Please help with HijackThis log?[RESOLVED]



#16 clintbrass (Member, Topic Starter, 12 posts)
Congrats, and thanks, that seemed to work... although... something weird came up, and I had to make a difficult decision. (I'll talk about this first and then post the logs.)

After I ran SpSeHjFix, I was confronted with a DOS screen, or a DOS-like screen. Unfortunately, I didn't record everything it said, but it said something to the effect:

C:\<REM>
This directory will be deleted!
Do you want the directory deleted? y/n

Because I had no idea if this was a last gasp of the malware (e.g., I was scared it would delete the contents of the C: drive??), I typed "n". Then the machine restarted. I hope I didn't screw up here.

After the machine rebooted, I was able to install SpywareBlaster. I've not browsed around the web yet to test things, but the application had no problems installing. Due to the possible screw up in typing "n", above, I re-ran SpSeHjfix, and it gave me a clean log, also below. So, if I did mess up in not typing "y", it appears this software isn't picking it up. I re-ran both Norton AV and Adaware just in case.

One question before I post the logs... what the h_ll was on my machine? It seems particularly nasty.

Here are the logs:

****
SpSeHjFix
****

(first run, leading up to the strange DOS screen)

(4/6/05 10:55:49 PM) SPSeHjFix started v1.1.1
(4/6/05 10:55:49 PM) OS: Win98SE A (4.10.2222)
(4/6/05 10:55:49 PM) Language: english
(4/6/05 10:56:00 PM) Disinfection started
(4/6/05 10:56:00 PM) Bad-Dll(IEP): (not found)
(4/6/05 10:56:00 PM) Bad-Dll(IEP) in BHO: (not found)
(4/6/05 10:56:00 PM) UBF: 4
(4/6/05 10:56:00 PM) UBB: 1
(4/6/05 10:56:00 PM) UBR: 19
(4/6/05 10:56:00 PM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, SearchAssistant:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
(4/6/05 10:56:00 PM) Stealth-String found: C:\WINDOWS\NPS72X5.ICO
(4/6/05 10:56:00 PM) Temp-Files delete on Reboot
(4/6/05 10:56:00 PM) File added to delete: c:\windows\nps72x5.ico
(4/6/05 10:56:00 PM) File added to delete: c:\windows\temp\lcfinstall\lcfinstall.log
(4/6/05 10:56:00 PM) File added to delete: c:\windows\temp\~df67c8.tmp
(4/6/05 10:56:00 PM) File added to delete: c:\windows\temp\lcfinstall
(4/6/05 10:56:00 PM) Reboot
(4/6/05 10:59:17 PM) SPSeHjFix 2nd Step
(4/6/05 10:59:17 PM) Stealth-String not present. Disinfection succesfully
(4/6/05 10:59:45 PM) Cleaned

(second run, after next reboot)

(4/6/05 11:39:05 PM) SPSeHjFix started v1.1.1
(4/6/05 11:39:05 PM) OS: Win98SE A (4.10.2222)
(4/6/05 11:39:05 PM) Language: english
(4/6/05 11:39:08 PM) Disinfection started
(4/6/05 11:39:08 PM) Bad-Dll(IEP): (not found)
(4/6/05 11:39:08 PM) Bad-Dll(IEP) in BHO: (not found)
(4/6/05 11:39:08 PM) UBF: 4
(4/6/05 11:39:08 PM) UBB: 1
(4/6/05 11:39:08 PM) UBR: 19
(4/6/05 11:39:08 PM) Bad IE-pages: (none)
(4/6/05 11:39:08 PM) Stealth-String not found
(4/6/05 11:39:08 PM) Not infected->END



****
HJT log
****
Logfile of HijackThis v1.99.1
Scan saved at 12:35:10 AM, on 4/7/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\CBA\PDS.EXE
C:\WINDOWS\SYSTEM\CBA\XFR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\SYSTEM\MSGSYS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\PNY ATTACHé\SHWICON.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
C:\PROGRAM FILES\NORTON UTILITIES\SYSDOC32.EXE
C:\PROGRAM FILES\IOMEGA\TOOLS\IMGICON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\GETRIGHT\GETRIGHT.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~4\VPTRAY.EXE
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ShowIcon_PNY_PNY Attaché] "C:\Program Files\PNY Attaché\shwicon.exe" -t"PNY\PNY Attaché"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\NORTON~4\RTVSCN95.EXE
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\NORTON~4\DEFWATCH.EXE
O4 - HKLM\..\RunServices: [Intel PDS] c:\windows\system\cba\pds.exe
O4 - HKLM\..\RunServices: [Intel File Transfer] c:\windows\system\cba\xfr.exe
O4 - HKLM\..\RunServices: [TMA Distribution] c:\windows\system\cba\lcfinst.exe
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -noauth
O4 - HKCU\..\RunOnce: [CleanUp!] C:\PROGRAM FILES\CLEANUP!\CLEANUP.exe /WindowsRestart
O4 - HKCU\..\RunServicesOnce: [CleanUp!] C:\PROGRAM FILES\CLEANUP!\CLEANUP.exe /WindowsRestart
O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O4 - Startup: IomegaWare.lnk = C:\Program Files\Iomega\IomegaWare\Commander.exe
O4 - Startup: Iomega QuikSync.lnk = C:\Program Files\Iomega\QuikSync\QuikSync.exe
O4 - Startup: Iomega Icons.lnk = C:\Program Files\Iomega\Tools\imgicon.exe
O4 - Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\imgstart.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\REALDOWNLOAD.EXE
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
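The HijackThis log above is a fixed line format: a section code (R0, O1, O2, O4, O16, ...), a dash, then the entry. As an added example that is not from this forum or from HijackThis itself, here is a small Python parser for that format, run over a constructed sample made of lines copied from the log, plus two triage helpers: list the O1 hosts-file overrides, and list O4 autostart entries whose program does not appear in the running-process list. The function and variable names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TMA Distribution] c:\windows\system\cba\lcfinst.exe
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")         # "O4 - HKLM\..\Run: [name] cmd"
O4_RE = re.compile(r"^(.*?): \[(.*?)\] (.*)$")          # key, entry name, command line
EXE_RE = re.compile(r'([^\\"]+\.exe)', re.IGNORECASE)  # basename of the launched program

def parse_hjt(text):
    """Split a HijackThis log into its process list and a section -> entries map."""
    processes, entries, in_procs = [], defaultdict(list), False
    for line in (raw.strip() for raw in text.splitlines()):
        m = ENTRY_RE.match(line)
        if line == "Running processes:":
            in_procs = True
        elif m:
            in_procs = False
            entries[m.group(1)].append(m.group(2))
        elif in_procs and line:
            processes.append(line)
    return {"processes": processes, "entries": dict(entries)}

def hosts_overrides(parsed):
    """O1 entries: hosts-file mappings HijackThis found, as (ip, hostname) pairs."""
    return [tuple(e.split(": ", 1)[1].split()[:2]) for e in parsed["entries"].get("O1", [])]

def autoruns_not_running(parsed):
    """O4 autostart entries whose program is absent from the running-process list,
    returned as (entry name, exe basename); a first place to look when reviewing a log."""
    running = {p.rsplit("\\", 1)[-1].lower() for p in parsed["processes"]}
    flagged = []
    for body in parsed["entries"].get("O4", []):
        m = O4_RE.match(body)
        exe = EXE_RE.search(m.group(3)) if m else None
        if exe and exe.group(1).lower() not in running:
            flagged.append((m.group(2), exe.group(1).lower()))
    return flagged
```

The parser only narrows the list; whether a flagged hosts entry or autostart program is actually unwanted is still decided by checking it against a reputable reference, as the helpers in this thread do.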



#17 clintbrass (Member, Topic Starter, 12 posts)
One other factoid...

I noticed that SpSeHjFix seemed to mark the LCFINSTALL directory and a couple files in the WINDOWS\TEMP directory for elimination.

Well, the LCFINSTALL directory reappears after I reboot, along with a .tmp file called 8a56eab7.tmp.

I'm not sure if that's anything to worry about, or not.

#18 don77 (Malware Expert, Retired Staff, 18,526 posts)
Great news, Clint!!!!

You had a variant of IEPlugin.
Give Cleanup! another run. Run it from Normal mode and let it reboot. Good idea to run it every so often to keep your Temp folders clean.

After you have browsed around a few days, post back and let us know how it is running.
Seeing as you were trying to install Spyware Blaster, you seem to have a good start on preventing this from happening again.

To follow are some recommendations to help prevent reinfection:



Download the following program for keeping crap off your system to begin with.
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests. Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox. Restrict the actions of potentially dangerous sites in Internet Explorer.
Download Spyware Blaster

Keep Ad-aware and Spybot handy. Check them for updates prior to running, and run them weekly.
Same with your Anti Virus.

For an added check, run an online virus scan; you can use one of the 2 below:
TrendMicro's HouseCall
ActiveScan

Be sure and give the Temp folders a cleaning out now and then as well. Make sure after you clean your Temp files to empty out your Recycle bin as well.
For ease, use the following program:
Download and install Cleanup
Run "Cleanup" and when it has finished, Reboot

Remember to Check Windows for updates

#19 clintbrass (Member, Topic Starter, 12 posts)
Don, no problems at all since then. Thank you so much, to you and any colleagues who worked with you!
Clint

#20 don77 (Malware Expert, Retired Staff, 18,526 posts)
Good deal, Clint, thanks for the update....

#21 don77 (Malware Expert, Retired Staff, 18,526 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.





