Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Please Inspect Hijack This Log for any Evils


  • This topic is locked This topic is locked
7 replies to this topic

#1 spycat

spycat

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:55 AM

Posted 11 February 2005 - 11:53 AM

Hello all,
Many thanks in advance for any help that can be given here.
Much appreciation to the kind volunteers here who so generously donate their time.
Ok, I knows better, but I managed to get some infections.
I lost my Windows 2000 installation, and after putting it back on, I went surfing without the security updates being installed.
I ran (several times) AdAware and Search & Destroy, I have since applied all the security updates, along with SP4 for Win 2000 and updated IE Browser to 6.0. However, the updates installed after-the-fact may or may not have have fixed the prior problems.
I have also:
* Installed Spyware Guard

* Went to Panda and ran activeScan online test. It detected and removed some bad stuff

* About to run TrendMicro's "HouseCall". I aborted it before in order to isolate results from Panda's scan and disinfectment.

* Chose "View All Files" from my computer

* Rebooted in Safe Mode and re-ran HJT

* The Anti-virus prog I use is Avast!'s free edition.

*nstalled SpywareBlaster 3.2.0.0 (thoughts on this product?)

I THINK I found most of the bad stuff but I want an expert here to take a look to make sure.

Ok, enough talk, here is my HijackThis log file:
--
Logfile of HijackThis v1.99.0
Scan saved at 6:27:02 AM, on 2/11/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\SYSTEM32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\Explorer.EXE
D:\Program Files\Alwil Software\Avast4\ashSimpl.exe
D:\HJT\hijackthis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com
O2 - BHO: SEDP Class - {3BA765C2-08DB-4fe2-9279-311CA10D582A} - D:\WINNT\sehlp.dll (file missing)
O2 - BHO: (no name) - {46A70E85-ABE6-4179-9B7A-90195ABBB235} - D:\WINNT\System32\pdokgfa.dll (file missing)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {C3A8DA18-30A1-3B5E-D828-39E67C8858C5} - D:\WINNT\System32\gtpolmu.dll
O2 - BHO: (no name) - {F685EA18-1D92-0E6A-F518-09CB4CB875F5} - D:\WINNT\System32\gtpolmu.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\RunOnce: [MigrateMMDrivers] rundll32.exe mmsys.cpl,mmseRunOnce
O4 - HKLM\..\RunOnce: [Q828026] "D:\WINNT\INF\unregmp2.exe" /UpdateWMP
O4 - HKCU\..\Run: [Qwkkb] D:\WINNT\System32\d?dplay.exe
O4 - Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O15 - Trusted IP range: (HKLM)
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://82.179.166.130/e9xr2.chm::/file.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://67.19.185.246/i/8/loader2.ocx
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: avast! iAVS4 Control Service - Unknown - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: Intel® Active Monitor - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - D:\WINNT\system32\nvsvc32.exe
--
Any thoughts?

BC AdBot (Login to Remove)

 


m

#2 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:04:55 AM

Posted 12 February 2005 - 11:41 AM

Hi :thumbsup:

Copy the contents of the Quote Box below to Notepad.
Click File menu -> Save and name the file as unhide.reg
Change the Save as Type to All Files
Save this file on the desktop.


Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"SearchSystemDirs"=dword:00000001
"SearchHidden"=dword:00000001
"IncludeSubFolders"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"ShowSuperHidden"=dword:00000001


Double-click on the unhide.reg file you saved on your desktop, and when it prompts to merge say Yes.


Please print or copy these instructions because you are not able to access the Internet in SafeMode.

Make sure you are set to show hidden files and folders:
A. On the Tools menu in Windows Explorer, click Folder Options.
B. Click the View tab.
C. Under Hidden files and folders, click Show hidden files and folders.
D. Uncheck Hide extensions for known filetypes and Hide protected operating system files.
How to see hidden files in Windows

REBOOT into SafeMode by tapping F8 key repeatedly at bootup: Starting your computer in Safe mode

Run HijackThis!, press Scan, and put a check mark next to all these:

O2 - BHO: SEDP Class - {3BA765C2-08DB-4fe2-9279-311CA10D582A} - D:\WINNT\sehlp.dll (file missing)
O2 - BHO: (no name) - {46A70E85-ABE6-4179-9B7A-90195ABBB235} - D:\WINNT\System32\pdokgfa.dll (file missing)
O2 - BHO: (no name) - {C3A8DA18-30A1-3B5E-D828-39E67C8858C5} - D:\WINNT\System32\gtpolmu.dll
O2 - BHO: (no name) - {F685EA18-1D92-0E6A-F518-09CB4CB875F5} - D:\WINNT\System32\gtpolmu.dll

O4 - HKCU\..\Run: [Qwkkb] D:\WINNT\System32\d?dplay.exe

O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://82.179.166.130/e9xr2.chm::/file.exe
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://67.19.185.246/i/8/loader2.ocx


Close all other windows and browsers, and press the Fix Checked button.

