
HijackThis Log: Please help Diagnose


5 replies to this topic

#1 soulchild

soulchild

  • Members
  • 3 posts

Posted 17 February 2005 - 09:15 PM

Logfile of HijackThis v1.99.1
Scan saved at 9:08:26 PM, on 2/17/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\WINAMP\WINAMP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {5A1D5506-7F60-11D9-963D-004043A3CAA5} - C:\WINDOWS\SYSTEM\ECFCCA.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\RunServicesOnce: [*nbg] rundll32 C:\WINDOWS\HLPSTEZ1.GIF,DllGetClassObject
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = resnet.buffalo.edu
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = buffalo.edu,acsu.buffalo.edu,cse.buffalo.edu,eng.buffalo.edu,resnet.buffalo.edu,openport.buffalo.edu
O18 - Filter: text/html - {2AD7D063-8125-11D9-963D-004036F18FD9} - C:\WINDOWS\SYSTEM\ECFCCA.DLL
O18 - Filter: text/plain - {2AD7D063-8125-11D9-963D-004036F18FD9} - C:\WINDOWS\SYSTEM\ECFCCA.DLL
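The log above contains the classic CoolWebSearch pattern: IE search settings pointing at a `res://` resource inside a DLL, a `RunServicesOnce` value that makes `rundll32` load a `.GIF` as a DLL, an unnamed BHO, and a `text/html` MIME filter routed through the same DLL as the BHO. The script below is an added example (not code from the thread, from HijackThis, or from any tool mentioned here) that parses a subset of the posted log lines and applies this example's own triage heuristics; the sample input is a constructed subset copied from post #1, and the severity labels and rule names are this example's assumptions, not HijackThis output.

```python
"""Triage a HijackThis 1.99 log for CoolWebSearch-style hijack indicators.

Added example: not code from the thread, from HijackThis or from any tool
it mentions. The rules are this example's own heuristics; the sample lines
are a constructed subset copied from the log posted in the thread.
"""
import re
from dataclasses import dataclass

# Constructed sample input: a subset of the HijackThis log in post #1.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {5A1D5506-7F60-11D9-963D-004043A3CAA5} - C:\WINDOWS\SYSTEM\ECFCCA.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\RunServicesOnce: [*nbg] rundll32 C:\WINDOWS\HLPSTEZ1.GIF,DllGetClassObject
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O18 - Filter: text/html - {2AD7D063-8125-11D9-963D-004036F18FD9} - C:\WINDOWS\SYSTEM\ECFCCA.DLL
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    severity: str  # "high" or "medium" (this example's own scale)
    reason: str
    line: str


LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.+)$")
# O4 body: "<hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r"^.*?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# "rundll32 <module>,<entry point>" with optional quoting
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+"?(?P<module>[^",]+)"?,', re.IGNORECASE)
DLL_PATH_RE = re.compile(r"[A-Za-z]:\\\S+?\.dll", re.IGNORECASE)
LOADABLE = {"dll", "cpl", "ocx", "ax", "drv"}  # extensions rundll32 normally loads


def check_r(sec, body, line):
    """R0/R1/R3: IE start page, search page and search-hook settings."""
    if " = " not in body:
        if "missing" in body:
            return [Finding(sec, "medium", "default URLSearchHook removed", line)]
        return []
    _key, value = body.split(" = ", 1)
    v = value.strip().lower()
    if v.startswith("res://"):
        return [Finding(sec, "high", "search/start page served from a local DLL resource: " + value, line)]
    if v == "about:blank":
        return [Finding(sec, "medium", "search/start setting blanked to about:blank", line)]
    return []


def check_o2(sec, body, line):
    """O2: Browser Helper Objects. Body is 'BHO: <name> - {CLSID} - <path>'."""
    parts = body.split(" - ")
    if len(parts) < 3:
        return []
    name, path = parts[0][len("BHO: "):], parts[2]
    if path == "(no file)":
        return [Finding(sec, "medium", "orphaned BHO registration (no file on disk)", line)]
    if name == "(no name)" and "(file missing)" not in path:
        return [Finding(sec, "high", "unnamed BHO loading " + path, line)]
    return []


def check_o4(sec, body, line):
    """O4: autostart entries. Flag rundll32 loading a module that is not a DLL-type file."""
    m = O4_RE.match(body)
    if not m:
        return []
    r = RUNDLL_RE.match(m.group("cmd"))
    if not r:
        return []
    module = r.group("module")
    ext = module.rsplit(".", 1)[1].lower() if "." in module else ""
    if ext and ext not in LOADABLE:
        return [Finding(sec, "high", f"rundll32 loads a .{ext} file as a DLL: {module}", line)]
    return []


def check_o18(sec, body, line):
    """O18: MIME filters. A text/html or text/plain filter sees every page IE renders."""
    parts = body.split(" - ")
    if len(parts) < 3:
        return []
    mime = parts[0][len("Filter: "):]
    if mime in ("text/html", "text/plain"):
        return [Finding(sec, "high", f"MIME filter for {mime} routes every page through {parts[2]}", line)]
    return []


CHECKS = {"R0": check_r, "R1": check_r, "R3": check_r,
          "O2": check_o2, "O4": check_o4, "O18": check_o18}


def triage(log_text):
    """Return one Finding per suspicious log line, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        check = CHECKS.get(m.group("sec"))
        if check:
            findings.extend(check(m.group("sec"), m.group("body"), line))
    return findings


def shared_modules(findings):
    """Map each DLL path referenced by findings in more than one section to those sections."""
    by_path = {}
    for f in findings:
        for path in DLL_PATH_RE.findall(f.line):
            by_path.setdefault(path.upper(), set()).add(f.section)
    return {p: sorted(s) for p, s in by_path.items() if len(s) > 1}


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
    for path, secs in shared_modules(results).items():
        print(f"module {path} referenced by sections {', '.join(secs)}")
```

The cross-section correlation is the part worth keeping: a DLL that shows up both as a BHO (O2) and as a `text/html` filter (O18) is one component with two hooks into the browser, so removing only one registration leaves the other to reinstall it. The `(file missing)` Spybot entry is deliberately not flagged, since a missing legitimate helper is a cleanup item, not a hijack.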


#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 19 February 2005 - 02:01 PM

Hello soulchild,

You have a nasty CWS infection on your computer. This will require several steps to fix, so bear with me.

Download: "StartDreck", from here:
http://members.blackbox.net/hp_links/21/ni.../startdreck.zip

Unzip it to its own folder and start the program.

Press 'Config'
Press 'Unmark All'

Check the following boxes only:
Registry -> Run Keys
System/Drivers -> Running Processes
Press 'Ok'

Press 'Save' and select the location to save the log file
(default is the same folder as the application)


*********************************************

Please download, update, but DO NOT RUN Adaware SE

We will be running Adaware SE later, so do not run it yet.


***************************************************

If you need help running this tool, here is a helpful tutorial.

Adaware SE Tutorial

***************************************************

Please download CWShredder and put it in its own folder. http://www.intermute.com/spysubtract/cwshr...r_download.html,
but do not run it yet. We will be running it later.

Edited by SifuMike, 19 February 2005 - 02:14 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 soulchild

soulchild
  • Topic Starter

  • Members
  • 3 posts

Posted 22 February 2005 - 05:39 PM

Thank you for your reply.
I have downloaded the programs you mentioned; is it OK if I run them now?

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 22 February 2005 - 06:24 PM

Hello soulchild,

You can run StartDreck as per my previous instructions.
Post the log to this thread.

Do not run Adaware SE or CWShredder until I tell you to.

#5 soulchild

soulchild
  • Topic Starter

  • Members
  • 3 posts

Posted 22 February 2005 - 11:23 PM

StartDreck (build 2.1.7 public stable) - 2005-02-22 @ 23:24:38 (GMT +07:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 6.0.2800.1106
Logged in as calvin at CALVIN

»Registry
»Run Keys
»Current User
»Run
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
+OptionalComponents
+IMAIL
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
»RunOnce
»RunServices
»RunServicesOnce
**xu=rundll32 C:\WINDOWS\HLPSTEZ1.GIF,DllGetClassObject
»RunOnceEx
»RunServicesOnceEx
»Files
»System/Drivers
»Running Processes
+FF0F0279=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFF424D=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFF4FDD=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFEAF31=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFE3245=C:\WINDOWS\SYSTEM\DDHELP.EXE
+FFFEBBD1=C:\WINDOWS\RUNDLL32.EXE
+FFFEC905=C:\WINDOWS\EXPLORER.EXE
+FFFD7A8D=C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
+FFFC3A39=C:\PROGRAM FILES\WINAMP\WINAMP.EXE
+FFFBDA49=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFFB48F5=C:\WINDOWS\DESKTOP\STARTDRECK\STARTDRECK.EXE
»Application specific

#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 23 February 2005 - 12:58 AM

Hello soulchild,

How to Reboot into Safe Mode
Tap the F8 key during reboot until the boot menu appears, use the arrow keys to choose "Safe Mode" from the menu, then press the "Enter" key.


Please boot into Safe Mode and run CWS Shredder.
Click Fix and then Next, let it fix everything it asks about.

**************************************************

Next, run Adaware SE with a Full Scan in Safe Mode.


The following explains how to set Ad-aware's settings to perform a "Full Scan."

In Ad-aware click the Gear to go to the Settings area.

The following items should be on a green check, not on a red X.

Under the Scanning button:
Scan within archives
Under Memory & Registry, Check EVERYTHING
In Check Drives & Folders, make sure all of your hard drives are selected

Under the Advanced button, check ALL under Log detail level.

Under the Tweak button...

Some of these may not be an available option, depending on your version of Ad-aware and your version of Windows. Do not be concerned if you cannot select a certain item.

In Scanning Engine:
Unload recognized processes during scanning
Include info about ignored objects in logfile, if detected in scan
Include basic Ad-aware settings in logfile
Include additional Ad-aware settings in logfile
Include used command line parameters in logfile

In Cleaning Engine:
XP/2000: Allow unloading explorer to unload shell extensions prior to deletion
Let Windows remove files in use at next reboot
UNCHECK: Automatically try to unregister objects prior to deletion

Click Proceed to save these settings. When you would like to perform a "Full Scan," switch the scan mode from SmartScan to Custom.


Let it fix everything it wants to.

**************************************************

Reboot and post a new Hijackthis log.

Edited by SifuMike, 23 February 2005 - 01:09 AM.

