Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

hijackthis log stavana


  • Please log in to reply
3 replies to this topic

#1 sarva

sarva

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:55 AM

Posted 23 December 2004 - 03:01 PM

Hi ,
I need expert advise on removing adware. I did adaware, spybot and CWS . I continue
to get something from "GAIN Publishing" causing popups. Please advise.

here is the hijack this log

Logfile of HijackThis v1.99.0
Scan saved at 2:12:12 PM, on 12/22/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\CoSine Communications\IPSec Dial Client\IreIKE.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\CoSine Communications\IPSec Dial Client\IPSecMon.exe
C:\WINNT\myCIO\VScan\McShield.exe
C:\WINNT\myCIO\Agent\myAgtSvc.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Dantz\Client\Remotsvc.exe
C:\Program Files\Dantz\Client\retroclient.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\pctspk.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\myCIO\Agent\myagttry.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\PROGRA~1\POP-UP~1\PSFree.exe
C:\WINNT\system32\?ttrib.exe
C:\Documents and Settings\stavana\Application Data\ccne.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\Program Files\CoSine Communications\IPSec Dial Client\SafeCfg.exe
C:\Documents and Settings\stavana\Desktop\Sadry\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\about.htm
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3B88640C-B661-7F94-8221-16550AF02F6B} - C:\WINNT\system32\sdweq.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {D5D69A82-571C-0EBF-4A25-2CF07BCF3AB7} - C:\WINNT\system32\pewyfu.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [myCIO.com ASaP] C:\WINNT\myCIO\Agent\myagttry.exe
O4 - HKLM\..\Run: [myCIO.com Splash] C:\WINNT\myCIO\VScan\Splash.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Gnjzb] C:\WINNT\system32\?ttrib.exe
O4 - HKCU\..\Run: [Uapt] C:\Documents and Settings\stavana\Application Data\ccne.exe
O4 - Startup: Shortcut to PSTSize.exe.lnk = C:\PSTSize.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O4 - Global Startup: IPSec Dial Client.lnk = C:\Program Files\CoSine Communications\IPSec Dial Client\SafeCfg.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Free History Cleaner - {ECC5778A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\FHC\FreeHistoryCleaner (file missing)
O9 - Extra 'Tools' menuitem: Free History Cleaner - {ECC5778A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\FHC\FreeHistoryCleaner (file missing)
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) - http://vscan.lion4nai.com/VS2/bin/myCioAgt.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F0DBA4C-7EDD-4254-A3AD-8DB9F210E949}: Domain = egenera.com
O18 - Protocol: myrm - {4D034FC3-013F-4B95-B544-44D49ABE3E76} - C:\WINNT\myCIO\Agent\myRmProt2.8.1.144.dll
O23 - Service: Ati HotKey Poller - Unknown - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: SafeNet Monitor Service - SafeNet - C:\Program Files\CoSine Communications\IPSec Dial Client\IPSecMon.exe
O23 - Service: SafeNet IKE Service - SafeNet - C:\Program Files\CoSine Communications\IPSec Dial Client\IreIKE.exe
O23 - Service: McShield - Network Associates, Inc. - C:\WINNT\myCIO\VScan\McShield.exe
O23 - Service: McAfee Agent - Network Associates, Inc. - C:\WINNT\myCIO\Agent\myAgtSvc.exe
O23 - Service: Retrospect Client - Dantz Development Corporation - C:\Program Files\Dantz\Client\Remotsvc.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Client\rthlpsvc.exe

BC AdBot (Login to Remove)

 


m

#2 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:10:55 AM

Posted 24 December 2004 - 04:03 AM

Hi :thumbsup:

Download System Security Suite here:
System Security Suite Download & Tutorial. Unzip it to your desktop.
Install the program. Don't use it yet.

Please print or copy these instructions because you are not able to access the Internet in SafeMode.

Make sure you are set to show hidden files and folders:
A. On the Tools menu in Windows Explorer, click Folder Options.
B. Click the View tab.
C. Under Hidden files and folders, click Show hidden files and folders.
D. Uncheck Hide extensions for known filetypes and Hide protected operating system files.
How to see hidden files in Windows

REBOOT into SafeMode by tapping F8 key repeatedly at bootup: Starting your computer in Safe mode

Run HijackThis!, press Scan, and put a check mark next to all these:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\about.htm
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {3B88640C-B661-7F94-8221-16550AF02F6B} - C:\WINNT\system32\sdweq.dll (file missing)
O2 - BHO: (no name) - {D5D69A82-571C-0EBF-4A25-2CF07BCF3AB7} - C:\WINNT\system32\pewyfu.dll

O4 - HKCU\..\Run: [Gnjzb] C:\WINNT\system32\?ttrib.exe
O4 - HKCU\..\Run: [Uapt] C:\Documents and Settings\stavana\Application Data\ccne.exe

O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)

O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab


Close all other windows and browsers, and press the Fix Checked button.

