
Help in tennessee


  • This topic is locked
1 reply to this topic

#1 delberthall

delberthall

  • Members
  • 2 posts
  • OFFLINE
  • Local time:01:29 PM

Posted 01 November 2004 - 08:18 PM

I am at my wits end. My daughter's computer is infested by a trojan and I have tried everything to kill it. Here is my Hijackthis log. Please help.

-DH


Logfile of HijackThis v1.98.2
Scan saved at 7:36:51 PM, on 11/1/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\Program Files\QuickTime\qttask.exe
C:\windows\temp\C09.exe
C:\documents and settings\default\local settings\temp\us4.exe
C:\documents and settings\default\local settings\temp\zLeymlvbm.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\Program Files\Microsoft Home Publishing\Mhprmind.exe
C:\Program Files\Microsoft Office\Office\Osa.exe
C:\Program Files\MSWorks\Calendar\Wkcalrem.exe
C:\Program Files\HP DeskJet 610C Series\ereg\Remind32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spykiller.com/index.asp?Ref=3251
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: Netscape - {4E7BD74F-2B8D-469E-D7EE-FE6FA781BF33} - C:\WINDOWS\DOWNLO~1\netscape.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Default\Local Settings\Temp\Gelwx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Netscape - {4E7BD74F-2B8D-469E-D7EE-FE6FA781BF33} - C:\WINDOWS\DOWNLO~1\netscape.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [37BW44G54#94KD] C:\WINDOWS\System32\Jel387h.exe
O4 - HKLM\..\Run: [C09.exe] C:\windows\temp\C09.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [us4.exe] C:\documents and settings\default\local settings\temp\us4.exe
O4 - HKLM\..\Run: [zLeymlvbm.exe] C:\documents and settings\default\local settings\temp\zLeymlvbm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [dssenh690n.exe] "C:\WINDOWS\System32\dssenh690n.exe"
O4 - HKCU\..\Run: [es642t.exe] "C:\WINDOWS\System32\es642t.exe"
O4 - HKCU\..\Run: [iedkcs32552m.exe] "C:\WINDOWS\System32\iedkcs32552m.exe"
O4 - HKCU\..\Run: [ipxrip315s.exe] "C:\WINDOWS\System32\ipxrip315s.exe"
O4 - HKCU\..\Run: [IS3Http891f.exe] "C:\WINDOWS\System32\IS3Http891f.exe"
O4 - HKCU\..\Run: [mqad434b.exe] "C:\WINDOWS\System32\mqad434b.exe"
O4 - HKCU\..\Run: [ole32500k.exe] "C:\WINDOWS\System32\ole32500k.exe"
O4 - HKCU\..\Run: [wshisn992f.exe] "C:\WINDOWS\System32\wshisn992f.exe"
O4 - HKCU\..\Run: [wzcsapi1039i.exe] "C:\WINDOWS\System32\wzcsapi1039i.exe"
O4 - Global Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
O4 - Global Startup: Reminder-hpc41003.lnk = C:\Program Files\HP DeskJet 610C Series\ereg\Remind32.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: (no name) - {0194C46F-636C-41DD-A79E-28BCED0C0A75} - (no file) (HKCU)
O9 - Extra button: (no name) - {0A64C684-C5C3-4855-8646-65E319B7BF8D} - (no file) (HKCU)
O9 - Extra button: (no name) - {0DD7921C-48B7-49C3-8F0B-8F596E335433} - (no file) (HKCU)
O9 - Extra button: (no name) - {1527ED51-7285-42BE-8D91-A8A0996521F1} - (no file) (HKCU)
O9 - Extra button: (no name) - {16DDD7FB-C3A5-4101-BD17-F39C8D963601} - (no file) (HKCU)
O9 - Extra button: (no name) - {1A085C22-1CAE-407A-8B8A-8E5D109AC8ED} - (no file) (HKCU)
O9 - Extra button: (no name) - {1FE354D2-634D-4D10-937C-303549234EDB} - (no file) (HKCU)
O9 - Extra button: (no name) - {21F24F60-8062-4377-B3EA-32C9F3945DF6} - (no file) (HKCU)
O9 - Extra button: (no name) - {2F2AAE8F-0744-4010-9307-D5C49605F41A} - (no file) (HKCU)
O9 - Extra button: (no name) - {3352C2F1-51C5-4024-BF1B-6A4BDC3399F2} - (no file) (HKCU)
O9 - Extra button: (no name) - {37BD63BB-EFD8-4454-B249-8E7A203C2692} - (no file) (HKCU)
O9 - Extra button: (no name) - {491EC5EF-D7E8-4B81-8683-D5A25701B56B} - (no file) (HKCU)
O9 - Extra button: (no name) - {4ECD1010-3C91-4BFE-A0B0-5870F4963E63} - (no file) (HKCU)
O9 - Extra button: (no name) - {50217EC4-962C-4D21-82F1-66D236172C2F} - (no file) (HKCU)
O9 - Extra button: (no name) - {55A68D09-3F1B-4A01-B5A1-9D1136044688} - (no file) (HKCU)
O9 - Extra button: (no name) - {5BE436F6-5B25-4B90-A212-7312DDCA2F7A} - (no file) (HKCU)
O9 - Extra button: (no name) - {5D53012C-FFB9-4F87-9288-C21C77D0F93D} - (no file) (HKCU)
O9 - Extra button: (no name) - {5E7E918B-61CE-49CB-A7A7-46F83F9A5AA7} - (no file) (HKCU)
O9 - Extra button: (no name) - {630B1E9D-2F3C-40EF-B97F-8F6B83641C1B} - (no file) (HKCU)
O9 - Extra button: (no name) - {67041BE7-49A4-40EE-9DEC-06F597DC0E8D} - (no file) (HKCU)
O9 - Extra button: (no name) - {6C44176B-9B6D-4E9A-9B86-B9413FF38071} - (no file) (HKCU)
O9 - Extra button: (no name) - {7795A196-97BB-49F4-A4DB-32747EDFD2D7} - (no file) (HKCU)
O9 - Extra button: (no name) - {809D6B1D-B226-4F7B-86C3-BAA9570A011B} - (no file) (HKCU)
O9 - Extra button: (no name) - {8EE417F0-6DA9-4880-B197-AB8C51EB3FA0} - (no file) (HKCU)
O9 - Extra button: (no name) - {95E43AE4-2697-46D6-A283-ED6C6A626B5C} - (no file) (HKCU)
O9 - Extra button: (no name) - {A1CCD52A-C585-40E4-9413-E7D1659EF7E8} - (no file) (HKCU)
O9 - Extra button: (no name) - {AD235260-EF4D-4A5A-8776-2AEE50E0C60C} - (no file) (HKCU)
O9 - Extra button: Dell Home - {AEF52560-AC7C-11D3-A7BE-008850C10000} - http://www.dell.com/ (file missing) (HKCU)
O9 - Extra button: (no name) - {C0E82CF3-9858-40D7-B371-B5F5CC29B0F6} - (no file) (HKCU)
O9 - Extra button: (no name) - {C7185A8D-31F6-4925-A44A-3CDE54347163} - (no file) (HKCU)
O9 - Extra button: (no name) - {C769BFBB-417F-4C00-877F-FA4F6ED7A69D} - (no file) (HKCU)
O9 - Extra button: (no name) - {C7DC7040-BA0F-4E0F-BA73-4AD518597B8B} - (no file) (HKCU)
O9 - Extra button: (no name) - {D5FF5192-5228-4B08-AF48-8FCC5F5F779C} - (no file) (HKCU)
O9 - Extra button: (no name) - {E1428B4E-8DBD-4197-B052-FA6F9868E8C0} - (no file) (HKCU)
O9 - Extra button: (no name) - {E3D4AE11-D60D-44B3-B222-75F53A418347} - (no file) (HKCU)
O9 - Extra button: (no name) - {EA0A6462-F173-43A8-BC9E-B0DB9E19FB51} - (no file) (HKCU)
O9 - Extra button: (no name) - {F7F5F7BE-7A3E-4DDB-85DD-9ED7C633A927} - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O16 - DPF: {4E7BD74F-2B8D-469E-D7EE-FE6FA781BF33} (Netscape) - http://downloads.netscape.com/search/toolbar/netscape.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\rmoc3260276f.dll



#2 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,738 posts
  • OFFLINE
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:12:29 PM

Posted 02 November 2004 - 03:13 PM

Hello delberthall and welcome to BleepingComputer.

Open Control Panel then Add/Remove Programs. Look for the following and uninstall them if found:

Web Rebates
Web Offers
WindUpdates
Viewpoint Media Player


You have T.V. Media installed. T.V. Media will prevent a proper installation of Windows XP Service Pack 2 (SP2). Download and run the Adware T.V. Media Removal Tool (KB 886590) from Microsoft.


You have a Peper infection. Download the removal tool to the desktop: Peper Removal Tool

YOU MUST BE ONLINE WHEN RUNNING IT and let it have access to pass the firewall.
Please run it twice, rebooting in between the first and second run.


Download LSPFix and unzip into its own folder. Run LSPFix. Move all instances of calsp.dll to the 'Remove' pane. Check the "I know what I'm doing" box, then click on Finish. Reboot.


Start HJT and click on the SCAN button. Put a check mark in front of the following lines if they still show:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spykiller.com/index.asp?Ref=3251
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)

O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Default\Local Settings\Temp\Gelwx.dll

O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [37BW44G54#94KD] C:\WINDOWS\System32\Jel387h.exe
O4 - HKLM\..\Run: [C09.exe] C:\windows\temp\C09.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [us4.exe] C:\documents and settings\default\local settings\temp\us4.exe
O4 - HKLM\..\Run: [zLeymlvbm.exe] C:\documents and settings\default\local settings\temp\zLeymlvbm.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [dssenh690n.exe] "C:\WINDOWS\System32\dssenh690n.exe"
O4 - HKCU\..\Run: [es642t.exe] "C:\WINDOWS\System32\es642t.exe"
O4 - HKCU\..\Run: [iedkcs32552m.exe] "C:\WINDOWS\System32\iedkcs32552m.exe"
O4 - HKCU\..\Run: [ipxrip315s.exe] "C:\WINDOWS\System32\ipxrip315s.exe"
O4 - HKCU\..\Run: [IS3Http891f.exe] "C:\WINDOWS\System32\IS3Http891f.exe"
O4 - HKCU\..\Run: [mqad434b.exe] "C:\WINDOWS\System32\mqad434b.exe"
O4 - HKCU\..\Run: [ole32500k.exe] "C:\WINDOWS\System32\ole32500k.exe"
O4 - HKCU\..\Run: [wshisn992f.exe] "C:\WINDOWS\System32\wshisn992f.exe"
O4 - HKCU\..\Run: [wzcsapi1039i.exe] "C:\WINDOWS\System32\wzcsapi1039i.exe"

O9 - Extra button: (no name) - {0194C46F-636C-41DD-A79E-28BCED0C0A75} - (no file) (HKCU)
O9 - Extra button: (no name) - {0A64C684-C5C3-4855-8646-65E319B7BF8D} - (no file) (HKCU)
O9 - Extra button: (no name) - {0DD7921C-48B7-49C3-8F0B-8F596E335433} - (no file) (HKCU)
O9 - Extra button: (no name) - {1527ED51-7285-42BE-8D91-A8A0996521F1} - (no file) (HKCU)
O9 - Extra button: (no name) - {16DDD7FB-C3A5-4101-BD17-F39C8D963601} - (no file) (HKCU)
O9 - Extra button: (no name) - {1A085C22-1CAE-407A-8B8A-8E5D109AC8ED} - (no file) (HKCU)
O9 - Extra button: (no name) - {1FE354D2-634D-4D10-937C-303549234EDB} - (no file) (HKCU)
O9 - Extra button: (no name) - {21F24F60-8062-4377-B3EA-32C9F3945DF6} - (no file) (HKCU)
O9 - Extra button: (no name) - {2F2AAE8F-0744-4010-9307-D5C49605F41A} - (no file) (HKCU)
O9 - Extra button: (no name) - {3352C2F1-51C5-4024-BF1B-6A4BDC3399F2} - (no file) (HKCU)
O9 - Extra button: (no name) - {37BD63BB-EFD8-4454-B249-8E7A203C2692} - (no file) (HKCU)
O9 - Extra button: (no name) - {491EC5EF-D7E8-4B81-8683-D5A25701B56B} - (no file) (HKCU)
O9 - Extra button: (no name) - {4ECD1010-3C91-4BFE-A0B0-5870F4963E63} - (no file) (HKCU)
O9 - Extra button: (no name) - {50217EC4-962C-4D21-82F1-66D236172C2F} - (no file) (HKCU)
O9 - Extra button: (no name) - {55A68D09-3F1B-4A01-B5A1-9D1136044688} - (no file) (HKCU)
O9 - Extra button: (no name) - {5BE436F6-5B25-4B90-A212-7312DDCA2F7A} - (no file) (HKCU)
O9 - Extra button: (no name) - {5D53012C-FFB9-4F87-9288-C21C77D0F93D} - (no file) (HKCU)
O9 - Extra button: (no name) - {5E7E918B-61CE-49CB-A7A7-46F83F9A5AA7} - (no file) (HKCU)
O9 - Extra button: (no name) - {630B1E9D-2F3C-40EF-B97F-8F6B83641C1B} - (no file) (HKCU)
O9 - Extra button: (no name) - {67041BE7-49A4-40EE-9DEC-06F597DC0E8D} - (no file) (HKCU)
O9 - Extra button: (no name) - {6C44176B-9B6D-4E9A-9B86-B9413FF38071} - (no file) (HKCU)
O9 - Extra button: (no name) - {7795A196-97BB-49F4-A4DB-32747EDFD2D7} - (no file) (HKCU)
O9 - Extra button: (no name) - {809D6B1D-B226-4F7B-86C3-BAA9570A011B} - (no file) (HKCU)
O9 - Extra button: (no name) - {8EE417F0-6DA9-4880-B197-AB8C51EB3FA0} - (no file) (HKCU)
O9 - Extra button: (no name) - {95E43AE4-2697-46D6-A283-ED6C6A626B5C} - (no file) (HKCU)
O9 - Extra button: (no name) - {A1CCD52A-C585-40E4-9413-E7D1659EF7E8} - (no file) (HKCU)
O9 - Extra button: (no name) - {AD235260-EF4D-4A5A-8776-2AEE50E0C60C} - (no file) (HKCU)
O9 - Extra button: Dell Home - {AEF52560-AC7C-11D3-A7BE-008850C10000} - http://www.dell.com/ (file missing) (HKCU)
O9 - Extra button: (no name) - {C0E82CF3-9858-40D7-B371-B5F5CC29B0F6} - (no file) (HKCU)
O9 - Extra button: (no name) - {C7185A8D-31F6-4925-A44A-3CDE54347163} - (no file) (HKCU)
O9 - Extra button: (no name) - {C769BFBB-417F-4C00-877F-FA4F6ED7A69D} - (no file) (HKCU)
O9 - Extra button: (no name) - {C7DC7040-BA0F-4E0F-BA73-4AD518597B8B} - (no file) (HKCU)
O9 - Extra button: (no name) - {D5FF5192-5228-4B08-AF48-8FCC5F5F779C} - (no file) (HKCU)
O9 - Extra button: (no name) - {E1428B4E-8DBD-4197-B052-FA6F9868E8C0} - (no file) (HKCU)
O9 - Extra button: (no name) - {E3D4AE11-D60D-44B3-B222-75F53A418347} - (no file) (HKCU)
O9 - Extra button: (no name) - {EA0A6462-F173-43A8-BC9E-B0DB9E19FB51} - (no file) (HKCU)
O9 - Extra button: (no name) - {F7F5F7BE-7A3E-4DDB-85DD-9ED7C633A927} - (no file) (HKCU)

O20 - AppInit_DLLs: C:\WINDOWS\System32\rmoc3260276f.dll

With ALL OTHER WINDOWS CLOSED, click on Fix Checked.


Reboot into Safe Mode and enable viewing of Hidden and System files. Open Windows Explorer (Windows key+e), drill down and delete the following files and folders if found:

Files
C:\windows\temp\C09.exe
C:\Documents and Settings\Default\Local Settings\Temp\Gelwx.dll
C:\documents and settings\default\local settings\temp\us4.exe
C:\documents and settings\default\local settings\temp\zLeymlvbm.exe
C:\WINDOWS\System32\Jel387h.exe
C:\WINDOWS\System32\dssenh690n.exe
C:\WINDOWS\System32\es642t.exe
C:\WINDOWS\System32\iedkcs32552m.exe
C:\WINDOWS\System32\ipxrip315s.exe
C:\WINDOWS\System32\IS3Http891f.exe
C:\WINDOWS\System32\mqad434b.exe
C:\WINDOWS\System32\ole32500k.exe
C:\WINDOWS\System32\wshisn992f.exe
C:\WINDOWS\System32\wzcsapi1039i.exe

Folders
C:\Program Files\Web_Rebates\
C:\Program Files\WindUpdates\
C:\Program Files\Viewpoint\
C:\Program Files\TV Media\
C:\PROGRA~1\Web Offer\


Your log shows that you are seriously behind on Windows updates. It is essential that you update your Windows before we continue as otherwise the infections could reoccur. Open this link to the Windows XP Service Pack 1a page, select Express Installation and follow the instructions to download/install Service Pack 1a (SP1a). Reboot when requested then return to Windows Update and install any remaining Critical Updates.

Hold off on SP2 for now - some malware can cause problems when installing that Service Pack and we need to be sure you are clear before proceeding with SP2.


Post a new HJT log.

==========
Derfram
~~~~~~
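The reply above works through the log by hand: autostart entries whose files sit in a temp directory, a BHO loaded from Temp, an unrecognized Winsock LSP, an AppInit_DLLs entry, a hosts-file redirect, and a run of System32 executables with random-looking numeric suffixes. The script below is an added example (Python, not code from this thread, from HijackThis or from BleepingComputer) that applies those same triage rules to HijackThis-style log lines. The sample input is a constructed excerpt of the log posted above; the section regex, the path regex and the "random numeric suffix" rule are my own heuristics, not rules HijackThis applies.

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis log posted
# above, one or two of each type that matters for triage.
SAMPLE_LOG = r"""
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Default\Local Settings\Temp\Gelwx.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [C09.exe] C:\windows\temp\C09.exe
O4 - HKCU\..\Run: [dssenh690n.exe] "C:\WINDOWS\System32\dssenh690n.exe"
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\rmoc3260276f.dll
"""

# "O4 - HKLM\..\Run: ..." -> section "O4", body "HKLM\..\Run: ..."
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
# First Windows path in the body, up to and including a binary extension.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"]*?\.(?:exe|dll|ocx)", re.IGNORECASE)
# Heuristic (mine, not HijackThis'): a stem such as dssenh690n or rmoc3260276f,
# i.e. letters followed by three or more digits and one trailing letter.
RANDOM_NAME_RE = re.compile(r"[a-z]\d{3,}[a-z]$", re.IGNORECASE)


def parse_entry(line):
    """Split one log line into its HJT section code, body and file path."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # process list, header lines, blank lines
    body = m.group("body")
    pm = PATH_RE.search(body)
    return {
        "section": m.group("section"),
        "body": body,
        "path": pm.group(0) if pm else None,
        "line": line.strip(),
    }


def reasons_for(entry):
    """Return the triage reasons that apply to one parsed entry (empty if none)."""
    reasons = []
    section, path = entry["section"], entry["path"]
    if section == "O1":
        reasons.append("hosts-file redirect")
    if section == "O10":
        reasons.append("Winsock LSP that HijackThis does not recognize")
    if section == "O20":
        reasons.append("AppInit_DLLs entry (DLL loaded into every user-mode process)")
    if path:
        lowered = path.lower()
        if "\\temp\\" in lowered:
            reasons.append("autostart/BHO file lives in a temp directory")
        stem = lowered.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if RANDOM_NAME_RE.search(stem):
            reasons.append("system-like name with random numeric suffix")
    return reasons


def analyze(log_text):
    """Return the flagged entries of a log, each with its path and reasons."""
    findings = []
    for raw in log_text.splitlines():
        entry = parse_entry(raw)
        if entry is None:
            continue
        reasons = reasons_for(entry)
        if reasons:
            findings.append({"line": entry["line"], "path": entry["path"], "reasons": reasons})
    return findings


def flagged_paths(log_text):
    """Just the file paths of flagged entries, in log order (hosts entries have none)."""
    return [f["path"] for f in analyze(log_text) if f["path"]]


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding["line"])
        for reason in finding["reasons"]:
            print("    ->", reason)
```

Run against the sample, the script leaves the Spybot BHO and the AVG autostart alone and flags exactly the six lines the reply singles out for fixing or deleting; the rules are deliberately narrow (temp directory, unknown LSP, AppInit_DLLs, hosts redirect, random suffix) so that a legitimate entry with an ordinary name under Program Files never trips them.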



