    holidayinn Posts: 1, Reputation: 1
    New Member
    #1

    Jan 4, 2005, 08:22 PM
    Trojan.Startpage
    This virus has taken over my machine and I need it gone. I've used Ad-aware, Norton Antivirus, and Panda Activescan and none have worked. Below is my logfile. Please help!!

    Logfile of HijackThis v1.99.0
    Scan saved at 1:40:39 PM, on 1/4/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\ibmpmsvc.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\NetMotion Client\messerv.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    C:\WINDOWS\System32\ibmsmbus.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\lotus\notes\ntmulti.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\WINDOWS\System32\RegSrvc.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\Ati2evxx.exe
    C:\WINDOWS\system32\RunDll32.exe
    C:\WINDOWS\system32\TpShocks.exe
    C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\IBMTOOLS\UTILS\ibmprc.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\NetMotion Client\nomtray.exe
    C:\Program Files\Belkin Mouse 1.0\MOUSE32A.EXE
    C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\nigzxbyfvenblthd.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\eRoom 7\ERClient7.exe
    C:\WINDOWS\System32\1XConfig.exe
    C:\WINDOWS\System32\WISPTIS.EXE
    C:\WINDOWS\SYSTEM32\cidaemon.exe
    C:\WINDOWS\SYSTEM32\cidaemon.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\MCCRAYR\My Documents\My Received Files\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=543
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=543
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=543
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=543
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=543
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.diamondcluster.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sonic.com/default.asp?lang=ENU
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = hodc-cache.allstate.com:8088
    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\system32\W8C6S4~1.DLL
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
    O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
    O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
    O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [IBM Warranty Notification] "C:\Program Files\IBM\acp\ERTS0749\ERTS0749.exe /nointro"
    O4 - HKLM\..\Run: [nomtray] C:\Program Files\NetMotion Client\nomtray.exe
    O4 - HKLM\..\Run: [lukhddcrn] C:\WINDOWS\System32\ouflmi.exe
    O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Belkin Mouse 1.0\MOUSE32A.EXE
    O4 - HKLM\..\Run: [QCWLIcon] C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
    O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\system32\nigzxbyfvenblthd.exe
    O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Monitor My eRooms (V7).lnk = C:\Program Files\eRoom 7\ERClient7.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
    O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://chgmail1.diamondcluster.com/iNotes6.cab
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} (ERPageAddin Class) - https://eroom.diamondcluster.com/eRoomSetup/client.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://themeetingson.webex.com/clie...ex/ieatgpc.cab
    O20 - AppInit_DLLs: w8c6s4xcm66t67l.dll.dll.dll.dll.dll.dll.dll.dll.dll
    O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: IBM Rapid Restore Ultra Service - Unknown - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    O23 - Service: IBM PM Service - Unknown - C:\WINDOWS\System32\ibmpmsvc.exe
    O23 - Service: SMBus Upgrade Service for Windows 2000 and above - International Business Machines Corp. - C:\WINDOWS\System32\ibmsmbus.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NetMotion Client - NetMotion Wireless, Inc. - C:\Program Files\NetMotion Client\messerv.exe
    O23 - Service: Multi-user Cleanup Service - Unknown - C:\Program Files\lotus\notes\ntmulti.exe
    O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: IBM PSA Access Driver Control - Unknown - C:\WINDOWS\system32\PsaSrv.exe (file missing)
    O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
    O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

    Also, if anything else looks out of place inform me. Ignore Diamondcluster.
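As an added example (not from the post, and not part of HijackThis itself), a small Python triage script that parses lines in the HijackThis log format shown above and flags the entry types that matter in this log: R0/R1 pages pointing at an unexpected host, O4 autoruns with random-looking names, any O20 AppInit_DLLs entry, and O23 services with an unknown vendor or a missing binary. The TRUSTED_HOSTS allowlist and the sample lines are assumptions constructed for this example, modelled on the entries in the log.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist for this example: hosts the user expects as IE start/search pages.
TRUSTED_HOSTS = {"www.diamondcluster.com"}

# Constructed sample in HijackThis log format, modelled on entries from the
# post above (win-eto.com hijack, a random-named Run entry, AppInit_DLLs).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=543
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.diamondcluster.com
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\system32\nigzxbyfvenblthd.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O20 - AppInit_DLLs: w8c6s4xcm66t67l.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: IBM PSA Access Driver Control - Unknown - C:\WINDOWS\system32\PsaSrv.exe (file missing)
"""
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")   # "O4 - <body>"
URL_RE = re.compile(r"=\s*(https?://\S+)")                      # "... = http://host/..."

def looks_random(name):
    """Rough heuristic: long name with few vowels (e.g. nigzxbyfvenblthd).
    Short junk names slip through, so treat this as a triage aid, not a verdict."""
    letters = [c for c in name.lower() if c.isalnum()]
    vowels = sum(c in "aeiou" for c in letters)
    return len(letters) >= 12 and vowels / len(letters) < 0.25

def triage(log_text):
    """Return (line, reason) pairs for entries that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R0", "R1"):           # IE start/search page and similar URL settings
            u = URL_RE.search(body)
            if u and urlsplit(u.group(1)).hostname not in TRUSTED_HOSTS:
                findings.append((line, "IE page setting points to an untrusted host"))
        elif kind == "O4":                 # autorun entry: [value name] target [args]
            name = body[body.find("[") + 1:body.find("]")]
            rest = body.split("]", 1)[-1] if "]" in body else body.split("=", 1)[-1]
            tokens = rest.strip().rsplit("\\", 1)[-1].split()   # basename, args dropped
            base = tokens[0].strip('"') if tokens else ""
            if looks_random(name) or looks_random(base.split(".")[0]):
                findings.append((line, "autorun entry with a random-looking name"))
        elif kind == "O20":                # AppInit_DLLs is loaded by every process using user32.dll
            findings.append((line, "AppInit_DLLs entry injects a DLL system-wide"))
        elif kind == "O23" and ("- Unknown -" in body or "(file missing)" in body):
            findings.append((line, "service with unknown vendor or missing binary"))
    return findings
```

Running triage(SAMPLE_LOG) flags four of the seven sample lines; the two legitimate entries (the Synaptics autorun and the Symantec service) pass.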
    fredg Posts: 4,926, Reputation: 674
    Ultra Member
    #2

    Jan 5, 2005, 04:47 AM
    Trojan
    Hi,
    You really don't need to run HijackThis, or any logfile; that's a long one.

    Here are steps to rid your computer of any Trojan, and also some tips and a free program to stop this stuff before it ever gets into the computer:

    If you think you already have Spyware/Advertising Ware in your computer, run these as follows:
    Spyware/Advertising ware removal

    http://www.security-related.com/download2.htm
    Download: SpyBot Search & Destroy; 1.3

    AdAware at:
    www.lavasoftusa.com
    Download: AdAware_SE

    Both the above programs run better and much faster when run in SafeMode.
    It's best to run the AdAware scan first; 3 times; then re-boot.
    Then, run the AdAware scan again 3 times; then run the SpyBot.
    Re-boot.
    Reason for running so many times:
    Some of these trojans' files can be deleted the first time; leaving some others; but on re-boot, they re-write the files that were deleted.
    Running multiple times deletes most of it the first time.

    If you wish to have a great program, after you clean out Spyware/Advertising Ware:
    SpyWare Blaster 3.2
    Great, free program that STOPS spyware, trojans, home page hijacks, etc., BEFORE they get into your computer. Check it out at CNET at link:

    http://www.download.com/SpywareBlast...ml?tag=lst-0-2

    Two Tips:
    If you notice the little green computer lights that show your dial-up connection to the internet staying on when they shouldn't be, located on the bottom right of the system tray, disconnect immediately and run AdAware. These lights staying on means that some URL is sending or receiving spyware/advertising ware to or from your computer, most of the time.

    Other Tip: After being on the net, if you have visited any sites you don't really trust, then run AdAware BEFORE you shut down or re-start the computer. This will delete any Spyware easier, before the computer can configure it, set it up, spread it throughout the Registry, and make it more difficult to remove after re-booting.

    If the above doesn't work, then try editing the Registry.
    First, back up your Registry. The simplest way to do it is to shut down the computer, wait a few seconds, then turn it back on. It will automatically back up the Registry when booting up.

    BE CAREFUL when deleting things from the Registry; your computer might not re-boot.
    When the computer boots up, the Registry tells it what programs to run; telling it to run the SpyWare/Advertising programs first, if in the computer.
    Here are steps for deleting things that startup when you boot up the computer:

    Go to Start/Run. Type in "regedit" without quotes, then click on OK.
    At the top, Click on "Edit", then "Find".
    In the space Find What: type in what you want to find. (in this case, RUN).
    Then, put a check mark by "Match whole string only". This will keep the search from stopping at every word it finds, like the word "run", etc.
    Then click "Find Next". It will search the registry for the first entry you typed in.
    It will "open" a folder on the left hand side of the screen, showing what is in the folder on the right hand side. If you know that an entry on the right hand side is something you no longer have, or has just been added with a name you don't know, then right click on it, then left click "delete", tell it Yes or OK to remove it.
    Then, press F3 on the top of the keypad to continue the search.
    When finished, at the top, click on File, Exit.

    Any StartUp programs, that start when the computer boots up will be listed in folders on the left hand side of the screen with names like:
    RUN, RUNSERVICES, RUNONCE, RUN-, etc.
    Click on the next folder down with the name RUN in it, to look at its startups on the right hand side.

    You can also search for other words, rather than RUN, such as Hotsearchbar, or whatever, and delete values on the right hand side associated with it.

    If the spyware/advertising program has re-set your home page, you will have to type in the home page you want; click on Apply, and OK.

    I know all the above is a LOT of stuff, but if you follow it, you will be rid of any Trojans.
    Also, I personally use the Spyware Blaster program, and have not had even 1 spyware/advertising/trojan program/files in my computer since I installed it.
    Best of luck,
    fredg
