<hijackthis log>help



#1 mark_penaranda

mark_penaranda

  • Members
  • 3 posts

Posted 21 April 2005 - 03:52 PM

Hey everyone, just wondering if I could get some help with getting rid of that grand old spyware junk. I would be very appreciative on what junk I can delete so I can get rid of it for good. -thanks--mark

Logfile of HijackThis v1.98.2
Scan saved at 4:47:57 PM, on 4/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\xmqeyja\fstdwunk.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\oaxgty\mebvyyp.exe
C:\WINDOWS\system32\dlhvjj\mworwnid.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\windows\system32\qmnzoinw.exe
C:\WINDOWS\system32\dnhcyfl\jqjn.exe
C:\WINDOWS\system32\pdhiui.exe
C:\WINDOWS\system32\gah95on6.exe
C:\WINDOWS\system32\msuqahn\gqhwrfho.exe
C:\WINDOWS\system32\aihe.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\odexcl40.exe
C:\Program Files\AIM\aim.exe
C:\windows\system32\calc.exe
C:\WINDOWS\system32\w?nspool.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN\MSNIA\msniasvc.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\system32\rtneg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Microsoft DirectX] PDSched.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [qmnzoinw] c:\windows\system32\qmnzoinw.exe
O4 - HKLM\..\Run: [mworwnid] C:\WINDOWS\system32\dlhvjj\mworwnid.exe
O4 - HKLM\..\Run: [mebvyyp] C:\WINDOWS\system32\oaxgty\mebvyyp.exe
O4 - HKLM\..\Run: [jqjn] C:\WINDOWS\system32\dnhcyfl\jqjn.exe
O4 - HKLM\..\Run: [SkyH2] C:\WINDOWS\TEMP\qsrojxdv.exe
O4 - HKLM\..\Run: [fstdwunk] C:\WINDOWS\system32\xmqeyja\fstdwunk.exe
O4 - HKLM\..\Run: [4stT35h] pdhiui.exe
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\system32\gah95on6.exe
O4 - HKLM\..\Run: [gqhwrfho] C:\WINDOWS\system32\msuqahn\gqhwrfho.exe
O4 - HKLM\..\RunServices: [Microsoft DirectX] PDSched.exe
O4 - HKLM\..\RunOnce: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /C /FS /X
O4 - HKCU\..\Run: [Oeem] C:\WINDOWS\system32\aihe.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [LB23RRNtX] odexcl40.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Znxhio] C:\WINDOWS\system32\w?nspool.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1105402815060
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC189F13-5326-41C8-A98F-EA3A7433C6FB}: NameServer = 198.6.100.125 198.6.1.125


#2 penmore

penmore

    Malware Sniffer


  • Members
  • 757 posts
  • Location:West Coast of Scotland

Posted 22 April 2005 - 01:02 PM

Hi mark_penaranda,

Before we get started on fixing the log, there are a couple of things I need you to do first:
  • You are using an outdated version of hijackthis. Please download the newer version. Download HijackThis from: HijackThis Download Site

  • You are running HijackThis from your Desktop. When you run from this location, the backups that HijackThis makes may accidentally get deleted, so please put HijackThis into a permanent folder. Full instructions on how to do this can be found here: Detailed Explanation
    Brief instructions to create a permanent folder are:
    • Click My Computer, then C:\
    • In the menu bar choose File -> New -> Folder.
    • That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis".
    • Now you have C:\HJT\ folder.
    • Put your new HijackThis.exe there.
  • Run your new version of HijackThis and post a new log here using the Add Reply button.


#3 mark_penaranda

mark_penaranda
  • Topic Starter

  • Members
  • 3 posts

Posted 23 April 2005 - 02:52 PM

Hey, sorry 'bout the outdated HijackThis log and not creating a permanent folder. Well, I did what I was told to do, so here's the updated log....thanks in advance, mark

Logfile of HijackThis v1.99.1
Scan saved at 3:49:03 PM, on 4/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\xmqeyja\fstdwunk.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\oaxgty\mebvyyp.exe
C:\WINDOWS\system32\dlhvjj\mworwnid.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\windows\system32\qmnzoinw.exe
C:\WINDOWS\system32\dnhcyfl\jqjn.exe
C:\WINDOWS\system32\msuqahn\gqhwrfho.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\aihe.exe
C:\windows\system32\packager.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\w?nspool.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Program Files\MSN\MSNIA\msniasvc.exe
C:\WINDOWS\system32\inkmib.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\WINDOWS\system32\taskmgr.exe
C:\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\system32\rtneg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Microsoft DirectX] PDSched.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [qmnzoinw] c:\windows\system32\qmnzoinw.exe
O4 - HKLM\..\Run: [mworwnid] C:\WINDOWS\system32\dlhvjj\mworwnid.exe
O4 - HKLM\..\Run: [mebvyyp] C:\WINDOWS\system32\oaxgty\mebvyyp.exe
O4 - HKLM\..\Run: [jqjn] C:\WINDOWS\system32\dnhcyfl\jqjn.exe
O4 - HKLM\..\Run: [SkyH2] C:\WINDOWS\TEMP\qsrojxdv.exe
O4 - HKLM\..\Run: [fstdwunk] C:\WINDOWS\system32\xmqeyja\fstdwunk.exe
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\system32\gah95on6.exe
O4 - HKLM\..\Run: [gqhwrfho] C:\WINDOWS\system32\msuqahn\gqhwrfho.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [4stT35h] inkmib.exe
O4 - HKLM\..\RunServices: [Microsoft DirectX] PDSched.exe
O4 - HKCU\..\Run: [Oeem] C:\WINDOWS\system32\aihe.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [LB23RRNtX] faudbg32.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Znxhio] C:\WINDOWS\system32\w?nspool.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1105402815060
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC189F13-5326-41C8-A98F-EA3A7433C6FB}: NameServer = 198.6.100.125 198.6.1.125
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: fstdwunkxmqeyja - Unknown owner - C:\WINDOWS\system32\xmqeyja\fstdwunk.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: mebvyypoaxgty - Unknown owner - C:\WINDOWS\system32\oaxgty\mebvyyp.exe
O23 - Service: mworwniddlhvjj - Unknown owner - C:\WINDOWS\system32\dlhvjj\mworwnid.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

#4 penmore

penmore

    Malware Sniffer


  • Members
  • 757 posts
  • Location:West Coast of Scotland

Posted 24 April 2005 - 01:16 PM

Hi Mark

There are a few sticky entries in your log that may take a bit of moving and three files I would like copies of. You may find it helpful to print these instructions out as you will not have access to the Internet whilst you are running in Safe mode. Please read through all of the steps first to ensure you understand what I'm asking you to do. If you have any questions, please ask before you start the fixes.

Peter
  • I need to get samples of some of your files. Please create a folder called c:\submit. Now copy the following files into that directory:

    C:\WINDOWS\system32\xmqeyja\fstdwunk.exe
    C:\WINDOWS\system32\oaxgty\mebvyyp.exe
    C:\WINDOWS\system32\dlhvjj\mworwnid.exe

    To copy the files simply navigate to the directory they are in and right click on them and then click on copy. Then paste these files into the c:\submit directory. Once the files are all copied I need you to zip the folder. Right-click on the folder and click on the Send To option and then send it to a compressed folder. You will now see a file called submit.zip. Then go to http://www.bleepingcomputer.com/submit-malware.php, fill in the required fields, and browse to the file. Then click on the Send File button.

    If you run into problems copying the files then please let me know before you carry on with the following steps.


  • Please download and run Ad-Aware and SpybotS&D.

    Download Spybot and Ad-Aware from the following locations and install them. You should run both programs and clean up what they find. This is to guarantee that you find the most malware you can installed on your computer.
    Download both programs from the following locations:
    Before running the scans on both programs, it is mandatory that you update the programs. There are update options in each program when you run them.
    If you would like to learn more about how to use these two programs with the proper settings you can read the tutorials below:
    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer.
    Using Spybot - Search & Destroy to remove Spyware, Malware, & Hijackers from Your Computer.
    Please update each of the programs but don't run them just yet.

  • Restart your machine in Safe Mode:
    • Reboot your computer
    • As the machine starts, continually tap the F8 key
    • You will then be presented with a menu screen
    • Use the up/down arrow keys to select Safe Mode
    • Press the Enter key to boot in that mode.
  • Now run both Ad-Aware and Spybot Search & Destroy and let them remove anything they find.

  • Reboot your machine in normal mode.

  • I want you to run three online virus scans as follows:

    Perform a full scan here: Trendmicro, check AutoClean and let it remove anything it finds.

    Perform a second full scan here: Panda Online, follow the instructions on the screen, make sure these are checked:
    • Disinfect automatically
    • Scan compressed files
    • Scan e-mail files
    • Neutralize Trojans
    Let active scan remove anything it finds. Please save any log information produced.

    Perform a full scan here: BitDefender Free Online Virus Scan
    Follow the instructions on the screen.
    Tick all the boxes on the left and let Bitdefender remove anything it finds. Please save any log information produced.

  • Reboot your machine in Safe Mode and run both Ad-Aware and Spybot again.

  • Reboot your machine in normal mode and post a new log here using the Add Reply button. Please include any log information from the Panda and Bitdefender online scans. Let me know how you went on with the other steps.
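A small triage pass over the HijackThis log format used in this thread, as an added example that is not part of the thread or of HijackThis itself. The sample lines are copied from the log posted above (no new indicators), and the flagging rules are my own reading of what penmore singled out: O23 services with an unknown owner, bare-filename or TEMP autoruns, the localhost proxy, the emptied Shell value, the hosts override and the unnamed BHO.

```python
import re

# Constructed sample in HijackThis 1.99 log format; every line is taken
# verbatim from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
F2 - REG:system.ini: Shell=
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O4 - HKLM\..\Run: [Microsoft DirectX] PDSched.exe
O4 - HKLM\..\Run: [SkyH2] C:\WINDOWS\TEMP\qsrojxdv.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: fstdwunkxmqeyja - Unknown owner - C:\WINDOWS\system32\xmqeyja\fstdwunk.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")   # "O4 - ..." result lines
O4_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")       # "[ValueName] command"

def parse_entries(text):
    """Yield (kind, body) for each result line; header and process list are skipped."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body")

def assess(kind, body):
    """Return a short reason if the entry deserves a second look, else None."""
    if kind == "R1" and "ProxyServer" in body and "127.0.0.1" in body:
        return "browser proxied through a listener on the local machine"
    if kind == "F2" and body.rstrip().endswith("Shell="):
        return "system.ini Shell value has been emptied"
    if kind == "O1":
        return "hosts-file override of a public hostname"
    if kind == "O2" and "(no name)" in body:
        return "browser helper object without a name"
    if kind == "O4":
        m = O4_RE.search(body)
        cmd = m.group("cmd").strip('"') if m else body
        if "\\" not in cmd:
            return "autorun given as a bare filename; resolved via the search path"
        if "\\temp\\" in cmd.lower():
            return "autorun launched from a temporary directory"
    if kind == "O23" and "Unknown owner" in body:
        return "service with no publisher; candidate for sample submission"
    return None

def triage(text):
    """Return [(kind, reason, body)] for every flagged entry in a HijackThis log."""
    return [(k, r, b) for k, b in parse_entries(text) if (r := assess(k, b))]

if __name__ == "__main__":
    for kind, reason, body in triage(SAMPLE_LOG):
        print(f"{kind:4} {reason}\n     {body}")
```

Entries that carry a full path and a known publisher (the ccApp autorun, the Symantec service) pass through unflagged, which is the point: the list is a reading aid for the reply, not a verdict.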




