Can someone look over this HijackThis log please

Hi guys, I have been given a PC to sort out from a friend of a friend (:rolleyes: at self) and it's a mess. Spybot S&D cleared 290 entries of spyware and still something is not letting it dial out (slowdem). Error code is 775: Connection was blocked by remote computer. Also it will not let me install Service Pack 2; it gets about half way through and says access denied. Also Spybot cannot get access to the hosts file. Anyone got any ideas? Also here is the HijackThis log for the setup.

Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 04:39:58, on 11/12/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
C:\Documents and Settings\Kevin\Local Settings\Temp\Temporary Directory 1 for hijackthis_199.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tesco.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.supanet.com/search/iepanel/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0AB844A3-59F7-B49D-2CE3-649396BA8F19} - (no file)
O2 - BHO: (no name) - {0F0643E6-66C9-84AC-D29E-41B9B31BF9E6} - (no file)
O2 - BHO: (no name) - {0F8C2FF8-B84B-1234-32EF-FBA2FFCC592C} - (no file)
O2 - BHO: (no name) - {1433BDB4-D628-3EC4-BB12-57F1E0CFC5E7} - (no file)
O2 - BHO: (no name) - {1519816D-1FF0-3229-FF9F-3750CC369B91} - (no file)
O2 - BHO: (no name) - {17FC5AF7-0C0F-B62B-EE7D-6FB2FEABA69B} - (no file)
O2 - BHO: (no name) - {3897A705-7679-6536-79CB-574573A6CBC0} - (no file)
O2 - BHO: (no name) - {3AD12656-0FD3-1764-2D8E-76287329A8BC} - (no file)
O2 - BHO: (no name) - {477B7AAD-0649-5E89-9CE8-C2D797FBBFCE} - (no file)
O2 - BHO: (no name) - {49B2AC5F-DF52-2AA0-9B7C-1E928535C509} - (no file)
O2 - BHO: (no name) - {55AC4EE7-4B4F-A677-88EE-C19AD29C7B4D} - (no file)
O2 - BHO: (no name) - {62AD4EF2-C738-EB7A-35B8-F6BCD27B9F70} - (no file)
O2 - BHO: (no name) - {9DE118DF-4921-D35F-0ACA-DA210E65232D} - (no file)
O2 - BHO: (no name) - {AA1485D7-515B-7E22-9DA5-B4E151317124} - (no file)
O2 - BHO: (no name) - {AB6E0FF3-5C24-433E-F0F0-97AEB24D486A} - (no file)
O2 - BHO: (no name) - {AC4257E2-6DD2-AEC4-FFD6-D5E44CC39DBE} - (no file)
O2 - BHO: Class - {B57D4547-53A2-CE5F-B929-72FEAA007FF8} - C:\WINDOWS\ieic32.dll (file missing)
O2 - BHO: (no name) - {B83AC734-1261-571F-007C-D7C45405AF82} - (no file)
O2 - BHO: (no name) - {B94286B3-9087-D351-F81A-C5079026EC35} - (no file)
O2 - BHO: (no name) - {CE40FC76-6F48-E648-5F16-33EAEF4DA9CF} - (no file)
O2 - BHO: (no name) - {D1744B02-F606-64E4-BBEF-78430821F6F7} - (no file)
O2 - BHO: Class - {E655DD60-AB14-D8EA-6258-0B4A7FC5B627} - C:\WINDOWS\ietd32.dll (file missing)
O2 - BHO: (no name) - {EDA3C39C-C507-6E06-432C-F1C75E92B6F7} - (no file)
O2 - BHO: (no name) - {EDB1B83C-64AB-D985-F976-8699D7564855} - (no file)
O2 - BHO: (no name) - {EDB378BA-2AB8-3380-1522-B4A69CBB3F3F} - (no file)
O2 - BHO: (no name) - {F9538E86-36EE-4A7E-6596-B6F8EAA229D9} - (no file)
O2 - BHO: (no name) - {F9DE2FD1-D201-F180-75AC-500B7D9A8F17} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: AudioDeck.lnk = C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.tesco.net
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O16 - DPF: {33331111-1111-1111-1111-611111193429} -
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165739165500
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {CT id=e codeBase=http://www.www2.p0rt2.com/files/epl99bf2.cab classid=clsid:33331111-1111-1111-1111-615111193427} -
O16 - DPF: {CT} -
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {E cellSpacing=5 cellPadding=3 width=400} -
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://207.226.177.98/gba2218.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0EBA4436-3253-496A-A24F-D9DF3AB19720}: NameServer = 212.74.112.66,212.74.112.67
O17 - HKLM\System\CS1\Services\Tcpip\..\{0EBA4436-3253-496A-A24F-D9DF3AB19720}: NameServer = 212.74.112.66,212.74.112.67
O17 - HKLM\System\CS2\Services\Tcpip\..\{0EBA4436-3253-496A-A24F-D9DF3AB19720}: NameServer = 212.74.112.66,212.74.112.67
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINDOWS\System32\vbsys2.dll (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe (file missing)
 
[attached images: magnet, hdd]


Sorted :rolleyes: :p

But seriously, to get it right again just back up all the important stuff (all exes will probably be infected :rolleyes: ), format & reinstall Windows.
 
yup

use that site

just remove almost all of the entries; Google each program name, it's usually obvious what is needed by the system

and for God's sake, install SP2!
 
Delete these ones:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tesco.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.supanet.com/search/iepanel/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0AB844A3-59F7-B49D-2CE3-649396BA8F19} - (no file)
O2 - BHO: (no name) - {0F0643E6-66C9-84AC-D29E-41B9B31BF9E6} - (no file)
O2 - BHO: (no name) - {0F8C2FF8-B84B-1234-32EF-FBA2FFCC592C} - (no file)
O2 - BHO: (no name) - {1433BDB4-D628-3EC4-BB12-57F1E0CFC5E7} - (no file)
O2 - BHO: (no name) - {1519816D-1FF0-3229-FF9F-3750CC369B91} - (no file)
O2 - BHO: (no name) - {17FC5AF7-0C0F-B62B-EE7D-6FB2FEABA69B} - (no file)
O2 - BHO: (no name) - {3897A705-7679-6536-79CB-574573A6CBC0} - (no file)
O2 - BHO: (no name) - {3AD12656-0FD3-1764-2D8E-76287329A8BC} - (no file)
O2 - BHO: (no name) - {477B7AAD-0649-5E89-9CE8-C2D797FBBFCE} - (no file)
O2 - BHO: (no name) - {49B2AC5F-DF52-2AA0-9B7C-1E928535C509} - (no file)
O2 - BHO: (no name) - {55AC4EE7-4B4F-A677-88EE-C19AD29C7B4D} - (no file)
O2 - BHO: (no name) - {62AD4EF2-C738-EB7A-35B8-F6BCD27B9F70} - (no file)
O2 - BHO: (no name) - {9DE118DF-4921-D35F-0ACA-DA210E65232D} - (no file)
O2 - BHO: (no name) - {AA1485D7-515B-7E22-9DA5-B4E151317124} - (no file)
O2 - BHO: (no name) - {AB6E0FF3-5C24-433E-F0F0-97AEB24D486A} - (no file)
O2 - BHO: (no name) - {AC4257E2-6DD2-AEC4-FFD6-D5E44CC39DBE} - (no file)
O2 - BHO: Class - {B57D4547-53A2-CE5F-B929-72FEAA007FF8} - C:\WINDOWS\ieic32.dll (file missing)
O2 - BHO: (no name) - {B83AC734-1261-571F-007C-D7C45405AF82} - (no file)
O2 - BHO: (no name) - {B94286B3-9087-D351-F81A-C5079026EC35} - (no file)
O2 - BHO: (no name) - {CE40FC76-6F48-E648-5F16-33EAEF4DA9CF} - (no file)
O2 - BHO: (no name) - {D1744B02-F606-64E4-BBEF-78430821F6F7} - (no file)
O2 - BHO: Class - {E655DD60-AB14-D8EA-6258-0B4A7FC5B627} - C:\WINDOWS\ietd32.dll (file missing)
O2 - BHO: (no name) - {EDA3C39C-C507-6E06-432C-F1C75E92B6F7} - (no file)
O2 - BHO: (no name) - {EDB1B83C-64AB-D985-F976-8699D7564855} - (no file)
O2 - BHO: (no name) - {EDB378BA-2AB8-3380-1522-B4A69CBB3F3F} - (no file)
O2 - BHO: (no name) - {F9538E86-36EE-4A7E-6596-B6F8EAA229D9} - (no file)
O2 - BHO: (no name) - {F9DE2FD1-D201-F180-75AC-500B7D9A8F17} - (no file)

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O14 - IERESET.INF: START_PAGE_URL=http://www.tesco.net
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe (This one looks dodgy, delete the file as well)
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab (Then delete this file in safe mode after a reboot)
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O16 - DPF: {33331111-1111-1111-1111-611111193429} -
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...b?1165739165500
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {CT id=e codeBase=http://www.www2.p0rt2.com/files/epl99bf2.cab classid=clsid:33331111-1111-1111-1111-615111193427} -
O16 - DPF: {CT} -

O16 - DPF: {E cellSpacing=5 cellPadding=3 width=400} -
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www2.incredimail.com/content...er/imloader.cab
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://207.226.177.98/gba2218.exe looks bad to me - will try and run a dodgy file off the net
O17 - HKLM\System\CCS\Services\Tcpip\..\{0EBA4436-3253-496A-A24F-D9DF3AB19720}: NameServer = 212.74.112.66,212.74.112.67
O17 - HKLM\System\CS1\Services\Tcpip\..\{0EBA4436-3253-496A-A24F-D9DF3AB19720}: NameServer = 212.74.112.66,212.74.112.67
O17 - HKLM\System\CS2\Services\Tcpip\..\{0EBA4436-3253-496A-A24F-D9DF3AB19720}: NameServer = 212.74.112.66,212.74.112.67
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINDOWS\System32\vbsys2.dll (file missing)

O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe (file missing)

Not all are bad but most you don't need in the background. There are a few files hiding viruses in there which you can delete after a reboot. You may need to do it in safe mode.

Once you've rebooted and deleted the files above re-run Spybot (make sure it's updated) and it will be able to tidy up all the last little bits. Don't install SP2 until you've got it clean in case Windows hides any of the junk in the archived files. Hope that helps.
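As an added example (not code from the thread), a small Python triage script that applies the same checks the reply above does by eye: orphaned O2/O21 hooks, O16 entries with a garbled CLSID, a file:// codebase, a bare-IP host or an .exe download, and O17 DNS overrides. It assumes Python 3.8+ and the HijackThis 1.99 line format; the sample lines are copied from the posted log.

```python
import re

# Constructed sample: a handful of lines copied from the log posted above, not the full log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0AB844A3-59F7-B49D-2CE3-649396BA8F19} - (no file)
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165739165500
O16 - DPF: {CT} -
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://207.226.177.98/gba2218.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0EBA4436-3253-496A-A24F-D9DF3AB19720}: NameServer = 212.74.112.66,212.74.112.67
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINDOWS\System32\vbsys2.dll (file missing)
"""

GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
BARE_IP_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[/:]|$)")
LINE_RE = re.compile(r"^(O\d+|R\d) - (.*)$")

def triage_line(line):
    """Return the reasons one HijackThis line deserves a closer look ([] if none)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    section, body = m.groups()
    reasons = []
    # O2 (BHO) / O21 (SSODL) entries whose file is gone are leftovers of an earlier
    # infection: harmless now, but they should still be removed.
    if section in ("O2", "O21") and ("(no file)" in body or "(file missing)" in body):
        reasons.append("orphaned hook: registry entry points at a missing file")
    if section == "O16":  # Downloaded Program Files: ActiveX CLSID and its codebase URL
        clsid = re.search(r"\{[^}]*\}", body)
        url = body.rsplit(" - ", 1)[1].strip() if " - " in body else ""
        if clsid is None or not GUID_RE.match(clsid.group(0)):
            reasons.append("malformed CLSID: not a well-formed GUID")
        if url.lower().startswith("file://"):
            reasons.append("codebase is a local file, not a web download")
        if BARE_IP_RE.match(url):
            reasons.append("codebase hosted on a bare IP address")
        if url.lower().endswith(".exe"):
            reasons.append("codebase is an .exe rather than a .cab")
    if section == "O17":  # per-interface DNS servers pushed into the registry
        ns = re.search(r"NameServer = (.+)$", body)
        if ns:
            reasons.append("DNS servers set to %s; confirm they are the ISP's" % ns.group(1).strip())
    return reasons

def triage_log(text):
    """List (line, reasons) for every flagged line; clean lines are left out."""
    return [(ln.strip(), r) for ln in text.splitlines() if (r := triage_line(ln))]
```

Run `triage_log(SAMPLE_LOG)` to get the flagged lines; the O4 printer entry and the Windows Update control come back clean, everything else gets at least one reason.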
 