Help with Hijack log, please [RESOLVED]


  • This topic is locked

#1
brahms
New Member
Logfile of HijackThis v1.99.1
Scan saved at 9:08:16 AM, on 5/9/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
E:\programs\plextor2000\PLXTASK.EXE
C:\WINNT\System32\atiptaxx.exe
C:\WINNT\System32\CTHELPER.EXE
E:\downloads\qttask.exe
C:\WINNT\System32\wfxsnt40.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\WINNT\system32\msas32.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe
E:\Programs\hotburn\Autolaunch.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\Programs\winfax\WFXCTL32.EXE
E:\Programs\WinZip\WZQKPICK.EXE
E:\Programs\efax\J2GDllCmd.exe
E:\Programs\efax\J2GTray.exe
C:\Palm\hotsync.exe
E:\Programs\Firefox\firefox.exe
C:\WINNT\system32\apizs.exe
C:\DOCUMENTS AND SETTINGS\GARY1\DESKTOP\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\jhukh.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\jhukh.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\jhukh.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\jhukh.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\jhukh.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {BFDF7714-686C-2193-42A9-845A22A979FE} - C:\WINNT\addpk32.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-ca\msntb.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PLXSTART] e:\programs\plextor2000\PLXSTART.EXE
O4 - HKLM\..\Run: [PLXTASK] e:\programs\plextor2000\PLXTASK.EXE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\downloads\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [qjktzazydnx] C:\WINNT\System32\vkgjuw.exe
O4 - HKLM\..\Run: [ietg.exe] C:\WINNT\system32\ietg.exe
O4 - HKLM\..\Run: [appvs32.exe] C:\WINNT\system32\appvs32.exe
O4 - HKLM\..\Run: [netzb.exe] C:\WINNT\system32\netzb.exe
O4 - HKLM\..\Run: [msas32.exe] C:\WINNT\system32\msas32.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe"
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "E:\Programs\hotburn\Autolaunch.exe"
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINNT\System32\spoolsrv32.exe
O4 - HKLM\..\RunOnce: [javatf.exe] C:\WINNT\system32\javatf.exe
O4 - HKLM\..\RunOnce: [apizs.exe] C:\WINNT\system32\apizs.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINNT\System32\spoolsrv32.exe
O4 - Startup: eFax Live Menu 3.4.lnk = E:\Programs\efax\J2GDllCmd.exe
O4 - Startup: eFax Tray Menu 3.4.lnk = E:\Programs\efax\J2GTray.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\hotsync.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Controller.LNK = E:\Programs\winfax\WFXCTL32.EXE
O4 - Global Startup: Microsoft Office.lnk = Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = E:\Programs\WinZip\WZQKPICK.EXE
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: TruePass EPF 7,0,100,684 - https://blrscr3.egs-...sapplet-epf.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {640373B0-6978-4FA5-A9FC-420ECBBC61C7} (Web Viewer Class) - http://www.tekla.com...dll/zkitlib.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B3D8F1D-5DAE-49DC-8B40-EFB7CD7A4F89} (VNLive Control) - http://www.scalado.c...s/vnpanoctl.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensave.../sinstaller.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.skibanff....sCamControl.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://lopes.armstro...timage40803.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,20/mcgdmgr.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://webexevents....674/ieatgpc.cab
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\mfceq32.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

#2
miekiemoes
Malware Expert, MVP
Hello,

°Download AboutBuster.
Unzip AboutBuster into its own folder, such as C:\AboutBuster.
Start AboutBuster.exe. Click OK, Update, Check For Update and download the updates if present.
Close AboutBuster now, because you may not run it yet; that's for later.
If you are getting an error when updating, please let me know first before you proceed with the next steps.

* Download CWShredder. Don't let it run yet!

* Download this regfix: HSfix
Unzip it and place it on your desktop, don't use it yet!

*It's better to print these instructions out, because you have a lot of steps to take; that way you have a better overview, and this page won't be available all the time.

°First, we will make your hidden files and folders visible.
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide file extensions for known file types.
* Click Yes to confirm.
* Click OK.

*Please reboot your system into SAFE MODE.
°To get into the Windows XP Safe mode as the computer is booting press and hold your "F8 Key" which should bring up the "Windows Advanced Options Menu". Use your arrow keys to move to "Safe Mode" and press your Enter key.

*Start HijackThis, click Scan and put a checkmark next to the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\jhukh.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\jhukh.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\jhukh.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\jhukh.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\jhukh.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {BFDF7714-686C-2193-42A9-845A22A979FE} - C:\WINNT\addpk32.dll
O4 - HKLM\..\Run: [qjktzazydnx] C:\WINNT\System32\vkgjuw.exe
O4 - HKLM\..\Run: [ietg.exe] C:\WINNT\system32\ietg.exe
O4 - HKLM\..\Run: [appvs32.exe] C:\WINNT\system32\appvs32.exe
O4 - HKLM\..\Run: [netzb.exe] C:\WINNT\system32\netzb.exe
O4 - HKLM\..\Run: [msas32.exe] C:\WINNT\system32\msas32.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINNT\System32\spoolsrv32.exe
O4 - HKLM\..\RunOnce: [javatf.exe] C:\WINNT\system32\javatf.exe
O4 - HKLM\..\RunOnce: [apizs.exe] C:\WINNT\system32\apizs.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINNT\System32\spoolsrv32.exe
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: TruePass EPF 7,0,100,684 - https://blrscr3.egs-...sapplet-epf.cab
O16 - DPF: {640373B0-6978-4FA5-A9FC-420ECBBC61C7} (Web Viewer Class) - http://www.tekla.com...dll/zkitlib.dll
O16 - DPF: {7B3D8F1D-5DAE-49DC-8B40-EFB7CD7A4F89} (VNLive Control) - http://www.scalado.c...s/vnpanoctl.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensave.../sinstaller.cab
O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://lopes.armstro...timage40803.cab
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\mfceq32.exe (file missing)


*Close all open windows except hijackthis and click 'Fix Checked'.

*Navigate to and delete the following files if present:

C:\WINNT\system32\msas32.exe
C:\WINNT\system32\apizs.exe
C:\WINNT\system32\jhukh.dll
C:\WINNT\addpk32.dll
C:\WINNT\System32\vkgjuw.exe
C:\WINNT\system32\ietg.exe
C:\WINNT\system32\appvs32.exe
C:\WINNT\system32\netzb.exe
C:\WINNT\System32\spoolsrv32.exe
C:\WINNT\system32\javatf.exe
C:\WINNT\system32\mfceq32.exe
C:\WINNT\System32\srpcsrv32.dll
C:\WINNT\System32\txfdb32.dll
C:\WINNT\Web\desktop.html

*Start AboutBuster and let it scan. Click OK/Yes for every instruction that AboutBuster gives you.
Let it scan a second time to make sure it can get rid of everything.
When finished, click 'Save Log'.

*Start CWShredder and click Fix.

* Double-click the HSfix file you downloaded earlier, which is on your desktop, and when it asks whether you want to add the contents to the registry, click Yes/OK.

*Go to Start > Run, type cleanmgr and click OK.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.

*Go to Start > Control Panel > Internet Options > Programs tab and click Restore Web Settings.


Go to Start > Control Panel > Display Properties > Desktop > Customize Desktop... > Web tab, and uncheck and delete everything you find there.

*Reboot your PC back to normal.

*Perform an online virus scan: TrendMicro HouseCall.

*Post a new HijackThis log + the AboutBuster log.
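
As an added illustration (not part of the original thread or of HijackThis itself), here is a small Python triage script that applies the same kind of checks the helper applied by hand to the log above: res:// search-page redirects, a nameless BHO, Run/RunOnce values with machine-generated names or launching from the Windows directory, a bare IP in the Trusted zone, and a service whose binary is missing. The heuristics, thresholds and function names are my own; the sample entries are copied from the log posted above, with a few benign lines kept for contrast.

```python
import re
from dataclasses import dataclass

# Constructed sample input: entries copied from the HijackThis log posted
# above, plus benign entries (Start Page_bak, QuickTime, Iomega) for contrast.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\jhukh.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {BFDF7714-686C-2193-42A9-845A22A979FE} - C:\WINNT\addpk32.dll
O4 - HKLM\..\Run: [qjktzazydnx] C:\WINNT\System32\vkgjuw.exe
O4 - HKLM\..\Run: [ietg.exe] C:\WINNT\system32\ietg.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\downloads\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINNT\System32\spoolsrv32.exe
O15 - Trusted IP range: 206.161.125.149
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\mfceq32.exe (file missing)
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# O4 body looks like: HKLM\..\Run: [value name] command line
O4_RE = re.compile(r"^HK\w+\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# A binary sitting directly in the Windows or System32 directory.
WINDIR_RE = re.compile(r"\\(winnt|windows)(\\system32)?\\[^\\]+$", re.I)


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    reasons: tuple # every heuristic the entry tripped
    entry: str     # the original log line


def looks_random(name: str) -> bool:
    """Rough test for machine-generated value names such as 'qjktzazydnx':
    one long alphabetic token with almost no vowels. A triage hint only."""
    if len(name) < 10 or not name.isalpha():
        return False
    return sum(c in "aeiouAEIOU" for c in name) / len(name) < 0.2


def command_path(cmd: str) -> str:
    """First token of a Run command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def check_entry(section: str, body: str) -> list:
    """Return the reasons (possibly none) an entry deserves a closer look."""
    reasons = []
    if section in ("R0", "R1") and "res://" in body:
        reasons.append("IE page/search setting points at a local res:// DLL")
    if section == "R3" and "missing" in body:
        reasons.append("default URLSearchHook removed")
    if section == "O2" and "(no name)" in body:
        reasons.append("BHO without a name")
    if section == "O4":
        m = O4_RE.match(body)
        if m:
            name, path = m.group("name"), command_path(m.group("cmd"))
            filename = path.rsplit("\\", 1)[-1]
            if m.group("key").lower() == "runonce" and WINDIR_RE.search(path):
                reasons.append("RunOnce launching a binary from the Windows directory")
            if name.lower() == filename.lower():
                reasons.append("value name is just the file name")
            if looks_random(name):
                reasons.append("value name looks machine-generated")
    if section == "O15":
        reasons.append("address added to the IE Trusted zone")
    if section == "O23":
        if "(file missing)" in body:
            reasons.append("service binary missing on disk")
        if any(ord(c) > 126 for c in body):
            reasons.append("non-ASCII characters in service name")
    return reasons


def triage(log_text: str) -> list:
    """Run check_entry over every R/O line of a log and keep the hits."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, process list or blank line
        reasons = check_entry(m.group("sec"), m.group("body"))
        if reasons:
            findings.append(Finding(m.group("sec"), tuple(reasons), line.strip()))
    return findings
```

On the sample above, `triage(SAMPLE_LOG)` flags eight of the eleven entries and leaves the QuickTime, Iomega and about:blank lines alone; the name heuristic is deliberately loose and should be read as a prompt to look, not as a verdict.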

#3
brahms
New Member (Topic Starter)
Rough start.

Error occurs when updating AboutBuster: "corrupt or missing database"

_G

#4
miekiemoes
Malware Expert, MVP
Hello,

I think you unpacked AboutBuster the wrong way.
Create a new folder and name it ab.
Now move aboutbuster.exe AND reflist.dll, which is also present in aboutbuster.zip, to that new folder ab.
So, in that folder, the two files must be there together: reflist.dll and aboutbuster.exe.
If you try to update AboutBuster now, it'll work.

#5
brahms
New Member (Topic Starter)
Things are looking up...

Then TrendMicro detected a trojan.

Cleaned and deleted all 77 files except one... c:\wp.exe
System says the file is in use and cannot be deleted.
I'm getting a system warning as my wallpaper.

Here is the latest Hijack log:
Logfile of HijackThis v1.99.1
Scan saved at 9:51:08 PM, on 5/10/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
E:\programs\plextor2000\PLXTASK.EXE
C:\WINNT\System32\atiptaxx.exe
C:\WINNT\System32\CTHELPER.EXE
E:\downloads\qttask.exe
C:\WINNT\System32\wfxsnt40.exe
c:\program files\mcafee.com\agent\mcagent.exe
E:\Programs\hotburn\Autolaunch.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\wp.exe
E:\Programs\winfax\WFXCTL32.EXE
E:\Programs\WinZip\WZQKPICK.EXE
E:\Programs\efax\J2GDllCmd.exe
E:\Programs\efax\J2GTray.exe
C:\Palm\hotsync.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Gary1\Desktop\HijackThis.exe

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-ca\msntb.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PLXTASK] e:\programs\plextor2000\PLXTASK.EXE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\downloads\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "E:\Programs\hotburn\Autolaunch.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WindowsFY] C:\wp.exe
O4 - Startup: eFax Live Menu 3.4.lnk = E:\Programs\efax\J2GDllCmd.exe
O4 - Startup: eFax Tray Menu 3.4.lnk = E:\Programs\efax\J2GTray.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\hotsync.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Controller.LNK = E:\Programs\winfax\WFXCTL32.EXE
O4 - Global Startup: Microsoft Office.lnk = Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = E:\Programs\WinZip\WZQKPICK.EXE
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.skibanff....sCamControl.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,20/mcgdmgr.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://webexevents....674/ieatgpc.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

Here is the AboutBuster log:
ed at: 9:02:09 PM on: 5/10/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26


Removed Data Streams:
C:\WINNT\Adobe PSEle2 Lang Installer.log:xaobu
C:\WINNT\apifk32.dll:bujjm
C:\WINNT\AUTOLNCH.REG:mvnbj
C:\WINNT\AUTOLNCH.REG:mvnbj
C:\WINNT\delttsul.exe:kujpu
C:\WINNT\discover.exe:pkvjt
C:\WINNT\explorer.exe:uweqs
C:\WINNT\NDNuninstall5_20.exe:zphve
C:\WINNT\NDNuninstall5_20.exe:zphve
C:\WINNT\NDNuninstall5_48.exe:nszcc
C:\WINNT\netnd.dll:ylnfq
C:\WINNT\nscstiu_error.txt:ahcpf
C:\WINNT\ntxg.exe:kiuvh
C:\WINNT\n_qmzzye.txt:rseai
C:\WINNT\n_utcprv.log:ctpke
C:\WINNT\patchw32.dll:mmqgc
C:\WINNT\pedaa.drv:uueak
C:\WINNT\readme.ico:ognyq
C:\WINNT\River Sumida.bmp:gzxdn
C:\WINNT\SexNow.exe:mcaqk
C:\WINNT\winja.dll:nagqt


Removed! : C:\WINNT\appcu.exe
Removed! : C:\WINNT\appiq32.exe
Removed! : C:\WINNT\d3eq.exe
Removed! : C:\WINNT\dkqxg.dat
Removed! : C:\WINNT\gozdx.dat
Removed! : C:\WINNT\iess32.exe
Removed! : C:\WINNT\ieurb.dat
Removed! : C:\WINNT\ipkn.exe
Removed! : C:\WINNT\mhpxx.dat
Removed! : C:\WINNT\ntlz.exe.bak
Removed! : C:\WINNT\sysjs32.exe
Removed! : C:\WINNT\wingz32.exe
Removed! : C:\WINNT\xvwqj.dat
Removed! : C:\WINNT\zprua.dat
Removed! : C:\WINNT\System32\appps32.exe
Removed! : C:\WINNT\System32\crmb.exe
Removed! : C:\WINNT\System32\kbara.dat
Removed! : C:\WINNT\System32\lgoae.dat
Removed! : C:\WINNT\System32\mfcic.exe
Removed! : C:\WINNT\System32\muuyd.dat
Removed! : C:\WINNT\System32\netjk32.exe
Removed! : C:\WINNT\System32\netkv32.exe
Removed! : C:\WINNT\System32\ovsqe.dat
Removed! : C:\WINNT\System32\oygre.dat
Removed! : C:\WINNT\System32\sdkpi32.exe
Removed! : C:\WINNT\System32\sdkuk.exe
Removed! : C:\WINNT\System32\tlrlo.dat
Removed! : C:\WINNT\System32\zjnru.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26


Removed Data Streams:
C:\WINNT\Adobe PSEle2 Lang Installer.log:xaobu
C:\WINNT\apifk32.dll:bujjm
C:\WINNT\AUTOLNCH.REG:mvnbj
C:\WINNT\AUTOLNCH.REG:mvnbj
C:\WINNT\delttsul.exe:kujpu
C:\WINNT\discover.exe:pkvjt
C:\WINNT\explorer.exe:uweqs
C:\WINNT\NDNuninstall5_20.exe:zphve
C:\WINNT\NDNuninstall5_20.exe:zphve
C:\WINNT\NDNuninstall5_48.exe:nszcc
C:\WINNT\netnd.dll:ylnfq
C:\WINNT\nscstiu_error.txt:ahcpf
C:\WINNT\ntxg.exe:kiuvh
C:\WINNT\n_qmzzye.txt:rseai
C:\WINNT\n_utcprv.log:ctpke
C:\WINNT\patchw32.dll:mmqgc
C:\WINNT\pedaa.drv:uueak
C:\WINNT\readme.ico:ognyq
C:\WINNT\River Sumida.bmp:gzxdn
C:\WINNT\SexNow.exe:mcaqk
C:\WINNT\winja.dll:nagqt


Attempted Clean Of Temp folder.
Pages Reset... Done!


Aside from the trojan, I seem to have regained control of IE.. :tazz:

#6
miekiemoes
Malware Expert, MVP
We made progress! Good!

Now let's deal with another desktop hijacker which wasn't present before.

Reboot in SAFE mode

Search for the next files/folder and delete them if present:

C:\wp.exe
C:\wp.bmp
C:\WINNT\System32\wldr.dll
C:\Program Files\Security IGuard <== folder

Still in safe mode, run AboutBuster again, because I think there will still be files found, and save the log.

Check and fix the next line in HijackThis:

O4 - HKCU\..\Run: [WindowsFY] C:\wp.exe

Reboot back to normal mode and download this registry fix:
http://www.bleepingc...g/smitfraud.reg and save it on your desktop
Doubleclick on it and when it asks you if you want to add the content to the registry, click yes/ok.

It could be possible that this hijacker deleted some files, so check if the following are still present:

°Control.exe: is in your C:\WINNT\system32. Download here if missing.

°Hosts: C:\WINNT\SYSTEM32\DRIVERS\ETC. Download here if missing.
Unzip Hoster into its own folder, e.g. C:\Hoster.
Start Hoster.exe, click 'Restore Original Hosts' and click OK. Close the program.

°Shell.dll: C:\WINNT\SYSTEM32. Download here if missing.

°SDHelper.dll:
If you are using Spybot Search & Destroy, this hijacker can also delete SDHelper.dll.
Download SDHelper.dll.
Place the file in the Spybot Search & Destroy folder. Most probably, this is C:\Program Files\Spybot - Search & Destroy

Reboot once again and post a new HijackThis log together with the log from AboutBuster.

#7
brahms
New Member (Topic Starter)
It's hard to believe.. my system seems to be mine again.

Could it be true?

Logfile of HijackThis v1.99.1
Scan saved at 8:38:02 AM, on 5/11/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
E:\programs\plextor2000\PLXTASK.EXE
C:\WINNT\System32\atiptaxx.exe
C:\WINNT\System32\CTHELPER.EXE
E:\downloads\qttask.exe
C:\WINNT\System32\wfxsnt40.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
E:\Programs\hotburn\Autolaunch.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\Programs\winfax\WFXCTL32.EXE
E:\Programs\WinZip\WZQKPICK.EXE
E:\Programs\efax\J2GDllCmd.exe
E:\Programs\efax\J2GTray.exe
C:\Palm\hotsync.exe
C:\Documents and Settings\Gary1\Desktop\HijackThis.exe

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-ca\msntb.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PLXTASK] e:\programs\plextor2000\PLXTASK.EXE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\downloads\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "E:\Programs\hotburn\Autolaunch.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: eFax Live Menu 3.4.lnk = E:\Programs\efax\J2GDllCmd.exe
O4 - Startup: eFax Tray Menu 3.4.lnk = E:\Programs\efax\J2GTray.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\hotsync.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Controller.LNK = E:\Programs\winfax\WFXCTL32.EXE
O4 - Global Startup: Microsoft Office.lnk = Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = E:\Programs\WinZip\WZQKPICK.EXE
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.skibanff....sCamControl.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,20/mcgdmgr.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://webexevents....674/ieatgpc.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

#8
miekiemoes
Malware Expert, MVP
Hi,

You may fix the next line too, because it seems the file is missing.

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-ca\msntb.dll (file missing)

That log looks clean again -- Well done!!

To keep this clean in the future, I would suggest the following things:

Install SpywareBlaster
SpywareBlaster doesn't scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

Avoid illegal sites, because that's where most malware is present.

Let your antispyware scanner(s) scan frequently, and don't forget to update them first.

And I do suggest you perform an online virus scan once in a while (Kaspersky Online and/or BitDefender), because what one virus scanner can't find, another one maybe can.
Also make sure that your virus scanner, the one installed on your system, is always up to date!

Make sure your Windows has the latest updates, so visit http://windowsupdate.microsoft.com/ asap to install all the updates!

More info on how to prevent malware can also be found here (by Tony Klein).

Happy surfing again!

#9
brahms
New Member (Topic Starter)
Thank you so much for all of the help.
Your prompt, personal service is commended.

:tazz:

#10
miekiemoes
Malware Expert, MVP
Glad I could help you.

Happy surfing again!! :tazz:

#11
miekiemoes
Malware Expert, MVP
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.