0

I had a trojan horse dropper.small.4.ag in my computer last night. AVG supposedly deleted it, then found more in the system restore. I cancelled the restore on all drives, restarted, then put it back on, as I was directed, but I ran hijack to ensure my computer is safe. Another free scan (which didnt allow you to delete anything without purchasing the software) identified some registry keys that were a threat/high threat/potentially dangerous. So, I scanned with hijack. Below is the log, and I would really appreciate it if anyone could tell me if there is anything I need to remove. Thanks.

Full log:

Logfile of HijackThis v1.97.7
Scan saved at 20:45:38, on 01/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\PROGRA~1\Grisoft\AVG6\avgserv.exe
D:\WINDOWS\system32\drivers\KodakCCS.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\ScsiAccess.EXE
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\RunDll32.exe
D:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
D:\WINDOWS\System32\Microsoft.NET\msconfig.exe
D:\Program Files\QuickTime\qttask.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
D:\Program Files\Lexmark X74-X75\lxbbbmon.exe
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\Documents and Settings\User\My Documents\HijackThis.exe

O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SiSUSBRG] D:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG_CC] D:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Lexmark X74-X75] "D:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [msc] D:\WINDOWS\System32\Microsoft.NET\msconfig.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Kodak EasyShare software.lnk = D:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = D:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F04F4F32-6457-401A-8169-D2773DDFF930} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3uk.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1EC82A6D-21E8-49BA-9ACB-2EDA055190FC}: NameServer = 212.67.96.129 212.67.120.148
O17 - HKLM\System\CS1\Services\Tcpip\..\{1EC82A6D-21E8-49BA-9ACB-2EDA055190FC}: NameServer = 212.67.96.129 212.67.120.148

3
Contributors
11
Replies
12
Views
13 Years
Discussion Span
Last Post by DMR
0

Hi. First of all you need to update hijackthis to version 1.98.1 Run hijackthis & go to *Config\Misc Tools\Check for update on-line*. Remove 1.97 from the folder it is in & replace it with 1.98.1.

Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com

Please go here and have this file scanned.
D:\WINDOWS\System32\Microsoft.NET\msconfig.exe

Go here for an on-line scan & set it to autoclean for you.

Try this scan as well.

0

I did everything you said - the file you said to have scanned did have a virus in it, it confirmed. The polar scan found and cleaned 16 infections. Here is my HijackThis log, now:

Logfile of HijackThis v1.98.1
Scan saved at 19:49:11, on 06/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\PROGRA~1\Grisoft\AVG6\avgserv.exe
D:\WINDOWS\system32\drivers\KodakCCS.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\ScsiAccess.EXE
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\RunDll32.exe
D:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
D:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
D:\WINDOWS\System32\Microsoft.NET\msconfig.exe
D:\Program Files\QuickTime\qttask.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Lexmark X74-X75\lxbbbmon.exe
D:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\unzipped\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SiSUSBRG] D:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG_CC] D:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Lexmark X74-X75] "D:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [msc] D:\WINDOWS\System32\Microsoft.NET\msconfig.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Kodak EasyShare software.lnk = D:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = D:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {F04F4F32-6457-401A-8169-D2773DDFF930} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3uk.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1EC82A6D-21E8-49BA-9ACB-2EDA055190FC}: NameServer = 212.67.96.129 212.67.120.148
O17 - HKLM\System\CS1\Services\Tcpip\..\{1EC82A6D-21E8-49BA-9ACB-2EDA055190FC}: NameServer = 212.67.96.129 212.67.120.148

0

Open Task Manager & end process on the following;
msconfig.exe

Then delete the file by going to;
D:\WINDOWS\System32\Microsoft.NET

Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

O4 - HKLM\..\Run: [msc] D:\WINDOWS\System32\Microsoft.NET\msconfig.exe

O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)

Post another log after please.

0

Task manager is disabled, and I cant remember how to enable it again. How do you enable it?

0

Thats what I did. It pops up and says, "Task Manager has been disabled by your administrator." It does it somehow, it did before - I just cant remember how to set enable it.

0

Sorry to double post, there didn't seem to be an edit button. I enabled it (found out how from a friend) and did what you said. Here is the new log:

Logfile of HijackThis v1.98.1
Scan saved at 18:18:46, on 09/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVG6\avgserv.exe
D:\WINDOWS\system32\drivers\KodakCCS.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\ScsiAccess.EXE
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\RunDll32.exe
D:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
D:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
D:\Program Files\QuickTime\qttask.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Lexmark X74-X75\lxbbbmon.exe
D:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SiSUSBRG] D:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG_CC] D:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Lexmark X74-X75] "D:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Kodak EasyShare software.lnk = D:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = D:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {F04F4F32-6457-401A-8169-D2773DDFF930} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3uk.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1EC82A6D-21E8-49BA-9ACB-2EDA055190FC}: NameServer = 212.67.96.129 212.67.120.148
O17 - HKLM\System\CS1\Services\Tcpip\..\{1EC82A6D-21E8-49BA-9ACB-2EDA055190FC}: NameServer = 212.67.96.129 212.67.120.148

0

I went:

Start --> Run --> "gpedit.msc"

Then:

Select User Configuration
Administrative Templates
System
Ctrl+Alt+Delete Options
Remove Task Manager (disable)

BUT, it said that "Remove Task Manager" was already disabled. So, I simply enabled it, then disabled it again. :)

0

I was looking on task manager, and wondered if the following file is "ok":

backWeb-7288971.exe

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.