Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

hijack this log [RESOLVED]

Started by simplicity , Aug 09 2005 01:54 PM

This topic is locked

#1
simplicity

Posted 09 August 2005 - 01:54 PM

Member

Member
21 posts

I've been getting a lot of pop ups lately, and some programs are installing on my computer by itself. .. (ex: surf side kick, search assistant, etc). I think it might be spyware.

I ran adaware, spybot and norton antivirus and I also have an pop up blocker from google.

I've also done some online scans from housecall and panda active scan (log included below)

Can someone look at my logs? Thanks in advance

Logfile of HijackThis v1.99.1
Scan saved at 3:54:10 PM, on 8/9/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\AU10TRAY.EXE
C:\PROGRAM FILES\NETGEAR WG311V2 ADAPTER\WLANCFG5.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\AD-AWARE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\HJT\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [VortexTray] C:\WINDOWS\au10setp.exe 3
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {D6016EE7-A8FF-11D1-B37E-A4759ECD7909} -
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: Yahoo! Literati -
O16 - DPF: Yahoo! Pool 2 -

---------------------------------------------------------
Panda active scan log

Incident Status Location

Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\VARSION.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\RACLTC5.DLL
Adware:adware/adlogix No disinfected C:\WINDOWS\SYSTEM\sp32.xml
Adware:adware/portalscan No disinfected C:\WINDOWS\SYSTEM\winupdt.008
Adware:adware/powersearch No disinfected C:\WINDOWS\SYSTEM\stlb2.xml
Adware:adware/searchtheweb No disinfected C:\WINDOWS\SYSTEM\Cache\mswinstall.exe
Adware:Adware/AdBehavior No disinfected C:\WINDOWS\SYSTEM\supdate.dll
Adware:Adware/AdBehavior No disinfected C:\WINDOWS\SYSTEM\redit.cpl
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pavF3.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav393.TMP

Spyware:spyware/surfsidekick No disinfected C:\WINDOWS\Application Data\Sskknwrd.dll
Adware:Adware/PortalScan No disinfected C:\WINDOWS\Helper101.dll
Adware:Adware/Midaddle No disinfected C:\WINDOWS\ru.exe
Possible Virus. No disinfected C:\Program Files\Common Files\SYSTEM\Mapi\1033\95\MTE2NzY6ODoxNg_exe.vir
Virus:Trj/Downloader.BYN Disinfected C:\Program Files\Windows Media Player\wmplayer.exe

#2
greyknight17

Posted 09 August 2005 - 02:00 PM

Malware Expert

Visiting Consultant
16,560 posts

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Copy the below files and go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say no:

C:\WINDOWS\SYSTEM\sp32.xml
C:\WINDOWS\SYSTEM\winupdt.008
C:\WINDOWS\SYSTEM\stlb2.xml
C:\WINDOWS\SYSTEM\Cache\mswinstall.exe
C:\WINDOWS\SYSTEM\supdate.dll
C:\WINDOWS\SYSTEM\redit.cpl
C:\WINDOWS\Application Data\Sskknwrd.dll
C:\WINDOWS\Helper101.dll
C:\WINDOWS\ru.exe
C:\Program Files\Windows Media Player\wmplayer.exe

Upload this file (C:\Program Files\Common Files\SYSTEM\Mapi\1033\95\MTE2NzY6ODoxNg_exe.vir) to http://virusscan.jotti.org and report back what it found.

Please download l2m9xfix at http://www.geekstogo...ds/l2m9xfix.exe

Save it to the desktop and run it. Extract the files. Then open the l2m9xfix folder you just created and run RunThis.bat.

A window will open, and your desktop will disappear, then reappear. Please be patient until the batch says it is completed.

Then restart your computer, and post a new HijackThis log as well as the log.txt file which should be in the same folder as RunThis.bat.

Also run a new Panda scan and post that log.

#3
simplicity

Posted 10 August 2005 - 11:34 AM

Member

Topic Starter
Member
21 posts

thanks for your help so far. :tazz:

heres my virusscan, l2m9xfix, hijack this, and panda active scan logs.

