PDA

View Full Version : Hijack This! Trying to help a friend.

DeepC
31st Jan 2005, 12:39
Folks,

Sorry for the really long post....

My friend has sent the following HJT log to me. I have attempted to mark up the log with what I think he should do to fix it. Can anyone look at my efforts and pick any holes in it so that the advice I eventually give to my friend is kosher. This is my first attempt at deciphering a log and has taken a lot of Googling to sort the wheat from the chaff. This (http://www.pchell.com/support/hijackthistutorial.shtml) website was invaluable. If you think my friend should be running specific removal tools prior to fixing with HJT then please shout.

Many thanks

DeepC

The Log..... (Followed by my advice)

Logfile of HijackThis v1.99.0
Scan saved at 12:16:42, on 29/01/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\FLBRGY.EXE
C:\SAFSA.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\TSARAXXA.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\NAVISEARCH\BIN\NLS.EXE
C:\PROGRAM FILES\CASHBACK\BIN\CASHBACK.EXE
C:\WINDOWS\WINAGENT.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\SSSASASB32.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R3 - URLSearchHook: (no name) - _{2E2F8541-8566-BB3A-952B-611ABCEB8B94} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: G1.GZ - {79C03BC5-6C55-4B5B-921F-C02B6F1ABD7B} - C:\WINDOWS\ALL USERS\APPLICATION DATA\PRIBI\PRIBI.DLL
O2 - BHO: (no name) - {512F0814-6C1C-9683-860B-699277AAF977} - C:\WINDOWS\Cvzcgzrq.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\SYSTEM\NVMS.DLL
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\SYSTEM\MSCB.DLL
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\MXTARGET.DLL
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM220.DLL (file missing)
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\PROGRAM FILES\SIDEFIND\SFBHO.DLL
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
O3 - Toolbar: Search - {88217D56-EE13-C3B1-858B-F54DB3108F07} - C:\WINDOWS\Cvzcgzrq.dll
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [pdcrlu] C:\WINDOWS\SYSTEM\pdcrlu.exe
O4 - HKLM\..\Run: [SV2CJAVM] C:\WINDOWS\SYSTEM\SV2CJAVM.exe
O4 - HKLM\..\Run: [AG_HOOKM] C:\WINDOWS\SYSTEM\AG_HOOKM.exe
O4 - HKLM\..\Run: [avaj] C:\WINDOWS\SYSTEM\avaj.exe
O4 - HKLM\..\Run: [CMUII] C:\WINDOWS\SYSTEM\CMUII.exe
O4 - HKLM\..\Run: [dbc16gto] C:\WINDOWS\SYSTEM\dbc16gto.exe
O4 - HKLM\..\Run: [DCCM32R] C:\WINDOWS\SYSTEM\DCCM32R.exe
O4 - HKLM\..\Run: [E4UINITI] C:\WINDOWS\SYSTEM\E4UINITI.exe
O4 - HKLM\..\Run: [EDWIPESQ] C:\WINDOWS\SYSTEM\EDWIPESQ.exe
O4 - HKLM\..\Run: [EGWIZCR] C:\WINDOWS\SYSTEM\EGWIZCR.exe
O4 - HKLM\..\Run: [GAV] C:\WINDOWS\SYSTEM\GAV.exe
O4 - HKLM\..\Run: [liconfgc] C:\WINDOWS\SYSTEM\liconfgc.exe
O4 - HKLM\..\Run: [ncrtp] C:\WINDOWS\SYSTEM\ncrtp.exe
O4 - HKLM\..\Run: [PTENUML] C:\WINDOWS\SYSTEM\PTENUML.exe
O4 - HKLM\..\Run: [SVIDCM] C:\WINDOWS\SYSTEM\SVIDCM.exe
O4 - HKLM\..\Run: [ti64hl2a] C:\WINDOWS\SYSTEM\ti64hl2a.exe
O4 - HKLM\..\Run: [TIICDXXA] C:\WINDOWS\SYSTEM\TIICDXXA.exe
O4 - HKLM\..\Run: [TIVIFXXA] C:\WINDOWS\SYSTEM\TIVIFXXA.exe
O4 - HKLM\..\Run: [TL3DC] C:\WINDOWS\SYSTEM\TL3DC.exe
O4 - HKLM\..\Run: [V32QT32I] C:\WINDOWS\SYSTEM\V32QT32I.exe
O4 - HKLM\..\Run: [W3DPRO2S] C:\WINDOWS\SYSTEM\W3DPRO2S.exe
O4 - HKLM\..\Run: [WEDISHS] C:\WINDOWS\SYSTEM\WEDISHS.exe
O4 - HKLM\..\Run: [WVIEW32A] C:\WINDOWS\SYSTEM\WVIEW32A.exe
O4 - HKLM\..\Run: [XDIAGD] C:\WINDOWS\SYSTEM\XDIAGD.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKLM\..\Run: [3DRG8FD] C:\WINDOWS\SYSTEM\3DRG8FD.exe
O4 - HKLM\..\Run: [AVAPRXYJ] C:\WINDOWS\SYSTEM\AVAPRXYJ.exe
O4 - HKLM\..\Run: [S3MSII] C:\WINDOWS\SYSTEM\S3MSII.exe
O4 - HKLM\..\Run: [SCONFIGM] C:\WINDOWS\SYSTEM\SCONFIGM.exe
O4 - HKLM\..\Run: [TSSVEXXA] C:\WINDOWS\SYSTEM\TSSVEXXA.exe
O4 - HKLM\..\Run: [TTSVEXXA] C:\WINDOWS\SYSTEM\TTSVEXXA.exe
O4 - HKLM\..\Run: [qgrhkkwpys] C:\WINDOWS\SYSTEM\flbrgy.exe
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\SATMAT.exe
O4 - HKLM\..\Run: [BFbUYiFux] C:\SAFSA.EXE
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [switp] C:\WINDOWS\SWITP_BUND_AR3.EXE
O4 - HKLM\..\Run: [¢‰¸ï0 4Ã4}¤Áœ5]C:\Program Files\ISTsvc\istsvc.exe] C:\SAFSA.EXE
O4 - HKLM\..\Run: [¢‰¸ï0+¿ÔÇè]mú*àaîžiC:\Program Files\ISTsvc\istsvc.exe] C:\SAFSA.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [TSARAXXA] C:\WINDOWS\SYSTEM\TSARAXXA.exe
O4 - HKLM\..\Run: [SvcH0st] C:\WINDOWS\winagent.exe /i
O4 - HKLM\..\Run: [sssasasb32] C:\WINDOWS\sssasasb32.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [\Pribi.exe] C:\WINDOWS\ALLUSE~1\APPLIC~1\PRIBI\Pribi.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\PROGRAM FILES\SIDEFIND\SIDEFIND.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: Win32 Classes - file://c:\windows\Java\classes\win32ie4.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = hello.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 137.205.128.17,137.205.128.18,137.205.128.19

