hijack this log [RESOLVED]

This topic is locked.
#1 simplicity (Member, 21 posts)
I've been getting a lot of pop-ups lately, and some programs are installing on my computer by themselves (ex: Surf SideKick, Search Assistant, etc.). I think it might be spyware.

I ran Ad-Aware, Spybot and Norton AntiVirus, and I also have a pop-up blocker from Google.

I've also done some online scans from housecall and panda active scan (log included below)

Can someone look at my logs? Thanks in advance

Logfile of HijackThis v1.99.1
Scan saved at 3:54:10 PM, on 8/9/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\AU10TRAY.EXE
C:\PROGRAM FILES\NETGEAR WG311V2 ADAPTER\WLANCFG5.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\AD-AWARE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\HJT\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [VortexTray] C:\WINDOWS\au10setp.exe 3
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {D6016EE7-A8FF-11D1-B37E-A4759ECD7909} -
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: Yahoo! Literati -
O16 - DPF: Yahoo! Pool 2 -

---------------------------------------------------------
Panda active scan log

Incident Status Location

Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\VARSION.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\RACLTC5.DLL
Adware:adware/adlogix No disinfected C:\WINDOWS\SYSTEM\sp32.xml
Adware:adware/portalscan No disinfected C:\WINDOWS\SYSTEM\winupdt.008
Adware:adware/powersearch No disinfected C:\WINDOWS\SYSTEM\stlb2.xml
Adware:adware/searchtheweb No disinfected C:\WINDOWS\SYSTEM\Cache\mswinstall.exe
Adware:Adware/AdBehavior No disinfected C:\WINDOWS\SYSTEM\supdate.dll
Adware:Adware/AdBehavior No disinfected C:\WINDOWS\SYSTEM\redit.cpl
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pavF3.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav393.TMP

Spyware:spyware/surfsidekick No disinfected C:\WINDOWS\Application Data\Sskknwrd.dll
Adware:Adware/PortalScan No disinfected C:\WINDOWS\Helper101.dll
Adware:Adware/Midaddle No disinfected C:\WINDOWS\ru.exe
Possible Virus. No disinfected C:\Program Files\Common Files\SYSTEM\Mapi\1033\95\MTE2NzY6ODoxNg_exe.vir
Virus:Trj/Downloader.BYN Disinfected C:\Program Files\Windows Media Player\wmplayer.exe

  • 0


#2 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Copy the below files and go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say no:

C:\WINDOWS\SYSTEM\sp32.xml
C:\WINDOWS\SYSTEM\winupdt.008
C:\WINDOWS\SYSTEM\stlb2.xml
C:\WINDOWS\SYSTEM\Cache\mswinstall.exe
C:\WINDOWS\SYSTEM\supdate.dll
C:\WINDOWS\SYSTEM\redit.cpl
C:\WINDOWS\Application Data\Sskknwrd.dll
C:\WINDOWS\Helper101.dll
C:\WINDOWS\ru.exe
C:\Program Files\Windows Media Player\wmplayer.exe


Upload this file (C:\Program Files\Common Files\SYSTEM\Mapi\1033\95\MTE2NzY6ODoxNg_exe.vir) to http://virusscan.jotti.org and report back what it found.

Please download l2m9xfix at http://www.geekstogo...ds/l2m9xfix.exe

Save it to the desktop and run it. Extract the files. Then open the l2m9xfix folder you just created and run RunThis.bat.

A window will open, and your desktop will disappear, then reappear. Please be patient until the batch says it is completed.

Then restart your computer, and post a new HijackThis log as well as the log.txt file which should be in the same folder as RunThis.bat.

Also run a new Panda scan and post that log.
  • 0

#3 simplicity (Topic Starter, Member, 21 posts)
Thanks for your help so far. :tazz:

Here's my virus scan, l2m9xfix, HijackThis, and Panda ActiveScan logs.


-------------------------------

File: MTE2NzY6ODoxNg_exe.vir
Status: INFECTED/MALWARE (Note: only non-destructive malware has been found. Considering the non-destructive nature of samples like these - although they can be a pain -, results will not be stored in the database.)
MD5 cd1aab2b35068f89d07210078b72ccae
Packers detected: UPX

Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found not-a-virus:AdWare.ToolBar.ISearch.d
NOD32 Found probably a variant of Win32/Adware.ISearch application (probable variant)
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing


----------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 12:42:29 PM, on 8/10/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\NETGEAR WG311V2 ADAPTER\WLANCFG5.EXE
C:\WINDOWS\AU10TRAY.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\PROGRAM FILES\HJT\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [VortexTray] C:\WINDOWS\au10setp.exe 3
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {D6016EE7-A8FF-11D1-B37E-A4759ECD7909} -
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: Yahoo! Literati -
O16 - DPF: Yahoo! Pool 2 -

---------------------------------------------------------------------

Log of L2M9XFix v1

************

Running from directory:
C:\WINDOWS\Desktop\l2m9xfix

************

Files found:

C:\WINDOWS\system\PYWEROLD.DLL
C:\WINDOWS\system\PYWEROLD.DLL
C:\WINDOWS\system\PYWEROLD.DLL
C:\WINDOWS\system\PYWEROLD.DLL
C:\WINDOWS\system\VARSION.DLL
C:\WINDOWS\system\VARSION.DLL
C:\WINDOWS\system\VARSION.DLL
C:\WINDOWS\system\VARSION.DLL

************

Registry entries found:

[HKEY_CLASSES_ROOT\CLSID\{CA739355-0EF1-43CF-8C78-9F77F78E8A3F}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM\\VARSION.DLL"
[HKEY_CLASSES_ROOT\CLSID\{CA739355-0EF1-43CF-8C78-9F77F78E8A3F}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM\\VARSION.DLL"
[HKEY_CLASSES_ROOT\CLSID\{CA739355-0EF1-43CF-8C78-9F77F78E8A3F}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM\\VARSION.DLL"
[HKEY_CLASSES_ROOT\CLSID\{CA739355-0EF1-43CF-8C78-9F77F78E8A3F}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM\\VARSION.DLL"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{94234CD9-9E0E-69A7-20F1-7D8C70A5CC1E}"=""


************

Killing Explorer
Done!

Killing Rundll32
Done!

Removing malicious CLSID(s)
Done!

Restarting Explorer
Done!

Deleting malicious files
Done!


Finished!

----------------------------------------------------------------------------
Panda active scan log

Incident Status Location
Adware:adware/portalscan No disinfected C:\WINDOWS\SYSTEM\winupdt.bin
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\PYWEROLD.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\VARSION.DLL
Possible Virus. No disinfected C:\Program Files\Common Files\SYSTEM\Mapi\1033\95\MTE2NzY6ODoxNg_exe.vir

  • 0

#4 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Copy the below files and go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say no:

C:\WINDOWS\SYSTEM\winupdt.bin
C:\WINDOWS\Desktop\l2m9xfix\backups\PYWEROLD.DLL
C:\WINDOWS\Desktop\l2m9xfix\backups\VARSION.DLL
C:\Program Files\Common Files\SYSTEM\Mapi\1033\95\MTE2NzY6ODoxNg_exe.vir


Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
  • 0

#5 simplicity (Topic Starter, Member, 21 posts)
Thanks for your help. :tazz:
I don't get any more pop-ups or programs installing by themselves, but I have a question.
In Control Panel > Add/Remove Programs, a program named "command" is there and I don't remember seeing it there previously.

When I tried removing it, a window popped up saying " can not find script file "c:\\windows\\VXNlcgAA\\KAfj8q.vbs "

Is this supposed to be there or is it one of the programs that installed by itself?

Edited by simplicity, 11 August 2005 - 08:59 AM.

  • 0

#6 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
It's bad :tazz:

See if you can find and delete this folder:

c:\windows\VXNlcgAA\

Go into HijackThis->Config->Misc Tools->Open Uninstall Manager and look for that command entry. Click on it once and then click on the Delete button in HijackThis. That should get rid of it ;)

Any other problems/questions before I close this topic?
  • 0
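As an added example (not a tool from this thread, the helper, or any of the scanners mentioned), the Python script below automates two things the thread does by hand: it pulls the "No disinfected" paths out of Panda ActiveScan output into a review list like the one pasted into KillBox in post #2, and it flags path components that decode as base64 into readable text, which is how the c:\windows\VXNlcgAA\ folder from post #5 and the MTE2NzY6ODoxNg_exe.vir file from the first scan stand out from ordinary Windows names. The sample lines are constructed to match the shapes seen on this page; the base64-name heuristic, the 0.9 printable-ratio threshold and the function names are my own assumptions, not part of any scanner or of HijackThis.

```python
import base64
import re

# Constructed sample lines in the shapes seen in this thread (Panda ActiveScan rows and the
# "can not find script file" error the topic starter quoted); not output from a live scan.
SAMPLE_LINES = [
    r"Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\VARSION.DLL",
    r"Possible Virus. No disinfected C:\Program Files\Common Files\SYSTEM\Mapi\1033\95\MTE2NzY6ODoxNg_exe.vir",
    r"Virus:Trj/Downloader.BYN Disinfected C:\Program Files\Windows Media Player\wmplayer.exe",
    r'can not find script file "c:\windows\VXNlcgAA\KAfj8q.vbs "',
]

PATH_RE = re.compile(r"[A-Za-z]:\\[^\r\n\"']+")   # a Windows path up to end of line or a quote
TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{6,}")        # runs of base64-alphabet characters worth testing
MIN_PRINTABLE = 0.9                                # assumed threshold: share of decoded bytes that must be printable


def extract_paths(lines):
    """Return every Windows path found in free-form scanner or error output."""
    return [m.group(0).strip() for line in lines for m in PATH_RE.finditer(line)]


def pending_removals(lines):
    """Paths Panda reported but left in place ("No disinfected"), i.e. the list a helper
    reviews before handing it to a delete-on-reboot tool. Disinfected rows are skipped."""
    out = []
    for line in lines:
        if "No disinfected" not in line:
            continue
        m = PATH_RE.search(line)
        if m:
            out.append(m.group(0).strip())
    return out


def decode_if_readable(token):
    """Decode `token` as base64 (padding restored) and return the plaintext if it is
    mostly printable ASCII; return None for anything that is probably just a normal name
    (most real words also decode, but to binary junk, so the printable check filters them)."""
    padded = token + "=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except ValueError:                 # bad length or characters: not base64
        return None
    text = raw.rstrip(b"\x00")         # the folder name in this thread decodes with NUL padding
    if not text:
        return None
    printable = sum(32 <= b < 127 for b in text)
    if printable / len(text) < MIN_PRINTABLE:
        return None
    return text.decode("ascii", errors="replace")


def suspicious_encoded_names(lines):
    """For every path in `lines`, report (path, token, decoded) for each path component
    that decodes to readable text: a hint that the name was generated, not chosen."""
    hits = []
    for path in extract_paths(lines):
        for component in path.split("\\"):
            for token in TOKEN_RE.findall(component):
                decoded = decode_if_readable(token)
                if decoded is not None:
                    hits.append((path, token, decoded))
    return hits


if __name__ == "__main__":
    print("Not disinfected, review before deleting:")
    for p in pending_removals(SAMPLE_LINES):
        print("  ", p)
    print("Path components that decode as readable base64:")
    for path, token, decoded in suspicious_encoded_names(SAMPLE_LINES):
        print(f"   {token!r} -> {decoded!r}  in {path}")
```

Running it lists the two undisinfected paths and reports `VXNlcgAA` decoding to `User` and `MTE2NzY6ODoxNg` decoding to `11676:8:16`, while ordinary components such as `SYSTEM`, `WINDOWS` and `VARSION` decode to unprintable bytes and are not reported; the `KAfj8q` script name is base64-shaped but also decodes to junk, so a hit here is a prompt to look closer, not proof of infection.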

#7 simplicity (Topic Starter, Member, 21 posts)
I deleted the file successfully. Thank you again for your time and help. :tazz:
  • 0

#8 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
