Hijack This Log

Discussion in 'adware, spyware & hijack cleaning' started by zigner, May 21, 2004.

Thread Status:
Not open for further replies.
  1. zigner

    zigner Registered Member

    Joined:
    May 21, 2004
    Posts:
    2
    I am repairing a computer for a co-worker. I've used Spybot S&D 1.3 and also spyware sweeper to remove quite a few things. I am pasting the Hijack This log for review. She is still getting occasional IE popups (ads).
    TIA!

    Tony


    Logfile of HijackThis v1.97.7
    Scan saved at 9:09:44 AM, on 5/21/04
    Platform: Windows 98 Gold (Win9x 4.10.199:cool:
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
    C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
    C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
    C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
    C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\SHJGGNX.EXE
    C:\WINDOWS\SYSTEM\BRX21YM1.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EarthLink Network, Inc
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {6F2FF1DF-A605-5FEC-1DF4-ACD942158CD3} - C:\windows\system\vkaxvlsa.dll
    O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\PROGRAM FILES\MYWAY\SRCHASTT\1.BIN\MYSRCHAS.DLL
    O2 - BHO: (no name) - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT TOOLBAR\VIEWBARBHO.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT TOOLBAR\VIEWBAR.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
    O4 - HKLM\..\Run: [mpwtmv] C:\WINDOWS\mpwtmv.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [SDVBNPM] C:\WINDOWS\SYSTEM\SDVBNPM.exe
    O4 - HKLM\..\Run: [4SEKPX425QY#XN] C:\WINDOWS\SYSTEM\Elq0i.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
    O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [Odeo] C:\WINDOWS\Application Data\rbro.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Encarta Encyclopedia (HKLM)
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
    O9 - Extra button: Define (HKLM)
    O9 - Extra 'Tools' menuitem: Define (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt0_x.cab
    O16 - DPF: Yahoo! Toki Toki Boom - http://download.games.yahoo.com/games/clients/y/vth_x.cab
    O16 - DPF: {D6016EE7-A8FF-11D1-B37E-A4759ECD7909} (AxPulse Class) - http://www.pulse3d.com/players/english/PulsePlayerAxWin.cab
    O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_0.ocx
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38002.3374305556
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 207.217.120.83,206.13.29.12
     
  2. Newkid

    Newkid Spyware Fighter

    Joined:
    Apr 29, 2004
    Posts:
    225
    Location:
    Memphis
    Welcome to Wilders, Tony !!

    As you frnd have a number of issues, I suggest you proceed as follows:

    On the top, your frnd machine has Pepper-Trojan. Download and run the uninstaller from here.. www.memorywatcher.com/uninst.exe

    You have to be connected and online for it to work. Very important otherwise it will not remove it.

    Now, Download the latest version of Ad-Aware at http://www.lavasoftusa.com/support/download/

    After installing AAW, and before running the program, you NEED to FIRST update the reference file following these instructions.

    Now do the following:

    - Under Ad-aware 6 > Settings (Gear at the top) > Tweak > Scanning Engine:
    check: "Unload recognized processes during scanning."

    - Under Ad-aware 6 > Settings (Gear at the top) > Tweak > Cleaning Engine:
    Check: "Let Windows remove files in use after reboot."

    Press "Scan Now"

    - Check option "Use Custom scanning options"
    - Check option "Activate In-Depth Scan"
    - Press "Select drives\folders to scan"
    - Select the active partition which is usually C:

    Now press "Next" to let Ad-aware scan your drives... It will find a number of "bad" files and registry keys. Right-click in that pane and choose "select all" Now press "Next" again.

    It will ask you whether you'd like to remove all checked items. Click OK.

    Finally, close Ad-Aware, and reboot. That ought to get rid of most of your spyware.

    When you've done all that, restart your computer, re-run Hijack This, and show us a fresh log. There will be more to do!

