Need Analysis of Hijackthis log



#1 kolut
Posted 01 July 2004 - 09:58 AM

I have a user that has been logging in from home and had so many adware problems it is simply scary. His browser address bar is even grayed out and can't be typed in. I've had him run Ad-Aware, Spybot, and CWShredder. He's still got some wtools problems and Spybot can't seem to remove a couple of the things he's found. I had him create a HijackThis log and send it to me, and this is what it is. I saw some of these things and knew they needed to be fixed, but have no idea about some of the others. Can anybody show me exactly which of these needs to be repaired by HijackThis for this guy to be able to work again? Thanks a ton!!!




Logfile of HijackThis v1.97.7
Scan saved at 2:16:05 PM, on 6/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Works\WksSb.exe
C:\WINDOWS\MCBin\AV\Rt\mgavrtcl.exe
C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\windows\temp\EJJWoY.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
C:\WINDOWS\MCBIN\AV\RT\MGAVRTE.EXE
C:\WINDOWS\addins\vbwave.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\Program Files\AIM95\aim.exe
C:\Documents and Settings\Harllee\Application Data\soba.exe
C:\WINDOWS\System32\wapicc.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\WINDOWS\System32\QvvpP4T.exe
C:\WINDOWS\3m74qf0t.exe
C:\WINDOWS\System32\TklMyPCB.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50094
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://northernvirginia.cox.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch...spx?tb_id=50094
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50094
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {25F7FA20-3FC3-11D7-B487-00D05990014C} - C:\WINDOWS\System32\mseggo.gif
O2 - BHO: (no name) - {447160CD-ECF5-4EA2-8A8A-1F70CA363F85} - C:\WINDOWS\System32\msibkd.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [mgavrtclexe] C:\WINDOWS\MCBin\AV\Rt\mgavrtcl.exe
O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [UBEILBFI] C:\WINDOWS\UBEILBFI.exe
O4 - HKLM\..\Run: [havcv] C:\WINDOWS\havcv.exe
O4 - HKLM\..\Run: [EJJWoY] C:\windows\temp\EJJWoY.exe
O4 - HKLM\..\Run: [53RKL3@4QABSCZ] C:\WINDOWS\System32\QmtPCB55.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [fash] C:\WINDOWS\fash.exe
O4 - HKLM\..\Run: [ilopcnmite] C:\WINDOWS\System32\ivbndb.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [vbwave] C:\WINDOWS\addins\vbwave.exe
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [3m74qf0t.exe] C:\WINDOWS\3m74qf0t.exe /dk
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Htra] C:\Documents and Settings\Harllee\Application Data\soba.exe
O4 - HKCU\..\Run: [WTSS] C:\WINDOWS\System32\wapicc.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msgked.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [3m74qf0t.exe] C:\WINDOWS\3m74qf0t.exe /dk
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O4 - Global Startup: 3m74qf0t.lnk = C:\WINDOWS\3m74qf0t.exe
O9 - Extra button: AIM (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8143.5784027778
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
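Triage of a log in this format, as an added example that is not part of the thread and not HijackThis's own code. It parses the "Running processes" lines and the R/O entry lines, applies a few defender-side heuristics (an executable run from a temp or Application Data folder, a mixed letter/digit name sitting directly in the Windows folder, a Run value with no path at all, a BHO that is not a .dll, one file registered in all three autostart locations) and notes, per section type, where a "fix checked" actually takes effect. The heuristics, the FIX_LOCATION table and every function name are assumptions of this example; the sample lines are a subset copied from the log above.

```python
import re
from dataclasses import dataclass
# Where a 'fix checked' on each section type takes effect (standard Windows/IE locations; assumption of this example).
FIX_LOCATION = {
    "O2": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CLSID}",
    "O3": r"HKLM\Software\Microsoft\Internet Explorer\Toolbar (value named after the CLSID)",
    "O4": r"HKLM or HKCU ...\Windows\CurrentVersion\Run value, or the .lnk in the Startup folder",
    "O16": r"HKLM\Software\Microsoft\Code Store Database\Distribution Units\{CLSID} + Downloaded Program Files",
}

@dataclass
class Finding:
    section: str    # "process" or the HijackThis section code (O2, O4, ...)
    target: str     # path or command the heuristic looked at
    reason: str
    fix_location: str

ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
PROCESS_RE = re.compile(r"^[A-Za-z]:\\")
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[.*?\] (.*)$")
STARTUP_RE = re.compile(r"^Global Startup: .*? = (.*)$")
BHO_RE = re.compile(r"^BHO: .*? - \{[0-9A-Fa-f-]+\} - (.*)$")
EXE_RE = re.compile(r'^"?(.+?\.exe)"?', re.I)   # first .exe token of a Run command line
RANDOM_STEM = re.compile(r"(?=.*\d)(?=.*[A-Za-z])[A-Za-z0-9]{5,10}")
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}

def target_of_run(command: str) -> str:
    # '"C:\x y\a.exe" /s' -> 'C:\x y\a.exe'; an unquoted path with spaces is cut at its first '.exe'
    m = EXE_RE.match(command.strip())
    return m.group(1) if m else command.strip()

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]

def path_heuristics(path: str) -> list[str]:
    """Checks that apply to any executable path, from the process list or an autostart entry."""
    low, reasons = path.lower(), []
    parent = low.rsplit("\\", 1)[0] if "\\" in low else ""
    stem = basename(path).rsplit(".", 1)[0]
    if low.endswith(".exe") and ("\\temp\\" in low or "\\application data\\" in low):
        reasons.append("executable in a temp or per-user Application Data folder")
    if parent in WINDOWS_DIRS and RANDOM_STEM.fullmatch(stem):
        reasons.append("mixed letter/digit filename sitting directly in the Windows folder")
    return reasons

def analyse(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    autostart: dict[str, set[str]] = {}   # exe basename -> {"HKLM", "HKCU", "Startup"}
    for raw in log_text.splitlines():
        line = raw.strip()
        if PROCESS_RE.match(line):        # a line of the 'Running processes' section
            findings += [Finding("process", line, r, "end the process, then fix its autostart entry")
                         for r in path_heuristics(line)]
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        fix = FIX_LOCATION.get(section, "see the HijackThis documentation for this section")
        if section == "O4":
            run, startup = RUN_RE.match(body), STARTUP_RE.match(body)
            if run:
                hive, target = run.group(1), target_of_run(run.group(2))
                if not PROCESS_RE.match(target):
                    findings.append(Finding(section, target, "Run value without an absolute path: locate the file first", fix))
            elif startup:
                hive, target = "Startup", startup.group(1).strip()
            else:
                continue
            autostart.setdefault(basename(target).lower(), set()).add(hive)
            findings += [Finding(section, target, r, fix) for r in path_heuristics(target)]
        elif section == "O2":
            bho = BHO_RE.match(body)
            if bho and not bho.group(1).lower().endswith(".dll"):
                findings.append(Finding(section, bho.group(1), "BHO loaded from a file that is not a .dll", fix))
    for name, hives in autostart.items():
        if len(hives) >= 3:
            findings.append(Finding("O4", name, "registered in HKLM Run, HKCU Run and the Startup folder at once", FIX_LOCATION["O4"]))
    return findings

# Constructed sample: a subset of the log posted above.
SAMPLE_LOG = r"""
C:\WINDOWS\System32\smss.exe
C:\windows\temp\EJJWoY.exe
C:\Documents and Settings\Harllee\Application Data\soba.exe
C:\WINDOWS\System32\QvvpP4T.exe
C:\WINDOWS\3m74qf0t.exe
O2 - BHO: (no name) - {25F7FA20-3FC3-11D7-B487-00D05990014C} - C:\WINDOWS\System32\mseggo.gif
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [3m74qf0t.exe] C:\WINDOWS\3m74qf0t.exe /dk
O4 - HKCU\..\Run: [3m74qf0t.exe] C:\WINDOWS\3m74qf0t.exe /dk
O4 - Global Startup: 3m74qf0t.lnk = C:\WINDOWS\3m74qf0t.exe
"""

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"[{f.section}] {f.target}\n    why: {f.reason}\n    fix: {f.fix_location}")
```

The heuristics are deliberately narrow so that legitimate entries such as smss.exe, WksSb.exe or the Lexmark fax service (digits in its name, but under Program Files) are not flagged; a name this script flags is a candidate for the "note down the file path and properties" check the reply below asks for, not an automatic verdict.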

#2 Scoff
Posted 06 July 2004 - 02:36 AM

Hello Kolut

You may find it helpful to print out these instructions. This is in something of a mess and it's probably going to be easier to deal with it in stages: we'll get rid of the serious infections first and scan out what we can, then deal with the rest.

To remove Adtomi, download this file here (Adtomi Cleanup.zip) by Mosaic1
http://www.wildersse...omi_Cleanup.zip for XP

First, if you have a script blocking program enabled, disable it so the scripts may run.

Unzip it to C:\Windows

See if there is an Adtomi or Yahoo Stocks icon in your system tray; it might be a red ?? and if so, right-click and select Remove. You must be online for this part.
--A web page from Adtomi would appear: "uninstall was successful!"
Then go offline (note: not all infections have this icon, so if it isn't there, don't worry).

Next, press Ctrl+Alt+Del once to bring up Task Manager and stop the running process for the funny-named file with 8 assorted letters and numbers (3m74qf0t.exe), which will be listed towards the bottom of the running process list in your HijackThis log. There might also be morze1 running; if so, end that process as well.

If you don't have any strangely named exe files running, or you can't stop it running, then DO NOT CONTINUE; please ask for more help first.

Now locate and double-click Cleanup.bat in the folder you unzipped (C:\Windows\Adtomi Cleanup).

***Do not Touch the VBS files. The bat file will run the scripts.***

It will remove the Adtomi Spyware files from the Windows Folder
Clean the Startup Folders
Create Backups of the Adtomi exe files it deletes and save them in this folder
Create a list of all oddly named files deleted from the Windows Folder
Uninstall the BHO
Start HijackThis and give you directions on what to remove. (This should be as below)

O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O4 - HKLM\..\Run: [3m74qf0t.exe] C:\WINDOWS\3m74qf0t.exe /dk
O4 - HKCU\..\Run: [3m74qf0t.exe] C:\WINDOWS\3m74qf0t.exe /dk
O4 - Global Startup: 3m74qf0t.lnk = C:\WINDOWS\3m74qf0t.exe

When you have finished please restart the computer.

You have a Peper infection; click here to download the PeperFix tool, save it to your desktop, double-click on it, click 'Find and Fix' and reboot if prompted. Run it again to make sure. Next, download this uninstaller and run it.

When this is done, run Ad-Aware - make sure it is configured as follows. Screenshot instructions for setup are here if needed.
  • In the main window look in the bottom right corner and click on Check for updates now and download the latest reference files.
  • Make sure the following settings are made and on (ON = GREEN)
  • From main window : Click Start then Activate in-depth scan (recommended)
  • Click Use custom scanning options then click Customize and have these options selected: Under Drives and Folders put a check by Scan within archives and below that under Memory and Registry put a check by all the options there.
  • Now click on the Tweak button in that same window. Under Scanning Engine select Unload recognized processes during scanning and under Cleaning Engine select Let windows remove files in use at next reboot.
  • Click Proceed to save your settings. Now to scan just click the Next button.
  • When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).
Now reboot your computer and start in safe mode. To do this, press the F8 key repeatedly as the computer starts up until you see a menu screen (if Windows starts normally, restart it again). Use the arrow keys to highlight "Safe Mode" and press Enter. For further information on safe mode click here. Now run that last uninstaller and ad-aware again to fully remove the remnants then reboot normally.

Go to TrendMicro and perform an online virus scan. Let it fix anything that it finds. Do the same at Pandasoftware.

Please go to sygatetech or TrojanScan and run a free online Trojan scan. Let it delete anything it finds. Then download a free trial of TrojanHunter and perform a scan and clean anything it finds.

You already have Spybot, if you do not have version 1.3 installed, uninstall version 1.2 with the provided uninstaller. Download Spybot1.3 from here. Install it, open it and click the Search for Updates button. When updates are found, put a check mark next to all and click the Download Updates button. Now click the Search & Destroy icon in the left pane, then the Check for problems button at the bottom of the window. When the scan completes, make sure all the items in RED are ticked, then click the Fix Selected Problems button. Screenshot instructions for installation and setup are here if needed.

Close all other windows except for hijackthis, perform a scan and put a check against the following items and click 'fix checked'.

O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll

O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll

O4 - HKLM\..\Run: [53RKL3@4QABSCZ] C:\WINDOWS\System32\QmtPCB55.exe
O4 - HKLM\..\Run: [3m74qf0t.exe] C:\WINDOWS\3m74qf0t.exe /dk
O4 - HKCU\..\Run: [3m74qf0t.exe] C:\WINDOWS\3m74qf0t.exe /dk
O4 - Global Startup: 3m74qf0t.lnk = C:\WINDOWS\3m74qf0t.exe

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab


Reboot your computer

Next, remove the contents (not the folders themselves) of all these temporary folders:
  • C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <=This will delete all your cached internet content including cookies. This is recommended and strongly suggested
  • C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
  • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
  • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
  • Empty your "Recycle Bin"
You are running an outdated version of HiJackThis, please download HijackThis v1.98 here.
Unzip to a convenient permanent folder, for example: C:/HiJackThis/HiJackThis.exe
Double-click HijackThis.exe and hit "Scan". The scan button will turn into "Save Log"; copy and paste the fresh log here along with the adtomi.txt file.

Can you also add the answers to these to your reply..
You are running MyWebSearch. This is not technically malware, but it is thought to be bad by many experts and it will bring malware with it. There are safer alternatives available such as the Google toolbar. I recommend that you remove it. If you wish to - let me know in your reply.

ClockSync is a pop-up laden program by WhenU; would you like it removed and replaced with a clean alternative?

Please find this file in Windows Explorer (SysTray.Exe) and note down the file path, then right-click on it and note down all its properties; make sure you do it for every tab.
Regards
Scoff

We've heard that a million monkeys at a million keyboards could produce the complete works of Shakespeare; now, thanks to the Internet, we know that is not true. - Robert Wilensky
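The temp-folder step in the reply above, as an added example that is not part of the thread and not any tool's code. It empties each profile's Local Settings\Temp and Temporary Internet Files folders for every user on the machine, keeps the folders themselves, reports what was removed, and skips entries that are locked, which is the situation Ad-Aware's "remove files in use at next reboot" setting covers. The profiles root is a parameter (C:\Documents and Settings on Windows XP); the demo tree, the function names and the dry_run flag are assumptions of this example, and the demo tree is constructed so the script runs on any system.

```python
import shutil
import tempfile
from pathlib import Path

# Relative to each profile under the profiles root. The folders are kept; only their contents go.
TEMP_SUBDIRS = (
    Path("Local Settings") / "Temporary Internet Files",
    Path("Local Settings") / "Temp",
)

def profile_temp_dirs(profiles_root: Path) -> list[Path]:
    """Every existing temp folder of every profile under profiles_root, other users' profiles included."""
    return [profile / sub for profile in sorted(profiles_root.iterdir()) if profile.is_dir()
            for sub in TEMP_SUBDIRS if (profile / sub).is_dir()]

def empty_dir(folder: Path, dry_run: bool = True) -> tuple[list[str], list[str]]:
    """Delete the contents of `folder`, not the folder itself. Returns (removed, skipped) names.
    Symlinks and junctions are unlinked, never followed, so nothing outside the folder is touched;
    an entry that raises PermissionError is in use and is left for a reboot-time cleanup."""
    removed, skipped = [], []
    for entry in folder.iterdir():
        try:
            if not dry_run:
                if entry.is_symlink() or entry.is_file():
                    entry.unlink()
                else:
                    shutil.rmtree(entry)
            removed.append(entry.name)
        except PermissionError:
            skipped.append(entry.name)
    return removed, skipped

def clean_profiles(profiles_root, dry_run: bool = True) -> dict[str, tuple[list[str], list[str]]]:
    """Run empty_dir over every profile temp folder; with dry_run only report what would go."""
    return {str(d): empty_dir(d, dry_run) for d in profile_temp_dirs(Path(profiles_root))}

def build_demo_profiles() -> Path:
    """Constructed stand-in for the profiles root so the example runs on any system."""
    root = Path(tempfile.mkdtemp(prefix="profiles-"))
    for user in ("Harllee", "Guest"):
        for sub in TEMP_SUBDIRS:
            d = root / user / sub
            d.mkdir(parents=True)
            (d / "cached.tmp").write_text("cache")
            (d / "nested").mkdir()
            (d / "nested" / "cookie.txt").write_text("id=1")
    (root / "desktop.ini").write_text("")      # a file at the root must never be touched
    return root

if __name__ == "__main__":
    root = build_demo_profiles()
    for folder, (removed, skipped) in clean_profiles(root, dry_run=True).items():
        print(f"{folder}: would remove {removed}, locked {skipped}")
    clean_profiles(root, dry_run=False)
    shutil.rmtree(root)
```

Running with dry_run=True first and reading the report is the equivalent of looking before emptying: the folder list confirms that only Temp and Temporary Internet Files under each profile are in scope, and the skipped list shows which files will need the reboot-time removal.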



