
Hijack results, please help me


12 replies to this topic

#1 Jaybird934

Posted 12 January 2005 - 08:33 PM

I have a friend's old computer running Windows 98, which I loaded Ad-Aware SE and Spybot on. Norton Antivirus 2002 (which is up to date on the virus list) will not even scan; it gives a script error saying "access denied." I used Housecall and found about 14 viruses, which I deleted. Ad-Aware freezes while trying to remove entries, so I ran both it and Spybot in safe mode to remove everything, which I can do. However, after doing this and rebooting normally, all the instances of the process "coolwebsearch" have returned in my Ad-Aware results (object c:\windows\eoubpi.dll). I downloaded the CoolWebSearch shredder and ran it in safe mode, but it doesn't see it. The homepage is not resetting, but I'm getting popups to seemingly random sites, no porn oddly enough. The script error also causes me to "restore active desktop". Please help; I'm glad to supply additional info.

Logfile of HijackThis v1.99.0
Scan saved at 8:29:57 PM, on 01/12/2005
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\WIORUV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\GWHOTKEY.EXE
C:\LAUNCHBOARD\LNCHBRD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\WINDOWS\SYSTEM\SECURE.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\DESKTOP\HIJACK\HIJACKTHIS.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: US Class - {1FFED2CB-FC98-49f8-B3D0-678D03350F1E} - C:\WINDOWS\MSCORE.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: SDWin32 Class - {F0460380-600A-11D9-8041-444553540000} - C:\WINDOWS\SYSTEM\GEDJD.DLL
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGRAB.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [LaunchBoard] C:\LAUNCHBOARD\LNCHBRD.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Tvbux] C:\WINDOWS\dteqi.exe
O4 - HKLM\..\Run: [CSV10P70] \Progra~1\CSBB\CSV10P070.EXE
O4 - HKLM\..\Run: [version] C:\WINDOWS\SYSTEM\ADL_DH.exe
O4 - HKLM\..\Run: [gedjdc] C:\WINDOWS\SYSTEM\gedjdc.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\SYSTEM\SECURE.exe
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\wioruv.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\SYSTEM\automove.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: huptgk.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\cdlsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
StartupList report, 01/12/2005, 8:30:45 PM
StartupList version: 1.52.2
Started from : C:\WINDOWS\DESKTOP\HIJACK\HIJACKTHIS.EXE
Detected: Windows 98 Gold (Win9x 4.10.1998)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\WIORUV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\GWHOTKEY.EXE
C:\LAUNCHBOARD\LNCHBRD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\WINDOWS\SYSTEM\SECURE.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\DESKTOP\HIJACK\HIJACKTHIS.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
huptgk.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
SystemTray = SysTray.Exe
Multi-function Keyboard = GWHotKey.exe
LaunchBoard = C:\LAUNCHBOARD\LNCHBRD.exe
StillImageMonitor = C:\WINDOWS\SYSTEM\STIMON.EXE
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
NAV Agent = C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
Symantec NetDriver Monitor = C:\PROGRA~1\SYMNET~1\SNDMON.EXE
TkBellExe = C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
Tvbux = C:\WINDOWS\dteqi.exe
CSV10P70 = \Progra~1\CSBB\CSV10P070.EXE
version = C:\WINDOWS\SYSTEM\ADL_DH.exe
gedjdc = C:\WINDOWS\SYSTEM\gedjdc.exe
secure = C:\WINDOWS\SYSTEM\SECURE.exe
Narrator = C:\WINDOWS\wioruv.exe
EnsoniqMixer = starter.exe
Adstartup = C:\WINDOWS\SYSTEM\automove.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
ScriptBlocking = "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
SchedulingAgent = mstask.exe

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = c:\windows\NOTEPAD.EXE %1

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 12/1/2005, 7:35:40)

[Rename]
NUL=C:\Program Files\Recommended Hotfix - 421701D
NUL=c:\Program Files\Recommended Hotfix - 421701D\v15\RH.exe_
NUL=c:\WINDOWS\bundles\msbbhook.dll
NUL=c:\WINDOWS\bundles\BundleOuter2601031121.exe

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

SET PATH=%PATH%;C:\PROGRA~1\COMMON~1\AUTODE~1

--------------------------------------------------


Enumerating Browser Helper Objects:

NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
(no name) - c:\program files\google\googletoolbar3.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - C:\WINDOWS\SYSTEM\GEDJD.DLL - {F0460380-600A-11D9-8041-444553540000}
BTGrabObj Class - C:\WINDOWS\BTGRAB.DLL (file missing) - {00000000-F09C-02B4-6EC2-AD0300000000}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job
Maintenance-Defragment programs.job
Maintenance-ScanDisk.job
Maintenance-Disk cleanup.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
CODEBASE = http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ASINST.DLL
CODEBASE = http://www.pandasoftware.com/activescan/as5/asinst.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

Protocol #1: C:\WINDOWS\SYSTEM\CDLSP.DLL

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
End of report, 5,488 bytes
Report generated in 0.304 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#2 Joe - London

Posted 13 January 2005 - 09:55 AM

Hi Jaybird934,

I'm taking a look at your HijackThis log and will get back to you shortly.

Joe.
If I have helped you in any way, please consider a donation.
Member of UNITE and ASAP.

#3 Jaybird934

Posted 13 January 2005 - 12:32 PM

Awesome, thanks Joe. I've read a lot on Google boards etc., and not found anything to help me on this one.

-Jaybird

#4 Joe - London

Posted 14 January 2005 - 04:24 AM

Hi Jaybird934,

We found some nasties within your log.

In order to investigate these further, could you download Find It 98-ME.zip.

Unzip the contents of Find It 98-ME.zip to a folder, for example c:\findit

Navigate to the c:\findit folder and double-click on find.bat.
A command prompt will open and it will search your computer for malicious files.

Once it has finished a Notepad window will pop up with output.txt.
Copy the entire contents of output.txt into your next post along with a new HijackThis log.

Please post in this thread.

Joe.

#5 Jaybird934

Posted 14 January 2005 - 05:30 PM

Here it is. Thanks, Jaybird

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from:

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 0A0B-29D6
Directory of C:\WINDOWS\SYSTEM

3,805.95 MB free

------- Hidden Files in system Directory -------


Volume in drive C has no label
Volume Serial Number is 0A0B-29D6
Directory of C:\WINDOWS\SYSTEM

FOLDER HTT 12,746 10-27-04 6:14p folder.htt
DESKTOP INI 266 10-27-04 6:14p desktop.ini
MSBB LOG 93,451 07-28-04 6:03p msbb.log
MSBB_KYF DAT 4,144,103 07-27-04 9:16p msbb_kyf.dat
MSBBAU DAT 38 07-27-04 9:03p msbbau.dat
HPOCASPR GID 8,628 07-21-04 12:25p hpocaspr.GID
ATI98DEF GID 10,844 12-30-98 9:28p ati98def.GID
7 file(s) 4,270,076 bytes
0 dir(s) 3,805.95 MB free

---------- Files Named "Guard" -------------


Volume in drive C has no label
Volume Serial Number is 0A0B-29D6
Directory of C:\WINDOWS\SYSTEM

3,805.95 MB free

--------- Temp Files in System Directory --------


Volume in drive C has no label
Volume Serial Number is 0A0B-29D6
Directory of C:\WINDOWS\SYSTEM

SET2192 TMP 100,624 10-25-04 11:50p SET2192.TMP
SET21A1 TMP 124,176 10-25-04 11:50p SET21A1.TMP
SET10C5 TMP 12,288 10-25-04 11:33p SET10C5.TMP
SET1046 TMP 258,048 10-25-04 11:32p SET1046.TMP
SETB390 TMP 124,176 10-25-04 11:27p SETB390.TMP
SET8182 TMP 282,896 10-25-04 7:18p SET8182.TMP
~GLH000F TMP 326,656 03-13-01 2:53p ~GLH000f.TMP
~GLH0090 TMP 266,293 01-05-99 12:00a ~GLH0090.TMP
IEBAK001 TMP 118,784 05-11-98 8:01p IEBAK001.TMP
IEBAK003 TMP 356,352 05-11-98 8:01p IEBAK003.TMP
IEBAK047 TMP 499,712 05-11-98 8:01p IEBAK047.TMP
IEBAK002 TMP 241,664 05-11-98 8:01p IEBAK002.TMP
IEBAK004 TMP 24,576 05-11-98 8:01p IEBAK004.TMP
IEBAK006 TMP 32,768 05-11-98 8:01p IEBAK006.TMP
IEBAK049 TMP 131,856 05-11-98 8:01p IEBAK049.TMP
SFCA104 TMP 131,856 05-11-98 8:01p SFCA104.TMP
IEBAK051 TMP 380,928 05-11-98 8:01p IEBAK051.TMP
IEBAK052 TMP 487,424 05-11-98 8:01p IEBAK052.TMP
IEBAK053 TMP 2,403,088 05-11-98 8:01p IEBAK053.TMP
IEBAK068 TMP 65,536 05-11-98 8:01p IEBAK068.TMP
IEBAK070 TMP 458,752 05-11-98 8:01p IEBAK070.TMP
IEBAK071 TMP 2,179,072 05-11-98 8:01p IEBAK071.TMP
IEBAK073 TMP 114,688 05-11-98 8:01p IEBAK073.TMP
23 file(s) 9,122,213 bytes
0 dir(s) 3,805.94 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{4332FD81-D435-11D8-8040-444553540000}"=""
"AT&T CSM6.0"="AT&T CSM6.0"

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
folder.htt Wed Oct 27 2004 6:14:22p ...H. 12,746 12.45 K
desktop.ini Wed Oct 27 2004 6:14:22p ...H. 266 0.26 K

2 items found: 2 files, 0 directories.
Total of file sizes: 13,012 bytes 12.71 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\LPT$VPN.343: TROJ_QOOLOGIC.C
C:\WINDOWS\LPT$VPN.343: TROJ_QOOLOGIC.B
C:\WINDOWS\LPT$VPN.343: TROJ_QOOLOGIC.A
C:\WINDOWS\VPTNFILE.343: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.343: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.343: TROJ_QOOLOGIC.A
C:\WINDOWS\eoubpi.dll: updates.qoologic.com
C:\WINDOWS\coolapi32.dll: adsrv.qoologic.com
C:\WINDOWS\hzmwul.exe: updates.qoologic.com
C:\WINDOWS\cyzoul.dll: updates.qoologic.com
C:\WINDOWS\hntecn.dll: excl_urls=adsv2.delfinproject.com,popup.msn.com,i.emarketresearchgroup.com,u.clkoptimizer.com,ezula.com,ads2.revenue.net,banners.pennyweb.com,counters.honesty.com,ads.bidclix.com,oz.valueclick.com,radio.launch.yahoo.com,zone.msn.com,sr.adwave.com,xlime.offeroptimizer.com,clickit.go2net.com,us.update.companion.yahoo.com,kill-pop-ups.com,qksrv.net,clickspring.net,cdn-aimtoday.aol.com,search200.com,servedby.adscpm.com,xanga.com,count.exitexchange.com,jnictech.cjt1.net,xadsq.offeroptimizer.com,paypopup.com,popuptraffic.com,cdn-cf.aol.com,allaboutsearching.com,hotmail.msn.com,adfarm.mediaplex.com,by.optimost.com,amch.questionmarket.com,akapp.whenu.com,newupdates.lzio.com,cfg.mywebsearch.com,searcheffect.com,ads.delfinproject.com,master.mx-targeting.com,hotmail.com,ctl.twain-tech.com,mail.yahoo.com,m2.doubleclick.net,insider.msg.yahoo.com,focusin.ads.targetnet.com,e.rn11.com,jmnad1.com,topicks.com,ad.doubleclick.net,m3.doubleclick.net,as.casalemedia.com,pgq.yahoo.com,webpdp.gator.com,stopzilla.com,ayb.lop.com,xadso.offeroptimizer.com,download.smileycentral.com,mm.delfinproject.com,view.atdmt.com,delfinproject.com,jbns2.cydoor.com,bannerfarm.ace.advertising.com,as.adwave.com,popuppers.com,look2me.com,wisapidata.weatherbug.com,ads.addynamix.com,ar.atwola.com,ad.trafficmp.com,updates.qoologic.com,ads1.revenue.net,weatherbug.com,jicmedia.cjt1.net,games.yahoo.com,adsrv.qoologic.com,servedby.advertising.com,ww2.weatherbug.com,rightmedia.net,bannerserver.gator.com,www4.yesadvertising.com,mmm.media-motor.net,hop.clickbank.net,media76.fastclick.net,websearch.com,isapi60.weatherbug.com,web.tickle.com,messenger.zango.com,wwp.icq.com,smileycentral.com,adserv1.gruvmedia.com,cdn.icq.com,s.clkoptimizer.com,tv.180solutions.com,pops.browseraid.com,download.abetterinternet.com,adserv.internetfuel.com,messenger.msn.com,sr.websearch.com,top-banners.com,advert.runescape.com,join1.winhundred.com,odysseusmarketing.com,v4.windowsupdate.microsoft.com,adverts.lzio.com,window
supdate.microsoft.com,filter.belkin.com,comcast.net,sc.musicmatch.com,license.hotbar.com,trk.pcsecurityshield.com,web.icq.com,whenusearch.com,jbigpops.cjt1.net,isg05.casalemedia.com,yahoo.com,aol.com,anrdoezrs.net,microsoft.com,target.com,aim-charts.pf.aol.com,download.websearch.com,actualdeals.com,images.trafficmp.com,mydailyhoroscope.net,couponage.com,c5.zedo.com,ekmas.com,ads.mydailyhoroscope.net,creativeby.viewpoint.com,affiliates.4lowrates.com,hits.clickandtrack.net,jcontent.bns1.net,clickserve.cc-dt.com,popups.ad-logics.com,adlog2.lzio.com,host239.ipowerweb.com,bv.channel.aol.com,img2.mailpostdirect.com,dw.dailywinner.net,toprebates.com,trk.bestmagsdirect.com,ads.clickagents.com,a.websponsors.com,sandboxer.com,media.fastclick.net,click2.containsitall.com,ads234.com,http300.edge.ru4.com,adlog.com.com,rs.websearch.com,ads.com.com,server.iad.liveperson.net,

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\paybuw.dat: .aspack
C:\WINDOWS\wioruv.exe: .aspack
C:\WINDOWS\Start Menu\Programs\StartUp\huptgk.exe: .aspack

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"Multi-function Keyboard"="GWHotKey.exe"
"LaunchBoard"="C:\\LAUNCHBOARD\\LNCHBRD.exe"
"StillImageMonitor"="C:\\WINDOWS\\SYSTEM\\STIMON.EXE"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"NAV Agent"="C:\\PROGRA~1\\NORTON~1\\NAVAPW32.EXE"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMON.EXE"
"TkBellExe"="C:\\Program Files\\Common Files\\Real\\Update_OB\\evntsvc.exe -osboot"
"Tvbux"="C:\\WINDOWS\\dteqi.exe"
"CSV10P70"="\\Progra~1\\CSBB\\CSV10P070.EXE"
"version"="C:\\WINDOWS\\SYSTEM\\ADL_DH.exe"
"gedjdc"="C:\\WINDOWS\\SYSTEM\\gedjdc.exe"
"secure"="C:\\WINDOWS\\SYSTEM\\SECURE.exe"
"Narrator"="C:\\WINDOWS\\wioruv.exe"
"EnsoniqMixer"="starter.exe"
"Adstartup"="C:\\WINDOWS\\SYSTEM\\automove.exe"
Logfile of HijackThis v1.99.0
Scan saved at 5:38:11 PM, on 01/14/2005
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\GWHOTKEY.EXE
C:\LAUNCHBOARD\LNCHBRD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\WINDOWS\SYSTEM\SECURE.EXE
C:\WINDOWS\WIORUV.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\HIJACK\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: US Class - {1FFED2CB-FC98-49f8-B3D0-678D03350F1E} - C:\WINDOWS\MSCORE.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: SDWin32 Class - {F0460380-600A-11D9-8041-444553540000} - C:\WINDOWS\SYSTEM\GEDJD.DLL
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGRAB.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [LaunchBoard] C:\LAUNCHBOARD\LNCHBRD.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Tvbux] C:\WINDOWS\dteqi.exe
O4 - HKLM\..\Run: [CSV10P70] \Progra~1\CSBB\CSV10P070.EXE
O4 - HKLM\..\Run: [version] C:\WINDOWS\SYSTEM\ADL_DH.exe
O4 - HKLM\..\Run: [gedjdc] C:\WINDOWS\SYSTEM\gedjdc.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\SYSTEM\SECURE.exe
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\wioruv.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\SYSTEM\automove.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - Startup: huptgk.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\cdlsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

#6 Joe - London

Posted 15 January 2005 - 01:04 PM

Hi Jaybird934,

Download KillBox here: KillBox. Unzip it to your desktop.

Select the Delete on reboot option.

Copy and paste the following file to the field labeled "Full path of file to delete"
C:\WINDOWS\eoubpi.dll

Press the Delete button (the button that looks like a red circle with a white X in it).

A first dialog box will ask if you want to delete the file on reboot, press the YES button.

A second dialog box will ask you if you want to REBOOT now. Press the NO button.

Repeat steps above for these files:

C:\WINDOWS\coolapi32.dll
C:\WINDOWS\hzmwul.exe
C:\WINDOWS\cyzoul.dll
C:\WINDOWS\hntecn.dll
C:\WINDOWS\paybuw.dat
C:\WINDOWS\Start Menu\Programs\StartUp\huptgk.exe


Copy and paste the following file to the field labeled "Full path of file to delete"
C:\WINDOWS\wioruv.exe

Press the Delete button (the button that looks like a red circle with a white X in it).

A first dialog box will ask if you want to delete the file on reboot, press the YES button.

A second dialog box will ask you if you want to REBOOT now. Press the YES button.


Your computer will reboot.

Download LSPFix from here and unzip it into its own folder.

Disconnect from the Internet and close all Internet Explorer windows. Check the "I know what I'm doing" button, move all instances of cdlsp.dll from the left panel to the right panel, then click "Finish".

Reboot the computer.

Open HijackThis, take another scan and tick the check-boxes beside all these entries.

R3 - URLSearchHook: US Class - {1FFED2CB-FC98-49f8-B3D0-678D03350F1E} - C:\WINDOWS\MSCORE.DLL
O2 - BHO: SDWin32 Class - {F0460380-600A-11D9-8041-444553540000} - C:\WINDOWS\SYSTEM\GEDJD.DLL
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGRAB.DLL (file missing)
O4 - HKLM\..\Run: [Tvbux] C:\WINDOWS\dteqi.exe
O4 - HKLM\..\Run: [CSV10P70] \Progra~1\CSBB\CSV10P070.EXE
O4 - HKLM\..\Run: [version] C:\WINDOWS\SYSTEM\ADL_DH.exe
O4 - HKLM\..\Run: [gedjdc] C:\WINDOWS\SYSTEM\gedjdc.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\SYSTEM\SECURE.exe
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\wioruv.exe
O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\SYSTEM\automove.exe
O4 - Startup: huptgk.exe

Close all open windows except HijackThis and click on "Fix checked".

Set Windows to show hidden files and folders, then reboot into safe mode. Click "My Computer", then navigate to and delete the following highlighted files/folders if present. (If you get an error when deleting a file, right-click on the file and check whether the read-only attribute is checked; if it is, uncheck it and try again.)

c:\windows\eoubpi.dll<<<---Delete file
C:\WINDOWS\MSCORE.DLL <<<---Delete file
C:\WINDOWS\SYSTEM\GEDJD.DLL <<<---Delete file
C:\WINDOWS\dteqi.exe <<<---Delete file
C:\Program files\CSBB\<<<---Delete CSBB folder and contents
C:\WINDOWS\SYSTEM\ADL_DH.exe <<<---Delete file
C:\WINDOWS\SYSTEM\gedjdc.exe <<<---Delete file
C:\WINDOWS\SYSTEM\SECURE.exe <<<---Delete file
C:\WINDOWS\wioruv.exe <<<---Delete file
C:\WINDOWS\SYSTEM\automove.exe <<<---Delete file

Reboot the computer in normal mode, then click the "Add Reply" button top right in this thread and post a new "Findit" log and a new HijackThis log in this thread for further review and evaluation.

Joe.
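As an added illustration (not part of this thread, and not a BleepingComputer or Find.bat tool): a Python script that parses the O2/O4/O10 lines of a HijackThis log and cross-references them against the "Strings.exe ... Results" sections of Find.bat output, which is essentially the correlation Joe performed by hand above. The sample lines are copied from the logs posted earlier in the thread; the three flagging rules (strings hit on an autostart file, BHO with its DLL missing, unknown Winsock LSP) are my own assumptions about what a reviewer looks for first.

```python
import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the HijackThis log and the
# Find.bat output posted earlier in this thread (excerpts, not full logs).
HJT_SAMPLE = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGRAB.DLL (file missing)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\wioruv.exe
O4 - HKLM\..\Run: [Tvbux] C:\WINDOWS\dteqi.exe
O4 - Startup: huptgk.exe
O10 - Unknown file in Winsock LSP: c:\windows\system\cdlsp.dll
"""

FINDIT_SAMPLE = r"""
------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\eoubpi.dll: updates.qoologic.com
C:\WINDOWS\hzmwul.exe: updates.qoologic.com

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\wioruv.exe: .aspack
C:\WINDOWS\Start Menu\Programs\StartUp\huptgk.exe: .aspack
"""

# HijackThis line formats handled here (O2 = BHO, O4 = autostart, O10 = Winsock LSP).
O2_RE = re.compile(r"^O2 - BHO: (?P<label>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (?:HK\w+\\\.\.\\Run(?:Services)?|Startup): (?:\[(?P<label>[^\]]*)\] )?(?P<cmd>.*)$")
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.*)$")
# First executable/library path in a Run command line, quoted or not, with arguments dropped.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|ocx|com|bat|scr))"?(?:\s|$)', re.IGNORECASE)
# Find.bat "Strings.exe <tool> Results" sections list "<path>: <matched string>".
FINDIT_SECTION_RE = re.compile(r"^-+ Strings\.exe (?P<tool>\w+) Results -+$")
FINDIT_HIT_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?): (?P<hit>.*)$")


@dataclass
class Entry:
    kind: str           # "O2", "O4" or "O10"
    label: str          # BHO class name or Run value name ("" for Startup/LSP lines)
    path: str           # file path or bare file name exactly as HijackThis logged it
    file_missing: bool  # HijackThis appended "(file missing)"
    raw: str


def basename(path):
    """Lower-cased file name; O4 Startup lines carry only the name, so matching is by name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_hijackthis(text):
    entries = []
    for line in (ln.strip() for ln in text.splitlines()):
        if m := O2_RE.match(line):
            entries.append(Entry("O2", m["label"], m["path"], bool(m["missing"]), line))
        elif m := O4_RE.match(line):
            exe = EXE_RE.match(m["cmd"])
            entries.append(Entry("O4", m["label"] or "", exe["path"] if exe else m["cmd"], False, line))
        elif m := O10_RE.match(line):
            entries.append(Entry("O10", "", m["path"], False, line))
    return entries


def parse_findit_strings(text):
    """Map lower-cased file name -> set of (tool, matched string) from the Strings.exe sections."""
    hits, tool = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if m := FINDIT_SECTION_RE.match(line):
            tool = m["tool"]
        elif tool and (m := FINDIT_HIT_RE.match(line)):
            hits.setdefault(basename(m["path"]), set()).add((tool, m["hit"]))
    return hits


def analyze(hjt_text, findit_text):
    """Return (entry, reasons) for each autostart entry worth a closer look."""
    hits = parse_findit_strings(findit_text)
    findings = []
    for e in parse_hijackthis(hjt_text):
        reasons = [f"Find.bat {tool} strings hit: {hit}" for tool, hit in sorted(hits.get(basename(e.path), ()))]
        if e.kind == "O2" and e.file_missing:
            reasons.append("BHO registration whose DLL is gone; the CLSID entry was left behind")
        if e.kind == "O10":
            reasons.append("unrecognised Winsock LSP; unchain it with an LSP tool rather than deleting the DLL")
        if reasons:
            findings.append((e, reasons))
    return findings


def flagged_names(findings):
    return sorted(basename(e.path) for e, _ in findings)


if __name__ == "__main__":
    for entry, reasons in analyze(HJT_SAMPLE, FINDIT_SAMPLE):
        print(entry.raw)
        for r in reasons:
            print("   ->", r)
```

A strings hit on its own is only a lead, which is what the Find.bat banner warns about; in the sample, vsapi32.dll matches the ASPack strings but is never flagged because nothing in the HijackThis log starts it, and the cross-reference is what narrows the list to files that both look suspicious and actually run at boot.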

#7 Jaybird934

Posted 15 January 2005 - 02:25 PM

A couple of minor things to share here. The HijackThis entry "O4 - Startup: huptgk.exe" was not there, perhaps removed by something done in a previous step. Also, KillBox did not ask me if I wanted to reboot at all. So, after telling it to remove all that you suggested, I just clicked "exit" and rebooted manually. (A minor thing, I assume; just making sure.) Thanks!


Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from:

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 0A0B-29D6
Directory of C:\WINDOWS\SYSTEM

3,859.68 MB free

------- Hidden Files in system Directory -------


Volume in drive C has no label
Volume Serial Number is 0A0B-29D6
Directory of C:\WINDOWS\SYSTEM

FOLDER HTT 12,746 10-27-04 6:14p folder.htt
DESKTOP INI 266 10-27-04 6:14p desktop.ini
MSBB LOG 93,451 07-28-04 6:03p msbb.log
MSBB_KYF DAT 4,144,103 07-27-04 9:16p msbb_kyf.dat
MSBBAU DAT 38 07-27-04 9:03p msbbau.dat
HPOCASPR GID 8,628 07-21-04 12:25p hpocaspr.GID
ATI98DEF GID 10,844 12-30-98 9:28p ati98def.GID
7 file(s) 4,270,076 bytes
0 dir(s) 3,859.67 MB free

---------- Files Named "Guard" -------------


Volume in drive C has no label
Volume Serial Number is 0A0B-29D6
Directory of C:\WINDOWS\SYSTEM

3,859.67 MB free

--------- Temp Files in System Directory --------


Volume in drive C has no label
Volume Serial Number is 0A0B-29D6
Directory of C:\WINDOWS\SYSTEM

SET2192 TMP 100,624 10-25-04 11:50p SET2192.TMP
SET21A1 TMP 124,176 10-25-04 11:50p SET21A1.TMP
SET10C5 TMP 12,288 10-25-04 11:33p SET10C5.TMP
SET1046 TMP 258,048 10-25-04 11:32p SET1046.TMP
SETB390 TMP 124,176 10-25-04 11:27p SETB390.TMP
SET8182 TMP 282,896 10-25-04 7:18p SET8182.TMP
~GLH000F TMP 326,656 03-13-01 2:53p ~GLH000f.TMP
~GLH0090 TMP 266,293 01-05-99 12:00a ~GLH0090.TMP
IEBAK001 TMP 118,784 05-11-98 8:01p IEBAK001.TMP
IEBAK003 TMP 356,352 05-11-98 8:01p IEBAK003.TMP
IEBAK047 TMP 499,712 05-11-98 8:01p IEBAK047.TMP
IEBAK002 TMP 241,664 05-11-98 8:01p IEBAK002.TMP
IEBAK004 TMP 24,576 05-11-98 8:01p IEBAK004.TMP
IEBAK006 TMP 32,768 05-11-98 8:01p IEBAK006.TMP
IEBAK049 TMP 131,856 05-11-98 8:01p IEBAK049.TMP
SFCA104 TMP 131,856 05-11-98 8:01p SFCA104.TMP
IEBAK051 TMP 380,928 05-11-98 8:01p IEBAK051.TMP
IEBAK052 TMP 487,424 05-11-98 8:01p IEBAK052.TMP
IEBAK053 TMP 2,403,088 05-11-98 8:01p IEBAK053.TMP
IEBAK068 TMP 65,536 05-11-98 8:01p IEBAK068.TMP
IEBAK070 TMP 458,752 05-11-98 8:01p IEBAK070.TMP
IEBAK071 TMP 2,179,072 05-11-98 8:01p IEBAK071.TMP
IEBAK073 TMP 114,688 05-11-98 8:01p IEBAK073.TMP
23 file(s) 9,122,213 bytes
0 dir(s) 3,859.66 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{4332FD81-D435-11D8-8040-444553540000}"=""
"AT&T CSM6.0"="AT&T CSM6.0"

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
folder.htt Wed Oct 27 2004 6:14:22p ...H. 12,746 12.45 K
desktop.ini Wed Oct 27 2004 6:14:22p ...H. 266 0.26 K

2 items found: 2 files, 0 directories.
Total of file sizes: 13,012 bytes 12.71 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\LPT$VPN.343: TROJ_QOOLOGIC.C
C:\WINDOWS\LPT$VPN.343: TROJ_QOOLOGIC.B
C:\WINDOWS\LPT$VPN.343: TROJ_QOOLOGIC.A
C:\WINDOWS\VPTNFILE.343: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.343: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.343: TROJ_QOOLOGIC.A

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"Multi-function Keyboard"="GWHotKey.exe"
"LaunchBoard"="C:\\LAUNCHBOARD\\LNCHBRD.exe"
"StillImageMonitor"="C:\\WINDOWS\\SYSTEM\\STIMON.EXE"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"NAV Agent"="C:\\PROGRA~1\\NORTON~1\\NAVAPW32.EXE"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMON.EXE"
"TkBellExe"="C:\\Program Files\\Common Files\\Real\\Update_OB\\evntsvc.exe -osboot"
"EnsoniqMixer"="starter.exe"

Logfile of HijackThis v1.99.0
Scan saved at 2:34:26 PM, on 01/15/2005
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\GWHOTKEY.EXE
C:\LAUNCHBOARD\LNCHBRD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\AUPDATE.EXE
C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\LUCOMSERVER.EXE
C:\WINDOWS\DESKTOP\HIJACK\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [LaunchBoard] C:\LAUNCHBOARD\LNCHBRD.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

#8 Joe - London

Joe - London

  • Security Colleague
  • 327 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:10:10 PM

Posted 15 January 2005 - 06:51 PM

Hi Jaybird934,

Just this one left:

Go to Add/Remove Programs in the Control Panel. Scroll down and find "Ezula".

Click uninstall/Remove and follow the wizard.

Set Windows to show Hidden Files and Folders, then reboot into Safe Mode. Click "My Computer", then navigate to and delete the following highlighted folder:

C:\PROGRAM Files\Web Offer <<<---Delete this Folder

Reboot the Computer, then click the "Reply Post" button at the top right in this thread and post a new HijackThis log in this thread for review, and let us know how the Computer is running.

Joe.
If I have helped you in any way, please consider a donation:
Member of UNITE and ASAP.

#9 Jaybird934

Jaybird934
  • Topic Starter

  • Members
  • 110 posts
  • OFFLINE
  • Local time:05:10 PM

Posted 15 January 2005 - 07:56 PM

Because this is a friend's computer I can't be sure, but I think that "web offer" thing was part of a previous problem that has been mostly removed. I saw that line in Hijack, but that listing in add/remove, the folder it references, and wo.exe are not on this computer. I can just delete that Hijack entry now?

The computer is running well. I am rid of all popups. Ad-aware and Spybot report no problems. Only one issue remains. My friend used 2002 Norton Antivirus. When opening Norton, I get a script error that says "Permission denied". If I click Yes I want to continue running scripts, all aspects of Norton say "refreshing". It won't let me update or run a scan. I don't feel good recommending my friend buy the newest Norton for this old computer, which is already slow enough. Might it be better to just replace 2002 Norton with the new AVG? If so, I'll uninstall Norton and not worry about this problem.

-Jaybird

#10 Joe - London

Joe - London

  • Security Colleague
  • 327 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:10:10 PM

Posted 16 January 2005 - 09:36 AM

Hello Jaybird934,

I'm pleased the Computer is running well so we are nearly there now.

My friend used 2002 Norton Antivirus. When opening Norton, I get a script error that says "Permission denied". If I click Yes I want to continue running scripts, all aspects of Norton say "refreshing". It won't let me update or run a scan. I don't feel good recommending my friend buy the newest Norton for this old computer, which is already slow enough. Might it be better to just replace 2002 Norton with the new AVG? If so, I'll uninstall Norton and not worry about this problem.


The AVG Anti-Virus is an excellent choice; I use it myself. As this is an older machine, please pay attention to the system requirements. According to Grisoft, their product will run on all Computers from the 485 CPU, 32 MB RAM and 15 MB clear hard drive space. If you do opt for AVG, be sure to uninstall Norton, as running both can create a conflict.

Grisoft AVG Download Site.
http://www.grisoft.com/us/us_index.php

I saw that line in Hijack, but that listing in add/remove, the folder it references, and wo.exe are not on this computer. I can just delete that Hijack entry now?


In that case please do the following:

First check to see if it is listed in the "Start|Programs" menu. Find "Ezula"; if it's there, uninstall it.

Now open HijackThis, take another scan and tick the check-box beside this entry:

O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe

Close all open windows except HijackThis and click on "Fix Checked".

Set Windows to show Hidden Files and Folders, then reboot into Safe Mode. Click "My Computer", then navigate to and delete the following highlighted folder:

C:\PROGRAM Files\Web Offer <<<---Delete this Folder

Reboot the Computer, then click the "Reply Post" button at the top right in this thread and post a new log in this thread for a final review and to ensure the Computer is completely clean.

Joe.
If I have helped you in any way, please consider a donation:
Member of UNITE and ASAP.
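The O4 entry Joe asks to fix points at a program that, as Jaybird notes, is no longer on the disk: an autorun hook whose payload is gone. The following is an added example (not code from the thread or from HijackThis) that parses O4 lines and flags such orphaned entries; the log lines are copied from the thread, and the set of files "present on disk" is constructed here because the machine itself is not available to inspect.

```python
"""Parse HijackThis O4 (autorun) entries and flag ones whose program is not on disk.

Added example, not part of the BleepingComputer thread or of HijackThis itself.
The sample log lines are copied from the thread; PRESENT is a constructed stand-in
for the files that actually exist on the machine.
"""
import re

# One O4 line: hive, Run/RunServices key, entry name, command string.
O4_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]+)\] (.+)$')

EXE_EXT = ('.exe', '.com', '.bat', '.pif', '.scr', '.dll')

# Constructed sample: O4 lines taken from the 15 Jan 2005 log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
"""

# Constructed: files assumed to exist on disk (wo.exe deliberately absent).
PRESENT = {
    r'C:\WINDOWS\scanregw.exe',
    r'C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe',
    r'C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe',
}


def parse_o4(line):
    """Return {'hive','key','name','cmd'} for an O4 line, or None if it is not one."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    hive, key, name, cmd = m.groups()
    return {'hive': hive, 'key': key, 'name': name, 'cmd': cmd}


def image_path(cmd):
    """Extract the program path from an autorun command string.

    A quoted command yields the quoted part. An unquoted command containing
    spaces is resolved the way Windows does it: grow the prefix token by token
    until it ends in an executable extension.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split(' ')
    for i in range(1, len(tokens) + 1):
        candidate = ' '.join(tokens[:i])
        if candidate.lower().endswith(EXE_EXT):
            return candidate
    return tokens[0]


def is_absolute(path):
    """True for a drive-letter path; bare names like 'SysTray.Exe' go through PATH lookup."""
    return len(path) > 2 and path[1] == ':' and path[2] == '\\'


def find_orphans(log_text, present):
    """Names of O4 entries whose absolute program path is not in `present`.

    Comparison is case-insensitive; 8.3 short names such as PROGRA~1 are compared
    literally, so `present` must list them in the same form the registry uses.
    """
    present_lc = {p.lower() for p in present}
    orphans = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        path = image_path(entry['cmd'])
        if is_absolute(path) and path.lower() not in present_lc:
            orphans.append(entry['name'])
    return orphans


if __name__ == '__main__':
    print('orphaned autorun entries:', find_orphans(SAMPLE_LOG, PRESENT))
```

An entry whose file is missing is either a leftover from an uninstalled program or a startup hook that outlived its payload; in both cases there is nothing left to run, which is why fixing the entry in HijackThis is the whole remedy.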

#11 Jaybird934

Jaybird934
  • Topic Starter

  • Members
  • 110 posts
  • OFFLINE
  • Local time:05:10 PM

Posted 16 January 2005 - 04:19 PM

I don't have the "C:\PROGRAM Files\Web Offer" folder or that Add/Remove entry. I deleted that "web offer" entry in Hijack. Bleeping computer is easily the best new tool I've discovered for quite some time to fix a wide variety of computer problems. Everything else seems to be running great now. Thanks a lot Joe! I've gotta get busy.....think I'll remove Norton, add AVG, and add Firefox.

My (final?) log:

Logfile of HijackThis v1.99.0
Scan saved at 4:07:53 PM, on 01/16/2005
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\GWHOTKEY.EXE
C:\LAUNCHBOARD\LNCHBRD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\DESKTOP\HIJACK\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [LaunchBoard] C:\LAUNCHBOARD\LNCHBRD.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

-----------------------

(not sure if you wanted this Findit log or not)


Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from:

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 0A0B-29D6
Directory of C:\WINDOWS\SYSTEM

3,194.37 MB free

------- Hidden Files in system Directory -------


Volume in drive C has no label
Volume Serial Number is 0A0B-29D6
Directory of C:\WINDOWS\SYSTEM

FOLDER HTT 12,746 10-27-04 6:14p folder.htt
DESKTOP INI 266 10-27-04 6:14p desktop.ini
MSBB LOG 93,451 07-28-04 6:03p msbb.log
MSBB_KYF DAT 4,144,103 07-27-04 9:16p msbb_kyf.dat
MSBBAU DAT 38 07-27-04 9:03p msbbau.dat
HPOCASPR GID 8,628 07-21-04 12:25p hpocaspr.GID
ATI98DEF GID 10,844 12-30-98 9:28p ati98def.GID
7 file(s) 4,270,076 bytes
0 dir(s) 3,194.36 MB free

---------- Files Named "Guard" -------------


Volume in drive C has no label
Volume Serial Number is 0A0B-29D6
Directory of C:\WINDOWS\SYSTEM

3,194.36 MB free

--------- Temp Files in System Directory --------


Volume in drive C has no label
Volume Serial Number is 0A0B-29D6
Directory of C:\WINDOWS\SYSTEM

SET2192 TMP 100,624 10-25-04 11:50p SET2192.TMP
SET21A1 TMP 124,176 10-25-04 11:50p SET21A1.TMP
SET10C5 TMP 12,288 10-25-04 11:33p SET10C5.TMP
SET1046 TMP 258,048 10-25-04 11:32p SET1046.TMP
SETB390 TMP 124,176 10-25-04 11:27p SETB390.TMP
SET8182 TMP 282,896 10-25-04 7:18p SET8182.TMP
~GLH000F TMP 326,656 03-13-01 2:53p ~GLH000f.TMP
~GLH0090 TMP 266,293 01-05-99 12:00a ~GLH0090.TMP
IEBAK001 TMP 118,784 05-11-98 8:01p IEBAK001.TMP
IEBAK003 TMP 356,352 05-11-98 8:01p IEBAK003.TMP
IEBAK047 TMP 499,712 05-11-98 8:01p IEBAK047.TMP
IEBAK002 TMP 241,664 05-11-98 8:01p IEBAK002.TMP
IEBAK004 TMP 24,576 05-11-98 8:01p IEBAK004.TMP
IEBAK006 TMP 32,768 05-11-98 8:01p IEBAK006.TMP
IEBAK049 TMP 131,856 05-11-98 8:01p IEBAK049.TMP
SFCA104 TMP 131,856 05-11-98 8:01p SFCA104.TMP
IEBAK051 TMP 380,928 05-11-98 8:01p IEBAK051.TMP
IEBAK052 TMP 487,424 05-11-98 8:01p IEBAK052.TMP
IEBAK053 TMP 2,403,088 05-11-98 8:01p IEBAK053.TMP
IEBAK068 TMP 65,536 05-11-98 8:01p IEBAK068.TMP
IEBAK070 TMP 458,752 05-11-98 8:01p IEBAK070.TMP
IEBAK071 TMP 2,179,072 05-11-98 8:01p IEBAK071.TMP
IEBAK073 TMP 114,688 05-11-98 8:01p IEBAK073.TMP
23 file(s) 9,122,213 bytes
0 dir(s) 3,194.36 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{4332FD81-D435-11D8-8040-444553540000}"=""
"AT&T CSM6.0"="AT&T CSM6.0"


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
folder.htt Wed Oct 27 2004 6:14:22p ...H. 12,746 12.45 K
desktop.ini Wed Oct 27 2004 6:14:22p ...H. 266 0.26 K

2 items found: 2 files, 0 directories.
Total of file sizes: 13,012 bytes 12.71 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\LPT$VPN.343: TROJ_QOOLOGIC.C
C:\WINDOWS\LPT$VPN.343: TROJ_QOOLOGIC.B
C:\WINDOWS\LPT$VPN.343: TROJ_QOOLOGIC.A
C:\WINDOWS\VPTNFILE.343: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.343: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.343: TROJ_QOOLOGIC.A

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"Multi-function Keyboard"="GWHotKey.exe"
"LaunchBoard"="C:\\LAUNCHBOARD\\LNCHBRD.exe"
"StillImageMonitor"="C:\\WINDOWS\\SYSTEM\\STIMON.EXE"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"NAV Agent"="C:\\PROGRA~1\\NORTON~1\\NAVAPW32.EXE"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMON.EXE"
"TkBellExe"="C:\\Program Files\\Common Files\\Real\\Update_OB\\evntsvc.exe -osboot"
"EnsoniqMixer"="starter.exe"

#12 Joe - London

Joe - London

  • Security Colleague
  • 327 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:10:10 PM

Posted 16 January 2005 - 07:03 PM

Hello Jaybird934,

Your log is now clean.

I recommend these simple steps you can take to reduce the chance of infection in the future.

1. Visit Windows Update: <-- YOU NEED TO DO THIS!!

Make sure that you have all the Critical Updates recommended for your Operating System and Internet Explorer. The first defence against infection is a properly patched OS.

Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp
Or, with Internet Explorer open, click Tools>Windows Update.


2. Adjust your security settings for ActiveX:
Go to Internet Options>Security tab.
Now press "Custom Level."
In the ActiveX section, set the first option, 'Download signed ActiveX controls', to 'Prompt';
set the second option, 'Download unsigned ActiveX controls', to 'Disable';
and finally, set 'Initialise and Script ActiveX controls not marked as safe' to 'Disable'.

These recommendations are based on veteran spyware fighter Tony Klein's now classic article, So how did I get infected in the first place? Check it out for even more information.

I also highly recommend the information in Bleepingcomputer's own Simple steps to keep your computer secure!

Thank you for your excellent cooperation during this fix.

Joe.
If I have helped you in any way, please consider a donation:
Member of UNITE and ASAP.

#13 Jaybird934

Jaybird934
  • Topic Starter

  • Members
  • 110 posts
  • OFFLINE
  • Local time:05:10 PM

Posted 20 January 2005 - 09:54 PM

For once, on that last post, I was way ahead of ya. Meant to come back earlier and thank you again. The lady I returned this computer to was quite pleased. I kept telling her not to thank me, that it was Joe London....but she wasn't having it. No justice in this world. :thumbsup:

thanks again Joe
