Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Dave's Hijack this log 92805 [CLOSED]


  • This topic is locked This topic is locked

#1
hometown boy dave

hometown boy dave

    New Member

  • Member
  • Pip
  • 3 posts
We have a site that keeps getting popups and rebooting on its own.

We've ran Microsoft antispyware, ewido, trendmicro/housecall, adaware
with no luck getting rid of it all.

So I thought I'd come to the experts.

The pc originally had sidekick which i was able to remove, but it seems
to have some aurora or a better internet.

Thanks,
dave

Here's my hijack this log

Logfile of HijackThis v1.99.1
Scan saved at 4:26:32 PM, on 9/28/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Winnt\System32\smss.exe
C:\Winnt\system32\winlogon.exe
C:\Winnt\system32\services.exe
C:\Winnt\system32\lsass.exe
C:\Winnt\system32\svchost.exe
C:\Winnt\system32\LEXBCES.EXE
C:\Winnt\system32\spoolsv.exe
C:\Winnt\system32\LEXPPS.EXE
D:\Micros\RES\POS\Bin\3700d.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\Program Files\Symantec\pcAnywhere\awhost32.exe
D:\Micros\RES\POS\Bin\DbUpdateServer.exe
D:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
d:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Winnt\system32\vush\mebitoe.exe
C:\Winnt\system32\rundll32.exe
D:\MICROS\COMMON\Bin\CALSrv.exe
C:\Winnt\Explorer.exe
D:\Micros\COMMON\Bin\DSM.exe
C:\Winnt\system32\regsvc.exe
C:\Winnt\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\MICROS\res\pos\Bin\ConnAdvisor.exe
D:\MICROS\res\pos\Bin\MDSHTTPService.exe
C:\Winnt\system32\stisvc.exe
D:\Micros\COMMON\Bin\CMS.exe
D:\MICROS\COMMON\Bin\RunDBMS.exe
C:\Winnt\system32\ajpblsn\cyef.exe
C:\Winnt\system32\gxnxef\bvuw.exe
C:\Winnt\System32\WBEM\WinMgmt.exe
C:\Winnt\system32\haadvyad\idxxub.exe
C:\Winnt\system32\mspmspsv.exe
C:\Winnt\system32\xadafy\svfmi.exe
C:\Winnt\system32\svchost.exe
C:\Winnt\system32\inetsrv\inetinfo.exe
C:\Winnt\system32\nbtnrn.exe
C:\Program Files\amro\wart.exe
D:\Micros\COMMON\Bin\CMSC.exe
C:\Program Files\Common Files\Windows\services32.exe
C:\Winnt\system32\??sks\arpa.exe
C:\Winnt\system32\nbtnrn.exe
C:\Winnt\system32\cmd.exe
D:\Micros\RES\POS\Bin\CPanel.exe
C:\Program Files\Common Files\services.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\MICROS\DATABASE\SYBASE\Adaptive Server Anywhere 6.0\Win32\dbsrv6.exe
D:\MICROS\res\pos\Bin\resdbs.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ei.exe
D:\Micros\Res\Pos\bin\OPS.exe
D:\Micros\Res\Pos\bin\IFS.exe
D:\Micros\Res\Pos\bin\PControl.exe
D:\MICROS\COMMON\Bin\AutoSeqServ.exe
D:\Micros\Res\Pos\bin\CCS.exe
E:\Service Packs\HijackThis.exe

