Help with HJT Report
Guys,
I need some help please. A friend of mine has an old PC which they have asked me to look at for them. Like a fool I said 'yep, no problem!' That was my first mistake!!
Basically, their son decided to remove their firewall and they have continued to surf the net unprotected....until their next phone bill. They had all sorts of dialers on there and had two calls amounting to £60. The plug was pulled and my help requested.
Rather concerned about connecting to the net myself, I have removed all the dial up connections except the one for virgin.net, their ISP. I have run their old version of adaware (at least a year old) and removed everything it found (and boy it found some). From my PC I copied across CWS Shredder (the latest version) and ran that (it found 8 IE things it fixed). And I have just copied across the latest HJT and run it, with the file attached.
Since running CWS I have noticed the screen resolution change to 800x600 and I now can't go any higher??
Please advise re: the HJT log
Thanks in advance
G
Logfile of HijackThis v1.98.2
Scan saved at 09:21:53, on 15/08/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\Mgmacpkh.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\winnt\msbb.exe
C:\WINNT\System32\blwoiv.exe
C:\WINNT\System32\internat.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
R3 - Default URLSearchHook is missing
O1 - Hosts: 64.237.45.18 www.burstnet.com
O1 - Hosts: 64.237.45.18 oz.valueclick.com
O1 - Hosts: 64.237.45.18 a.tribalfusion.com
O1 - Hosts: 64.237.45.18 servedby.advertising.com
O1 - Hosts: 64.237.45.18 pagead2.googlesyndication.com
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81C3A} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ELITEB~2.DLL
O2 - BHO: (no name) - {E91996F3-B927-4873-89A6-B4DE44179E56} - C:\WINNT\System32\hidf.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [msbb] c:\winnt\msbb.exe
O4 - HKLM\..\Run: [alchem] C:\WINNT\alchem.exe
O4 - HKLM\..\Run: [crczshch] C:\WINNT\crczshch.exe
O4 - HKLM\..\Run: [lqougqpreran] C:\WINNT\System32\blwoiv.exe
O4 - HKLM\..\Run: [WinInit] Win86.exe
O4 - HKLM\..\Run: [WinLogin] win32x.exe
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\AGNITUM\OUTPOS~1.0\trash.exe (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\AGNITUM\OUTPOS~1.0\trash.exe (HKCU)
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Moniker32 Class) - http://connect.online-dialer.com/cax_gb.cab
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://www2.flingstone.com/cab/2000XP/CDTInc/bridge-c17.cab
O18 - Filter: text/plain - {B57675B8-97D6-42EB-A29E-80800AE54660} - C:\WINNT\System32\hidf.dll
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINNT\System32\Okjllj32.dll
pop pop
08-15-2004, 05:35 AM
There is still work to be done on that PC. One of the experts will be along soon to help.
david eaton
08-15-2004, 10:06 AM
Hm......... It might be easier to list the items to stay!
Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.
R3 - Default URLSearchHook is missing
O1 - Hosts: 64.237.45.18 www.burstnet.com
O1 - Hosts: 64.237.45.18 oz.valueclick.com
O1 - Hosts: 64.237.45.18 a.tribalfusion.com
O1 - Hosts: 64.237.45.18 servedby.advertising.com
O1 - Hosts: 64.237.45.18 pagead2.googlesyndication.com
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81C3A} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ELITEB~2.DLL
O2 - BHO: (no name) - {E91996F3-B927-4873-89A6-B4DE44179E56} - C:\WINNT\System32\hidf.dll
O4 - HKLM\..\Run: [msbb] c:\winnt\msbb.exe
O4 - HKLM\..\Run: [alchem] C:\WINNT\alchem.exe
O4 - HKLM\..\Run: [crczshch] C:\WINNT\crczshch.exe
O4 - HKLM\..\Run: [lqougqpreran] C:\WINNT\System32\blwoiv.exe
O4 - HKLM\..\Run: [WinInit] Win86.exe
O4 - HKLM\..\Run: [WinLogin] win32x.exe
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Moniker32 Class) - http://connect.online-dialer.com/cax_gb.cab
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://www2.flingstone.com/cab/2000.../bridge-c17.cab
O18 - Filter: text/plain - {B57675B8-97D6-42EB-A29E-80800AE54660} - C:\WINNT\System32\hidf.dll
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINNT\System32\Okjllj32.dll
Reboot and delete
files
c:\winnt\msbb.exe
C:\WINNT\alchem.exe
C:\WINNT\crczshch.exe
C:\WINNT\System32\blwoiv.exe
Win86.exe
win32x.exe
C:\WINNT\System32\hidf.dll
C:\WINNT\System32\Okjllj32.dll
These may be hidden files. See HERE (http://www.xtra.co.nz/help/0,,4155-1916458,00.html) for how to show hidden files.
Please post a followup Hijack this log, and say if your problems persist.
Steve
08-15-2004, 10:07 AM
Hi gav,
Make sure all other windows are closed and fix the following with HJT:
R3 - Default URLSearchHook is missing
O1 - Hosts: 64.237.45.18 www.burstnet.com
O1 - Hosts: 64.237.45.18 oz.valueclick.com
O1 - Hosts: 64.237.45.18 a.tribalfusion.com
O1 - Hosts: 64.237.45.18 servedby.advertising.com
O1 - Hosts: 64.237.45.18 pagead2.googlesyndication.com
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81C3A} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ELITEB~2.DLL
O2 - BHO: (no name) - {E91996F3-B927-4873-89A6-B4DE44179E56} - C:\WINNT\System32\hidf.dll
O4 - HKLM\..\Run: [msbb] c:\winnt\msbb.exe
O4 - HKLM\..\Run: [alchem] C:\WINNT\alchem.exe
O4 - HKLM\..\Run: [crczshch] C:\WINNT\crczshch.exe
O4 - HKLM\..\Run: [lqougqpreran] C:\WINNT\System32\blwoiv.exe
O4 - HKLM\..\Run: [WinInit] Win86.exe
O4 - HKLM\..\Run: [WinLogin] win32x.exe
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Moniker32 Class) - http://connect.online-dialer.com/cax_gb.cab
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://www2.flingstone.com/cab/2000.../bridge-c17.cab
O18 - Filter: text/plain - {B57675B8-97D6-42EB-A29E-80800AE54660} - C:\WINNT\System32\hidf.dll
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINNT\System32\Okjllj32.dll
Then reboot into safe mode. Make sure the computer is set to show all hidden and system files (in folder options) and find and delete the following:
hidf.dll
msbb.exe
alchem.exe
crczshch.exe
blwoiv.exe
Win86.exe
win32x.exe
hidf.dll
Okjllj32.dll
Then download, UPDATE and run AdAware (http://www.lavasoftusa.com/support/download/) and Spybot Search & Destroy (http://www.safer-networking.org/en/download/) . Fix everything they find.
Then run an UPDATED virus scan. I recommend Trend Micro HouseCall (http://housecall.trendmicro.com/) .
Then go to the Windows Update site and get all of the available updates for W2k and IE.
Then run HJT once more and post a follow up log. Just to see if we got everything and to see if the CWS infection comes back.
:)
EDIT: ooops, David jumped in there while I was day dreaming....;)
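The two replies above walk the log by eye and pick out the same handful of patterns: hosts entries all pointing at one public IP, a BHO and an O18 filter loading the same DLL, Run values with generated-looking names or bare filenames, and ActiveX packages pulled from dialer sites. The script below is an added example (not code from the thread, from HijackThis, or from any of the posters) that applies those checks mechanically to a subset of the first log so a helper can see the suspicious lines in one list. The trusted-host suffixes for O16 entries, the "generated-looking name" heuristic and the finding texts are this example's own assumptions; the sample lines are copied from the log posted above.

```python
"""Triage helper for HijackThis-style log lines.

Added example, not code from the thread or from HijackThis itself. It applies
the checks the helpers in the thread made by eye and returns findings for a
human to verify; nothing here removes or changes anything on the system.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: a subset of the first log posted in the thread.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O1 - Hosts: 64.237.45.18 www.burstnet.com
O1 - Hosts: 64.237.45.18 oz.valueclick.com
O1 - Hosts: 64.237.45.18 pagead2.googlesyndication.com
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81C3A} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ELITEB~2.DLL
O2 - BHO: (no name) - {E91996F3-B927-4873-89A6-B4DE44179E56} - C:\WINNT\System32\hidf.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [lqougqpreran] C:\WINNT\System32\blwoiv.exe
O4 - HKLM\..\Run: [WinInit] Win86.exe
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe /waitservice
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Moniker32 Class) - http://connect.online-dialer.com/cax_gb.cab
O18 - Filter: text/plain - {B57675B8-97D6-42EB-A29E-80800AE54660} - C:\WINNT\System32\hidf.dll
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINNT\System32\Okjllj32.dll
"""

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
DPF_RE = re.compile(r"(?P<url>https?://\S+)\s*$")

LOCAL_SINKS = {"127.0.0.1", "0.0.0.0"}                  # ad-blocking hosts files point here
TRUSTED_DPF_SUFFIXES = (".microsoft.com", ".windowsupdate.com")  # assumption: vendor CAB sources only
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\temp")       # long and 8.3 forms of a Temp directory


def looks_random(name):
    """Heuristic (this example's own): value names with no vowels, or long
    all-lowercase runs, match the generated names seen in the thread
    (msbb, crczshch, lqougqpreran). Legitimate names can still trip it."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 4:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels == 0 or (len(letters) >= 10 and name.islower() and name.isalpha())


def executable_of(cmd):
    """Return the program part of a Run value: a quoted path or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(log_text):
    """Return (section, reason, detail) tuples for lines worth a human's look."""
    findings = []
    hosts_by_ip = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "O1":
            h = HOSTS_RE.match(body)
            if h and h.group("ip") not in LOCAL_SINKS:
                hosts_by_ip[h.group("ip")].append(h.group("host"))
        elif sec in ("O2", "O18", "O21"):
            path = body.rsplit(" - ", 1)[-1].strip()      # last " - " field is the file
            if any(t in path.lower() for t in TEMP_MARKERS):
                findings.append((sec, "component loaded from a Temp directory", path))
            if sec == "O2" and body.startswith("BHO: (no name)"):
                findings.append((sec, "BHO registered without a name", path))
            if sec in ("O18", "O21"):
                findings.append((sec, f"{sec} hooks are rarely legitimate; verify the DLL", path))
        elif sec == "O4":
            r4 = RUN_RE.search(body)
            if not r4:
                continue
            name, exe = r4.group("name"), executable_of(r4.group("cmd"))
            if "\\" not in exe:   # bare filename: located via PATH search, cannot be checked from the log
                findings.append((sec, "Run value references a bare filename", exe))
            if looks_random(name):
                findings.append((sec, "Run value name looks machine-generated", name))
        elif sec == "O16":
            d = DPF_RE.search(body)
            if d:
                host = urlparse(d.group("url")).hostname or ""
                if not host.endswith(TRUSTED_DPF_SUFFIXES):
                    findings.append((sec, "ActiveX package downloaded from a non-vendor host", host))
        elif sec == "R3" and "missing" in body:
            findings.append((sec, "URLSearchHook has been removed (common after a hijack)", body))
    for ip, hosts in hosts_by_ip.items():   # several names sinking to one public IP is the telling pattern
        if len(hosts) >= 2:
            findings.append(("O1", f"{len(hosts)} hostnames redirected to the same public IP {ip}", ", ".join(hosts)))
        else:
            findings.append(("O1", f"hosts entry redirected to public IP {ip}", hosts[0]))
    return findings


if __name__ == "__main__":
    for sec, reason, detail in triage(SAMPLE_LOG):
        print(f"{sec:4} {reason}: {detail}")
```

The output is a worklist, not a fix list: the bare-filename check deliberately also flags `mobsync.exe`, a standard Windows component, because the point of the finding is that the log alone cannot tell where such a file lives, so the helper has to confirm it on disk before deciding anything.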
Guys,
Firstly a big thank you for your time.
This is what I have done so far with this damn machine;
I removed the items you both had suggested with HJT. A couple of them would not remove the first time??? So I ran it a second time and was successful then.
I have updated the AVG antivirus definitions (they were only 13 months out of date!!) and run a scan. This detected several viruses which it has cleaned. A few of them had to be put into what it called the vault, not sure what that does as I use Norton myself, but subsequent scans show the system as being clean.
I have updated the firewall.......Outpost, and this seems fine.
I have d/l Ad-Aware SE Personal and also d/l the latest reference file for this.
Firstly, I assume this is the latest and greatest, as I was expecting Ad-aware 6.0????
Secondly, when I run Ad-aware it brings up the AVG Resident Shield saying that there are trojan Horses on the system and to run AVG to clean them. Further runs of AVG find nothing???
I have also updated IE up to IE6.
I am getting ready to set up some user accounts on the machine for his kids so that they can't mess with anything and prevent this in future, and obviously some training for my friend regarding the need to update firewalls and antivirus software weekly rather than yearly :-)
However I want to be sure the system is clean.
Let me know your thoughts on my findings above and let me know if my new HJT log is clean.
Thanks in advance
G
Logfile of HijackThis v1.98.2
Scan saved at 20:37:18, on 15/08/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINNT\System32\internat.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O18 - Filter: text/html - {ECE733C7-3FF5-48C5-8392-778AD917EA26} - C:\WINNT\System32\hidf.dll
PrntRhd
08-15-2004, 05:09 PM
You need to update IE 6.0 to SP1 and keep downloading all critical updates.
Which AdAwareSE build are you using? Current one is Build 1.03.
You can download a 30 day free trial of Trojan Hunter (http://www.misec.net/) if there are really trojans there; some AVs name some adware programs "trojans", but these are not recognized as such by most dedicated trojan programs.
I recommend running a free online scan at Housecalls (http://housecall.antivirus.com/housecall/start_corp.asp) as a second check as well; it is a great complementary check to resident AV programs.
jlreich
08-15-2004, 05:52 PM
Windows 2000 needs to be updated to SP4
Steve
08-15-2004, 06:47 PM
gav,
Were you able to find and delete the following file:
C:\WINNT\System32\hidf.dll
It's very important that you find and delete that file. You might have to enable viewing of hidden files and folders.
After you have found and deleted that file, fix the following with HJT:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O18 - Filter: text/html - {ECE733C7-3FF5-48C5-8392-778AD917EA26} - C:\WINNT\System32\hidf.dll
This CWS variant can be a real pain in the neck or fairly easy to remove. I hope this clears it for you. After you're done, reboot a few times, do some surfing and see if the hijack comes back. The R1 entries in the log are the signature of this hijack. Sometimes it comes right back, sometimes it takes a day or two. And sometimes you beat it. ;)
Hi,
Yes, I managed to get rid of the C:\WINNT\System32\hidf.dll file. I think that was the one that took a couple of attempts to get rid of, but it has gone.
I have now cleared the rest of the rubbish using HJT that you suggested and my new log is attached at the end.
My latest issue is that I run AVG (with the latest definitions) and this morning it picked up another virus which must have got onto the system since yesterday (when the scan was clean)!
I ran it and cleared off the one virus it found (startpage.6.AQ)
I re-ran it and it reported clean
I run Ad-Aware (with latest files) and during the scan AVG pops up and reports 2 trojan horses as follows;
Downloader.Alchemic.A
C:\Docs & Settings\Admin\Local Settings\Temp\AAWTMP\C169844\alchem.exe
and
Downloader.Agent.AS
C:\Docs & Settings\Admin\Local Settings\Temp\AAWTMP\C169844\polmx.exe
I have d/l trojanhunter and manually installed the latest files from a zip file also d/l. This reports No Trojans ???
If I re-run AVG scans and Ad-Aware after re-boots I get the same thing but with the C16**** number different each time??? (I hope that makes sense). Could this be a phantom Trojan??
I am getting ready to upgrade to SP4 but want to make sure I am clean before I move on.
Any advice welcome on the above and my new HJT log
Regards
G
Logfile of HijackThis v1.98.2
Scan saved at 12:28:22, on 16/08/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINNT\System32\internat.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
classicsoftware
08-16-2004, 09:39 AM
The spyware is hiding in your temp folder and the folder needs to go.
Download Eraser (http://www.heidi.ie/eraser/download.php) and have it remove the Temp folder completely. Windows will re-create it when needed. Then re-post your HJT LOG.
Hi Classic,
Thanks for the reply.
I am a little uncertain which folder you are suggesting I should remove, so before going ahead I am hoping you can clarify for me.
Do you mean the C:\Docs & Settings\Admin\Local Settings\Temp.... folder or are you referring to the C:\winnt\temp.... folder?
Please advise
gav
classicsoftware
08-16-2004, 11:34 AM
It's usually:
C:\Docs & Settings\Admin\Local Settings\Temp
Thanks guys,
I think I am nearly there now!!! (thank god I hear you say!)
Here is my latest HJT log, which is so small now even I think I can understand it, but I thought I ought to check to be on the safe side.
Ad-Aware is working fine along with AVG now. I followed Classic's advice and got rid of the temp folder. When I scanned through the folder I noticed two suspicious files which had the names of the trojans I was looking for. A scan of the PC was not picking them up because they had been zipped and labelled as .cab files (or at least I think that was why). Anyhow I deleted the lot using Eraser. Sure enough Windows recreated the temp folder, but this time empty. THANKS CLASSIC
I now need to get my screen resolution back to 1024 x 768. For some reason I lost this during one of the scans with AVG and I am now stuck on 800 x 600 with no higher options. (any advice here would be useful)
Any advice on the screen resolution and a last look at my log would be most appreciated.
Thanks to everyone for the invaluable advice
Regards to all
gav
Logfile of HijackThis v1.98.2
Scan saved at 16:54:03, on 16/08/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINNT\System32\internat.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
Steve
08-16-2004, 04:06 PM
Well, your log looks clean to me. Keep in mind that the CWS infection could come back, but as time goes on it is less and less likely. Run HJT each day for a while and see if it shows up. I'm starting to like classicsoftwares tip of using eraser on the temp folder. Seems to do that extra little scrubbing that's often needed.
As for your video problem, about the only thing I can come up with right off is to reinstall the video drivers and see if that clears it up.
:)
Budfred
08-16-2004, 08:45 PM
You have a desperate, but probably unrecognized, need to update your Windows to SP4 and your IE to SP1 with all critical updates... Without that, you will be back soon with more infections....
Steve
08-16-2004, 09:15 PM
I am getting ready to upgrade to SP4 but want to make sure I am clean before I move on.
;)
Thanks Budfred for your comments. As Steve pointed out I was (on this occasion) aware of the need for the SP4 and IE SP1 which I am glad to report are all on now.
I think I am finally clean, and today I seem to have stayed that way. I think I will continue to hold on to this PC for a few days and use it on the web and ensure that I remain clean.
A big thank you again to everyone for their quick replies to my issues, especially Steve and Classic who helped weed out those real buried nasties. I have learnt a lot!! :-)
Gav
Well, it would appear that I spoke too soon.
I keep getting re-infected with the following;
Trojan horse
Startpage.6.AQ
C:\winnt\system32\lckfii.dll
I have the latest AVG definitions and outpost firewall but it keeps coming back from somewhere. This one seems to re-infect on a daily basis?? I am clean when I switch off in the evening and then the next day as soon as I open IE and start surfing I get the AVG warning saying I am infected again.
AVG deals with it and gets rid of it, but how do I keep the bugger out?
I have all the latest updates now as far as I am aware. Maybe there is a patch for this one??
Gav
Steve
08-18-2004, 07:02 PM
As time goes on, these trojans are getting harder and harder to clear. Sometimes they change their name, on each reboot, in order to avoid deletion. I know it's not politically correct here and not very geek like, but when time is of the essence, nothing fixes these problems like a good zero fill, partition, format and clean install.
That being said, the idea is to track down the file and kill it. Using Windows Explorer, in safe mode, hunt that file down. Use Eraser to make sure it is gone. You can also use the Killbox (http://www.downloads.subratam.org/KillBox.zip) to do it in. Killbox is one of my favorite programs for this kind of stuff. It will sometimes stop and delete running processes. And that's not easy.
So there you go. Go on a search and destroy mission. Hunt it down and kill it. Make it personal...;)
If you have more questions, you know where to ask. When you're done, one more HJT log would be a good idea.
:)
Budfred
08-18-2004, 08:16 PM
I suggest that you update TrojanHunter with the latest definitions, reboot and DON'T let AVG fix it, then run TrojanHunter to see if it can find and kill it... If it doesn't, you could also try TD3....
Well Guys sorry to bother you all again.
I dont mind admitting I am struggling, but I am sticking with it....IT WILL NOT BEAT ME!!!
I still seem unable to get rid of this startpage.6.AQ trojan. I have run trojan hunter and trojan remover but neither seem to find this particular trojan??
I have been all over the web looking for info and there seem to be a lot of people struggling with this one but no one seems to have the answer.
As tempting as it is to give in and re-format I am hoping you guys will still advise me.
I am able to find this trojan on about a daily basis. The first indication I have is when I run Ad Aware SE with the latest def. and as it scans the C:\winnt\system32 files it prompts AVG to say that I am infected. I assume it to be correct. It is always a .dll file which I am always able to get rid of by shift deleting or by using AVG. Each time it is a different .dll but always the same location.
I did a registry search for startpage and deleted all it came up with, as I recognised all the file extensions to this trojan. I then managed to run for 2 days but again today it is back.
Man made this machine and my engineers brain says man should be able to fix it :-)
I have tried eraser to get rid of the file but this will not allow me to delete it saying it does not have the rights
Is there anything else I can do??
going slowly insane
Gav
Budfred
08-23-2004, 08:45 PM
In reviewing your thread I am betting you still have the same CWS variant... Please stop fixing it the way you are doing it since that will just make it harder to track down... There are several different fixes for it, but we will start with the easiest...
Method 1: SPHJFIX
This is the easiest way. Unfortunately this method doesn’t always work. SPHJFIX works only on Windows 2000 and Windows XP systems.
Download Sphjfix HERE (http://www.trojaner-info.de/anleitungen/hijackthis/about_blank.html)
Unzip the program and start it.
After an automatic reboot run CWShredder.
Reboot again, run HijackThis and remove all entries related to the about:blank hijack.
In doubt, find expert help.
The page is in German, but you should be able to find the fix to download in there... Post back with a progress report and don't try to fix it with AVG or Ad-Aware if it appears again...
Steve
08-23-2004, 09:05 PM
I have tried eraser to get rid of the file but this will not allow me to delete it saying it does not have the rights
Have you tried it in safe mode?
Budfred may have a point. Men might have made this machine but some very smart men made the CWS trojan. It can't hurt to try the various programs that are available. I'm not sure it's the CWS trojan that's on your computer but it could be. If you are whacking it every day, it might not have had a chance to reactivate the hijack.
Hi Budfred,
Well I followed your instructions to the letter.
There was nothing found in the HJT log to delete (with ref to about_blank)??
I am at present infected and have not cleaned it off until you advise.
Whilst carrying out your steps the following happened;
I got a warning from the AVG control centre saying I had the 'trojan horse Startpage.6.AQ' in C:\winnt\system32\khi.dll
Then I got another message from the AVG control centre when I started HJT saying I had 'trojan horse BackDoor.Agent.BA' in C:\winnt\system32\winpcmj.dll
As I said I am still infected and wont do anything until you advise
Thanks
Gav
Logfile of HijackThis v1.98.2
Scan saved at 13:23:31, on 24/08/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINNT\system32\internat.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKCU\..\Run: [internat.exe] internat.exe
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
Budfred
08-24-2004, 11:29 PM
Okay, CWS is not showing up... I think it is time for a blitz... Try this.... Get Stinger from McAfee and run it, reboot into Safe Mode and run it again... Get a-squared and/or TDS3 trial, update and run them in Normal and Safe Mode... When you get back online, you could also run an online AV scan or two... If all of this doesn't work, we will need to get help manually editing the Registry... This stuff is not going to show up in HJT, so you need to go with automatic scans at first...
Steve
08-25-2004, 09:15 PM
gav,
At the risk of being repetitious, have you tried to track down and delete the offending .dll in safe mode? It does make a difference. Did you try the killbox? It's a good tool.
Steve,
Thank you!
I am kicking myself, but no I was not in safe mode, and since deleting the offending .dll's in safe mode I have not been re-infected. I have only been using the PC for about 3 days with just a standard firewall and AV enabled and have not got anything. Daily updates along with scans have found nothing either so things now look good. (previously I was getting re-infected daily)
Thank you so much to everyone, especially Steve and Budfred, for all your replies
A very grateful
Gav :) ;) :p :cool:
P.S. Just out of interest why is 'safe mode' different?
I assume it is because certain services are not running where these nasties load themselves
Budfred
08-29-2004, 09:35 AM
P.S. Just out of interest why is 'safe mode' different?
I assume it is because certain services are not running where these nasties load themselves
That is basically it... The malware is usually designed to load at boot and to resist being removed because it is running... Since it doesn't load in Safe Mode, usually, it is possible to remove it....
Steve
08-29-2004, 10:18 AM
Congratulations gav!
Nice job. You stuck with it and won. If you ever have reason to chase down these randomly named .dll or .exe files again, remember safe mode. ;)
As long as you can recognise the offending file, they usually go in safe mode. But not always. I have run across several that run in safe mode. When that happens, I check the running processes list in task manager (ctrl-alt-del) to see if I can "end process" on them there. If that works, they can be deleted.
And then there's the files that won't allow task manager to stop them. For those I use the Killbox program. With this program, you have a choice to kill it where it stands or on the next reboot. It's a pretty powerful little program. Best used as a last resort.
Once again, congratulations. It sounds like you had a good time with it...:)
Steve,
Thanks for the congrats. There is a feeling of achievement when you beat these things and the 'Bar Stewards' that design them. I would love to get my hands on some of these people.........although I am sure I am at the back of a long line on this one!!
You are right, I have had a good time and more importantly learnt a lot from it, thanks to the help from you guys.
I use the site regularly and recommend it to friends also. I have even been able to help and advise the odd person myself which is also quite satisfying.
Well, time for a beer and the bar-b-q now (he said with a smug feeling of achievement)
Thanks again guys
Gav