HT log, please help!



#1 oofreakoo (New Member, 2 posts)

Posted 10 June 2004 - 05:51 PM

Please help me, I am having some issues here on my workstation. This is a company PC, so all the Suzuki stuff is for our intranet. TIA




Logfile of HijackThis v1.97.7
Scan saved at 3:37:56 PM, on 6/10/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\Explorer.EXE
C:\PROGRA~1\NavNT\vptray.exe
C:\WINNT\system32\IEHost.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Common Files\slmss\slmss.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\RUNDLL32.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Documents and Settings\T0135\Desktop\hijackthis\HijackThis.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cww.suz.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by "American Suzuki Motor Corp."
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://cww.suz.com/
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINNT\mxTarget.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Mhd8Mbt.exe] C:\documents and settings\t0135\local settings\temp\Mhd8Mbt.exe
O4 - HKLM\..\Run: [5A5T@@H2RPMYN9] C:\WINNT\system32\HqpX.exe
O4 - HKLM\..\Run: [Bakra] C:\WINNT\system32\IEHost.exe
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINNT\system32\stlbdist.DLL,DllRunMain
O4 - HKLM\..\Run: [Dsi] C:\WINNT\system32\dp-him.exe
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [Mwsvm] C:\WINNT\mwsvm.exe
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\T0135\LOCALS~1\Temp\tb_setup.exe /dcheck
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - Startup: Microsoft Outlook.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://cww.suz.com
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} (F1 Organizer Class) - http://www.addictive...ab/ptrdle23.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {1261F19C-18ED-11D3-ADEB-005004718DC0} (ScatReviewBar.reviewbar) - https://www.suzukidc...b/reviewbar.CAB
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thoug...les/install.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {1EEBFE70-1CE8-11D6-8C81-00D0B7E72554} (MailClient Class) - http://siebelweb/eau...tMailClient.cab
O16 - DPF: {2345F907-F5CF-11D3-8E1F-005004718DC0} (scatdp2a.clsSuzuki) - https://www.suzukidc...ab/scatdp2a.CAB
O16 - DPF: {253A9D23-F982-11D4-8BE4-00D0B7E61414} (SiebelHTMLApplication Class) - http://siebelweb/eau.../siebelhtml.cab
O16 - DPF: {2D361311-74CA-11D2-B3F4-0060083BE8BF} (scatdp2.clsSuzuki) - https://www.scat.suz.../cd/Scatdp2.CAB
O16 - DPF: {399548B6-253E-11D2-BE13-000000000000} (VPEngine ActiveX Control Class) - https://www.scat.suz...ab/vpectrl3.cab
O16 - DPF: {439AD9FD-F427-11D3-8E1F-005004718DC0} (Scatdp1a.clsSuzuki) - https://www.scat.suz...cd/Scatdp1a.CAB
O16 - DPF: {4945A5CB-1690-4189-AF3F-44BB7C197374} (CInstaller Object) - http://www.totalvelo...rT_3.0.8_B4.cab
O16 - DPF: {531CD468-D7BF-11D3-9261-00104B6943CA} (Scatdp4.clsSuzuki) - https://www.scat.suz...cab/scatdp4.cab
O16 - DPF: {55E14374-97C6-11D1-BF85-0060083BE8BF} (prjTitlebar2.TitleBar2) - https://www.scat.suz...rjTitlebar2.CAB
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} (SpeedCtrl Class) - http://www.atelys.com/src/Speedup.ocx
O16 - DPF: {71E098B7-728F-11D2-B3F4-0060083BE8BF} (Scatdp1.clsSuzuki) - https://www.scat.suz...cab/Scatdp1.CAB
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.webs...90/QDow_AS2.cab
O16 - DPF: {87FA653D-4C13-11D3-8E1F-005004718DC0} (ScatUpdater.Updater) - https://www.scat.suz...ScatUpdater.CAB
O16 - DPF: {8E4D45F6-244E-499A-9E93-1E7510A975FB} (Siebel Option Pack for IE 7.5.3) - http://siebelweb/eau...lOptionPack.cab
O16 - DPF: {915DB736-2591-11D3-8E1F-005004718DC0} (Scatdp3.clsSuzuki) - https://www.scat.suz...cab/Scatdp3.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8021.3293402778
O16 - DPF: {A16E6189-A1DD-4696-9806-0324C145D794} (KeyActivex Control) - http://www.jraun.com...ActivexTest.ocx
O16 - DPF: {AABEE018-FF3D-11D3-8E1F-005004718DC0} (ctlepc.scatepc) - https://www.scat.suz.../cab/ctlepc.CAB
O16 - DPF: {BDC217C5-ED16-11CD-956C-0000C04E4C0A} (Microsoft Tabbed Dialog Control, version 6.0) - https://www.scat.suz...cd/tabctl32.CAB
O16 - DPF: {C5DE3F86-3376-11D2-BAA4-04F205C10000} (:-) VideoSoft FlexGrid Control) - https://www.scat.suz...Cab/vsflex6.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D4C4A875-FD4E-11D4-AC39-00010262094C} (Scatdp1a.clsSuzuki) - https://www.scat.suz...ab/Scatdp1a.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.zestyfind.com/app/AX/AX.cab
O16 - DPF: {E2F2B9D0-96B9-4B25-B90C-636ECB207D18} - http://www.whenusear.../WUInstSECS.cab
O16 - DPF: {E7133FBD-9BA8-49DF-BC26-5EAC46ED2BBD} (MA01.ctlPart2ModelReference) - https://www.scat.suz.com/cab/MA01.CAB
O16 - DPF: {EA712BDB-7FE5-11D3-8E1F-005004718DC0} (Project1.login) - https://www.scat.suz...ab/cd/login.CAB
O16 - DPF: {F25620FB-9C81-11D1-BF85-0060083BE8BF} (Project1.ctlStatusBox) - https://www.scat.suz...riStatusBox.CAB
O16 - DPF: {F789E003-CC28-11CF-AEF7-444553540000} (VPEngine Control) - https://www.scat.suz...cab/vpectrl.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0) - https://www.scat.suz...cd/comdlg32.cab
O16 - DPF: {FDC1DAA5-BC3E-11D2-B3F6-0060083BE8BF} (Scatchk1.ScatChk) - https://www.scat.suz...cd/Scatchk1.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = suzukihq.asmc.us
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = suzukihq.asmc.us
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = suzukihq.asmc.us

#2 oofreakoo (New Member, 2 posts)

Posted 10 June 2004 - 06:20 PM

bump

#3 caruch6392 (Full Member, 25 posts)

Posted 10 June 2004 - 06:40 PM

IEHost is a very bad thing to have; take it off:

C:\WINNT\system32\IEHost.exe

This next entry is, I think, a virus? I can't pinpoint it, but found a site for removal:
removal instructions

C:\Program Files\Common Files\slmss\slmss.exe

These can go:

C:\Program Files\Common files\WinTools\WSup.exe
C:\Program Files\Common files\WinTools\WToolsA.exe

I'm guessing you were using this while scanning... LEAVE IT ON, but next time exit out of those programs for a cleaner scan.

C:\Program Files\Microsoft Office\Office10\EXCEL.EXE

Take this off:

O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINNT\mxTarget.dll


This first one is unnecessary at startup; the second one is just random-file-name-generator spyware. Take both off:

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Mhd8Mbt.exe] C:\documents and settings\t0135\local settings\temp\Mhd8Mbt.exe


Take these ones off:

O4 - HKLM\..\Run: [5A5T@@H2RPMYN9] C:\WINNT\system32\HqpX.exe
O4 - HKLM\..\Run: [Bakra] C:\WINNT\system32\IEHost.exe
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINNT\system32\stlbdist.DLL,DllRunMain
O4 - HKLM\..\Run: [Dsi] C:\WINNT\system32\dp-him.exe
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [Mwsvm] C:\WINNT\mwsvm.exe
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\T0135\LOCALS~1\Temp\tb_setup.exe /dcheck
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe


Well oofreakoo, I think you have topped my list for how many O16 entries listed!!!


Well, I went through them and took out the ones that looked unnecessary... but if you KNOW you use them, just leave them on:

O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} (F1 Organizer Class) - http://www.addictive...ab/ptrdle23.cab
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thoug...les/install.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {4945A5CB-1690-4189-AF3F-44BB7C197374} (CInstaller Object) - http://www.totalvelo...rT_3.0.8_B4.cab
O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} (SpeedCtrl Class) - http://www.atelys.com/src/Speedup.ocx
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.webs...90/QDow_AS2.cab
O16 - DPF: {A16E6189-A1DD-4696-9806-0324C145D794} (KeyActivex Control) - http://www.jraun.com...ActivexTest.ocx
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.zestyfind.com/app/AX/AX.cab
O16 - DPF: {E2F2B9D0-96B9-4B25-B90C-636ECB207D18} - http://www.whenusear.../WUInstSECS.cab


Hope that helps, {SoW}Rob

  • UPDATE and run Ad-Aware
  • UPDATE and run Spybot Search & Destroy
  • UPDATE and run CWShredder
  • Update and use SpywareBlaster
  • A nifty little program: a-squared
  • Free virus scanner: AVG Anti-Virus
  • Another free antivirus: Avast!

Don't forget to do Windows Updates.


#4 Budfred, Malware Hound (Administrators, 21,253 posts)

Posted 10 June 2004 - 10:35 PM

oofreakoo,

Please do not proceed with those fixes, they may make things worse....

Someone who knows how to sort this out will be along soon....
Budfred


#5 dave38, Devout Murphyite! (Emeritus, 8,508 posts)

Posted 11 June 2004 - 03:19 PM

You have the Peper trojan, which requires special treatment to put it out of your misery!
Please download and run this uninstaller.

Click on the peperfix link, and download the program. Then go offline, and run the program. It will remove the files, leaving one orphaned entry to be cleaned up with HijackThis.


Have HijackThis fix all of the following by placing a check in the appropriate boxes and hitting Fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINNT\mxTarget.dll

O4 - HKLM\..\Run: [Mhd8Mbt.exe] C:\documents and settings\t0135\local settings\temp\Mhd8Mbt.exe
O4 - HKLM\..\Run: [5A5T@@H2RPMYN9] C:\WINNT\system32\HqpX.exe
O4 - HKLM\..\Run: [Bakra] C:\WINNT\system32\IEHost.exe
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINNT\system32\stlbdist.DLL,DllRunMain
O4 - HKLM\..\Run: [Dsi] C:\WINNT\system32\dp-him.exe
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [Mwsvm] C:\WINNT\mwsvm.exe
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\T0135\LOCALS~1\Temp\tb_setup.exe /dcheck
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe

O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thoug...les/install.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {4945A5CB-1690-4189-AF3F-44BB7C197374} (CInstaller Object) - http://www.totalvelo...rT_3.0.8_B4.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.webs...90/QDow_AS2.cab
O16 - DPF: {A16E6189-A1DD-4696-9806-0324C145D794} (KeyActivex Control) - http://www.jraun.com...ActivexTest.ocx
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.zestyfind.com/app/AX/AX.cab
O16 - DPF: {E2F2B9D0-96B9-4B25-B90C-636ECB207D18} - http://www.whenusear.../WUInstSECS.cab


Reboot, and delete

files
C:\documents and settings\t0135\local settings\temp\Mhd8Mbt.exe
C:\WINNT\system32\HqpX.exe
C:\WINNT\system32\IEHost.exe
C:\WINNT\system32\stlbdist.DLL
C:\WINNT\system32\dp-him.exe
C:\WINNT\mwsvm.exe
C:\DOCUME~1\T0135\LOCALS~1\Temp\tb_setup.exe

folders
C:\Program Files\Common Files\slmss
C:\Program Files\Common files\WinTools

These may be hidden files. See HERE for how to show hidden files.

Please post a followup Hijack this log, and say if your problems persist.
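The log posted at the top of the thread and the fix list in dave38's reply are read the same way by hand: Run entries launching from a Temp directory or under random-looking names, a BHO registered with no name, and O16 ActiveX controls fetched from hosts the company does not own. The script below is an added example, not part of the thread and not a HijackThis feature, that automates that first pass over a log saved by HijackThis 1.97. The TRUSTED_HOSTS allowlist is an assumption built from the hosts the helpers left untouched; the sample lines are copied from the posted log, with URLs exactly as the forum truncated them, which is why host matching has to cope with a "..." in the middle of a hostname.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumed allowlist for this example: intranet and vendor hosts the thread's helpers
# left alone. A real run takes the organisation's own host list instead of guessing.
TRUSTED_HOSTS = {
    "www.scat.suz.com", "cww.suz.com", "siebelweb", "www.apple.com",
    "office.microsoft.com", "v4.windowsupdate.microsoft.com", "download.macromedia.com",
}

O2_RE = re.compile(r"^O2 - BHO: (?P<desc>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<desc>.*?)\))? - (?P<url>\S+)$")
IMAGE_RE = re.compile(r'^"?(?P<image>.*?\.(?:exe|dll|com|scr))"?(?:\s|,|$)', re.I)
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?(?P<dll>.*?\.dll)', re.I)

# Constructed sample: lines copied from the log posted in this thread, URLs as the forum shows them.
SAMPLE_LOG = r"""O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINNT\mxTarget.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [Mhd8Mbt.exe] C:\documents and settings\t0135\local settings\temp\Mhd8Mbt.exe
O4 - HKLM\..\Run: [5A5T@@H2RPMYN9] C:\WINNT\system32\HqpX.exe
O4 - HKLM\..\Run: [Bakra] C:\WINNT\system32\IEHost.exe
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINNT\system32\stlbdist.DLL,DllRunMain
O16 - DPF: {71E098B7-728F-11D2-B3F4-0060083BE8BF} (Scatdp1.clsSuzuki) - https://www.scat.suz...cab/Scatdp1.CAB
O16 - DPF: {C5DE3F86-3376-11D2-BAA4-04F205C10000} (:-) VideoSoft FlexGrid Control) - https://www.scat.suz...Cab/vsflex6.cab
O16 - DPF: {E7133FBD-9BA8-49DF-BC26-5EAC46ED2BBD} (MA01.ctlPart2ModelReference) - https://www.scat.suz.com/cab/MA01.CAB
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.zestyfind.com/app/AX/AX.cab
O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} (SpeedCtrl Class) - http://www.atelys.com/src/Speedup.ocx
"""

@dataclass
class Finding:
    section: str
    subject: str
    reasons: list = field(default_factory=list)

def looks_random(name: str) -> bool:
    """Crude generated-name check: several digits, or no vowels at all (HqpX, 5A5T@@H2RPMYN9)."""
    stem = re.sub(r"\.[A-Za-z0-9]+$", "", name)
    if len(stem) < 4:
        return False
    digits = sum(c.isdigit() for c in stem)
    vowels = sum(c in "aeiouAEIOU" for c in stem)
    return digits >= 2 or vowels == 0

def check_o2(m):
    reasons = ["BHO registered without a name"] if m["desc"] == "(no name)" else []
    return m["path"], reasons

def check_o4(m):
    name, cmd = m["name"], m["cmd"].strip()
    img = IMAGE_RE.match(cmd)
    image = img["image"] if img else cmd
    reasons = []
    if image.rsplit("\\", 1)[-1].lower() == "rundll32.exe":
        dll = RUNDLL_RE.search(cmd)
        if dll:
            image = dll["dll"]                      # report the DLL, not the host process
    if re.search(r"\\temp\\", image, re.I):
        reasons.append("runs from a Temp directory")
    for label in (name, image.rsplit("\\", 1)[-1]):
        if looks_random(label):
            reasons.append(f"random-looking name {label!r}")
            break
    return image, reasons

def check_o16(m):
    url = m["url"]
    netloc = urlsplit(url).netloc.lower()
    truncated = "..." in netloc                      # the forum shortens long URLs for display
    host = netloc.split("...")[0]
    if truncated:                                    # only the visible prefix can be matched
        trusted = bool(host) and any(t.startswith(host) for t in TRUSTED_HOSTS)
    else:
        trusted = host in TRUSTED_HOSTS
    reasons = []
    if not trusted:
        reasons.append("ActiveX host not in allowlist"
                       + (" (host display-truncated; confirm on the full log)" if truncated else ""))
    if url.lower().endswith((".exe", ".ocx")):
        reasons.append("DPF serves a bare .exe/.ocx instead of a .cab")
    return url, reasons

CHECKS = (("O2", O2_RE, check_o2), ("O4", O4_RE, check_o4), ("O16", O16_RE, check_o16))

def triage(log_text: str) -> list:
    """Return a Finding for every O2/O4/O16 line that trips at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        for section, rx, check in CHECKS:
            m = rx.match(line.strip())
            if m:
                subject, reasons = check(m)
                if reasons:
                    findings.append(Finding(section, subject, reasons))
                break
    return findings

if __name__ == "__main__":
    print(*(f"{f.section} {f.subject}: {'; '.join(f.reasons)}" for f in triage(SAMPLE_LOG)), sep="\n")
```

Run it as-is to see the findings for the sample, or pass the text of a saved log to triage(). The reasons are prompts, not verdicts: IEHost.exe and dp-him.exe look harmless by name and are caught in the thread only because the helpers recognise the families, while cwbsvstr.exe from the legitimate IBM Client Access install would trip the no-vowel check. That gap is why a triage script narrows the list but does not replace someone who knows the entries, and why the ActiveX allowlist has to come from the organisation's real list of intranet hosts rather than from a display-truncated log.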



