new hijack log please help!


  • This topic is locked
12 replies to this topic

#1 younguser

  • Members, 8 posts

Posted 11 February 2005 - 06:17 AM

Hi, I wrote yesterday and since then I sorted some (!) stuff out myself...
But there are still attacks and spyware remaining. What bothers me most is my hijacked Google website. I think it shows the results inverted (the first result becomes last and the last becomes first...)
Please help...
Logfile of HijackThis v1.98.2
Scan saved at 12:16:33, on 11.02.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\ati2evxx.exe
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\Explorer.EXE
C:\Programme\Apoint\Apoint.exe
C:\WINDOWS\System32\Atiptaxx.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\Winamp\winampa.exe
C:\windows\system32\vhangwl.exe
C:\WINDOWS\System32\Services\{0AB1633B-B4DC-4D10-9520-976FC7D03FA5}\SVCHOST.EXE
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\Apoint\Apntex.exe
C:\WINDOWS\process.exe
C:\windows\system32\calc.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\eMule\emule.exe
C:\Programme\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Dokumente und Einstellungen\Gordon-David\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\qwsxp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\qwsxp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\qwsxp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\qwsxp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZServ.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0F9561D0-03B2-44a3-89A6-E95E417CBA25} - C:\WINDOWS\cerbmod.dll
O2 - BHO: (no name) - {776966BD-F389-4485-BE9D-419461B79611} - C:\WINDOWS\System32\qwsxp.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Apoint] C:\Programme\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime

#2 ddeerrff

    Retired
  • Malware Response Team, 2,725 posts
  • Location: Upper Midwest, US

Posted 11 February 2005 - 01:34 PM

Your log shows that you are seriously behind on windows updates. It is essential that you update your operating system as otherwise any infections we remove could reoccur. Go to Windows Update and if it asks to install software, allow it to do so. Install the offered Critical and Security updates, reboot as requested and return until you have installed all available Critical and Security updates. Be sure the Windows Firewall is enabled.


We need to gather a bit of information:

Please download DLLCompare.exe to your desktop.
http://www.bleepingcomputer.com/files/dllcompare.php.

Double click on DLLCompare.exe to run the program. When it is open, click on the Run Locate.com button. When that has completed, click on the compare button and then finally on the make log button. Post the contents of the resulting log as a reply to this topic.


Please download ServiceFilter.zip
http://www.bleepingcomputer.com/files/servicefilter.php.

Extract the zip file to C:\ServiceFilter. Inside the C:\ServiceFilter directory will be a file called ServiceFilter.vbs. Double-click on ServiceFilter.vbs and OK the info window that opens. When the script finishes, a WordPad document should open with the unknown services listed in it.

Copy and paste the document text into your reply.


You are using an outdated version of Hijackthis. Please download and install the newest version, v1.99, from this HijackThis download site.


Rescan with the newer version of HJT and post the log along with the DLLCompare and ServiceFilter logs.
Derfram
~~~~~~

#3 younguser

  • Topic Starter
  • Members, 8 posts

Posted 14 February 2005 - 04:42 PM

Okay,
excuse me, I was not online the other days. I am in my final exams...
Anyway, I seem to be outdated because of that...
I have done some deleting with Windows' new anti-spyware program, but still have some minor problems... I do not trust Windows too much anyway...
Here are the results:

* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found :thumbsup:"
________________________________________________

1'125 items found: 1'125 files, 0 directories.
Total of file sizes: 199'453'515 bytes 190.21 M

Administrator Account = True

--------------------End log---------------------


Seems to be fine...
Next one...


The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Home Edition
Version: 5.1.2600
Feb 14, 2005 22:39:02


---> Begin Service Listing <---

Unknown Service # 1
Service Name: AVWUpSrv
Display Name: AntiVir Update
Start Mode: Auto
Start Name: LocalSystem
Description: Hilfsdienst fuer AntiVir Personal ...
Service Type: Own Process
Path: "c:\programme\avpersonal\avwupsrv.exe"
State: Running
Process ID: 216
Started: Wahr
Exit Code: 0
Accept Pause: Wahr
Accept Stop: Wahr

Unknown Service # 2
Service Name: SPTISRV
Display Name: Sony SPTI Service
Start Mode: Manual
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\programme\gemeinsame dateien\sony shared\avlib\sptisrv.exe
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch



OK, there we have got some problems, don't we...
How can I erase them?


But before that, the last one, with the updated HijackThis log...
Logfile of HijackThis v1.99.0
Scan saved at 22:41:06, on 14.02.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ati2evxx.exe
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\Explorer.EXE
C:\Programme\Apoint\Apoint.exe
C:\WINDOWS\System32\Atiptaxx.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Winamp\winampa.exe
C:\WINDOWS\System32\Services\{0AB1633B-B4DC-4D10-9520-976FC7D03FA5}\SVCHOST.EXE
C:\Programme\Microsoft AntiSpyware\gcasServ.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Apoint\Apntex.exe
C:\Programme\Microsoft AntiSpyware\gcasDtServ.exe
C:\Programme\eMule\emule.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Dokumente und Einstellungen\Gordon-David\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.de
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.de
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.de
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {58EE76DF-690D-413F-A9D9-1589B57D6CCA} - c:\windows\system32\qwsxp.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Apoint] C:\Programme\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{0AB1633B-B4DC-4D10-9520-976FC7D03FA5}\SVCHOST.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Programme\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [vhangwl] c:\windows\system32\vhangwl.exe
O8 - Extra context menu item: &Google Search - res://C:\Programme\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://C:\Programme\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Verweisseiten - res://C:\Programme\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://C:\Programme\Google\GoogleToolbar2.dll/cmsimilar.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O10 - Unknown file in Winsock LSP: c:\windows\system32\fltmgr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\fltmgr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\fltmgr.dll
O15 - Trusted Zone: http://*.63.219.181.7
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1107769425437
O17 - HKLM\System\CCS\Services\Tcpip\..\{0392860E-972F-43D8-88A9-6273C4E97530}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{A21EE6D0-72A6-4A0B-83EF-CE3C1812B23E}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{0392860E-972F-43D8-88A9-6273C4E97530}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS2\Services\Tcpip\..\{0392860E-972F-43D8-88A9-6273C4E97530}: NameServer = 69.50.176.156,195.225.176.31
O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\porynt.dll
O18 - Filter: tťć5ü˛¤TĂR - {5EF9251B-2620-465F-8DC7-2B027F9059A6} - c:\windows\system32\qwsxp.dll
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\ati2evxx.exe
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: Sony SPTI Service - Unknown - C:\Programme\Gemeinsame Dateien\Sony Shared\AVLib\SPTISRV.exe (file missing)

OKAY, it seems the problems have multiplied or moved compared to the last time... I hope it nonetheless makes some sense to you...
And that you can help me...
THX in advance
Yu

#4 ddeerrff

    Retired
  • Malware Response Team, 2,725 posts
  • Location: Upper Midwest, US

Posted 14 February 2005 - 05:38 PM

Good luck on the exams!

The unrecognized services are both OK. Please do not make any changes other than those I ask you to. There is much in this log to clean up and it may take a few passes. Do not get discouraged.


Please uninstall Microsoft AntiSpyware for now. It is a good program but it may interfere with our work here.


Let's start with some automated anti-malware tools.

Please download and install CWShredder from:
http://cwshredder.net/bin/CWSInstall.exe

CWShredder will open as part of the install. Click on Check for Update to be sure you have the most current version.

Run CWShredder by clicking on the FIX button, and allow it to complete.


Download Ad-aware SE v1.05 from LavaSoft. Install, update and configure it as explained in this tutorial. Run Ad-aware and allow it to remove everything it finds.


Download Spybot Search & Destroy v1.3. Install, update and configure it as explained in this tutorial. Run Spybot and allow it to remove everything it finds.


Download the following file and save it to your desktop:
http://www.mvps.org/winhelp2002/DelDomains.inf

Right-click on the deldomains.inf file and select 'Install'.


Reboot and post a new HJT log so we can check our progress.
Derfram
~~~~~~

#5 younguser

  • Topic Starter
  • Members, 8 posts

Posted 15 February 2005 - 08:14 AM

Thx for the advice

I did what you told me...
It took some time and I had some problems

I had a z-demon error in the scanning process of Spybot Search & Destroy...
so it stopped
I'm sending you the HijackThis log...
Logfile of HijackThis v1.99.0
Scan saved at 14:13:40, on 15.02.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Apoint\Apoint.exe
C:\WINDOWS\System32\Atiptaxx.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Winamp\winampa.exe
C:\WINDOWS\System32\Services\{0AB1633B-B4DC-4D10-9520-976FC7D03FA5}\SVCHOST.EXE
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Apoint\Apntex.exe
C:\WINDOWS\System32\ati2evxx.exe
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\Programme\Internet Explorer\iexplore.exe
C:\Dokumente und Einstellungen\Gordon-David\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.de
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.de
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.de
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {58EE76DF-690D-413F-A9D9-1589B57D6CCA} - c:\windows\system32\qwsxp.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Apoint] C:\Programme\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{0AB1633B-B4DC-4D10-9520-976FC7D03FA5}\SVCHOST.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [vhangwl] c:\windows\system32\vhangwl.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Google Search - res://C:\Programme\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://C:\Programme\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Verweisseiten - res://C:\Programme\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://C:\Programme\Google\GoogleToolbar2.dll/cmsimilar.html
O10 - Unknown file in Winsock LSP: c:\windows\system32\fltmgr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\fltmgr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\fltmgr.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1107769425437
O17 - HKLM\System\CCS\Services\Tcpip\..\{0392860E-972F-43D8-88A9-6273C4E97530}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{A21EE6D0-72A6-4A0B-83EF-CE3C1812B23E}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{0392860E-972F-43D8-88A9-6273C4E97530}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS2\Services\Tcpip\..\{0392860E-972F-43D8-88A9-6273C4E97530}: NameServer = 69.50.176.156,195.225.176.31
O18 - Filter: tťć5ü˛¤TĂR - {5EF9251B-2620-465F-8DC7-2B027F9059A6} - c:\windows\system32\qwsxp.dll
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\ati2evxx.exe
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: Sony SPTI Service - Unknown - C:\Programme\Gemeinsame Dateien\Sony Shared\AVLib\SPTISRV.exe (file missing)

#6 ddeerrff

    Retired
  • Malware Response Team, 2,725 posts
  • Location: Upper Midwest, US

Posted 15 February 2005 - 02:46 PM

Download LSPFix and unzip it into its own folder.
- Run LSPFix.
- Move all instances of fltmgr.dll to the 'Remove' pane.
- Check the "I know what I'm doing" box, then click on Finish.
- Reboot.


You have Spybot's Teatimer running in the background. Teatimer does a good job of notifying you when any suspicious changes are made to the registry. We are going to make some changes, so to keep Teatimer from popping up we need to disable it for now. To do so, right click the running icon of spybot's Teatimer located in the systray and choose exit.


Start HJT and click on the SCAN button. Put a check mark in front of the following lines if they still show:

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank

O2 - BHO: (no name) - {58EE76DF-690D-413F-A9D9-1589B57D6CCA} - c:\windows\system32\qwsxp.dll (file missing)

O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{0AB1633B-B4DC-4D10-9520-976FC7D03FA5}\SVCHOST.EXE
O4 - HKLM\..\Run: [vhangwl] c:\windows\system32\vhangwl.exe

O18 - Filter: tťć5ü˛¤TĂR - {5EF9251B-2620-465F-8DC7-2B027F9059A6} - c:\windows\system32\qwsxp.dll

O23 - Service: Sony SPTI Service - Unknown - C:\Programme\Gemeinsame Dateien\Sony Shared\AVLib\SPTISRV.exe (file missing)

With ALL OTHER WINDOWS CLOSED, click on Fix Checked.


Reboot into Safe Mode and enable viewing of Hidden and System files. Open Windows Explorer (Windows key+e), navigate to and delete the following files and folders if found:

C:\WINDOWS\System32\Services\{0AB1633B-B4DC-4D10-9520-976FC7D03FA5}\ <--Folder
c:\windows\system32\qwsxp.dll <--File
c:\windows\system32\vhangwl.exe <--File


Reboot normally, and post a new HJT log.


We will still have a DNS hijacker to clear. Can you tell me (or find out) if your Internet Service provider (ISP) expects you to be using "Obtain a DNS service address automatically" or whether they provide a specific IP address to be used for DNS?
Derfram
~~~~~~

#7 ddeerrff

    Retired
  • Malware Response Team, 2,725 posts
  • Location: Upper Midwest, US

Posted 16 February 2005 - 01:36 PM

From Younguser:

voilà...
I looked in search mode for the other files but could not find them... It seems we already hunted them down...
Here is my new HijackThis log:
Logfile of HijackThis v1.99.0
Scan saved at 18:07:44, on 16.02.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Apoint\Apoint.exe
C:\WINDOWS\System32\Atiptaxx.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Winamp\winampa.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ati2evxx.exe
C:\Programme\Apoint\Apntex.exe
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\Dokumente und Einstellungen\Gordon-David\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.de
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.de
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.de
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Apoint] C:\Programme\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Google Search - res://C:\Programme\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://C:\Programme\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Verweisseiten - res://C:\Programme\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://C:\Programme\Google\GoogleToolbar2.dll/cmsimilar.html
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1107769425437
O17 - HKLM\System\CCS\Services\Tcpip\..\{0392860E-972F-43D8-88A9-6273C4E97530}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{A21EE6D0-72A6-4A0B-83EF-CE3C1812B23E}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{0392860E-972F-43D8-88A9-6273C4E97530}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS2\Services\Tcpip\..\{0392860E-972F-43D8-88A9-6273C4E97530}: NameServer = 69.50.176.156,195.225.176.31
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\ati2evxx.exe
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE


Before we continue to remove the DNS hijacker:

Can you tell me (or find out) if your Internet Service provider (ISP) expects you to be using "Obtain a DNS service address automatically" or whether they provide a specific IP address to be used for DNS?

If you do not have this info, rather than specifics, I will need to give you some options and you will need to chose the option that works best for you.

Edited by ddeerrff, 16 February 2005 - 01:40 PM.

Derfram
~~~~~~

#8 younguser

  • Topic Starter
  • Members, 8 posts

Posted 16 February 2005 - 02:41 PM

Hi Derf,
Sorry, somehow my reply wasn't added the proper way. So here I give you the requested information I forgot... It is a bit chaotic but contains some more you need to know...

I think I am a rather special case: in my students' house we have no such service provider. First, we have a (great) broadband cable connection to the internet, with an internal network we are all logged on to, so the IP addresses are given by the internal server in our cellar...
I do not know if we have such a service provider as you suggested; I guess yes, but it will not give us IPs and is primarily switched to the server....
I heard from my student mates that the server gives each of our PCs connected to the network a variable IP... Can this help you out?
By the way, I am deeply sorry that I am such a dumbass in choosing the right thread. You know I am studying in parallel; I must have been too quick. Thx for your support and your help: I think this site is very, very helpful to PC dorks like me. So I want to thank you and the other supporters here. I hope they are not too bothered about my stupidity in using the threads... Shame on me, and thanks for your patience with me... I apologize.
Greetings
Yu
P.S.: OK, I give you some of my connection information I have about our little LAN party here in our house...
The TCP/IP is given to me so I have my own address; there is another gateway address and a subnet mask (originally the words are in German); anyway the address is given by DHCP (whatever that is). Perhaps you can draw some conclusions from that...
OK, I know some more from the website of our service provider.
They say that their DNS for their internet services is given automatically...
So Mr. Holmes, I think I found it out... But please do not forget that we have this server in between me and the service provider...

#9 ddeerrff

    Retired
  • Malware Response Team, 2,725 posts
  • Location: Upper Midwest, US

Posted 16 February 2005 - 03:34 PM

No need to apologize, I'm just glad I noticed your reply where it was.

Most people are set to 'obtain the DNS automatically', but not everyone. I didn't want to leave you without a valid DNS server listing. (DHCP = Dynamic Host Configuration Protocol.)


Disable Teatimer as before.


Start HJT and click on the SCAN button. Put a check mark in front of the following lines if they still show:

O17 - HKLM\System\CCS\Services\Tcpip\..\{0392860E-972F-43D8-88A9-6273C4E97530}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{A21EE6D0-72A6-4A0B-83EF-CE3C1812B23E}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{0392860E-972F-43D8-88A9-6273C4E97530}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS2\Services\Tcpip\..\{0392860E-972F-43D8-88A9-6273C4E97530}: NameServer = 69.50.176.156,195.225.176.31

With ALL OTHER WINDOWS CLOSED, click on Fix Checked.

Reboot.


Open your Control Panel.

- If you are using Windows XP's Category View, select the Network and Internet Connections category. If you are in Classic View, go to the next step.

- Double-click the Network Connections icon.

- Right-click the Local Area Connection icon and select Properties.

- Highlight Internet Protocol (TCP/IP) and click the Properties button.

Be sure "Obtain DNS server address automatically" is selected. OK your way out.


Reboot and post a new log.

Edited by ddeerrff, 16 February 2005 - 03:35 PM.

Derfram
~~~~~~
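As an added example (written for this thread; it is not a BleepingComputer or HijackThis tool and not part of either poster's messages), the following Python script automates the checks ddeerrff made by eye in posts #6 and #9. It runs over a constructed sample assembled from the log lines posted above and flags the same classes of entries the helper had fixed: the redirected default search URL (R1), the BHO and the service whose DLL or binary is already gone (O2, O23), the second SVCHOST.EXE started from a GUID folder under System32\Services (O4), the unknown Winsock LSP module (O10, which the helper sent to LSPFix rather than Fix Checked), the Trusted Zone additions (O15), static NameServer entries on a network where DNS comes from DHCP (O17), and the filter registered under a garbage name (O18). The expected browser host www.google.de, the `dhcp=True` default and the "review" heuristics are my assumptions, not a HijackThis feature.

```python
"""Triage a HijackThis log the way the helper in this thread did by eye.

Added example for this thread; not a BleepingComputer or HijackThis tool.
"""
import re
from dataclasses import dataclass
from typing import List, Sequence

# Constructed sample: a subset of the log lines younguser posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.de
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.de
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {58EE76DF-690D-413F-A9D9-1589B57D6CCA} - c:\windows\system32\qwsxp.dll (file missing)
O4 - HKLM\..\Run: [Apoint] C:\Programme\Apoint\Apoint.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{0AB1633B-B4DC-4D10-9520-976FC7D03FA5}\SVCHOST.EXE
O4 - HKLM\..\Run: [vhangwl] c:\windows\system32\vhangwl.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\fltmgr.dll
O15 - Trusted Zone: *.ysbweb.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{0392860E-972F-43D8-88A9-6273C4E97530}: NameServer = 69.50.176.156,195.225.176.31
O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\porynt.dll
O18 - Filter: tťć5ü˛¤TĂR - {5EF9251B-2620-465F-8DC7-2B027F9059A6} - c:\windows\system32\qwsxp.dll
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: Sony SPTI Service - Unknown - C:\Programme\Gemeinsame Dateien\Sony Shared\AVLib\SPTISRV.exe (file missing)
"""

# Assumption: the browser hosts this user deliberately configured.
EXPECTED_BROWSER_HOSTS = {"www.google.de"}

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    severity: str  # "fix": matches a pattern removed in this thread; "review": needs a human look
    reason: str
    line: str


def _host_of(value: str) -> str:
    """'http://clearsurfing.net/srch.php?qq=%s' -> 'clearsurfing.net'; 'www.google.de' unchanged."""
    v = re.sub(r"^[a-z]+://", "", value.strip().lower())
    return v.split("/", 1)[0]


def _exe_path(command: str) -> str:
    """First .exe in an O4 command line, quotes and arguments stripped, lower-cased."""
    m = re.match(r'"?(.*?\.exe)', command, re.IGNORECASE)
    return (m.group(1) if m else command).lower()


def _printable_ascii(text: str) -> bool:
    return all(32 <= ord(c) < 127 for c in text)


def triage(log: str, dhcp: bool = True, expected_dns: Sequence[str] = ()) -> List[Finding]:
    """Apply per-section checks to every R/O entry line of a HijackThis log."""
    findings: List[Finding] = []
    for raw in log.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if not m:
            continue  # header, "Running processes:" block, blank lines
        sec, body = m["section"], m["body"]
        low = body.lower()
        if sec in ("R0", "R1"):  # IE start page and search settings
            value = body.split(" = ", 1)[1] if " = " in body else ""
            if value.lower() == "about:blank":
                findings.append(Finding("fix", "search setting blanked (hijacker leftover)", raw))
            elif _host_of(value) not in EXPECTED_BROWSER_HOSTS:
                findings.append(Finding("fix", f"browser setting points at {_host_of(value)}", raw))
        elif sec == "O2":  # browser helper objects
            if "(file missing)" in low:
                findings.append(Finding("fix", "BHO registered for a DLL that is no longer present", raw))
            elif "(no name)" in low:
                findings.append(Finding("review", "unnamed BHO; confirm the DLL's publisher", raw))
        elif sec == "O4":  # autostart entries
            path = _exe_path(body.split("] ", 1)[1]) if "] " in body else ""
            folder, _, base = path.rpartition("\\")
            if base == "svchost.exe" and folder != r"c:\windows\system32":
                findings.append(Finding("fix", "svchost.exe launched from outside System32", raw))
            elif folder.startswith(r"c:\windows"):
                findings.append(Finding("review", "executable autostarting from the Windows directory", raw))
        elif sec == "O10":  # Winsock layered service providers
            findings.append(Finding("fix", "unknown LSP module; repair with LSPFix, not Fix Checked", raw))
        elif sec == "O15":  # trusted-zone / trusted-IP additions
            findings.append(Finding("fix", "site or IP range added to the Trusted zone", raw))
        elif sec == "O17":  # static DNS servers in the TCP/IP parameters
            servers = set()
            if "NameServer =" in body:
                servers = {s.strip() for s in body.split("NameServer =", 1)[1].split(",")}
            if dhcp and servers:
                findings.append(Finding("fix", "static DNS servers set although DNS is assigned by DHCP", raw))
            elif servers - set(expected_dns):
                findings.append(Finding("fix", f"DNS servers not issued by the ISP: {sorted(servers - set(expected_dns))}", raw))
        elif sec == "O18":  # protocol / MIME filters
            name = body.split("Filter: ", 1)[1].split(" - ", 1)[0] if "Filter: " in body else ""
            if not _printable_ascii(name):
                findings.append(Finding("fix", "filter registered under a garbage name", raw))
            else:
                findings.append(Finding("review", "protocol/MIME filter; confirm the DLL", raw))
        elif sec == "O23" and "(file missing)" in low:  # services whose binary is gone
            findings.append(Finding("fix", "service points at a binary that is no longer present", raw))
    return findings


def fix_lines(findings: List[Finding]) -> List[str]:
    """The lines a helper would tell the user to check in HijackThis (O10 goes to LSPFix)."""
    return [f.line for f in findings if f.severity == "fix"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, dhcp=True):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

On the sample the "fix" list matches what ddeerrff asked to have checked, while "review" entries (Spybot's SDHelper.dll, vhangwl.exe, the text/plain filter) are only prompts for the human step the helper performed, looking at the publisher and path of each unknown item; a script cannot replace that step, it just makes sure nothing in a long log is overlooked. Pass `dhcp=False` together with the ISP's real servers in `expected_dns` for a machine that is supposed to carry static DNS settings.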

#10 younguser

  • Topic Starter
  • Members, 8 posts

Posted 18 February 2005 - 11:00 AM

Ok...
Did what you told me...
I'm sending another HJT log

Logfile of HijackThis v1.99.0
Scan saved at 16:59:14, on 18.02.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ati2evxx.exe
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\Programme\Apoint\Apoint.exe
C:\WINDOWS\System32\Atiptaxx.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Winamp\winampa.exe
C:\Programme\Apoint\Apntex.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\WINDOWS\explorer.exe
C:\Programme\eMule\emule.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Dokumente und Einstellungen\Gordon-David\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.de
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.de
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.de
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Apoint] C:\Programme\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Google Search - res://C:\Programme\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://C:\Programme\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Verweisseiten - res://C:\Programme\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://C:\Programme\Google\GoogleToolbar2.dll/cmsimilar.html
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1107769425437
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\ati2evxx.exe
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE

I am still studying here so it took some time...
Thx in advance
yu

#11 ddeerrff

    Retired
  • Malware Response Team, 2,725 posts
  • Location: Upper Midwest, US

Posted 19 February 2005 - 12:32 AM

Congratulations and well done. Your log is now clean.

Once again, though, I must urge you to go to WindowsUpdate and apply all the critical and security updates to your system. This would include Service Pack 2 (SP2). An unpatched WindowsXP system is full of security holes.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

How did I get infected? With steps so it does not happen again!
Derfram
~~~~~~

#12 younguser

  • Topic Starter
  • Members, 8 posts

Posted 19 February 2005 - 02:55 AM

Hoorah,
Thank you very, very much...
This makes me feel so much better. I will read and consider what is done... I hope you enjoyed helping me somehow...
Greetings to the states and I wish you all the best...
Yu

#13 ddeerrff

    Retired
  • Malware Response Team, 2,725 posts
  • Location: Upper Midwest, US

Posted 23 February 2005 - 12:22 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
Derfram
~~~~~~