DeepC's Advice to Friend....

Make sure that HJT is sitting in it's own permanent folder to enable it to save backups to the same directory.

Reboot PC then in Task Manager shut down the following programs.

C:\WINDOWS\SYSTEM\FLBRGY.EXE
C:\SAFSA.EXE
C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
C:\WINDOWS\SYSTEM\TSARAXXA.EXE
C:\PROGRAM FILES\NAVISEARCH\BIN\NLS.EXE
C:\PROGRAM FILES\CASHBACK\BIN\CASHBACK.EXEC:\WINDOWS\SSSASASB32.EXE

Then rerun HJT and check to fix the following entries.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R3 - URLSearchHook: (no name) - _{2E2F8541-8566-BB3A-952B-611ABCEB8B94} - (no file)

O2 - BHO: G1.GZ - {79C03BC5-6C55-4B5B-921F-C02B6F1ABD7B} - C:\WINDOWS\ALL USERS\APPLICATION DATA\PRIBI\PRIBI.DLL
O2 - BHO: (no name) - {512F0814-6C1C-9683-860B-699277AAF977} - C:\WINDOWS\Cvzcgzrq.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\SYSTEM\NVMS.DLL
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\SYSTEM\MSCB.DLL
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\MXTARGET.DLL
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM220.DLL (file missing)
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\PROGRAM FILES\SIDEFIND\SFBHO.DLL
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
O3 - Toolbar: Search - {88217D56-EE13-C3B1-858B-F54DB3108F07} - C:\WINDOWS\Cvzcgzrq.dll

