
Hijack this log


6 replies to this topic

#1 bcclark7414


Posted 16 March 2005 - 08:23 PM

OK...this is beyond me. I've run Ad-aware and Spybot Search & Destroy, as well as CWShredder, and nothing is helping. Below is the log file. I appreciate any help given....

Logfile of HijackThis v1.99.1
Scan saved at 7:16:30 PM, on 3/16/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SCARDSVR.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\CPQMLDET.EXE
C:\CPQS\SCOM\CPQBOOTPERFDB.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\MY DOCUMENTS\SPYWARE\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {7D053907-4698-480E-9B0F-55600CCB22B4} - C:\WINDOWS\SYSTEM\OMHB.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\CPQMLDET.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [CpqBootPerfDb] C:\Cpqs\Scom\CpqBootPerfDb.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ScardSvr] C:\WINDOWS\SYSTEM\ScardSvr.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.cox.net
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O18 - Filter: text/html - {0A9430D5-82B8-4F17-A7DA-44FC01094109} - C:\WINDOWS\SYSTEM\OMHB.DLL
O18 - Filter: text/plain - {0A9430D5-82B8-4F17-A7DA-44FC01094109} - C:\WINDOWS\SYSTEM\OMHB.DLL

Thanks again.



#2 Grinler (Lawrence Abrams, Admin)

Posted 16 March 2005 - 11:23 PM

Please follow these steps:

Step 1:

1. Click on Start, then Run and type msinfo32 and press the OK button.
2. Expand the Software Environment section.
3. Expand the System Hooks Section.
4. Look for the entry, which may be listed as:

-Hook type: Window Procedure
-Hooked by: XXXXX.dll
-Application: RUNDLL32.EXE
-Dll path: C:\WINDOWS\SYSTEM\XXXXX.dll
-Application path: C:\WINDOWS\RUNDLL32.EXE

Where XXXXX.dll is the file name.

If you find that file, highlight it with your mouse and click on edit then copy to copy the filename.

Then post that filename with the information in the next step in a reply to this post.

5. Continue to Step 2.

Step 2:

1. Download: "StartDreck" from:

http://www.niksoft.at/download/startdreck.htm

2. Extract the file into c:\startdreck.

3. Navigate to c:\startdreck and double-click on Startdreck.exe

4. When the program opens click on the Config button.

5. Then click on the unmark all button.

6. Then put checkmarks in the following checkboxes:

Under Registry put a checkmark in the Run Keys checkbox.

Under System/Drivers put a check in the Running Processes checkbox.

7. Press the OK button.

8. Press the Save button. Type in the location you want to save the log to, or use the defaults which will save the log into the directory you are running the program from. If you choose the defaults the filename for the log will be StartDreck.log.

9. Post a copy of the log as a reply to this post.

#3 bcclark7414


Posted 19 March 2005 - 10:13 AM

OK...here we go...

The name of the file, I think is c:\windows\temp\se.dll. However there is another dll file named c:\windows\system\kernel32.dll that appears three times on this information.

Here is the the startdreck log...

StartDreck (build 2.1.7 public stable) - 2005-03-19 @ 09:07:53 (GMT -06:00)
Platform: Windows ME (Win 4.90.3000 )
Internet Explorer: 6.0.2800.1106
Logged in as default at COMPUTER

»Registry
»Run Keys
»Current User
»Run
*MoneyAgent="c:\Program Files\Microsoft Money\System\Money Express.exe"
»RunOnce
*QRIA=
»Default User
»Run
*MoneyAgent="c:\Program Files\Microsoft Money\System\Money Express.exe"
»RunOnce
*QRIA=
»Local Machine
»Run
*TaskMonitor=C:\WINDOWS\taskmon.exe
*SystemTray=SysTray.Exe
*PCTVOICE=pctvoice.exe
*Digital Dashboard=C:\Program Files\Compaq\Digital Dashboard\CPQMLDET.exe
*EACLEAN=C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
*CpqBootPerfDb=C:\Cpqs\Scom\CpqBootPerfDb.exe
*BJCFD=C:\Program Files\BroadJump\Client Foundation\CFD.exe
*sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
»RunOnce
»RunServices
**StateMgr=C:\WINDOWS\System\Restore\StateMgr.exe
»RunServicesOnce
**rmxu=rundll32 C:\WINDOWS\MODEMCTL.TXT,DllGetClassObject
»RunOnceEx
»RunServicesOnceEx
»Files
»System/Drivers
»Running Processes
+FFCF6CF3=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFF9A1F=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFF9277=C:\WINDOWS\SYSTEM\SPOOL32.EXE
+FFFE290F=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFE1A9B=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFE9E73=C:\WINDOWS\RUNDLL32.EXE
+FFFEC713=C:\WINDOWS\EXPLORER.EXE
+FFFDB053=C:\WINDOWS\TASKMON.EXE
+FFFDA1AB=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFD0B1B=C:\WINDOWS\PCTVOICE.EXE
+FFFDFD63=C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\CPQMLDET.EXE
+FFFC5B2F=C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
+FFFBA7B3=C:\WINDOWS\RUNDLL32.EXE
+FFFBBEDB=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFFA2F6F=C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
+FFFC152F=C:\WINDOWS\SYSTEM\DDHELP.EXE
+FFFA923F=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFFB5B63=C:\WINDOWS\WUAUCLT.EXE
+FFF866A3=C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
+FFF785FB=C:\WINDOWS\DESKTOP\STARTDRECK\STARTDRECK.EXE
»Application specific


Thank you so much for your assistance.

#4 Grinler (Lawrence Abrams, Admin)

Posted 19 March 2005 - 02:47 PM

  • Download CWShredder from the following location and save it to your desktop, but do not run it yet. We will tell you when to do so later.

    http://cwshredder.net/bin/CWShredder.exe
  • Reboot your computer, and press F8 when Windows is starting. When you come to the menu, select to boot into the safe command prompt mode.
  • At the DOS prompt type the following (There is a space between del and c:\):

    del C:\WINDOWS\MODEMCTL.TXT
  • Copy the text in the quote box below to notepad. Name the file showhidden.reg and change the Save as type to All files. Then save the file to the desktop.

    REGEDIT4

    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\New Windows]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchAssistant Uninstall]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

  • Now double-click on the showfile.reg file on your desktop and when it asks if you would like to merge the data, click on the Yes or OK button.
  • Reboot your computer into Safe Mode
  • Run CWShredder and click on the Fix button. A tutorial on how to use this program can be found here if you run into problems:

    How to remove CoolWebSearch with CWShredder
  • Close all windows except for HijackThis, and start HijackThis again and fix the following entries:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
  • Click on start, then run, and type Cleanmgr and have it remove all Temp, Temporary Internet, and Recycle Bin files.
  • Reboot your system back to normal mode and post a brand new log.
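As an added example (not code from this thread, from HijackThis or from StartDreck), a small Python triage script that flags the kinds of entries Grinler singled out above, run over lines constructed from the two logs posted in this thread. The rule set (search settings reset to about:blank or to a res:// page inside a DLL under TEMP, the unnamed BHO and the text/html filter, and any rundll32 autorun that loads a module from TEMP or a non-DLL file such as the MODEMCTL.TXT entry) is an assumption drawn from this thread, not a HijackThis feature.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: HijackThis lines and one StartDreck line quoted in this thread (not a full log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net/
O2 - BHO: (no name) - {7D053907-4698-480E-9B0F-55600CCB22B4} - C:\WINDOWS\SYSTEM\OMHB.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O18 - Filter: text/html - {0A9430D5-82B8-4F17-A7DA-44FC01094109} - C:\WINDOWS\SYSTEM\OMHB.DLL
**rmxu=rundll32 C:\WINDOWS\MODEMCTL.TXT,DllGetClassObject
"""

RUNDLL = re.compile(r"rundll32(?:\.exe)?\s+(?P<path>[^,]+?)\s*,\s*(?P<export>\S+)", re.I)

def rundll32_target_suspicious(text):
    """Reason if `text` runs rundll32 on a module in a temp directory or with a non-DLL extension."""
    if not (m := RUNDLL.search(text)):
        return None
    path = PureWindowsPath(m.group("path").strip().strip('"'))
    if {p.upper() for p in path.parts} & {"TEMP", "TMP"}:
        return f"rundll32 loads a module from a temp directory: {path}"
    if path.suffix.upper() not in (".DLL", ".OCX", ".CPL"):
        return f"rundll32 loads a non-DLL file via {m.group('export')}: {path}"

def classify(line):
    """Reason string if a HijackThis or StartDreck line matches the hijack in this thread, else None."""
    kind = line.split(" - ", 1)[0]
    if kind in ("R0", "R1") and "=" in line:
        key, value = (s.strip() for s in line.rsplit("=", 1))
        setting = key.rsplit(",", 1)[-1]
        # about:blank is a normal Start Page; search settings reset to it, or to a res:// page in a TEMP DLL, are not.
        if value.lower() == "about:blank" and setting != "Start Page":
            return f"IE {setting} reset to about:blank"
        if value.lower().startswith("res://") and "\\temp\\" in value.lower():
            return f"IE {setting} served from a DLL in TEMP"
    elif kind == "O2" and "(no name)" in line:
        return "browser helper object with no name"
    elif kind == "O18" and re.search(r"Filter: text/(html|plain)", line):
        return "MIME filter hooked for text/html or text/plain"
    return rundll32_target_suspicious(line)

def triage(log_text):
    """Return [(line, reason)] for every log line that classify() flags."""
    pairs = ((l.strip(), classify(l.strip())) for l in log_text.splitlines())
    return [(l, r) for l, r in pairs if r]
```

Feed it a whole saved HijackThis or StartDreck log and it returns the six hijack-related lines from the sample while leaving the Start Page and TaskMonitor entries alone.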


#5 bcclark7414


Posted 19 March 2005 - 04:16 PM

Well, I downloaded CWShredder and then rebooted in safe mode. However when I enter del C:\windows\modemctl.txt, it tells me 'Access denied'. Do I need to do something different after that step or try another method?

#6 bcclark7414


Posted 19 March 2005 - 07:23 PM

Actually, even with the access denied message, I followed the other steps and it seems to have maybe worked. Here is my new HijackThis log....

Logfile of HijackThis v1.99.1
Scan saved at 6:18:11 PM, on 3/19/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\CPQMLDET.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\MY DOCUMENTS\SPYWARE\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net/
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\CPQMLDET.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [CpqBootPerfDb] C:\Cpqs\Scom\CpqBootPerfDb.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.cox.net

Now, if it will stay without a problem I have no idea. Any other tips, advice, etc. I truly, truly appreciate all the help.

#7 Grinler (Lawrence Abrams, Admin)

Posted 20 March 2005 - 01:37 AM

Give me another startdreck log.

