hijackthis log May 18

Discussion in 'adware, spyware & hijack cleaning' started by LRS5, May 18, 2004.

Thread Status:
Not open for further replies.
  1. LRS5

    LRS5 Registered Member

    Joined:
    May 18, 2004
    Posts:
    7
    Hi, what should I get rid of here? My homepage is hijacked.
    Thanks!

    Logfile of HijackThis v1.97.7
    Scan saved at 9:59:31 AM, on 5/18/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
    C:\WINDOWS\System32\LMSXXD.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Starfish\TrueSync\tstool.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Lisah\Local Settings\Temp\Temporary Directory 1 for hijackthis1977[1].zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\gldjeea.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\gldjeea.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\gldjeea.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\gldjeea.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\gldjeea.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\gldjeea.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.ca/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {52BABAD3-A1C0-4F77-B23D-C208C9DF5B7E} - C:\WINDOWS\System32\gldjeea.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
    O4 - HKLM\..\Run: [LMSXXD] LMSXXD.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Services Process] C:\WINDOWS\system32\config\services.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
    O4 - HKLM\..\Run: [service] C:\WINDOWS\services.exe -serv
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: TrueSync Launcher.lnk = C:\Program Files\Starfish\TrueSync\tstool.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://petite-virgins.biz/dl/dmitriy/x.chm::/load.exe
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/066203f1866b709e3f20/netzip/RdxIE601.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38047.5381481481
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4330/mcfscan.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A883A89B-0F40-4E24-98C8-3623F4BDFF6E}: NameServer = 204.244.138.1,204.244.18.1,204.244.3.129
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi LRS5,

    Before you start, please unzip hijackthis to a separate folder. The program will make backups in the folder in the folder it's in.
    These easily get lost in a Temp folder.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\gldjeea.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\gldjeea.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\gldjeea.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\gldjeea.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\gldjeea.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\gldjeea.dll/sp.html (obfuscated)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

    O2 - BHO: (no name) - {52BABAD3-A1C0-4F77-B23D-C208C9DF5B7E} - C:\WINDOWS\System32\gldjeea.dll

    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

    O4 - HKLM\..\Run: [Services Process] C:\WINDOWS\system32\config\services.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
    O4 - HKLM\..\Run: [service] C:\WINDOWS\services.exe -serv

    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup

    O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://petite-virgins.biz/dl/dmitriy/x.chm::/load.exe

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/066203f1866b709e3f20/netzip/RdxIE601.cab

    Then reboot into safe mode and delete:
    C:\WINDOWS\services.exe
    C:\WINDOWS\system32\config\services.exe
    C:\Program Files\MyWay <= entire folder

    NOTE: the real services.exe can be found in the C:\WINDOWS\system32 directory, so leave that one alone. Only delete the two I listed.

    Then follow instructions here:
    https://www.wilderssecurity.com/showpost.php?p=162440&postcount=4

    Regards,

    Pieter
     
  3. LRS5

    LRS5 Registered Member

    Joined:
    May 18, 2004
    Posts:
    7
    Hi and thanks for your reply but for some reason, oh I don't know maybe cause I'm an idiot :rolleyes: , I don't know how to open in safe mode in my windows XP. Windows 98 I could but not XP. How do I do this?
    Appreciate your help,
    LRS5
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
  5. LRS5

    LRS5 Registered Member

    Joined:
    May 18, 2004
    Posts:
    7
    Hello again,
    thanks for instructions, i did all you suggested except that
    C:\WINDOWS\services.exe - was not there
    C:\WINDOWS\system32\config\services.exe - access was denied to me.

    Then I ran AVG and now I have these viruses:
    Trojan horse Downloader.Istbar.3.BC
    Trojan horse Downloader.Istbar.3.BE
    Trojan horse Dialer.8.U

    I have them quarantined but how do I get rid of them. AVG cannot clean them up!

    Your help is appreciated, Thanks. LRS5
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Can you post another HijackThis log and let me know the location of the files AVG finds? Full path and filename.

