?
Solved

Hijack troubles: please read the following HijackThis logfile

Posted on 2005-02-27
4
Medium Priority
?
490 Views
Last Modified: 2013-12-04
Hi,

can you guys help me. My computer sends and recieves data all the time. I can't figure it out what's wrong.
This is the HijackThis logfile
Logfile of HijackThis v1.99.1
Scan saved at 13:29:40, on 27/02/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\Program Files\GFI\LANguard Network Security Scanner 5.0\lnssatt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\rundll32.exe
D:\Program Files\KMaestro\KMaestro.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\ballin.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Plaxo\2.2.0.81\InstallStub.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Spyware Doctor\swdoctor.exe
D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\WINDOWS\System32\wzdsvc.exe
C:\WINDOWS\System32\wzdsvc.exe
D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
D:\Program Files\KMaestro\WTS_KEY.EXE
D:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\dynitora.exe
E:\backup\documents and settings\downloads\security\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~3\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [PMXInit] C:\WINDOWS\System32\pmxinit.exe
O4 - HKLM\..\Run: [BtcMaestro] D:\Program Files\KMaestro\KMaestro.exe
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Service Pack Auto Update] C:\ballin.exe
O4 - HKLM\..\Run: [Dynamic Dns Binary] dynitora.exe
O4 - HKLM\..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\RunServices: [Windows Registers] winservicess.exe
O4 - HKLM\..\RunServices: [Microsoft Updates Resources] WinFixID.exe
O4 - HKLM\..\RunServices: [Dynamic Dns Binary] dynitora.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.2.0.81\InstallStub.exe -a
O4 - HKCU\..\Run: [Spyware Doctor] "D:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Dynamic Dns Binary] dynitora.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1097335650408
O16 - DPF: {7C896371-4B7F-4B34-95B1-24851F5DED24} (Microsoft Virtual Server VMRC Control) - http://karl-xp-home.vbsjabbeke.be/VirtualServer/activex/VMRCActiveXClient.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vbsjabbeke.be
O17 - HKLM\Software\..\Telephony: DomainName = vbsjabbeke.be
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA95FFA8-749A-465F-A13E-BB28B45AB033}: NameServer = 193.74.208.65 193.121.171.135
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = vbsjabbeke.be
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = vbsjabbeke.be
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: GFI LANguard N.S.S. 5.0 attendant service - Unknown owner - D:\Program Files\GFI\LANguard Network Security Scanner 5.0\lnssatt.exe" -service (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Wireless Zero Daemon (WZDSVC) - Unknown owner - C:\WINDOWS\System32\wzdsvc.exe



What should I do?

Thanks in advance,
kGenius
0
Comment
Question by:kGenius
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 13413739
Browser Hijacking/Spyware/Adware/Malware Removal instructions

Full removal and Prevention instructions are available on my website,

http://www.petenetlive.com/Tech/Browsers/hijack.htm

Please don't "Gum up" the TA's here by posting Hijack This Logs
go here and have it analysed.
http://www.hijackthis.de/index.php?langselect=english

The EE Official Link to info is,
 http:Q_20975384.html#10973783
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 13413741
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 13413875
Hi!

Some info on what your log shows:
These entries:
C:\WINDOWS\System32\wzdsvc.exe
C:\WINDOWS\System32\wzdsvc.exe
Information here:
http://www.bleepingcomputer.com/startups/wzdsvc.exe-7277.html
-------
O4 - HKLM\..\RunServices: [Windows Registers] winservicess.exe
Info here:
http://fr.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=WORM_SPYBOT.A
-------
Can find No info on ballin.exe or dynitora - suspicious!
It's not a good sign to see something running directly from the C: drive.
C:\ballin.exe
O4 - HKLM\..\Run: [Windows Service Pack Auto Update] C:\ballin.exe
O4 - HKLM\..\RunServices: [Dynamic Dns Binary] dynitora.exe

Good luck!

RF
0
 
LVL 15

Accepted Solution

by:
greyknight17 earned 800 total points
ID: 13426011
Please print out or copy this page to Notepad.  Make sure to work through the fixes in the exact order it is mentioned below.  If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.  You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled.  Also make sure that Display the contents of System Folders' is checked.  Windows XP's search feature is a little different.  When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom.  Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean.  If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore.  Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point.

If you have a fast internet connection (broadband), run an online virus scan at TrendMicro (http://uk.trendmicro-europe.com/enterprise/products/housecall_launch.php). Just follow the instructions on the site to run the online scan.  Otherwise, make sure your antivirus program has the latest definitions and run a full system scan.

Reboot into Safe Mode (hit F8 key until menu shows up).  Make sure to close any open browsers.  Go into HijackThis->Config->Misc. Tools->Open process manager.  Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\ballin.exe
C:\WINDOWS\System32\wzdsvc.exe
C:\WINDOWS\System32\wzdsvc.exe
C:\WINDOWS\System32\dynitora.exe

Run a scan in HijackThis.  Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Windows Service Pack Auto Update] C:\ballin.exe
O4 - HKLM\..\Run: [Dynamic Dns Binary] dynitora.exe
O4 - HKLM\..\RunServices: [Windows Registers] winservicess.exe
O4 - HKLM\..\RunServices: [Microsoft Updates Resources] WinFixID.exe
O4 - HKLM\..\RunServices: [Dynamic Dns Binary] dynitora.exe
O4 - HKCU\..\Run: [Dynamic Dns Binary] dynitora.exe
O23 - Service: Wireless Zero Daemon (WZDSVC) - Unknown owner - C:\WINDOWS\System32\wzdsvc.exe

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\ballin.exe
C:\WINDOWS\System32\wzdsvc.exe
C:\WINDOWS\System32\dynitora.exe
WinFixID.exe - do a search for this file and delete if found - should be in c:\windows\system32 or c:\windows folder
winservicess.exe - same as above - search and delete if found

Reboot into Normal Mode run a new HijackThis scan.  Save the log and analyze the log at http://www.hijackthis.de.  Post the analyzed log link here.
0

Featured Post

Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The term "Bad USB" is a buzz word that is usually used when talking about attacks on computer systems that involve USB devices. In this article, I will show what possibilities modern windows systems (win8.x and win10) offer to fight these attacks wi…
No security measures warrant 100% as a "silver bullet". The truth is we also cannot assume anything but a defensive and vigilance posture. Adopt no trust by default and reveal in assumption. Only assume anonymity or invisibility in the reverse. Safe…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.
Suggested Courses
Course of the Month10 days, 4 hours left to enroll

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question