Hijack this logfrom troubled PC

Discussion in 'adware, spyware & hijack cleaning' started by harborg, May 26, 2004.

Thread Status:
Not open for further replies.
  1. harborg

    harborg Registered Member

    Joined:
    May 26, 2004
    Posts:
    2
    Hi everybody. My maters PC has suffered from some nasty trojans and pop ups and I'm trying to clean it for him. Can somebody please look through this log and let me know what needs to go?


    Logfile of HijackThis v1.97.7
    Scan saved at 17:51:00, on 25/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\mHotkey.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
    C:\windows\temp\pLZU.exe
    C:\WINDOWS\System32\msvnvoy.exe
    C:\WINDOWS\System32\dss_os.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\blueyonder IST\bin\mpbtn.exe
    C:\Program Files\Common files\WinTools\WSup.exe
    C:\Program Files\Grisoft\AVG6\avgw.exe
    C:\security\hijackthis\HijackThis.exe
    C:\Program Files\Common files\WinTools\WToolsA.exe
    C:\Program Files\Common files\WinTools\WToolsS.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.co.uk
    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll (file missing)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [HPWH myPrintMileage Agent] C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
    O4 - HKLM\..\Run: [raxmf] C:\WINDOWS\raxmf.exe
    O4 - HKLM\..\Run: [pLZU] C:\windows\temp\pLZU.exe
    O4 - HKLM\..\Run: [tmenpt] C:\WINDOWS\System32\msvnvoy.exe
    O4 - HKLM\..\Run: [2N85L533MR#GJT] C:\WINDOWS\SYSTEM32\VICH.EXE
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [07rU35Q] dss_os.exe
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Money Viewer (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.co.uk
    O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masminutos.com/laaplicacion.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi harborg,

    Download and run: http://www.memorywatcher.com/uninst.exe
    The program needs internet access to finish.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll (file missing)

    O4 - HKLM\..\Run: [raxmf] C:\WINDOWS\raxmf.exe
    O4 - HKLM\..\Run: [pLZU] C:\windows\temp\pLZU.exe
    O4 - HKLM\..\Run: [tmenpt] C:\WINDOWS\System32\msvnvoy.exe
    O4 - HKLM\..\Run: [2N85L533MR#GJT] C:\WINDOWS\SYSTEM32\VICH.EXE
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [07rU35Q] dss_os.exe
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

    O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masminutos.com/laaplicacion.cab

    Then reboot into safe mode and delete:
    C:\Program Files\TV Media <= entire folder
    C:\Program Files\Common files\WinTools <= entire folder

    And use the DiskCleanup tool to empty all your Temp folders.

    Regards,

    Pieter
     
  3. harborg

    harborg Registered Member

    Joined:
    May 26, 2004
    Posts:
    2
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi harborg,

    It is the official uninstaller for the Peper Trojan aka Memorywatcher.
    It stops and removes all the files. In your log I saw this:
    O4 - HKLM\..\Run: [2N85L533MR#GJT] C:\WINDOWS\SYSTEM32\VICH.EXE which usually means you are/have been infected with it.

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.