
This is the HijackThis log of a friend of mine ... please check it and tell me how to remove the spyware...

Logfile of HijackThis v1.99.1
Scan saved at 11:13:39 AM, on 5/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dcomcfg.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\LAVASOFT\AD-AWA~1\AD-AWARE.EXE
C:\WINDOWS\system32\atmclk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjt\HijackThis.exe

O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpA9DC.tmp
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = TSS.ORG.PK
O17 - HKLM\Software\..\Telephony: DomainName = TSS.ORG.PK
O17 - HKLM\System\CCS\Services\Tcpip\..\{85A88044-BC0C-4F95-96F0-9F5682F56357}: NameServer = 203.128.3.18,203.128.7.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = TSS.ORG.PK
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = TSS.ORG.PK
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: winxtx32 - C:\WINDOWS\SYSTEM32\winxtx32.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe


Hi, first run HJT again, and check these items.


O20 - Winlogon Notify: winxtx32 - C:\WINDOWS\SYSTEM32\winxtx32.dll

O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpA9DC.tmp

Click Fix Checked.

-------------------------------------------------

We will let scanners and what not take out the rest. Please follow the instructions on this page to remove smitfraud.

http://siri.geekstogo.com/SmitfraudFix.php

------------------------------------------------

Then please download ewido (www.ewido.net). Install it. Update it. Run it. Remove whatever it finds. (Save the log).

When the scan is done, you may want to ensure that this file is deleted - You will need to Show hidden files to see it.

File:

C:\WINDOWS\system32\hpA9DC.tmp

Post a new HJT log, along with the ewido log, and the contents of C:\rapport.txt - We will then make sure you are clean, ewido should kill most of it :)

OT:

ATTN: jhay116 (since I know you will be looking at this thread today :) ) - I would like to talk to you about something, but you have PMs and email disabled, any way I can get in touch with you? Maybe AIM, or MSN or something?
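A small triage script, added here as an example and not part of this thread or of HijackThis itself, that parses the O2/O20 lines quoted above and flags the same two entries tayspen asked to be fixed: a BHO loaded from a .tmp file, and a Winlogon Notify DLL whose name is not on a known list. The sample lines are copied from this log and the Winlogon Notify allowlist is an assumption built from the entries that were left alone, not an authoritative reference.

```python
import re

# Constructed sample: the entries from the HijackThis log quoted above that matter for triage.
SAMPLE_LOG = r"""
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpA9DC.tmp
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: winxtx32 - C:\WINDOWS\SYSTEM32\winxtx32.dll
"""

# Winlogon Notify handlers a reviewer would accept on this box (Intel graphics, Symantec).
# Assumption for this example only; a real allowlist would come from a vetted database.
KNOWN_NOTIFY = {"igfxcui", "navlogon"}

ENTRY_RE = re.compile(r"^(O\d+) - (.+?): (.*)$")   # "O20 - Winlogon Notify: <detail>"
PATH_RE = re.compile(r"[A-Za-z]:\\.*$")           # trailing Windows path in <detail>

def parse_entry(line):
    """Split one HJT line into section, kind, detail and path; None if it is not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, kind, detail = m.groups()
    p = PATH_RE.search(detail)
    return {"section": section, "kind": kind, "detail": detail,
            "path": p.group(0) if p else ""}

def triage(log_text):
    """Return (line, reason) pairs for entries that deserve a manual look."""
    findings = []
    for raw in log_text.splitlines():
        e = parse_entry(raw)
        if e is None:
            continue
        path = e["path"].lower()
        if e["section"] == "O2" and path.endswith(".tmp"):
            findings.append((raw.strip(), "BHO loaded from a .tmp file"))
        elif e["section"] == "O20" and e["kind"] == "Winlogon Notify":
            name = e["detail"].split(" - ")[0].strip().lower()
            if name not in KNOWN_NOTIFY:
                findings.append((raw.strip(), f"unlisted Winlogon Notify handler '{name}'"))
    return findings

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}: {line}")
```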
