My Hijackthis log: damn the malware!!!!



#1 A Friendly Horse

Posted 08 July 2004 - 02:27 PM

Read the FAQ and the spyware article. I have recognized MOST of the about:blank features that are reinstalling, but truth to tell, I'm a noob at recognizing ALL the insidious scumware. I also run ad-aware 'n webroot at least twice a week.

Logfile of HijackThis v1.97.7
Scan saved at 12:20:10 PM, on 7/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\iolo\SYSTEM~1\PopupStopper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Shopper2\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Shopper2\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Shopper2\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Shopper2\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Shopper2\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Shopper2\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Shopper2\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {689FC7D8-7D2F-48F1-8C3E-19F4EA003BA0} - C:\WINDOWS\System32\gmilo.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\PROGRA~1\iolo\SYSTEM~1\PopupStopper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab

Edited by A Friendly Horse, 08 July 2004 - 02:30 PM.


#2 viccy

Posted 09 July 2004 - 12:26 PM

I am reviewing your log and will get back to you with an answer as soon as possible. Thanks for your patience. I just wanted you to know that your log is being addressed.
Keep this forum alive - I'm a volunteer, it's my pleasure to serve, but the SWI site needs your donations to operate. For more information click here. Thank you for your support.

#3 snarbles

Posted 09 July 2004 - 01:13 PM

I have the same one on my system... with the sp.html that won't go away.

#4 viccy

Posted 09 July 2004 - 02:08 PM

Snarbles:

You are welcome to monitor the response sent to A friendly Horse by clicking on "track this topic", however, you may have other issues as well. It will be best if you post as a new topic. When you post your log, I will watch for your name and try to address your issues.

#5 viccy

Posted 09 July 2004 - 02:43 PM

First, HijackThis needs to be in its own folder, because when we fix something, it will save a backup wherever hijackthis.exe resides. In other words, your desktop would be covered with the backup files. You can do this: Click My Computer, then C:\
In the menu bar, File->New->Folder.

That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it.

Next, please update your version of HijackThis. Double click the exe, go to Config > Misc Tools. Hit Check for update online, & then OK.

(NOTE: Be sure you check the header of your log (EX: Logfile of HijackThis v1.97.7) before you post it here. Your updated version should say: Logfile of HijackThis v1.98.0. If your header does not say 1.98.0, download the updated version from here.)

Please print out the following instructions for easy reference.

There is a special fix for the sp.html that you can download from here:
sphjfix.exe

Here are instructions for removal:

1.) Ensure you have an up to date copy of adaware installed prior to using the sp.html fix. ad aware

Before scanning click on "check for updates now" to make sure you have the latest reference file. Then click the gear wheel at the top and check these options:

General> activate these: "Automatically save log-file" and "Automatically quarantine objects prior to removal"

Scanning > activate these: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned sites" and "Scan my Hosts file"

Tweaks > Scanning Engine> activate this: "Unload recognized processes during scanning."

Tweaks > Cleaning Engine: activate these: "Automatically try to unregister objects prior to deletion" and "Let Windows remove files in use after reboot."

Click "Proceed" to save your settings, then click "Start", make sure "Activate in-depth scan" is ticked green then scan your system. When the scan is finished, the screen will tell you if anything has been found, click "Next". The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?".

2.) Be sure Hijack This is the updated version, and placed in a folder by itself.
3.) Download and install the latest CWS Shredder.
4.) Now run adaware and fix whatever it finds.
5.) Next run the sp.html fix
If you can't read German from that site, just run the exe and follow the instructions. Then the PC will reboot, the fix.exe will appear again to do the second part of its job, and then just click exit/close.
6.) The fix should have deposited a log file in the same folder you ran the fix from.
7.) Open it in Notepad. It should say it found "stealth strings"; check to make sure it was completed successfully, as sometimes it will say "Error while deleting Hijack-DLL".
8.) Now run ad aware 6 as it should now find the stealth hidden dll's and maybe a few other items that were hidden by the stealth strings in the registry.

1.) Boot windows into safe mode
2.) Run CWS Shredder and choose "fix", then run Adaware and fix anything it finds.
3.) Run Hijack this and fix the following:
file://C:\DOCUME~1\Shopper2\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Shopper2\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Shopper2\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Shopper2\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Shopper2\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Shopper2\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank


O2 - BHO: (no name) - {689FC7D8-7D2F-48F1-8C3E-19F4EA003BA0} - C:\WINDOWS\System32\gmilo.dll

You also need to delete this file C:\WINDOWS\System32\gmilo.dll
(also do a manual search for netdb.exe and netdc.exe and delete them if they appear)

Reboot to normal mode and post another log.
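As an added example, not part of this thread or of HijackThis itself, here is a small Python triage script that parses the R0/R1 and O2 lines of a HijackThis log and flags the same pattern viccy told the poster to fix: IE search/start pages redirected to a file:// URL in a Temp folder, about:blank start pages sitting beside those redirects, and an unnamed BHO loading a DLL from System32. The sample lines are constructed from the log in post #1 plus one benign R0 entry to show the rules do not fire on everything.

```python
import re

# Constructed sample: lines copied from the log in post #1 of this thread,
# plus one benign R0 entry (example.com) that must not be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Shopper2\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {689FC7D8-7D2F-48F1-8C3E-19F4EA003BA0} - C:\WINDOWS\System32\gmilo.dll
"""

# HijackThis line shapes: "R0/R1 - <registry key>,<value> = <data>" and
# "O2 - BHO: <name> - {CLSID} - <dll path>".
R_LINE = re.compile(r"^(R[01]) - (.+?) = (.*)$")
BHO_LINE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")


def triage(log_text):
    """Return a list of (line, reason) for entries matching the sp.html hijack pattern."""
    findings = []
    blank_pages = []        # about:blank entries, judged after the full pass
    local_redirect = False  # did any IE page point at a local Temp file?
    for line in log_text.splitlines():
        line = line.strip()
        m = R_LINE.match(line)
        if m:
            value = m.group(3).strip().lower()
            if value.startswith("file://") and "\\temp\\" in value:
                local_redirect = True
                findings.append((line, "IE search/start page redirected to a file in a Temp folder"))
            elif value == "about:blank":
                blank_pages.append(line)
            continue
        m = BHO_LINE.match(line)
        if m:
            name, _clsid, path = m.groups()
            if name == "(no name)" and "\\system32\\" in path.lower():
                findings.append((line, "unnamed BHO loading a DLL from System32"))
    # about:blank is a legitimate setting on its own; only flag it when it
    # sits beside file:// redirects, as the about:blank/sp.html hijacker leaves it.
    if local_redirect:
        for line in blank_pages:
            findings.append((line, "about:blank start page alongside file:// redirects"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(reason, "->", line)
```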



