scan/ eTrust AV web scanner (Computer Associates) »www3.ca.com/virusinfo/virusscan.aspx 6. Finally, when done, reboot your PC. Scan again with HijackThis and post a fresh log for review -- It takes a disaster to make a woman out of a female Gladiator Security Forum Proud Member of ASAP (Alliance of Security Analysis Professionals)
CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL	to forum · permalink · · 2005-04-03 19:13:23 ·
strat_6400 join:2005-03-27	Have gotten as far as step three. When running the HJT program, it could not fix the step: line - 020. I could not delete any of the following either: "bc5vgpfj7nx.dll" and the 180solutions folder as I could not find it even through windows search. Am i missing something here or should I continue to step 4?? HJT Log: Logfile of HijackThis v1.99.1 Scan saved at 00:57:26, on 04/04/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Norton Internet Security\NISUM.EXE C:\Program Files\Norton Internet Security\ccPxySvc.exe C:\CFusionMX\runtime\bin\jrunsvc.exe C:\WINDOWS\System32\CTSvcCDA.EXE C:\Program Files\Norton AntiVirus\navapsvc.exe C:\CFusionMX\runtime\bin\jrun.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\SONY\vaio media music server\SSSvr.exe C:\Program Files\sony\photo server\appsrv\PhotoAppSrv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\MsPMSPSv.exe C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe C:\Program Files\Common Files\sony shared\vaio media platform\UPnPFramework.exe C:\Program Files\Common Files\Sony Shared\vaio media platform\sv_httpd.exe C:\Program Files\Common Files\Sony Shared\vaio media platform\UPnPFramework.exe C:\WINDOWS\System32\carpserv.exe C:\Program Files\Apoint\Apoint.exe C:\WINDOWS\System32\ezSP_Px.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\WINDOWS\System32\ICO.EXE C:\Program Files\Sony\HotKey Utility\HKserv.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Apoint\Apntex.exe C:\Program Files\Sony\HotKey Utility\HKWnd.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe C:\Program Files\WinZip\WZQKPICK.EXE C:\WINDOWS\System32\wbem\wmiprvse.exe C:\Documents and Settings\Rob Jordan\Desktop\Robs Folder\My Folder\Misc\Virus Dector\Hijackthis\HijackThis.exe O1 - Hosts: 64.91.255.87 www.dcsresearch.com O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [CARPService] carpserv.exe O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [hpppta] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppta.exe /ICON O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe" O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/ O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - »support.f-secure.com/ols/fscax.cab O20 - AppInit_DLLs: bc5vgpfj7nx.dll O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing) O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe O23 - Service: ColdFusion MX Application Server - Macromedia Inc. - C:\CFusionMX\runtime\bin\jrunsvc.exe O23 - Service: ColdFusion MX ODBC Agent - Unknown owner - C:\CFusionMX\db\slserver52\bin\swagent.exe (file missing) O23 - Service: ColdFusion MX ODBC Server - Unknown owner - C:\CFusionMX\db\slserver52\bin\swstrtr.exe (file missing) O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\SONY\vaio media music server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (file missing) O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\vaio media platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing) O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\vaio media platform\UPnPFramework.exe O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\sony\photo server\appsrv\PhotoAppSrv.exe O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing) O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\sony shared\vaio media platform\UPnPFramework.exe
strat_6400 join:2005-03-27	to forum · permalink · · 2005-04-03 20:04:03 ·


Friday, 27-Nov 15:34:18	Terms of Use \| Privacy Policy \| Hosting by www.nac.net - DSL,Hosting & Co-lo \| feedback \| contact over 10 years online! © 1999-2009 dslreports.com. page compression OFF