zbestwun2001
6 Gallium

Re: Help Interpreting Hijack This Log

Message Edited by zbestwun2001 on 12-30-2004 03:52 PM

 

Dell Forum Member Since 2004 but not an employee of Dell

If this answers your question, click
  Yes  

0 Kudos
mgkct
1 Nickel

Re: Help Interpreting Hijack This Log

Ok, this is what I've done:

- run Trend Micro Scan

- run AdAware twice (once, then reboot, then ran it again)

- ran SpyBot

Here are two logs: hijack this, and dllcompare log.  Thanks advance for the continued help!

HIJACK THIS LOG:

Logfile of HijackThis v1.99.0
Scan saved at 10:38:08 PM, on 12/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O16 - DPF: DigiChat Applet - http://chat2.alllearn.org/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {43B70AAD-23F4-4FD8-ADD9-441D8592EEB8} (Snapfish Fix Photo Control) - http://www.snapfish.com/SnapfishImageEditor.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {8D83D301-E841-11D1-B155-00600823BCF9} (WebLine Browser Integration Classes) - http://live.landsend.com/webline/applets/msie40x.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS1\Services\Tcpip\..\windows: NameServer = 216.127.92.38
O17 - HKLM\System\CS2\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 216.127.92.38
O17 - HKLM\System\CS3\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS3\Services\VxD\MSTCP: NameServer = 216.127.92.38
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.127.92.38
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Gear Security Service - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee AntiSpyware Real-Time Scanner - Network Associates, Inc. - C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee.com Personal Firewall Service - McAfee.com Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

 

DLLCOMPARE LOG:

*    DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\enn8l1~1.dll   Tue Dec 28 2004   9:40:38p  ..S.R        224,457   219.20 K
C:\WINDOWS\SYSTEM32\p4r40e~1.dll   Tue Dec 28 2004   1:19:14p  ..S.R        223,726   218.48 K
________________________________________________

1,193 items found:  1,193 files (2 H/S), 0 directories.
Total of file sizes:  237,218,071 bytes    226.23 M

Administrator Account =  True

--------------------End log---------------------

 

Mona

0 Kudos
Midnight Star
5 Rhenium

Re: Help Interpreting Hijack This Log

mona,

 Let's run KillBox again, then:

-----

1.  check(tick) "Replace on reboot"

2.  enter C:\WINDOWS\SYSTEM32\enn8l1~1.dll , in "Full Path of File to Delete".

3.  check(tick) "Use Dummy".

4.  click the red-x, just right of where you entered the file to delete.

5.  Confirm that you want to replace the 'bad' file with the 'dummy'.

6.  When prompted to "Reboot Now", select "No".

7. Now repease steps #1 - #6 for the following files:

   C:\WINDOWS\SYSTEM32\p4r40e~1.dll  

   C:\Windows\System32\Guard.tmp

After entering the last file, when prompted to "Reboot Now", select "Yes".

-----

You can copy/paste these file name(s) to save on typing.


Now, let's go back and run DLLCompare again, just like we did in the previous post, and post back the results.

Be sure not to reboot your computer while we're working on this, otherwise we'll have a whole new set of program(s) to check for - this thing has a habit of changing the above names on reboot ...

Mike.

Message Edited by Midnight Star on 12-28-2004 10:37 PM

0 Kudos
mgkct
1 Nickel

Re: Help Interpreting Hijack This Log

Mike,
I deleted the files using killbox.
 
Here is the new dllcompare log:
 
*    DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINDOWS\SYSTEM32\p4r40e~1.dll   Tue Dec 28 2004   1:19:14p  ..S.R        223,726   218.48 K
________________________________________________
1,193 items found:  1,193 files (1 H/S), 0 directories.
Total of file sizes:  237,218,071 bytes    226.23 M
Administrator Account =  True
--------------------End log---------------------
 
Thanks,
Mona
0 Kudos
Midnight Star
5 Rhenium

Re: Help Interpreting Hijack This Log

mona,

 Let's run KillBox again, then:

-----

1.  check(tick) "Replace on reboot"

2.  enter C:\WINDOWS\SYSTEM32\p4r40e~1.dll , in "Full Path of File to Delete".

3.  check(tick) "Use Dummy".

4.  click the red-x, just right of where you entered the file to delete.