Search for these files and delete them if present:
D:\WINNT\sehlp.dll <-- this file
D:\WINNT\System32\pdokgfa.dll <-- this file
D:\WINNT\System32\gtpolmu.dll <-- this file

D:\WINNT\System32\dvdplay.exe <-- this file, NOTE: You will find two files with the same name in the C:\WINNT\System32\ folder: dvdplay.exe. One is bad and one is legitimate. You must delete only the bad file.
Right click on each file and select Properties.
In the General tab the legitimate file has this Description: dvdplay placeholder Application. Do not delete this file, it is a Microsoft file.

The bad file has this size = 389,120 bytes, and the description is dvdplay.exe. The icon is blue colored with three letters: FMC. The bad file will not appear alphabetically.


Clean out temporary and Temporary Internet Files. Go to Start -> Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin


REBOOT normally.

Run HijackThis! again and post a new log please.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image

#3 spycat

spycat
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:55 AM

Posted 13 February 2005 - 01:34 PM

Hello Daisuke, and thanks for looking into this for me!
I did all the steps you recommended, except for the part about the dvdplay.exe
Recently, I had to install windows 2000 on my "D" drive because the partition my my "C" drive got messed up ("Crosses 1024 cyl. Boundary"). The dvdplay.exe files are all the same, and are all around 118 kb.

Anyway, here is the latest log file:

Logfile of HijackThis v1.99.0
Scan saved at 10:32:56 AM, on 2/13/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\SYSTEM32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\system32\nvsvc32.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\Explorer.EXE
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\svchost.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\BinarySense\HDDlife\HDDlife.exe
D:\Program Files\SpywareGuard\sgmain.exe
D:\Program Files\SpywareGuard\sgbhp.exe
D:\HJT\hijackthis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - Startup: HDDlife.lnk = D:\Program Files\BinarySense\HDDlife\HDDlife.exe
O4 - Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O15 - Trusted IP range: (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: avast! iAVS4 Control Service - Unknown - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: Intel® Active Monitor - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - D:\WINNT\system32\nvsvc32.exe

How's it looking now?

Thanks,
Rick

#4 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:04:55 AM

Posted 13 February 2005 - 01:39 PM

The dvdplay.exe files are all the same, and are all around 118 kb.

OK.

Download the inf file (right click, --> Save Target As) and save it to your desktop.

http://www.mvps.org/winhelp2002/DelDomains.inf

Right-click on the deldomains.inf file on your desktop and select 'Install'


REBOOT yopur machine and post a new log please.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image

#5 spycat

spycat
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:55 AM

Posted 13 February 2005 - 05:48 PM

Ok, here ya go:

---
Logfile of HijackThis v1.99.0
Scan saved at 2:53:37 PM, on 2/13/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\SYSTEM32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\system32\nvsvc32.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\Explorer.EXE
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\svchost.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\SpywareGuard\sgmain.exe
D:\Program Files\SpywareGuard\sgbhp.exe
D:\HJT\hijackthis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - Startup: HDDlife.lnk = D:\Program Files\BinarySense\HDDlife\HDDlife.exe
O4 - Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: avast! iAVS4 Control Service - Unknown - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: Intel® Active Monitor - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - D:\WINNT\system32\nvsvc32.exe

#6 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:04:55 AM

Posted 14 February 2005 - 01:44 AM

Log looks clean...great job ! :thumbsup:

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

How did I get infected ? With steps so it does not happen again !

Glad I was able to help.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image

#7 spycat

spycat
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:55 AM

Posted 14 February 2005 - 06:25 AM

Hi Daisuke,

I want to give you a BIG thanks for helping me with this.
The generousity you showed with your time and expertise is sincerely appreciated :thumbsup:

Rick

#8 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:04:55 AM

Posted 14 February 2005 - 01:20 PM

You're Welcome ! Happy surfing :thumbsup:


Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users