R3 - URLSearchHook: (no name) - {093DDBB5-E7B2-DC0E-CCC4-6ECD9904F4E3} - C:\Winnt\Wdoinpfw.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: (no name) - {1C7E6A8B-8B1D-DECB-4E45-AD2FF094ACE8} - C:\Winnt\system32\uwyoru.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: (no name) - {555DD3E0-3286-F081-73D8-1CB3BB5E9D5B} - C:\Winnt\Wdoinpfw.dll
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Search - {3FED503A-5CC6-390F-536F-76E6E4CF33AE} - C:\Winnt\Wdoinpfw.dll
O4 - HKLM\..\Run: [mebitoe] C:\Winnt\system32\vush\mebitoe.exe
O4 - HKLM\..\Run: [cyef] C:\Winnt\system32\ajpblsn\cyef.exe
O4 - HKLM\..\Run: [bvuw] C:\Winnt\system32\gxnxef\bvuw.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [egak] C:\Winnt\system32\qjbuy\egak.exe
O4 - HKLM\..\Run: [idxxub] C:\Winnt\system32\haadvyad\idxxub.exe
O4 - HKLM\..\Run: [TagASaurus] C:\Program Files\TagASaurus\TagASaurus
O4 - HKLM\..\Run: [YourMonitor] C:\Winnt\YourMonitor
O4 - HKLM\..\Run: [svfmi] C:\Winnt\system32\xadafy\svfmi.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000106.exe
O4 - HKCU\..\Run: [Larc] C:\Program Files\amro\wart.exe
O4 - HKCU\..\Run: [Umld] C:\Winnt\system32\??sks\arpa.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000106.exe
O4 - HKCU\..\Run: [YourMonitor] C:\Winnt\YourMonitor.exe
O4 - HKCU\..\Run: [lmhtiv] C:\Winnt\system32\lmhtiv.exe
O4 - HKCU\..\Run: [nbtnrn] C:\Winnt\system32\nbtnrn.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et1_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt1_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1126549105968
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1126549206890
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O20 - Winlogon Notify: igfxcui - C:\Winnt\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Shell Extensions - C:\Winnt\system32\LCXBCE.DLL
O23 - Service: MICROS 3700 System (3700d) - MICROS Systems, Inc. - D:\Micros\RES\POS\Bin\3700d.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - D:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: MICROS Caller ID Service (CISERVICE) - MICROS Systems, Inc. - D:\Micros\RES\GSS\Bin\CIService.exe
O23 - Service: MICROS DB Update Service (DbUpdateServer) - MICROS Systems, Inc. - D:\Micros\RES\POS\Bin\DbUpdateServer.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - D:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\Winnt\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - d:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\Winnt\system32\LEXBCES.EXE
O23 - Service: mebitoevush - Unknown owner - C:\Winnt\system32\vush\mebitoe.exe
O23 - Service: MICROS Backup Server - MICROS Systems, Inc. - D:\MICROS\res\pos\Bin\resbsm.exe
O23 - Service: MICROS CAL Service - Unknown owner - D:\MICROS\COMMON\Bin\CALSrv.exe
O23 - Service: MICROS Database Service - MICROS Systems, Inc. - D:\MICROS\res\pos\Bin\resdbs.exe
O23 - Service: MICROS Distributed Service Manager - MICROS Systems, Inc. - D:\Micros\COMMON\Bin\DSM.exe
O23 - Service: MICROS Cash Management COM Server (MicrosCashManagementComServer) - MICROS Systems, Inc. - D:\Micros\COMMON\Bin\CMSC.exe
O23 - Service: MICROS Secure Desktop (MicrosDesk) - MICROS Systems, Inc. - D:\Micros\COMMON\Bin\MicrosDsk.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: sqlMICROS1 (SQLANYs_sqlMICROS1) - Sybase, Inc. - D:\MICROS\DATABASE\SYBASE\Adaptive Server Anywhere 6.0\Win32\dbsrv6.exe
O23 - Service: MICROS Connection Advisor (srvConnAdvisor) - MICROS Systems, Inc. - D:\MICROS\res\pos\Bin\ConnAdvisor.exe
O23 - Service: MICROS MDS HTTP Service (srvMDSHTTPService) - MICROS Systems, Inc. - D:\MICROS\res\pos\Bin\MDSHTTPService.exe
O23 - Service: MICROS Cash Management (svcCashManager) - MICROS Systems, Inc. - D:\Micros\COMMON\Bin\CMS.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\Winnt\svcproc.exe (file missing)
  • 0

Advertisements


#2
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Hi Dave and welcome to GTG.

Do you know what this program is for?

O4 - HKLM\..\Run: [TagASaurus] C:\Program Files\TagASaurus\TagASaurus

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Please download Ewido Security Suite at http://www.ewido.net/en/download/.

1. Install Ewido Security Suite.
2. When installing, under 'Additional Options' uncheck:
* Install background guard
* Install scan via context menu
3. Launch Ewido, there should be an icon on your desktop, double click it.
4. The program will now open to the main screen.
5. When you run Ewido for the first time, you will get a warning 'Database could not be found!'. Click OK. We will fix this in a moment.
6. You will need to update Ewido to the latest definition files.
* On the left hand side of the main screen click update.
* Then click on Start Update.
7. The update will start and a progress bar will show the updates being installed. The status bar at the bottom will display 'Update successful'.
8. Exit Ewido. DO NOT scan yet.

If you are having problems with the updater, you can go to http://www.ewido.net...wnload/updates/ to update manually.

Download Nailfix Utility at http://www.noidea.us...050711214630636 Save it to your desktop. Do NOT run it yet.

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. Don't run it yet.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Once in Safe Mode, double click on nailfix.exe.
Click 'Next' in the setup, then make sure 'Run Nailfix' is checked and click 'Finish'.
Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Now open Ewido and do a scan on your system.

