Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HiJackThis logfile


  • This topic is locked This topic is locked
5 replies to this topic

#1 lordemperor

lordemperor

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:04:27 PM

Posted 03 August 2004 - 05:34 AM

Symptoms: Every minute or so an IE window opens with some sort of advertisement. Also happens sometimes on teh click of a link.

What I have done: Scanned with fully updated Ad-Aware, Spybot S&D, CWShredder and Avast! Antivirus, both in windows normal and safe mode.

Spybot and Ad-Aware each find a few entries which I delete, another scan turns new entries. Avast detected a few viruses which I deleted. No more hav ebeen detected by real-time scanning since then.

CWShredder restores teh hosts file each time, all others are not present.

Used HiJackThis and deleted a few entries, but the problem still exists.

Without further adou, the logfile:

Logfile of HijackThis v1.97.7
Scan saved at 3:28:10 AM, on 8/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\apps\Avast4\aswUpdSv.exe
C:\apps\Avast4\ashServ.exe
C:\apps\D-Tools\daemon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\apps\Avast4\ashDisp.exe
C:\apps\Avast4\ashmaisv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\apps\SpybotS&D\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\apps\RealVNC\WinVNC\WinVNC.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Client\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lantechgaming.ca/rules.htm
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\apps\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [MWADVANCED] c:\mwadvanced_enu.exe
O4 - HKLM\..\Run: [WinVNC] "C:\apps\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\apps\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\apps\Avast4\ashmaisv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\apps\SpybotS&D\TeaTimer.exe
O4 - Startup: Shortcut to terminator.lnk = C:\bats\terminator.bat
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{53BB6CEF-CDEF-4B1C-90F4-AC843907B95A}: NameServer = 207.54.101.193,207.54.98.226
O17 - HKLM\System\CS1\Services\Tcpip\..\{53BB6CEF-CDEF-4B1C-90F4-AC843907B95A}: NameServer = 207.54.101.193,207.54.98.226

Edited by lordemperor, 03 August 2004 - 05:39 AM.


BC AdBot (Login to Remove)

 


#2 raw

raw

    Bleeping Hacker


  • Members
  • 2,577 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Texas
  • Local time:04:27 PM

Posted 03 August 2004 - 10:21 AM

You are using an old version of HijackThis, please download the latest version,

Download Hijackthis:
http://www.spywareinfo.com/~merijn/files/hijackthis.zip

http://computercops.biz/downloads-cat-14.html

If you cannot reach either site it is available from my signature.

You need to put HijackThis into its own folder. It makes backups and they need to be kept all in one place.

Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ folder. Put your hijackthis.exe there. Please post a new log.

rawsig.png

 rawcreations.net          @raw_creations


Current systems: WHAT OS, BackTrack-raw, PCLinuxOS, Peppermint OS 6, Kali Linux

and a custom Linux From Scratch server hosting a bunch of top secret stuff.


#3 lordemperor

lordemperor
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:04:27 PM

Posted 03 August 2004 - 04:34 PM

It is in its own folder.

Thanks for the link to the new version.

It seems my latest agressive scans with spybot and ad-aware got it.

There are no noticable symptoms remaining.

Here is what the new version of hijackthis turned up:

ogfile of HijackThis v1.98.1
Scan saved at 2:35:06 PM, on 8/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\apps\Avast4\aswUpdSv.exe
C:\apps\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\apps\RealVNC\WinVNC\WinVNC.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\apps\D-Tools\daemon.exe
C:\apps\Avast4\ashDisp.exe
C:\apps\Avast4\ashmaisv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\ctfmon.exe
C:\apps\SpybotS&D\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Client\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lantechgaming.ca/rules.htm
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\apps\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [MWADVANCED] c:\mwadvanced_enu.exe
O4 - HKLM\..\Run: [WinVNC] "C:\apps\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [avast!] C:\apps\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\apps\Avast4\ashmaisv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\apps\SpybotS&D\TeaTimer.exe
O4 - Startup: Shortcut to terminator.lnk = C:\bats\terminator.bat
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{53BB6CEF-CDEF-4B1C-90F4-AC843907B95A}: NameServer = 207.54.101.193,207.54.98.226
O17 - HKLM\System\CS1\Services\Tcpip\..\{53BB6CEF-CDEF-4B1C-90F4-AC843907B95A}: NameServer = 207.54.101.193,207.54.98.226

What is item 010?

Thanks again for your help.

#4 raw

raw

    Bleeping Hacker


  • Members
  • 2,577 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Texas
  • Local time:04:27 PM

Posted 03 August 2004 - 06:34 PM

Now please Download LSPFix from http://www.cexx.org/lspfix.htm and Run the Program. Disconnect from the Internet and close all Internet Explorer Windows. Check the "I know what I'm doing" Button and place all listings of lspak.dll into the remove section by clicking on the button that points to the right. When all instances of this dll are in the Remove section. Press the finish button.

Then Reboot and post a new log

To see a tutorial on how to use this program click the link below:

Using LSP-Fix to remove LSP Spyware & Hijackers

rawsig.png

 rawcreations.net          @raw_creations


Current systems: WHAT OS, BackTrack-raw, PCLinuxOS, Peppermint OS 6, Kali Linux

and a custom Linux From Scratch server hosting a bunch of top secret stuff.


#5 lordemperor

lordemperor
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:04:27 PM

Posted 03 August 2004 - 08:19 PM

Wow man you rock, seriously thanks =D

This is what I have now:

Logfile of HijackThis v1.98.1
Scan saved at 6:15:44 PM, on 8/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\apps\Avast4\aswUpdSv.exe
C:\apps\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\apps\RealVNC\WinVNC\WinVNC.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\apps\D-Tools\daemon.exe
C:\apps\Avast4\ashDisp.exe
C:\apps\Avast4\ashmaisv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\ctfmon.exe
C:\apps\SpybotS&D\TeaTimer.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lantechgaming.ca/rules.htm
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\apps\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [MWADVANCED] c:\mwadvanced_enu.exe
O4 - HKLM\..\Run: [WinVNC] "C:\apps\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [avast!] C:\apps\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\apps\Avast4\ashmaisv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\apps\SpybotS&D\TeaTimer.exe
O4 - Startup: Shortcut to terminator.lnk = C:\bats\terminator.bat
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{53BB6CEF-CDEF-4B1C-90F4-AC843907B95A}: NameServer = 207.54.101.193,207.54.98.226
O17 - HKLM\System\CS1\Services\Tcpip\..\{53BB6CEF-CDEF-4B1C-90F4-AC843907B95A}: NameServer = 207.54.101.193,207.54.98.226

#6 raw

raw

    Bleeping Hacker


  • Members
  • 2,577 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Texas
  • Local time:04:27 PM

Posted 04 August 2004 - 10:44 AM

Looks great, good job!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help.

rawsig.png

 rawcreations.net          @raw_creations


Current systems: WHAT OS, BackTrack-raw, PCLinuxOS, Peppermint OS 6, Kali Linux

and a custom Linux From Scratch server hosting a bunch of top secret stuff.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users