5.  Confirm that you want to replace the 'bad' file with the 'dummy'.

6.  When prompted to "Reboot Now", select "No".

7. Now repease steps #1 - #6 for the following files:

   C:\Windows\System32\Guard.tmp

After entering the last file, when prompted to "Reboot Now", select "Yes".

-----

You can copy/paste these file name(s) to save on typing.


Now, let's go back and run DLLCompare again, just like we did in the previous post, and post back the results.

Mike.

 

0 Kudos
mgkct
1 Nickel

Re: Help Interpreting Hijack This Log

Mike,

I did that.  and the new log is posted below.

But I want to make sure I'm doing what I'm supposed to -- you say to check reboot now "yes" at the end, but you also say be sure not to reboot.  I'm confused Smiley Happy.  Bottom line -- I haven't rebooted at all in the past few steps.  Am I supposed to??

Thanks,

Mona

 

*    DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found Smiley Happy"
________________________________________________

1,193 items found:  1,193 files, 0 directories.
Total of file sizes:  237,218,071 bytes    226.23 M

Administrator Account =  True

--------------------End log---------------------

0 Kudos
Midnight Star
5 Rhenium

Re: Help Interpreting Hijack This Log

mona,

Sorry about that, we'll just 'rack' that up to long hours behind the keyboard ... Smiley Happy

I'll also copy/paste sections of the solution from other threads i've worked, to save on typing, and somtimes typos come across.

-

Let's get started...


Let's make sure your recycle-bin is intact...
 
 -

Run Killbox again, but this time just copy/paste the following names, one at a time, in the file name to delete field:

  •  C:\Windows\System32\Guard.tmp
  •  C:\RECYCLER\Desktop.ini

then click the red-x to delete these files. Next create a  dummy text file ( a text file that we're going to delete ), then delete it ( let it go to the recycle bin ). Check the recycle bin to see if it's there. If it isn't post back and let me know. Also, it's ok if some of these aren't found.


Run VX2Finder, then: 

1. Click "User Agent$"

2.  Click "Restore Policy"

We'll reverse the order this time. It's ok if some of the buttons are 'greyed' out.


From a command line, run "regedit" then go to the following registry key:

  1.  HKEY_LOCAL_MACHINE
  2. SOFTWARE
  3. Microsoft
  4. Windows NT
  5. CurrentVersion
  6. Winlogon
  7. Notify

Look for an entry that says:

DLLName="c:\\windows..."

It'll have a randomly named file where the "..." is. Post back the name of that file and close the registry editor, without changing any of the data.


 
Download the VX2 cleaner from here, and follow the instructions on that page. If it finds anything, it'll ask you to reboot and run it again for safe measure - the second time it should come up clean. It's should be ok to reboot at this point.
 

Now, let's post back a new log and see what we've got.

Mike.

0 Kudos
mgkct
1 Nickel

Ran Dllcompare again...

So I had to restart (I decided to run ad aware again).  Anyway, for ha has, I ran dllcompare again, and I now the log is different.  I'm not sure whether these files are malware or not, so I did not delete them with killbox.  Please advise...
 
DLLCOMPARE LOG
*    DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINDOWS\SYSTEM32\enn8l1~1.dll   Tue Dec 28 2004   9:40:38p  ..S.R        224,457   219.20 K
C:\WINDOWS\SYSTEM32\m0rm0a~1.dll   Wed Dec 29 2004  10:16:42a  ..S.R        223,232   218.00 K
________________________________________________
1,194 items found:  1,194 files (2 H/S), 0 directories.
Total of file sizes:  237,446,624 bytes    226.45 M
Administrator Account =  True
--------------------End log---------------------
 
Thanks!!
 
Mona
0 Kudos
Midnight Star
5 Rhenium

Re: Ran Dllcompare again...

Mona,

Yes those are, and need to be removed using killbox. Do you have an IM account? We might be able to work this out while i'm online this morning - which sometimes can go alot smoother.

Mike.

 

Message Edited by Midnight Star on 12-29-2004 10:33 AM

0 Kudos
mgkct
1 Nickel

Re: Ran Dllcompare again...

I just installed AOL IM on my other pc... my screen name is mgkct.

Oh and I just killed those files with killbox, and rebooted.

 

Thank you so much!

Mona

0 Kudos