Hijacked computer - please review my log

Discussion in 'adware, spyware & hijack cleaning' started by mollyd12, Jan 8, 2004.

Thread Status:
Not open for further replies.
  1. mollyd12

    mollyd12 Guest

    Hello. My computer has been overrun by spyware and adware. The problems included tons of pop-up ads, difficulty and errors shutting down, and weird keystroke errors. I followed the "Posting Policy" instructions and downloaded AdAware and scanned the computer several times. I think most of it has been fixed since all the above problems have ceased. However, I downloaded HijackThis to be safe and here is the log if anyone could be kind enough to look it over for me:


    Logfile of HijackThis v1.97.7
    Scan saved at 10:00:49 PM, on 1/7/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\MOUSE\SYSTEM\EM_EXEC.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\AIM95\AIM.EXE
    C:\WINDOWS\SYSTEM\HPLAMPC.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\WCZ65.EXE
    C:\WINDOWS\SYSTEM\DVMLV4.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM\sb.htm
    R3 - URLSearchHook: (no name) - - (no file)
    F1 - win.ini: run=hpfsched
    O1 - Hosts: 209.132.200.78 auto.search.msn.com
    O2 - BHO: (no name) - {08351226-6472-43BD-8A40-D9221FF1C4CE} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\SBCIE026.DLL (file missing)
    O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\PROGRAM FILES\KONTIKI\BIN\BH304181.DLL (file missing)
    O2 - BHO: (no name) - {23BC1CCF-4BE7-497F-B154-6ADA68425FBB} - (no file)
    O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL
    O3 - Toolbar: (no name) - {6EF3AE25-5A7D-40C2-9B44-9ED0068621C0} - (no file)
    O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [47MSJ2W3J7PQJE] C:\WINDOWS\SYSTEM\JpwpEw.exe
    O4 - HKLM\..\Run: [MHInit] C:\Program Files\CyberMedia UnInstaller\mhinit.exe
    O4 - HKLM\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
    O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [iedll] C:\WINDOWS\iedll.exe
    O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\Default\HXIUL.EXE
    O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\Default\Client\HelpExp.exe
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Dell Home (HKCU)
    O12 - Plugin for .MTD: C:\PROGRA~1\INTERN~1\Plugins\npmusicn.dll
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .pif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} - http://download.sidestep.com/get/k00719/sb01c.cab
    O16 - DPF: {E09F6B38-3A0D-11D3-B5E7-0008C7BF61F2} (DetectMN) - http://www.musicnotes.com/download/npmusicn.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37875.6431597222
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab


    Thanks in advance!
     
  2. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Mollyd12, and welcome to Wilders.

    You do still have a few things there that need to be removed, but first we have to take care of the Peper Trojan, which must be dealt with separately.

    Follow the steps below carefully.

    1. Please download and run: http://home.iprimus.com.au/mbuchan/peperuninst.exe
    Double click on 'peperuninst.exe', let it run and terminate. You must be online to have this work. If your firewall alerts you, do not block the program from accessing the internet.

    2. Then download this script by Mosaic1, which will delete all the files associated with drpeper - http://www.mjc1.com/files/mo/drpeper.html.
    Double click drpepertobackup.exe file; it will self extract to C: and create a 'drpeper' folder.
    With the text in the box highlighted and the 'overwrite' existing files checked, click start.

    3. Go to the file C:\drpeper\Find backup and Delete Peper files.vbs <-- and double click.

    4. A box will appear; copy and paste WCZ65.EXE and hit OK.

    5. A second box will appear; copy and paste JpwpEw.exe and hit OK.

    6. It will find all the files, delete them and make backups in the same folder. It will open a text file (Peper.txt) with the list of all files deleted. Make sure it is saved. Then rescan with HJT, post a new HJT log and the contents of the Peper.txt file - the next stage will be to remove the rest of the bad stuff.

    regards,

    snap
     
  3. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi all,

    After following snapdragin's advice, please fix the following with HijackThis as well:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM\sb.htm

    R3 - URLSearchHook: (no name) - - (no file)

    O1 - Hosts: 209.132.200.78 auto.search.msn.com

    O2 - BHO: (no name) - {08351226-6472-43BD-8A40-D9221FF1C4CE} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\SBCIE026.DLL (file missing)
    O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\PROGRAM FILES\KONTIKI\BIN\BH304181.DLL (file missing)
    O2 - BHO: (no name) - {23BC1CCF-4BE7-497F-B154-6ADA68425FBB} - (no file)

    O3 - Toolbar: (no name) - {6EF3AE25-5A7D-40C2-9B44-9ED0068621C0} - (no file)

    O4 - HKLM\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
    O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
    O4 - HKCU\..\Run: [iedll] C:\WINDOWS\iedll.exe
    O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\Default\HXIUL.EXE
    O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\Default\Client\HelpExp.exe


    O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} - http://download.sidestep.com/get/k00719/sb01c.cab
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?

    Reboot after doing so and remove:

    C:\WINDOWS\emsw.exe <- this file
    C:\Program Files\Common files\updater\ <- this folder
    C:\WINDOWS\iedll.exe <- this file (if still present)
    C:\Program Files\Alset\ <- this folder
     
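The two reviewer posts above pick out entries by a few recurring signs: a search bar redirected to a local file, a hosts-file override, registered components with no backing file, and Run keys with random-looking names such as the Peper entry. As an added example (not part of this thread, and not a HijackThis feature), the script below parses HJT entry lines, applies those review rules as heuristics, and diffs a before/after log so the removed entries can be confirmed. The sample lines are a constructed subset of the logs posted above.

```python
import re

# Constructed sample: a subset of entries from the first log in this thread
# and the matching lines that survive in the second (cleaned) log.
BEFORE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = file://C:\\WINDOWS\\SYSTEM\\sb.htm
O1 - Hosts: 209.132.200.78 auto.search.msn.com
O2 - BHO: (no name) - {23BC1CCF-4BE7-497F-B154-6ADA68425FBB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\\WINDOWS\\SYSTEM\\MSDXM.OCX
O4 - HKLM\\..\\Run: [47MSJ2W3J7PQJE] C:\\WINDOWS\\SYSTEM\\JpwpEw.exe
O4 - HKLM\\..\\Run: [Norton Auto-Protect] C:\\PROGRA~1\\NORTON~1\\NAVAPW32.EXE /LOADQUIET
"""
AFTER_LOG = """\
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\\WINDOWS\\SYSTEM\\MSDXM.OCX
O4 - HKLM\\..\\Run: [Norton Auto-Protect] C:\\PROGRA~1\\NORTON~1\\NAVAPW32.EXE /LOADQUIET
"""

# HJT entry lines start with a section tag (R1, F1, O4, O16, ...) then " - ".
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")

def parse_entries(log):
    """Return (section, body) tuples for every HJT entry line in the log text."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def triage(entries):
    """Apply the review heuristics (assumed rules, not HJT's own) and return suspects."""
    findings = []
    for section, body in entries:
        reason = None
        if section == "R1" and "file://" in body:
            reason = "search bar redirected to a local HTML file"
        elif section == "O1":
            reason = "hosts-file override of a public hostname"
        elif "(no file)" in body or "(file missing)" in body:
            reason = "registered component with no backing file"
        elif section == "O4":
            key = re.search(r"\[([^\]]+)\]", body)
            name = key.group(1) if key else ""
            # Heuristic: a long run of only capitals and digits, as in the Peper entry.
            if re.fullmatch(r"[A-Z0-9]{10,}", name):
                reason = "random-looking Run key name"
        if reason:
            findings.append((section, body, reason))
    return findings

def removed_entries(before, after):
    """Entries present in the first log but absent from the second."""
    after_set = set(parse_entries(after))
    return [e for e in parse_entries(before) if e not in after_set]
```

Running `triage(parse_entries(BEFORE_LOG))` flags the R1, O1, O2 and Peper O4 lines and leaves the Radio toolbar and Norton entries alone; `removed_entries` then shows those same four lines gone from the second log.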
  4. mollyd12

    mollyd12 Guest

    Thanks for the advice. I followed your instructions and here are the latest logs:


    Peper.txt:

    1/8/04 9:40:15 PM
    C:\WINDOWS\SYSTEM\Allt5jp.exe
    C:\WINDOWS\SYSTEM\XmrTIB2.exe
    C:\WINDOWS\SYSTEM\BceU.exe
    C:\WINDOWS\SYSTEM\DvmlV4.exe
    C:\WINDOWS\SYSTEM\Qjd0GHW.exe
    C:\WINDOWS\SYSTEM\Wcz65.exe
    1/8/04 9:40:30 PM
    C:\WINDOWS\SYSTEM\GnsDj.exe
    C:\WINDOWS\SYSTEM\JpwpEw.exe
    C:\WINDOWS\SYSTEM\CldmNu.exe


    HijackThis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 10:27:53 PM, on 1/8/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\MOUSE\SYSTEM\EM_EXEC.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\AIM95\AIM.EXE
    C:\WINDOWS\SYSTEM\HPLAMPC.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

    F1 - win.ini: run=hpfsched
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [MHInit] C:\Program Files\CyberMedia UnInstaller\mhinit.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Dell Home (HKCU)
    O12 - Plugin for .MTD: C:\PROGRA~1\INTERN~1\Plugins\npmusicn.dll
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .pif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E09F6B38-3A0D-11D3-B5E7-0008C7BF61F2} (DetectMN) - http://www.musicnotes.com/download/npmusicn.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37875.6431597222
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
     
  5. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi molly,

    Looks very clean to me :)

    Good job cleaning up

    Hope all is well again

    take care

    Cheers,
     