Hijackthis Log: Please Help Diagnose


5 replies to this topic

#1 okasional (Members, 3 posts)

Posted 05 October 2006 - 05:59 PM

I have a laptop that's not infected, it's possessed! It's running WinXP Pro/SP2 and has all the latest Windows upgrades and Defender. I can't count the number of times I've scanned with Ewido, Counterspy, Spybot S&D, and AVG Anti-Virus, many times in safe mode. They find lots of Trojans, worms, and assorted spyware/adware, but some of the same ones keep coming back, and I can't get rid of popup ads. I guess I don't understand the whole point of spyware because even with the protections enabled and active, ClickSpring.PuritySCAN has been quarantined at least four times, even twice in the same day. If they can find it during a scan, why can't they spot it coming back the next time? The worst offender is ads with oinadserver and OuterInfo in the title bar. If someone can help me eliminate those I'll put them in my will.

Here's my log, taken right after scanning with Counterspy and AVG and getting a clean bill of health:

Logfile of HijackThis v1.99.1
Scan saved at 4:11:31 PM, on 10/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Network\ipnetwork.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\?racle\s?rvices.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.microsoft.com/search/lobby/search.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1760A4F6-344A-17EB-30A0-37469CE7D89E} - (no file)
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: (no name) - {BC6AE4AB-2939-03C1-40F3-00E2EB7276C6} - (no file)
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [yeahdude.exe] hallowelt.exe
O4 - HKLM\..\Run: [Symantec Security Routine Addon] navpaw.exe
O4 - HKLM\..\Run: [Windows Ocx Service] winocx.exe
O4 - HKLM\..\Run: [IpNetwork] C:\Program Files\Network\ipnetwork.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [soundman] soundman.exe
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [yeahdude.exe] hallowelt.exe
O4 - HKLM\..\RunServices: [Symantec Security Routine Addon] navpaw.exe
O4 - HKLM\..\RunServices: [Windows Ocx Service] winocx.exe
O4 - HKLM\..\RunServices: [soundman] soundman.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Windows Ocx Service] winocx.exe
O4 - HKCU\..\Run: [Meuif] C:\Program Files\?racle\s?rvices.exe
O4 - HKCU\..\RunServices: [Windows Ocx Service] winocx.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MSOffice\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\MSOffice\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: 206.81.201.184
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1159747535335
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe



#2 DaveM59, Bleepin' Grandpa (Members, 1,355 posts, TN USA)

Posted 09 October 2006 - 08:43 PM

Hi Okasional,

Welcome to Bleeping Computer. :thumbsup:

I will be helping you, under the guidance of one of our experienced coaches.

Please give me a little time to analyze your log and get back to you with instructions.

Thanks for your patience --

Dave

#3 okasional (Topic Starter)

Posted 10 October 2006 - 12:00 PM

DaveM59,

Thanks, but it's too late. I was working under a deadline, and when I saw my post had to be moved and go to the end of the line, I just studied all the tutorials and did it myself. I had tried to follow the forum instructions to the letter, including the name of the topic. But I was discouraged by the fact that none of the posts that had been moved, well before mine was, ever seemed to get any responses. Maybe one of the administrators should review the instructions to see if they are as clear as they can be about where to post a request for help. If I ever get my hands on that laptop again, and it still has problems, I'll try again. Thanks, and I'm sorry if you spent much time looking at the log, but there's no way to recall, abort, change, or cancel a post after it has been fired off.

Tommy

#4 DaveM59

Posted 10 October 2006 - 09:35 PM

Hi Tommy,

Sorry we couldn't help you. Also I'm sorry your log had to be moved. I hope you understand that all the helpers here are unpaid volunteers and many of us have lots of other duties, such as jobs and families. We try to take logs on a first-come, first-served basis, but we have some leeway about this, and these days there are always more logs than there are volunteer hours to work them. Every log represents (at least for me; I'm still a trainee and hope to get quicker) several hours for analysis and initial write-up. It's not surprising, therefore, that all the websites that offer free one-on-one help are overwhelmed.

I appreciate your taking time to let me know what happened. Don't worry about the time I spent on your log. As I said I'm in training and I learned quite a bit from working it. I would like to share some of what I found with you, because if possible I think you should alert the current user. There was more wrong than just Outerinfo popups.

The laptop was infected with several bot trojans, which make it available for manipulation by a remote hacker any time it is connected to the internet. Besides stealing passwords and other information, the hacker could use it to send spam or launch a denial-of-service attack.

I did not see any signs of Quicken or other financial software on the laptop. However it may still be used for online transactions, and if that is the case then the danger is obvious: such usage should be stopped and any and all online passwords need to be changed, from a clean computer.

I have no idea how much you fixed, but you need to know that it may still be severely compromised. Several of the bot trojan files are "socially engineered" to appear legitimate.

For a start, you should ask the current user to install a two-way software firewall, which blocks unauthorized traffic out of as well as into the machine. That should make it more difficult for the trojan to "phone home"; if it tries, the firewall should block it and alert the user.

There are a number of good free firewalls out there but if your user has no preference then Zone Alarm is as easy to set up as any of them.

As a further step you should strongly suggest that they post a fresh HJT log either here at BC or another PC help website.

I hope this may help prevent some major aggravation for the current user. It was good of you to try to help them.

Regards,

Dave

#5 okasional (Topic Starter)

Posted 11 October 2006 - 08:40 AM

DaveM59,

Thanks very much for your message. I realize you guys are swamped, and I hope everybody appreciates the "pro bono" work you do. I've looked over the forum again and it was my own dumb fault for posting in the wrong place originally. You would laugh at my trial and error fix process. I would study the log, select a prospect, "fix" it, then wait to see if the popups came back. If they did, I would restore and try something else. Sometimes I would reboot after the fix. Very crude, and I'm sure you're right that there's still stuff in there. I know there were still occasional pop-unders that were just the upper half page and marked only "Advertisement" in the title bar, sometimes animated, and these would sometimes popup when not online. I only achieved a status where you could use it for several hours at a time without an interruption, or without being bogged down in speed.

If I can get my hands on that PC again (my sister-in-law's) I'll install Zone Alarm. And if I am able to get a new HJT log within a week or two, will you still be able to look at it (as your time is available, of course) or would it be better to re-post and start over?

Thanks again, and keep up the good work.

Tommy

#6 DaveM59

Posted 11 October 2006 - 10:15 AM

Hi Tommy,

Thanks for your response.

Not to turn this into a malware removal tutorial, but one problem with your approach is that several of your trojans were installed so as to be started from more than one place in the Registry -- precisely to forestall the kind of fix you did.

I'm afraid at this point you would have to post a fresh HJT log and start the process over; that's the only fair way to do it. However, I will say that your prompt answer with a "call it off" message counts in your favor. Many victims post a log and, when a helper responds with the first step of a fix, they never reply. Some of the logs that you see going unanswered are from people with that sort of history. Not that we ignore them out of spite or policy, but when there are so many calls for help, well, other things being equal, I for one will turn first to those where I think I will be able to see the job through.

So when you have a chance, don't hesitate to post a fresh log. You know the routine now, and you may be luckier next time. Not all logs wait four or five days for a first response. Also as a matter of luck, this time you got a trainee, and we always take longer because our coach has to review the log and approve our fix. You get excellent help, thanks to the coaches, but it is slower than from a regular team member.

Please warn your sister-in-law about the security issues with her computer. Depending on what she uses it for, they are potentially very serious.

Good luck,

Dave



