Please Review My Log


8 replies to this topic

#1 StumpedNeedHelp

StumpedNeedHelp

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 28 July 2004 - 01:29 AM

I experienced some weird downloads and now a lot of little processes and unknown activity seem to be sneaking their way onto my computer. I have done my best to clean it up using Ad-aware, Spybot, HijackThis, and CWShredder. There were hundreds of problems to be fixed.

Unfortunately, I can't run TrojanHunter anymore, since it keeps telling me my trial period has expired (even when I reinstalled).

So, please review my HijackThis log and tell me what seems out of place.

And..um.. if you can, tell me if I am missing something, I might have deleted too much. If something I should have seems MIA, please let me know where I can get it from.

PS- I seem to have lost
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
How can I get it back?

Logfile of HijackThis v1.97.7
Scan saved at 11:28:50 PM, on 7/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SmartDisk\FlashPath\sdstat.exe
C:\Palm\HOTSYNC.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\Olu59bR.exe
C:\WINDOWS\System32\VcbNV.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\TEMP\Rem4.exe
C:\Documents and Settings\John\My Documents\For Bill\HijackThis.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [4LQHPC64W54N#N] C:\WINDOWS\System32\Fah1q5.exe
O4 - HKLM\..\Run: [MATHGLOBAL] C:\PROGRA~1\Each Heart Curb\Second Wait.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\SmartDisk\FlashPath\sdstat.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

Edited by StumpedNeedHelp, 28 July 2004 - 01:54 AM.


#2 StumpedNeedHelp


Posted 28 July 2004 - 02:38 AM

OK. It's late and I was a little vague with my original post. Let me try to clarify a couple things.

I am mainly experiencing random pop-ups. Usually ads for well.. getting rid of unwanted ads. But I am also getting pretty much any other little malware feature you can think of. Redirected sites. Little blue search bar at top of screen that won't go away. Blue search panel at bottom of browser window that can be closed.
One of the browser redirectors/popups/hijackers seems to be azoogleads.com if that means anything to you.

And the more I try to fix, the more these things keep coming back and more with them. I tried to do that HouseCall thing for a virus, but there was an error and my browser closed.

And on my HijackThis log there are some unknown dll looking files with 10 in front of them. I can't get rid of those.

I hope this helps. Anything else you need, I'll try to get it. But I have to go to bed for tonight.

Please. help.

My HijackThis log has changed every time I look at it. If you want me to post the latest, let me know. But the basics are probably still the same.

#3 StumpedNeedHelp


Posted 28 July 2004 - 11:48 PM

*bump*

Ok, anyone please, I need suggestions. Step by step if need be. I have repeatedly tried updating and running Ad-aware, Spybot, and HijackThis to pick out the nasty looking ones. TrojanHunter won't run any more on my computer since I am outside the free trial. And I feel that I am in the grips of an evil trojan.

Every time I clear out some of my HijackThis guys they return in a few moments under a different name. Every reboot, or at random times, I get pop ups and redirects and browser hijacks. It might be lop.com, but I can't seem to detect it with any of my checkers. It seems to be a trojan or something worse.. maybe a lot of somethings.

I killed all my cookies, deleted any unknown program from my control panel add/remove, and have continually checked and rechecked with all the removers. One moment, they find nothing. A few minutes into browsing or internet activity, and I am hit with popups and the checkers find all kinds of malware back on my computer.

So PLEASE.. I need help.

I am reposting my HijackThis log. I am not sure if it will help, but it's all I can do. If I have to buy programs to clean out my system, I will need suggestions on what programs to get. But I hate the thought of using money when these horrid hijacks hit me for free.

Ok, here is the most recent log:

Logfile of HijackThis v1.97.7
Scan saved at 9:47:16 PM, on 7/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SmartDisk\FlashPath\sdstat.exe
C:\Palm\HOTSYNC.EXE
C:\WINDOWS\System32\Paa53i.exe
C:\WINDOWS\System32\VcbNV.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\John\My Documents\For Bill\HijackThis.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [4LQHPC64W54N#N] C:\WINDOWS\System32\Fah1q5.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\SmartDisk\FlashPath\sdstat.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8196.0132060185
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab

I should note that all the .exe files with weird letters "VcbNV.exe" etc. can be stopped (as a process) and fixed (in HijackThis), but always return with different letters in front of the .exe.

#4 StumpedNeedHelp


Posted 29 July 2004 - 01:50 PM

*bump*

Sorry for the bump. But I still need help. My problem may be a CoolWeb that isn't taken care of by the shredder anymore. One of the things that keeps appearing in my Ad-aware scan no matter how many times I delete it are some CoolWeb files. I'll need help to remove it.

#5 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • PipPipPipPipPip
  • 8,508 posts

Posted 29 July 2004 - 05:56 PM

Your latest log is notably shorter than the first one you posted.

If you have removed anything, please post back, and say what entries you removed.
It looks as if you removed the O10 items. This should never be done using HijackThis, as irreparable damage can be done to the LSP chain.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum

#6 StumpedNeedHelp


Posted 30 July 2004 - 12:09 AM

Ok.

Well. During the time I was waiting for any info on this forum, I was constantly looking through other posts and some other sources for ways to remove what was happening to me.

I found spyferret, tried it.. discovered it wasn't so grand. Deleted it.

I continually searched my drives for cookies and other elements of the hijack I could remove. Such as several things in add/remove programs that should never have been there. And I even had to clear out my favorites several times due to the fact that a lot of casino and general search 'favorites' were added without my adding them. (I am sorry, but there had been so many little things, mainly CoolWeb files and ISTbar and other well known baddies that I just kept deleting. At one time I had 200 found in Ad-aware. So I can't be specific about which ones I took out. In HijackThis, I only tried to remove ones I knew were bad BHOs; the only exe files I have tried to remove keep coming back. Very sorry I didn't keep a better record. My mistake.)

As for the O10 items from HijackThis. I was browsing this forum system and came across information on a program called LSPFix. Since I never had any O10 things appear in my HijackThis scan before this particular hijack, I decided to use the LSPFix and clear them out. It looked like it worked.
(However, by habit, I did try to remove the O10s with HijackThis, but was unable to do so. I hope that my unsuccessful attempts did not ruin something.)

As far as any other 'shortening' of the HijackThis log. I have been running Ad-aware and Spybot a number of times. Usually to clean up the little hijacks that the big (unremovable) trojan/hijack keeps installing. It is possible that one of my scans did remove some things that didn't get removed the first times I tried.

Also, I believe I adjusted Ad-aware to scan deeper. So that could account for some of the difference between the logs too.

However, since my last log (July 28) I have not done any major clean ups.

Any tiny file variation is probably due to this trojan renaming the file whenever I tried to delete it with HijackThis. Normally, as I said above, with .exe files.

I have also browsed my regedit to see if anything stood out as 'hijack' seeming. I am nervous about the regedit so I did NOT adjust anything in there. But I did see win-tools, which raised an eyebrow.

I am very happy you responded. Please let me know what you think I should do. Thank you very much.

Edited by StumpedNeedHelp, 30 July 2004 - 12:13 AM.


#7 dave38


Posted 30 July 2004 - 05:58 PM

Please post an updated Hijack this log.

#8 StumpedNeedHelp


Posted 01 August 2004 - 12:15 AM

Ok, here is my newest log.

I have a couple new symptoms to report. Several times over the last week I have been unable to use the internet on the infected computer to reach these forums. However, after running Ad-aware and manually deleting a number of cookies (found by using 'search' in the start menu) I was able to return here and check the forums.

This log appears as it did after my last Ad-aware run and Spybot run. I had to run those in order to return to this forum.

Also, I usually 'fix' all the R1 and R0 elements found in HijackThis as they appear. I left them in this one so you would see them.

Logfile of HijackThis v1.98.0
Scan saved at 10:12:21 PM, on 7/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\SmartDisk\FlashPath\sdstat.exe
C:\Palm\HOTSYNC.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\VcbNV.exe
C:\WINDOWS\System32\VcbNV.exe
C:\WINDOWS\System32\wuauclt.exe
c:\progra~1\intern~1\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\John\My Documents\hjt\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\John\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\John\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\John\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\John\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\John\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\John\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {121359EE-0645-43B7-8991-4E04BADAD2E5} - C:\WINDOWS\System32\mhofnaa.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [4LQHPC64W54N#N] C:\WINDOWS\System32\Cjz1K.exe
O4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\SmartDisk\FlashPath\sdstat.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O18 - Filter: text/html - {61424F51-1BA9-4FE1-B841-7DD195228E30} - C:\WINDOWS\System32\mhofnaa.dll
O18 - Filter: text/plain - {61424F51-1BA9-4FE1-B841-7DD195228E30} - C:\WINDOWS\System32\mhofnaa.dll

Again, thank you very much for your attention in this matter.
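Added example, not part of the original thread and not code from HijackThis: a small Python diff of two HijackThis logs that answers the "what entries were removed" question from post #5 and flags Run values whose name stays fixed while the executable name changes, as described in post #3. The function names are hypothetical, and the input is a constructed excerpt of entry lines taken from the 27 July and 31 July logs above.

```python
import re
from collections import defaultdict

# Constructed input: a few entry lines copied from the 27 July and 31 July logs above.
LOG_27_JULY = r"""
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [4LQHPC64W54N#N] C:\WINDOWS\System32\Fah1q5.exe
O4 - HKLM\..\Run: [MATHGLOBAL] C:\PROGRA~1\Each Heart Curb\Second Wait.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
"""
LOG_31_JULY = r"""
O2 - BHO: (no name) - {121359EE-0645-43B7-8991-4E04BADAD2E5} - C:\WINDOWS\System32\mhofnaa.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [4LQHPC64W54N#N] C:\WINDOWS\System32\Cjz1K.exe
"""

# "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [name] command"
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# Body of a registry autorun entry: key, value name in brackets, command
RUN = re.compile(r"^(HK\w+\\\.\.\\Run\w*): \[([^\]]+)\] (.*)$")

def parse(log):
    """Return {section code: set of entry bodies}. Header and process lines are
    skipped, and repeated lines (the four identical O10 rows) collapse to one."""
    entries = defaultdict(set)
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries[m.group(1)].add(m.group(2))
    return entries

def diff_logs(old, new):
    """Per section, the entries that disappeared and appeared between two scans."""
    a, b = parse(old), parse(new)
    out = {}
    for code in sorted(set(a) | set(b)):
        removed, added = a[code] - b[code], b[code] - a[code]
        if removed or added:
            out[code] = {"removed": sorted(removed), "added": sorted(added)}
    return out

def rotating_run_targets(*logs):
    """Run values seen with more than one command across scans: a stable value
    name pointing at a changing file is the respawn pattern to report."""
    seen = defaultdict(set)
    for log in logs:
        for body in parse(log)["O4"]:
            m = RUN.match(body)
            if m:
                seen[(m.group(1), m.group(2))].add(m.group(3).lower())
    return {key: sorted(cmds) for key, cmds in seen.items() if len(cmds) > 1}

if __name__ == "__main__":
    for code, change in diff_logs(LOG_27_JULY, LOG_31_JULY).items():
        print(code, change)
    print(rotating_run_targets(LOG_27_JULY, LOG_31_JULY))
```

Commands are compared as written, so the long and 8.3 short forms of one path (as with the MATHGLOBAL value in the 27 July and 8 August logs) count as a change.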

#9 StumpedNeedHelp


Posted 08 August 2004 - 09:30 PM

*bump*

It's been almost a week since I was able to get on to these forums. Perhaps due to something in my computer. Just couldn't make a connection.

Anyways. I still need help. If anything, I would love to hear a recommended virus program to clean out the trojans. Note: HouseCall does not work.. always get error reports at their site and iexplorer shuts down.

Oh, if it will help, here's yet another log.

Logfile of HijackThis v1.98.0
Scan saved at 7:30:51 PM, on 8/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\SmartDisk\FlashPath\sdstat.exe
C:\Palm\HOTSYNC.EXE
C:\WINDOWS\System32\nvsvc32.exe
c:\progra~1\intern~1\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\John\My Documents\hjt\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\John\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\John\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.nvkbwlove...85tt0o3Zt0.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MATHGLOBAL] C:\PROGRA~1\EACHHE~1\Second Wait.exe
O4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\SmartDisk\FlashPath\sdstat.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE



