Hijack this logfile

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by DallasRaines42, Oct 15, 2004.

  1. DallasRaines42

    DallasRaines42 Private First Class

    After following all of the steps in Read This First, Hijack still came up with the logfile at the bottom of the page, and I have found, but been unable to remove, the following trojans and spyware:
    JS.Winshow.U
    Trojan.Downloader.Agent.AN
    Trojan.Downloader.Agent.BQ
    Trojan.Downloader.Agent.CD
    Trojan.Golid.A
    Trojan.Dropper.Delf.AV
    Trojan.ADWare.Runedor.C
    Trojan.Fynben.A
    Win32.HLLP.Hantaner.E

    EDIT BY CHASLANG: HJT LOG CHANGED TO AN ATTACHMENT


    File: C:\Program Files\Internet Explorer\vcyoquoi.exe
    Virus: TrojanDownloader:Win32/Small.UG Status: Infected

    File: C:\Program Files\Kazaa\Quarantine\jezzball (1).exe
    Virus: Win32/HLLP.Hantaner Status: Infected

    File: C:\Program Files\Kazaa\Quarantine\kmd202_en.exe
    Virus: Win32/HLLP.Hantaner Status: Infected

    File: C:\WINDOWS\ac3api.ini->ADS:otwca
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\addtv.exe
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\addzz.exe
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\atlxy32.exe
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\CTRec.INI->ADS:hiism
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\DELLWP.BMP->ADS:zjsxg
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\DELLWP.BMP->ADS:nzlwc
    Virus: TrojanDownloader:Win32/Agent Status: Infected

    File: C:\WINDOWS\DESKTOP.INI->ADS:ygcyp
    Virus: TrojanDownloader:Win32/WinShow.AK Status: Infected

    File: C:\WINDOWS\fqvtx.dll
    Virus: TrojanDownloader:Win32/WinShow.AK Status: Infected

    File: C:\WINDOWS\fynbn.exe
    Virus: Trojan:Win32/Fyngen Status: Infected

    File: C:\WINDOWS\ieci.dll
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\ienf.dll
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\ipcn.exe
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\msxg.exe
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\msyn32.dll
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\netflix.ico->ADS:rxlsj
    Virus: TrojanDownloader:Win32/WinShow.AK Status: Infected

    File: C:\WINDOWS\ntdh.exe
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\nthk32.exe
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\readme.ico->ADS:xkabf
    Virus: TrojanDownloader:Win32/Agent.dam#2 Status: Infected

    File: C:\WINDOWS\shop.ico->ADS:fykvf
    Virus: TrojanDownloader:Win32/Agent Status: Infected

    File: C:\WINDOWS\SIERRA.INI->ADS:xosmf
    Virus: TrojanDownloader:Win32/WinShow.AK Status: Infected

    File: C:\WINDOWS\syses32.exe
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\WINHELP.EXE->ADS:asmzs
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\winpg32.dll
    Virus: TrojanDownloader:Win32/Agent Status: Infected

    File: C:\WINDOWS\winsy.exe
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\WMSysPrx.prx->ADS:damel
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\wuimx.dll
    Virus: TrojanDownloader:Win32/WinShow.AK Status: Infected

    File: C:\WINDOWS\Downloaded Program Files\vcyoquoi.exe
    Virus: TrojanDownloader:Win32/Small.UG Status: Infected

    File: C:\WINDOWS\SYSTEM32\addfe.exe
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\SYSTEM32\apixh32.exe
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\SYSTEM32\apizy.dll
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\SYSTEM32\atlvp32.exe
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\SYSTEM32\atlxr32.exe
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\SYSTEM32\ClrSchP012.dll
    Virus: Backdoor:Win32/Ruledor.C Status: Infected

    File: C:\WINDOWS\SYSTEM32\iedb32.exe
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\SYSTEM32\iismo.dll
    Virus: TrojanDownloader:Win32/WinShow.AK Status: Infected

    File: C:\WINDOWS\SYSTEM32\installer_im.exe
    Virus: TrojanDropper:Win32/Delf.AV Status: Infected

    File: C:\WINDOWS\SYSTEM32\ipcw.exe
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\SYSTEM32\ipot32.dll
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\SYSTEM32\javagr32.exe
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\SYSTEM32\javajj32.exe
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\SYSTEM32\javalc.exe
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\SYSTEM32\jjj.exe
    Virus: Trojan:Win32/Golid.B Status: Infected

    File: C:\WINDOWS\SYSTEM32\mscw.dll
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\SYSTEM32\mscw.exe
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\SYSTEM32\msot.dll
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\SYSTEM32\MSView.exe
    Virus: PWS:Win32/Bispy Status: Suspicious

    File: C:\WINDOWS\SYSTEM32\mswp.dll
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\SYSTEM32\netkn32.exe
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\SYSTEM32\ntkj.exe
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\SYSTEM32\sdkse.dll
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\SYSTEM32\sdkse.exe
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\SYSTEM32\syscd32.exe
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\SYSTEM32\sysyf.exe
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\SYSTEM32\winnr.dll
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\SYSTEM32\winon32.exe
    Virus: TrojanDownloader:Win32/Agent.CD Status: Infected

    File: C:\WINDOWS\SYSTEM32\wintx.dll
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: C:\WINDOWS\SYSTEM32\ybxyd.dll
    Virus: TrojanDownloader:Win32/WinShow.AK Status: Infected

    Attached Files: hjt.txt (4.8 KB)
    Last edited by a moderator: Oct 16, 2004
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We have rules about posting HijackThis logs.

    You should read the tutorial in this Sticky thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Do not post a HijackThis log until we ask you to, and when we do it must be a text document attachment to your message. To do this, save the log file and select manage attachments in a new thread to upload it. All running programs should be closed, including your web browser and e-mail. Close them before running Hijack This!


    Do NOT run Hijack This from the Desktop, a temp folder or choose run from the download. Place it in its own folder, for example C:\Program Files\HJT



    - No one requested that you post a log
    - You did not attach it as a .txt attachment to your message <--- I fixed this for you!
    - You are running HijackThis from the ZIP file
    - You did not shut down all programs and browsers. You have two IE sessions running, AIM, and a command prompt window running.


    That being said, you have multiple problems. One of which is an about:blank/HSA hijack problem. Did you run the items given in the READ ME FIRST for this? That is, did you run HSremove and about:Buster? If not, please do so, and when you run about:Buster save the log and post it back here.

    Make sure you extract HijackThis from the ZIP file and put into its own directory as indicated above. Do this before continuing with the below.

    You need to uninstall Kazaa. You will continue to have problems like this unless you remove this program and any crap that came along with it.

    After running HSremove and About:Buster some of the lines below may not be present in your log to fix. So just skip them.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\iismo.dll/sp.html#37680
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\iismo.dll/sp.html#37680
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\iismo.dll/sp.html#37680
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\iismo.dll/sp.html#37680
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\iismo.dll/sp.html#37680
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\iismo.dll/sp.html#37680
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
    O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\Allison Bader\Application Data\h??o?.exe
    O4 - HKCU\..\Run: [Lxgbsed] C:\WINDOWS\System32\m?iexec.exe
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/...ller/dwnldr.cab

    Did you choose to install this HydraVision program? Do you want it? If not, fix the next line too:
    O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk98.exe

    Make sure you have viewing of hidden files enabled.
    Then boot in safe mode and let's delete those files you were showing in your last message. Some of these may also be gone due to About:Buster and HSremove.

    File: C:\Program Files\Internet Explorer\vcyoquoi.exe
    File: C:\Program Files\Kazaa\Quarantine\jezzball (1).exe
    File: C:\Program Files\Kazaa\Quarantine\kmd202_en.exe
    File: C:\WINDOWS\ac3api.ini->ADS:otwca
    File: C:\WINDOWS\addtv.exe
    File: C:\WINDOWS\addzz.exe
    File: C:\WINDOWS\atlxy32.exe
    File: C:\WINDOWS\CTRec.INI->ADS:hiism
    File: C:\WINDOWS\DELLWP.BMP->ADS:zjsxg
    File: C:\WINDOWS\DELLWP.BMP->ADS:nzlwc
    File: C:\WINDOWS\DESKTOP.INI->ADS:ygcyp
    File: C:\WINDOWS\fqvtx.dll
    File: C:\WINDOWS\fynbn.exe
    File: C:\WINDOWS\ieci.dll
    File: C:\WINDOWS\ienf.dll
    File: C:\WINDOWS\ipcn.exe
    File: C:\WINDOWS\msxg.exe
    File: C:\WINDOWS\msyn32.dll
    File: C:\WINDOWS\netflix.ico->ADS:rxlsj
    File: C:\WINDOWS\ntdh.exe
    File: C:\WINDOWS\nthk32.exe
    File: C:\WINDOWS\readme.ico->ADS:xkabf
    File: C:\WINDOWS\shop.ico->ADS:fykvf
    File: C:\WINDOWS\SIERRA.INI->ADS:xosmf
    File: C:\WINDOWS\syses32.exe
    File: C:\WINDOWS\WINHELP.EXE->ADS:asmzs
    File: C:\WINDOWS\winpg32.dll
    File: C:\WINDOWS\winsy.exe
    File: C:\WINDOWS\WMSysPrx.prx->ADS:damel
    File: C:\WINDOWS\wuimx.dll
    File: C:\WINDOWS\Downloaded Program Files\vcyoquoi.exe
    File: C:\WINDOWS\SYSTEM32\addfe.exe
    File: C:\WINDOWS\SYSTEM32\apixh32.exe
    File: C:\WINDOWS\SYSTEM32\apizy.dll
    File: C:\WINDOWS\SYSTEM32\atlvp32.exe
    File: C:\WINDOWS\SYSTEM32\atlxr32.exe
    File: C:\WINDOWS\SYSTEM32\ClrSchP012.dll
    File: C:\WINDOWS\SYSTEM32\iedb32.exe
    File: C:\WINDOWS\SYSTEM32\iismo.dll
    File: C:\WINDOWS\SYSTEM32\installer_im.exe
    File: C:\WINDOWS\SYSTEM32\ipcw.exe
    File: C:\WINDOWS\SYSTEM32\ipot32.dll
    File: C:\WINDOWS\SYSTEM32\javagr32.exe
    File: C:\WINDOWS\SYSTEM32\javajj32.exe
    File: C:\WINDOWS\SYSTEM32\javalc.exe
    File: C:\WINDOWS\SYSTEM32\jjj.exe
    File: C:\WINDOWS\SYSTEM32\mscw.dll
    File: C:\WINDOWS\SYSTEM32\mscw.exe
    File: C:\WINDOWS\SYSTEM32\msot.dll
    File: C:\WINDOWS\SYSTEM32\MSView.exe
    File: C:\WINDOWS\SYSTEM32\mswp.dll
    File: C:\WINDOWS\SYSTEM32\netkn32.exe
    File: C:\WINDOWS\SYSTEM32\ntkj.exe
    File: C:\WINDOWS\SYSTEM32\sdkse.dll
    File: C:\WINDOWS\SYSTEM32\sdkse.exe
    File: C:\WINDOWS\SYSTEM32\syscd32.exe
    File: C:\WINDOWS\SYSTEM32\sysyf.exe
    File: C:\WINDOWS\SYSTEM32\winnr.dll
    File: C:\WINDOWS\SYSTEM32\winon32.exe
    File: C:\WINDOWS\SYSTEM32\wintx.dll
    File: C:\WINDOWS\SYSTEM32\ybxyd.dll

    You should also go to the Alternative Scans section of the read me and run those tools. Make sure you run A-squared.
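As an added example (not from the thread or its tools): a good share of the detections above live in NTFS alternate data streams attached to legitimate files (DESKTOP.INI, WINHELP.EXE, DELLWP.BMP), which Explorer does not show and which deleting the host file would needlessly destroy. This PowerShell script (assumes PowerShell 3.0 or later on an NTFS volume; the directory list and the benign-stream filter are my assumptions) lists every named stream on files in the directories where the scan found them, in the same `host->ADS:name` form the scan log uses, and with `-Remove` strips only the stream.

```powershell
# Added example, not from the thread. Lists NTFS alternate data streams (ADS)
# on files in the Windows directories where the scan above found ADS-hosted
# trojans, and optionally removes only the stream, leaving the host file intact.
# Assumes PowerShell 3.0+ (Get-Item/Remove-Item -Stream) and NTFS volumes.
param(
    [string[]]$Roots = @("$env:SystemRoot", "$env:SystemRoot\System32"),
    [switch]$Remove
)

# Streams Windows writes itself: the unnamed data stream and the
# mark-of-the-web tag on downloaded files. Not evidence of tampering.
$benign = @(':$DATA', 'Zone.Identifier')

$findings = foreach ($root in $Roots) {
    Get-ChildItem -LiteralPath $root -File -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $benign -notcontains $_.Stream } |
            ForEach-Object {
                [pscustomobject]@{
                    Host   = $file.FullName
                    Stream = $_.Stream
                    Bytes  = $_.Length
                    # Same form as the scan log, e.g. C:\WINDOWS\DESKTOP.INI->ADS:ygcyp
                    Label  = "$($file.FullName)->ADS:$($_.Stream)"
                }
            }
    }
}

if (-not $findings) {
    Write-Host "No named alternate data streams found under: $($Roots -join ', ')"
    return
}

$findings | Sort-Object Host | Format-Table Label, Bytes -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        # Delete the stream, not the host file: DESKTOP.INI or WINHELP.EXE
        # stay in place and keep working. -Confirm prompts before each removal.
        Remove-Item -LiteralPath $f.Host -Stream $f.Stream -Confirm
    }
}
```

Run it without `-Remove` first and compare the listing against the scan output; a named stream on a system file you did not create is worth investigating, but some third-party software also stores harmless metadata this way, so review each entry before confirming removal.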