I have been showed some emails that show my computer is infected by EBLASTER
I have ran HIJACK THIS and I cant seem to find the files. does anyone know what to look for.
Full Version: EBLASTER
What kind of emails? Form other people on your contacts list? OR are these emails telling you to visit a site for help? If so, do not click on any links in any emails. they often try to lure you to a site where just by visiting, you will be infected with Spyware and / or other malware.
Let me know please.
We should check your system out though.
Post a hijackthis log please. Download and then extract Hijackthis.exe to a new folder. Do not run it from the zip the desktop or a temp folder.
Here's a link:
http://www.merijn.org/files/hijackthis.zip
Do not remove anything using HijackThis. Save the log and then copy and paste the contents into your next reply here in this same topic. It lists many types of entries. Some are good, and others need to be removed. We will help you sort it out.
Let me know please.
We should check your system out though.
Post a hijackthis log please. Download and then extract Hijackthis.exe to a new folder. Do not run it from the zip the desktop or a temp folder.
Here's a link:
http://www.merijn.org/files/hijackthis.zip
Do not remove anything using HijackThis. Save the log and then copy and paste the contents into your next reply here in this same topic. It lists many types of entries. Some are good, and others need to be removed. We will help you sort it out.
QUOTE (Mosaic1 @ Jun 29 2005, 01:44 PM)
What kind of emails? Form other people on your contacts list? OR are these emails telling you to visit a site for help? If so, do not click on any links in any emails. they often try to lure you to a site where just by visiting, you will be infected with Spyware and / or other malware.
Let me know please.
We should check your system out though.
Post a hijackthis log please. Download and then extract Hijackthis.exe to a new folder. Do not run it from the zip the desktop or a temp folder.
Here's a link:
http://www.merijn.org/files/hijackthis.zip
Do not remove anything using HijackThis. Save the log and then copy and paste the contents into your next reply here in this same topic. It lists many types of entries. Some are good, and others need to be removed. We will help you sort it out.
Let me know please.
We should check your system out though.
Post a hijackthis log please. Download and then extract Hijackthis.exe to a new folder. Do not run it from the zip the desktop or a temp folder.
Here's a link:
http://www.merijn.org/files/hijackthis.zip
Do not remove anything using HijackThis. Save the log and then copy and paste the contents into your next reply here in this same topic. It lists many types of entries. Some are good, and others need to be removed. We will help you sort it out.
Here is my log thanks
Logfile of HijackThis v1.99.1
Scan saved at 5:54:11 PM, on 6/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\Atiptaxx.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\Documents and Settings\Kristi\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\Kristi\Application Data\Mozilla\Profiles\default\jyqle5wa.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Kristi\Application Data\Mozilla\Profiles\default\jyqle5wa.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/EN/mdldetect/VaioInfo.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O21 - SSODL: Machtm - {A4E04D97-92EB-4C1D-96C7-2CB4B6D58704} - C:\WINDOWS\system32\uniutil.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
You're welcome.
Information about EBlaster here: (But it has changed! Do not attempt to follow the removal instructions they give. )
http://securityresponse.symantec.com/avcen...e.eblaster.html
Got it, but the file has changed its name and more. I would like a sample to give to the Anti Virus companies for analysis please.
Find this file:
C:\WINDOWS\system32\uniutil.dll
Right click on it and click Sendto >Compressed
Send to me as an attachment.
MY email is
Katie_3232 @hotmail.com
I have added an extra space to the address. Remove it and the email will work. Thanks.
---------------------------
Go to Add Remove Programs and uninstall Viewpoint Manager. (Not related to EBlaster)
-------------
Close All Internet Explorer and Windows Explorer Windows. Select the following items and press Fix checked:
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O21 - SSODL: Machtm - {A4E04D97-92EB-4C1D-96C7-2CB4B6D58704} - C:\WINDOWS\system32\uniutil.dll
Restart the computer.
Delete this file:
C:\WINDOWS\system32\uniutil.dll
Go for free online Virus scans here:
http://housecall.trendmicro.com/housecall/start_corp.asp
http://www.pandasoftware.com/activescan/
Allow them to clean
Panda will have the option to create a log afer the scan has finished. Click the See Report button. Then click the save Report button. IT will be saved inder the name activescan.txt Do that and post that log into your next reply here.
Run Hijackthis again and post the new log too.
Post a startuplist too please. In Hijackthis press the Config Button
Click Misc Tools
Check both boxes next to the Generate StartupList log and then click the generate startuplist log button.
Paste the contents into your next reply here.
Information about EBlaster here: (But it has changed! Do not attempt to follow the removal instructions they give. )
http://securityresponse.symantec.com/avcen...e.eblaster.html
Got it, but the file has changed its name and more. I would like a sample to give to the Anti Virus companies for analysis please.
Find this file:
C:\WINDOWS\system32\uniutil.dll
Right click on it and click Sendto >Compressed
Send to me as an attachment.
MY email is
Katie_3232 @hotmail.com
I have added an extra space to the address. Remove it and the email will work. Thanks.
---------------------------
Go to Add Remove Programs and uninstall Viewpoint Manager. (Not related to EBlaster)
-------------
Close All Internet Explorer and Windows Explorer Windows. Select the following items and press Fix checked:
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O21 - SSODL: Machtm - {A4E04D97-92EB-4C1D-96C7-2CB4B6D58704} - C:\WINDOWS\system32\uniutil.dll
Restart the computer.
Delete this file:
C:\WINDOWS\system32\uniutil.dll
Go for free online Virus scans here:
http://housecall.trendmicro.com/housecall/start_corp.asp
http://www.pandasoftware.com/activescan/
Allow them to clean
Panda will have the option to create a log afer the scan has finished. Click the See Report button. Then click the save Report button. IT will be saved inder the name activescan.txt Do that and post that log into your next reply here.
Run Hijackthis again and post the new log too.
Post a startuplist too please. In Hijackthis press the Config Button
Click Misc Tools
Check both boxes next to the Generate StartupList log and then click the generate startuplist log button.
Paste the contents into your next reply here.
We are expecting some storms. I am going to sign off and will not be back for a while. Please do email me the file. I will be back either later tonight or tomorrow to help you finish the cleanup. We'll have to do some digging for other files involved. The main infection should be inactive if the instructoins worked.
QUOTE (Mosaic1 @ Jun 29 2005, 06:35 PM)
We are expecting some storms. I am going to sign off and will not be back for a while. Please do email me the file. I will be back either later tonight or tomorrow to help you finish the cleanup. We'll have to do some digging for other files involved. The main infection should be inactive if the instructoins worked.
just let me know when you can help
Did you follow the directions in my last post yet? You need to do that first. After you post the results and logs I requested and after I get that file sample, I'll then have an idea of what to do next.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.