Trojans: Exploit-MhtRedir.gen & Exploit-Codebase.gen. Used Ad-Aware. What to delete?

Discussion in 'adware, spyware & hijack cleaning' started by nicoleleesoper, Apr 23, 2004.

Thread Status:
Not open for further replies.
  1. nicoleleesoper

    nicoleleesoper Registered Member

    Joined:
    Apr 23, 2004
    Posts:
    1
    Pls let me know what to do next. This is the log file produced by HijackThis.
    I am getting lots of ads popping up when on the Internet and I can't stop them.
    Thanks Nicole. o_O

    Logfile of HijackThis v1.97.7
    Scan saved at 2:37:48 PM, on 4/23/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Optimizer\optimize.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
    C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
    C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\Program Files\Internet Optimizer\actalert.exe
    C:\Program Files\Microsoft Office\Office10\msoffice.exe
    C:\Program Files\McAfee\McAfee VirusScan\VsMain.exe
    C:\Program Files\McAfee\McAfee VirusScan\AlogServ.exe
    C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
    C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HiJackCleaner\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.portalsearching.com/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.portalsearching.com/search.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optusnet.com.au/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.portalsearching.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.portalsearching.com/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.portalsearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.portalsearching.com/search/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.portalsearching.com/search.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.portalsearching.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.portalsearching.com/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.portalsearching.com/search.php?phrase=%s
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
    O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem217.dll
    O2 - BHO: (no name) - {D6862A22-1DD6-11D3-BB7C-444553540000} - C:\WINDOWS\System32\BHO.dll
    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem214.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {7EB2A76C-97AE-4CF3-9C6A-EA0F61F137E1} - http://www.sexxx-direct.com/psfiles/Updater.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {FC87A650-207D-4392-A6A1-82ADBC56FA64} (MultiDist) - http://xbs.mtree.com/mt/dialers/fc/MultiDistFC.CAB
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hello Nicole, welcome to the forum!
    I have some ideas but i'm not one of the experts to tell you exactly what to fix, not sure if they want one of the downloaded files i see in your O16 area as a sample to make sure if anything else should be looked at on your system too, so please don't fix nothing yet till the experts tell you, so hold on a few minutes more please.


    EDIT: in the meantime your thread is moved to the HJT area so leaves my "heartly welcome" as appropriate only!
    Wait for the fix-team please!
     
    Last edited: Apr 23, 2004
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi nicoleleesoper,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.portalsearching.com/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.portalsearching.com/search.php

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.portalsearching.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.portalsearching.com/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.portalsearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.portalsearching.com/search/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.portalsearching.com/search.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.portalsearching.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.portalsearching.com/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.portalsearching.com/search.php?phrase=%s
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
    O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem217.dll
    O2 - BHO: (no name) - {D6862A22-1DD6-11D3-BB7C-444553540000} - C:\WINDOWS\System32\BHO.dll
    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem214.dll

    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"

    O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe

    O16 - DPF: {7EB2A76C-97AE-4CF3-9C6A-EA0F61F137E1} - http://www.sexxx-direct.com/psfiles/Updater.exe

    O16 - DPF: {FC87A650-207D-4392-A6A1-82ADBC56FA64} (MultiDist) - http://xbs.mtree.com/mt/dialers/fc/MultiDistFC.CAB

    Then reboot and follow the instructions for AdAware as posted here: https://www.wilderssecurity.com/showthread.php?t=15913

    Regards,

    Pieter

    PS @ Jooske: I didn't understand what you meant, so I left you the option to ask for any samples you might find interesting.
     
  4. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    I'd be interested in receiving some samples.. am ALWAYS interested in them just in case ;) These files please

    C:\WINDOWS\twaintec.dll
    C:\WINDOWS\wsem217.dll
    C:\WINDOWS\System32\BHO.dll
    C:\WINDOWS\nem214.dll
    c:\Recycled\1.exe
     
Thread Status:
Not open for further replies.