hjt log/igonuts2


  • This topic is locked
43 replies to this topic

#1 igonuts2

  • Members
  • 358 posts
  • OFFLINE
  • Gender:Male
  • Location:my closet
  • Local time:07:30 AM

Posted 18 August 2005 - 09:32 PM

referred to this forum from http://www.bleepingcomputer.com/forums/ind...topic=28189&hl=

helping a neighbor friend.
he's on dialup and on "life line" so online scans cannot be done. he has a cd drive. i'm on dsl and have a burner so i can dl anything needed to cd and install it on his pc.
spybot sd, adaware se, and resident av programs have been performed.
currently we are seeing bogus av popups advising user to visit a web site for removal instructions, RUNDLL "Error loading C:\Windows\Temp\se.dll Access denied", numerous "important changes" noted by spybot sd, and the resident av program IDs and is blocking Trojan TR/StartPage.qr.DLL. Cannot access internet.

as of the time of this post, tasks can only be performed in safe mode. anything done in normal start up commits an "illegal function" and is closed. also this hjt log was made before spybot sd popped up with several more "important changes" that as you know require an "allow or deny" decision. not knowing what's good or bad, i denied all changes. i don't know if those decisions would demand a new hjt log. but a new log would have to be transposed by hand and therefore would be subject to human error. that said, here is the hjt log made after cleaning in safe mode but before spybot noted important changes that were subsequently denied.
grateful for any assistance.

Logfile of HijackThis v1.99.1
Scan saved at 8:48:16 AM, on 8/17/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\PEOPLEPC\ISP6230\BROWSER\BARTSHEL.EXE
C:\PROGRAM FILES\PEOPLEPC\ISP6230\BROWSER\PPSHARED.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
C:\WINDOWS\NOTEPAD.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/space.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/space.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {F29C3D9C-08B5-FD86-1DBB-782BA067FB99} - control64.dll (file missing)
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\PROGRAM FILES\PEOPLEPC\TOOLBAR\PPCTOOLBAR.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {FDA3AEC1-0D92-11DA-AD5C-4445F92683F1} - C:\WINDOWS\SYSTEM\OMDI.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\PROGRAM FILES\PEOPLEPC\TOOLBAR\PPCTOOLBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\BIN\PPCOLink -STATION
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
O4 - HKLM\..\Run: [PPCRunonce] C:\WINDOWS\SYSTEM\PPCRunOnce.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\WareOut\WareOut.exe (HKCU)
O9 - Extra 'Tools' menuitem: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\WareOut\WareOut.exe (HKCU)
O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.176.158,85.255.112.8
O18 - Filter: text/html - {FDA3AEC0-0D92-11DA-AD5C-4445966A266A} - C:\WINDOWS\SYSTEM\OMDI.DLL
O18 - Filter: text/plain - {FDA3AEC0-0D92-11DA-AD5C-4445966A266A} - C:\WINDOWS\SYSTEM\OMDI.DLL
Why work when you can play!
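The log above is the kind of thing a helper reads by eye: a DLL in TEMP wired into both the search bar (R1) and a Run key (O4), an unnamed BHO whose DLL is also registered as a text/html MIME filter (O2 plus O18), a hard-coded DNS server on a dial-up box (O17), and an orphaned URLSearchHook (R3). As an added example that is not part of the thread and not HijackThis code, the Python below applies those same defender-side heuristics to a constructed subset of exactly the log lines quoted above, then clusters the hits by module so that one component registered in several places shows up as one item. The names review_line, review_log, cluster_by_module and the KNOWN_GOOD_BHO allowlist are the example's own assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis v1.99.1 lines quoted in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/space.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R3 - URLSearchHook: (no name) - {F29C3D9C-08B5-FD86-1DBB-782BA067FB99} - control64.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {FDA3AEC1-0D92-11DA-AD5C-4445F92683F1} - C:\WINDOWS\SYSTEM\OMDI.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.176.158,85.255.112.8
O18 - Filter: text/html - {FDA3AEC0-0D92-11DA-AD5C-4445966A266A} - C:\WINDOWS\SYSTEM\OMDI.DLL
"""

# Hypothetical allowlist of unnamed BHO modules known to be benign.
# Spybot's SDHELPER.DLL appears in the log above and is legitimate.
KNOWN_GOOD_BHO = {"sdhelper.dll"}

# First module-looking token on the line (name.dll / name.exe / name.ocx).
MODULE_RE = re.compile(r"([A-Za-z0-9_~\-]+\.(?:dll|exe|ocx))", re.IGNORECASE)


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    module: str    # lower-cased module name if one was found, else ""
    reason: str    # why a reviewer should look at this entry
    line: str      # the original log line


def review_line(line: str) -> list[Finding]:
    """Apply defender-oriented heuristics to one HijackThis log line."""
    section = line.split(" - ", 1)[0]
    m = MODULE_RE.search(line)
    module = m.group(1).lower() if m else ""
    low = line.lower()
    reasons: list[str] = []
    if "\\temp\\" in low:
        reasons.append("module or resource loaded from a TEMP directory")
    if section == "O17":
        reasons.append("hard-coded DNS NameServer override; on dial-up the ISP should assign DNS")
    if section == "O18" and "filter: text/" in low:
        reasons.append("MIME filter on text/* lets the DLL rewrite every page the browser renders")
    if "(file missing)" in low:
        reasons.append("hook points at a file that no longer exists (orphaned entry)")
    if section == "O2" and "(no name)" in low and module not in KNOWN_GOOD_BHO:
        reasons.append("unnamed BHO not on the known-good list")
    return [Finding(section, module, r, line) for r in reasons]


def review_log(text: str) -> list[Finding]:
    """Run review_line over every non-blank line of a log."""
    findings: list[Finding] = []
    for line in text.splitlines():
        if line.strip():
            findings.extend(review_line(line.strip()))
    return findings


def cluster_by_module(findings: list[Finding]) -> dict[str, list[str]]:
    """Group flagged sections by module so one DLL seen in several places reads as one component."""
    clusters: dict[str, list[str]] = {}
    for f in findings:
        if f.module:
            clusters.setdefault(f.module, []).append(f.section)
    return clusters


if __name__ == "__main__":
    hits = review_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f.section:4} {f.module or '-':16} {f.reason}")
    print(cluster_by_module(hits))
```

The clustering is the useful part for a cleanup plan: it shows that se.dll and OMDI.DLL each need every one of their registrations removed together, since leaving the Run key or the MIME filter in place re-establishes the component on the next boot.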


#2 suebaby41

    W.A.M. (Women Against Malware)

  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:11:30 AM

Posted 21 August 2005 - 03:56 PM

Welcome to the BleepingComputer forum. We are currently studying your log and will have instructions for you shortly. Thank you for your patience.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#3 suebaby41

Posted 21 August 2005 - 05:21 PM

To help prevent further infection, please download and install SpywareBlaster. SpywareBlaster will help to:
  • prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
  • block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
  • restrict the actions of potentially unwanted sites in Internet Explorer.
You will need to disable TeaTimer. Open Spybot S&D in advanced mode, click Tools > Resident, and remove the check from "Resident Tea-Timer". Reboot after unchecking the entry.

Please download CW-Shredder

Please download 'SpSeHjfix' to the desktop and then right click a blank part of desktop & select new folder, call it spfix. Unzip the file into that folder.

Disconnect from the net and Close ALL OPEN PROGRAMS.
Run 'SpSeHjfix' and click on "Start Disinfection".
When it's finished it will reboot your machine to finish the cleaning process.
The tool creates a log of the fix which will appear in the folder.

If it doesn't find any of the SE files or any hidden reinstallers, it will say system clean and not go on to next stage.

Now run the CWShredder - Hit The FIX button!

Reboot and post a fresh HJT log and the log that was created by 'SpSeHjfix'.

#4 igonuts2 (Topic Starter)

Posted 21 August 2005 - 05:31 PM

will do. one problem though,
can't access internet anymore. so i now have no way to get info from that pc to mine so i can post a log. i was emailing logs to my pc. no printer either.
maybe some of your steps might enable IE again?
i have to dl to my pc, burn to cd and walk 'em over to the pc in question.
any suggestions as to how to get info from the optiplex to my pc so i can post results?
i know your time is valuable so, it'll take me an hour or so to do your steps.

ty ty ty suebaby

Edited by igonuts2, 21 August 2005 - 05:42 PM.


#5 igonuts2 (Topic Starter)

Posted 21 August 2005 - 07:48 PM

thank you sue for your assistance,
SpSeHjfix is a zip file.
the infected pc doesn't have a zip file extraction program. i went to bc's tutorials and then dl'd the smallest one from CNET. the infected pc doesn't have enough mem for it. excuse my newb ignorance here but before it got bit there was 80% free on the hd. 80% of nothing is still nothing i know. i think some unauthorized program is occupying all the resources.
anyway, can i unzip it on my xp os and then burn it and walk the cd over to the infected one and install it w/o corrupting or otherwise compromising the program?
it just occurred to me that if there is no room for a zipfile program, how am i going to install other cleaning programs.

Edited by igonuts2, 21 August 2005 - 07:48 PM.


#6 igonuts2 (Topic Starter)

Posted 21 August 2005 - 09:26 PM

sue,
every time we boot up and try to do something (not even trying to get online) the resident av program window pops up with a trojan alert, "TR/StartPage.qr.DLL", "Blocked", "no further action" (can't delete or quarantine), so we click on OK and the window goes away. at the same time RUNDLL pops up with a window "Error loading", "C:\Windows\Temp\se.dll", "Access is Denied". we then click OK and window goes away. immediately the pc freezes. no access through start menu or task manager and we have to manually shut down. can we eliminate this problem by doing everything in safe mode?

summary;
Tea Timer is disabled.
CWShredder is installed to program files and a shortcut to it is on the desktop
SpSeHjfix is in its own folder on desktop, still zipped (see above reply). can i run it while it's still in the zipped folder?
SpywareBlaster is not on pc yet (due to lack of free space). dial-up is physically unplugged.

i am still a newb and don't want to damage someone else's pc, so i am hesitant to experiment with my ideas.

ty again & awaiting your advice,
Arne

#7 igonuts2 (Topic Starter)

Posted 22 August 2005 - 05:03 PM

hi sue,
i'm stuck on the first step.
i thought SpSeHjfix might have become corrupt so i dl'd another to my burner and inserted it into the infected pc.

just to make sure i'm doing this right i'll explain in detail what i did.

on the infected pc,
i right clicked "my computer" icon on the desktop and clicked on explore. window opened and in the left pane i clicked "D drive(cd)". in the right pane i did a drag & drop to the awaiting SpSeHjfix folder on desktop. i then closed the cd window. at this point all programs and windows were closed. i then opened the SpSeHjfix folder and double clicked on the SpSeHjfix icon. the following happens in either safe or normal boot; an "Imaging" pop up appears with red X "This document's format is invalid or is not supported".

i have repeated these steps three times.

there is one exception, in normal boot ONLY, when double clicking on SpSeHjfix to start the program, i receive the RUNDLL error loading C:\Windows\Temp\se.dll access denied, and the resident av program pops up with TR/StartPage.qr.DLL Blocked. i get rid of the av window by clicking OK. the av window does show an option to delete or quarantine the trojan but that's unsuccessful, so i just OK the "no further action" option that's pre checked. the RUNDLL error message is left down on the tool bar and not dealt with because if the message is OK'd the pc freezes.

just trying to relate to you everything that happens so you have all the info you might need to help.

i'm a patient person and will "Track This Topic" so whenever you can get back here is fine.

ty sue, very much,
Arne

#8 suebaby41

Posted 22 August 2005 - 09:09 PM

Yes. You can unzip the program on your computer and burn it to the CD to carry to the infected computer. If memory is a problem, uninstall one of the programs that has been installed previously in the infected computer. You can always reinstall it later. Until you can use SpSeHjfix, you will have problems getting the message “C:\Windows\Temp\se.dll access denied” because that is what the virus does and SpSeHjfix will fix it.

I apologise. I discovered that I had given you the wrong version of SpSeHjfix. However, when I was checking into it, I discovered that the one I should have given you had problems with 98 so it would not have worked either. The one below is an earlier version. Please delete the other one.

Please download 'SpSeHjfix' to the desktop and then right click a blank part of desktop & select new folder, call it spfix. Unzip the file into that folder.

Disconnect from the net and Close ALL OPEN PROGRAMS.
Run 'SpSeHjfix' and click on "Start Disinfection".
When it's finished it will reboot your machine to finish the cleaning process.
The tool creates a log of the fix which will appear in the folder.

If it doesn't find any of the SE files or any hidden reinstallers it will say system clean and not go on to next stage.

Warning Note: On a few occasions it has been reported that after using the SPSEHjfix, you cannot open Internet Explorer. To fix this, go into Control Panel >Internet Options >Programs & press reset web settings, then you can set your home page to what you want on the general tab.

Now run the CWShredder - Hit The FIX button!

Reboot and post a fresh HJT log and the log that was created by 'SpSeHjfix'.

Edited by suebaby41, 22 August 2005 - 09:13 PM.


#9 igonuts2 (Topic Starter)

Posted 22 August 2005 - 11:34 PM

ty sue,
i'll try it again, no problem.
ty

#10 suebaby41

Posted 23 August 2005 - 11:50 AM

I am not ready to give up yet. But, just in case it comes to this, does your neighbor have the Windows 98 installation disks? Reinstalling Windows 98 is the very last resort.

#11 igonuts2 (Topic Starter)

Posted 23 August 2005 - 02:56 PM

hi sue,
i gave my neighbor the pc and win98 disks. so we are good there. he didn't want a pc at first, but now he can't do without. all i wanted to really do was bring an "old schooler" into the 21st century and intro him to bc. i think i did that.

i'm in it for the learning curve and consider reinstalling the os as the easy way out. whatever you think is best though.

it might seem that i'm a little slow with replies here, but that's because my neighbor has a medical condition and sleeps a lot so i have to wait and we all have a life too. if he gets to the point that he puts the pc in the garbage, i won't abandon this thread. i'll let you know.

if we can get the pc net enabled again we will be ahead of the game.

this is some of the best education i've had in years!

ty again sue, if all goes well, i'll be posting later on tonight.

ty,
Arne

#12 suebaby41

Posted 23 August 2005 - 04:17 PM

After you are able to run the SPSeHjfix and CWShredder, remember to reboot and post a fresh HJT log and the log that was created by 'SpSeHjfix'.

Just think! Once we get done, you will be able to do all this for your own computer when you need to do so (hopefully, this does not happen to your computer); however, don't try the same fix for your computer unless you are using Windows 98 too. :thumbsup:

#13 igonuts2 (Topic Starter)

Posted 23 August 2005 - 06:19 PM

hi sue,
bad news. i get "This document's format is invalid or is not supported".
safe mode or not, same thing. i tried several times.

by the way, more bad news. i don't know how but no installation disks.

maybe he does have 'em still, or he may have tossed 'em. he has difficulty remembering things.

i'm just thinking, if i did something wrong.

i drag and drop from cd to desktop. i looked at properties of the program in the folder on desktop and they are zipped. so after double clicking on the program it extracts itself and executes, right? i don't see it unzip. but i don't know if that's normal. i have xp and i usually see that function. but then again, i'm not familiar with SpSeHjfix.

anyway, there i am. stuck again.

awaiting advice,
Arne

#14 suebaby41

Posted 23 August 2005 - 06:44 PM

Can you run CWShredder and HiJackThis on the infected computer?

#15 igonuts2 (Topic Starter)

Posted 23 August 2005 - 08:13 PM

haven't tried CWShredder. i've only read about it in the forums. never needed to use it.

HJT program works. i've never "fixed" with it. just scans. since it scans successfully, it should fix too i suppose (i hope).

about 4 outta 5 attempts at running any one task, let alone multiples, results in the pc freezing or crashing while in windows. is it possible to do any, if not all tasks in safe mode?

gonna go study the tutorial on cwshredder before we do this.

lemmie know what you want me to do.

ty,
Arne

since IE crashes or freezes every time, so far with no exception, how are we gonna update it?

so you know my resources;
XP SP2
DSL
CD-RW
no floppy

Edited by igonuts2, 23 August 2005 - 08:25 PM.




