My HijackThis log

Discussion in 'Trojan Defence Suite' started by gmt1, Jun 9, 2004.

Thread Status:
Not open for further replies.
  1. gmt1

    gmt1 Registered Member

    Joined:
    Jun 9, 2004
    Posts:
    13
    Hi,

    I've been having trouble getting rid of the 1on1 dialler/XXXServer which seems to have installed itself on my PC.

    Having read advice on another forum I have downloaded and run Ad-aware and Spybot S&D.

    Here is my HijackThis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 13:38:21, on 09/06/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MDM.EXE
    C:\WINDOWS\MSREXE.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\ATITASK.EXE
    C:\WINDOWS\SYSTEM\ATICWD32.EXE
    C:\WINDOWS\STARTER.EXE
    C:\PROGRAM FILES\TEXTBRIDGE PLUS\BIN\INSTANTACCESS.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\FREESERVE\FREESERVECONNECTIONKIT\ATDIALLER1.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\REAL\REALJUKEBOX\TSYSTRAY.EXE
    C:\WINDOWS\SYSTEM\IRUN4.EXE
    C:\ESM2\STMS.EXE
    C:\TBRIDGE\FLATBED.EXE
    C:\ESM2\EBRR.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\PROFILES\TOYNE\MY DOCUMENTS\INTERNETSECURITY\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.freeserve.com/iesearch/default.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
    F1 - win.ini: load=c:\windows\system\system.exe
    F1 - win.ini: run=MSREXE.exe
    O2 - BHO: (no name) - {004A5840-FF59-11d2-B50D-0090271D3FD4} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBAR\FSBAR.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~2\tips\mouse\tips.exe
    O4 - HKLM\..\Run: [Atikey] Atitask.exe
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [Virgin Net User Check] C:\PROGRA~1\INTERN~1\CONNEC~2\vnet\runvnet.exe /c
    O4 - HKLM\..\Run: [Intercent] C:\PROGRAM FILES\FINIWARE\INTERCENT 98\INTERCENT.EXE
    O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1\BIN\INSTAN~1.EXE /h
    O4 - HKLM\..\Run: [WinLoader] MSREXE.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [MicroDialler] C:\Freeserve\FreeserveConnectionKit\atdialler1.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
    O4 - HKLM\..\RunServices: [WinLoader] MSREXE.exe
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [RealJukeboxSystray] C:\PROGRAM FILES\REAL\REALJUKEBOX\TSYSTRAY.EXE
    O4 - HKCU\..\Run: [ssate.exe] C:\WINDOWS\SYSTEM\irun4.exe
    O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
    O4 - Startup: Detector.lnk = C:\Tbridge\Flatbed.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - User Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
    O4 - User Startup: Detector.lnk = C:\Tbridge\Flatbed.exe
    O4 - User Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBAR\FSBAR.DLL/VSearch.htm
    O9 - Extra button: Real.com (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab



    Any help would be much appreciated.
    Thanks,
    Graham Toyne.
     
    Last edited by a moderator: Jun 9, 2004
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi gmt1,

    Please download TDS-3 from http://tds.diamondcs.com.au/index.php?page=download
    and update it following the instructions here:
    http://tds.diamondcs.com.au/index.php?page=update
    Then click System Testing > Full System scan.
    When it is done rightclick one of the entries in the bottom screen and choose save as txt.

    Post the content of that file.

    To make it easier to remove the trojans and worm, check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:
    F1 - win.ini: load=c:\windows\system\system.exe
    F1 - win.ini: run=MSREXE.exe
    O2 - BHO: (no name) - {004A5840-FF59-11d2-B50D-0090271D3FD4} - (no file)

    O4 - HKLM\..\Run: [WinLoader] MSREXE.exe

    O4 - HKLM\..\RunServices: [WinLoader] MSREXE.exe

    O4 - HKCU\..\Run: [ssate.exe] C:\WINDOWS\SYSTEM\irun4.exe

    Then reboot.

    Regards,

    Pieter
     
  3. gmt1

    gmt1 Registered Member

    Joined:
    Jun 9, 2004
    Posts:
    13
    Re: My HijackThis log - FAO Pieter

    Hi Pieter,

    Thanks for your reply. I have been unsuccessful in running TDS-3. I've downloaded and installed the program without any problems; however, when I double-click the icon on my desktop to run TDS-3 an error message appears: "TDS-3 has performed an illegal operation and will be shut down." 2 or 3 times I've uninstalled the program and downloaded it again but the same occurs.

    I've downloaded and am running a firewall called ZoneAlarm and this seems to be keeping out intrusions - I'm not sure who from though!

    I've also run latest versions of Ad-aware and Spybot S&D and here is the current HijackThis log:


    Logfile of HijackThis v1.97.7
    Scan saved at 21:35:12, on 09/06/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MDM.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\ATITASK.EXE
    C:\WINDOWS\SYSTEM\ATICWD32.EXE
    C:\WINDOWS\STARTER.EXE
    C:\PROGRAM FILES\TEXTBRIDGE PLUS\BIN\INSTANTACCESS.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\FREESERVE\FREESERVECONNECTIONKIT\ATDIALLER1.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\REAL\REALJUKEBOX\TSYSTRAY.EXE
    C:\ESM2\STMS.EXE
    C:\TBRIDGE\FLATBED.EXE
    C:\ESM2\EBRR.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\PROFILES\TOYNE\MY DOCUMENTS\INTERNETSECURITY\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.freeserve.com/iesearch/default.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBAR\FSBAR.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~2\tips\mouse\tips.exe
    O4 - HKLM\..\Run: [Atikey] Atitask.exe
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [Virgin Net User Check] C:\PROGRA~1\INTERN~1\CONNEC~2\vnet\runvnet.exe /c
    O4 - HKLM\..\Run: [Intercent] C:\PROGRAM FILES\FINIWARE\INTERCENT 98\INTERCENT.EXE
    O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1\BIN\INSTAN~1.EXE /h
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [MicroDialler] C:\Freeserve\FreeserveConnectionKit\atdialler1.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [RealJukeboxSystray] C:\PROGRAM FILES\REAL\REALJUKEBOX\TSYSTRAY.EXE
    O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
    O4 - Startup: Detector.lnk = C:\Tbridge\Flatbed.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - User Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
    O4 - User Startup: Detector.lnk = C:\Tbridge\Flatbed.exe
    O4 - User Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBAR\FSBAR.DLL/VSearch.htm
    O9 - Extra button: Real.com (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38147.3100347222


    Any other ideas?

    Thanks again,
    Graham.
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Graham,

    Your log is clean. I'll move this thread to the DCS forum to see if they can sort out your problems with running TDS.
    The trojans are dormant on your system and I would feel lots better if they were removed. And who knows what else TDS finds.

    Regards,

    Pieter
     
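    Pieter's "Your log is clean" comes from comparing the two HijackThis logs by eye. Below is an added example (my own code, not part of this thread, of HijackThis or of TDS) that does the same comparison mechanically: it parses both logs, lists which entries and running processes disappeared or appeared between the scans, confirms that every item on the "Fix checked" list is gone, and applies a few triage flags (win.ini autostarts, a BHO with no file, a program launched from two autostart locations, a Run value whose name does not match the program it launches). The embedded log text is copied from the two logs posted above, trimmed to the sections that changed; function names such as `diff_logs` and `triage` are my own.

    ```python
    """Parse two HijackThis 1.97 logs and confirm that a "Fix checked" run took effect.
    Sample text below is copied from the two logs in this thread, trimmed to the
    sections that changed between the scans."""
    import re

    LOG_BEFORE = r"""Logfile of HijackThis v1.97.7

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\MSREXE.EXE
    C:\WINDOWS\SYSTEM\IRUN4.EXE

    F1 - win.ini: load=c:\windows\system\system.exe
    F1 - win.ini: run=MSREXE.exe
    O2 - BHO: (no name) - {004A5840-FF59-11d2-B50D-0090271D3FD4} - (no file)
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [WinLoader] MSREXE.exe
    O4 - HKLM\..\RunServices: [WinLoader] MSREXE.exe
    O4 - HKCU\..\Run: [ssate.exe] C:\WINDOWS\SYSTEM\irun4.exe
    """

    LOG_AFTER = r"""Logfile of HijackThis v1.97.7

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE

    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    """

    # The six entries Pieter asked the poster to tick before clicking "Fix checked".
    CHECKED = [
        r"F1 - win.ini: load=c:\windows\system\system.exe",
        r"F1 - win.ini: run=MSREXE.exe",
        r"O2 - BHO: (no name) - {004A5840-FF59-11d2-B50D-0090271D3FD4} - (no file)",
        r"O4 - HKLM\..\Run: [WinLoader] MSREXE.exe",
        r"O4 - HKLM\..\RunServices: [WinLoader] MSREXE.exe",
        r"O4 - HKCU\..\Run: [ssate.exe] C:\WINDOWS\SYSTEM\irun4.exe",
    ]

    ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")                  # "O4 - HKLM\..\Run: ..."
    O4_RE = re.compile(r"^.+?: \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")  # key: [value name] command

    def target_exe(cmd):
        """Lower-cased basename of the program an autostart command launches."""
        prog = cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split()[0]
        return re.split(r"[\\/]", prog)[-1].lower()

    def parse_log(text):
        """Split a log into its process list (upper-cased paths) and coded entries."""
        processes, entries, in_procs = set(), [], False
        for line in (raw.strip() for raw in text.splitlines()):
            if line == "Running processes:":
                in_procs = True
            elif in_procs and line:
                processes.add(line.upper())      # Win9x paths are case-insensitive
            elif in_procs:
                in_procs = False                 # blank line ends the process list
            elif ENTRY_RE.match(line):
                entries.append(line)
        return {"processes": processes, "entries": entries}

    def diff_logs(before, after):
        """(removed entries, added entries, processes gone, processes new)."""
        b, a = parse_log(before), parse_log(after)
        removed = [e for e in b["entries"] if e not in a["entries"]]
        added = [e for e in a["entries"] if e not in b["entries"]]
        return (removed, added, sorted(b["processes"] - a["processes"]),
                sorted(a["processes"] - b["processes"]))

    def unfixed_items(after, checked):
        """Ticked entries that survived the fix (should be empty after the reboot)."""
        present = set(parse_log(after)["entries"])
        return [c for c in checked if c in present]

    def triage(text):
        """Cheap flags over F1/O2/O4 lines; each is a pointer to research, not a verdict."""
        parsed = [ENTRY_RE.match(e).groups() + (e,) for e in parse_log(text)["entries"]]
        # programs started from win.ini load=/run= (empty on a stock Windows 98)
        ini_exes = {target_exe(r.split("=", 1)[1]) for c, r, _ in parsed if c == "F1" and "=" in r}
        flags = []
        for code, rest, entry in parsed:
            if code == "F1":
                flags.append((entry, "launched from win.ini load=/run="))
            elif code == "O2" and rest.endswith("(no file)"):
                flags.append((entry, "BHO registered but its DLL is missing; a leftover to clean"))
            elif code == "O4" and (m := O4_RE.match(rest)):
                label, exe = m.group("label").lower(), target_exe(m.group("cmd"))
                if exe in ini_exes:
                    flags.append((entry, "same program is also started from win.ini"))
                if label.endswith(".exe") and label != exe:
                    flags.append((entry, "value name %s does not match launched %s" % (label, exe)))
        return flags

    if __name__ == "__main__":
        removed, added, gone, new = diff_logs(LOG_BEFORE, LOG_AFTER)
        print("entries removed:", *removed, sep="\n  ")
        print("entries added:", *added, sep="\n  ")
        print("processes gone:", *gone, sep="\n  ")
        print("ticked items still present:", unfixed_items(LOG_AFTER, CHECKED))
        for entry, why in triage(LOG_BEFORE):
            print("FLAG:", entry, "->", why)
    ```

    Run against the two logs above, the diff reports the six ticked entries and the MSREXE.EXE and IRUN4.EXE processes as gone, the ZoneAlarm entries and the O1 hosts line as new, and nothing left on the "Fix checked" list, which is what "your log is clean" means in practice. The triage flags are deliberately blunt: a match between a Run value and a win.ini entry, or a `(no file)` BHO, is a reason to look something up, not proof of infection.
    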
  5. gmt1

    gmt1 Registered Member

    Joined:
    Jun 9, 2004
    Posts:
    13
    Thanks for all your help Pieter, you guys do a great job!
     
  6. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi,

    Please go to this page

    http://tds.diamondcs.com.au/index.php?page=files

    Download the MSVB6 Runtime SP6 and run it.
    Once it's extracted, run the file contained within, which will install the update.

    Then reboot and try running TDS-3 again. If you get a crash, what does the error message give? Please paste the contents of the details.
     
  7. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I've noticed a few times that this worm C:\WINDOWS\SYSTEM\irun4.exe
    will affect a lot of security programs in 98/ME systems.

    We stopped it running before, but the actual file needs to be deleted from a 98 system.

    boot into safe mode and delete C:\WINDOWS\SYSTEM\irun4.exe


    then see if TDS will run
     
  8. gmt1

    gmt1 Registered Member

    Joined:
    Jun 9, 2004
    Posts:
    13
    Hi Gavin and dvk01,

    I've followed all your advice but when I try to run TDS-3 I still get:
    "This program has performed an illegal operation and will be shut down."

    Here is a copy of the details:

    TDS-3 caused an invalid page fault in
    module CW3220MT.DLL at 0177:02304a89.
    Registers:
    EAX=bff89dac CS=0177 EIP=02304a89 EFLGS=00010292
    EBX=0089e29c SS=017f ESP=007a0098 EBP=007a00d8
    ECX=008a0000 DS=017f ESI=816802c8 FS=2187
    EDX=388b5708 ES=017f EDI=022d7bb0 GS=0000
    Bytes at CS:EIP:
    83 3a 00 74 63 e8 39 10 00 00 64 8b 0d 04 00 00
    Stack dump:
    007a01a8 816802c8 0089e29c 00000000 00000000 00000000 00000000 00000000 00000000 0089e264 0089e2e8 00000000 0001001f 007a01c4 0089e29c 007a01a8


    Graham.
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Graham,
    during install of TDS, did you have all other programs closed, especially anti-virus scanners etc?
    And did you reboot after install?
    I'm not familiar with the file from the error message, don't know where it belongs, googling for it did not give a real answer yet. Is that file on your system?
     
  10. gmt1

    gmt1 Registered Member

    Joined:
    Jun 9, 2004
    Posts:
    13
    Hi Jooske,

    All other programs were closed as far as I know although the ZoneAlarm firewall I installed starts automatically on start-up. Have also downloaded Ad-aware, Spybot S&D, and Spyware Blaster. Not really sure how I should be using Spyware Blaster - is this a program that runs automatically?

    Yes, did reboot after install of TDS-3.

    I'm a bit of a novice so can't tell you much about the file CW3220MT.DLL however I did a search and it lives in the folder:
    C:\ViaVoice\tts\eloq
    I don't use ViaVoice so maybe I could just delete the file?

    Graham.
     
  11. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    answer here,

    http://www.javacoolsoftware.info/kb/idx/0/005/article/

    I'll leave your other enquiry to the TDS experts. ;)

    Hope this helps.


    snowbound
     
  12. gmt1

    gmt1 Registered Member

    Joined:
    Jun 9, 2004
    Posts:
    13
    Thanks snowbound.
     
  13. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    ViaVoice and its components should not be a problem, so don't delete it yet.
    Did you also grab the speech pack for TDS from its download page?
    In that is, among others, the spchapi.exe file, which adds existing speech engines on your system to TDS. After installing TDS and extracting that speech pack, run the spchapi.exe in the TDS directory and give it another try with TDS.
    Let us know if that solved the problem please.
     
  14. gmt1

    gmt1 Registered Member

    Joined:
    Jun 9, 2004
    Posts:
    13
    Hi Jooske,

    I downloaded and ran the spchapi.exe as you suggested but still get the same error message appear when I try to run TDS.

    I'm going on holiday for a week now but will get back on here as soon as I'm home as I'd like to clean-up my system as much as possible. Thanks for all your help so far.

    Graham.
     
  15. crim64

    crim64 Registered Member

    Joined:
    Jun 11, 2004
    Posts:
    12
    Thank you snowbound, you answered my question! That is about Spyware Blaster! You are awesome!
     
  16. gmt1

    gmt1 Registered Member

    Joined:
    Jun 9, 2004
    Posts:
    13
    Hi all,

    I know you're probably fed up with me by now but I'm back! Any other ideas on how I can get TDS-3 to run?

    Graham.
     
  17. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Was hoping in the meantime you checked all the required system files and had the other programs down while installing TDS, including your SpywareBlaster etc. and all resident protection, registry protection, scanners, etc.
    Think FanK would advise to open your task manager and to close everything except systray and explorer before installing TDS or any other program, reboot and try to run it.
    The dll you mentioned -- I've never seen it making any trouble, first time in all those years I saw it mentioned, so not sure if that other program got corrupt somehow, maybe because of some infection or removing a file you needed.

    Did an online scan find anything illegal on your system, like at http://housecall.antivirus.com for instance?
    If you run ViaVoice, does that run well?

    Not sure if you installed TDS somewhere in Program Files and if you tried to install it for instance in c:\

    Can't imagine the speech part from TDS and ViaVoice would not cooperate:
    look at www.microsoft.com/msagent and the third-party software pages they point to: -- the speech technology used in TDS is part of msagent.
    The only part I can imagine: go into the Windows control panel, speech console, disable there the speech controls and only choose the SAPI4 speech engine. Now try TDS again.
     