BLOODHOUND.EXPLOIT.6 VIRUS
AfterDawn Addict
17. November 2004 @ 23:32
PS, what's the weather like over there?
vincentd
Junior Member
18. November 2004 @ 02:27
SHA LA LA LA LA, YOU'VE DONE IT AGAIN MY FRIENDS. CJC, YOU WERE AMAZING WITH WHAT YOU'VE TOLD ME ABOUT ERASING SOME THINGS FROM THE LOG I'VE PASTED ON THE THREAD.
THANK YOU ALL SO MUCH. THANKS PULSAR, YOU ALSO DID A GREAT JOB, JUST BEING THERE FOR ME MY FRIENDS. I DON'T KNOW, BUT YOU ARE SOMETHING SPECIAL. I'M GOING TO PROMOTE THIS WEBSITE IN MY TELEVISION PROGRAMME HERE IN MALTA. I'VE TOLD CJC THAT I AM A TV PERSONALITY HERE...any more about me, just click to http://www.prosceniumrecordsmalta.4t.com and go to VINCENT D.PROFILE...You'll see me there my friends. Last thing: I wish you could tell me how I can professionally protect my PC from spyware, viruses etc., because I'm not seeing that some very renowned software, antispyware and antivirus software works. So what can one do for this not to happen again? I wish you all well and season's greetings from the tiny tiny island of Malta. Vince Debono AND BY THE WAY PULSAR, ABOUT THE WEATHER, IT'S SUNNY HERE, BUT WE HAVE A STORM TO COME ACROSS US TOMORROW...(This is not shouting ok!!!!) just to wake you up...ha...ha..ha
CJC
Suspended due to non-functional email address
18. November 2004 @ 02:41
Hey
Glad you got it fixed Vincent.
Nothing will protect you 100%, but you can 'buy' a version of Adaware which has Ad-Watch, which monitors your computer for adware. To purchase Ad-Aware Professional I think it's about $40 USD.
I personally use Norton SystemWorks 2004 and Norton Personal Firewall 2003 and my PC is running in tip top shape.
CJC
AfterDawn Addict
18. November 2004 @ 09:20
Rock on Vincent, NICE ONE! (that was shouting!!!)
AfterDawn Addict
18. November 2004 @ 09:33
I use PC-cillin by Trend Micro. I have had no probs at all. I also have Windows Service Pack 2 installed on one of my hard drives, so I have 2 firewalls. My other hard drive is used purely for burning & is rarely connected to the internet.
As CJC says, you will never be 100% safe. But with regular AdAware & Spybot scans, de-frags & disk clean-ups my PC boots up lightning fast & runs really well. Just like any machine, regular maintenance will keep it in tip top shape.
Glad you have learned lots, your problem has bugged me all day & I am really chuffed to bits you have sorted it.
I have to agree this forum rocks, I have learned an immense amount. The knowledge base here is phenomenal & the camaraderie is spot on. I have laughed non stop since I joined this forum. The guys here are great.
Kind regards & happy burning,
Pulsar
PS, don't be a stranger & if you see us posting replies you should say hello in the threads.
AfterDawn Addict
18. November 2004 @ 09:35
I'm in the UK.
akbar
Newbie
19. November 2004 @ 15:14
Hey everyone, my name is Akbar and I had the same virus that was detected by Norton AntiVirus 2005. I recently uninstalled Norton, but I went to Google and searched for bloodhound.exploit.6 and this thread was one result. I read through everything here and downloaded and ran all of the software. I was wondering if you could check my HijackThis log and tell me if my computer is clean, or if there is another way to see if my computer is clean, let me know please. Thanks.
Logfile of HijackThis v1.98.2
Scan saved at 7:13:29 PM, on 11/19/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Documents and Settings\Akbar D\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.e4me.com
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [BootWarn] C:\Program Files\Norton AntiVirus\BootWarn.exe /a
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Radio@Netscape] C:\Program Files\Radio@Netscape\Radio@Netscape.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
that was the log from hijackthis...thanks again
-Akbar
CJC
Suspended due to non-functional email address
19. November 2004 @ 15:50
Hey akbar
Just had a look at your logs and they look pretty clean.
As long as you have installed the patch from Microsoft and run Adaware, Spybot and an online virus scan, you should be all right.
CJC
akbar
Newbie
19. November 2004 @ 18:17
Thanks for the help... and for the patch... I just get the Outlook Express 6 patch for Windows XP, if that's what I have, right?
-Akbar
CJC
Suspended due to non-functional email address
19. November 2004 @ 18:23
Yep either Outlook Express 6 or Outlook Express 6 SP1, depending which version you have. Just open it up, click the Help menu then go down to about.
CJC
sketch143
Newbie
1. December 2004 @ 06:04
Yeah.. I too have the same crappy problem.. :) Anyways... I have no idea on which to erase here.. so if anyone could... CJC... please check my list.. :D
Logfile of HijackThis v1.98.2
Scan saved at 7:59:40 AM, on 12/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Creative\ShareDLL\MEDIADET.EXE
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\System32\wuauclt.exe
G:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\Tiger Files\Programs\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sketch143.deviantart.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://sketch143.deviantart.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [istinstall_zazzer.exe] istinstall_zazzer.exe
O4 - HKLM\..\Run: [lite.exe] lite.exe
O4 - HKLM\..\Run: [Aqua.exe] Aqua.exe
O4 - HKLM\..\Run: [F] c:\documents and settings\tiger\local settings\temp\F.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] G:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Caco] C:\Documents and Settings\tiger\Application Data\tscs.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash By FlashFavorite - res://E:\TIGERF~1\Programs\FLASHF~1\FFCom.dll/IeMenu.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: FlashFavorite - {4335F0BE-9AAF-4023-9929-681B937B814A} - res://E:\TIGERF~1\Programs\FLASHF~1\FFCom.dll/IeMenu.htm (file missing)
O9 - Extra 'Tools' menuitem: Flash Favorite - {4335F0BE-9AAF-4023-9929-681B937B814A} - res://E:\TIGERF~1\Programs\FLASHF~1\FFCom.dll/IeMenu.htm (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ 4 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - E:\Tiger Files\Programs\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - E:\Tiger Files\Programs\ICQLite\ICQLite.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1097456390276
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
keep sketchin.. XDDD
CJC
Suspended due to non-functional email address
1. December 2004 @ 12:09
Hey
Ok, put a tick in the following then go Fix Checked
O4 - HKLM\..\Run: [istinstall_zazzer.exe] istinstall_zazzer.exe
O4 - HKLM\..\Run: [lite.exe] lite.exe
O4 - HKLM\..\Run: [Aqua.exe] Aqua.exe
O4 - HKLM\..\Run: [F] c:\documents and settings\tiger\local settings\temp\F.exe
**O4 - HKCU\..\Run: [Caco] C:\Documents and Settings\tiger\Application Data\tscs.exe
I'm not sure about that last one, never seen it before, so it's up to you if you remove it or not.
Seeing as you haven't run it from a Temp dir, it will create a backup of the files if needed.
After you have done that, search and delete the following files
istinstall_zazzer.exe
lite.exe
Aqua.exe
F.exe
And now you should be ok
CJC
hojo50
Newbie
5. December 2004 @ 21:06
Howdy
I also got a Bloodhound.exploit.6 alert from NAV on my PC. Could you have a look at the HijackThis log and tell me if there's anything that needs deleting?
Thanks Loads
Logfile of HijackThis v1.98.2
Scan saved at 20:23:57, on 05/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Sony\Keyboard Closure Setup\KSWServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\sony\usbsircs\usbsircs.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\AOL COMPANION\COMPANION.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\JY & CF\Desktop\hijackthis_198\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [VAIOSurvey] c:\program files\sony\vaio survey\surveysa.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Keyboard Closure Setup.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Remocon Driver.lnk = ?
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
CJC
Suspended due to non-functional email address
5. December 2004 @ 23:12
The log looks pretty clean to me.
Can't see anything suspicious there.
CJC
lisat15
Newbie
8. December 2004 @ 17:54
hi,
I'd love it if someone could help me. I have this Bloodhound virus and another, Backdoor.Sdbot.gen.
my hijack log looks like this:
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1.1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus CE 9.0.1\DefWatch.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Symantec AntiVirus CE 9.0.1\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Symantec AntiVirus CE 9.0.1\VPC32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\DOCUME~1\Lisa\LOCALS~1\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by zack
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0.2\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexico Toolbar - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\CONFLICT.1\lexbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\CONFLICT.1\lexbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1.1\VPTray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: eFax Live Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/121e0d3371fd6c58b020/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094183764575
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
please let me know if you can help me out! thanks!
CJC
Suspended due to non-functional email address
8. December 2004 @ 20:29
Hey
Really the only thing I can see is:
C:\Program Files\Symantec AntiVirus CE 9.0.1\VPC32.EXE
Tick that and remove.
Apart from that, looks pretty good.
CJC
lisat15
Newbie
9. December 2004 @ 07:39
cjc,
Even though it says C:\Program Files\Symantec AntiVirus CE 9.0.1\VPC32.EXE
on my log, I can't seem to find it to tick off in the actual program. Do you know why this is or what I can do?
CJC
Suspended due to non-functional email address
9. December 2004 @ 11:57
Hey
You don't need to go into the program to take the 'tick' out or put the tick in.
Open up HiJackThis and in the list, put a tick in the box at the beginning of the name then click on Fixed Selected.
CJC
DocSante
Suspended due to non-functional email address
10. December 2004 @ 19:57
Hi CJC
CJC
Suspended due to non-functional email address
10. December 2004 @ 21:45
Having a quick look, here is what looks like the problem.
When I first opened this thread, I got a notification about the HTML containing Bloodhound, and when I went to reply, the same thing.
Have you run Adaware, Spybot and Housecall yet?
C:\WINDOWS\iau.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] C:\WINDOWS\iau.exe
O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] C:\WINDOWS\iau.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://www.free32.com/POP.CHM::/sp.exe
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.50.189.120/winsearchie32.chm::/winsearchie32.exe
CJC
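As an added example (not code from this thread, from HijackThis or from Symantec), the following Python script applies the rules of thumb CJC uses in his 1 December and 10 December replies to constructed HijackThis 1.98 lines: O4 autorun entries that run out of a temp or per-user data directory, bare filenames with no path that have to be located before anything is ticked, and O16 DPF entries that pull a file out of a CHM through an ms-its:mhtml: chain like the two above. The sample log, the placeholder hostname and the helper names are all assumptions made for the example.

```python
import ntpath
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample lines, modelled on the HijackThis 1.98 logs pasted in this thread.
# The hostname in the last line is a placeholder; the CLSID mirrors the entry CJC quoted.
SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r'O4 - HKLM\..\Run: [BootWarn] C:\Program Files\Norton AntiVirus\BootWarn.exe /a',
    r'O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE',
    r'O4 - HKLM\..\Run: [lite.exe] lite.exe',
    r'O4 - HKLM\..\Run: [F] c:\documents and settings\tiger\local settings\temp\F.exe',
    r'O4 - HKCU\..\Run: [Caco] C:\Documents and Settings\tiger\Application Data\tscs.exe',
    r'O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - '
    r'http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab',
    r'O16 - DPF: {10000000-1000-0000-1000-000000000000} - '
    r'ms-its:mhtml:file://C:\foo.mht!http://placeholder.invalid/POP.CHM::/sp.exe',
]
SAMPLE_LOG = "\n".join(SAMPLE_LINES)

# O4 autorun entries look like:  O4 - HKLM\..\Run: [value name] command line
O4_RUN_RE = re.compile(r'^O4 - (?P<key>HK\w+\\\.\.\\Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# O16 Downloaded Program Files entries look like:  O16 - DPF: {CLSID} (description) - source
O16_RE = re.compile(r'^O16 - DPF: \{(?P<clsid>[^}]+)\}(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)')

# Directories a legitimate autorun entry almost never runs from (lower-cased substrings).
SUSPECT_DIRS = ('\\temp\\', '\\application data\\', '\\locals~1\\temp\\')


def _executable(cmd: str) -> str:
    """Return the program part of an O4 command line, dropping quotes and arguments."""
    m = re.match(r'^"?(?P<exe>.+?\.(?:exe|com|scr|pif|bat|cmd))\b', cmd, re.IGNORECASE)
    return m.group('exe') if m else cmd.split()[0].strip('"')


def _rate_autorun(exe: str) -> Tuple[str, str]:
    """Apply the two rules of thumb used in this thread to an autorun target."""
    low = exe.lower()
    if any(d in low for d in SUSPECT_DIRS):
        return 'high', 'executable lives in a temp or per-user data directory'
    if '\\' not in exe:
        return 'review', 'bare filename with no path; locate the file on disk before fixing'
    return 'ok', ''


def _rate_dpf(url: str) -> Tuple[str, str]:
    """Flag ActiveX download sources that are not plain http(s) downloads."""
    low = url.lower()
    if low.startswith(('ms-its:', 'mhtml:')) or '.chm::' in low:
        return 'high', 'ms-its/mhtml chain that runs a file out of a CHM'
    if not low.startswith(('http://', 'https://')):
        return 'review', 'download source is not a plain http(s) URL'
    return 'ok', ''


def triage_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one HJT line; return a finding dict for O4/O16 lines, None for anything else."""
    m = O4_RUN_RE.match(line)
    if m:
        exe = _executable(m.group('cmd'))
        sev, why = _rate_autorun(exe)
        return {'kind': 'O4', 'name': m.group('name'), 'target': exe,
                'severity': sev, 'reason': why}
    m = O16_RE.match(line)
    if m:
        sev, why = _rate_dpf(m.group('url'))
        return {'kind': 'O16', 'name': m.group('desc') or m.group('clsid'),
                'target': m.group('url'), 'severity': sev, 'reason': why}
    return None


def triage_log(text: str) -> List[Dict[str, str]]:
    """Return only the findings that need a human decision, in log order."""
    findings = []
    for raw in text.splitlines():
        f = triage_line(raw.strip())
        if f and f['severity'] != 'ok':
            findings.append(f)
    return findings


def files_to_remove(findings: List[Dict[str, str]]) -> List[str]:
    """Names to search for and delete after 'Fix checked', the way CJC lists them.

    Only 'high' O4 findings qualify: a bare name such as SOUNDMAN.EXE is merely
    unlocated, and deleting it on a hunch is how a sound driver gets broken.
    """
    return [ntpath.basename(f['target']) for f in findings
            if f['kind'] == 'O4' and f['severity'] == 'high']


if __name__ == '__main__':
    hits = triage_log(SAMPLE_LOG)
    for f in hits:
        print(f"[{f['severity']:6}] {f['kind']} [{f['name']}] {f['target']}  <- {f['reason']}")
    print('search for and delete:', ', '.join(files_to_remove(hits)))
```

The 'review' bucket is deliberately not auto-deleted: the script can see that lite.exe and SOUNDMAN.EXE are both bare names, but only someone who knows what is installed can tell a sound driver from a dropper.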
DocSante
Suspended due to non-functional email address
11. December 2004 @ 02:37
Hi CJC. thanks for the quick response.
Yes, I have run Ad-Aware and Spybot several times. Spybot kept finding DSO exploits, so I ran it a few times until I learned that they are false positives. I ran Housecall once and it found and removed two trojans.
DocSante
Suspended due to non-functional email address
11. December 2004 @ 03:42
Hi CJC
I fixed the 6 files you suggested plus the two ROs listed and ran both ad-aware and spybot again.
I am not sure what to do with the C:\WINDOWS\iau.exe
DocSante
Suspended due to non-functional email address
11. December 2004 @ 03:48
CJC
Suspended due to non-functional email address
11. December 2004 @ 10:48
First run HJT and remove the iau.exe, then Fix Selected. Now,
if you do what that page says, you should get rid of that. Restart your computer and run HJT again and see if it's still there; if not, you are pretty clean by the looks of it. If you are unsure, re-post a clean log after you have done all this.
CJC
DocSante
Suspended due to non-functional email address
11. December 2004 @ 13:50
Thanks CJC
Pointing out that iau.exe file really did the trick. I followed the directions in that Norton fix and that did the trick. Scanned with Norton in safe mode and it found the Bloodhound. Only had to edit the last file in the registry, because of the fixes I made after the HJT scan I think, and I'm good now.
WOOO HOOO!!! thanks so much for the help
I know where to come now if I run in to any more problems.
Have a nice holiday CJC!!!!!!!!
Peace,
Doc