
Hijack this log


  • This topic is locked
4 replies to this topic

#1 guaranteed

guaranteed

  • Members
  • 8 posts

Posted 20 August 2005 - 03:59 PM

I have run AVG and Ad-Aware after updating. Also Windows Update. Ran in Safe Mode. Removed all temp internet files and Windows temp files. Ran Stinger.
SE.dll seems to be the main culprit.

Logfile of HijackThis v1.99.1
Scan saved at 3:44:50 PM, on 8/20/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/space.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/space.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_18_0.DLL
O2 - BHO: (no name) - {DB4CE4C1-0D08-11DA-9118-000857B7301D} - C:\WINDOWS\SYSTEM\KAON.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_18_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\SYSTEM\intel32.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O18 - Filter: text/html - {6D44F5E3-1176-11DA-9118-0008C0654FB7} - C:\WINDOWS\SYSTEM\KAON.DLL
O18 - Filter: text/plain - {6D44F5E3-1176-11DA-9118-0008C0654FB7} - C:\WINDOWS\SYSTEM\KAON.DLL
O21 - SSODL: HObkVFUgvAeliW - {40661CEA-EACC-B640-4B19-8BF469C91147} - C:\WINDOWS\SYSTEM\PEXE.DLL



#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender: Female
  • Location: Belgium

Posted 22 August 2005 - 04:13 AM

Hello,

Download smitRem and save the file to your desktop.
Double-click it and choose install. This will create a new folder on your desktop with the name smitrem.

* Please update your Ad-Aware SE!! Make sure you have the latest version!
Don't run it yet!

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/space.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/space.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {DB4CE4C1-0D08-11DA-9118-000857B7301D} - C:\WINDOWS\SYSTEM\KAON.DLL
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\SYSTEM\intel32.exe
O18 - Filter: text/html - {6D44F5E3-1176-11DA-9118-0008C0654FB7} - C:\WINDOWS\SYSTEM\KAON.DLL
O18 - Filter: text/plain - {6D44F5E3-1176-11DA-9118-0008C0654FB7} - C:\WINDOWS\SYSTEM\KAON.DLL
O21 - SSODL: HObkVFUgvAeliW - {40661CEA-EACC-B640-4B19-8BF469C91147} - C:\WINDOWS\SYSTEM\PEXE.DLL


* Click on Fix Checked when finished and exit HijackThis.

* Reboot into Safe Mode: (without networking support!)

* Using Windows Explorer, locate the following files and delete them:

C:\WINDOWS\SYSTEM\PEXE.DLL
C:\WINDOWS\SYSTEM\KAON.DLL

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

Open Ad-aware and do a full scan. Remove all it finds.

Reboot back to normal mode.

Download SpSeHjfix: http://www.derbilk.de/404.html
Choose the right version for your system.
Unzip it to your desktop.

Start SpSeHjfix and click "Start disinfection"

Let it finish the job.

Restore your web settings: Go to Start > Control Panel > Internet Options > Programs tab.
Click: "Restore Web Settings"

When done, post a new HijackThis log together with the log that SpSeHjfix produced (it's in the same folder as SpSeHjfix) and the log from smitRem. You'll find it on your C:\ with the name smitfiles.txt
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
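As an added example (not from this thread, from HijackThis or from the tools named above), here is a small Python triage script that encodes the patterns behind the entries miekiemoes asked to fix in post #2 and runs them over a constructed subset of the log from post #1. The rules are heuristics for narrowing down a log for review, not a substitute for the human read-through the helper did.

```python
import re

# Constructed sample: a subset of the HijackThis v1.99.1 lines posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/space.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_18_0.DLL
O2 - BHO: (no name) - {DB4CE4C1-0D08-11DA-9118-000857B7301D} - C:\WINDOWS\SYSTEM\KAON.DLL
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\SYSTEM\intel32.exe
O18 - Filter: text/html - {6D44F5E3-1176-11DA-9118-0008C0654FB7} - C:\WINDOWS\SYSTEM\KAON.DLL
O21 - SSODL: HObkVFUgvAeliW - {40661CEA-EACC-B640-4B19-8BF469C91147} - C:\WINDOWS\SYSTEM\PEXE.DLL
"""

# Every HJT entry starts with a section tag (R0, R1, O2, O4, ...) followed by " - ".
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")

def classify(section: str, body: str):
    """Return a reason string if the entry matches a hijack pattern, else None."""
    if section in ("R0", "R1"):
        key, _, value = body.partition(" = ")
        if value.lower().startswith("res://") and "\\temp\\" in value.lower():
            return "IE search/start page redirected to a DLL resource in a TEMP folder"
        if key.endswith(("HomeOldSP", "SearchAssistant")) and value == "about:blank":
            return "about:blank hijack marker (HomeOldSP/SearchAssistant)"
    elif section == "O2" and body.startswith("BHO: (no name)"):
        return "unnamed Browser Helper Object"
    elif section == "O4":
        m = re.search(r"\[(?P<name>[^\]]+)\] (?P<path>\S+)", body)
        if m and m.group("name").lower().endswith(".exe") \
                and "\\windows\\system\\" in m.group("path").lower():
            return "Run entry named after an .exe dropped in the system folder"
    elif section == "O18" and body.startswith(("Filter: text/html", "Filter: text/plain")):
        return "MIME filter on text/html or text/plain (page content passes through this DLL)"
    elif section == "O21":
        return "ShellServiceObjectDelayLoad entry (loaded by Explorer at every start)"
    return None

def triage(log_text: str):
    """Parse HJT lines and return the ones worth a closer look, with reasons."""
    hits = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        reason = classify(m.group("sec"), m.group("body"))
        if reason:
            hits.append({"section": m.group("sec"), "reason": reason, "line": raw.strip()})
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit['section']}: {hit['reason']}\n    {hit['line']}")
```

On the sample, the two Yahoo and AVG entries pass and the other six are flagged, which matches the set of lines the helper had checked in post #2.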

#3 guaranteed

guaranteed
  • Topic Starter

  • Members
  • 8 posts

Posted 23 August 2005 - 03:18 PM

Done, thank you. Sorry to be so long in getting back. Our area had some DSL problems. Below are files you requested.

smitRem log file
version 2.3

by noahdfear


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system folder ~~~


oleadm.dll


~~~ Icons in system folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~~ wininet.dll ~~~~

wininet.dll Present!!


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system folder ~~~


oleadm.dll


~~~ Icons in system folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~~ wininet.dll ~~~~

wininet.dll INFECTED!! :thumbsup:



(8/20/05 7:22:00 PM) SPSeHjFix started v1.09
(8/20/05 7:22:00 PM) OS: Win98SE A (4.10.67766446)
(8/20/05 7:22:00 PM) Language: english
(8/20/05 7:22:08 PM) Disinfect started
(8/20/05 7:22:08 PM) Bad-Dll(IEP): (not found)
(8/20/05 7:22:08 PM) Bad-Dll(IEP) in BHO: (not found)
(8/20/05 7:22:08 PM) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINDOWS\SYSTEM\KAON.DLL
(8/20/05 7:22:08 PM) Searchassistant Uninstaller - Keys Deleted
(8/20/05 7:22:08 PM) UBF: 5
(8/20/05 7:22:08 PM) UBB: 1
(8/20/05 7:22:08 PM) FilterKey: HKCR\text/html (deleted)
(8/20/05 7:22:08 PM) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(8/20/05 7:22:08 PM) FilterKey: HKCR\CLSID\{6D44F5E3-1176-11DA-9118-0008C0654FB7} (deleted)
(8/20/05 7:22:08 PM) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BB3DC006-1190-11DA-9118-0008614CBA16} (deleted)
(8/20/05 7:22:08 PM) BHO-Key: HKCR\CLSID\{BB3DC006-1190-11DA-9118-0008614CBA16} (deleted)
(8/20/05 7:22:08 PM) UBR: 11
(8/20/05 7:22:08 PM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(8/20/05 7:22:08 PM) Stealth-String not found:
(8/20/05 7:22:08 PM) File added to delete: c:\windows\system\kaon.dll
(8/20/05 7:22:08 PM) File added to delete: c:\windows\system\kaon.dll
(8/20/05 7:22:08 PM) Reboot
(8/20/05 7:23:35 PM) SPSeHjFix 2nd Step
(8/20/05 7:23:36 PM) RunServicesOnce-Key: (edited)
(8/20/05 7:23:52 PM) Cleaned


(8/22/05 8:37:14 AM) SPSeHjFix started v1.09
(8/22/05 8:37:14 AM) OS: Win98SE A (4.10.67766446)
(8/22/05 8:37:14 AM) Language: english
(8/22/05 8:37:20 AM) Disinfect started
(8/22/05 8:37:20 AM) Bad-Dll(IEP): (not found)
(8/22/05 8:37:20 AM) Bad-Dll(IEP) in BHO: (not found)
(8/22/05 8:37:20 AM) UBF: 4
(8/22/05 8:37:20 AM) UBB: 0
(8/22/05 8:37:20 AM) UBR: 11
(8/22/05 8:37:20 AM) Bad IE-pages:
(8/22/05 8:37:20 AM) Stealth-String not found:
(8/22/05 8:37:20 AM) Not infected->END


(8/23/05 3:59:41 PM) SPSeHjFix started v1.09
(8/23/05 3:59:41 PM) OS: Win98SE A (4.10.67766446)
(8/23/05 3:59:41 PM) Language: english
(8/23/05 3:59:46 PM) Disinfect started
(8/23/05 3:59:46 PM) Bad-Dll(IEP): (not found)
(8/23/05 3:59:46 PM) Bad-Dll(IEP) in BHO: (not found)
(8/23/05 3:59:46 PM) UBF: 4
(8/23/05 3:59:46 PM) UBB: 0
(8/23/05 3:59:46 PM) UBR: 10
(8/23/05 3:59:46 PM) Bad IE-pages:
(8/23/05 3:59:46 PM) Stealth-String not found:
(8/23/05 3:59:46 PM) Not infected->END

Logfile of HijackThis v1.99.1
Scan saved at 4:03:55 PM, on 8/23/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_18_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_18_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender: Female
  • Location: Belgium

Posted 23 August 2005 - 03:48 PM

Hello,

Ok, it seems like your wininet.dll is infected. Wininet.dll is a legit file though, so we may not delete it.

But we have to disinfect it. The problem is, when wininet.dll is deleted you can't open IE anymore, and Explorer won't load anymore either. So please read very carefully how to fix this...

Open your C:\windows\system folder and COPY (don't MOVE) the wininet.dll present in your system folder to your desktop.

Reboot afterwards.

Now we are going to disinfect the wininet.dll that is present on your desktop. We can't disinfect the one that is present in your system folder, because it is in use and won't get disinfected. But we can disinfect the copy that is present on your desktop. :thumbsup:

So, go to the next online scanner:
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

Let it update first, so please be patient.

After the update, you'll see that you can also choose separate files to scan.
So expand there... C > windows > desktop > wininet.dll
Click start scan.
Then click CURE (not delete) !!

Close the online scanner.

Then, I want you to go to the next site:
http://virusscan.jotti.org/

On top you'll find: File to upload and scan.
Now browse to the next file:

C:\Windows\desktop\wininet.dll

Click submit and let it scan.
Post the results in your next reply.

Please, don't scan the wininet.dll present in your C:\Windows\System folder. I need the scan of the one present on your desktop.
When that one is really clean, then we can proceed with the fix, but first I want to be sure it's clean. :flowers:

#5 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender: Female
  • Location: Belgium

Posted 09 September 2005 - 09:03 AM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



