
HJT - swizilstix


  • This topic is locked
37 replies to this topic

#1 swizilstix

swizilstix

  • Members
  • 28 posts
  • Location:NY

Posted 30 January 2005 - 12:23 PM

So this weekend, I've been going on an anti-spyware and adware campaign, so to speak. Anyway, I've used everything I could think of: Spybot S&D, Ad-Aware SE, Stinger (in safe mode), etc. However, no matter how many evil files I deleted, I still had the same problem: every time I opened Internet Explorer, I got a popup, and another popup about once every minute from then on. Then, however, after rebooting my computer, even before everything loaded, I got this error message:

Explorer
This program has performed an illegal operation and will be shut down.
If the problem persists, contact the program vendor.


First time I got this, I clicked Close, but right away my desktop disappeared, and it wouldn't restart, so I rebooted my computer again.
Next time I turned on my computer, the same message came up. This time, I hit the Details>> button, and got this message.

EXPLORER caused an invalid page fault in
module CHGWIZ.DLL at 0187:10017d44.
Registers:
EAX=01427c44 CS=0187 EIP=10017d44 EFLGS=00010202
EBX=00000000 SS=018f ESP=0141f82c EBP=01427c78
ECX=01427c44 DS=018f ESI=00000003 FS=2fd7
EDX=5900207b ES=018f EDI=00000000 GS=0000
Bytes at CS:EIP:
8a 02 83 c2 01 3a 01 75 e7 83 c1 01 0a c0 74 dc
Stack dump:
1000a7ae 5900207b 01427c44 bff92d08 00000090 00000000 0000000c 00000008 00000003 00000000 d82be2b0 11d05764 c0006ea9 a205d74f 001c0022 0000010a


I don't know how much of this anyone can read, or if any mortals at all can understand, but regardless, I then looked up CHGWIZ.DLL on my computer, and found out it was from NicTech Networks Inc. which in turn is from VeriSign Time Stamping Services Signer. I Google searched NicTech Networks Inc. and found out it was adware/spyware/whatever. But the file, CHGWIZ.dll, wouldn't delete, so I restarted my computer in Safe Mode, thinking that the program wouldn't activate and I'd be able to remove it. However, the same "illegal operation" message appeared, and the computer was still claiming that "the specified file is being used by Windows."
None of the programs I've run seem to want to find CHGWIZ.dll, so I don't know. Maybe I've got this all wrong, and the file's totally harmless. Either way, can anybody help me out here? I'm (obviously) posting the Logfile of HJT (I think it's the newest version); hopefully, somebody out there'll be able to clue me in.

Either way, the help's much appreciated. Thanks!
swizilstix



Logfile of HijackThis v1.99.0
Scan saved at 12:00:03 PM, on 1/30/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\WUSB11 WLAN MONITOR\WLAN_CFG.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\SYSTEM\XHRY12.EXE
C:\WINDOWS\SYSTEM\VNEE5.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\MY DOCUMENTS\CESI\DOWNLOADS\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_5_7_0.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Search - {8C844B8E-EAE6-D89D-CAE3-4DB5084073C4} - C:\WINDOWS\Dtdqhwwb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_5_7_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WLAN_Cfg.exe] C:\Program Files\WUSB11 WLAN Monitor\WLAN_Cfg.exe
O4 - HKLM\..\Run: [ICSDCLT] c:\windows\rundll32.exe c:\windows\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [jicwrfw] C:\WINDOWS\SYSTEM\peuzhmjn.exe
O4 - HKLM\..\Run: [3BK3@XK2PCKPD2] C:\WINDOWS\SYSTEM\Cjo9g.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Upsfc] C:\WINDOWS\TEMP\APP173.TMP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\SYSTEM\mscif.exe
O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\SYSTEM\wnsintsv.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\PROGRA~1\AIMTOO~1\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotion...ctor/WebSWK.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/28c1f8c1721bbc...ip/RdxIE601.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
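The Details text quoted in this post is the standard Windows 9x fault report, and the parts that matter when deciding whether an unknown DLL is the culprit are the faulting module, the offset inside it, and which register and stack values line up with each other. The script below is an added example written for this page, not code from the original post; it parses that report into fields. It assumes the DLL was loaded at 0x10000000, the Microsoft linker's default image base for a DLL, because the dialog does not say where CHGWIZ.DLL was actually mapped, and it treats the 1 MiB above that base as belonging to the module; both are marked as assumptions in the code.

```python
"""Parse a Windows 9x 'invalid page fault' dialog into the facts useful for triage.
Added example for this thread; not code from the original post."""
import re

# Constructed sample: the Details text quoted in the first post of this thread.
FAULT_TEXT = """\
EXPLORER caused an invalid page fault in
module CHGWIZ.DLL at 0187:10017d44.
Registers:
EAX=01427c44 CS=0187 EIP=10017d44 EFLGS=00010202
EBX=00000000 SS=018f ESP=0141f82c EBP=01427c78
ECX=01427c44 DS=018f ESI=00000003 FS=2fd7
EDX=5900207b ES=018f EDI=00000000 GS=0000
Bytes at CS:EIP:
8a 02 83 c2 01 3a 01 75 e7 83 c1 01 0a c0 74 dc
Stack dump:
1000a7ae 5900207b 01427c44 bff92d08 00000090 00000000 0000000c 00000008 00000003 00000000 d82be2b0 11d05764 c0006ea9 a205d74f 001c0022 0000010a
"""

# Assumption: 0x10000000 is the Microsoft linker's default image base for a DLL;
# the dialog does not state where CHGWIZ.DLL was really loaded.
ASSUMED_DLL_BASE = 0x10000000
# Assumption: anything within 1 MiB above the base is treated as "inside the module".
ASSUMED_MODULE_SPAN = 0x100000

HEADER_RE = re.compile(
    r"(?P<proc>\S+) caused an? (?P<kind>.+?) in\s+module (?P<module>\S+) at "
    r"(?P<seg>[0-9a-fA-F]{4}):(?P<off>[0-9a-fA-F]{8})", re.S)
REG_RE = re.compile(r"\b([A-Z]{2,5})=([0-9a-fA-F]{4,8})\b")


def _hex_words(text, label):
    """Hex words on the line that follows `label` (e.g. 'Stack dump:'), or [] if absent."""
    m = re.search(re.escape(label) + r"\s*\n([0-9a-fA-F ]+)", text)
    return [int(w, 16) for w in m.group(1).split()] if m else []


def parse_fault(text):
    """Split the dialog text into process, module, faulting EIP, registers, code bytes and stack."""
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("not a Windows 9x fault report")
    regs = {name: int(val, 16) for name, val in REG_RE.findall(text)}
    return {
        "process": m.group("proc"),
        "module": m.group("module"),
        "fault_eip": int(m.group("off"), 16),
        "registers": regs,
        "code_bytes": _hex_words(text, "Bytes at CS:EIP:"),
        "stack": _hex_words(text, "Stack dump:"),
    }


def triage(report, base=ASSUMED_DLL_BASE, span=ASSUMED_MODULE_SPAN):
    """Reduce a parsed report to the few facts worth chasing."""
    def in_module(addr):
        return base <= addr < base + span

    stack = report["stack"]
    eip = report["fault_eip"]
    return {
        "module": report["module"],
        # Offset of the faulting instruction relative to the assumed load address:
        # the number you would look up in the DLL with a disassembler.
        "rva": eip - base if in_module(eip) else None,
        # Stack words pointing back into the same module are candidate return
        # addresses, i.e. the code that called into the faulting routine.
        "callers_in_module": [hex(w) for w in stack if in_module(w)],
        # Register values that also sit on the stack were probably passed as
        # arguments; small integers are skipped because they collide by chance.
        "registers_on_stack": sorted(
            name for name, val in report["registers"].items()
            if val > 0xFFFF and val in stack),
    }


if __name__ == "__main__":
    report = parse_fault(FAULT_TEXT)
    for key, value in triage(report).items():
        print(f"{key}: {value}")
```

On the text from this post it reports the fault at RVA 0x17d44 in CHGWIZ.DLL, one stack word (0x1000a7ae) that points back into the same module, and EAX, ECX and EDX as register values that also appear on the stack. Those are the facts to take to the file's properties dialog and to a disassembler when deciding whether an unfamiliar DLL in the fault report is the cause rather than a victim.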



#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 30 January 2005 - 04:47 PM

Hello swizilstix and welcome to BC. I am presently reviewing your log and will respond back to you as soon as I can.

OT :thumbsup:
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 31 January 2005 - 12:20 AM

Hello again swizilstix. It appears that you have the Peper trojan. Please follow these directions to repair:

Before we run HijackThis we need to take care of a trojan named Peper which has infected your system. Please follow these steps to download and run a special repair tool:

There are two tools available. Please choose one of them and follow the instructions in order:

Tool 1 (requires an active internet connection to run):

1. Download Newuninst.exe.
2. Run it with an active internet connection.
3. Reboot to finish removing the entries it found.
4. Run the tool a second time (again with an active internet connection).
5. Reboot to finish removing the entries it found.

Tool 2 (does NOT require an internet connection to run):

1. Please Download PeperFix.exe,
2. Start the tool and click Find and Fix.
3. Reboot to finish removing what it found.
4. Run the tool a second time.
5. Reboot to finish removing the entries.

Whichever tool you choose follow the directions to run it, reboot your computer and then run it a 2nd time and reboot again.

Post a new HijackThis log back here as a reply to this topic and I will check it when it comes in.

OT :thumbsup:

#4 swizilstix

swizilstix
  • Topic Starter

  • Members
  • 28 posts
  • Location:NY

Posted 31 January 2005 - 04:08 PM

Ok, so, I did what you said (thanks, by the way - you're so awesome!): ran Tool 1, rebooted, ran it again, rebooted, etc. But each time, the explorer error message still popped up. Is there more that I should do? Should I run Tool 2 instead?

Anyway, here's the HJT log you wanted:

Logfile of HijackThis v1.99.0
Scan saved at 3:59:49 PM, on 1/31/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\WUSB11 WLAN MONITOR\WLAN_CFG.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\MY DOCUMENTS\CESI\DOWNLOADS\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Search - {8C844B8E-EAE6-D89D-CAE3-4DB5084073C4} - C:\WINDOWS\Dtdqhwwb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_5_7_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WLAN_Cfg.exe] C:\Program Files\WUSB11 WLAN Monitor\WLAN_Cfg.exe
O4 - HKLM\..\Run: [ICSDCLT] c:\windows\rundll32.exe c:\windows\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [jicwrfw] C:\WINDOWS\SYSTEM\peuzhmjn.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Upsfc] C:\WINDOWS\TEMP\APP173.TMP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\SYSTEM\mscif.exe
O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\SYSTEM\wnsintsv.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\PROGRA~1\AIMTOO~1\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotion...ctor/WebSWK.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/28c1f8c1721bbc...ip/RdxIE601.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab

Thanks again for all your help!
swizilstix

#5 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 31 January 2005 - 08:26 PM

Hello again swizilstix. No, you don't have to run the peper tool again. It appears to have removed the peper trojan admirably. You still have, however, other malware on your computer. We needed to remove the peper trojan before we could proceed in removing the additional items. To begin the next phase, once again print these directions and close all open windows (including this one).

From reviewing your log I do not see any installed anti-virus software running. That is your first defense in safe internet surfing. I will now have you perform some on-line virus scans and then run AdAware and Spybot again. Then we will download a free anti-virus application, install and update it and do a complete system scan with that. Please follow each step in order.

Step # 1

Run both of the following on-line virus scans:

Trend Micro Housecall and
BitDefender On-Line Virus Scan

Make sure that you choose "fix" or "clean".

Step #2

Please run both AdAware and Spybot. Follow the instructions in the links below to make sure that you have the most current updates and the proper settings to run each one.

Spybot Tutorial
AdAware Tutorial

Step # 3

Next, let's clean up the temporary directories:
*Click Start
*Point to Programs
*Point to Accessories
*Point to System Tools
*Click Disk Cleanup.
*Select all items shown and click the OK button.

Step # 4

Please download and install one of the free anti-virus apps listed below. Follow the provider's directions for installing, updating and running a full scan.

Grisoft AVG Anti-Virus Free Edition and
Avast Anti-Virus Home Edition.

Step # 5

OK. Reboot your computer normally, start HijackThis and perform a new scan. Post your new log file back here as a reply to this topic and I will review it.

DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS SOME OF THE FILES ARE LEGITIMATE AND VITAL TO THE FUNCTION OF YOUR COMPUTER

OT :thumbsup:

#6 swizilstix

swizilstix
  • Topic Starter

  • Members
  • 28 posts
  • Location:NY

Posted 01 February 2005 - 03:30 PM

Hey again -

OK so unfortunately, I haven't gotten past step one. hehe.

So the problem is that I can't run HouseCall: I get to page 1, click on the link that says Scan Now. It's Free!, and I fill out the location page etc. Everything's going fine. Then, when it gets to the actual scan page, it tries to start the Active Update, and within two seconds, I get this message:

Trend ActiveUpdate did not update successfully. It may result from busy server or bad network traffic.
Error Code: 28
Error String: Generic source network failure
Do you want to retry?


I've clicked retry. I've refreshed the page. I've rebooted my computer and tried again. I even waited practically 24 hours, hoping it was a bug in the system that Trend Micro would fix right away. Still no luck.

So. What should I do now? I already ran BitDefender On-Line Virus Scan, after the first couple of unsuccessful tries with Housecall, and it came up empty, if I remember correctly.

Ugh.

dazed and confused,
swizilstix

#7 swizilstix

swizilstix
  • Topic Starter

  • Members
  • 28 posts
  • Location:NY

Posted 01 February 2005 - 03:31 PM

P.S.
the pop ups have gotten worse - way more so than usual. Help!

#8 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 01 February 2005 - 04:55 PM

If you ran BitDefender and came up clean that's OK. You could try the Panda ActiveScan instead of the Trend Micro Housecall if you want:

http://www.pandasoftware.com/home/default.asp

(look on the bottom on the left-hand side). We usually have users run 2 scans just to make sure nothing was missed.

Continue with the rest of the steps and post your log back here (it should be interesting).

OT

#9 swizilstix

swizilstix
  • Topic Starter

  • Members
  • 28 posts
  • Location:NY

Posted 02 February 2005 - 04:21 PM

whoot!

here's the HJT log u wanted:


Logfile of HijackThis v1.99.0
Scan saved at 4:18:28 PM, on 2/2/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\WUSB11 WLAN MONITOR\WLAN_CFG.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\MY DOCUMENTS\CESI\DOWNLOADS\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
R3 - Default URLSearchHook is missing
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_5_7_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WLAN_Cfg.exe] C:\Program Files\WUSB11 WLAN Monitor\WLAN_Cfg.exe
O4 - HKLM\..\Run: [ICSDCLT] c:\windows\rundll32.exe c:\windows\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [jicwrfw] C:\WINDOWS\SYSTEM\peuzhmjn.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Upsfc] C:\WINDOWS\TEMP\APP173.TMP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\SYSTEM\mscif.exe
O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\SYSTEM\wnsintsv.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\PROGRA~1\AIMTOO~1\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotion...ctor/WebSWK.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/28c1f8c1721bbc...ip/RdxIE601.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab


thanks!
swizilstix

#10 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 03 February 2005 - 01:54 AM

tix. Things are looking better. After reviewing your log we have a few last items to clean up. Please print these directions and then close all open windows (including this one). Follow the steps below in order.

Step # 1

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [jicwrfw] C:\WINDOWS\SYSTEM\peuzhmjn.exe
O4 - HKLM\..\Run: [Upsfc] C:\WINDOWS\TEMP\APP173.TMP
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\SYSTEM\mscif.exe
O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\SYSTEM\wnsintsv.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)


Now click the Fix Checked button to finish the repair.

Step # 2

Restart your computer in Safe Mode by following these directions:

How to Start To Safe Mode Using the F8 method:

To start your computer in Safe Mode:
*turn the computer on
*as the computer restarts, press and hold down the Ctrl key until the Windows 98 startup menu appears. (This also works with the F8 key following the same steps)
*Choose Safe mode from the startup menu,
*press Enter
*Windows starts in Safe mode.

We need to make sure all hidden files are showing so please:
* Open My Computer.
* Select the View menu and click Folder Options.
* Select the View Tab.
* In the Hidden files section select Show all files.
* Click OK.

Find the following files/directories and delete them:

C:\WINDOWS\SYSTEM\peuzhmjn.exe
C:\WINDOWS\SYSTEM\mscif.exe
C:\WINDOWS\SYSTEM\wnsintsv.exe
C:\WINDOWS\TEMP\APP173.TMP


While still in Safe mode follow these steps to clean out your temporary files:

This process will clean out your Temp files and your Temporary Internet Files. Please do both steps:

Step 1:Delete Temp Files
To clean out your temp files, click on Start and then run, and type %temp% and press the ok button.

This should open up the temp directory that your machine uses. Please delete all files that are found there. If you get an error when deleting a file, skip that file and delete all the others. If you had trouble deleting a file, reboot into Safe Mode and follow this step again. You should now be able to delete all the files.

Do this same process for %windir%\temp.

Step 2: Delete Temporary Internet Files
Now I want you to open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.

OK. Reboot your computer normally, start HijackThis and perform a new scan. Post your new log file back here as a reply to this topic and I will review it. Let me know how things are running.

OT :thumbsup:

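The entries OldTimer singles out in the post above (the R3 line, the O4 autostarts in C:\WINDOWS\SYSTEM and C:\WINDOWS\TEMP, and the orphaned O9 button), together with the O1 hosts lines that appeared in the second log, are the kind of thing a small triage script can pull out of a HijackThis log before a human reviews the rest. What follows is an added example written for this page; it is not HijackThis code and not anything OldTimer posted. The filename watch list is taken from the fix list in this thread, the sample log is a handful of lines copied from the logs posted here, and the regular expressions assume the line layout those logs show.

```python
"""Triage helper for HijackThis-style log lines.
Added example for this thread; not part of HijackThis or of any post here."""
import re
from dataclasses import dataclass, field

# Constructed sample: a handful of lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [jicwrfw] C:\WINDOWS\SYSTEM\peuzhmjn.exe
O4 - HKLM\..\Run: [Upsfc] C:\WINDOWS\TEMP\APP173.TMP
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\SYSTEM\mscif.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
"""

# Filenames OldTimer identified in this thread as malware autostarts (from his fix list).
WATCH_LIST = {"peuzhmjn.exe", "app173.tmp", "mscif.exe", "wnsintsv.exe"}

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<host>\S+)$")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run(?:Services)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class Entry:
    kind: str                                   # HijackThis section code, e.g. "O4"
    body: str                                   # everything after "O4 - "
    flags: list = field(default_factory=list)   # reasons this entry deserves a look


def exe_name(cmd):
    """Lower-cased filename of the program an autostart command launches."""
    cmd = cmd.strip()
    target = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return target.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(entry):
    """Attach flags to one parsed entry using simple, explainable rules."""
    body = entry.body
    if body.endswith("(no file)"):
        entry.flags.append("orphaned: registered component no longer exists on disk")
    if entry.kind == "R3" and "missing" in body:
        entry.flags.append("default URLSearchHook is missing")
    if entry.kind == "O1":
        m = HOSTS_RE.match(body)
        # A hosts entry that sends a search domain to a non-loopback address is a redirect.
        if m and not m.group("ip").startswith("127."):
            entry.flags.append(f"hosts file points {m.group('host')} at remote IP {m.group('ip')}")
    if entry.kind == "O4":
        m = RUN_RE.match(body)
        if m:
            if "\\temp\\" in m.group("cmd").lower():
                entry.flags.append("autostart runs from a TEMP directory")
            if exe_name(m.group("cmd")) in WATCH_LIST:
                entry.flags.append("autostart matches a filename from this thread's fix list")
    return entry


def parse_log(text):
    """Parse every HijackThis entry line; header and 'Running processes' lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(triage(Entry(m.group("kind"), m.group("body"))))
    return entries


def suspicious(text):
    """Entries that picked up at least one flag."""
    return [e for e in parse_log(text) if e.flags]


if __name__ == "__main__":
    for e in suspicious(SAMPLE_LOG):
        print(f"{e.kind}: {e.body}\n    -> " + "; ".join(e.flags))
```

Running suspicious(SAMPLE_LOG) returns eight flagged entries; the legitimate R1 and ScanRegistry lines pass through unflagged. The rules are deliberately narrow (TEMP-resident autostarts, orphaned components, hosts entries pointing a search domain at a non-loopback address, and a name list), so a randomly named executable sitting in C:\WINDOWS\SYSTEM would not be caught on its own, which is exactly why OldTimer's review of the full log still matters.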

#11 swizilstix

swizilstix
  • Topic Starter

  • Members
  • 28 posts
  • Location:NY

Posted 03 February 2005 - 03:43 PM

ok I did everything you said, except when I got to

Find the following files/directories and delete them:

C:\WINDOWS\SYSTEM\peuzhmjn.exe
C:\WINDOWS\SYSTEM\mscif.exe
C:\WINDOWS\SYSTEM\wnsintsv.exe
C:\WINDOWS\TEMP\APP173.TMP


i couldn't find any of them! I went directly to the files through My Computer, and they weren't there, so I searched for each of them through the Start>>Find. The closest I found was C:\WINDOWS\TEMP\mscif.exe, but none of the others got a hit. I didn't delete the file right away - I wanted to check with you before doing anything rash - so I skipped that step and went ahead and deleted all the Temp Files like you said, which naturally deleted the program (C:\WINDOWS\TEMP\mscif.exe) for me.

I hope the fact that I couldn't find these files is more of a good thing than a bad one...

Anyway, now that I've made all those changes and restarted the computer, the popups have gotten MUCH better (though I still get one every now and then - I hope that just has to do with the sites I've been visiting, and not some more stupid ad/spywares...) and there was no error: explorer message when I signed on. that makes me very happy. :flowers:

So, here's the most recent (and hopefully, the last one I'll be posting anytime soon :thumbsup: ) HJT results. Hope everything looks good!

swizilstix



Logfile of HijackThis v1.99.0
Scan saved at 3:33:34 PM, on 2/3/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\WUSB11 WLAN MONITOR\WLAN_CFG.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\MY DOCUMENTS\CESI\DOWNLOADS\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
R3 - Default URLSearchHook is missing
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_5_7_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WLAN_Cfg.exe] C:\Program Files\WUSB11 WLAN Monitor\WLAN_Cfg.exe
O4 - HKLM\..\Run: [ICSDCLT] c:\windows\rundll32.exe c:\windows\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [jicwrfw] C:\WINDOWS\SYSTEM\peuzhmjn.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Upsfc] C:\WINDOWS\TEMP\APP173.TMP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\SYSTEM\mscif.exe
O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\SYSTEM\wnsintsv.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\PROGRA~1\AIMTOO~1\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotion...ctor/WebSWK.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/28c1f8c1721bbc...ip/RdxIE601.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

#12 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 04 February 2005 - 12:54 PM

Hey swizilstix. Unfortunately, your log doesn't look any different than the one before. The same files/entries are still there. I notice that you have ICS running on this computer. This machine could be picking up these infections from a connected machine. Here is what I would like you to do:

Download this file: http://www.thatcomputerguy.us/downloads/findit98.zip and save it for later.

Print these directions and then shut this machine down.

Physically disconnect it from all other machines and the internet.

Restart your computer in Safe Mode by following these directions:

How to Start To Safe Mode Using the F8 method:

To start your computer in Safe Mode:
*turn the computer on
*as the computer restarts, press and hold down the Ctrl key until the Windows 98 startup menu appears. (This also works with the F8 key following the same steps)
*Choose Safe mode from the startup menu,
*press Enter
*Windows starts in Safe mode.

We need to make sure all hidden files are showing so please:
* Open My Computer.
* Select the View menu and click Folder Options.
* Select the View Tab.
* In the Hidden files section select Show all files.
* Click OK.

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [jicwrfw] C:\WINDOWS\SYSTEM\peuzhmjn.exe
O4 - HKLM\..\Run: [Upsfc] C:\WINDOWS\TEMP\APP173.TMP
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\SYSTEM\mscif.exe
O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\SYSTEM\wnsintsv.exe


Now click the Fix Checked button to finish the repair.

Find the following files/directories and delete them (do a complete scan of the hard drive for each one):

C:\WINDOWS\SYSTEM\peuzhmjn.exe
C:\WINDOWS\TEMP\APP173.TMP
C:\WINDOWS\SYSTEM\mscif.exe
C:\WINDOWS\SYSTEM\wnsintsv.exe


While still in Safe mode follow these steps to clean out your temporary files:

This process will clean out your Temp files and your Temporary Internet Files. Please do both steps:

Step 1:Delete Temp Files
To clean out your temp files, click on Start and then run, and type %temp% and press the ok button.

This should open up the temp directory that your machine uses. Please delete all files that are found there by clicking on the Edit menu item and then clicking on Select All. If you get an error when deleting a file, skip that file and delete all the others. If you had trouble deleting a file report it back here in your next post.

Do this same process for %windir%\temp.

Step 2: Delete Temporary Internet Files
Now I want you to click Start then Settings then Control Panel and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.

Now right-click on the Recycle Bin icon on your desktop and click on the Empty Recycle Bin menu item. Click on the Yes button when asked to confirm.

Now start AdAware and run a complete scan. Fix anything that AdAware finds.

OK. Reboot your computer normally, start HijackThis and perform a new scan. Save the log file to your My Documents folder. Shut the machine down, hook your internet connection back up and restart your machine again. Post your new log file back here as a reply to this topic and I will review it.

Now go to where you downloaded the findit98.zip file and unzip the contents to a folder. When it has unzipped, open that folder and double click on Find.bat. It will run for a while, so be patient, and then produce a log (ignore any File not found messages on the screen, it should continue anyway).

Please copy and paste that log here.

From the moment you post your list, until you see a detailed fix written up, DO NOT reboot your system or log off. If you do, the files will have changed and the fix provided will not work.


OT :thumbsup:
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

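The triage OldTimer is doing by eye above (comparing the new log with the previous one, then picking out the O4 autoruns that do not belong) can be mechanised. What follows is an added example, not code from this thread or from HijackThis: it takes the relevant lines of the two posted logs as constructed sample input, diffs them, and flags O4 entries that start something from a temp directory or an unrecognised executable under C:\WINDOWS\SYSTEM, plus the "URLSearchHook is missing" and "(no file)" leftovers. The KNOWN_GOOD allowlist is an assumption a helper would maintain, not something the thread provides.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample input: the lines that matter from the two HijackThis
# logs posted in this thread (30 Jan scan vs. 20 Feb scan).
LOG_BEFORE = r"""
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [jicwrfw] C:\WINDOWS\SYSTEM\peuzhmjn.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Upsfc] C:\WINDOWS\TEMP\APP173.TMP
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\SYSTEM\mscif.exe
O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\SYSTEM\wnsintsv.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
"""

LOG_AFTER = r"""
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
"""

# Hypothetical allowlist of executables a helper recognises as benign when
# they live under C:\WINDOWS\SYSTEM (assumption, not from the thread).
KNOWN_GOOD = {"systray.exe", "qttask.exe", "vsmon.exe", "icsdclt.dll"}

# O4 - <hive>\..\<Run|RunServices|RunOnce>: [<value name>] <command>
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")


def entries(log: str) -> List[str]:
    """Non-empty, trimmed lines of a HijackThis log."""
    return [ln.strip() for ln in log.splitlines() if ln.strip()]


def diff_logs(before: str, after: str) -> Tuple[Set[str], Set[str]]:
    """(removed, added) entries between two scans: did the fix take?"""
    a, b = set(entries(before)), set(entries(after))
    return a - b, b - a


def command_path(cmd: str) -> str:
    """Executable path from a Run value; quoted paths may contain spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1 : cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def flag_entries(log: str) -> Dict[str, str]:
    """Map each suspicious log line to the reason it was flagged."""
    flagged: Dict[str, str] = {}
    for line in entries(log):
        if line.startswith("R3 - ") and "is missing" in line:
            flagged[line] = "URLSearchHook removed or replaced; restore the default"
            continue
        if line.startswith("O9 - ") and line.endswith("(no file)"):
            flagged[line] = "orphaned button entry; target file no longer exists"
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        path = command_path(m.group(4))
        upper = path.upper()
        name = upper.rsplit("\\", 1)[-1].lower()
        if "\\TEMP\\" in upper or upper.endswith(".TMP"):
            flagged[line] = "autorun from a temp directory"
        elif "\\WINDOWS\\SYSTEM\\" in upper and name not in KNOWN_GOOD:
            flagged[line] = "unrecognised executable in the system directory"
    return flagged


if __name__ == "__main__":
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("gone since last scan:", len(removed), "new:", len(added))
    for line, why in flag_entries(LOG_BEFORE).items():
        print(f"FLAG ({why}): {line}")
```

The flagged set for the first log is exactly the five entries OldTimer told the poster to tick plus the orphaned O9 button; the second log produces no flags, which is the same conclusion he reaches in the next post. The allowlist is the weak point: anything not on it that sits in C:\WINDOWS\SYSTEM gets flagged, so a real one has to be maintained against the machine's actual software.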

#13 swizilstix

swizilstix
  • Topic Starter

  • Members
  • 28 posts
  • Location:NY

Posted 20 February 2005 - 12:41 AM

sorry about the delay....

anyway, here's the HJT scan you wanted... hopefully things are looking up.



Logfile of HijackThis v1.99.0
Scan saved at 12:31:28 AM, on 2/20/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\WUSB11 WLAN MONITOR\WLAN_CFG.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\MY DOCUMENTS\CESI\DOWNLOADS\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_5_7_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WLAN_Cfg.exe] C:\Program Files\WUSB11 WLAN Monitor\WLAN_Cfg.exe
O4 - HKLM\..\Run: [ICSDCLT] c:\windows\rundll32.exe c:\windows\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\PROGRA~1\AIMTOO~1\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotion...ctor/WebSWK.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/28c1f8c1721bbc...ip/RdxIE601.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab



I'll get started on findit98 right now. thanks again!
swizilstix

#14 swizilstix

swizilstix
  • Topic Starter

  • Members
  • 28 posts
  • Location:NY

Posted 20 February 2005 - 01:01 AM

and here's the find.bat log....


Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 277D-15DC
Directory of C:\WINDOWS\SYSTEM

PWBM74I K9S 512 01-23-05 6:23p Pwbm74i.k9s
YDUHGTT 58Q 512 12-29-04 8:17p YduHgTT.58q
AFXJIVVQ 8T0 512 12-04-04 4:10p AfxJiVVQ.8t0
INSETUP DLL 312,680 10-02-04 12:36p InSETUP.DLL
CHGWIZ DLL 312,680 10-02-04 12:36p ChGWIZ.DLL
WBTFESR 4TP 512 09-02-04 10:44p WbtFeSR.4tp
FKCO 5AA 512 08-23-04 10:38a Fkco.5aa
YFK8 CT6 512 08-20-04 5:33p Yfk8.ct6
RXDN74K LAT 512 07-26-04 12:32a Rxdn74k.lat
9 file(s) 628,944 bytes
0 dir(s) 4,440.73 MB free

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 277D-15DC
Directory of C:\WINDOWS\SYSTEM

RATINGS POL 8,192 01-23-05 7:44p RATINGS.POL
PWBM74I K9S 512 01-23-05 6:23p Pwbm74i.k9s
YDUHGTT 58Q 512 12-29-04 8:17p YduHgTT.58q
ZLLICTBL DAT 4,212 12-20-04 7:25p zllictbl.dat
AFXJIVVQ 8T0 512 12-04-04 4:10p AfxJiVVQ.8t0
INSETUP DLL 312,680 10-02-04 12:36p InSETUP.DLL
CHGWIZ DLL 312,680 10-02-04 12:36p ChGWIZ.DLL
WBTFESR 4TP 512 09-02-04 10:44p WbtFeSR.4tp
FKCO 5AA 512 08-23-04 10:38a Fkco.5aa
YFK8 CT6 512 08-20-04 5:33p Yfk8.ct6
RXDN74K LAT 512 07-26-04 12:32a Rxdn74k.lat
LOG1 TXT 10,264 05-23-04 9:28a log1.txt
LOG2 TXT 10,258 05-22-04 9:57p log2.txt
LOG3 TXT 10,258 05-22-04 8:09p log3.txt
LOG4 TXT 10,258 05-22-04 6:21p log4.txt
KYF DAT 2,886,514 05-22-04 10:31a kyf.dat
LOG5 TXT 30,770 05-02-04 3:23p log5.txt
LOG6 TXT 10,306 04-29-04 4:58p log6.txt
LOG7 TXT 10,342 04-29-04 3:26p log7.txt
LOG8 TXT 10,244 04-28-04 9:52p log8.txt
LOG9 TXT 10,295 04-28-04 8:04p log9.txt
RATINGS OLD 8,192 01-15-03 6:52p Ratings.old
ZBQ_Q1~1 INI 94 12-19-02 11:57a zbq_Q1swg.ini
EPIUIE3P GID 10,832 10-09-02 5:59p EPIUIE3P.GID
LXAU9XDH GID 34,496 10-22-01 4:10a lxau9xdh.GID
FOLDER HTT 13,122 06-30-99 2:33p folder.htt
DESKTOP INI 266 06-30-99 2:33p desktop.ini
27 file(s) 3,707,859 bytes
0 dir(s) 4,440.72 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{A47819C1-146F-11D9-AE9F-00062508195D}"=""

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
ratings.pol Sun Jan 23 2005 7:44:50p ...HR 8,192 8.00 K
zllictbl.dat Mon Dec 20 2004 7:25:38p ...H. 4,212 4.11 K
afxjivvq.8t0 Sat Dec 4 2004 4:10:36p ..SH. 512 0.50 K
yduhgtt.58q Wed Dec 29 2004 8:17:56p ..SH. 512 0.50 K
pwbm74i.k9s Sun Jan 23 2005 6:23:54p ..SH. 512 0.50 K

5 items found: 5 files, 0 directories.
Total of file sizes: 13,940 bytes 13.61 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\WINDOWS\SYSTEM\pav.sig: Qoologic

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\Zuwcueh.yab: plaspackusa.com
C:\WINDOWS\SYSTEM\pav.sig: AsPack

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------
C:\WINDOWS\SYSTEM\InSETUP.DLL: rundll32.exe %s,UMonitor %s %s
C:\WINDOWS\SYSTEM\InSETUP.DLL: UMonitor
C:\WINDOWS\SYSTEM\ChGWIZ.DLL: rundll32.exe %s,UMonitor %s %s
C:\WINDOWS\SYSTEM\ChGWIZ.DLL: UMonitor

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="c:\\windows\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"WLAN_Cfg.exe"="C:\\Program Files\\WUSB11 WLAN Monitor\\WLAN_Cfg.exe"
"ICSDCLT"="c:\\windows\\rundll32.exe c:\\windows\\SYSTEM\\icsdclt.dll,ICSClient"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"AVG7_CC"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGCC.EXE /STARTUP"
"AVG7_AMSVR"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGAMSVR.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
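What Find.bat did here (list the hidden and system-attribute files in C:\WINDOWS\SYSTEM, then run Strings.exe over the directory looking for a few marker words) is easy to reproduce, and doing so shows why the two DLLs and the 512-byte files stand out. The script below is an added example, not the Find.bat script itself. It parses the dir-style listing above (embedded as constructed sample input), flags tiny files whose extensions Windows never uses (the .k9s/.58q/.5aa set) and binaries that share an exact size and timestamp under different names (the InSETUP.DLL/ChGWIZ.DLL twins), and runs a minimal strings extractor over a constructed byte blob looking for the same markers (UMonitor, Qoologic, AsPack). KNOWN_EXT and the sample blobs are assumptions. Note also what the log's own warning means in practice: pav.sig, presumably the Panda ActiveScan signature file the O16 entries point to, matches "Qoologic" and "AsPack" simply because a signature database names those families, so a string hit alone is not evidence.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Sequence

# Constructed sample: dir-style lines taken from the Find.bat output above,
# plus benign neighbours from the hidden-files section, for contrast.
DIR_LISTING = """\
RATINGS  POL         8,192  01-23-05  7:44p RATINGS.POL
PWBM74I  K9S           512  01-23-05  6:23p Pwbm74i.k9s
YDUHGTT  58Q           512  12-29-04  8:17p YduHgTT.58q
INSETUP  DLL       312,680  10-02-04 12:36p InSETUP.DLL
CHGWIZ   DLL       312,680  10-02-04 12:36p ChGWIZ.DLL
FKCO     5AA           512  08-23-04 10:38a Fkco.5aa
FOLDER   HTT        13,122  06-30-99  2:33p folder.htt
DESKTOP  INI           266  06-30-99  2:33p desktop.ini
"""

# Extensions one expects in C:\WINDOWS\SYSTEM on Win98 (assumption).
KNOWN_EXT = {"dll", "exe", "ocx", "vxd", "drv", "sys", "tsk", "ini",
             "txt", "dat", "pol", "htt", "gid", "old", "sig"}

# The marker words Find.bat's Strings.exe passes look for.
MARKERS = ("UMonitor", "Qoologic", "AsPack")


class Entry(NamedTuple):
    name: str
    ext: str
    size: int
    stamp: str   # "MM-DD-YY H:MMp"


# 8.3 name, extension, size with thousands separators, date, time, long name.
# Lines without an extension column are skipped; not needed for this triage.
LINE_RE = re.compile(
    r"^\S+\s+(\S+)\s+([\d,]+)\s+(\d\d-\d\d-\d\d\s+\d{1,2}:\d\d[ap])\s+(\S+)$"
)


def parse_listing(text: str) -> List[Entry]:
    """Turn DOS 'dir' output lines into Entry records."""
    out: List[Entry] = []
    for ln in text.splitlines():
        m = LINE_RE.match(ln.strip())
        if m:
            ext, size, stamp, name = m.groups()
            out.append(Entry(name, ext.lower(), int(size.replace(",", "")),
                             " ".join(stamp.split())))
    return out


def suspicious(entries: Sequence[Entry]) -> Dict[str, str]:
    """Map file name -> reason, using two cheap heuristics from the log above."""
    flagged: Dict[str, str] = {}
    # 1. Tiny files with extensions Windows never uses: typically markers
    #    or configuration dropped by the infection.
    for e in entries:
        if e.ext not in KNOWN_EXT and e.size <= 1024:
            flagged[e.name] = f"{e.size}-byte file with unknown extension .{e.ext}"
    # 2. Binaries sharing size and timestamp under different names: one
    #    payload stored twice so that deleting one copy leaves the other.
    twins = defaultdict(list)
    for e in entries:
        if e.ext in {"dll", "exe"}:
            twins[(e.size, e.stamp)].append(e.name)
    for names in twins.values():
        if len(names) > 1:
            for n in names:
                others = ", ".join(x for x in names if x != n)
                flagged[n] = f"same size and timestamp as {others}"
    return flagged


PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")


def strings(data: bytes) -> List[str]:
    """Minimal Strings.exe: runs of 4 or more printable ASCII bytes."""
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(data)]


def find_markers(data: bytes, markers: Sequence[str] = MARKERS) -> List[str]:
    """Which marker words occur (case-insensitively) among the file's strings."""
    found: List[str] = []
    for s in strings(data):
        for mk in markers:
            if mk.lower() in s.lower() and mk not in found:
                found.append(mk)
    return found


# Constructed byte blobs standing in for a DLL's string table; not real samples.
SAMPLE_DLL = (b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8
              + b"rundll32.exe %s,UMonitor %s %s\x00" + b"\xff" * 4
              + b"KERNEL32.dll\x00")
BENIGN_DLL = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8 + b"GetProcAddress\x00"

if __name__ == "__main__":
    for name, why in suspicious(parse_listing(DIR_LISTING)).items():
        print(f"{name}: {why}")
    print("markers in sample blob:", find_markers(SAMPLE_DLL))
```

The twin check is the useful one here: two 312,680-byte DLLs with the same minute-level timestamp are the same file under two names, which is why the next post removes both rather than only the one named in the original crash dialog.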

#15 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 21 February 2005 - 06:26 PM

Hello again swizilstix. Your log looks pretty clean at this point but we still have some files and a registry key left over from the infection to clean up. I'm going to have you download a special tool to take care of these items.

Please print out these instructions as you will be required to reboot your computer at times. Please read these directions before you proceed so that you understand what you will be doing.

Step 1:

Download the Killbox.

Unzip the contents of KillBox.zip to a convenient location and then double-click on KillBox.exe to launch the program.
  • Select the Replace on Reboot option and put a checkmark in the Use Dummy checkbox if it is not checked. Make sure the Use Dummy checkbox is checked as it clears each time you do these steps.

  • Paste this file into the top Full Path of File to Delete field.

    C:\WINDOWS\SYSTEM\InSETUP.DLL

  • Click the Delete File button which looks like a stop sign.
  • Click Yes at the Replace on Reboot prompt.
  • Click No at the Pending Operations prompt.
Repeat steps 1 through 5 above for each of the following files. The only difference is that you will be substituting the file listed in step 2 with each of the files below.

C:\WINDOWS\SYSTEM\ChGWIZ.DLL

After you add the last file, ChGWIZ.DLL, and it prompts to reboot, you should press the Yes button to allow it to do so.

Do not reboot more than once.

Step 2:

Please run Findit again and post the resulting log. Remember it may take quite a bit of time before the log appears. So be patient.

OT :thumbsup:
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

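"Replace on Reboot" exists because a DLL that Explorer has loaded cannot be deleted while Windows is running. On Windows 9x the operating system's own deferred mechanism is the [rename] section of C:\WINDOWS\WININIT.INI: WININIT.EXE processes it at the next boot before the shell loads, each line is destination=source, and a destination of NUL deletes the source. That Killbox uses this file on Win98 is an assumption here; the example below is added for illustration and is not Killbox's code. Two details matter in practice and are handled: WININIT.INI only understands 8.3 short names, so long paths are rejected rather than silently ignored at boot, and new NUL= lines are merged under an existing [rename] header instead of appending a duplicate section.

```python
import re
from typing import Iterable, List

# One path component that is a valid 8.3 short name (compared upper-cased).
SHORT_COMPONENT = re.compile(r"[A-Z0-9_~$!#%&@'(){}^-]{1,8}(\.[A-Z0-9_~$!#%&@'(){}^-]{1,3})?")


def is_short_path(path: str) -> bool:
    """True for an absolute 8.3 path such as C:\\WINDOWS\\SYSTEM\\CHGWIZ.DLL.

    WININIT.EXE runs before long-filename support is up, so a path like
    C:\\Program Files\\x.dll would simply not be found at boot.
    """
    m = re.fullmatch(r"[A-Za-z]:\\(.+)", path)
    if not m:
        return False
    return all(SHORT_COMPONENT.fullmatch(c.upper()) for c in m.group(1).split("\\"))


def merge_rename(existing: str, targets: Iterable[str]) -> str:
    """Return WININIT.INI text with NUL=<target> lines in its [rename] section.

    Duplicate section headers are unreliable in INI files, so new lines go
    directly under an existing [rename] header; the section is created
    only if there is none.
    """
    new_lines: List[str] = []
    for t in targets:
        if not is_short_path(t):
            raise ValueError(f"not an 8.3 path, WININIT.EXE could not resolve it: {t}")
        new_lines.append(f"NUL={t}")
    lines = existing.splitlines()
    for i, ln in enumerate(lines):
        if ln.strip().lower() == "[rename]":
            lines[i + 1 : i + 1] = new_lines
            break
    else:
        lines += ["[rename]"] + new_lines
    return "\n".join(lines) + "\n"


def schedule_delete(ini_path: str, targets: Iterable[str]) -> str:
    """Update the INI file at ini_path (C:\\WINDOWS\\WININIT.INI on a 9x box)."""
    try:
        with open(ini_path, encoding="ascii") as fh:
            existing = fh.read()
    except FileNotFoundError:
        existing = ""
    text = merge_rename(existing, targets)
    with open(ini_path, "w", encoding="ascii") as fh:
        fh.write(text)
    return text


if __name__ == "__main__":
    # Constructed demo: the two leftovers named in the Find.bat log above.
    print(merge_rename("", [r"C:\WINDOWS\SYSTEM\INSETUP.DLL",
                            r"C:\WINDOWS\SYSTEM\CHGWIZ.DLL"]), end="")
```

The "do not reboot more than once" instruction follows from the mechanism: WININIT.EXE renames the file to WININIT.BAK once it has processed it, so the section is consumed on the first boot and a second boot does nothing; if the files are still present afterwards, the entry was never processed rather than processed twice.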