
Infected pc, HJT log enclosed, help please



#1 Guest_pcdunx_*


Posted 27 January 2005 - 03:39 PM

Hi,

I have had another really messed up pc given to me to sort out.

It had no protection and no updates, have installed AVG, SpyBot, AdAware, ZoneAlarm. Updated each program and let them clean up but it's still not right.

I have gone through the help on HJT and marked a few entries that I think may be problematic (enclosed each suspect line with ???), but it's my 1st try at interpreting, so would really appreciate some guidance, thanks.

HJT log follows, thanks

Dunx

Logfile of HijackThis v1.99.0
Scan saved at 22:00:57, on 26/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\KMaestro\KMaestro.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\taskmgr32.exe
C:\WINDOWS\System32\scvhost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\wuauclt.exe
C:\_tools\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/cd_redirects/search.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/

???
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.genie.co.uk/
???

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>

???
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
???

O4 - HKLM\..\Run: [OemReset] %systemroot%\OPTIONS\OEMRESET.EXE /AUDIT

???
O4 - HKLM\..\Run: [KeyMaestro] C:\KMaestro\KMaestro.exe
???

O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Microsoft Task32 Protocol] taskmgr32.exe
O4 - HKLM\..\Run: [winmgr.exe] scvhost.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

???
O4 - HKLM\..\RunServices: [HLL Data Parameter] hllcxpa.exe
???

O4 - HKLM\..\RunServices: [Microsoft Task32 Protocol] taskmgr32.exe
O4 - HKLM\..\RunServices: [winmgr.exe] scvhost.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvCplScan] msc32.exe
O4 - HKCU\..\Run: [Microsoft Task32 Protocol] taskmgr32.exe
O4 - HKCU\..\RunServices: [HLL Data Parameter] hllcxpa.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/

???
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.156.31.79/100039/uk/ringtone/ringtone.exe
???

O17 - HKLM\System\CCS\Services\Tcpip\..\{DA5E5F0A-239F-4D1A-9469-9974B435D1DF}: NameServer = 192.168.1.10
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

#2 pll8on


Posted 28 January 2005 - 01:03 AM

Hi pcdunx,
I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.

#3 Guest_pcdunx_*


Posted 28 January 2005 - 04:21 AM

thanks for the reply, I appreciate your help and no worries if it takes a while to get to the bottom of it.

A bit more info:-

This machine was full of viruses and spyware.

I connected it to my network but denied it internet access via my firewall. I then installed these applications from my network, but didn't do internet updates to them at first.

1) ZoneAlarm

2) AVG - every time I swept it would reboot after about 10 minutes into the scan.

Ran it in safe mode and it got rid of about 10 viruses.

Ran again in normal mode, it didn't cause reboots & got rid of 3 more viruses.

3) AdAware - got rid of about 200 items

4) SpyBot - got rid of about 10 items

5) Went to control panel - Add/Remove programs and uninstalled about 6 dodgy programs (search assistants, toolbars, etc)

I then allowed it internet access and updated 2, 3 & 4 above. Scanned again and got rid of a few more items with each program, but it's still not clean and is doing some odd things.

Am at work at the moment so can't list the odd things happening, can do that tonight if it will help.

Cheers

Dunx

#4 pll8on


Posted 28 January 2005 - 11:57 PM

You may want to print these instructions as we will be entering safe mode in this removal process.

1. With all Windows and browsers closed, check these lines in the HJT log and then click the Fix Checked button.

O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [Microsoft Task32 Protocol] taskmgr32.exe
O4 - HKLM\..\Run: [winmgr.exe] scvhost.exe
O4 - HKLM\..\RunServices: [HLL Data Parameter] hllcxpa.exe
O4 - HKLM\..\RunServices: [Microsoft Task32 Protocol] taskmgr32.exe
O4 - HKLM\..\RunServices: [winmgr.exe] scvhost.exe
O4 - HKCU\..\Run: [NvCplScan] msc32.exe
O4 - HKCU\..\Run: [Microsoft Task32 Protocol] taskmgr32.exe
O4 - HKCU\..\RunServices: [HLL Data Parameter] hllcxpa.exe
O4 - HKCU\..\Run: [NvCplScan] msc32.exe
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.156.31.79/100039/uk/ringtone/ringtone.exe

2. Enter Safe Mode and Show Hidden Files: search for and delete these Highlighted files using Windows Explorer if present -- some entries may have already been deleted.

C:\WINDOWS\System32\taskmgr32.exe
C:\WINDOWS\System32\scvhost.exe
C:\WINDOWS\System32\hllcxpa.exe
C:\WINDOWS\System32\msc32.exe

3. Reboot back into normal mode.

4. Perform at least TWO virus scans via the below: (Set them to clean)
BitDefender
Housecall
Panda

5. With Internet Explorer open, go to Tools>Windows Updates. Let it scan for updates and then choose Custom Install. Click the link to run the Malicious Software Removal Tool. Save the log it makes and post it here in your next reply. You will probably have to reboot. Then go back to Windows Updates, choose Custom again and install all security updates available. Hold off on SP2 until we know the PC is clean.

6. Reboot and provide a new HJT log.
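The entries pll8on flags in step 1 share traits that can be checked mechanically: an O2 BHO with no backing file, O4 Run/RunServices values that are bare filenames rather than full paths, filenames one or two characters off a genuine Windows binary (scvhost.exe for svchost.exe, taskmgr32.exe for taskmgr.exe), and an O16 ActiveX download of a raw .exe from a bare IP address. The Python triage script below is an added example, not part of this thread or of HijackThis; it applies those heuristics to lines copied from the log in post #1, and the KNOWN_GOOD list is an assumed short sample rather than a complete inventory.

```python
import re
from urllib.parse import urlparse
# Constructed sample: lines copied from the HJT log in post #1 plus two benign ones.
SAMPLE_LOG = r"""O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Microsoft Task32 Protocol] taskmgr32.exe
O4 - HKLM\..\Run: [winmgr.exe] scvhost.exe
O4 - HKLM\..\RunServices: [HLL Data Parameter] hllcxpa.exe
O4 - HKCU\..\Run: [NvCplScan] msc32.exe
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.156.31.79/100039/uk/ringtone/ringtone.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
"""

# Assumed short list of genuine Windows binaries whose names malware of this era imitated.
KNOWN_GOOD = {"svchost.exe", "taskmgr.exe", "winlogon.exe", "lsass.exe", "services.exe", "explorer.exe"}
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run\w*: \[[^\]]*\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}.*? - (?P<url>\S+)$")

def levenshtein(a, b):
    """Edit distance: spots names one or two characters away from a real binary."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def exe_of(cmd):
    """Return (basename, is_bare) for an O4 value; bare means no directory was given."""
    target = cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split()[0]
    is_bare = "\\" not in target and not target.startswith("%")
    return target.rsplit("\\", 1)[-1].lower(), is_bare

def triage(log_text):
    """Return [(line, [reasons])] for HJT lines that trip any heuristic."""
    findings = []
    for line in log_text.splitlines():
        reasons = []
        if line.startswith("O2 - BHO:") and line.rstrip().endswith("(no file)"):
            reasons.append("BHO CLSID with no backing file")
        if m := O4_RE.match(line):
            exe, bare = exe_of(m.group("cmd"))
            if bare:
                reasons.append(f"{exe} started by bare filename, not a full path")
            if exe not in KNOWN_GOOD and any(levenshtein(exe, g) <= 2 for g in KNOWN_GOOD):
                reasons.append(f"{exe} imitates a Windows system binary name")
        if m := O16_RE.match(line):
            url = urlparse(m.group("url"))
            if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", url.hostname or "") or url.path.lower().endswith(".exe"):
                reasons.append("ActiveX download of a raw .exe or from a bare IP")
        if reasons:
            findings.append((line, reasons))
    return findings
```

Run against the sample it flags exactly the six lines the helper asked to fix and leaves the ZoneAlarm and Panda entries alone; the heuristics are a first pass for a human reviewer, not a verdict.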

#5 Guest_pcdunx_*


Posted 03 February 2005 - 02:00 AM

Hi again, sorry it's taken so long to get back with results, this has been a real pig to sort out.

Used HJT to fix suggested items, rebooted to safe and deleted any of the exe's found. Rebooted to normal, ran Panda:-

PANDA ONLINE VIRUS SCAN RESULTS:-


Incident                     Status        Location

Virus:Trj/Lowzones.AF        Disinfected   C:\00bin32.exe
Virus:Trj/Lowzones.AF        Disinfected   C:\24tgs.exe
Virus:W32/Gaobot.CHM.worm    Disinfected   C:\WINDOWS\SYSTEM\spl32.exe
Virus:Trj/Zapchast.D         Disinfected   C:\WINDOWS\SYSTEM32\c.bat
Virus:Trj/Qhost.gen          Disinfected   C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Ran one of the others online - all clear.

Ran MS malware tool, results:-

Win32/Berbew Not Infected.
Win32/Doomjuice Not Infected.
Win32/Gaobot Not Infected.
Win32/Msblast Not Infected.
Win32/Mydoom Not Infected.
Win32/Nachi Not Infected.
Win32/Sasser Not Infected.
Win32/Zindos Not Infected.

Took ages to get other MS Updates on, IE kept crashing, eventually got it done. Swept again with AdAware & SpyBot, loads more items removed with those.

Ran HJT found these were back again:-

O4 - HKLM\..\RunServices: [Microsoft Task32 Protocol] taskmgr32.exe
O4 - HKLM\..\RunServices: [winmgr.exe] scvhost.exe
O4 - HKCU\..\Run: [Microsoft Task32 Protocol] taskmgr32.exe

Let HJT fix them, rebooted to safe, searched for exe's - none present.

Rebooted to normal and ran Panda again - all clear.

Ran HJT, log enclosed:-

Logfile of HijackThis v1.99.0
Scan saved at 06:50:21, on 03/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\KMaestro\KMaestro.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\_tools\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/cd_redirects/search.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.genie.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
O4 - HKLM\..\Run: [OemReset] %systemroot%\OPTIONS\OEMRESET.EXE /AUDIT
O4 - HKLM\..\Run: [KeyMaestro] C:\KMaestro\KMaestro.exe
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe min
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DA5E5F0A-239F-4D1A-9469-9974B435D1DF}: NameServer = 192.168.1.10
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

#6 pll8on


Posted 03 February 2005 - 11:55 PM

Hi pcdunx,

Your system is clean. "A job well done"

Two more additional processes need to be done:

1. You should disable and then enable System Restore to purge any Restore Points that may have been infected.

Right click the My Computer Icon on the Desktop and click on Properties.
Click on the System Restore tab.
Put a check mark next to 'Turn off System Restore on All Drives'.
Click the 'OK' button.
You will be prompted to restart the Computer. Click Yes.

Now re-enable the Restore Utility, follow steps one to five and on step three remove the check mark next to 'Turn off System Restore on All Drives'.

You may also view the above instructions here.

2. Clean up your browser cache and Temp folders. I see that Tracks Eraser is now installed so you have probably already done this, but you could use Disk Cleanup that comes with Windows to cover the basics--Temp, Temporary Internet Files and emptying the Recycle Bin. If there is more than one user account on the PC, this should also be done under each login.

Now that your PC is clean there are some more steps you can take to keep it that way. Some of it you've already done, but please take a few moments to read this entire article:

Simple steps to keep your computer secure!

There is also some additional good information in veteran spyware fighter Tony Klein's now classic article, So how did I get infected in the first place?

Please pay attention to the following three steps. They will help prevent the majority of infections.

1. Visit Windows Update: <-- EVERYONE NEEDS TO DO THIS!!
Make sure that you have all the Critical Updates recommended for your Operating System and Internet Explorer. The first defense against infection is a properly patched OS. It should now be safe to add SP2.

Visit Windows Update, or, with Internet Explorer open, click Tools>Windows Update.


2. Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.

Click once on the Security tab

Click once on the Internet icon so it becomes highlighted.

Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button

Next press the Apply button and then the OK to exit the Internet Properties page.

3. Watch what you download!

Many freeware programs, and P2P programs like Grokster, Imesh, Kazaa and others (which are amongst the most notorious), come with an enormous amount of bundled spyware that will eat system resources, slow down your system, clash with other installed software, or just plain crash your browser or even Windows itself.



Glad I was able to help.



