My HJT Log.. *sigh*

Discussion in 'adware, spyware & hijack cleaning' started by Krys, Jun 18, 2004.

Thread Status:
Not open for further replies.
  1. Krys

    Krys Registered Member

    Joined:
    Jun 14, 2004
    Posts:
    6
    where to begin hereo_O
    This computer has AVG, and the resident shield, keeps popping up a screen saying the following:
    Virus:
    Trojan Horse Dialer.8.U
    Found In File:
    C:\Windows\wincall.exe
    C:\Windows\DL0001.exe
    C:\Windows\DL.HTML

    I ran AVG, and it found one virus, and sent it to the vault. Then I ran TrojanHunter, and it detected and fixed 3 additional viruses, After that, I ran spybot, cleaned off the adware and spyware, rebooted the machine, and got the same message from AVG again. Another virus scan, produced the same results.. the virus was detected, and sent to the vault (for the 3rd time this week). It seems to reinstall itself upon reboot. Here is the log file from HJT after running TrojanHunter, and AVG. Can someone tell me what on earth to do here?? I'm down to one last, very frayed, nerve!! :mad:
    (an additional note.. spybot found and said it removed the magicsearch browser bar, but HJT found it still on the system according to the log file)

    Logfile of HijackThis v1.97.7
    Scan saved at 1:49:58 PM, on 6/17/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0100)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\WINDOWS\MSUPDATE.EXE
    C:\WINDOWS\SYSTEM32\WINTIME.EXE
    C:\WINDOWS\SYSTEM32\CONFIG\SERVICES.EXE
    C:\PROGRAM FILES\TROJANHUNTER 3.8\THGUARD.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\WMCONNECT\WMTRAY.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\DESKTOP\NEW FOLDER\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://magicsearch.us/browser/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://magicsearch.us/browser/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://magicsearch.us/browser/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://magicsearch.us/browser/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://magicsearch.us/browser/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://magicsearch.us/browser/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://magicsearch.us/browser/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://magicsearch.us/browser/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
    O2 - BHO: (no name) - {DE614603-6320-4046-A7A7-6A69CEC26F14} - C:\WINDOWS\MSLAGENT\4B_1,0,0,9_MSLAGENT.DLL (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [MSConfig Manager] C:\WINDOWS\MSUPDATE.EXE
    O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
    O4 - HKLM\..\Run: [Services Process] C:\WINDOWS\system32\config\services.exe
    O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 3.8\THGUARD.EXE"
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKCU\..\Run: [mslagent] C:\WINDOWS\mslagent\MSLAGENT_.EXE
    O4 - HKCU\..\Run: [MSConfig Manager] C:\WINDOWS\MSUPDATE.EXE
    O4 - HKCU\..\Run: [PowerProf] PowerProf.exe
    O4 - HKCU\..\RunServices: [mslagent] C:\WINDOWS\mslagent\MSLAGENT_.EXE
    O4 - HKCU\..\RunServices: [MSConfig Manager] C:\WINDOWS\MSUPDATE.EXE
    O4 - HKCU\..\RunServices: [PowerProf] PowerProf.exe
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Wal-Mart Connect Tray Icon.lnk = C:\wmconnect\wmtray.exe
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .mpg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v5.cab
    O16 - DPF: {B3A5878E-5B4C-4D12-9156-4D7FD8D0AF6C} (Cltbuilder Class) - http://akamai.downloadv3.com/binaries/one2one/one2oneSvcEN.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Krys,

    You should install IE6 SP1, if only for security reasons.

