Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HijackThis logfile


  • Please log in to reply
2 replies to this topic

#1 rodger1904

rodger1904

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:05:29 AM

Posted 12 July 2005 - 04:27 PM

Here is the logfile, I've come a long way already but it is still definitely infected. Webroot Spysweeper shows CoolWebSearch but I can't remove it using either Webroot or CWShredder. Also, I plan to update it to SP2 as soon as I can get it cleaned up enough.

Any help is greatly appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 3:22:33 PM, on 7/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\toshiba\ivp\ism\pinger.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\TPSBattM.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\cdosys51.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Documents and Settings\Gordon Eberhardt\Desktop\IWP\NPFMntor.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\??plorer.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\PROGRA~1\COMMON~1\qwmk\qwmkm.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\htwu\rrup.exe
C:\WINDOWS\boo.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\d3xs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Documents and Settings\Gordon Eberhardt\Desktop\HijackThis.exe
C:\WINDOWS\appqw.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {6CB55B62-92A9-30DC-1708-C97DEE5E6821} - C:\WINDOWS\javaxf32.dll
O2 - BHO: Class - {AB9D62B8-7E56-2DB3-A516-E377F1010DCD} - C:\WINDOWS\mfclh.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [0874e0acc50b] C:\WINDOWS\System32\cdosys51.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ntxs32.exe] C:\WINDOWS\system32\ntxs32.exe
O4 - HKLM\..\Run: [d3xs.exe] C:\WINDOWS\system32\d3xs.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Ngwerwv] C:\WINDOWS\System32\??plorer.exe
O4 - HKCU\..\Run: [qwmk] C:\PROGRA~1\COMMON~1\qwmk\qwmkm.exe
O4 - HKCU\..\Run: [Osus] C:\Program Files\htwu\rrup.exe
O4 - HKCU\..\Run: [boo] C:\WINDOWS\boo.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O20 - AppInit_DLLs: repairs.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Sebring - c:\WINDOWS\System32\LgNotify.dll
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\appqw.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Documents and Settings\Gordon Eberhardt\Desktop\IWP\NPFMntor.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

BC AdBot (Login to Remove)

 


#2 Omerr

Omerr

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:05:29 AM

Posted 12 July 2005 - 04:50 PM

Hello and welcome to BleepingComputer.

I am currently reviewing your log. Please understand that in order to give you the best answer to your problem, I must dedicate time and thought to your log, so please be patient with me.

I will come back to you with an answer as soon as possible.

Omer.

#3 Omerr

Omerr

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:05:29 AM

Posted 12 July 2005 - 05:04 PM

Hello and welcome to Bleeping Computer.

WARNING - You are running Hijack This from your desktop. It needs to be in a permanent folder. Please go into Windows Explorer, click on C:\ then click on File > New > Folder and call it HJT , or another name of your choice. The program creates backup files that we may need to use later. If the program is in a Temporary folder, files may be deleted by you or automatically if your system is set to empty temp files.

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option. Please do NOT change any of those settings until we finish the fixing process.

Download KillBox http://www.greyknight17.com/spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

C:\WINDOWS\System32\??plorer.exe


Right click on this link http://www.greyknight17.com/spy/DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards.

Download CWSserviceRemove and unzip it to your desktop. It'll create a file called cwsserviceremove.reg. Do NOT run this yet.

Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).

Go to Start->Run and type in services.msc and hit OK. Then look for the following service:
Workstation NetLogon Service ( 11F?? #•???`I)
Double click on it. Click on the Stop button and under Startup type, choose Disabled.

Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one (If they still exist)(You must kill them one at a time).

C:\WINDOWS\System32\cdosys51.exe
C:\PROGRA~1\COMMON~1\qwmk\qwmkm.exe
C:\Program Files\htwu\rrup.exe
C:\WINDOWS\boo.exe
C:\WINDOWS\system32\d3xs.exe
C:\WINDOWS\appqw.exe


Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:

htwu


Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {6CB55B62-92A9-30DC-1708-C97DEE5E6821} - C:\WINDOWS\javaxf32.dll
O2 - BHO: Class - {AB9D62B8-7E56-2DB3-A516-E377F1010DCD} - C:\WINDOWS\mfclh.dll
O4 - HKLM\..\Run: [0874e0acc50b] C:\WINDOWS\System32\cdosys51.exe
O4 - HKLM\..\Run: [ntxs32.exe] C:\WINDOWS\system32\ntxs32.exe
O4 - HKLM\..\Run: [d3xs.exe] C:\WINDOWS\system32\d3xs.exe
O4 - HKCU\..\Run: [Ngwerwv] C:\WINDOWS\System32\??plorer.exe
O4 - HKCU\..\Run: [qwmk] C:\PROGRA~1\COMMON~1\qwmk\qwmkm.exe
O4 - HKCU\..\Run: [Osus] C:\Program Files\htwu\rrup.exe
O4 - HKCU\..\Run: [boo] C:\WINDOWS\boo.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O20 - AppInit_DLLs: repairs.dll
O23 - Service: Workstation NetLogon Service ( 11F?? #•???`I) - Unknown owner - C:\WINDOWS\appqw.exe


Please remember to close all other windows, including browsers then click Fix checked.

Delete the following Folders indicated in BLUE if they still exist:

C:\PROGRA~1\COMMON~1\qwmk
C:\Program Files\htwu


Delete the following Files indicated in RED if they still exist:

C:\WINDOWS\System32\cdosys51.exe
C:\WINDOWS\boo.exe
C:\WINDOWS\system32\d3xs.exe
C:\WINDOWS\appqw.exe
C:\WINDOWS\javaxf32.dll
C:\WINDOWS\mfclh.dll
C:\WINDOWS\system32\ntxs32.exe
repairs.dll>>> SEARCH FOR THIS FILE


Double-click on the cwsserviceremove.reg file you unzipped to your desktop earlier. When it prompts to merge, click Yes. This will clear some registry entries left behind by the malware infections.

Reboot your system in Normal Mode.

Please use Panda ActiveScan at http://www.pandasoftware.com/products/activescan. Give us the scan’s log.

Please scan again with HijackThis to get a new log.
Get HijackThis Analyzer and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in 'y' if you agree. The 'result.txt' file will open up in Notepad. Copy the whole result.txt log and post it in the forum. You don't need to post the original hijackthis.log (unless we ask for it). Do not fix anything in HijackThis since they may be harmless.

Now give us a new HijackThis Analyzer log, along with Panda ActiveScan’s log, so we can make sure your system is clean.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users