Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HijackThis Log!


  • This topic is locked This topic is locked
3 replies to this topic

#1 ali6488

ali6488

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:01:50 AM

Posted 10 October 2005 - 12:19 AM

Hi, I have some weird malware: Egroup.IEAccess.C (Dialer). It keeps coming back with Microsoft AntiSpyware. If anyone can help me ty!!


Logfile of HijackThis v1.99.1
Scan saved at 12:15:36 AM, on 10/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Sanah\LOCALS~1\Temp\Temporary Directory 1 for HijackThis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.e4me.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MailSkinner] c:\program files\mailskinner\mailskinner.exe
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes...ion=4,3,2,20802
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {ACF93F61-9F60-4C1E-A015-E3B3812BD58C} (PVDMDocViewControls.PVDMDocView) - https://pv.mrioa.com/CABS/PVDMDocView400.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {D8B94E9A-A34B-4253-BF48-C7CB7F2CFDB0} - http://akamai.downloadv3.com/binaries/P2EC..._1046_EN_XP.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

BC AdBot (Login to Remove)

 


#2 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:02:50 AM

Posted 15 October 2005 - 03:54 PM

Welcome to the BleepingComputer forum. We are currently studying your log and will have instructions for you shortly. Thank you for your patience.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#3 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:02:50 AM

Posted 15 October 2005 - 06:32 PM

Step 1

There are several reasons for putting HiJackThis into its own folder.
  • HiJackThis is an analysis AND a repair tool. When you fix something in HiJackThis, you are deleting a bad entry in the Windows Registry. In case of a mistake being made, there is a reversal for line entry deletions. HiJackThis creates a new file which is a backup log of changes and you can reverse the line entry deletion. BUT...HiJackThis needs a safe folder to keep these critical backup logs and a temp folder is definitely not safe as you might run Disk Cleanup and delete them.
  • If you save HiJackThis to your desktop, you may easily lose track of the backup log in the wallpaper area (or someone might delete the backup file by dragging it to the Recycle Bin).
  • If you run HiJackThis from a zip folder, backups may not be made.
  • If you run HiJackThis from a Local Settings Temporary folder in XP or Windows 2000, when you post for help on a forum, the resulting text log will usually show your full name in a line entry since your Windows user profile is commonly named with your full name. When you copy and paste your log, HiJackThis provides a line entry showing the path to its running folder. If you use another folder like HiJackThis in the root of the C: drive (as recommended) then your Profile Name will NOT be displayed in the log.
Please download HiJackThis again, but don’t hit “Open”, but “Save as”.
  • Go to your desktop and hit “Save”.
  • After downloading, minimize all windows until you’re on your desktop.
  • Double-click on the zip file containing the HijackThis.exe file.
  • Select the HijackThis.exe, and hit the combination “Ctrl + C”.
  • Minimize the zip folder, and go to My Computer. Double-click on C:/, double-click on Program Files.
  • In the menu bar you’ll find “File”. Click it, then choose “New”, and then “Folder”.
  • Call this folder HiJackThis. Double-click to open this – new – folder.
  • Use the combination “Ctrl + V” to paste the HijackThis.exe into this folder. Close all other windows, and double-click on the HijackThis.exe in the folder you’ve just created.
  • Delete all other HiJackThis files and run HiJackThis log from this folder.
Step 2

Please download Spybot S&D

Using Spybot Search and Destroy To Remove Spyware From Your Computer <<Please check this link for instructions on how to download, install and use Spybot S&D. Run this program as soon as possible.

Step 3

Please download Ad-Aware SE

Using Ad-Aware To Remove Spyware From Your Computer <<Please check this link for instructions on how to download, install and use Ad-Aware. Run this program as soon as possible.

Step 4

To help prevent further infection, please download SpywareBlaster SpywareBlaster helps to:
  • Prevent the installation of ActiveX-based spyware, Ad-Aware, browser hijackers, dialers, and other potentially unwanted software.
  • Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
  • Restrict the actions of potentially unwanted sites in Internet Explorer.
Step 5