* Click on scanner
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with Ewido it is finding cases of false positives.
o You will need to step through the process of cleaning files one-by-one.
o If Ewido detects a file you KNOW to be legitimate, select none as the action.
o Do NOT select 'Perform action on all infections'
o If you are unsure of any entry found, select none for now as the action.
* Once the scan has completed, there will be a button located on the bottom of the screen named Save report
* Click Save report.
* Save the report .txt file to your desktop or a location where you can find it easily.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R3 - URLSearchHook: (no name) - {093DDBB5-E7B2-DC0E-CCC4-6ECD9904F4E3} - C:\Winnt\Wdoinpfw.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: (no name) - {1C7E6A8B-8B1D-DECB-4E45-AD2FF094ACE8} - C:\Winnt\system32\uwyoru.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: (no name) - {555DD3E0-3286-F081-73D8-1CB3BB5E9D5B} - C:\Winnt\Wdoinpfw.dll
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O3 - Toolbar: Search - {3FED503A-5CC6-390F-536F-76E6E4CF33AE} - C:\Winnt\Wdoinpfw.dll
O4 - HKLM\..\Run: [mebitoe] C:\Winnt\system32\vush\mebitoe.exe
O4 - HKLM\..\Run: [cyef] C:\Winnt\system32\ajpblsn\cyef.exe
O4 - HKLM\..\Run: [bvuw] C:\Winnt\system32\gxnxef\bvuw.exe
O4 - HKLM\..\Run: [egak] C:\Winnt\system32\qjbuy\egak.exe
O4 - HKLM\..\Run: [idxxub] C:\Winnt\system32\haadvyad\idxxub.exe
O4 - HKLM\..\Run: [YourMonitor] C:\Winnt\YourMonitor
O4 - HKLM\..\Run: [svfmi] C:\Winnt\system32\xadafy\svfmi.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000106.exe
O4 - HKCU\..\Run: [Larc] C:\Program Files\amro\wart.exe
O4 - HKCU\..\Run: [Umld] C:\Winnt\system32\??sks\arpa.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000106.exe
O4 - HKCU\..\Run: [YourMonitor] C:\Winnt\YourMonitor.exe
O4 - HKCU\..\Run: [lmhtiv] C:\Winnt\system32\lmhtiv.exe
O4 - HKCU\..\Run: [nbtnrn] C:\Winnt\system32\nbtnrn.exe
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O20 - Winlogon Notify: Shell Extensions - C:\Winnt\system32\LCXBCE.DLL
O23 - Service: mebitoevush - Unknown owner - C:\Winnt\system32\vush\mebitoe.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\Winnt\svcproc.exe (file missing)


Locate and delete the following:

C:\Program Files\amro\
C:\Program Files\Common Files\mc-58-12-0000106.exe
C:\Program Files\Common Files\Windows\mc-58-12-0000106.exe
C:\Program Files\Common Files\Windows\services32.exe
C:\Program Files\DNS\
C:\Program Files\E2G\
C:\WINNT\Nail.exe
C:\Winnt\svcproc.exe
C:\Winnt\system32\??sks\arpa.exe
C:\Winnt\system32\ajpblsn\
C:\Winnt\system32\gxnxef\
C:\Winnt\system32\haadvyad\
C:\Winnt\system32\LCXBCE.DLL
C:\Winnt\system32\lmhtiv.exe
C:\Winnt\system32\nbtnrn.exe
C:\Winnt\system32\qjbuy\
C:\Winnt\system32\uwyoru.dll
C:\Winnt\system32\vush\
C:\Winnt\system32\xadafy\
C:\Winnt\Wdoinpfw.dll
C:\Winnt\YourMonitor
C:\Winnt\YourMonitor.exe


Restart your computer.

Download FindIt's.zip http://forums.net-in...=post&id=142443 to your desktop.

1. Unzip/extract the files to a folder on your desktop.
2. Open the folder. Double click on FindIt's.bat and wait for Notepad to open a text file. It will take a while so please be patient... Note: If you are having problems using FindIt's.bat (16 bit error), copy autoexec.nt from the C:\WINDOWS\repair folder to C:\WINDOWS\system32 folder. Now try running FindIt's.bat.
3. Then post the FindIt's log here along with the logs for HijackThis and Ewido.
  • 0

#3
hometown boy dave

hometown boy dave

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
I am unable to download findit's.zip from the link , even after registering.

Tagasaurus , I don't know what that is. It's a window that popped up once.

This site is 1 hour away from us, is there anyway to reboot into safemode
with networking so we can do things remotely via pcanywhere.

Thanks,
dave
  • 0

#4
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Hi Dave, skip that FindIt's step then. For that Tagasaurus program, if you don't know what it's for, uninstall it if listed in the Add/Remove panel and delete the folder for it.

This might not be possible unless the user is there. If you do it in Safe Mode with Networking, the user still has to be there since once you restart all connections will be lost from both sides.

When you are done, give me the log for HijackThis and Ewido.
  • 0

#5
hometown boy dave

hometown boy dave

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
I sent my other guy out there and he did almost everything,
but after one reboot the system came up with a blue screen
inaccessible drive error.

We are now reloading a different hard drive.

Thanks for your responses, I'm sure I'll be using this forum
in the future.

I'm actually going to try to load that infected hard drive on
another pc and see whether i can get rid of the spy ware.

thanks again,
dave
  • 0

#6
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Sorry to hear that. Not sure if it's related or not, but sometimes users get problems like this. The fix shouldn't have caused that...just to let you know :tazz:

So you want to close this topic then? Probably swapping and using the other hard drive right?
  • 0

#7
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP