Help analyzing HijackThis Log file



#1 Webbie (Members, 20 posts)

Posted 20 January 2005 - 03:27 PM

The following is a HijackThis log file from one of our users' PCs. When the user clicks on Internet Explorer to launch it, it takes a LONG time to launch and the CPU gets pegged at 100% during that time. We have run the latest version of Ad-Aware SE Personal, which did find and successfully remove problems. The IE problem persists, however, and I don't know what to do. Here is the log from HijackThis. I would appreciate it if someone could review this and let me know what (if any) problem areas they notice.

Thanks in advance,

Webbie


PS - Here is the log file:


Logfile of HijackThis v1.99.0
Scan saved at 12:07:11 PM, on 1/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\OfficeScan NT\ntrtscan.exe
C:\OfficeScan NT\tmlisten.exe
C:\WINDOWS\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\OfficeScan NT\ofcdog.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\OfficeScan NT\pccntmon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
E:\Hijack_This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://smbusiness.dellnet.com/
R3 - Default URLSearchHook is missing
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SDWin32 Class - {2A2F7324-0448-4C2D-B8B4-0621B388DA26} - C:\WINDOWS\System32\qslck.dll (file missing)
O2 - BHO: Search Bar - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - C:\WINDOWS\DOWNLO~1\search3.dll
O2 - BHO: SDWin32 Class - {D9AE11CE-F9A1-42E6-B80C-70FF0E07994E} - C:\WINDOWS\System32\uecul.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Search Bar - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - C:\WINDOWS\DOWNLO~1\search3.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Oracle Discoverer 4i - http://x.weber.com:7777/discwb4/applet/dis4uie.cab
O16 - DPF: Oracle Discoverer 4i Initializer - http://x.weber.com:7777/discwb4/applet/start/dis4sie.cab
O16 - DPF: {00000000-0000-0000-1234-012398761234} - http://www.riversoftware.net/x0ff.cab
O16 - DPF: {332bd5a0-8000-11d7-b657-00c04faedb18} (Oracle JInitiator 1.1.8.22) - http://x.weber.com:8004/jinitiator/oajinit.exe
O16 - DPF: {42780420-E62F-490A-82FC-D626BE90B302} (ASAP! Session Class) - http://x.weber.com/AntiSpamGateway/Cabs/Mapicom.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {86ecb6a0-400a-11d5-b638-00c04faedb18} - http://x.weber.com:7777/discwb4/jinit/jinit11811.exe
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - http://x.weber.com:8002/jinitiator/oajinit.exe
O16 - DPF: {ff348b6e-fd21-11d4-a3f0-00c04fa32518} - http://x.weber.com:8000/jinitiator/oajinit.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = weber.com
O17 - HKLM\Software\..\Telephony: DomainName = weber.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = weber.com
O23 - Service: ASF Agent - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel® NMS - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: OfficeScanNT RealTime Scan - Trend Micro Inc. - C:\OfficeScan NT\ntrtscan.exe
O23 - Service: OracleClientCache80 - Unknown - C:\orant\BIN\ONRSD80.EXE
O23 - Service: OracleWORKFLOW_HOMEClientCache - Unknown - C:\orawfl\BIN\ONRSD.EXE
O23 - Service: OfficeScanNT Listener - Unknown - C:\OfficeScan NT\tmlisten.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)

#2 pll8on (Members, 159 posts, Georgetown, Florida)

Posted 21 January 2005 - 12:36 PM

Hi Webbie,

I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.

#3 pll8on (Members, 159 posts, Georgetown, Florida)

Posted 21 January 2005 - 11:00 PM

Hi Webbie,

1. Boot your computer into Safe Mode. Use the F8 method. How to enter safe mode

2. Click Start > Control Panel > Add/Remove Programs.
Uninstall the following if found: Ebates and/or MoeMoneyMaker

3. Please make sure that you can view all hidden files. Instructions on how to do this can be found here: How to view hidden files

4. Close all browser windows, Start HijackThis and tick the boxes next to all these and tell HijackThis to "Fix checked" if present.

R3 - Default URLSearchHook is missing
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll (file missing)
O2 - BHO: SDWin32 Class - {2A2F7324-0448-4C2D-B8B4-0621B388DA26} - C:\WINDOWS\System32\qslck.dll (file missing)
O2 - BHO: Search Bar - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - C:\WINDOWS\DOWNLO~1\search3.dll
O2 - BHO: SDWin32 Class - {D9AE11CE-F9A1-42E6-B80C-70FF0E07994E} - C:\WINDOWS\System32\uecul.dll (file missing)
O3 - Toolbar: Search Bar - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - C:\WINDOWS\DOWNLO~1\search3.dll
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {00000000-0000-0000-1234-012398761234} - http://www.riversoftware.net/x0ff.cab
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)

5. Through Windows Explorer find and delete these highlighted files and/or folders, if present.

C:\Program Files\Ebates_MoeMoneyMaker
C:\WINDOWS\zeta.exe
C:\WINDOWS\BTGrab.dll
C:\WINDOWS\System32\qslck.dll
C:\WINDOWS\DOWNLO~1\search3.dll (DOWNLO~1 is probably the Downloaded Program Files folder; do a search if it's not there.)
C:\WINDOWS\System32\uecul.dll

6. Reboot and provide another HJT log

#4 Webbie (Topic Starter, Members, 20 posts)

Posted 24 January 2005 - 01:01 PM

Okay, I did as you suggested. Ebates and/or MoeMoneyMaker was not found in Add/Remove Programs, nor were zeta.exe, BTGrab.dll, qslck.dll, search3.dll, or uecul.dll found in the folders or in advanced searches for them on the entire hard drive. However, I did check the specified boxes during a HijackThis run and it appears to have corrected the problem. Posted below is a HijackThis log that I just ran. Thanks SO MUCH for your help with this!

Webbie

Logfile of HijackThis v1.99.0
Scan saved at 11:53:30 AM, on 1/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\OfficeScan NT\ntrtscan.exe
C:\OfficeScan NT\tmlisten.exe
C:\WINDOWS\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\msiexec.exe
C:\OfficeScan NT\ofcdog.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\OfficeScan NT\pccntmon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://smbusiness.dellnet.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Oracle Discoverer 4i - http://x.weber.com:7777/discwb4/applet/dis4uie.cab
O16 - DPF: Oracle Discoverer 4i Initializer - http://x.weber.com:7777/discwb4/applet/start/dis4sie.cab
O16 - DPF: {332bd5a0-8000-11d7-b657-00c04faedb18} (Oracle JInitiator 1.1.8.22) - http://x.weber.com:8004/jinitiator/oajinit.exe
O16 - DPF: {42780420-E62F-490A-82FC-D626BE90B302} (ASAP! Session Class) - http://x.weber.com/AntiSpamGateway/Cabs/Mapicom.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {86ecb6a0-400a-11d5-b638-00c04faedb18} - http://x.weber.com:7777/discwb4/jinit/jinit11811.exe
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - http://x.weber.com:8002/jinitiator/oajinit.exe
O16 - DPF: {ff348b6e-fd21-11d4-a3f0-00c04fa32518} - http://x.weber.com:8000/jinitiator/oajinit.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = weber.com
O17 - HKLM\Software\..\Telephony: DomainName = weber.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = weber.com
O23 - Service: ASF Agent - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel® NMS - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: OfficeScanNT RealTime Scan - Trend Micro Inc. - C:\OfficeScan NT\ntrtscan.exe
O23 - Service: OracleClientCache80 - Unknown - C:\orant\BIN\ONRSD80.EXE
O23 - Service: OracleWORKFLOW_HOMEClientCache - Unknown - C:\orawfl\BIN\ONRSD.EXE
O23 - Service: OfficeScanNT Listener - Unknown - C:\OfficeScan NT\tmlisten.exe
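As an added example (editor's code, not part of this thread and not a HijackThis feature), the script below triages the log from post #1 using the same signals pll8on acted on in post #3: entries whose target file is reported missing, CLSIDs that are not real generated GUIDs, a BHO/toolbar pair loaded from the Downloaded Program Files folder, and O16 ActiveX downloads from hosts outside the company domain. It then checks the follow-up log from post #4 to confirm the nine flagged items are gone. The heuristics and the trusted-host list are assumptions made for the example; the sample log lines are copied from the two logs posted in this thread, with a few benign lines kept so the heuristics have something to leave alone.

```python
"""Triage a HijackThis log and confirm the fixed items are gone afterwards.

Added example for this thread, not code from BleepingComputer or HijackThis.
Heuristics are the editor's own assumptions; sample lines come from the logs above."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumption: hosts this corporate PC legitimately pulls ActiveX/Java cabs from,
# taken from the O16/O17 lines (weber.com is the machine's domain).
TRUSTED_DPF_HOSTS = ("weber.com",)

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL_RE = re.compile(r"https?://\S+")

LOG_BEFORE = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SDWin32 Class - {2A2F7324-0448-4C2D-B8B4-0621B388DA26} - C:\WINDOWS\System32\qslck.dll (file missing)
O2 - BHO: Search Bar - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - C:\WINDOWS\DOWNLO~1\search3.dll
O2 - BHO: SDWin32 Class - {D9AE11CE-F9A1-42E6-B80C-70FF0E07994E} - C:\WINDOWS\System32\uecul.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Search Bar - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - C:\WINDOWS\DOWNLO~1\search3.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: Oracle Discoverer 4i - http://x.weber.com:7777/discwb4/applet/dis4uie.cab
O16 - DPF: {00000000-0000-0000-1234-012398761234} - http://www.riversoftware.net/x0ff.cab
O23 - Service: OfficeScanNT RealTime Scan - Trend Micro Inc. - C:\OfficeScan NT\ntrtscan.exe
O23 - Service: OracleClientCache80 - Unknown - C:\orant\BIN\ONRSD80.EXE
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
"""

LOG_AFTER = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O16 - DPF: Oracle Discoverer 4i - http://x.weber.com:7777/discwb4/applet/dis4uie.cab
O23 - Service: OfficeScanNT RealTime Scan - Trend Micro Inc. - C:\OfficeScan NT\ntrtscan.exe
O23 - Service: OracleClientCache80 - Unknown - C:\orant\BIN\ONRSD80.EXE
"""


@dataclass
class Entry:
    section: str                      # "O2", "O16", "R3", ...
    body: str                         # everything after "O2 - "
    reasons: list = field(default_factory=list)

    @property
    def clsid(self):
        m = CLSID_RE.search(self.body)
        return m.group(0).upper() if m else None

    @property
    def key(self):                    # identity used for before/after comparison
        return self.clsid or self.body


def parse(log_text):
    """Return the Rx/Oxx entries of a log; headers and the process list are skipped."""
    out = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append(Entry(m["sec"], m["body"]))
    return out


def triage(entries):
    """Attach a reason to every entry a helper would tick for 'Fix checked'."""
    for e in entries:
        if e.section.startswith("R") and "is missing" in e.body:
            e.reasons.append("IE search hook/default missing: let HJT reset it")
        if "(file missing)" in e.body:
            e.reasons.append("registry still loads a file that is gone (orphan left by AV removal, or staged elsewhere)")
        if e.clsid and e.clsid[1:9] == "00000000":
            e.reasons.append("CLSID starts with an all-zero block, not a generated GUID")
        if e.section in ("O2", "O3") and "\\DOWNLO~1\\" in e.body.upper():
            e.reasons.append("BHO/toolbar loaded from Downloaded Program Files (ActiveX drop zone)")
        if e.section == "O16":
            m = URL_RE.search(e.body)
            host = (urlparse(m.group(0)).hostname or "") if m else ""
            if not any(host == t or host.endswith("." + t) for t in TRUSTED_DPF_HOSTS):
                e.reasons.append(f"ActiveX/DPF pulled from untrusted host {host!r}")
    return [e for e in entries if e.reasons]


def still_present(flagged, after_entries):
    """Flagged entries whose CLSID (or full text) survives in the follow-up log."""
    after = {e.key for e in after_entries}
    return [e for e in flagged if e.key in after]


if __name__ == "__main__":
    flagged = triage(parse(LOG_BEFORE))
    for e in flagged:
        print(f"{e.section} - {e.body}\n    -> {'; '.join(e.reasons)}")
    leftovers = still_present(flagged, parse(LOG_AFTER))
    print("clean" if not leftovers else f"{len(leftovers)} item(s) still present")
```

Note that "Unknown" as the O23 vendor is deliberately not a signal on its own: the Oracle and OfficeScan listener services in this log are unsigned but legitimate, and pll8on left them alone. Comparing by CLSID rather than by path catches the case where a BHO comes back under a new file name after a reboot.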

#5 pll8on (Members, 159 posts, Georgetown, Florida)

Posted 25 January 2005 - 10:10 PM

Hi Webbie

Your log looks great. Sorry for the delay in answering your final log.

We have one more function to perform to completely safeguard your computer.
Item 1. in these recommendations must be performed.
Final Clean & Recommendations

You are more than welcome from BleepingComputer.
Post another log if you have further problems.

#6 Papakid (Malware Response Team, 6,586 posts)

Posted 25 January 2005 - 10:37 PM

Hi webbie,

pll8on has linked you to a page that you won't be able to read. Sorry about the mix up.

Please do this:

Disable and Enable System Restore. - You should disable and reenable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and reenable system restore here:

Windows XP System Restore Guide

Please read the following web page for steps you can take to prevent future infections. I see that you aren't running an antivirus and would recommend that be done along with these other recommendations:
http://www.bleepingcomputer.com/forums/t/2520/how-did-i-get-infected/

Good job on the cleanup!