Hi,
Can anyone check my HJL, I think I've been infected...
Logfile of HijackThis v1.99.0
Scan saved at 17:30:39, on 05/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\iupdate.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\FREESE~1\BIN\WIN2K\tidslmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Hijackthis\hijackthis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [TIxDSL] C:\PROGRA~1\FREESE~1\BIN\WIN2K\tidslmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{722438E7-B248-42B9-9D20-6431B2F9FFB9}: NameServer = 195.92.195.95 195.92.195.94
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Procedure Call (RPC) Manager - Unknown - c:\iupdate.exe
Full Version: Hijack Log
First, please check your private message box at the top of the forum. I've sent you my email address and request for copies of files in a zip file so that I can submit them for analysis.
1. Download this tool called AboutBuster http://www.downloads.subratam.org/AboutBuster.zip
or here:
http://malwarebytes.biz/AboutBuster.zip
Unzip it to your desktop but don't run it yet.
2. Download CWShredder (free):
Download it here:
http://www.majorgeeks.com/download3019.html
This is a special tool for removing CoolWebSearch and its variants.
a) Download and run CWShredder.
b ) Click the "Check for Update" button and download any update found.
c) Click the "Fix" button to run it. It will scan for and delete any bad files found.
3. Do you already have Adaware installed. Make sure it's up to date. Just open Adaware and click on *Check for Updates Now* and then *Connect*. It will find a new reference-file. Click *ok* and let it download and install the updates by clicking on *Finish* .This will return you to the main screen.
4. Print out these instructions so you have them handy as most of the steps need to be done in safe mode and you may not be able to go online.
5. Make sure your PC is configured to show hidden files
Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"
6. Reboot to Safe Mode (you may want to copy these instructions as well)
How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam
7. Scan with HijackThis and checkmark these items, then press *fix checked*
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O23 - Service: Remote Procedure Call (RPC) Manager - Unknown - c:\iupdate.exe
8. Double click AboutBuster.exe that you downloaded earlier. Follow the directions that popup in the first screen (including how to save the log). Check for updates first then download if any are found. Then click on the *Start* button and then OK to start the scan.. This will scan your computer for the bad files and delete them. Save the report(use the *save log* button) and post a copy back here when you are done with all the steps.
9. Scan with Adaware and let it remove any bad files found.
10. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:
Temporary Files
Temporary Internet Files
Recycle Bin
11. Reboot to normal mode,
do an online scan at the following site. Let it remove any infected files found.
Trend Micro (PC-cillin) - Free on-line Scan
http://housecall.antivirus.com
12. Post a fresh HijackThis log and the AboutBuster report back here please.
1. Download this tool called AboutBuster http://www.downloads.subratam.org/AboutBuster.zip
or here:
http://malwarebytes.biz/AboutBuster.zip
Unzip it to your desktop but don't run it yet.
2. Download CWShredder (free):
Download it here:
http://www.majorgeeks.com/download3019.html
This is a special tool for removing CoolWebSearch and its variants.
a) Download and run CWShredder.
b ) Click the "Check for Update" button and download any update found.
c) Click the "Fix" button to run it. It will scan for and delete any bad files found.
3. Do you already have Adaware installed. Make sure it's up to date. Just open Adaware and click on *Check for Updates Now* and then *Connect*. It will find a new reference-file. Click *ok* and let it download and install the updates by clicking on *Finish* .This will return you to the main screen.
4. Print out these instructions so you have them handy as most of the steps need to be done in safe mode and you may not be able to go online.
5. Make sure your PC is configured to show hidden files
Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"
6. Reboot to Safe Mode (you may want to copy these instructions as well)
How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam
7. Scan with HijackThis and checkmark these items, then press *fix checked*
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O23 - Service: Remote Procedure Call (RPC) Manager - Unknown - c:\iupdate.exe
8. Double click AboutBuster.exe that you downloaded earlier. Follow the directions that popup in the first screen (including how to save the log). Check for updates first then download if any are found. Then click on the *Start* button and then OK to start the scan.. This will scan your computer for the bad files and delete them. Save the report(use the *save log* button) and post a copy back here when you are done with all the steps.
