HijackThis Log: Please help!


This topic is locked
2 replies to this topic

#1 esg73079 (Members, 2 posts)

Posted 14 April 2005 - 12:10 PM

IE randomly closes Explorer windows. The error message says "IE has generated errors and will close". I'd also like to clean out the registry. I ran Spybot, Ad-Aware, McAfee's virus scan and HouseCall. Also getting a "Files Needed" prompt that says "The file farmmext.exe on (Unknown) is needed."

Logfile of HijackThis v1.99.1
Scan saved at 12:39:25 PM, on 4/14/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\swAgent.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINNT\system32\?ttrib.exe
C:\Documents and Settings\Erik\Application Data\trdb.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Erik\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\system32\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINNT\Pynix.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {24A411F0-D647-FE93-1832-DC38723A9197} - C:\WINNT\system32\mogkcqa.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Erik\Local Settings\Temp\bXJuo.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [OYaPI] C:\documents and settings\erik\local settings\temp\OYaPI.exe
O4 - HKLM\..\Run: [Dsi] C:\WINNT\system32\dp-him.exe
O4 - HKLM\..\Run: [36F4SAZ3QJAFKE] C:\WINNT\system32\Bin9.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [2] C:\documents and settings\erik\local settings\temp\2.exe
O4 - HKLM\..\Run: [cf] C:\documents and settings\erik\local settings\temp\cf.exe
O4 - HKLM\..\Run: [v3bbe] C:\documents and settings\erik\local settings\temp\v3bbe.exe
O4 - HKLM\..\Run: [Rw09B0] C:\documents and settings\erik\local settings\temp\Rw09B0.exe
O4 - HKLM\..\Run: [uS] C:\documents and settings\erik\local settings\temp\uS.exe
O4 - HKLM\..\Run: [qovqvt] c:\winnt\system32\qovqvt.exe
O4 - HKLM\..\Run: [OYaPI.exe] C:\documents and settings\erik\local settings\temp\OYaPI.exe
O4 - HKLM\..\Run: [2.exe] C:\documents and settings\erik\local settings\temp\2.exe
O4 - HKLM\..\Run: [cf.exe] C:\documents and settings\erik\local settings\temp\cf.exe
O4 - HKLM\..\Run: [v3bbe.exe] C:\documents and settings\erik\local settings\temp\v3bbe.exe
O4 - HKLM\..\Run: [Rw09B0.exe] C:\documents and settings\erik\local settings\temp\Rw09B0.exe
O4 - HKLM\..\Run: [uS.exe] C:\documents and settings\erik\local settings\temp\uS.exe
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe"
O4 - HKLM\..\Run: [MVS Splash] C:\PROGRA~1\McAfee\MANAGE~1\VScan\Splash.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Sapovstu] C:\WINNT\system32\?ttrib.exe
O4 - HKCU\..\Run: [Brct] C:\Documents and Settings\Erik\Application Data\trdb.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: Yahoo! Canasta - http://download.games.yahoo.com/games/clients/y/yt1_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) - http://virusscanasap.mcafeeasap.com/VS2/So...in/myCioAgt.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O18 - Protocol: myrm - {4D034FC3-013F-4B95-B544-44D49ABE3E76} - C:\Program Files\McAfee\Managed VirusScan\Agent\myRmProt3.0.0.573.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - (no file)
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McShield - Network Associates, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
O23 - Service: McAfee Managed Services Agent (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: SonicWALL Agent Service (SWAGENT) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\swAgent.exe

#2 miekiemoes, Malware Killer Dog (Malware Response Team, 19,420 posts, Belgium)

Posted 15 April 2005 - 10:34 PM

Hi there,
It's better to print out the following instructions, because you also have to work in Safe Mode and this page won't be available then.

* Download and install CCleaner
Do not use it yet.

Download CWShredder. Start CWShredder and click FIX

You have the Peper trojan.

Download the Peperfix Tool and save it to your Desktop.

Make sure you are connected to the Internet and run it; reboot afterwards. Repeat the procedure as it has to be run twice to ensure its effectiveness.

* Please set your system to show all files; please see here if you're unsure how to do this.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\system32\SearchBar.htm
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINNT\Pynix.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: (no name) - {24A411F0-D647-FE93-1832-DC38723A9197} - C:\WINNT\system32\mogkcqa.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Erik\Local Settings\Temp\bXJuo.dll (file missing)
O4 - HKLM\..\Run: [OYaPI] C:\documents and settings\erik\local settings\temp\OYaPI.exe
O4 - HKLM\..\Run: [Dsi] C:\WINNT\system32\dp-him.exe
O4 - HKLM\..\Run: [36F4SAZ3QJAFKE] C:\WINNT\system32\Bin9.exe
O4 - HKLM\..\Run: [2] C:\documents and settings\erik\local settings\temp\2.exe
O4 - HKLM\..\Run: [cf] C:\documents and settings\erik\local settings\temp\cf.exe
O4 - HKLM\..\Run: [v3bbe] C:\documents and settings\erik\local settings\temp\v3bbe.exe
O4 - HKLM\..\Run: [Rw09B0] C:\documents and settings\erik\local settings\temp\Rw09B0.exe
O4 - HKLM\..\Run: [uS] C:\documents and settings\erik\local settings\temp\uS.exe
O4 - HKLM\..\Run: [qovqvt] c:\winnt\system32\qovqvt.exe
O4 - HKLM\..\Run: [OYaPI.exe] C:\documents and settings\erik\local settings\temp\OYaPI.exe
O4 - HKLM\..\Run: [2.exe] C:\documents and settings\erik\local settings\temp\2.exe
O4 - HKLM\..\Run: [cf.exe] C:\documents and settings\erik\local settings\temp\cf.exe
O4 - HKLM\..\Run: [v3bbe.exe] C:\documents and settings\erik\local settings\temp\v3bbe.exe
O4 - HKLM\..\Run: [Rw09B0.exe] C:\documents and settings\erik\local settings\temp\Rw09B0.exe
O4 - HKLM\..\Run: [uS.exe] C:\documents and settings\erik\local settings\temp\uS.exe
O4 - HKCU\..\Run: [Sapovstu] C:\WINNT\system32\?ttrib.exe
O4 - HKCU\..\Run: [Brct] C:\Documents and Settings\Erik\Application Data\trdb.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - (no file)


* Click on Fix Checked when finished and exit HijackThis.

* Reboot into Safe Mode:
  To get into Safe Mode, press and hold your F8 key as the computer is booting. Use your arrow keys to move to "Safe Mode" and press your Enter key.


* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\Documents and Settings\Erik\Application Data\trdb.exe
C:\WINNT\system32\SearchBar.htm
C:\Program Files\CxtPls <== this folder
C:\WINNT\system32\dp-him.exe
c:\winnt\system32\qovqvt.exe

* Start CCleaner and click Run Cleaner. !! Don't forget this step !!

* Reboot your system back to normal mode.

* Perform an online scan with HouseCall and/or eTrust and let it delete everything it finds.

When done..

Open Notepad and copy and paste the following content into it:

rem List every file matching the name as HijackThis shows it. In cmd, ? is a single-character
rem wildcard, so this matches both the real attrib.exe and the look-alike whose first character
rem HijackThis could not display. /a lists all matching files, hidden and system ones included.
dir C:\WINNT\system32\?ttrib.exe /a > files.txt
notepad files.txt

Save this as look.bat (choose "All Files" as the file type) and save it to your desktop.
Double-click on it and Notepad will open with some text in it.
Copy and paste this in your next reply together with a fresh HijackThis log.

If you had any problems with deleting files or noticed any other problems during your fix, let me also know in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
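The triage the reply above performs by hand (singling out the Run entries launched from the user's Temp folder, the filename HijackThis renders with a '?', the unnamed or file-missing BHOs and the SSODL entry with no backing file) can be written as a small parser over the log format shown in the first post. The Python below is an added example, not code from the thread or from HijackThis; the sample lines are constructed from the posted log, and the scoring rules are this example's own reading of which entries the helper selected, not an official HijackThis classification.

```python
"""Triage a HijackThis v1.99 log the way the reply above does by hand.

Added example, not part of the thread or of HijackThis. The rules below are
an assumption based on which entries the helper told the poster to fix.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines in the shape of the log posted in the first message.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {24A411F0-D647-FE93-1832-DC38723A9197} - C:\WINNT\system32\mogkcqa.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Erik\Local Settings\Temp\bXJuo.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [2] C:\documents and settings\erik\local settings\temp\2.exe
O4 - HKCU\..\Run: [Sapovstu] C:\WINNT\system32\?ttrib.exe
O4 - HKCU\..\Run: [Brct] C:\Documents and Settings\Erik\Application Data\trdb.exe
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - (no file)
"""

# One regex per section type we score: O4 (Run keys), O2 (BHOs), O21 (SSODL).
SECTION_RE = re.compile(r"^(O\d+) - (.*)$")
PATTERNS = {
    "O4": re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.*)$"),
    "O2": re.compile(r"^BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$"),
    "O21": re.compile(r"^SSODL: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$"),
}


@dataclass
class Entry:
    section: str
    name: str
    path: str
    reasons: list = field(default_factory=list)


def score(section: str, name: str, path: str) -> list:
    """Return the reasons an entry looks like it does not belong (empty if clean)."""
    low = path.lower()
    reasons = []
    if "\\local settings\\temp\\" in low:
        reasons.append("autostart from user Temp folder")
    if "?" in path:
        # HijackThis prints '?' for a character it cannot display, e.g. the
        # look-alike of attrib.exe in the posted log.
        reasons.append("filename contains a character HijackThis cannot display")
    if low.endswith("(file missing)") or low.endswith("(no file)"):
        reasons.append("registered but file absent (dangling entry)")
    if section == "O2" and name == "(no name)":
        reasons.append("BHO with no name")
    if "\\application data\\" in low and low.endswith(".exe"):
        reasons.append("executable launched from Application Data")
    return reasons


def parse(log_text: str) -> list:
    """Parse O2/O4/O21 lines into Entry objects; other sections are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = SECTION_RE.match(raw.strip())
        if not m or m.group(1) not in PATTERNS:
            continue
        sub = PATTERNS[m.group(1)].match(m.group(2))
        if not sub:
            continue
        name, path = sub.group("name"), sub.group("path")
        entries.append(Entry(m.group(1), name, path, score(m.group(1), name, path)))
    return entries


def triage(log_text: str) -> list:
    """Only the entries that have at least one reason to be fixed."""
    return [e for e in parse(log_text) if e.reasons]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.section} [{e.name}] {e.path}")
        print("    -> " + "; ".join(e.reasons))
```

Run against the sample, the two legitimate entries (the Intel tray program and the Acrobat helper) come back clean and the other six are flagged with the same reasons the reply gives for checking them; a real log would still need the R0/R1 and O23 sections read by eye, which this example deliberately leaves out.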

#3 miekiemoes, Malware Killer Dog (Malware Response Team, 19,420 posts, Belgium)

Posted 01 May 2005 - 03:15 PM

Due to the lack of feedback, this topic is closed.

If you need this topic reopened, please request this by sending the moderating team
an email with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.