Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

I've been Jacked (Hijackthis log)


  • Please log in to reply
6 replies to this topic

#1 TimayZ

TimayZ

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:30 PM

Posted 27 June 2004 - 11:13 PM

My startup page keeps resetting to hjmpg.dll/sp.html#96676, popups everywhere asking me to buy their stuff. I have ran CWShredder, spybotS&D, and adaware. It all keeps comming back. Norton poped up a couple days back and said it found Virus download.trojan. But when I scan it seems to not find it or it is gone now.?
I have a log from Hijack this. But after I open it it will soon close by itself and I cant re open it. But I did get it copied once real fast. Here it is. Any help would be real helpful at this point.
Logfile of HijackThis v1.97.7
Scan saved at 11:06:07 PM, on 6/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\mfcsr32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\System32\TCAUDIAG.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\apppb.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hjmpg.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://hjmpg.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://hjmpg.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hjmpg.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://hjmpg.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\hjmpg.dll/sp.html#96676
O2 - BHO: (no name) - {5BA8BAA2-A8F8-C5AE-06EC-5A7D9EFC3436} - C:\WINDOWS\system32\winlg32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -on
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [apppb.exe] C:\WINDOWS\apppb.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [sendmail] C:\WINDOWS\System32\sendmail.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {323C9B9A-DB6C-42CE-A706-314535FD8EAF} (FTUploader Control) - http://www.fototime.com/ftweb/activeX/WebUploadControl.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

BC AdBot (Login to Remove)

 


#2 TimayZ

TimayZ
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:30 PM

Posted 27 June 2004 - 11:29 PM

Just ran about buster here is a new log
Logfile of HijackThis v1.97.7
Scan saved at 11:28:13 PM, on 6/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\System32\TCAUDIAG.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\apppb.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\d3ci32.exe
E:\Program Files\HijackThis.exe

O2 - BHO: (no name) - {5BA8BAA2-A8F8-C5AE-06EC-5A7D9EFC3436} - C:\WINDOWS\system32\winlg32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -on
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [apppb.exe] C:\WINDOWS\apppb.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [sendmail] C:\WINDOWS\System32\sendmail.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKLM\..\RunOnce: [d3ci32.exe] C:\WINDOWS\d3ci32.exe
O4 - HKLM\..\RunOnce: [sdkmo.exe] C:\WINDOWS\sdkmo.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {323C9B9A-DB6C-42CE-A706-314535FD8EAF} (FTUploader Control) - http://www.fototime.com/ftweb/activeX/WebUploadControl.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

#3 Lobos

Lobos

  • Members
  • 317 posts
  • OFFLINE
  •  
  • Location:California USA
  • Local time:10:30 AM

Posted 27 June 2004 - 11:46 PM

hi TimayZ

Welcome to BC

You may want to print this because you will not be able to open your browser for this process


Please download this tool called about:buster from

http://tools.zerosrealm.com/AboutBuster.zip or
http://www.downloads.subratam.org/AboutBuster.zip

Unzip it to your desktop.

Now start Hijack this and tick the boxes next to these items..
O2 - BHO: (no name) - {5BA8BAA2-A8F8-C5AE-06EC-5A7D9EFC3436} - C:\WINDOWS\system32\winlg32.dll
O4 - HKLM\..\Run: [apppb.exe] C:\WINDOWS\apppb.exe
O4 - HKCU\..\Run: [sendmail] C:\WINDOWS\System32\sendmail.exe


Now close ALL windows and hit fix checked.

Do not open internet explorer to come back here until after running my tool.

Start about:buster and hit start. In the first white box input this - starting with

res://hjmpg.dll/index.html#96676

Now hit ok.

Save the report in a text file somewhere.

Then startup Hijack this and tick the box next to the random 02 (dll)

Restart your computer and post the report and a new Hijack this log.
------------------------------------------------------------------
if once you are back and still infected try this. Boot into safe mode
3) Next startup Hijack this and fix all random entries again.