O4 - HKLM\..\Run: [pdcrlu] C:\WINDOWS\SYSTEM\pdcrlu.exe
O4 - HKLM\..\Run: [SV2CJAVM] C:\WINDOWS\SYSTEM\SV2CJAVM.exe
O4 - HKLM\..\Run: [AG_HOOKM] C:\WINDOWS\SYSTEM\AG_HOOKM.exe
O4 - HKLM\..\Run: [avaj] C:\WINDOWS\SYSTEM\avaj.exe
O4 - HKLM\..\Run: [CMUII] C:\WINDOWS\SYSTEM\CMUII.exe
O4 - HKLM\..\Run: [dbc16gto] C:\WINDOWS\SYSTEM\dbc16gto.exe
O4 - HKLM\..\Run: [DCCM32R] C:\WINDOWS\SYSTEM\DCCM32R.exe
O4 - HKLM\..\Run: [E4UINITI] C:\WINDOWS\SYSTEM\E4UINITI.exe
O4 - HKLM\..\Run: [EDWIPESQ] C:\WINDOWS\SYSTEM\EDWIPESQ.exe
O4 - HKLM\..\Run: [EGWIZCR] C:\WINDOWS\SYSTEM\EGWIZCR.exe
O4 - HKLM\..\Run: [GAV] C:\WINDOWS\SYSTEM\GAV.exe
O4 - HKLM\..\Run: [liconfgc] C:\WINDOWS\SYSTEM\liconfgc.exe
O4 - HKLM\..\Run: [ncrtp] C:\WINDOWS\SYSTEM\ncrtp.exe
O4 - HKLM\..\Run: [PTENUML] C:\WINDOWS\SYSTEM\PTENUML.exe
O4 - HKLM\..\Run: [SVIDCM] C:\WINDOWS\SYSTEM\SVIDCM.exe
O4 - HKLM\..\Run: [ti64hl2a] C:\WINDOWS\SYSTEM\ti64hl2a.exe
O4 - HKLM\..\Run: [TIICDXXA] C:\WINDOWS\SYSTEM\TIICDXXA.exe
O4 - HKLM\..\Run: [TIVIFXXA] C:\WINDOWS\SYSTEM\TIVIFXXA.exe
O4 - HKLM\..\Run: [TL3DC] C:\WINDOWS\SYSTEM\TL3DC.exe
O4 - HKLM\..\Run: [V32QT32I] C:\WINDOWS\SYSTEM\V32QT32I.exe
O4 - HKLM\..\Run: [W3DPRO2S] C:\WINDOWS\SYSTEM\W3DPRO2S.exe
O4 - HKLM\..\Run: [WEDISHS] C:\WINDOWS\SYSTEM\WEDISHS.exe
O4 - HKLM\..\Run: [WVIEW32A] C:\WINDOWS\SYSTEM\WVIEW32A.exe
O4 - HKLM\..\Run: [XDIAGD] C:\WINDOWS\SYSTEM\XDIAGD.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKLM\..\Run: [3DRG8FD] C:\WINDOWS\SYSTEM\3DRG8FD.exe
O4 - HKLM\..\Run: [AVAPRXYJ] C:\WINDOWS\SYSTEM\AVAPRXYJ.exe
O4 - HKLM\..\Run: [S3MSII] C:\WINDOWS\SYSTEM\S3MSII.exe
O4 - HKLM\..\Run: [SCONFIGM] C:\WINDOWS\SYSTEM\SCONFIGM.exe
O4 - HKLM\..\Run: [TSSVEXXA] C:\WINDOWS\SYSTEM\TSSVEXXA.exe
O4 - HKLM\..\Run: [TTSVEXXA] C:\WINDOWS\SYSTEM\TTSVEXXA.exe
O4 - HKLM\..\Run: [qgrhkkwpys] C:\WINDOWS\SYSTEM\flbrgy.exe
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\SATMAT.exe
O4 - HKLM\..\Run: [BFbUYiFux] C:\SAFSA.EXE
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [switp] C:\WINDOWS\SWITP_BUND_AR3.EXE
O4 - HKLM\..\Run: [¢‰¸ï0 4Ã4}¤Áœ5]C:\Program Files\ISTsvc\istsvc.exe] C:\SAFSA.EXE
O4 - HKLM\..\Run: [¢‰¸ï0+¿ÔÇè]mú*àaîžiC:\Program Files\ISTsvc\istsvc.exe] C:\SAFSA.EXE
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [TSARAXXA] C:\WINDOWS\SYSTEM\TSARAXXA.exe
O4 - HKLM\..\Run: [sssasasb32] C:\WINDOWS\sssasasb32.exe
O4 - HKCU\..\Run: [\Pribi.exe] C:\WINDOWS\ALLUSE~1\APPLIC~1\PRIBI\Pribi.exe