Search for these files and delete them if found:
C:\WINNT\system32\sdweq.dll <-- this file
C:\WINNT\system32\pewyfu.dll <-- this file
C:\Documents and Settings\stavana\Application Data\ccne.exe <-- this file

Delete these folders:
C:\Program Files\Ebates_MoeMoneyMaker\ <-- this folder


With all windows and browsers closed.
Clean out temporary and Temporary Internet Files.
A. Open System Security Suite.
B. In the Items to Clear tab thick:
- Internet Explorer (left pane): Cookies & Temporary files
- My Computer (right pane): Temporary files & Recycle Bin
Press the Clear Selected Items button.
Close the program.

REBOOT normally.

Copy and paste the contents of the following quotebox into Notepad:

dir C:\WINNT\System32\?ttrib.exe /a h > files.txt
notepad files.txt


Save it as FindFile.bat and save it on your Desktop.

Locate FindFile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the text here.


Run HijackThis! again and post a new log please.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image

#3 sarva

sarva
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:55 AM

Posted 28 December 2004 - 02:41 PM

Thanks for the help. I just need to run Hijackthis both in safe and normal mode to see some of the entries.
Here is the log

Volume in drive C has no label.
Volume Serial Number is 50E2-F455

Directory of C:\WINNT\System32

07/26/2000 07:00a 12,048 attrib.exe
12/08/2004 10:43a 389,120 ?ttrib.exe
2 File(s) 401,168 bytes

Directory of C:\Documents and Settings\stavana\Desktop

and new hijackthis log

Logfile of HijackThis v1.99.0
Scan saved at 2:40:47 PM, on 12/28/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\CoSine Communications\IPSec Dial Client\IreIKE.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\CoSine Communications\IPSec Dial Client\IPSecMon.exe
C:\WINNT\myCIO\VScan\McShield.exe
C:\WINNT\myCIO\Agent\myAgtSvc.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Dantz\Client\Remotsvc.exe
C:\Program Files\Dantz\Client\retroclient.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\pctspk.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\myCIO\Agent\myagttry.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\PROGRA~1\POP-UP~1\PSFree.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\Program Files\CoSine Communications\IPSec Dial Client\SafeCfg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\stavana\Desktop\Sadry\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [myCIO.com ASaP] C:\WINNT\myCIO\Agent\myagttry.exe
O4 - HKLM\..\Run: [myCIO.com Splash] C:\WINNT\myCIO\VScan\Splash.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\POP-UP~1\PSFree.exe"
O4 - Startup: Shortcut to PSTSize.exe.lnk = C:\PSTSize.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O4 - Global Startup: IPSec Dial Client.lnk = C:\Program Files\CoSine Communications\IPSec Dial Client\SafeCfg.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Free History Cleaner - {ECC5778A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\FHC\FreeHistoryCleaner (file missing)
O9 - Extra 'Tools' menuitem: Free History Cleaner - {ECC5778A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\FHC\FreeHistoryCleaner (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) - http://vscan.lion4nai.com/VS2/bin/myCioAgt.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F0DBA4C-7EDD-4254-A3AD-8DB9F210E949}: Domain = egenera.com
O18 - Protocol: myrm - {4D034FC3-013F-4B95-B544-44D49ABE3E76} - C:\WINNT\myCIO\Agent\myRmProt2.8.1.144.dll
O23 - Service: Ati HotKey Poller - Unknown - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: SafeNet Monitor Service - SafeNet - C:\Program Files\CoSine Communications\IPSec Dial Client\IPSecMon.exe
O23 - Service: SafeNet IKE Service - SafeNet - C:\Program Files\CoSine Communications\IPSec Dial Client\IreIKE.exe
O23 - Service: McShield - Network Associates, Inc. - C:\WINNT\myCIO\VScan\McShield.exe
O23 - Service: McAfee Agent - Network Associates, Inc. - C:\WINNT\myCIO\Agent\myAgtSvc.exe
O23 - Service: Retrospect Client - Dantz Development Corporation - C:\Program Files\Dantz\Client\Remotsvc.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Client\rthlpsvc.exe

#4 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:10:55 AM

Posted 28 December 2004 - 05:41 PM

You will find two files with the same name in the C:\WINNT\System32\ folder: attrib.exe. One is bad and one is legitimate. You must delete the bad file.
Right click on each file and select Properties.
In the General tab the legitimate file has this Description: Attribute Utility, Size = 12,048 bytes Do not delete this file, it is a Microsoft file.

The bad file has this size = 389,120 bytes, and the description is unknown.

If only the legitimate file is visible:

Copy the contents of the Quote Box below to Notepad.
Click File menu -> Save and name the file as unhide.reg
Change the Save as Type to All Files
Save this file on the desktop.


Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"SearchSystemDirs"=dword:00000001
"SearchHidden"=dword:00000001
"IncludeSubFolders"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"ShowSuperHidden"=dword:00000001


Double-click on the unhide.reg file you saved on your desktop, and when it prompts to merge say Yes.

REBOOT your machine.

Make sure you are set to show hidden files and folders:
A. On the Tools menu in Windows Explorer, click Folder Options.
B. Click the View tab.
C. Under Hidden files and folders, click Show hidden files and folders.
D. Uncheck Hide extensions for known filetypes and Hide protected operating system files.
How to see hidden files in Windows

Look for the bad file and delete it.

REBOOT and post a new hijackthis log please.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users