Author Topic: need help... polall1 trojan :G  (Read 3487 times)


kalem154

  • Guest
need help... polall1 trojan :G
« on: December 22, 2004, 04:41:36 AM »
Hi guys. This virus won't leave me alone... I can delete it, but it comes back, repeatedly. I don't know if it's dangerous or what - I just got HijackThis to try out and I'm not sure what to do next... but here's my info.

I'm only running Avast.

Logfile of HijackThis v1.99.0
Scan saved at 9:34:05 PM, on 21/12/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\Mixer.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\ezSP_Px.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
C:\WINNT\system32\internat.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.html?&account_id=144940
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.html?&account_id=144940
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nfl.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=144940
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.nfl.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINNT\localNRD.dll
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [yqiouwljmdkb] C:\WINNT\system32\pjfyosq.exe
O4 - HKLM\..\Run: [conscorr] C:\WINNT\conscorr.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINNT\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [satmat] C:\WINNT\satmat.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversInitialSetup1.0.0.8.exe
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_adult.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20041101/qtinstall.info.apple.com/pthalo/us/win/QuickTimeFullInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/03c81b31c555f7231200/netzip/RdxIE601.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE

Please help...

Eddy

  • Avast Evangelist
Re:need help... polall1 trojan :G
« Reply #1 on: December 22, 2004, 06:00:10 AM »
Visit the malware removal section on the website in my signature and do as explained there.

This is the result my HijackThis Log Analyzer is giving:

--------------------------------------------------------------------------------
CHECKING HIJACKTHIS, INTERNET EXPLORER, WINDOWS AND SOFTWARE FIREWALL:
--------------------------------------------------------------------------------
You are using the latest version of HijackThis.
You are using the latest version of Internet Explorer.
No software firewall detected. If you are not using a
hardware firewall, it is highly recommended to install one.

--------------------------------------------------------------------------------
THESE ITEMS ARE HARMFULL AND SHOULD BE FIXED/REMOVED :
--------------------------------------------------------------------------------
r1 - hkcu\software\microsoft\internet explorer\main,search bar = http://www.couldnotfind.com/search_page.html?&account_id=144940
r1 - hkcu\software\microsoft\internet explorer\main,search page = http://www.couldnotfind.com/search_page.html?&account_id=144940
r1 - hkcu\software\microsoft\internet explorer\search,searchassistant = http://www.couldnotfind.com/search_page.html?&account_id=144940
r0 - hklm\software\microsoft\internet explorer\main,local page =
r3 - urlsearchhook: (no name) - _{00d6a7e7-4a97-456f-848a-3b75bf7554d7} - (no file)
o2 - bho: localnrdobj class - {00320615-b6c2-40a6-8f99-f1c52d674fad} - c:\winnt\localnrd.dll
o2 - bho: naverrredir class - {00d6a7e7-4a97-456f-848a-3b75bf7554d7} - (no file)
o4 - hklm\..\run: [yqiouwljmdkb] c:\winnt\system32\pjfyosq.exe
o4 - hklm\..\run: [conscorr] c:\winnt\conscorr.exe
o4 - hklm\..\run: [power scan] c:\program files\power scan\powerscan.exe
o4 - hklm\..\run: [satmat] c:\winnt\satmat.exe
o9 - extra button: related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\winnt\web\related.htm
o9 - extra 'tools' menuitem: show &related links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\winnt\web\related.htm
o16 - dpf: {1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} - http://imgfarm.com/images/nocache/funwebproducts/ei/popularscreensaversinitialsetup1.0.0.8.exe
o16 - dpf: {386a771c-e96a-421f-8ba7-32f1b706892f} (installer class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_adult.cab
o16 - dpf: {41f17733-b041-4099-a042-b518bb6a408c} - http://a1540.g.akamai.net/7/1540/52/20041101/qtinstall.info.apple.com/pthalo/us/win/quicktimefullinstaller.exe
o16 - dpf: {56336bcb-3d8a-11d6-a00b-0050da18de71} (rdxie class) - http://software-dl.real.com/03c81b31c555f7231200/netzip/rdxie601.cab
o16 - dpf: {75d1f3b2-2a21-11d7-97b9-0010dc2a6243} (securelogin.securecontrol) - http://secure2.comned.com/signuptemplates/activesecurity.cab
o16 - dpf: {ab86ce53-ac9f-449f-9399-d8abca09ec09} (get_activex control) - https://h17000.www1.hp.com/ewfrf-java/secure/hpgetdownloadmanager.ocx
o16 - dpf: {b9191f79-5613-4c76-aa2a-398534bb8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
o16 - dpf: {d27cdb6e-ae6d-11cf-96b8-444553540000} (shockwave flash object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------------------------------------
THE FOLLOWING ITEMS ARE NOT NEEDED TO LOAD
AT BOOTIME FOR THE SYSTEM TO WORK PROPERLY:
--------------------------------------------------------------------------------
o4 - hklm\..\run: [internet optimizer] "c:\program files\internet optimizer\optimize.exe"
o4 - hklm\..\run: [share-to-web namespace daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
o4 - hkcu\..\run: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
o4 - global startup: microsoft office.lnk = c:\program files\microsoft office\office10\osa.exe
o4 - global startup: winzip quick pick.lnk = c:\program files\winzip\wzqkpick.exe
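
A small parser for the HijackThis log format posted above, as an added example that is not from the thread, from HijackThis or from the log analyzer used in this reply. It reads the running-process list and the R/O entries, then applies three checks a reviewer otherwise does by eye: entries that end in "(no file)", one CLSID registered under more than one section (here the R3 search hook and the O2 BHO share a CLSID), and Run entries with no matching running process. The sample lines are copied from the log above; the rule set and dictionary layout are this example's own choices.

```python
import re
# Constructed sample: a few lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
Running processes:
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINNT\localNRD.dll
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [yqiouwljmdkb] C:\WINNT\system32\pjfyosq.exe
O4 - HKLM\..\Run: [satmat] C:\WINNT\satmat.exe
"""

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")          # e.g. "O4 - HKLM\..\Run: ..."
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
FILE_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx))"?', re.IGNORECASE)

def parse_log(text):
    """Return (set of running-process paths, list of R/O entries as dicts)."""
    procs, entries, in_procs = set(), [], False
    for line in text.strip().splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if line.startswith("Running processes:"):
            in_procs = True
        elif m:
            in_procs = False
            body, fm = m.group(2), FILE_RE.search(m.group(2))
            entries.append({"code": m.group(1), "body": body,
                            "clsids": [c.upper() for c in CLSID_RE.findall(body)],
                            "file": fm.group(1).lower() if fm else None,
                            "nofile": body.endswith("(no file)")})
        elif in_procs and line:
            procs.add(line.lower())
    return procs, entries

def triage(procs, entries):
    """Checks a reviewer does by hand: orphaned registrations, one CLSID used by several
    sections, Run entries with no running process (plain string match: 8.3 vs long paths differ)."""
    findings = []
    for e in entries:
        if e["nofile"]:
            findings.append((e["code"], "orphaned registration: points to (no file)"))
        if e["code"] == "O4" and e["file"] and e["file"] not in procs:
            findings.append((e["code"], f"autostart {e['file']} has no running process"))
        for c in e["clsids"]:
            others = sorted({o["code"] for o in entries if c in o["clsids"]} - {e["code"]})
            if others:
                findings.append((e["code"], f"CLSID {c} also registered under {', '.join(others)}"))
    return findings
```

A finding is a prompt to look closer, not a verdict: the avast! Run entry passes because its process is listed, while the two Run entries with no process are exactly the kind the analyzer above put in the "should be fixed" group.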

kalem154

  • Guest
Re:need help... polall1 trojan :G
« Reply #2 on: December 22, 2004, 07:36:35 AM »
I'm going to try to fix/remove those files... I'm currently installing the programs from the malware removal site.


What do I do about the ones you said were:
THE FOLLOWING ITEMS ARE NOT NEEDED TO LOAD
AT BOOTIME FOR THE SYSTEM TO WORK PROPERLY:

Am I supposed to get rid of them?

kalem154

  • Guest
Re:need help... polall1 trojan :G
« Reply #3 on: December 22, 2004, 08:05:23 AM »
I'm running Microsoft Windows 2000 Professional... I'm unsure as to how I turn off my system recovery (as per the website instructions).

Please advise...

whocares

  • Guest
Re:need help... polall1 trojan :G
« Reply #4 on: December 22, 2004, 09:04:18 AM »
Hi,

Win2000 doesn't have a system RESTORE function (only ME & XP have), so for you there's no need to turn it off  ;)

Unneeded items: remove them (checkmark & fix in HijackThis) or leave them, if you think you need/want them.

First fix the other stuff and then come back with a new log after reboot.

If avast alerts you to malware again, next time post the complete location (path/folder/filename, e.g. C:\winnt\system32\badfile.exe) and the exact virus name.

 ;)