
HJT Log - jmj


  • This topic is locked
6 replies to this topic

#1 jmj

jmj

  • Members
  • 6 posts
  • OFFLINE
  • Local time:11:12 PM

Posted 03 August 2004 - 10:56 PM

Today I'm cleaning up my sister's machine, on which I spent most of my afternoon scanning and removing Trojans and viruses.
I think I have 99% of the baddies out. I went through the list of apps in this post and need someone to review my HijackThis log.


Machine is a Windows 2000 Pro
Build 5.00.2195
Service pack 3

with automatic updates enabled through the Microsoft updater


Apps I ran and scanned the box with: current Spybot 1.3
Adaware
Cool Web Shredder
TrojanHunter

all updated with current ref files

Also did a virus scan with
AVG AntiVirus
Trend Micro HouseCall online
Ended up removing 125 baddies with Spybot and finding 3 trojans,
including the WhenUSearch toolbar
and eZula HotText.

One thing I had trouble removing was the PurityScan.B downloader since it was memory resident,
but I think I got it.

Anyway, here's my HJT log file to check out. Thank you again for your time and effort, admins.



After looking a bit more at my log I found these 3 items, and I'm questioning
what they are.

I've done a search in Google with nothing showing up. Maybe someone can give me some insight on what they are?

Nothing came back on this doing a search on Tony Klein's BHO list:
O2 - BHO: (no name) - {628D440F-E24D-5093-8725-61557CA72649} - C:\WINNT\system32\gbjl.dll

O4 - HKCU\..\Run: [Into] C:\Documents and Settings\sue\Application Data\cawt.exe

O4 - HKCU\..\Run: [Ymqdmvjk] C:\WINNT\system32\ntjtmm.exe




Logfile of HijackThis v1.98.0
Scan saved at 6:00:05 PM, on 8/2/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\system32\PROMon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Common Files\FotoNation\EvLstnr.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINNT\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINNT\system32\ntjtmm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ACT\SideACT.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\WINNT\System32\HPHipm11.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\notepad.exe
C:\hjt\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {628D440F-E24D-5093-8725-61557CA72649} - C:\WINNT\system32\gbjl.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [EVENTLISTENER] C:\Program Files\Common Files\FotoNation\EvLstnr.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINNT\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Sue"
O4 - HKCU\..\Run: [Into] C:\Documents and Settings\sue\Application Data\cawt.exe
O4 - HKCU\..\Run: [Ymqdmvjk] C:\WINNT\system32\ntjtmm.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Sue"
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = LAKESHORE
O17 - HKLM\System\CCS\Services\Tcpip\..\{3CE32B2A-DA3E-408A-A804-06D70FADB3AB}: NameServer = 198.147.221.34 198.147.221.35
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = LAKESHORE
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = LAKESHORE


Thanks for your time and effort. Hopefully I can donate my time to the removal and
stoppage of this war as soon as I learn more.


JMJ


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,400 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:11:12 PM

Posted 04 August 2004 - 09:59 AM

You need to upgrade to SP4.

Your log shows that you are seriously behind on Windows updates. It is essential that you update your Windows before we continue to help you, as the infections could reoccur. Go to http://www.windowsupdate.com and if it asks to install software, let it. Then click on the Scan link and let it do its thing. When it's done you will see on your left a section called Critical Updates. Click on that section and install everything that you can. When it prompts you to reboot, do so. Then repeat this process again until there are no more critical updates listed. Then post a new log.

#3 jmj

jmj
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:11:12 PM

Posted 04 August 2004 - 07:28 PM

Thanks Grinler

Will do. I'm about 60 miles away, so I'll get out that way sometime this week.

Didn't realize the updates were not working, so please keep this open
for a while.

Edited by jmj, 04 August 2004 - 07:33 PM.


#4 jmj

jmj
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:11:12 PM

Posted 14 August 2004 - 08:50 PM

Finally got a chance to drive out and do the Service Pack 4 updates
and run the new Ad-Aware SE and a current Spybot scan.

Here's a current log from HijackThis.

Still getting some sort of trojans hitting me.

Logfile of HijackThis v1.98.2
Scan saved at 3:15:35 PM, on 8/14/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\system32\PROMon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Common Files\FotoNation\EvLstnr.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINNT\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINNT\system32\ntjtmm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ACT\SideACT.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\WINNT\System32\HPHipm11.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\hjt\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {628D440F-E24D-5093-8725-61557CA72649} - C:\WINNT\system32\gbjl.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [EVENTLISTENER] C:\Program Files\Common Files\FotoNation\EvLstnr.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINNT\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [Into] C:\Documents and Settings\sue\Application Data\cawt.exe
O4 - HKCU\..\Run: [Ymqdmvjk] C:\WINNT\system32\ntjtmm.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...rendmicro.com/housecall/xscan53.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = LAKESHORE
O17 - HKLM\System\CCS\Services\Tcpip\..\{3CE32B2A-DA3E-408A-A804-06D70FADB3AB}: NameServer = 209.244.0.3 209.244.0.4
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = LAKESHORE
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = LAKESHORE

#5 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,400 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:11:12 PM

Posted 15 August 2004 - 05:54 PM

I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix button:
O2 - BHO: (no name) - {628D440F-E24D-5093-8725-61557CA72649} - C:\WINNT\system32\gbjl.dll
O4 - HKCU\..\Run: [Into] C:\Documents and Settings\sue\Application Data\cawt.exe
O4 - HKCU\..\Run: [Ymqdmvjk] C:\WINNT\system32\ntjtmm.exe
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab

Reboot your computer into Safe Mode and delete the following files:

Then delete these files or directories (do not be concerned if they do not exist):
C:\WINNT\system32\gbjl.dll
C:\Documents and Settings\sue\Application Data\cawt.exe
C:\WINNT\system32\ntjtmm.exe

Disable System Restore. You can find instructions on how to disable and re-enable System Restore here:

Managing Windows Millennium System Restore
or

Windows XP System Restore Guide

Re-enable System Restore with instructions from the tutorial above.

Reboot your computer to go back to normal mode and post a new log.
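A small triage parser for the HJT log format quoted throughout this thread, added here as an example (it is not code from the thread, from HijackThis or from BleepingComputer). It assumes the constructed sample lines below and the heuristics stated in the comments, and on that sample it surfaces the same four entries singled out above for fixing.

```python
import re

# Constructed sample: entries copied from the thread's HijackThis log plus
# benign lines for contrast. The HouseCall URL is a placeholder host.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {628D440F-E24D-5093-8725-61557CA72649} - C:\WINNT\system32\gbjl.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [Into] C:\Documents and Settings\sue\Application Data\cawt.exe
O4 - HKCU\..\Run: [Ymqdmvjk] C:\WINNT\system32\ntjtmm.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.example/xscan53.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
"""

# One regex per HJT section this example understands (O2 BHOs, O4 autoruns, O16 DPF).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[^}]+)\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
BINARY_RE = re.compile(r'([^"]*?\.(?:exe|dll|ocx))', re.I)


def looks_random(token):
    """Heuristic: short, letters only, and no vowels (gbjl, ntjtmm, Ymqdmvjk)."""
    t = token.lower()
    return 3 <= len(t) <= 12 and t.isalpha() and not any(c in "aeiou" for c in t)


def binary_stem(cmd):
    """Pull the executable path out of a (possibly quoted) O4 command and return its file name stem."""
    m = BINARY_RE.search(cmd)
    exe = m.group(1) if m else cmd
    return exe.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def triage(log_text):
    """Return (line, reason) pairs for entries a log reviewer should look at first."""
    findings = []
    for line in log_text.strip().splitlines():
        if m := O2_RE.match(line):
            # A BHO with no registered name and a random-looking DLL name.
            if m["name"] == "(no name)" and looks_random(binary_stem(m["path"])):
                findings.append((line, "nameless BHO with random-looking file name"))
        elif m := O4_RE.match(line):
            # Autoruns living in a user's Application Data directory, or with random names.
            if "\\Application Data\\" in m["cmd"]:
                findings.append((line, "autorun from a user profile data directory"))
            elif looks_random(m["name"]) or looks_random(binary_stem(m["cmd"])):
                findings.append((line, "autorun with random-looking name"))
        elif m := O16_RE.match(line):
            # Downloaded ActiveX controls that registered no friendly name.
            if not m["name"]:
                findings.append((line, "ActiveX download (DPF) with no control name"))
    return findings
```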

#6 jmj

jmj
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:11:12 PM

Posted 15 August 2004 - 07:49 PM

Will do, thank you Grinler. I have another drive and should be out that way
in 3 days, so keep the post open.

Also I noticed my laptop was doing the same things, so I started a new
thread on it: HJT Log Laptop -jmj


Hope I'm not being a pain :thumbsup:
I realize it's a pain in the butt to go through these logs line by line, and I appreciate your time and dedication to helping others less experienced. Is there any way I can
pay you back for your time?
Or learn how I can do it myself to be part of the team here?

#7 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,400 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:11:12 PM

Posted 15 August 2004 - 10:29 PM

There are always ways to help us out which you can find here:

http://www.bleepingcomputer.com/supportus.php

As for learning how to clean this stuff and join the team, we do not have a formal classroom. There are some sites that do, though, and if you are interested, PM me and I'll give you the info.
