HijackThis log



#1 boks
Posted 09 January 2005 - 11:38 PM

Hi,

My PC was infected recently and I get the sporder.dll not present complaint. So, I ran HJT and I have attached the log. Could somebody please direct me on how I can repair my PC?

Thanks,
-raja.

Logfile of HijackThis v1.99.0
Scan saved at 8:17:48 PM, on 1/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\msupd4.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\System32\PRISMSVR.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\spywarebegone\SpywareBeGone.exe
C:\WINDOWS\System32\dkepvgsy.exe
C:\Program Files\2Wire 802.11g Wireless\PRISMCFG.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Belkin\Belkin Wireless USB Adapter Manager\WlanMonitor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\HijackThis\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: (no name) - {305A99CD-932D-22BD-1215-E61541607BDF} - (no file)
O2 - BHO: (no name) - {7A5D6794-46FD-3850-CD72-10279A39614E} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MPSExe] C:\Program Files\McAfee.com\MPS\mscifapp.exe /embedding
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Begone] C:\spywarebegone\SpywareBeGone.exe -FastScan
O4 - HKCU\..\Run: [JavaUpdate0.07] C:\WINDOWS\System32\dkepvgsy.exe
O4 - Global Startup: 2Wire Wireless Client.lnk = C:\Program Files\2Wire 802.11g Wireless\PRISMCFG.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: USB Manager.lnk = C:\Program Files\Belkin\Belkin Wireless USB Adapter Manager\WlanMonitor.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2825322a22e5a4...ip/RdxIE601.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697516} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_mp3.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://carnegiehallevents.webex.com/client...bex/ieatgpc.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Miscrosoft Updates Service 4 - Unknown - C:\WINDOWS\System32\msupd4.exe


#2 illukka
Posted 10 January 2005 - 08:35 AM

hi



download the trial version of the TDS-3 anti-trojan from here:
http://www.diamondcs.com.au/tds/downloads/tds3setup.exe
install it, but do not launch it yet

update it: right click the link below, select "save as"
http://www.diamondcs.com.au/tds/radius.td3

save it to the directory where you installed tds-3, overwriting the previous radius.td3.

then launch tds-3. in the top bar of the tds window click system testing > full system scan.
detections will appear in the lower pane of the tds window. after the scan is finished (it'll take a while) right click the list > select save as txt. save it and post the contents of the scandump.txt here

After posting the scanlog go ahead and right click the list again, this time select delete! Delete everything labelled positive identification

reboot


Download Ad-aware Second Edition here and install it. If you already have Ad-aware Second Edition skip to the next step.

Open adaware and Click the "Check for updates now" line on the main screen. Click the "Connect" button on the webupdate screen.

If an update is available download it and install it. Click the "Finish" button to go back to the main screen.

Click on the "Settings" button (gear symbol in the upper right corner of the main status screen) in the quick launch toolbar to open the General settings screen. Check the "Automatically quarantine objects prior to removal" setting and then click "Proceed" to save your changes

Click the "Scan now" button in the main menu on the left side of the main status screen or use the "Start" button in the lower right corner. This will open the Preparing System Scan screen. Please deselect "Search for negligible risk entries", as negligible risk entries (MRUs) are not considered to be a threat. Then select "Use custom scanning options" and click "Customize". This will open the "Scan Settings" page. Make sure all of the following are On with a "green" checkmark:

Scan within archives
Scan active processes
Scan Registry
Deep-scan Registry
Scan my IE Favorites for banned URLs
Scan my Hosts File

Then click on the "Tweak" Button to open up the tweak settings.

Open up the Scanning Engine section and make sure all of the following are On with a "green" checkmark:

Scan registry for all users instead of current user only

Make sure the following is unchecked with a "red" X:

Unload recognized processes & modules during scan.

Open up the Cleaning Engine section and make sure all of the following are On with a "green" checkmark:

Always try to unload modules before deletion
During Removal, unload Explorer and IE if necessary
Let Windows remove files in use at next reboot.

Click the "Proceed" button to save settings.

Click the "Next" button to start the scan.

When a scan is completed the Performing System Scan screen will change name to "Scan Complete".

Click the "Next" button to get to the Scanning Results screens where more information about the objects detected during the scan is available.

Click the Critical Objects Tab. In general all of the items listed will be bad. Be careful with the Hosts file entries. Malware uses the hosts file to redirect you to websites. However, you can use the hosts file as a way to prevent malware. If the object has 127.0.0.1 in it, it should most likely not be deleted as it is protecting against unwanted sites. For more information on how to use a hosts file to protect yourself read here. So in short, you may or may not want to fix the hosts file entries.

To fix all the bad critical objects do the following:

Right click on one of them to open up the selection screen. Click the "Select All" button to select all entries. In general all should be selected with the exception of the good hosts file entries.

When all are selected Click "Next" and then "OK" in the pop-up window to confirm the removal.

Then,

Download SPYBOT Search and Destroy here if it is not already installed on your computer
Install the program and then start it. Once the program has started make sure you are in the Spybot-S&D section. Click on the "Search for Updates" button. Download all updates. In some cases the program will restart after an update. When updated, click on the "Check for Problems" button. When the check is over, all problems displayed in red are regarded as real threats and should be dealt with. Make sure they are all selected and click the "Fix selected problems" button.

reboot

post a fresh log
To Ride, Shoot Straight And Speak The Truth

a retired malware fighter/teacher/advisor

#3 illukka
Posted 20 January 2005 - 06:58 AM

for convenience i'll post your scandump here:

Scan Control Dumped @ 00:37:52 20-01-05
Positive identification: TrojanDownloader.Win32.Agent.gn
File: c:\windows\system32\msupd4.exe

RegVal Trace: RAT.Agent: HKEY_CURRENT_USER
File: Software\Microsoft\Windows\CurrentVersion\Run [JavaUpdate0.07=C:\WINDOWS\System32\dkepvgsy.exe]

Positive identification: TrojanDownloader.Win32.Agent.gn
File: c:\windows\system32\msupd4.exe

Suspicious Filename: Dual extensions
File: c:\cygwin\cygwin\bin\camlp4o.opt.exe

Suspicious Filename: Dual extensions
File: c:\cygwin\cygwin\bin\camlp4r.opt.exe

Suspicious Filename: Dual extensions
File: c:\cygwin\cygwin\bin\dumpgdbm-1.5.2.exe

Suspicious Filename: Dual extensions
File: c:\cygwin\cygwin\bin\gawk-3.1.4.exe

Suspicious Filename: Dual extensions
File: c:\cygwin\cygwin\bin\loadgdbm-1.5.2.exe

Suspicious Filename: Dual extensions
File: c:\cygwin\cygwin\bin\ocamlc.opt.exe

Suspicious Filename: Dual extensions
File: c:\cygwin\cygwin\bin\ocamldep.opt.exe

Suspicious Filename: Dual extensions
File: c:\cygwin\cygwin\bin\ocamldoc.opt.exe

Suspicious Filename: Dual extensions
File: c:\cygwin\cygwin\bin\ocamllex.opt.exe

Suspicious Filename: Dual extensions
File: c:\cygwin\cygwin\bin\ocamlopt.opt.exe

Suspicious Filename: Dual extensions
File: c:\cygwin\cygwin\bin\perl5.8.5.exe

Suspicious Filename: Dual extensions
File: c:\cygwin\cygwin\bin\pgawk-3.1.4.exe

Suspicious Filename: Dual extensions
File: c:\cygwin\cygwin\usr\x11r6\bin\oxdvi.bin.exe

Suspicious Filename: Dual extensions
File: c:\cygwin\cygwin\usr\x11r6\bin\xdvi.bin.exe

Positive identification (embedded in file): Adware.NewDotNet (dll)
File: c:\program files\winamp\skins\nnezta388.exe

Positive identification (embedded in file): Adware.Toolbar.Quick.a (dll)
File: c:\program files\winamp\skins\tbeza127q.exe

Positive identification: Adware.EZula.g1
File: c:\program files\yahoo!\ypsr\quarantine\ppq6.tmp

Positive identification: TrojanDownloader.Win32.Small.aaq
File: c:\recycler\s-1-5-21-299502267-2139871995-725345543-1003\dc4.exe

Positive identification (DLL): Adware.WebEx (dll)
File: c:\windows\downloaded program files\ieatgpc.dll

Positive identification: RAT.Agent.ec2
File: c:\windows\system32\dkepvgsy.exe

Positive identification: TrojanDownloader.Win32.Agent.gn
File: c:\windows\system32\msupd4.exe



you did delete those positive identifications?

please post a fresh hijackthis log too


about the sporder:

File Description:

Sporder.dll is a file used by programs to work with the Windows LSP chain. Unfortunately this file is used by malware and some antispyware programs delete it by accident and break legitimate programs. You can use this replacement to try to get your programs working again. If the program continues to not work properly after replacing this file, then it is advisable that you reinstall that particular application.

Usage Information:

Download this file and save it into c:\windows\system32 or c:\winnt\system32 depending on your operating system.

download here:

http://www.bleepingcomputer.com/files/sporder.php

Edited by illukka, 20 January 2005 - 07:00 AM.


#4 boks

Posted 26 January 2005 - 03:02 AM

Thanks for your help. I am attaching the hijackthis log after removing all positive identification.

Thanks,
-raja.


#5 illukka
Posted 26 January 2005 - 04:30 AM

hi
start hijackthis

press do a system scan only

put checkmarks next to each of these lines:



O2 - BHO: (no name) - {305A99CD-932D-22BD-1215-E61541607BDF} - (no file)

O2 - BHO: (no name) - {7A5D6794-46FD-3850-CD72-10279A39614E} - (no file)

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2825322a22e5a4...ip/RdxIE601.cab

O23 - Service: Miscrosoft Updates Service 4 - Unknown - C:\WINDOWS\System32\msupd4.exe (file missing)


then close all windows and programs, except hijackthis
and click the button fix checked

reboot

rescan with adaware and spybot

post a fresh log

is the sporder thing fixed now ?
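The four lines illukka singles out in the reply above (two O2 BHOs with "(no file)", a Run value named like a Java updater that launches a bare file from System32, and a service whose display name misspells Microsoft) are the kind a log triager picks out by pattern rather than by memory. The following is an added example, not code from the thread, from HijackThis or from BleepingComputer: a Python parser for the O2/O3, O4 and O23 entry formats of a HijackThis v1.99 log, with heuristics that flag exactly those kinds of lines. The heuristics, the function names and the sample log (constructed here from lines posted earlier in this thread) are this example's own assumptions, not HijackThis' own logic.

```python
"""Triage heuristics for HijackThis v1.99 logs.

Added example for this thread, not code from HijackThis or BleepingComputer.
It parses the O2/O3 (BHO, toolbar), O4 (autostart) and O23 (service) entry
formats and flags the kinds of lines the helper above picked out by hand.
The heuristics are this example's own assumptions about what "looks wrong".
"""
import difflib
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the log posted at the top of this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {305A99CD-932D-22BD-1215-E61541607BDF} - (no file)
O2 - BHO: (no name) - {7A5D6794-46FD-3850-CD72-10279A39614E} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKCU\..\Run: [JavaUpdate0.07] C:\WINDOWS\System32\dkepvgsy.exe
O4 - HKCU\..\Run: [Spyware Begone] C:\spywarebegone\SpywareBeGone.exe -FastScan
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Miscrosoft Updates Service 4 - Unknown - C:\WINDOWS\System32\msupd4.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
"""

# Autostart value names that borrow a vendor's name are only suspicious when
# the binary does not live under that vendor's own directory (assumption).
VENDOR_WORDS = ("microsoft", "windows", "java", "sun", "mcafee", "adobe")
# Service display names are checked for near-misses of these spellings.
LOOKALIKE_TARGETS = ("microsoft", "windows")

_ENTRY = re.compile(r"^(O\d+) - (.*)$")
_RUN_VALUE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
_BARE_SYSTEM32 = re.compile(r"\\system32\\[^\\]+$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str   # "O2", "O4", "O23", ...
    line: str      # the original log line
    reason: str    # why it was flagged


def _command_path(cmd: str) -> str:
    """Return the executable from a Run-value command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def _lookalike(display_name: str) -> Optional[str]:
    """Return the vendor spelling that a word of display_name nearly matches."""
    for token in re.findall(r"[a-z]+", display_name.lower()):
        for target in LOOKALIKE_TARGETS:
            if token != target and difflib.SequenceMatcher(None, token, target).ratio() >= 0.85:
                return target
    return None


def check_entry(line: str) -> Optional[Finding]:
    """Apply the section-specific heuristic to one log line."""
    m = _ENTRY.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()

    if section in ("O2", "O3"):
        # A BHO/toolbar CLSID whose DLL is gone is an orphan of a partial removal.
        if rest.endswith("(no file)"):
            return Finding(section, line, "orphaned CLSID: registered BHO/toolbar with no DLL on disk")
        return None

    if section == "O4":
        rv = _RUN_VALUE.search(rest)
        if not rv:
            return None  # Global Startup .lnk entries are not handled here
        name, path = rv.group("name").lower(), _command_path(rv.group("cmd"))
        if any(w in name for w in VENDOR_WORDS) and _BARE_SYSTEM32.search(path):
            return Finding(section, line, "autostart named after a vendor but runs a bare file from System32")
        return None

    if section == "O23" and rest.startswith("Service: "):
        parts = rest[len("Service: "):].rsplit(" - ", 2)
        if len(parts) != 3:
            return None
        display, vendor, path = parts
        if "(file missing)" in path:
            return Finding(section, line, "service registration whose binary is gone")
        target = _lookalike(display)
        if target:
            return Finding(section, line, f"display name is a near-miss of '{target}'")
        if vendor == "Unknown" and _BARE_SYSTEM32.search(path):
            return Finding(section, line, "vendor 'Unknown' and a bare file in System32")
        return None
    return None


def triage(log_text: str) -> List[Finding]:
    """Run check_entry over every line of a log and return the flagged ones."""
    return [f for f in (check_entry(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

Note the caveat the McShield line carries: HijackThis reports that McAfee service with vendor "Unknown" too, so vendor "Unknown" alone is not evidence, which is why the O23 check also requires a bare binary in System32 or a misspelled vendor before it flags anything. The same applies to the O4 rule: it fires on the "JavaUpdate0.07" value only because the file sits directly in System32, while the real Sun updater under Program Files\Java passes.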
