Please check HJT log.


Relztrah
05-06-2004, 12:43 AM
Folks,

I've recently had some very strange symptoms of spyware, malware, gackware or something that has infected my computer. Please look at the following HJT log and give me some recommendations.

Thanks,
Relztrah

Logfile of HijackThis v1.97.7
Scan saved at 11:34:18 PM, on 5/5/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\IOMEGA\AUTODISK\ADSERVICE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\GWHOTKEY.EXE
C:\WINDOWS\SYSTEM\HPSJVXD.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\HPOOPM07.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\IOMEGA\AUTODISK\ADUSERMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\BARGAIN BUDDY\BIN2\BARGAINS.EXE
C:\PROGRAM FILES\INTERNET OPTIMIZER\OPTIMIZE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DRVDDLL.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\IOMEGA\TOOLS\IMGICON.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\BRIDGE.DLL
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\BI.DLL
O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\PROGRAM FILES\BARGAIN BUDDY\BIN2\APUC.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [mmpti] c:\windows\SYSTEM\m1mmpti.exe
O4 - HKLM\..\Run: [HPSCANMonitor] c:\windows\SYSTEM\hpsjvxd.exe
O4 - HKLM\..\Run: [PCHealth] c:\windows\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [WebScan] C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\DEFSCANGUI.EXE -k
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\SYSTEM\hpoopm07.exe
O4 - HKLM\..\Run: [DXDllRegExe] C:\WINDOWS\SYSTEM\dxdllreg.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [systray] C:\WINDOWS\SYSTEM\A.EXE
O4 - HKLM\..\Run: [Bargains] C:\Program Files\Bargain Buddy\bin2\bargains.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ADService] C:\Program Files\Iomega\AutoDisk\ADService.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [drvddll.exe] C:\WINDOWS\SYSTEM\drvddll.exe
O4 - HKCU\..\Run: [ssgrate.exe] C:\WINDOWS\SYSTEM\irun4.exe
O4 - Startup: Iomega Watch.lnk = C:\Program Files\Iomega\Tools\iowatch.exe
O4 - Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\imgstart.exe
O4 - Startup: Iomega Disk Icons.lnk = C:\Program Files\Iomega\Tools\imgicon.exe
O4 - Startup: Refresh.lnk = C:\Program Files\Iomega\Tools\refresh.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: QuickDefine - C:\Program Files\Common Files\Microsoft Shared\Reference Titles\eddefine.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .htm: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.vtech.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38010.2135069444
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://www2.flingstone.com/cab/98ME/new/bridge.cab

Budfred
05-06-2004, 01:20 AM
You have a mess and may have one of the nastier bits around right now... we will have to see...

First please download, update and run AdAware... Remove all things it identifies as bad.... particularly note if it says that you have a file that can't be removed.

Next you need to run at least one online virus scan. This is identified as a worm/virus. If you can't fix it that way, fix it in HJT:

O4 - HKCU\..\Run: [drvddll.exe] C:\WINDOWS\SYSTEM\drvddll.exe

After you finish that, reboot and run only HJT, mark/fix:

O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\BRIDGE.DLL
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\BI.DLL
O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\PROGRAM FILES\BARGAIN BUDDY\BIN2\APUC.DLL
O4 - HKLM\..\Run: [WebScan] C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\DEFSCANGUI.EXE -k
O4 - HKLM\..\Run: [systray] C:\WINDOWS\SYSTEM\A.EXE
O4 - HKLM\..\Run: C:\Program Files\Bargain Buddy\bin2\bargains.exe
O4 - HKCU\..\Run: [ssgrate.exe] C:\WINDOWS\SYSTEM\irun4.exe
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://www2.flingstone.com/cab/98ME/new/bridge.cab

I strongly urge fixing this, it is supposed to be optional, but I found it to be a real pain...

O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"

If this is not what you set for your homepage, fix it:

O14 - IERESET.INF: START_PAGE_URL=http://www.vtech.com

Then reboot into Safe Mode and remove these if they can be found. With luck the last one will already be gone, and the others might be too. Make sure you have the system set to reveal hidden files to be sure...

C:\PROGRAM FILES\BARGAIN BUDDY\BIN2\BARGAINS.EXE
C:\PROGRAM FILES\INTERNET OPTIMIZER\OPTIMIZE.EXE
C:\WINDOWS\SYSTEM\DRVDDLL.EXE

Finally, reboot and post a fresh HJT log. Note the name and location of any file that AdAware said it couldn't fix. Note any other issues encountered as well.....

Relztrah
05-06-2004, 02:36 PM
Next you need to run at least one online virus scan. This is identified as a worm/virus. If you can't fix it that way, fix it in HJT:

O4 - HKCU\..\Run: [drvddll.exe] C:\WINDOWS\SYSTEM\drvddll.exe


Do you have a recommendation? I already use AVG, which I keep updated, but apparently that didn't prevent infection.

Relztrah

Budfred
05-06-2004, 08:07 PM
Sorry, I needed to point out that there are links to 2 common ones in my signature.... HouseCall seems to garner a bit more respect than Bitdefender....

Relztrah
05-07-2004, 10:36 AM
AdAware did indeed find and delete some junk, but obviously my main problem is the BAGLE.Z worm, which HouseCall identified as having infected 230 files...and it's still running as of this morning. All files are listed as "Non Cleanable" and I trust I can fix them with HJT. I'll wait until HouseCall finishes, follow the above instructions, and post a fresh HJT log.

Thanks again,
Relztrah

classicsoftware
05-07-2004, 10:51 AM
HijackThis will NOT fix the Bagle worm.

Download the fix after reading this page (http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.x@mm.html).

If the files infected are Windows files, once you have cleaned out virus, you can run SFC and windows will replace the files that are damaged. If the files are from other programs, they may have to be re-installed.

Relztrah
05-07-2004, 12:41 PM
Thanks for the tip. I will take care of this as soon as I get home from work. Do you suggest that I do this BEFORE deleting the entries in HJT as Budfred indicates or afterward? Or does it matter?

Relztrah

classicsoftware
05-07-2004, 05:07 PM
Spyware is always secondary to a virus infection. Address the virus first.

Relztrah
05-08-2004, 10:24 AM
Folks,

I'm sending a donation to the tip jar for this one. Thank you Budfred and classicsoftware for your help. I am guardedly optimistic about the health of my computer after following the above advice. AdAware shows nothing to remove. I ran HJT and most of the nasties from my previous post were gone. A couple follow-up questions:

1. I read the following on the Symantec site which I don't understand.

The attachment's extension will be the same as the type of file as Drvddll.exeopenopen. For example, if Drvddll.exeopenopen is dropped as a .zip file, the attachment will be a .zip file.
If Drvddll.exeopenopen is the worm itself, the extension will be .exe, .com, or .scr.

I still have the following files in my Windows\System folder:

drvddll.exeopenopenopen
drvddll.exeopenopenopenopen

I assume I should delete them, but I'm not sure what they are.

2. Should I periodically run the removal tool to check for reinfection? Is there any danger in running it more than once?

Finally, here is a fresh HJT log. Do you see anything unusual here?
Thanks again for getting me out of this mess.

Logfile of HijackThis v1.97.7
Scan saved at 8:54:02 AM, on 5/8/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\IOMEGA\AUTODISK\ADSERVICE.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\GWHOTKEY.EXE
C:\WINDOWS\SYSTEM\HPSJVXD.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\HPOOPM07.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\IOMEGA\AUTODISK\ADUSERMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\IOMEGA\TOOLS\IMGICON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [mmpti] c:\windows\SYSTEM\m1mmpti.exe
O4 - HKLM\..\Run: [HPSCANMonitor] c:\windows\SYSTEM\hpsjvxd.exe
O4 - HKLM\..\Run: [PCHealth] c:\windows\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\SYSTEM\hpoopm07.exe
O4 - HKLM\..\Run: [DXDllRegExe] C:\WINDOWS\SYSTEM\dxdllreg.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ADService] C:\Program Files\Iomega\AutoDisk\ADService.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - Startup: Iomega Watch.lnk = C:\Program Files\Iomega\Tools\iowatch.exe
O4 - Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\imgstart.exe
O4 - Startup: Iomega Disk Icons.lnk = C:\Program Files\Iomega\Tools\imgicon.exe
O4 - Startup: Refresh.lnk = C:\Program Files\Iomega\Tools\refresh.exe
O8 - Extra context menu item: QuickDefine - C:\Program Files\Common Files\Microsoft Shared\Reference Titles\eddefine.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .htm: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38010.2135069444
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab

Budfred
05-08-2004, 11:44 AM
I am not familiar with that particular virus, but I would say that if those files are still there, they probably shouldn't be, so I would certainly kill them.... I am surprised that the cleanup tool didn't already.

I don't know that I would run the cleanup tool on a regular basis, but I would make sure your AV program is up to date and keep it that way... Make sure you have a good software firewall, install SpywareBlaster and IE-Spyads.... Read this article about security: http://boards.cexx.org/viewtopic.php?t=957

Your log looks clean at the moment....
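Budfred's fix list and the before/after comparison above are the kind of triage that can be scripted. The following is an added example, not code from the thread or from HijackThis: it parses HJT entry lines, diffs an old log against a fresh one, and cross-references O2 BHO CLSIDs with O16 DPF downloads (the BRIDGE.DLL / bridge.cab pairing in the first log). The sample logs are a constructed subset of the lines posted in this thread.

```python
import re

# Constructed sample: a subset of lines copied from the two HijackThis logs in this thread.
LOG_BEFORE = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\BRIDGE.DLL
O4 - HKLM\..\Run: [systray] C:\WINDOWS\SYSTEM\A.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [drvddll.exe] C:\WINDOWS\SYSTEM\drvddll.exe
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://www2.flingstone.com/cab/98ME/new/bridge.cab
"""
LOG_AFTER = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
"""
ENTRY = re.compile(r"^(R\d|O\d{1,2}) - (.*)$")   # "O4 - HKLM\..\Run: ..." style entry lines
CLSID = re.compile(r"\{[0-9A-F-]{36}\}")          # {8-4-4-4-12} GUID as HJT prints it

def parse_hjt(text):
    """Return a list of (kind, clsid_or_None, rest) for each HJT entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header lines, the process list and blanks are not entries
        kind, rest = m.groups()
        c = CLSID.search(rest)
        entries.append((kind, c.group(0) if c else None, rest))
    return entries

def diff_logs(before, after):
    """Entries present in the old log but gone from the new one, and vice versa."""
    old = {e[2] for e in parse_hjt(before)}
    new = {e[2] for e in parse_hjt(after)}
    return sorted(old - new), sorted(new - old)

def bho_from_dpf(entries):
    """Flag O2 BHOs whose CLSID also appears as an O16 ActiveX download (DPF):
    the BHO arrived as a web-delivered CAB rather than from a local installer."""
    dpf = {c: rest for kind, c, rest in entries if kind == "O16" and c}
    return [(c, rest, dpf[c]) for kind, c, rest in entries if kind == "O2" and c in dpf]

if __name__ == "__main__":
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("removed:", *removed, sep="\n  ")
    print("added:", *added, sep="\n  ")
    for clsid, bho, download in bho_from_dpf(parse_hjt(LOG_BEFORE)):
        print(f"BHO {clsid} was delivered via DPF: {download}")
```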

PrntRhd
05-08-2004, 12:31 PM
It appears to be a Bagle variant. I would do a trojan scan as a precaution, as Bagle installs a backdoor; see the ZDNet article (http://reviews-zdnet.com.com/4520-6600_16-5132716.html):

These variations of Bagle do not rely upon a specific Microsoft vulnerability but on simple social engineering. Remember never to open attached e-mail files without first saving them to the hard drive and scanning for known viruses. The latest signature file from your antivirus vendor should protect you against these Bagle variations. Additionally, the use of a personal firewall will prevent the backdoor Trojan from communicating with the virus author.

classicsoftware
05-08-2004, 06:24 PM
1) Delete those files.
2) Keep your A/V up to date.
3) Keep Spyware Blaster up to date.
4) Install ZoneAlarm (http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp?lid=zadb_zadown)
5) If you have cable or DSL, get a router. I prefer Linksys (http://www.linksys.com/products/product.asp?grid=34&scid=29&prid=405) but I have also heard good things about D-Link (http://www.dlink.com/products/?pid=62)
6) For now run AdAware and Spybot every week.
You should be good to go.