Brad
Have a computer that has been taken over by blazefind and
others. Have run CWShredder and Spybot, but it is not
fixing the problem. Run Hijack This and get the
following.....any suggestions?
Logfile of HijackThis v1.98.0
Scan saved at 11:29:15 AM, on 7/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\WindUpdates\WinUpdt.exe
C:\WINDOWS\System32\vysbei.exe
C:\Program Files\WindowsSA\omniscient.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\WindUpdates\WinKA.exe
C:\MBSFtpServer\MBSFtpServer.exe
C:\WINDOWS\webshots.scr
C:\Program Files\Internet Explorer\IEXPLORE.EXE
H:\Brad\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.usatoday.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://firstcom:80
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
O4 - HKLM\..\Run: [fcwtzftlsbb] C:\WINDOWS\System32\vysbei.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\RunOnce: [SideStepDllDelete] cmd.exe /q /c del /f /q "C:\WINDOWS\Downloaded Program Files\SbCIe028.dll" "C:\WINDOWS\Downloaded Program Files\SbCIe028.inf"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: FTP Server.lnk = C:\MBSFtpServer\MBSFtpServer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=e92d611de8be57b7ce0f6e65a59b4aabd25fab1eca95e95258b5129dfa48e612c92bffd188f98fcbfa72f978f19fb906cb2e72:5e17f82db4671e0d17ebad4bf17236ad
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9307FC69-F5AC-4C4E-BFBE-93119F9F630D}: NameServer = 64.22.192.4,64.22.192.3