    Regards,

    Pieter
     
  7. LRS5

    LRS5 Registered Member

    Joined:
    May 18, 2004
    Posts:
    7
    Hello, here's my hijackthis log
    Logfile of HijackThis v1.97.7
    Scan saved at 12:02:05 PM, on 5/27/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
    C:\WINDOWS\System32\LMSXXD.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\config\services.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
    C:\Program Files\Starfish\TrueSync\tstool.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\Program Files\WinZip\WINZIP32.EXE
    C:\Documents and Settings\Lisah\Local Settings\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.ca/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
    O4 - HKLM\..\Run: [LMSXXD] LMSXXD.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Services Process] C:\WINDOWS\system32\config\services.exe
    O4 - HKLM\..\Run: [service] C:\WINDOWS\services.exe -serv
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: TrueSync Launcher.lnk = C:\Program Files\Starfish\TrueSync\tstool.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38047.5381481481
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4330/mcfscan.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A883A89B-0F40-4E24-98C8-3623F4BDFF6E}: NameServer = 204.244.138.1,204.244.18.1,204.244.3.129

    and here are the full path and file names that were found by AVG:
    Trojan horse Downloader.Istbar.3.BC
    C:\Documents and Settings\LISAH\Local Settings\TEMP\IST_IN~/EXE

    Trojan horse Downloader.Istbar.3.BE
    C:\Documents and Settings\LISAH\Local Settings\TEMP\OPTIMIZE.EXE

    Trojan horse Dialer.8.U
    C:\Documents and Settings\LISAH\Local Settings\Temporary Internet Files\Content.IE5\RNFW48JT\xxx_1_~1.EXE

    My audio is now gone (particularly CD-Write+9100) and my emails are missing.
    Do I just need save my docs and reformat? o_O
    Thanks for all your help, Lisah :(
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi LRS5,

    Before you start please unzip hijackthis.exe to a folder of it´s own. The program creates backups in the folder it is in. In a Temp folder they easily disappear.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O4 - HKLM\..\Run: [Services Process] C:\WINDOWS\system32\config\services.exe
    O4 - HKLM\..\Run: [service] C:\WINDOWS\services.exe -serv

    Then reboot into safe mode and delete:
    C:\WINDOWS\system32\config\services.exe
    C:\WINDOWS\services.exe

    Then use the DiskCleanup Toll to empty all your Temp folders.

    Then do an online virusscan, you will find several listed here: http://www.wilders.org/free_services_m.htm

    Having backups just in case is never a bad idea.

    Regards,

    Pieter
     
  9. LRS5

    LRS5 Registered Member

    Joined:
    May 18, 2004
    Posts:
    7
    Hello,
    Been away for awhile. so I did what you suggested except that once again:

    C:\WINDOWS\system32\config\services.exe-WILL NOT ALLOW ME TO DELETE
    C:\WINDOWS\services.exe-IS NOT FOUND IN MY C DRIVE

    Everytime I scan the system for viruses then clean it up, as soon as I restart my computer and go onto the internet it says that I have a trojan virus called Startpage 4.0.
    This is getting really frustrating. I could use your help again.
    Thank you, Lisah
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi LRS5,

    Is this file present?
    C:\WINDOWS\system32\services.exe

    Also surf to http://download.broadbandmedic.com/ and download The Killbox.
    I have a feeling you are going to need it.

    Regards,

    Pieter
     
  11. LRS5

    LRS5 Registered Member

    Joined:
    May 18, 2004
    Posts:
    7
    Hi Pieter,

    yes the file is present and have downloaded the killbox program. Should I use it on this file?

    Thanks,
    Lisah
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Lisah,

    Yes. Unzip the files to a folder, then double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following:

    C:\WINDOWS\system32\services.exe

    Don't click any of the buttons though, instead please click on the Action menu and choose "Delete on Reboot". On the next screen, click on the File menu and choose "Add File". The filenameand path should show up in the window. If that's successful, choose the Action menu and select "Process and Reboot". You'll be prompted to reboot, do so.

    Regads,

    Pieter
     
  13. LRS5

    LRS5 Registered Member

    Joined:
    May 18, 2004
    Posts:
    7
    Well, sure wish I had read that before I went ahead and deleted the file. Now my computer can't even get out the DOS stage and does nothing. Any advice for this one?
    Should I just reinstall XP pro? or will it damage anything else?
    thanks, Lisah
     
Thread Status:
Not open for further replies.