Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HijackThis Log - Please Help


  • Please log in to reply
1 reply to this topic

#1 chilimac

chilimac

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:27 PM

Posted 25 July 2005 - 05:33 PM

Folks,

My wife mentioned her computer was running a bit slow. Upon opening her browser, I noticed she had downloaded what appears to be a Spam Blocker and some type of weather reporting program on her toolbar. After running Command Anit-Virus, the following files report to be infected:

tibs3.exe
dvvprpt.exe
QUICKVIEW.exe
syncui.dll

I've included the HijackThis log as follows:

Logfile of HijackThis v1.99.1
Scan saved at 3:18:13 PM, on 7/25/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\GWHOTKEY.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\PROGRAM FILES\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMAND SOFTWARE\COMMAND ANTIVIRUS\AVINIT9X.EXE
C:\PROGRAM FILES\COMMAND SOFTWARE\COMMAND ANTIVIRUS\UNTRAY.EXE
C:\PROGRAM FILES\COMMAND SOFTWARE\COMMAND ANTIVIRUS\AVTRAY.EXE
C:\PROGRAM FILES\COMMAND SOFTWARE\COMMAND ANTIVIRUS\DVPRPT.EXE
C:\PROGRAM FILES\COMMAND SOFTWARE\COMMAND ANTIVIRUS\SCHSC9X.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\SPAMBLOCKERUTILITY\BIN\4.6.1.0\SBWEATHERONTRAY.EXE
C:\PROGRAM FILES\SPAMBLOCKERUTILITY\BIN\4.6.1.0\SBOEADDON.EXE
C:\PROGRAM FILES\SPAMBLOCKERUTILITY\BIN\4.6.1.0\SBINST.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\COMMON FILES\COMMAND SOFTWARE\DVPAPI9X.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\SPAMBLOCKERUTILITY\BIN\4.6.1.0\SBSRV.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lds.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:83
F1 - win.ini: run=hpfsched
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: SpamBlockerUtility - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - C:\PROGRAM FILES\SPAMBLOCKERUTILITY\BIN\4.6.1.0\SBHOSTIE.DLL
O2 - BHO: ShprRprts - {2A8A997F-BB9F-48F6-AA2B-2762D50F9289} - C:\PROGRAM FILES\SHOPPERREPORTS\BIN\1.0.4.0\SHPRRPRT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: SpamBlockerUtility - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - C:\PROGRAM FILES\SPAMBLOCKERUTILITY\BIN\4.6.1.0\SBHOSTIE.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [AttuneSysTray] C:\PROGRA~1\AVEO\ATTUNE\Bin\Attune_st.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [CSAV_CheckViruses] c:\PROGRA~1\COMMAN~1\COMMAN~1\VCHK.EXE
O4 - HKLM\..\Run: [avinit] c:\PROGRA~1\COMMAN~1\COMMAN~1\AVINIT9X.EXE
O4 - HKLM\..\Run: [untray] c:\PROGRA~1\COMMAN~1\COMMAN~1\UNTRAY.EXE
O4 - HKLM\..\Run: [avtray] c:\PROGRA~1\COMMAN~1\COMMAN~1\AVTRAY.EXE
O4 - HKLM\..\Run: [dvprpt] c:\PROGRA~1\COMMAN~1\COMMAN~1\DVPRPT.EXE
O4 - HKLM\..\Run: [AVSchedScan] c:\PROGRA~1\COMMAN~1\COMMAN~1\SCHSC9X.EXE
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [WeatherOnTray] C:\PROGRAM FILES\SPAMBLOCKERUTILITY\BIN\4.6.1.0\SBWEATHERONTRAY.EXE
O4 - HKLM\..\Run: [SpamBlocker] C:\Program Files\SpamBlockerUtility\Bin\4.6.1.0\SbOEAddOn.exe
O4 - HKLM\..\Run: [Spam Blocker for Outlook Express] C:\PROGRA~1\SPAMBL~1\BIN\461~1.0\SBInst.exe
O4 - HKLM\..\Run: [rnulacnf] C:\WINDOWS\SYSTEM\seewoxgx.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [VidSvr]
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra button: Microsoft AntiSpyware helper - {23B54140-D9F0-11D9-9BF4-00A0C975C54B} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {23B54140-D9F0-11D9-9BF4-00A0C975C54B} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS3:30 PM 7/25/05\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: ShopperReports - Compare product prices - {E77EDA01-3C56-4a96-8D08-02B42891C169} - C:\PROGRAM FILES\SHOPPERREPORTS\BIN\1.0.4.0\SHPRRPRT.DLL
O9 - Extra button: ShopperReports - Compare travel rates - {946B3E9E-E21A-49c8-9F63-900533FAFE14} - C:\PROGRAM FILES\SHOPPERREPORTS\BIN\1.0.4.0\SHPRRPRT.DLL
O9 - Extra button: Microsoft AntiSpyware helper - {23B54140-D9F0-11D9-9BF4-00A0C975C54B} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {23B54140-D9F0-11D9-9BF4-00A0C975C54B} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing) (HKCU)
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} (SbInstObj) - http://installs.spamblockerutility.com/ins...ckerutility.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = thegrid.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 209.162.0.254,209.162.32.254,198.77.116.8

Your help is appreciated...

Regards,

Chilimac

BC AdBot (Login to Remove)

 


#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:03:27 PM

Posted 25 July 2005 - 06:58 PM

Hello chilimac and welcome to the BC malware forum. Let's start with the following.
  • Download Cwshredder.exe and save it to a folder of its own. Start the program and click on the Check for Update button. If an update is available then download and install it. Close the program (do not run it yet).
  • Download SpSeHjfix.zip and unzip it to it's own folder. Do not run it yet.
  • Download CleanUp! and install it. Start CleanUp! and click on the CleanUp! button. Let it run to completion. It may take a few minutes depending on the size of your hard drive so be patient.
  • Start in Safe Mode Using the F8 method:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
    • Use the arrow keys to select the Safe Mode menu item.
    • Press the Enter key.
  • Disconnect from the net and Close ALL OPEN PROGRAMS.
  • Run SpSeHjfix and click on Start Disinfection.
    When it's finished it will reboot your machine to finish the cleaning process.
    The tool creates a log of the fix which will appear in the folder that SpSeHjfix is located in.
  • Now run CWShredder and click on the Fix -> button.
  • Reboot and repeat the above process starting with Step 4.
Reboot and post a fresh HijackThis log and the log that was created by SpSeHjfix.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users