meganu
1 Nickel

Re: Hijack this log - getting fatal system errors please help

Mike,
 
Looks like some of the things we got rid of are back again.....
 
 
Logfile of HijackThis v1.99.0
Scan saved at 10:15:20 PM, on 12/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\program files\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Documents and Settings\Us\Application Data\eetu.exe
C:\WINDOWS\System32\?hkdsk.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://msn.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.ce1.attbb.net:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ce1.attbb.net
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
R3 - URLSearchHook: (no name) - _{1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper Basic - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Basic\popuppro.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Us\Application Data\eetu.exe
O4 - HKCU\..\Run: [Fekn] C:\WINDOWS\System32\?hkdsk.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Get It With Kontiki - res://C:\Program Files\Kontiki\bin\bh309190.dll/201
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {F2570A0D-001D-477D-93D1-D05EF5EB95CD} - (no file)
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.ivillage.com/save/makeover.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/default/popcaploader1.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by2fd.bay2.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://floridakeysmedia.tv/axiscam/Codebase/AxisCamControl.ocx
O16 - DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} (McObjectFactory Class) - http://download.mcafee.com/molbin/shared/McMySec/en-us/1,0,0,2/mcmysec.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
 
 
 
Hope you have a great holiday! I won't be home tomorrow so I'll check back on Sunday.
Thanks!
Megan
0 Kudos
Midnight Star
5 Rhenium

Re: Hijack this log - getting fatal system errors please help

Megan,
 
Ok, let's first take a pass with HiJackThis and see what we've got. If the entries come back, we'll need to run DLLCompare again and make sure we're ok in that area.
 
Remember not to reboot your computer until we've gotten your system cleaned...
 
 
Let's see what these turn up now...
 

 
Go to www.trendmicro.com and click "Free Online Scan". When it's done, select all available drives, then click "Scan".
 
Run AdAware SE Personal and "perform a full system scan".
 
-
 
Download the VX2 Cleaner for AdAware SE and follow the instructions on that page.
 
-
 
Run Spybot S&D, then click "Check for Problems".
 

 
Now, let's download About:Buster and unzip it to your desktop. Be sure to check for updates before clicking "Start". If it finds anything, be sure to run it again, just to be sure.
 

 
Now, let's run HiJackThis, then:
 
1.  click "Config..."
2.  click "Misc Tools"
3.  click "Delete a file on reboot"
4.  browse to, then double-click on each of the file(s) below, one at a time:
 
   C:\Documents and Settings\Us\Application Data\eetu.exe
   C:\Program Files\Kontiki\bin\bh309190.dll
 
5.  when prompted to "Reboot Now", after selecting each file, select "No"
 
If some aren't present, just skip them and move on to the next.
 


Now, let's open a command prompt and unregister the dll(s) we're going to remove, by entering the following:
 
regsvr32  /u  bh309190.dll
 
It's ok if these aren't found.
 


Run HiJackThis and click "Scan", then check (tick) the following, if present:
 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
 
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
R3 - URLSearchHook: (no name) - _{1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
 
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Us\Application Data\eetu.exe
O4 - HKCU\..\Run: [Fekn] C:\WINDOWS\System32\?hkdsk.exe
 
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
(Unless you've set these with an anti-spyware program like SpyBot's Immunize feature, have HiJackThis fix this.)
 
O8 - Extra context menu item: Get It With Kontiki - res://C:\Program Files\Kontiki\bin\bh309190.dll/201
 
O9 - Extra button: (no name) - {F2570A0D-001D-477D-93D1-D05EF5EB95CD} - (no file)
 
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
 

Now, with all windows closed except HiJackThis, click "Fix checked".
 

Post back a new log.

Mike.

PS: Sorry Megan, I need to add an additional step.

 

Message Edited by Midnight Star on 12-24-2004 09:48 PM

0 Kudos
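The entries Mike ticks above fall into a few recognizable shapes (start/search pages forced to about:blank, hooks and buttons pointing at "(no file)", Run entries launching from a profile directory or with an odd character in the filename, and domains or bare IPs pushed into the Trusted Zone). The following is an added example of a small triage script for HijackThis-style log lines; it is not part of the thread or of HijackThis itself, the line regexes are my own assumption of the v1.99 layout, the sample lines are copied from the log posted above, and the Trusted Zone allowlist is a placeholder you would fill from your own environment.

```python
"""Triage helper for HijackThis-style log lines (added example, not HijackThis code)."""
import re

# Assumed line layout of a HijackThis v1.99 log; not an official grammar.
RE_SECTION = re.compile(r"^(?P<sec>[RO]\d+) - (?P<rest>.*)$")
RE_RUN = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RE_ZONE = re.compile(r"^Trusted Zone: (?P<host>\S+)")

def _exe_path(cmd: str) -> str:
    """Pull the executable path out of a Run command line (quoted or bare)."""
    if cmd.startswith('"') and cmd.count('"') >= 2:
        return cmd[1:cmd.index('"', 1)]
    # Bare path: cut at the first " -flag" or " /flag" argument.
    return re.split(r" (?=[-/])", cmd, maxsplit=1)[0]

def triage(log_text: str, zone_allowlist=frozenset()) -> list:
    """Return (section, line, reason) tuples for entries worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RE_SECTION.match(line)
        if not m:
            continue  # header, process list, blank lines
        sec, rest = m.group("sec"), m.group("rest")
        reason = None
        if sec in ("R0", "R1") and rest.endswith("= about:blank"):
            reason = "IE start/search page forced to about:blank"
        elif sec in ("R3", "O9") and rest.endswith("(no file)"):
            reason = "entry points at a file that no longer exists"
        elif sec == "O4" and (r := RE_RUN.match(rest)):
            path = _exe_path(r.group("cmd"))
            base = path.rsplit("\\", 1)[-1]
            if "application data" in path.lower():
                reason = "autorun from a user profile directory"
            elif "?" in base:
                reason = "autorun filename contains a non-printable character"
        elif sec == "O15":
            if rest.startswith("Trusted IP range"):
                reason = "bare IP address added to Trusted Zone"
            elif (z := RE_ZONE.match(rest)) and z.group("host") not in zone_allowlist:
                reason = "unexpected domain in Trusted Zone"
        if reason:
            findings.append((sec, line, reason))
    return findings

# Sample lines taken from the log posted in this thread (constructed subset).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://msn.com/
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Us\Application Data\eetu.exe
O4 - HKCU\..\Run: [Fekn] C:\WINDOWS\System32\?hkdsk.exe
O9 - Extra button: (no name) - {F2570A0D-001D-477D-93D1-D05EF5EB95CD} - (no file)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
"""

if __name__ == "__main__":
    for sec, line, reason in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {line}")
```

The heuristics only narrow the list; a human still decides what to fix, as Mike does above with the O6 entry.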
Midnight Star
5 Rhenium

Re: Hijack this log - getting fatal system errors please help

Megan,

Sorry, I got one step ahead of myself - it's getting close to Christmas day! Let's try this first, before running HiJackThis, to make sure that nothing else has returned.

Run DLLCompare again, and post back the results.

-

Remember not to reboot your system just yet.

Mike.

 

0 Kudos
meganu
1 Nickel

Re: Hijack this log - getting fatal system errors please help

Mike,
 
Ok, I ran DLL Compare:
 
 
*    DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
O^E says: "There were no files found :)"
________________________________________________
1,266 items found:  1,266 files, 0 directories.
Total of file sizes:  245,755,062 bytes    234.37 M
Administrator Account =  True
--------------------End log---------------------
 
Then I did the free scan at trendmicro -- it didn't find anything.
I ran Ad-Aware and it found a few things. Here's the beginning of the log (summary info only - the whole thing is really long):
 

Ad-Aware SE Build 1.05
Logfile Created on:Sunday, December 26, 2004 7:49:55 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R23 16.12.2004
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
CoolWebSearch(TAC index:10):6 total references
midADdle(TAC index:4):9 total references
Possible Browser Hijack attempt(TAC index:3):26 total references
Tracking Cookie(TAC index:3):36 total references
TX4.BrowserAd(TAC index:3):6 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file
Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects

12-26-2004 7:49:55 PM - Scan started. (Full System Scan)
 
I downloaded VX2 Cleaner and ran Ad-Aware again; it found MRUList this time.
Then I ran Spybot, which found WebTrends live, CoolWWW Search.Googlems, and DSO Exploit.
Then I ran About:Buster but all it said was No Ads Found.
 
Unfortunately, the computer was rebooted over the weekend....I forgot to tell my husband to leave it on, and he turned the computer off while I was gone. Hopefully it hasn't created more problems...
 
I'm assuming I should run HiJackThis next, but I'll wait till I hear back from you.
 
Thanks and I hope you had a nice holiday!
Megan
 
0 Kudos
Midnight Star
5 Rhenium

Re: Hijack this log - getting fatal system errors please help

Megan,
 
Wow! That's some good news indeed! Pat yourself on the back! - Excellent work!
 

 
Ok, now we need to fix some of the damage that garbage did to your system and do one more thing:
 
 -

Run Killbox again, but this time just copy/paste the following names, one at a time, in the file name to delete field:

  •  C:\Windows\System32\Guard.tmp
  •  C:\RECYCLER\Desktop.ini

then click the red-x to delete these files.


Download and run VX2Finder, then: 

1.  Click "Restore Policy"

2. Click "User Agent$"


From a command line, run "regedit" then go to the following registry key:

  1.  HKEY_LOCAL_MACHINE
  2. SOFTWARE
  3. Microsoft
  4. Windows NT
  5. CurrentVersion
  6. Winlogon
  7. Notify

Look for an entry that says:

DLLName="c:\\windows..."

It'll have a randomly named file where the "..." is. Post back the name of that file and close the registry editor, without changing any of the data.


Let me know when you're done with that, and post back a new log - let's see if anything is left.

Mike.

 
0 Kudos
meganu
1 Nickel

Re: Hijack this log - getting fatal system errors please help

Mike,
I would've posted this last night, but the cursor wouldn't show up in this message body, so I was unable to type anything! I'm at work right now and it's fine with this computer. Is it something in my settings??
 
Anyway, I deleted those files, ran VX2Finder and I think I found the entry you were talking about -- it's in the ThemeManager directory under Notify, called C:\WINDOWS\System32\j4jqle151h.dll.
 
 
Thanks
Megan
0 Kudos
meganu
1 Nickel

Re: Hijack this log - getting fatal system errors please help

Woops, forgot I wanted to post the VX2 Finder log:

 

Log for VX2.BetterInternet File Finder (ALL)
 
Files Found---
Additional Files---
Keys Under Notify---
crypt32chain
cryptnet
cscdll
igfxcui
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
ThemeManager
wlballoon



 

Guardian Key--- is called:


 

Guardian Key--- :


 

User Agent String---



 

0 Kudos
Midnight Star
5 Rhenium

Re: Hijack this log - getting fatal system errors please help

Megan,


You've done an excellent job! That system had multiple 'infections'!


I'm not sure just yet - it might be, but I doubt it. When you click in the message body, even though you don't see a cursor, did you try typing to see if any text would show up? Sometimes when IncrediMail tosses up an e-mail notice on my screen, I don't see a cursor either, but it still lets me type text. I'm guessing the cursor is a sprite, and not an actual text character - we'll figure that out ... :)


-----


That file looks like what we need. Check and see if this file is present:


C:\WINDOWS\System32\j4jqle151h.dll


If it is, let's go ahead and delete it.


-----

Post up a new HiJackThis to review, and I'll see if we have anything left. If you're still having problems entering text when posting, just PM me and I'll see if we can work this out while I'm online using an instant messenger.


Mike.


Message Edited by Midnight Star on 12-28-2004 07:49 AM

0 Kudos
meganu
1 Nickel

Re: Hijack this log - getting fatal system errors please help

Hi Mike!

You mentioned something about a system restore the other night -- should I create a new system restore point?

 

Thanks!!

Megan

0 Kudos
Midnight Star
5 Rhenium

Re: Hijack this log - getting fatal system errors please help

Megan,

Yes. After you 'flush' the restore point(s), go ahead and create one manually just to be safe.

Mike.
 
0 Kudos