9. Scan with Adaware and let it remove any bad files found.
10. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:
Temporary Files
Temporary Internet Files
Recycle Bin
11. Reboot to normal mode,
do an online scan at the following site. Let it remove any infected files found.
Trend Micro (PC-cillin) - Free on-line Scan
http://housecall.antivirus.com
12. Post a fresh HijackThis log and the AboutBuster report back here please.
CalamityJane, here's the file attachment.
Edit by CalamityJane: attachment removed
Edit by CalamityJane: attachment removed
Flight, thanks! I got it (and subsequently removed the attachment so there are no "accidents") :thumb:
This file is definitely infected- it is a trojan. Delete it from your system and follow the steps I outlined for you above.
It is a leftover of a coolwebsearch infection and the steps above will search your entire system for any other files that may not show up in HijackThis.
When you are done with the above, post the requested logs so we can make sure you are clean.
This file is definitely infected- it is a trojan. Delete it from your system and follow the steps I outlined for you above.
It is a leftover of a coolwebsearch infection and the steps above will search your entire system for any other files that may not show up in HijackThis.
When you are done with the above, post the requested logs so we can make sure you are clean.
Ok, done what you said and here's the new log:
Logfile of HijackThis v1.99.0
Scan saved at 22:16:34, on 06/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\FREESE~1\BIN\WIN2K\tidslmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Hijackthis\hijackthis\HijackThis.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [TIxDSL] C:\PROGRA~1\FREESE~1\BIN\WIN2K\tidslmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by20fd.bay20.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{722438E7-B248-42B9-9D20-6431B2F9FFB9}: NameServer = 195.92.195.94 195.92.195.95
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
Logfile of HijackThis v1.99.0
Scan saved at 22:16:34, on 06/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\FREESE~1\BIN\WIN2K\tidslmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Hijackthis\hijackthis\HijackThis.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [TIxDSL] C:\PROGRA~1\FREESE~1\BIN\WIN2K\tidslmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by20fd.bay20.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{722438E7-B248-42B9-9D20-6431B2F9FFB9}: NameServer = 195.92.195.94 195.92.195.95
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
Hello Flight,
Your HijackThis log looks clean, did you save the AboutBuster Log? If so, could you post that?
You really need to get an Antivirus Program and there are several very good ones that are free. Here is one of the many available:
AVG Free Edition
http://free.grisoft.com/doc/2/lng/us/tpl/v5
Avast and Antivir are two others that also come to mind and they are free also.
Do get some protection on that PC.
Now that your PC is clean, make sure all programs are running properly and then you'll need to reset your restore point in Windows XP.......why?
One of the best features of Windows ME or XP is the System Restore option, however if a malware infects a computer with this operating system it can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after malware removal.
To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.
(winXP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/default.aspx?...kb;en-us;310405
Next, I highly recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help :).
How to Stop Hijackers & Spyware Infections, And other malware too!
http://forum.gladiator-antivirus.com/index...?showtopic=9857
Service Pack 2 for XP is now available and it will address numerous security issues in your Operating System and IE :)
http://v5.windowsupdate.microsoft.com/en/default.asp
I also highly recommend to get the free tool, Microsoft Baseline Security Analyzer (MBSA) from Microsoft to analyze your PC security for prevention purposes.
MBSA Version 1.2.1 will scan for common system misconfigurations on Windows 2000, Windows XP, and Windows Server 2003 systems. This program will identify the system security weaknesses in your browser and operating system and provides easy instructions to correct them. This includes any missing critical Windows security updates, system vulnerabilities and your IE Browser security settings. Get the download here:
Microsoft Baseline Security Analyzer
http://www.microsoft.com/technet/security/...s/mbsahome.mspx
You might also consider an alternative browser and use IE only when needed for sites that require ActiveX and are trusted (like Windows update or the online virus scanners). I use Firefox for 99% of my everyday surfing (using it right now in fact). It's free and very easy to setup, understand and use without many of the vulnerabilities that IE has. Or feel free to search around for info on other alternative browsers.