-------------------------------

File: MTE2NzY6ODoxNg_exe.vir
Status: INFECTED/MALWARE (Note: only non-destructive malware has been found. Considering the non-destructive nature of samples like these - although they can be a pain -, results will not be stored in the database.)
MD5 cd1aab2b35068f89d07210078b72ccae
Packers detected: UPX

Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found not-a-virus:AdWare.ToolBar.ISearch.d
NOD32 Found probably a variant of Win32/Adware.ISearch application (probable variant)
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing

----------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 12:42:29 PM, on 8/10/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\NETGEAR WG311V2 ADAPTER\WLANCFG5.EXE
C:\WINDOWS\AU10TRAY.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\PROGRAM FILES\HJT\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [VortexTray] C:\WINDOWS\au10setp.exe 3
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {D6016EE7-A8FF-11D1-B37E-A4759ECD7909} -
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: Yahoo! Literati -
O16 - DPF: Yahoo! Pool 2 -

---------------------------------------------------------------------

Log of L2M9XFix v1

************

Running from directory:
C:\WINDOWS\Desktop\l2m9xfix

************

Files found:

C:\WINDOWS\system\PYWEROLD.DLL
C:\WINDOWS\system\PYWEROLD.DLL
C:\WINDOWS\system\PYWEROLD.DLL
C:\WINDOWS\system\PYWEROLD.DLL
C:\WINDOWS\system\VARSION.DLL
C:\WINDOWS\system\VARSION.DLL
C:\WINDOWS\system\VARSION.DLL
C:\WINDOWS\system\VARSION.DLL

************

Registry entries found:

[HKEY_CLASSES_ROOT\CLSID\{CA739355-0EF1-43CF-8C78-9F77F78E8A3F}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM\\VARSION.DLL"
[HKEY_CLASSES_ROOT\CLSID\{CA739355-0EF1-43CF-8C78-9F77F78E8A3F}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM\\VARSION.DLL"
[HKEY_CLASSES_ROOT\CLSID\{CA739355-0EF1-43CF-8C78-9F77F78E8A3F}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM\\VARSION.DLL"
[HKEY_CLASSES_ROOT\CLSID\{CA739355-0EF1-43CF-8C78-9F77F78E8A3F}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM\\VARSION.DLL"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{94234CD9-9E0E-69A7-20F1-7D8C70A5CC1E}"=""

************

Killing Explorer
Done!

Killing Rundll32
Done!

Removing malicious CLSID(s)
Done!

Restarting Explorer
Done!

Deleting malicious files
Done!

Finished!

----------------------------------------------------------------------------
Panda active scan log

Incident Status Location
Adware:adware/portalscan No disinfected C:\WINDOWS\SYSTEM\winupdt.bin
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\PYWEROLD.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\VARSION.DLL Possible Virus. No disinfected C:\Program Files\Common Files\SYSTEM\Mapi\1033\95\MTE2NzY6ODoxNg_exe.vir

#4
greyknight17

Posted 10 August 2005 - 06:30 PM

Malware Expert

Visiting Consultant
16,560 posts

#5
simplicity

Posted 11 August 2005 - 08:58 AM

Member

Topic Starter
Member
21 posts

thanks for your help :tazz:

I don't get anymore pop ups + programs installing by itself, but I have a question.
In control panel>add remove programs, a program named "command" is there and I don't remember seeing it there previously.

When I tried removing it, a window popped up saying " can not find script file "c:\\windows\\VXNlcgAA\\KAfj8q.vbs "

Is this supposed to be there or is it one of the programs that installed by itself?

Edited by simplicity, 11 August 2005 - 08:59 AM.

#6
greyknight17

Posted 11 August 2005 - 09:45 AM

Malware Expert

Visiting Consultant
16,560 posts

It's bad

See if you can find and delete this folder:

c:\windows\VXNlcgAA\

Go into HijackThis->Config->Misc Tools->Open Uninstall Manager and look for that command entry. Click on it once and then click on the Delete button in HijackThis. That should get rid of it

Any other problems/questions before I close this topic?

#7
simplicity

Posted 11 August 2005 - 05:15 PM

Member

Topic Starter
Member
21 posts

i deleted the file successfully. thank you again for your time and help. :tazz:

#8
greyknight17

Posted 12 August 2005 - 07:24 AM

Malware Expert

Visiting Consultant
16,560 posts

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.