Hijacker keeps coming back


This topic is locked
2 replies to this topic

#1 bestleonard

bestleonard

  • Members
  • 3 posts

Posted 16 July 2004 - 10:19 AM

After following the cleaning instructions,
1) CWShredder
2) Spybot and Ad-Aware (with updates)

I get the following log. Then the hijacker easy-search.biz
comes back. Where else should I look?

Thanks,
Bob




Logfile of HijackThis v1.98.0
Scan saved at 5:11:25 PM, on 7/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\mysql\bin\mysqld-nt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\WINDOWS\System32\qttask.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\ktdata\sysmon32.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\hrtcm.exe
C:\WINDOWS\runwin32.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://localhost/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;127.0.0.1;<local>
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.yahoo.com/"); (C:\Documents and Settings\Admin\Application Data\Mozilla\Profiles\default\kqzdxfbz.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Admin\Application Data\Mozilla\Profiles\default\kqzdxfbz.slt\prefs.js)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: - {32D85703-1CC9-4139-B70C-A9ED643F62EA} - C:\WINDOWS\msie32.dll (file missing)
O2 - BHO: - {382A286C-39FC-4844-85E7-E15225605757} - C:\WINDOWS\msie32.dll (file missing)
O2 - BHO: - {40E7928F-AB3B-4DF2-819B-3D25446C4D2F} - C:\WINDOWS\msie32.dll (file missing)
O2 - BHO: - {41BBC94F-2FB1-4AB4-A9EC-EDB6558B6B37} - C:\WINDOWS\msie32.dll (file missing)
O2 - BHO: - {471D70D5-5FAB-4C0F-8CD4-AA266AFB3488} - C:\WINDOWS\msie32.dll (file missing)
O2 - BHO: - {499561AB-563D-4000-987D-767490D56AD6} - C:\WINDOWS\msie32.dll (file missing)
O2 - BHO: - {4CFD64DB-878F-4053-A71A-2D5A647AC17E} - C:\WINDOWS\msie32.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: - {57D91505-9605-4D75-97F1-A6C1C30149AD} - C:\WINDOWS\msie32.dll (file missing)
O2 - BHO: - {5BBCFB06-E404-4162-BFBB-023CF18EB5CE} - C:\WINDOWS\msie32.dll (file missing)
O2 - BHO: - {5BF5CEAC-6536-4B4B-88BE-22EC10AFFB02} - C:\WINDOWS\msie32.dll (file missing)
O2 - BHO: - {5CA7DDB5-BAEB-418F-BA9D-F90B015F3A99} - C:\WINDOWS\msie32.dll (file missing)
O2 - BHO: - {63162440-3AEC-4BA7-8F20-E241877D206A} - C:\WINDOWS\msie32.dll (file missing)
O2 - BHO: - {779CD59A-D1BD-4801-BBEC-ABD6C2693AF7} - C:\WINDOWS\msie32.dll (file missing)
O2 - BHO: - {81B61435-5AF1-4031-8822-BF58F5F9BDF5} - C:\WINDOWS\msie32.dll (file missing)
O2 - BHO: (no name) - {85CBFDE0-B26B-4EE5-BD3C-4DE111DE763E} - C:\WINDOWS\System32\winnet.dll
O2 - BHO: - {87C47E4D-6B14-4C8E-AABD-FF01F48381F0} - C:\WINDOWS\msie32.dll (file missing)
O2 - BHO: - {9295B0C7-20F2-484A-B67E-5AFC707283C7} - C:\WINDOWS\msie32.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: - {B25ADDCA-2A1A-4E7D-B469-726194E69EB6} - C:\WINDOWS\msie32.dll (file missing)
O2 - BHO: - {B2F7C21D-12BF-4FC2-AD51-9A490C657F63} - C:\WINDOWS\msie32.dll (file missing)
O2 - BHO: - {BCCF8FC6-D19E-4F7D-A496-148D21034308} - C:\WINDOWS\msie32.dll (file missing)
O2 - BHO: - {CE1F481F-E729-4FAB-ABA6-8CC8FE82B6A3} - C:\WINDOWS\msie32.dll (file missing)
O2 - BHO: - {D33E5BD3-E745-4BF1-B925-5DDC576D3A06} - C:\WINDOWS\msie32.dll (file missing)
O2 - BHO: - {E6ACE558-B170-4332-B679-1978AF77D77F} - C:\WINDOWS\msie32.dll (file missing)
O2 - BHO: - {E9EF6376-A7B5-4932-8AD4-5642DB8A7C33} - C:\WINDOWS\msie32.dll (file missing)
O2 - BHO: - {F0A93D97-9FCC-4E0B-965C-8BFE5DB7C433} - C:\WINDOWS\msie32.dll (file missing)
O2 - BHO: - {F22310E7-77F5-47CA-9E9B-75603F3B8531} - C:\WINDOWS\msie32.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Sysmon] c:\ktdata\sysmon32.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe /disabled
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe
O4 - HKLM\..\Run: [hrtcm] C:\WINDOWS\hrtcm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\Admin\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Aaou] C:\Documents and Settings\Admin\Application Data\amee.exe
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Support - {44B33957-091D-45DA-9E91-CD5224B6BA17} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX Object) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...81/mcinsctl.cab
O16 - DPF: {53406295-12AB-4F49-824A-C5EAD19365DE} (CHSInstaller Class) - http://www.compaq.com/athome/support/PCHInstallTrust01.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/174aaf718cfc368fd415/netzip/RdxIE2.cab
O16 - DPF: {611CF77F-F7F5-4EA1-B979-667671326B4C} (MarketTrader - ETrade v243a) - http://etrade.bridge.com/etgmt_prd/java/gmtb_etrade_i.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,19/mcgdmgr.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {E93A06EF-ABD8-4FA5-96BF-968614B08531} (MarketTrader - Reuters v243b) - http://etrade.bridge.com/etgmt_prd/java/gmtb_bridge_i.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...350/mcfscan.cab
O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} - file://C:\install.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F719743-CDE3-46CF-ABAA-A680F49BF990}: NameServer = 140.99.0.2,140.99.1.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{D71EFC53-7CB1-4B61-8F36-3150FDAE277D}: NameServer = 206.80.192.1
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll


#2 paff

paff

  • Members
  • 1 posts

Posted 16 July 2004 - 11:47 AM

@bestleonard

Download the file mwav.exe
ftp://ftp.microworldsystems.com/download/tools/mwav.exe

Decompress it in a permanent folder such as C:\mwav\

Please boot in safe mode of WinXP
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Then fix this in HijackThis:
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: - {32D85703-1CC9-4139-B70C-A9ED643F62EA} - C:\WINDOWS\msie32.dll (file missing)
O2 - BHO: - {382A286C-39FC-4844-85E7-E15225605757} - C:\WINDOWS\msie32.dll (file missing)
O2 - BHO: - {40E7928F-AB3B-4DF2-819B-3D25446C4D2F} - C:\WINDOWS\msie32.dll (file missing)
O2 - BHO: - {41BBC94F-2FB1-4AB4-A9EC-EDB6558B6B37} - C:\WINDOWS\msie32.dll (file missing)
O2 - BHO: - {471D70D5-5FAB-4C0F-8CD4-AA266AFB3488} - C:\WINDOWS\msie32.dll (file missing)
O2 - BHO: - {499561AB-563D-4000-987D-767490D56AD6} - C:\WINDOWS\msie32.dll (file missing)
O2 - BHO: - {4CFD64DB-878F-4053-A71A-2D5A647AC17E} - C:\WINDOWS\msie32.dll (file missing)
O2 - BHO: - {57D91505-9605-4D75-97F1-A6C1C30149AD} - C:\WINDOWS\msie32.dll (file missing)
O2 - BHO: - {5BBCFB06-E404-4162-BFBB-023CF18EB5CE} - C:\WINDOWS\msie32.dll (file missing)
O2 - BHO: - {5BF5CEAC-6536-4B4B-88BE-22EC10AFFB02} - C:\WINDOWS\msie32.dll (file missing)
O2 - BHO: - {5CA7DDB5-BAEB-418F-BA9D-F90B015F3A99} - C:\WINDOWS\msie32.dll (file missing)
O2 - BHO: - {63162440-3AEC-4BA7-8F20-E241877D206A} - C:\WINDOWS\msie32.dll (file missing)
O2 - BHO: - {779CD59A-D1BD-4801-BBEC-ABD6C2693AF7} - C:\WINDOWS\msie32.dll (file missing)
O2 - BHO: - {81B61435-5AF1-4031-8822-BF58F5F9BDF5} - C:\WINDOWS\msie32.dll (file missing)
O2 - BHO: (no name) - {85CBFDE0-B26B-4EE5-BD3C-4DE111DE763E} - C:\WINDOWS\System32\winnet.dll
O2 - BHO: - {87C47E4D-6B14-4C8E-AABD-FF01F48381F0} - C:\WINDOWS\msie32.dll (file missing)
O2 - BHO: - {9295B0C7-20F2-484A-B67E-5AFC707283C7} - C:\WINDOWS\msie32.dll (file missing)
O2 - BHO: - {B25ADDCA-2A1A-4E7D-B469-726194E69EB6} - C:\WINDOWS\msie32.dll (file missing)
O2 - BHO: - {B2F7C21D-12BF-4FC2-AD51-9A490C657F63} - C:\WINDOWS\msie32.dll (file missing)
O2 - BHO: - {BCCF8FC6-D19E-4F7D-A496-148D21034308} - C:\WINDOWS\msie32.dll (file missing)
O2 - BHO: - {CE1F481F-E729-4FAB-ABA6-8CC8FE82B6A3} - C:\WINDOWS\msie32.dll (file missing)
O2 - BHO: - {D33E5BD3-E745-4BF1-B925-5DDC576D3A06} - C:\WINDOWS\msie32.dll (file missing)
O2 - BHO: - {E6ACE558-B170-4332-B679-1978AF77D77F} - C:\WINDOWS\msie32.dll (file missing)
O2 - BHO: - {E9EF6376-A7B5-4932-8AD4-5642DB8A7C33} - C:\WINDOWS\msie32.dll (file missing)
O2 - BHO: - {F0A93D97-9FCC-4E0B-965C-8BFE5DB7C433} - C:\WINDOWS\msie32.dll (file missing)
O2 - BHO: - {F22310E7-77F5-47CA-9E9B-75603F3B8531} - C:\WINDOWS\msie32.dll (file missing)
O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe
O4 - HKLM\..\Run: [hrtcm] C:\WINDOWS\hrtcm.exe
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\Admin\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program
O4 - HKCU\..\Run: [Aaou] C:\Documents and Settings\Admin\Application Data\amee.exe
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/174aaf718cfc368fd415/netzip/RdxIE2.cab
O16 - DPF: {611CF77F-F7F5-4EA1-B979-667671326B4C} (MarketTrader - ETrade v243a) - http://etrade.bridge.com/etgmt_prd/java/gmtb_etrade_i.cab
O16 - DPF: {E93A06EF-ABD8-4FA5-96BF-968614B08531} (MarketTrader - Reuters v243b) - http://etrade.bridge.com/etgmt_prd/java/gmtb_bridge_i.cab
O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} - file://C:\install.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

Scan with ESsan

Reboot normally

Post your Logfile again

Greets paff

Edited by paff, 16 July 2004 - 11:49 AM.


#3 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,503 posts
  • Gender:Male
  • Location:USA

Posted 16 July 2004 - 03:11 PM

Paff,

What is mwav.exe? Never saw that before, and the link does not seem to work.

Also what is essan?


You can follow Paff's instructions except you should not fix the following as they are legit:


O16 - DPF: {611CF77F-F7F5-4EA1-B979-667671326B4C} (MarketTrader - ETrade v243a) - http://etrade.bridge.com/etgmt_prd/java/gmtb_etrade_i.cab
O16 - DPF: {E93A06EF-ABD8-4FA5-96BF-968614B08531} (MarketTrader - Reuters v243b) - http://etrade.bridge.com/etgmt_prd/java/gmtb_bridge_i.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

Also when in safe mode delete these files:

C:\WINDOWS\System32\idctup20.exe
C:\WINDOWS\hrtcm.exe
C:\Documents and Settings\Admin\LOCAL SETTINGS\Temp\DELDIR0.EXE
C:\Documents and Settings\Admin\Application Data\amee.exe
C:\WINDOWS\runwin32.exe
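An added triage helper, written for this page and not part of the thread or of HijackThis itself: it parses the O2, O4 and O16 line formats seen in the log above and flags the kinds of entries paff and Grinler singled out (BHOs whose DLL is missing, autoruns from user-writable or Windows-root paths, ActiveX packages fetched from a bare IP or a local file). The sample lines are copied from the posted log; the path heuristics are assumptions for triage and a human still verifies each hit, as Grinler did with the O18 ms-help entry, which this helper deliberately leaves alone.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: - {32D85703-1CC9-4139-B70C-A9ED643F62EA} - C:\WINDOWS\msie32.dll (file missing)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [hrtcm] C:\WINDOWS\hrtcm.exe
O4 - HKCU\..\Run: [Aaou] C:\Documents and Settings\Admin\Application Data\amee.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/174aaf718cfc368fd415/netzip/RdxIE2.cab
O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} - file://C:\install.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
"""

# One pattern per HijackThis section this helper understands.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) ?- \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<name>[^)]*)\))? - (?P<url>.*)$")

# Assumed heuristic: autoruns living in a user profile, a temp folder, or directly in
# the Windows root (not System32) deserve a look; this is triage, not a verdict.
ODD_AUTORUN_PATH = re.compile(r"\\Application Data\\|\\Temp\\|LOCALS~1|\\Windows\\[^\\]+\.exe", re.I)
BARE_IP_URL = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}[/:]")


def triage(log_text):
    """Return (section, identifier, reason) tuples for entries worth verifying by hand."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            # A BHO whose DLL is gone is an orphaned registration; paff's fix list is full of these.
            if m["path"].endswith("(file missing)") or m["path"] == "(no file)":
                findings.append(("O2", m["clsid"], "BHO registered but its DLL is absent"))
            elif m["name"] in ("", "(no name)"):
                findings.append(("O2", m["clsid"], "unnamed BHO, check the DLL it loads"))
        elif m := O4_RE.match(line):
            if ODD_AUTORUN_PATH.search(m["cmd"]):
                findings.append(("O4", m["label"], "autorun from user-writable or Windows-root path"))
        elif m := O16_RE.match(line):
            if m["url"].startswith("file://") or BARE_IP_URL.match(m["url"]):
                findings.append(("O16", m["clsid"], "ActiveX package from a local file or bare IP"))
        # O18 and other sections are left alone: Grinler notes ms-help is legitimate.
    return findings

if __name__ == "__main__":
    for section, ident, reason in triage(SAMPLE_LOG):
        print(f"{section} {ident}: {reason}")
```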
