[Solved] Would someone PLZ examine this HjT Log ??

Discussion in 'adware, spyware & hijack cleaning' started by TCat, Jun 28, 2004.

Thread Status:
Not open for further replies.
  1. TCat

    TCat Registered Member

    Joined:
    Jan 10, 2004
    Posts:
    8
    Hello:

    I was getting a homepage hijack from something called ExactSearch. I ran HjT and examined the log. I removed:

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINNT\wsem218.dll
    O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\Program Files\Bargain Buddy\bin2\apuc.dll
    O4 - HKLM\..\Run: [Bargains] C:\Program Files\Bargain Buddy\bin2\bargains.exe
    O4 - HKLM\..\Run: [multiadmin] C:\PROGRA~1\bolt roam amen\license idol.exe
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [WebSavingsfromEbates] wjview /cp:p "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"
    O4 - HKLM\..\Run: [msbb] c:\program files\internet optimizer\sim\msbb.exe
    O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm


    I remain suspicious of these (which remain):
    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem218.dll
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINNT\Downloaded Program Files\bridge.dll
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINNT\Downloaded Program Files\bridge.dll",Load
    O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://static.flingstone.com/cab/2000XP/ClickYesToContinue/bridge.cab


    On reboot, I got a message (wish I could paste the image) from 180 searchAssistantAlert (never saw it before; seems bogus):
    ---------------------------------
    The system has detected that a 3rd party application has removed 180searchAssisant, possibly without your consent. This may cause some programs not to run as expected blah blah Options:

    Reinstall 180sA ...
    Leave 180sA Uninstalled
    Remond later ...

    Continue
    ----------------------------------

    Log file (after I removed the obvious items) is attached. Please suggest additional, and any comments on 180searchAssistant are welcome.

    Thanks as always.

    Tom
    _______________________________________
    Note: added TCat's attached log file
    _______________________________________
    Logfile of HijackThis v1.97.7
    Scan saved at 4:03:10 PM, on 6/28/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\Downloads\Popup Killers\Another Popup Killer.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\WINNT\system32\tsyuzk.exe
    C:\WINNT\ybkfwl.exe
    C:\WINNT\system32\cdral.exe
    C:\WINNT\system32\wuauclt.exe
    C:\Downloads\Browser Hijax\Hijack This\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.refdesk.com/
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINNT\twaintec.dll
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINNT\Downloaded Program Files\bridge.dll
    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem218.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [aiepk] C:\Downloads\Popup Killers\Another Popup Killer.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINNT\Downloaded Program Files\bridge.dll",Load
    O4 - HKLM\..\Run: [fwdvewzamueo] C:\WINNT\system32\tsyuzk.exe
    O4 - HKLM\..\Run: [alchem] C:\WINNT\alchem.exe
    O4 - HKLM\..\Run: [ybkfwl] C:\WINNT\ybkfwl.exe
    O4 - HKCU\..\Run: [cdral] C:\WINNT\system32\cdral.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://static.flingstone.com/cab/20...inue/bridge.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab
     


    Last edited by a moderator: Jun 28, 2004
  2. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Re: Would someone PLZ examine this HjT Log ??

    Hi TCat

    Still some work to do.

    Check the following items in HijackThis - close ALL browsers\windows except HijackThis and click "Fix checked":

    C:\WINNT\system32\tsyuzk.exe

    C:\WINNT\ybkfwl.exe

    C:\WINNT\system32\cdral.exe

    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINNT\twaintec.dll
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINNT\Downloaded Program Files\bridge.dll

    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem218.dll

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINNT\Downloaded Program Files\bridge.dll",Load

    O4 - HKLM\..\Run: [fwdvewzamueo] C:\WINNT\system32\tsyuzk.exe
    O4 - HKLM\..\Run: [alchem] C:\WINNT\alchem.exe
    O4 - HKLM\..\Run: [ybkfwl] C:\WINNT\ybkfwl.exe

    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

    O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://static.flingstone.com/cab/20...inue/bridge.cab


    NOTE....even in safe mode you may have to open taskmanager and end task on some of them before you can delete them.

    Make sure you can view hidden and system files: Instructions here

    Then Boot to safe mode: Instructions here

    Delete the following files\folders IF still present :

    C:\WINNT\twaintec.dll
    C:\WINNT\Downloaded Program Files\bridge.dll
    C:\WINNT\alchem.exe

    Then reboot and use AdAware as described here:
    https://www.wilderssecurity.com/showthread.php?t=15913

    Now, empty your TEMP Folder / Temporary Internet Files Folder and then empty your "Recycle Bin" and reboot.

    Run HJT again and pls. post a FRESH log. Thanks.
     
  3. TCat

    Re: Marianna's advice ...

    Hi Marianna,

    Thanks for your help. I've attempted what I think you suggested and have the following remarks:

    I wasn't quite sure what you meant by
    Check the following items in HijackThis - close ALL browsers\windows except HijackThis and click "Fix checked":

    C:\WINNT\system32\tsyuzk.exe
    C:\WINNT\ybkfwl.exe
    C:\WINNT\system32\cdral.exe

    You can't "check" these. I did, however, try to delete them, and tsyuzk.exe wouldn't allow it.

    Of the others that could be checked, I did them all, and "FIX"ed. Interestingly, this one returned (persisted); see new log, attached:
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

    I booted to Safe, and deleted the 3 you listed; bridge.dll wasn't there.

    I cleared the cookies out of c:\Docs&Settings\Administrator\Local Settings\Temporary Internet Files

    1) In looking at the latest log, I am suspicious about:
    O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll
    O4 - HKLM\..\Run: [gibsywatpf] C:\WINNT\system32\tsyuzk.exe

    2) I wonder if/whether I should delete c:\winnt\twain_32\
    It contains these subs (\fjscan, \logiscan, \miitwain); it didn't want to let me delete it (sharing violation ...)?

    4) My browser still isn't behaving right. It won't fire the dial-up utility (as it should); rather, it tries incessantly to access:
    http//:www.badurl.grandstreetinteractive.com
    in rapid fashion (the bottom status bar keeps flashing this address ...)
    Never seen this before. At best, I have to dial independently, then launch IE6, and it's still problematic. I was lucky to get to your forum. It's having real trouble accessing/loading pages

    I hope this description helps, and your further advice is welcome, Marianna.

    Tom
     


  4. Marianna

    Re: Would someone PLZ examine this HjT Log ??

    Here is your log:

    Logfile of HijackThis v1.97.7
    Scan saved at 10:26:15 PM, on 6/29/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\Downloads\Popup Killers\Another Popup Killer.EXE
    C:\WINNT\system32\tsyuzk.exe
    C:\WINNT\system32\wuauclt.exe
    C:\Downloads\Browser Hijax\Hijack This\HijackThis.exe


    O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [aiepk] C:\Downloads\Popup Killers\Another Popup Killer.EXE
    O4 - HKLM\..\Run: [Win Server Updt] C:\WINNT\wupdt.exe
    O4 - HKLM\..\Run: [gibsywatpf] C:\WINNT\system32\tsyuzk.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


    They showed up in YOUR log - you only have to make a check in the little box in front of the item.

    Well, your log was really hard to read the way you had copy\pasted it :(

    Yup - there is MORE in it.

    First of all there is a trojan in it! Troj/Imiserv-C
    http://www.sophos.com/virusinfo/analyses/trojimiservc.html !!!

    Check the following items in HijackThis - close ALL windows\browsers except HijackThis and click "Fix checked":

    C:\WINNT\system32\tsyuzk.exe


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.refdesk.com/

    O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll

    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

    O4 - HKLM\..\Run: [Win Server Updt] C:\WINNT\wupdt.exe
    O4 - HKLM\..\Run: [gibsywatpf] C:\WINNT\system32\tsyuzk.exe

    Reboot

    Go here and get one of the free trials of an Anti Trojan and scan for Trojans.
    http://www.wilders.org/anti_trojans.htm

    Go for free online Virus scans here:

    http://housecall.trendmicro.com/housecall/start_corp.asp
    http://www.pandasoftware.com/activescan/

    Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself.

    Empty your temp., Temp.Internet files and your recycle bin.

    Reboot

    Run HijackThis again and post a FRESH log - only to see if the baddies are gone. Thanks.

    p.s. is this the correct Start Page = http://www.refdesk.com/ ??
     
  5. TCat

    Re: Would someone PLZ examine this HjT Log ??

    Hi Marianna,

    Thanks again for your attention and help.

    Regarding your latest suggestion, you said

    1) Check the following items in HijackThis - close ALL windows\browsers except HijackThis and click "Fix checked":
    C:\WINNT\system32\tsyuzk.exe

    Again, this is NOT checkable/FIXable; it may not be obvious from the log file, but certainly when SCAN is done in HijackThis, it's clear that tsyuzk.exe is only a "Running Process". It's NOT checkable. Items that are checkable begin with R0..., O2..., O3..., O4..., O9..., O16..., etc. (I've bracketed in the attached log file to emphasize this point!) I hope you understand this.

    2) I ran updated versions of Ad-aware and Spybot S&D, and rebooted. Several problems were discovered. I also downloaded an eval. version of TrojanHunter and ran it in full scan; 5 trojans were detected; I cleaned them and rebooted.

    3) Of the items that were (indeed) checkable, RefDesk is my Homepage. I've attached the resultant HjT logfile. I may still be having some "interference" troubles, but I'd like you to please examine the log file (which is quite trimmed down now) and comment if you see anything amiss. It's certainly better ...

    4) Also, would you please describe EXACTLY where you mean when you say "
    empty your TEMP Folder / Temporary Internet Files Folder " ??

    5) I have the following info. from my workplace that suggests that IE is plagued hopelessly by such vexing problems, and that another browser is advisable:

    REF1: http://www.theregister.co.uk/2004/06/28/cert_ditch_explorer/

    "US CERT (the US Computer Emergency Readiness Team), is advising people to ditch Internet Explorer and use a different browser after the latest
    security vulnerability in the software was exposed." This is due to inherent insecurities in Internet Explorer. Alternative browsers include Mozilla (free download) and Opera.

    REF2: http://www.eweek.com/article2/0,1759,1617927,00.asp
    (Great article ...)

    Do you have any thoughts on this?

    Thanks,
    Tom
     

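    As an added example (not code from the thread, and not part of HijackThis), a small Python parser for the log format quoted in this thread: it separates the "Running processes" block, which cannot be ticked, from the checkable R/O entries, maps a running process to the entry that launches it, and compares two logs by target file so an autostart that came back under a new random Run value name (as tsyuzk.exe did between the first two logs) still shows up. The two sample logs are constructed from entries quoted above and trimmed.

```python
import re

# Checkable HijackThis 1.97 entries open with a section code (R0-R3, F0-F2, N1-N4, O1-O19).
ENTRY_RE = re.compile(r"^(?:R\d|F\d|N\d|O\d{1,2}) - ")
# First Windows file path in an entry, optionally double-quoted; NTFS paths are case-insensitive.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|ocx|lnk|htm))"?', re.I)

def is_checkable(line):
    """True for a line HijackThis lets you tick; 'Running processes' lines never qualify."""
    return bool(ENTRY_RE.match(line.strip()))

def parse_log(text):
    """Return (processes, entries): lower-cased running-process paths and raw checkable lines."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_procs = True
        elif not line:
            in_procs = False            # a blank line closes the process list
        elif in_procs:
            processes.append(line.lower())
        elif is_checkable(line):
            entries.append(line)
    return processes, entries

def target_of(entry):
    """File a checkable entry points at, lower-cased; None for '(no file)' or URL-only lines."""
    m = PATH_RE.search(entry)
    return m.group(1).lower() if m else None

def persisted_targets(before_entries, after_entries):
    """Files still referenced after a fix round. Matching on the file rather than the whole
    line catches an autostart that came back under a fresh random Run value name."""
    old = {target_of(e) for e in before_entries} - {None}
    return sorted(t for t in {target_of(e) for e in after_entries} if t in old)

def launchers(processes, entries):
    """Map each running process to the checkable line that starts it: tick that line in
    HijackThis, then end the process and delete the file (a process line can't be ticked)."""
    by_target = {target_of(e): e for e in entries if target_of(e)}
    return {p: by_target[p] for p in processes if p in by_target}

# Constructed sample logs, trimmed from the two logs quoted in the thread.
BEFORE_LOG = r"""Running processes:
C:\WINNT\system32\tsyuzk.exe

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINNT\twaintec.dll
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINNT\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [fwdvewzamueo] C:\WINNT\system32\tsyuzk.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""
AFTER_LOG = r"""Running processes:
C:\WINNT\system32\tsyuzk.exe

O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [gibsywatpf] C:\WINNT\system32\tsyuzk.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""
```

Run `persisted_targets(parse_log(BEFORE_LOG)[1], parse_log(AFTER_LOG)[1])` on two real logs taken before and after "Fix checked" to see which files survived; `launchers(*parse_log(AFTER_LOG))` tells you which ticked line corresponds to a still-running process.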

  6. Marianna

    Re: Would someone PLZ examine this HjT Log ??

    Here is your log:

    Logfile of HijackThis v1.97.7
    Scan saved at 9:46:13 PM, on 6/30/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\systemie.exe
    C:\WINNT\system32\systemp.exe
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\Downloads\Popup Killers\Another Popup Killer.EXE
    C:\Downloads\Browser Hijax\Hijack This\HijackThis.exe

    ========================================================================
    The following items are CHECKable/FIXable, Marianna; not the above items:
    ========================================================================

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.refdesk.com/
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [aiepk] C:\Downloads\Popup Killers\Another Popup Killer.EXE
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    Hi Tom,

    seems to me, you have a lot of time :)

    I can't find anything in your latest log what looks suspicious.

    Pls. don't tell me you have never cleaned your temp. and temp. internet files.

    Yes, it is NOT new that you should "dump" IE! I guess you have never seen this page:

    Unpatched Internet Explorer Bugs
    There are currently 24 items, updated on 2004/01/27 UTC+800

    http://www.safecenter.net/UMBRELLAWEBV4/ie_unpatched/

    My choice is Firefox and I am VERY happy with it.
     
  8. TCat

    IE6 is hosed

    Hi Marianna,

    Thanks for all your help and patience. I think my "invasion" problem is solved, but some previous functionality is missing (e.g., for some reason, when I launch IE6, it no longer automatically launches the dial-up script; I have to do that independently - first - then launch IE6). There are also a couple of other quirks: when IE is launched, it loads pages very slooooowwwwwwwwwlllllllyyyyyyyy. As well, keyboard response is significantly slowed down. My IE has now been brought to its knees, ground to a virtual halt. You may find this strange, but I have to tell you - as I've browsed a few other HjT posts, I see many others reporting the same symptom: IE browser slows to a snail's pace. It's been hosed.

    I attempted to reply from home last night but couldn't even get my IE to process this reply, so I'm posting from my work.

    I'm resolved to replace IE6 with Firefox ASAP. I planned to download it last night but, of course, that's now impossible from home. I'll copy to CD and do it that way. My IE now sucks and is useless. It's gone from bad to worse.

    So that's it. Thanks also for your purging instructions (temp files).
    You've been a big help. I'd buy you lunch if I could (grin).

    Regards,
    Tom
     
  9. Marianna

    Re: Would someone PLZ examine this HjT Log ??

    Hi TCat :)

    You're Welcome - Excellent move with Firefox !!
     