4) Next goto start - Run - and type in Local Settings. Double click Temp and try deleting everything there. Rerun The program and type and paste in

res://cilyn.dll/index.html#96676 again (even if the file doesnt exist it should work).

5) Restart your computer and tell us how it goes.
post all of the AboutBuster logs and a fresh hijack this log


Lobos
<span style='color:blue'>Ad-Aware SE</span> | Spybot S&D 1.4

For extra protection try spyware blaster

<span style='color:blue'>If you use IE I suggest using these two programs</span> MVPHosts & IE-SPYAD

#4 Lobos

Lobos

  • Members
  • 317 posts
  • OFFLINE
  •  
  • Location:California USA
  • Local time:10:30 AM

Posted 27 June 2004 - 11:47 PM

well arent you quick hows your browser
<span style='color:blue'>Ad-Aware SE</span> | Spybot S&D 1.4

For extra protection try spyware blaster

<span style='color:blue'>If you use IE I suggest using these two programs</span> MVPHosts & IE-SPYAD

#5 TimayZ

TimayZ
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:30 PM

Posted 28 June 2004 - 12:26 AM

Seems to be good so far! I opened it a couple times. I also did the safe mode stuff you were talking about.
Couple things. I could not type in a url in about buster. It said I did not need to? And would not let me?
And when I started in reguar mode here are the three errors I got
Could not find c:\windows\system32\mfchh.exe
c:\windows\stiwb.exe
c:\windows\system32\ntru32.exe

Here is the new Hijack report and fallowing will be the text from the most recent About blaster. THANK YOU!
Logfile of HijackThis v1.97.7
Scan saved at 12:20:53 AM, on 6/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\System32\TCAUDIAG.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\HijackThis.exe

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -on
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {323C9B9A-DB6C-42CE-A706-314535FD8EAF} (FTUploader Control) - http://www.fototime.com/ftweb/activeX/WebUploadControl.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

About:Buster Version 1.21
Error Removing! : C:\WINDOWS\atlwb.exe
Removed! : C:\WINDOWS\dbqus.dat
Removed! : C:\WINDOWS\mmdsd.dat
Removed! : C:\WINDOWS\dbqus.dll
Removed! : C:\WINDOWS\qupdj.dll
Removed! : C:\WINDOWS\System32\mfchh.exe
Removed! : C:\WINDOWS\System32\yasqc.dll
Removed! : C:\WINDOWS\System32\ohbqa.dll
Removed! : C:\WINDOWS\System32\wxaui.dat
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

About:Buster Version 1.21
Removed! : C:\WINDOWS\atlwb.exe
Removed! : C:\WINDOWS\bevnn.dat
Removed! : C:\WINDOWS\System32\ntru32.exe
Removed! : C:\WINDOWS\System32\dzslk.dll
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

#6 Lobos

Lobos

  • Members
  • 317 posts
  • OFFLINE
  •  
  • Location:California USA
  • Local time:10:30 AM

Posted 28 June 2004 - 01:13 AM

well you look clean

come back if it starts acting up again

about buster looks like it removed all the files

one thing though i see hijack this is not in its own folder i sujest putting it into its own folder as you will notice if you go to where hijackthis is there will be backup files in there it can get quite messy if its not in it's own folder


Also try spyware guard and spyware blaster
spyware blaster will block spyware from comming in when you surf the net(compatible with IE, mozilla and firefox) and spyware guard is a resident scanner.

they will guard against alot of the cws sites
<span style='color:blue'>Ad-Aware SE</span> | Spybot S&D 1.4

For extra protection try spyware blaster

<span style='color:blue'>If you use IE I suggest using these two programs</span> MVPHosts & IE-SPYAD

#7 TimayZ

TimayZ
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:30 PM

Posted 28 June 2004 - 07:40 AM

Thanks a bunch! This site rocks! I was about to go crazy because I couldnt figure it out.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users