
HJT log - kerque


7 replies to this topic

#1 kerque

kerque

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:30 PM

Posted 16 December 2004 - 11:56 AM

I can't seem to get rid of Home Search and Only The Best. I think I know what to get rid of but I need a more informed opinion. Thanks in advance for your help. Here's my log:

Logfile of HijackThis v1.98.2
Scan saved at 10:45:21 AM, on 12/16/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\NTTW32.EXE
C:\WINDOWS\SYSTEM\SYSRC32.EXE
C:\WINDOWS\CRFC32.EXE
C:\WINDOWS\D3OJ32.EXE
C:\WINDOWS\SYSTEM\NTZS.EXE
C:\WINDOWS\JAVAQS.EXE
C:\WINDOWS\SYSTEM\MSZL.EXE
C:\WINDOWS\SYSTEM\ADDCC32.EXE
C:\WINDOWS\SYSTEM\JAVAKD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\EARTHLINK 5.0\CONMGR.EXE
C:\PROGRAM FILES\EARTHLINK 5.0\UPDATEMGR.EXE
C:\PROGRAM FILES\U.S. ROBOTICS\INSTANT UPDATE\INSTUPDT.EXE
C:\PROGRAM FILES\HP DESKJET 880C SERIES\EREG\REMIND32.EXE
C:\PROGRAM FILES\EARTHLINK 5.0\ETOOLBAR.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\MRTMNGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\EARTHLINK 5.0\FASTLANE\ARUPLD32.EXE
C:\PROGRAM FILES\EARTHLINK 5.0\BROWSER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\saquu.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\saquu.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\saquu.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\saquu.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\saquu.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - Default URLSearchHook is missing
F1 - win.ini: run=hpfsched
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Class - {80B33B79-1F61-0E51-5E5F-50ABCB2254F5} - C:\WINDOWS\SYSTEM\IEDU.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ConMgr.exe] "C:\PROGRAM FILES\EARTHLINK 5.0\CONMGR.EXE"
O4 - HKLM\..\Run: [UpdateMgr.exe] "C:\PROGRAM FILES\EARTHLINK 5.0\UPDATEMGR.EXE" /NOCM
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [NTTW32.EXE] C:\WINDOWS\SYSTEM\NTTW32.EXE
O4 - HKLM\..\RunServices: [NTZS.EXE] C:\WINDOWS\SYSTEM\NTZS.EXE
O4 - HKLM\..\RunServices: [ADDCC32.EXE] C:\WINDOWS\SYSTEM\ADDCC32.EXE
O4 - HKLM\..\RunServices: [MSZL.EXE] C:\WINDOWS\SYSTEM\MSZL.EXE
O4 - HKLM\..\RunServices: [SYSRC32.EXE] C:\WINDOWS\SYSTEM\SYSRC32.EXE
O4 - HKLM\..\RunServices: [JAVAQS.EXE] C:\WINDOWS\JAVAQS.EXE
O4 - HKLM\..\RunServices: [CRFC32.EXE] C:\WINDOWS\CRFC32.EXE
O4 - HKLM\..\RunServices: [JAVAKD.EXE] C:\WINDOWS\SYSTEM\JAVAKD.EXE
O4 - HKLM\..\RunServices: [D3OJ32.EXE] C:\WINDOWS\D3OJ32.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Instant Update.lnk = C:\Program Files\U.S. Robotics\Instant Update\InstUpDt.exe
O4 - Startup: Reminder-hpc41001.lnk = C:\Program Files\HP DeskJet 880C Series\ereg\Remind32.exe
O4 - Startup: EarthLink ToolBar 5.0.lnk = C:\Program Files\EarthLink 5.0\etoolbar.exe
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://d:\foo.mht!http://t058.com/inst//x.chm::/open.exe


#2 raw

raw

    Bleeping Hacker


  • Members
  • 2,577 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Texas
  • Local time:02:30 PM

Posted 16 December 2004 - 02:24 PM

Go here to download the free version of Grisoft's AVG AntiVirus program.

Install the program, check for updates and scan your system allowing it to remove whatever it finds.
====================================
Please download a-squared
http://www.emsisoft.com/en/software/free/
The program is free, but you will need to register.
Let it scan and remove all trojans.

Then post a new log.

rawsig.png

 rawcreations.net          @raw_creations


Current systems: WHAT OS, BackTrack-raw, PCLinuxOS, Peppermint OS 6, Kali Linux

and a custom Linux From Scratch server hosting a bunch of top secret stuff.


#3 kerque

kerque
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:30 PM

Posted 17 December 2004 - 01:37 PM

New log. Ran Ad-Aware, AVG, and a2. Looks identical.

Logfile of HijackThis v1.98.2
Scan saved at 12:35:06 PM, on 12/17/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\EARTHLINK 5.0\CONMGR.EXE
C:\PROGRAM FILES\EARTHLINK 5.0\UPDATEMGR.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\U.S. ROBOTICS\INSTANT UPDATE\INSTUPDT.EXE
C:\PROGRAM FILES\HP DESKJET 880C SERIES\EREG\REMIND32.EXE
C:\PROGRAM FILES\EARTHLINK 5.0\ETOOLBAR.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\MRTMNGR.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\EARTHLINK 5.0\FASTLANE\ARUPLD32.EXE
C:\PROGRAM FILES\EARTHLINK 5.0\BROWSER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\nnjsg.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\nnjsg.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\nnjsg.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\nnjsg.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\nnjsg.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - Default URLSearchHook is missing
F1 - win.ini: run=hpfsched
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Class - {68F0E283-684D-FC42-3C24-C144CBB27B3F} - C:\WINDOWS\SYSTEM\ATLIW.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ConMgr.exe] "C:\PROGRAM FILES\EARTHLINK 5.0\CONMGR.EXE"
O4 - HKLM\..\Run: [UpdateMgr.exe] "C:\PROGRAM FILES\EARTHLINK 5.0\UPDATEMGR.EXE" /NOCM
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Instant Update.lnk = C:\Program Files\U.S. Robotics\Instant Update\InstUpDt.exe
O4 - Startup: Reminder-hpc41001.lnk = C:\Program Files\HP DeskJet 880C Series\ereg\Remind32.exe
O4 - Startup: EarthLink ToolBar 5.0.lnk = C:\Program Files\EarthLink 5.0\etoolbar.exe
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O15 - Trusted Zone: *.awmdabest.com
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://d:\foo.mht!http://t058.com/inst//x.chm::/open.exe

#4 raw

raw

    Bleeping Hacker


  • Members
  • 2,577 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Texas
  • Local time:02:30 PM

Posted 17 December 2004 - 02:05 PM

Ok, basics are done. Please try not to reboot while I prepare a fix, as these files tend to morph.
=======================================
You are using an old version of HijackThis, please download the latest version.

Download Hijackthis:
http://www.spywareinfo.com/~merijn/files/hijackthis.zip

http://computercops.biz/downloads-cat-14.html

If you cannot reach either site it is available from my signature.
============================================
Please download FindIt.zip to your desktop, unzip it, then double-click on it to run it.
It should run for a few seconds, then open a text document.
Please copy and paste the contents of that document here.
Once that's done, close the text file and then press a key and the batch file will clean up after itself and end.
===================================
Next, please download DLL Compare to your desktop.

Start Dll Compare, then click on "Run Locate.com". When it tells you that's finished, click on "Compare" at the bottom right. When that finishes, click "Make a Log of What was Found" and answer "Yes" to View Log file. Copy and paste the contents of that log here.

Please also open the c:\Windows\System32 folder and see if there's a file there called Guard.tmp visible and report that here as well.

Edited by raw, 17 December 2004 - 02:06 PM.

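The two logs above show what raw means by files that "morph": between the first and second scan the search-hijack DLL changed from saquu.dll to nnjsg.dll and the nameless BHO changed from IEDU.DLL to ATLIW.DLL, while every other entry stayed put. The following Python script is an added example, not code from HijackThis or from anyone in this thread. It parses HijackThis-style lines, flags the entry patterns raw goes on to have fixed (res:// search pages, a BHO whose only name is "Class", unknown RunServices executables in the Windows directory, O15 Trusted Zone entries, and an O16 DPF that pulls a CHM over ms-its:), and diffs two scans with file names and GUIDs masked so renamed copies of the same entry pair up. The KNOWN_SYSTEM allowlist and the flagging heuristics are assumptions made for this example, and the two sample logs are constructed, abbreviated copies of the thread's own lines.

```python
"""Triage helper for HijackThis-style log lines (added example, not HijackThis's own
code). Flags common hijack entry patterns and diffs two scans so that a file that
"morphed" (same role, new random name) stands out."""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "kind detail")

# Constructed samples, abbreviated from the first two logs posted in the thread.
LOG_A = r"""Logfile of HijackThis v1.98.2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\saquu.dll/sp.html#14044
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Class - {80B33B79-1F61-0E51-5E5F-50ABCB2254F5} - C:\WINDOWS\SYSTEM\IEDU.DLL
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [NTTW32.EXE] C:\WINDOWS\SYSTEM\NTTW32.EXE
O15 - Trusted Zone: *.awmdabest.com
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://d:\foo.mht!http://t058.com/inst//x.chm::/open.exe
"""
LOG_B = r"""Logfile of HijackThis v1.98.2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\nnjsg.dll/sp.html#14044
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Class - {68F0E283-684D-FC42-3C24-C144CBB27B3F} - C:\WINDOWS\SYSTEM\ATLIW.DLL
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O15 - Trusted Zone: *.awmdabest.com
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://d:\foo.mht!http://t058.com/inst//x.chm::/open.exe
"""

LINE_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
AUTOSTART_RE = re.compile(r"\[(.+?)\]\s+(.*)$")
FILE_RE = re.compile(r"\w+\.(?:dll|exe|ocx)", re.I)
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

# Hypothetical allowlist (an assumption for this example) of Windows-directory
# autostarts and BHOs that are expected on a Win98 box like the one in the thread.
KNOWN_SYSTEM = {"mstask.exe", "systray.exe", "rundll32.exe", "msdxm.ocx"}


def parse(log):
    """One Entry per 'Rn - ...' / 'On - ...' line; header and process lines are skipped."""
    return [Entry(m.group(1), m.group(2))
            for ln in log.splitlines() if (m := LINE_RE.match(ln.strip()))]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_windows_dir(path):
    return path.lower().startswith(r"c:\windows")


def flag(e):
    """Return a reason string if the entry matches a hijack pattern, else None."""
    d = e.detail
    if e.kind in ("R0", "R1") and "= res://" in d.lower():
        return "IE search/start page redirected to a local res:// DLL (search hijack)"
    if e.kind == "O2":
        m = re.match(r"BHO: (.*?) - \{", d)
        name = m.group(1).strip().lower() if m else ""
        path = d.rsplit(" - ", 1)[-1]
        if name in ("", "class") or (_in_windows_dir(path) and _basename(path) not in KNOWN_SYSTEM):
            return "BHO with no descriptive name or an unknown DLL in the Windows directory"
    if e.kind == "O4":
        m = AUTOSTART_RE.search(d)
        cmd = m.group(2).strip() if m else ""
        if cmd:
            exe = cmd.split('"')[1] if cmd.startswith('"') else cmd.split()[0]
            if _in_windows_dir(exe) and _basename(exe) not in KNOWN_SYSTEM:
                return "autostart of an unknown executable from the Windows directory"
    if e.kind == "O15":
        return "Trusted Zone / Trusted IP entry: that host runs with relaxed IE security"
    if e.kind == "O16" and ("ms-its:" in d.lower() or ".chm" in d.lower()):
        return "ActiveX download (DPF) that fetches a CHM via ms-its: instead of a real control"
    return None


def triage(log):
    """All flagged entries of one log, each paired with the reason."""
    return [(e, r) for e in parse(log) if (r := flag(e))]


def normalize(e):
    """Mask file names and GUIDs so renamed copies of the same entry compare equal."""
    return (e.kind, GUID_RE.sub("{guid}", FILE_RE.sub("<file>", e.detail)))


def diff(old_log, new_log):
    """Entries removed, added, and 'morphed' (a removed/added pair that differs only by name or GUID)."""
    old, new = parse(old_log), parse(new_log)
    old_set, new_set = set(old), set(new)
    removed = [e for e in old if e not in new_set]
    added = [e for e in new if e not in old_set]
    morphed = [(r, a) for r in removed for a in added if normalize(r) == normalize(a)]
    return {"removed": removed, "added": added, "morphed": morphed}


if __name__ == "__main__":
    for e, reason in triage(LOG_B):
        print(f"[{e.kind}] {reason}\n    {e.detail}")
    for old, new in diff(LOG_A, LOG_B)["morphed"]:
        print(f"morphed {old.kind}: {old.detail}\n       -> {new.detail}")
```

Run as-is, the script flags four entries in the second log and reports two morphed pairs (the R1 search page and the "Class" BHO), which is exactly what a manual comparison of the two posted logs shows. The point of masking names before comparing is that a random-named DLL is only meaningful in the role it occupies; comparing raw lines would report the old entry as gone and the new one as unrelated.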


#5 kerque

kerque
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:30 PM

Posted 17 December 2004 - 02:30 PM

FindIt Results.

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------


Volume in drive C has no label
Volume Serial Number is 0475-0AE7
Directory of C:\WINDOWS\SYSTEM32

974,553,088 bytes free

------- Hidden Files in System32 Directory -------


Volume in drive C has no label
Volume Serial Number is 0475-0AE7
Directory of C:\WINDOWS\SYSTEM32

FOLDER HTT 13,122 07-06-03 1:57p folder.htt
DESKTOP INI 266 07-06-03 1:57p desktop.ini
2 file(s) 13,388 bytes
0 dir(s) 974,520,320 bytes free

---------- Files Named "Guard" -------------


Volume in drive C has no label
Volume Serial Number is 0475-0AE7
Directory of C:\WINDOWS\SYSTEM32

974,487,552 bytes free

--------- Temp Files in System32 Directory --------


Volume in drive C has no label
Volume Serial Number is 0475-0AE7
Directory of C:\WINDOWS\SYSTEM32

974,454,784 bytes free

---------------- User Agent ------------


------------ Keys Under Notify ------------


---------------- Xfind Results -----------------


-------------- Locate.com Results ---------------


No matches found.


DLL Compare Results.

* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM\saquu.dll Wed Dec 15 2004 5:29:30p A.SH. 56,320 55.00 K
C:\WINDOWS\SYSTEM\nnjsg.dll Fri Dec 17 2004 11:43:50a A.SH. 56,320 55.00 K
________________________________________________

755 items found: 755 files (2 H/S), 0 directories.
Total of file sizes: 119,911,421 bytes 114.36 M

--------------------End log---------------------


No Guard.tmp file visible.

#6 raw

raw

    Bleeping Hacker


  • Members
  • 2,577 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Texas
  • Local time:02:30 PM

Posted 17 December 2004 - 03:25 PM

You may want to print these instructions or save them as a file to refer to.

Download KillBox here: KillBox. Unzip it to your desktop.


Disconnect from the internet.

Reboot your computer into Safe Mode

Start Killbox and click on Tools --> Select Delete Temp Files. Click OK.


When that finishes, copy and paste each of the following lines into the Full Path of File to Delete box in Killbox, and click the red button with the white X on it after each.

After each file press the Delete button (the button that looks like a red circle with a white X in it).

Keep track of any files it tells you either could not be found or could not be deleted, as you'll need those in a minute:


C:\WINDOWS\SYSTEM\saquu.dll
C:\WINDOWS\SYSTEM\nnjsg.dll
C:\WINDOWS\SYSTEM\Guard.tmp


Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix Checked button.


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\nnjsg.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\nnjsg.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\nnjsg.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\nnjsg.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\nnjsg.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - Default URLSearchHook is missing
O15 - Trusted Zone: *.awmdabest.com
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://d:\foo.mht!http://t058.com/inst//x.chm::/open.exe

For the files that Killbox either couldn't find or couldn't delete, run killbox again, but this time, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer "No" until after you've pasted the last file name, at which time you should answer "Yes".

Immediately on reboot, run Ad-Aware SE. Make sure to check "Full Scan".


Check if your Recycle Bin is OK. Create an empty TXT file and delete it.

If the Recycle Bin is damaged:
Click Start, Run and type cmd. Press OK.

A DOS window will open.

Type the following and then press Enter after typing each one:

attrib -h -s c:\recycler

del c:\recycler

Close the window and REBOOT.

Check if the Recycle Bin is OK. Please report back.


Run DLLCompare and HijackThis again and post the logs, please.
Let me know what Ad-Aware did.



#7 kerque

kerque
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:30 PM

Posted 17 December 2004 - 04:35 PM

Recycle Bin was undamaged.

Ad-Aware found nothing.

DLLCompare log

* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found :thumbsup:"
________________________________________________

753 items found: 753 files, 0 directories.
Total of file sizes: 119,798,781 bytes 114.25 M

--------------------End log---------------------

HijackThis log

Logfile of HijackThis v1.99.0
Scan saved at 3:07:35 PM, on 12/17/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\EARTHLINK 5.0\CONMGR.EXE
C:\PROGRAM FILES\EARTHLINK 5.0\UPDATEMGR.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\U.S. ROBOTICS\INSTANT UPDATE\INSTUPDT.EXE
C:\PROGRAM FILES\HP DESKJET 880C SERIES\EREG\REMIND32.EXE
C:\PROGRAM FILES\EARTHLINK 5.0\ETOOLBAR.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\MRTMNGR.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = catproxy.sprintspectrum.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = PKCSM005;USKMRSSOA343;USMOKCMMWW07;PKCAP050;intranet.sprintspectrum.com;*.intranet.sprintspectrum.com;*.nmcc.sprintspectrum.com;*.corp.sprint.com;10.*.*.*;144.223.*.*;144.224.*.*;144.226.*.*;144.229.*.*;192.168.*.*;199.14.*.*;207.40.169.99;208.4.108.90;207.40.169.129;208.10.107.*;<local>
F1 - win.ini: run=hpfsched
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Class - {68F0E283-684D-FC42-3C24-C144CBB27B3F} - C:\WINDOWS\SYSTEM\ATLIW.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ConMgr.exe] "C:\PROGRAM FILES\EARTHLINK 5.0\CONMGR.EXE"
O4 - HKLM\..\Run: [UpdateMgr.exe] "C:\PROGRAM FILES\EARTHLINK 5.0\UPDATEMGR.EXE" /NOCM
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Instant Update.lnk = C:\Program Files\U.S. Robotics\Instant Update\InstUpDt.exe
O4 - Startup: Reminder-hpc41001.lnk = C:\Program Files\HP DeskJet 880C Series\ereg\Remind32.exe
O4 - Startup: EarthLink ToolBar 5.0.lnk = C:\Program Files\EarthLink 5.0\etoolbar.exe
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)

What's the verdict?

#8 raw

raw

    Bleeping Hacker


  • Members
  • 2,577 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Texas
  • Local time:02:30 PM

Posted 17 December 2004 - 07:10 PM

Run HijackThis again and fix these:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = catproxy.sprintspectrum.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = PKCSM005;USKMRSSOA343;USMOKCMMWW07;PKCAP050;intranet.sprintspectrum.com;*.intranet.sprintspectrum.com;*.nmcc.sprintspectrum.com;*.corp.sprint.com;10.*.*.*;144.223.*.*;144.224.*.*;144.226.*.*;144.229.*.*;192.168.*.*;199.14.*.*;207.40.169.99;208.4.108.90;207.40.169.129;208.10.107.*;<local>
O2 - BHO: Class - {68F0E283-684D-FC42-3C24-C144CBB27B3F} - C:\WINDOWS\SYSTEM\ATLIW.DLL
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)

Then delete this file:
C:\WINDOWS\SYSTEM\ATLIW.DLL

Post a new log.

Edited by raw, 17 December 2004 - 07:16 PM.