    Before you start could you mail me a (preferably zipped) copy of C:\WINDOWS\MSUPDATE.EXE ?
    The address is pieterATwilderssecurity.org (replace AT with @)

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://magicsearch.us/browser/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://magicsearch.us/browser/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://magicsearch.us/browser/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://magicsearch.us/browser/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://magicsearch.us/browser/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://magicsearch.us/browser/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://magicsearch.us/browser/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://magicsearch.us/browser/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
    O2 - BHO: (no name) - {DE614603-6320-4046-A7A7-6A69CEC26F14} - C:\WINDOWS\MSLAGENT\4B_1,0,0,9_MSLAGENT.DLL (file missing)

    O4 - HKLM\..\Run: [MSConfig Manager] C:\WINDOWS\MSUPDATE.EXE
    O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
    O4 - HKLM\..\Run: [Services Process] C:\WINDOWS\system32\config\services.exe

    O4 - HKCU\..\Run: [mslagent] C:\WINDOWS\mslagent\MSLAGENT_.EXE
    O4 - HKCU\..\Run: [MSConfig Manager] C:\WINDOWS\MSUPDATE.EXE

    O4 - HKCU\..\RunServices: [mslagent] C:\WINDOWS\mslagent\MSLAGENT_.EXE
    O4 - HKCU\..\RunServices: [MSConfig Manager] C:\WINDOWS\MSUPDATE.EXE

    O16 - DPF: {B3A5878E-5B4C-4D12-9156-4D7FD8D0AF6C} (Cltbuilder Class) - http://akamai.downloadv3.com/binaries/one2one/one2oneSvcEN.cab


    Download and run: CWShredder
    Use the Fix button and follow the instructions you will receive.

    Reboot into safe mode and delete:
    C:\WINDOWS\mslagent <= entire folder
    C:\WINDOWS\system32\config\services.exe <= NOTE: only the one in that folder
    C:\WINDOWS\MSUPDATE.EXE
    C:\WINDOWS\system32\wintime.exe

    Regards,

    Pieter
     
  3. Krys

    Krys Registered Member

    Joined:
    Jun 14, 2004
    Posts:
    6

    The requested file has been sent to your email :-*
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Thanks. I'll let you know what I find out. [​IMG]

    Regards,

    Pieter
     
  5. Krys

    Krys Registered Member

    Joined:
    Jun 14, 2004
    Posts:
    6
    This is the new log.. After having HJT correct the former problems, running CWShredder, and Spybot, AVG was still picking up a trojan dialer, and once again, it sent it to the vault, but this time it doesnt seem to have reinstalled itself after a reboot, so I think the problem may have been cured. Crossing my fingers here.. This is the most recent HJT log, taken after the latest reboot.. looks better now?


    Logfile of HijackThis v1.97.7
    Scan saved at 9:48:46 AM, on 6/19/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0100)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAM FILES\TROJANHUNTER 3.8\THGUARD.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\WMCONNECT\WMTRAY.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\DESKTOP\NEW FOLDER\HIJACKTHIS\HIJACKTHIS.EXE

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 3.8\THGUARD.EXE"
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKCU\..\Run: [PowerProf] PowerProf.exe
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Wal-Mart Connect Tray Icon.lnk = C:\wmconnect\wmtray.exe
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .mpg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v5.cab
    O16 - DPF: {B3A5878E-5B4C-4D12-9156-4D7FD8D0AF6C} (Cltbuilder Class) - http://akamai.downloadv3.com/binaries/one2one/one2oneSvcEN.cab
     
  6. Krys

    Krys Registered Member

    Joined:
    Jun 14, 2004
    Posts:
    6
    One thing I forgot to mention. I couldnt find a folder with this name in the windows file.. there is one named msagent, but not mslagent. I didnt delete the similarly named folder.. should I have?
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    No. The msagent folder is there by design.
    AdAware probably got the other one.

    Your log is clean now. :cool:

    I'm still waiting for the results on msupdate.exe
    Will let you know by mail.

    Regards,

    Pieter
     
  8. Krys

    Krys Registered Member

    Joined:
    Jun 14, 2004
    Posts:
    6
    Thank you SO much!! You are truly appreciated :D
     
Thread Status:
Not open for further replies.