    With thanks !
    Newkid
     
  3. zigner

    zigner Registered Member

    Joined:
    May 21, 2004
    Posts:
    2
    Ok, steps followed - here is the new log. Thanks again!


    Logfile of HijackThis v1.97.7
    Scan saved at 12:23:28 PM, on 5/21/04
    Platform: Windows 98 Gold (Win9x 4.10.199:cool:
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
    C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
    C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MIPL9W3.EXE
    C:\WINDOWS\SYSTEM\SPYT34V2.EXE
    C:\HIJACKTHIS\HIJACKTHIS.EXE
    C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\SETUP\AVAST.SETUP

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EarthLink Network, Inc
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {6F2FF1DF-A605-5FEC-1DF4-ACD942158CD3} - C:\windows\system\vkaxvlsa.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
    O4 - HKLM\..\Run: [mpwtmv] C:\WINDOWS\mpwtmv.exe
    O4 - HKLM\..\Run: [SDVBNPM] C:\WINDOWS\SYSTEM\SDVBNPM.exe
    O4 - HKLM\..\Run: [4SEKPX425QY#XN] C:\WINDOWS\SYSTEM\XelD.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
    O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O4 - HKCU\..\Run: [Odeo] C:\WINDOWS\Application Data\rbro.exe
    O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
    O4 - Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Encarta Encyclopedia (HKLM)
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
    O9 - Extra button: Define (HKLM)
    O9 - Extra 'Tools' menuitem: Define (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt0_x.cab
    O16 - DPF: Yahoo! Toki Toki Boom - http://download.games.yahoo.com/games/clients/y/vth_x.cab
    O16 - DPF: {D6016EE7-A8FF-11D1-B37E-A4759ECD7909} (AxPulse Class) - http://www.pulse3d.com/players/english/PulsePlayerAxWin.cab
    O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_0.ocx
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38002.3374305556
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 207.217.120.83,206.13.29.12
     
  4. Newkid

    Newkid Spyware Fighter

    Joined:
    Apr 29, 2004
    Posts:
    225
    Location:
    Memphis
    Hello Tony,

    It looks as if you still have the Pepper Trojan. It'll be care later on.

    Now, Please close down all window instances and running programs and have hijackthis fix the following entries :

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {6F2FF1DF-A605-5FEC-1DF4-ACD942158CD3} - C:\windows\system\vkaxvlsa.dll
    O4 - HKLM\..\Run: [mpwtmv] C:\WINDOWS\mpwtmv.exe
    O4 - HKLM\..\Run: [SDVBNPM] C:\WINDOWS\SYSTEM\SDVBNPM.exe
    O4 - HKLM\..\Run: [4SEKPX425QY#XN] C:\WINDOWS\SYSTEM\XelD.exe
    O4 - HKCU\..\Run: [Odeo] C:\WINDOWS\Application Data\rbro.exe

    Reboot your machine and boot into safe mode by tapping F8 key(8-9 times) at bootup.

    This may happen that file is hidden so first unhide the files using following instructions...
    http://service1.symantec.com/SUPPOR...Virus Corporate Edition&ver=8.x&osv=&osv_lvl=

    Search and If present delete all the instances of the following file..

    C:\WINDOWS\mpwtmv.exe<-- Delete this file
    C:\WINDOWS\SYSTEM\SDVBNPM.exe<-- Delete this file
    C:\WINDOWS\SYSTEM\XelD.exe<-- Delete this file
    C:\WINDOWS\Application Data\rbro.exe <-- Delete this file

    Now, Please re-run the Pepper trojan uninstaller which you downloaded recently. You must be online while this is being run, you will just get a v=black screen flash up and nothing else, no done or anything

    Reboot your machine and boot into normal mode.

    Now, scan your machine fully with updated antivirus(Like Avast) or scan it online from http://housecall.trendmicro.com/

    Reboot your machine and now Rescan it with hijackthis and please post a fresh log..

    With thanks !
    Newkid !
     
Thread Status:
Not open for further replies.