Please Download and Install Ewido
  • Please download Ewido Security Suite
  • After the download is complete, double click on the file to launch the install process.
  • During installation under the Additional Options menu, you will be asked if you want to "Install background guard (required for automatic updates)" and "Install scan via context menu". Please UNCHECK both of these options.
  • Once installation is complete, launch Ewido by double clicking the big "E" icon on your desktop. The program will prompt you to update click the 'OK' button.
  • The program will now go to the main screen. On the left hand side of the main screen, click on Update and then click 'Start Update'. The update will start and a progress bar will show the updates being installed. After the updates are installed, you will see 'Update Successful' in the lower left corner.
  • Click on 'Scanner' (the 3rd bar from the top on the left) and Choose 'Settings'
  • Please make sure 'Scan Every File' is selected. Finally, please click 'OK'
  • On the main screen, please select 'Complete System Scan' and the scan should begin.
  • While the scan is in progress, you will be prompted to clean the first infected file it finds. Choose clean, then put a check next to 'Perform action on all infections' . Doing this enables the scan to proceed automatically until its completion. Click OK.
  • When the scan is complete, click "Save Report". Your scan results will be saved in a text file.
Please submit that report with your next post.

If Ewido "crashes" or "hangs" during the scan, try scanning again by doing this:
  • Scan one sector of the system at a time by using the "Custom Scan" feature. To do this select Scanner > Custom Scan and click on Add drive/directory/file. Browse to C:\Windows > System, add this folder to the list and click on "Start Scan". When the scan is complete, repeat the Custom Scan but this time, browse to and add the System32 folder. Then keep repeating this procedure until all your folders have been scanned. Make sure you include the Documents & Settings folder.
  • If this still does not help, then turn the ADS scanner off while making a Custom Scan. To do this select Scanner > Scan Settings and uncheck "Scan in NTFS Alternate Data Streams". Then repeat the steps above for performing a Custom Scan.
Note: Ewido is a free trial product for 14 days. Since Ewido is a trial version, the realtime guard and automatic update will stop functioning after 14 days (which is the reason we uncheck them during installation). You can use Ewido as an on demand scanner (recommended) but you will have to manually update the definition file each time you scan by clicking on “Update” and “Start Update”.

If you decide to purchase Ewido, you can enable the 'Realtime Protect' and 'Automatic Update' functions by clicking on the 'Status' bar (Top left) and clicking on both items under "Your Security Status".

Step 6

When you have completed the scans, if you get a report of files that can’t be cleaned / deleted, please write down the filenames and locations and post that in your reply.

Step 7

Please download Cleanup! CleanUp! is a powerful and easy to use application that removes temporary files created while surfing the web, empties the Recycle Bin, deletes files from your temporary folders and more. Open CleanUp!, click on Options. Make sure that the following are checked:
  • Empty Recycle Bins
  • Delete cookies
  • Delete Prefetch files
  • Scan local drives for temporary files
  • CleanUp! All Users
The others are optional. Do not run it yet.
*IMPORTANT NOTE*
CleanUp deletes EVERYTHING out of your temp/temporary folders; it does not make backups.
If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!.

Step 8

We need to disable your Microsoft AntiSpyware Real-time Protection as it may interfere with the fixes that we need to make.
  • Right-click on the Microsoft Anti-Spyware tray icon by your clock (it's the one with the red and yellow bulls-eye).
  • Click on "Security Agents Status".
  • Click on "Disable real-time protection".
Open Microsoft Anti-Spyware.
  • Click on the Options menu, then Settings.
  • Select "Real Time Protection" from the left column.
  • Uncheck "Enable (MSAS) Security Agents" and "Enable real-time spyware threat protection".
  • Click the Save button.
  • Right-click on the MSAS tray icon, select "Shutdown Microsoft Antispyware".
  • Click "Yes" in the dialog that comes up.
After all of the fixes are complete, it is very important that you enable Real-time Protection again

You may want to print out this page. Make sure to work through the fixes in the order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Now we will address the HiJackThis fixes.

Please run HiJackThis and click "Scan." Place checks next to the following entries (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

O16 - DPF: {D8B94E9A-A34B-4253-BF48-C7CB7F2CFDB0} - http://akamai.downloadv3.com/binaries/P2EC..._1046_EN_XP.cab


Close all browsers and other windows except for HiJackThis, and click "Fix Checked" to have HiJackThis fix the entries you checked.

Step 9

Let’s run Cleanup to ensure no malware is hiding in temporary folders and for general computer cleanup to free space on your computer.

Step 10

Please run HiJackThis again and post a fresh log so I can make sure that all the malware was deleted according to plan
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#4 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:02:50 AM

Posted 15 December 2005 - 04:53 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users