HJT Logs by Plaquemines


4 replies to this topic

#1 plaquemines

Posted 17 February 2005 - 12:12 PM

I have a couple of users who felt it "necessary" to load the Websearch toolbar on their PCs. My operator has run SPYBOT and ADAware-SE on both PCs. He manually removed the Websearch toolbar programs in Control Panel --> Add/Remove Programs.

Yet, we still believe that we still have something around on each of the systems, because SPYBOT has reported that attempts to update the registry file have occurred. The warning lists the category of "User-specific browser toolbar", the change as "value added" and the Entries as : "ITbarLayout" and "{0E5CBF21-D15F.....etc.}.

I downloaded HiJackThis and ran a scan on each PC. The log files for each follow:

First Log (Samantha's PC):
Logfile of HijackThis v1.99.1
Scan saved at 1:40:52 PM, on 02/16/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\PNLT32.EXE
C:\WINDOWS\SYSTEM\HPBPRO.EXE
C:\WINDOWS\SYSTEM\HPBOID.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\HPNRA.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PW32\PWLOG.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PTW525\PT525.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\WINDOWS\MSAGENT\AGENTSVR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLST.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [InkWatch] C:\PROGRA~1\GATEWAY\GATEWA~1\InkWatch.exe
O4 - HKLM\..\Run: [Pwprint] Pwprint.exe -install
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\SYSTEM\hpnra.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [PWLICLM] PNLT32.EXE
O4 - HKLM\..\RunServices: [HP Port Resolver] C:\WINDOWS\SYSTEM\hpbpro.exe
O4 - HKLM\..\RunServices: [HP Status Server] C:\WINDOWS\SYSTEM\hpboid.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Event Log Viewer.lnk = C:\PW32\PWLOG.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\PROGRA~1\WINZIP\wzqkpick.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 198.77.116.8,198.77.116.12
The Second Log (Diedra's PC) follows:
Logfile of HijackThis v1.99.1
Scan saved at 1:52:10 PM, on 02/16/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\PNLT32.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\HPBPRO.EXE
C:\WINDOWS\SYSTEM\HPBOID.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\HPNRA.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PW32\PWLOG.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PTW525\PT525.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\WINDOWS\MSAGENT\AGENTSVR.EXE
C:\PTW525\PT525.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adb...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLST.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Pwprint] Pwprint.exe -install
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\SYSTEM\hpnra.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [PWLICLM] PNLT32.EXE
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKLM\..\RunServices: [HP Port Resolver] C:\WINDOWS\SYSTEM\hpbpro.exe
O4 - HKLM\..\RunServices: [HP Status Server] C:\WINDOWS\SYSTEM\hpboid.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Event Log Viewer.lnk = C:\PW32\PWLOG.EXE
O9 - Extra button: Acez.com - Download Free Screen Savers - {88E50F1D-4790-4C6B-BEE3-D54E46B6EEF6} - C:\WINDOWS\acezlink.htm
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/SSC/SharedCont...c/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security2.norton.com/SSC/SharedCont...bin/AvSniff.cab
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create and Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4010/ftp...21/cpbrkpie.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 198.77.116.8,198.77.116.12
Note that the WinTools WTOOLST DLL is present on both of them. Not being a wizard at the Registry editing game, I would greatly appreciate your looking at the logs and verifying that we need to remove that DLL, and suggesting whatever else we need to remove from the registry to rid ourselves of the Websearch monster.

Also, if you see any other objects in the list that could point to some other Adware/Spyware tracker, please make note of it/them and I'll pursue removal of those as well.

Thanks in advance,
Plaquemines

#2 picard_uk

Posted 17 February 2005 - 07:41 PM

Hi plaquemines,

Welcome to the forums.


For Samantha's PC

Spybot TeaTimer may interfere with the fix, so I'd like you to disable it:
Open Spybot and click on Mode and check Advanced Mode:
Check yes to next window.
Click on Tools in bottom left hand corner:
Click on System Startup icon:
Uncheck Teatimer box and SpywareGuard (if installed).



Run HiJackThis, scan and place a check mark next to the following
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLST.DLL

Optional fix. This is a resource hog and is not required at startup
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

With no other windows or browser windows open, including this one, hit "Fix checked".



Reboot, on restart, start in "Safe Mode".
How To
1. Restart the computer.
2. As the computer restarts, press and hold down the F8 key until the Windows 98 startup menu appears.
3. Choose Safe mode from the startup menu, and then press Enter. Windows starts in Safe mode.


Show "Hidden files and folders".
How to
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
In the Advanced settings box, under the "Hidden files" folder, select Show all files.
Click Apply, and then click OK.

Find and delete the following (Note, only delete the items in bold)
C:\PROGRA~1\COMMON~1\WINTOOLS - It should look like C:\Program Files\Common Files\Wintools

Reboot.




For Diedra's PC

Spybot TeaTimer may interfere with the fix, so I'd like you to disable it:
Open Spybot and click on Mode and check Advanced Mode:
Check yes to next window.
Click on Tools in bottom left hand corner:
Click on System Startup icon:
Uncheck Teatimer box and SpywareGuard (if installed).



Run HiJackThis, scan and place a check mark next to the following


O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLST.DLL (file missing)

O9 - Extra button: Acez.com - Download Free Screen Savers - {88E50F1D-4790-4C6B-BEE3-D54E46B6EEF6} - C:\WINDOWS\acezlink.htm


Optional fix. This is a resource hog that is not required at startup
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

With no other windows or browser windows open, including this one, hit "Fix checked".


Reboot.


I'd like you to install a firewall on both machines. Either of these is free:
http://www.zonelabs.com/store/content/cata...sku_list_za.jsp
http://www.kerio.com/us/kpf_home.html


Run HiJackThis, scan and post fresh log files in this thread.


Can you give some more information on the following files? Do you know what they are?
C:\PW32\PWLOG.EXE
C:\PTW525\PT525.EXE
If you do not know, right click on the files and check the properties. Let me know what you find.



picard.
Every day's a school day.

ASAP Proud member since 2005 Alliance of Security Analysis Professionals
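A small triage script, added here as an illustration and not part of the thread or of HijackThis itself: it parses HijackThis entry lines (R0/O2/O4/O9/O17 and so on), and flags the kinds of things picard_uk picked out of these two logs. The only CLSIDs it treats as known-bad are the two the reply above says to fix (the WinTools BHO and the Acez.com extra button); the other rules (unnamed BHOs, "(file missing)" orphans, O17 nameservers) are review heuristics of my own, not a verdict, and the sample log lines are taken from the logs posted above. Names like `triage` and `Finding` are mine.

```python
import re
from dataclasses import dataclass

# CLSIDs that the reply in this thread told the poster to fix. Anything else
# would be an assumption, so the table deliberately stops here.
FLAGGED_CLSIDS = {
    "{8DA5457F-A8AA-4CCF-A842-70E6FD274094}": "WinTools BHO (WTOOLST.DLL)",
    "{88E50F1D-4790-4C6B-BEE3-D54E46B6EEF6}": "Acez.com extra button",
}

# Sample lines copied from the two HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows 98 SE (Win9x 4.10.2222A)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLST.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O9 - Extra button: Acez.com - Download Free Screen Savers - {88E50F1D-4790-4C6B-BEE3-D54E46B6EEF6} - C:\WINDOWS\acezlink.htm
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 198.77.116.8,198.77.116.12
"""

# A HijackThis entry is "<section> - <body>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


@dataclass
class Finding:
    section: str
    line: str
    reasons: list


def parse_entries(log_text):
    """Yield (section, body, full_line) for each entry line; the header and
    the 'Running processes' block do not match and are skipped."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group(1), m.group(2), line


def triage(log_text):
    """Return one Finding per entry that deserves a second look."""
    findings = []
    for section, body, line in parse_entries(log_text):
        reasons = []
        clsid = CLSID_RE.search(body)
        if clsid and clsid.group(0).upper() in FLAGGED_CLSIDS:
            reasons.append("flagged CLSID: " + FLAGGED_CLSIDS[clsid.group(0).upper()])
        if section == "O2" and body.startswith("BHO: (no name)"):
            # Heuristic: a BHO with no registered name needs identifying by
            # its DLL path; Spybot's own SDHelper is an example of a benign one.
            reasons.append("BHO registered without a name; identify the DLL before trusting it")
        if body.endswith("(file missing)"):
            reasons.append("registration points at a DLL that no longer exists (orphaned entry)")
        if section == "O17":
            reasons.append("DNS servers set in the registry; confirm they belong to your network/ISP")
        if reasons:
            findings.append(Finding(section, line, reasons))
    return findings


def report(findings):
    """Render findings as text, one entry per block, for posting back."""
    out = []
    for f in findings:
        out.append(f.line)
        out.extend("    - " + r for r in f.reasons)
    return "\n".join(out)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Run on the sample, the script lists the WinTools BHO with three reasons, Spybot's SDHelper once (unnamed, which is exactly why the unnamed-BHO rule is a prompt to look at the path rather than a removal instruction), the Acez.com button, and the O17 nameserver line for confirmation. The point is the triage order, not automation: a flagged CLSID is something the thread already identified, while the heuristic hits still need a human to check the DLL path, as picard_uk did with PWLOG.EXE and PT525.EXE.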

#3 plaquemines

Posted 18 February 2005 - 04:03 PM

Mister Picard_UK ..... _U-OK ...._U-nice ..... _U-good ..... _U-da-man !!!!!

Thanks ever so much for the help with the Websearch problem.
I cleaned-up those things that you suggested, even took out the OSA9.EXE

Everything was just as you described. All went well. No problems at all.

Concerning the SpyBot 1.3 program, turning-off the TeaTimer stopped those messages and user-prompts about allowing or denying changes to the Registry.
Also, I went into the Internet Explorer Tweaks and chose all 3 options -- to lock the hosts file as read-only, to lock the home page from changing, and to lock the control panel..... there is no need for a general user to change Internet Options.

Concerning PWLOG and PW525, these are Pathworks for Microsoft Networks programs. We use LanManager Version 5.0f to communicate with our legacy "mainframe". The Pathworks 32 software is used on the PC end. PWLOG logs happenings from startup to license retrieval to shutdown. PW525 is a terminal emulation program, similar to SmartTerm or HyperTerm.... but in the DEC/Compaq/HP/whoever-bought-them-out-this-week world.

I guess you just figured out that I am an "80's-kinda guy" trying to exist in Bill Gates' new millennium....... which, of course, means that you will be hearing from me again..... and again .... and again !!!!!

So, bye for now and thanks again !!!!
Plaquemines

#4 picard_uk

Posted 18 February 2005 - 04:18 PM

Hi plaquemines,

Glad things went smoothly. :thumbsup:


You should re-enable the SpyBot TeaTimer option. It's helping to protect those machines.



You might also consider using IE-SpyAd by Eric L. Howes.
https://netfiles.uiuc.edu/ehowes/www/resource.htm

There's an informative tutorial
http://www.bleepingcomputer.com/forums/ind...showtutorial=53
This will help prevent the users from going to innocent looking sites that are not so innocent. You should check his site to see if updates are available.


picard.

#5 picard_uk

Posted 17 March 2005 - 04:19 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.