Hijack this Log

All,

I have had problems with the XXXServer dial up hijack, i have run AdAware and deleted all files it recognised. This is the hijack log file, do i need to do anything more.

Thanks for any help.

Steve.

Logfile of HijackThis v1.97.7
Scan saved at 06:54:57, on 14/06/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\pctspk.exe
C:\WINDOWS\System32\enbiei.exe
C:\WINDOWS\System32\wuamgrd.exe
C:\WINDOWS\System32\mslaugh.exe
C:\WINDOWS\System32\wkssvrs.exe
C:\WINDOWS\s_menu.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\BT Yahoo! Internet\DialBTYahoo.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.btopenworld.com/searchpane
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pureseeker.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.btopenworld.com/togetherinternet
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BT Together with 24/7 Internet
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.btopenworld.com/togetherinternet
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [B6BE4555] C:\WINDOWS\System32\jojrelxhzavpl.exe
O4 - HKLM\..\Run: [www.hidro.4t.com ] enbiei.exe
O4 - HKLM\..\Run: [Microsoft DirectX] wuamgrd.exe
O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
O4 - HKLM\..\Run: [Microsoft Updates] wkssvrs.exe
O4 - HKLM\..\Run: [BTopenworld] "c:\program files\bt yahoo! internet\DialBTYahoo.exe" /ReInstallAutoDial
O4 - HKLM\..\Run: [StartMenu] C:\WINDOWS\s_menu.exe /i
O4 - HKLM\..\RunServices: [Microsoft DirectX] wuamgrd.exe
O4 - HKLM\..\RunServices: [3D131D72] C:\WINDOWS\System32\jojrelxhzavpl.exe
O4 - HKLM\..\RunServices: [Microsoft Updates] wkssvrs.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Microsoft DirectX] wuamgrd.exe
O4 - HKCU\..\Run: [Microsoft Updates] wkssvrs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O9 - Extra button: Money Viewer (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.btopenworld.com/togetherinternet
O16 - DPF: {11111111-1111-1111-1111-111111113456} - file://c:\info6_s.cab
O16 - DPF: {71057C18-0507-4747-86BC-E11CE7512C5F} (mailhelper Class) - http://register.btinternet.com/templates/btmailcontrol013.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btinternet.com/templates/btwebcontrol023.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B89370BE-82EA-4067-A9A7-C5DB1FFB79F2}: NameServer = 213.1.119.97 213.1.119.98

 

You have several blaster like and sdbot like worms and viruses on the machine
represented by these processes
C:\WINDOWS\System32\enbiei.exe
C:\WINDOWS\System32\wuamgrd.exe
C:\WINDOWS\System32\mslaugh.exe
C:\WINDOWS\System32\wkssvrs.exe
C:\WINDOWS\s_menu.exe

Start by downloading and running the fix tool
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html
Patch your system as soon as you can using M$ updates

Run HijackThis again, push Scan and place a check mark next to the following items using your mouse.
Next, close all browser Windows, and push the 'Fix checked' button in HijackThis

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pureseeker.com
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [B6BE4555] C:\WINDOWS\System32\jojrelxhzavpl.exe
O4 - HKLM\..\Run: [www.hidro.4t.com ] enbiei.exe
O4 - HKLM\..\Run: [Microsoft DirectX] wuamgrd.exe
O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
O4 - HKLM\..\Run: [Microsoft Updates] wkssvrs.exe
O4 - HKLM\..\Run: [StartMenu] C:\WINDOWS\s_menu.exe /i
O4 - HKLM\..\RunServices: [Microsoft DirectX] wuamgrd.exe
O4 - HKLM\..\RunServices: [3D131D72] C:\WINDOWS\System32\jojrelxhzavpl.exe
O4 - HKLM\..\RunServices: [Microsoft Updates] wkssvrs.exe
O4 - HKCU\..\Run: [Microsoft DirectX] wuamgrd.exe
O4 - HKCU\..\Run: [Microsoft Updates] wkssvrs.exe
O16 - DPF: {11111111-1111-1111-1111-111111113456} - file://c:\info6_s.cab

Empty the TIF (Temporary Internet Files)
To do so use Control Panel > Internet Options(or right click the IE icon on the desktop and choose Properties)
Click Delete Files on the General Tab - place a check in the Delete all offline content box and then press OK

Delete all the files in (and any subfolders of) the C:\Windows\Temp\ folder

Set your Explorer up using the info in this link so that hidden and System files are visible
Also Uncheck the "Hide extensions for known file types" box

Reboot to SAFE mode
How to start the computer in Safe mode

Delete the following files:
c:\info6_s.cab
C:\WINDOWS\System32\enbiei.exe
C:\WINDOWS\System32\wuamgrd.exe
C:\WINDOWS\System32\mslaugh.exe
C:\WINDOWS\System32\wkssvrs.exe

Reboot to normal mode and get a good online virus scan at HouseCall


------ some partial info (for further cleanup)
enbiei -- http://www.sophos.com/virusinfo/analyses/w32blasterf.html
mslaugh.exe -- http://www.sophos.com/virusinfo/analyses/w32blastere.html
wkssvrs.exe -- http://uk.trendmicro-europe.com/ent...ail.php?id=59529&VName=WORM_SPYBOT.AP&VSect=O
and http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=WORM_SPYBOT.AP&VSect=T