Firefox
http://www.mozilla.org/products/firefox/
Your HijackThis log looks clean, did you save the AboutBuster Log? If so, could you post that?
You really need to get an Antivirus Program and there are several very good ones that are free. Here is one of the many available:
AVG Free Edition
http://free.grisoft.com/doc/2/lng/us/tpl/v5
Avast and Antivir are two others that also come to mind and they are free also.
Do get some protection on that PC.
Now that your PC is clean, make sure all programs are running properly and then you'll need to reset your restore point in Windows XP.......why?
One of the best features of Windows ME or XP is the System Restore option, however if a malware infects a computer with this operating system it can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after malware removal.
To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.
(winXP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/default.aspx?...kb;en-us;310405
Next, I highly recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help :).
How to Stop Hijackers & Spyware Infections, And other malware too!
http://forum.gladiator-antivirus.com/index...?showtopic=9857
Service Pack 2 for XP is now available and it will address numerous security issues in your Operating System and IE :)
http://v5.windowsupdate.microsoft.com/en/default.asp
I also highly recommend to get the free tool, Microsoft Baseline Security Analyzer (MBSA) from Microsoft to analyze your PC security for prevention purposes.
MBSA Version 1.2.1 will scan for common system misconfigurations on Windows 2000, Windows XP, and Windows Server 2003 systems. This program will identify the system security weaknesses in your browser and operating system and provides easy instructions to correct them. This includes any missing critical Windows security updates, system vulnerabilities and your IE Browser security settings. Get the download here:
Microsoft Baseline Security Analyzer
http://www.microsoft.com/technet/security/...s/mbsahome.mspx
You might also consider an alternative browser and use IE only when needed for sites that require ActiveX and are trusted (like Windows update or the online virus scanners). I use Firefox for 99% of my everyday surfing (using it right now in fact). It's free and very easy to setup, understand and use without many of the vulnerabilities that IE has. Or feel free to search around for info on other alternative browsers.
Firefox
http://www.mozilla.org/products/firefox/
Ok, done what you said CalamityJane and here's the AB log:
Scanned at: 23:47:18 on: 06/01/2005
-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 19
No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!
-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 19
No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!
I'm gonna download what you suggested (antivirus) and check all my programs are running smoothly.
Thank you SO much for your help with the problem CalamityJane :)
Scanned at: 23:47:18 on: 06/01/2005
-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 19
No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!
-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 19
No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!
I'm gonna download what you suggested (antivirus) and check all my programs are running smoothly.
Thank you SO much for your help with the problem CalamityJane :)
Thanks, it looks good .Flight.
Be sure to visit that link I put up there too to prevent Spyware and Hijackers...there are some free programs in there also that will be an enormous help:
http://forum.gladiator-antivirus.com/index...?showtopic=9857
Adaware is one I would especially recommend and scan your system with it if you don't already have it.
Microsoft is working on releasing an Antispyware program as well. Right now it is in Beta so I would recommend you wait for that one until it is final, but do you keep you eyes open for it when it comes out. It should be a very useful tool.
Oh, and you're welcome. We're really glad we could help
Be sure to visit that link I put up there too to prevent Spyware and Hijackers...there are some free programs in there also that will be an enormous help:
http://forum.gladiator-antivirus.com/index...?showtopic=9857
Adaware is one I would especially recommend and scan your system with it if you don't already have it.
Microsoft is working on releasing an Antispyware program as well. Right now it is in Beta so I would recommend you wait for that one until it is final, but do you keep you eyes open for it when it comes out. It should be a very useful tool.
Oh, and you're welcome. We're really glad we could help
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.