Blazefind and other trojan horses

Brad

Have a computer that has been taken over by blazefind and
others. Have run CWShredder and Spybot, but it is not
fixing the problem. Run Hijack This and get the
following.....any suggestions?

Logfile of HijackThis v1.98.0
Scan saved at 11:29:15 AM, on 7/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\WindUpdates\WinUpdt.exe
C:\WINDOWS\System32\vysbei.exe
C:\Program Files\WindowsSA\omniscient.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\WindUpdates\WinKA.exe
C:\MBSFtpServer\MBSFtpServer.exe
C:\WINDOWS\webshots.scr
C:\Program Files\Internet Explorer\IEXPLORE.EXE
H:\Brad\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.usatoday.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://firstcom:80
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
O4 - HKLM\..\Run: [fcwtzftlsbb] C:\WINDOWS\System32\vysbei.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\RunOnce: [SideStepDllDelete] cmd.exe /q /c del /f /q "C:\WINDOWS\Downloaded Program Files\SbCIe028.dll" "C:\WINDOWS\Downloaded Program Files\SbCIe028.inf"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: FTP Server.lnk = C:\MBSFtpServer\MBSFtpServer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=e92d611de8be57b7ce0f6e65a59b4aabd25fab1eca95e95258b5129dfa48e612c92bffd188f98fcbfa72f978f19fb906cb2e72:5e17f82db4671e0d17ebad4bf17236ad
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9307FC69-F5AC-4C4E-BFBE-93119F9F630D}: NameServer = 64.22.192.4,64.22.192.3
 
H Leboeuf

Wrong place to post this log. Any untrained person can give you advice and
kill your computer.

Please post your Hijack This logs in any of the following "Expert Forums":
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.net-integration.net/index.php?s=853f186bf90302d57a6840f00475ff6b&showforum=32
http://forums.spywareinfo.com/index.php?s=1413794b9fe306155560c99576acc3a8&showforum=11
http://www.lavasoftsupport.com/index.php?s=c0d583c0e136d2133506ec492cb6bd40&showforum=44
http://www.cybertechhelp.com/forums/forumdisplay.php?f=19
http://boards.cexx.org/viewforum.php?f=1&sid=0b5c7c42dc70e12ffe32f4a0807ff6a3
http://www.dslreports.com/forum/security,1

--

Henri Leboeuf
Web page: http://www.colba.net/~hlebo49/index.htm