O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\PROGRAM FILES\SIDEFIND\SIDEFIND.DLL

O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = hello.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 137.205.128.17,137.205.128.18,137.205.128.19

When you have done this. Reboot your system and then rerun HJT and email me the Log.
E-Liam
31st Jan 2005, 17:57
High Deep,

That's a mess.. :)

You've done a good job of picking the baddies, from a quick glance.. :ok: :) except for the 017 entries.. they look like a local network.. is he at Warwick University by any chance? :)

Also, one thing that you need to remember is that fixing an entry in HJT, just stops it running.. usually until the next boot. Each individual file or folder must then be deleted manually.. but that's the easy bit.. you picked out the troublesome ones, which is the hardest job.. after that, the processes to deal with them are just a matter of remembering. That's why I have a 7 page Word document, with all the usual C&Ps in the order that I use them. That way it becomes nice and systematic.. he says.. (I wish it was that easy) :D

I know it's unusual fior me to do this, this way round, but as he has no protection whatsoever running on his machine, we'll start by cleaning it up automatically..

But first, get him to install a firewall and Anti-Virus, otherwise he's probably looking at a minute's surfing before he gets infected again.

Firewall (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?lid=pdb_za1)

Anti-Virus (http://www.grisoft.com/us/us_dwnl_free.php)

Then get him to install and run the following.. (one C&P coming up)..

download AdAware SE from here (http://www.lavasoftusa.com/support/download/).

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

Next, we need to configure Ad-aware for a full scan.

Click on the Gear icon (second from the left) to access the preferences/settings window

1. In the General window make sure the following are selected:
· Automatically save log-file
· Automatically quarantine objects prior to removal
· Safe Mode (always request confirmation)

2. Click on the Scanning button on the left and select :
· Scan Within Archives
· Scan Active Processes
· Scan Registry
· Deep Scan Registry
· Scan my IE favorites for banned URL’s
· Scan my Hosts file

· Under Click here to select drives + folders, choose:
· All of your hard drives | Proceed

3. Click on the Advanced button on the left and select:
· Include additional process information
· Include additional file information
· Include environment information

4. Click the Tweak button and select:
· Under the Scanning Engine:
· Unload recognized processes & modules during scan
· Include additional Ad-aware settings in logfile
· Under the Cleaning Engine:
· Let Windows remove files in use at next reboot

5. Click on Proceed to save the settings.

6. Click Start and on the next screen choose:
· Use Custom Scanning Options

7. Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

Next, please reboot again and download Spybot - Search & Destroy 1.3 from here (http://security.kolla.de): if you haven't already got the program.

Click on Updates | Download Updates, and follow the prompts.

Next, close all Internet Explorer windows, and click Check for Problems. Once the scan is complete, have SpyBot remove all it finds marked in RED.

Next, download and run CCleaner (http://www.ccleaner.com/). If you have certain cookies you want to retain, then click on the Options button before running, and move across the ones that you want to keep...

Next reboot and go here (http://housecall.trendmicro.com/housecall/start_corp.asp), and run the online virus scan; choosing the Autoclean option just before clicking the Scan button. Then please post a new log and we can see what's left..


Cheers

Liam
DeepC
31st Jan 2005, 21:12
E-Liam,

You are a star!

Thanks very much. I checked with the bloke about the URLs as I thought his family must have some connection with Warwick. They did not so that is why I had them knocked out.

I took the liberty of cutting an pasting your Ad-Aware etc notes. (I gave him the details of from whom and where I had nicked them from. Credit where it is certainly due)

I've already admonished him for not having a Firewall etc. Will reinforce the point tomorrow.

I really appreciate the way you are prepared to pass on some of your hard earned knowledge to us. It'll gradually start to pay off for you as other people step in to help PPRuNers in distress.

Cheers

DeepC
E-Liam
3rd Feb 2005, 18:35
You're welcome, DeepC,

let me know how he gets on.. :ok: :)

Cheers

Liam