Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HijackThis Log: Please Help Diagnose


  • This topic is locked This topic is locked
3 replies to this topic

#1 ahaile

ahaile

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:03:48 AM

Posted 27 May 2004 - 07:33 PM

I have run Spybot - Search & Destroy version 1.3 and let it fix all errors
found, but when I run Spybot again these two errors keep coming back:

DSO Exploit and CleverIEHooker.Jeired

I think I have found out how to get the above fixed, but could you please
look at the HiJackThis log below and tell me what other files can be deleted.

Thanks

Arnold

Logfile of HijackThis v1.97.7
Scan saved at 10:28:53 AM, on 5/27/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
c:\winnt\system32\srvany.Exe
C:\WINNT\system32\Winmgnt.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\PROMon.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\program files\support.com\bin\tgcmd.exe
C:\WINNT\System32\mzthbfdc.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\SBC\Connection Manager\CManager.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINNT\System32\mshta.exe
C:\WINNT\System32\mshta.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\SYSTEM32\FTP.EXE
C:\WINNT\SYSTEM32\FTP.EXE
C:\work\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hkcu
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hkcu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\Lycos\IEagent\CSIE.DLL
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [NetworkStartup] net share IPC$ /delete /yes
O4 - HKLM\..\Run: [Secure] net share ADMIN$ /delete /yes
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [otnpraq] C:\WINNT\System32\mzthbfdc.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pearland.biz
O17 - HKLM\System\CCS\Services\Tcpip\..\{FF0A5365-4AAB-453F-BB87-79E12A03918A}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pearland.biz
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pearland.biz

BC AdBot (Login to Remove)

 


#2 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,586 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:48 AM

Posted 27 May 2004 - 09:53 PM

Arnold, my man, the first thing you need to do is get rid of the W32.Blaster.B.Worm and then get yourself an antivirus and your operating system up to date. That includes updating Internet Explorer to SP1.

You can download a free BlasterB removal tool from here. Run that then go to Windows Update
http://v4.windowsupdate.microsoft.com/en/default.asp
and have SP4 installed. Reboot then go back and Have SP1 for IE installed. Then go back and and download ALL critical patches (it's best to do about four at a time until they're all done).

Then install an antivirus (AV). If you can't afford one you can get an adequate AV for free. Here are two:

avast!
AVG Free Edition

Also you should run AdAware in tandem with Spybot S&D. Please follow the instructions HERE.

Do all that and then post another log and we'll get you all cleaned up.

BTW, the DSO Exploit is nothing to worry about--if your system is fully patched. There's a bug in Spybot 1.3 is why it keeps coming up.

The thing about people

is they change

when they walk away.--Mipso


#3 ahaile

ahaile
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:03:48 AM

Posted 28 May 2004 - 12:02 PM

Thanks for the prompt reply. I have done the following:

1. Download FixBlast from Symantec and run to remove
the 32.Blaster.B.Worm virus.

2. Installed Windows 2000 SP4 and all critical updates including
IE 6.0 SP1.

3. Installed AdAware 1.681 and run 3 times until all errors were
corrected.

4. Run SpyBot S & D 1.3

5. Installed Symantec Internet Security software, including the
latest updates for both the firewall and virus programs.

6. Run complete virus scan on computer.

The system appears to be stable and no lingering effects of the virus.

Please let me know if you see anything in the log that needs attention.

Thanks for your help and I am making a donation. This is a tremendous
service and is much appreciated!

Arnold

Here is the HiJackThis log after doing the above:

Logfile of HijackThis v1.97.7
Scan saved at 10:29:15 AM, on 5/28/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
c:\winnt\system32\srvany.Exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINNT\system32\Winmgnt.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\PROMon.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\program files\support.com\bin\tgcmd.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINNT\System32\mzthbfdc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\SBC\Connection Manager\CManager.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\Program Files\Efficient Networks\EnterNet 300\app\EnterNet.exe
C:\work\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [NetworkStartup] net share IPC$ /delete /yes
O4 - HKLM\..\Run: [Secure] net share ADMIN$ /delete /yes
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [otnpraq] C:\WINNT\System32\mzthbfdc.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pearland.biz
O17 - HKLM\System\CCS\Services\Tcpip\..\{FF0A5365-4AAB-453F-BB87-79E12A03918A}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pearland.biz
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pearland.biz

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,504 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:48 AM

Posted 28 May 2004 - 12:34 PM

I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then click the Fix button

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O4 - HKLM\..\Run: [NetworkStartup] net share IPC$ /delete /yes Is this on purpose? If not definitely remove it
O4 - HKLM\..\Run: [Secure] net share ADMIN$ /delete /yes Is this on purpose? If not definitely remove it
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [otnpraq] C:\WINNT\System32\mzthbfdc.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

Reboot your computer into Safe Mode and delete the following files:

Then delete these
C:\Program Files\TV Media\ Delete entire directory
C:\WINNT\System32\mzthbfdc.exe
c:\installer\ Delete directory

Reboot your computer to go back to normal mode and post a new log.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users