
Hijack help please



paradox
27-04-2005, 07:58 PM
Hi... This is the HijackThis log from my granddaughter's PC, which is in very poor shape. I have already found a lot of nasties but some of them are reborn after a re-start. It also will not connect to the net: after dialling, the handshake just turns into a reset for the whole PC. I have been going to try a clean install but then I remembered seeing HijackThis. Way out of my league but it would be great if one of you Hijack wizards could interpret the log for me and maybe find the problem. Cheers Ken.


Logfile of HijackThis v1.99.1
Scan saved at 11:12:31 AM, on 4/27/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Media Pass\MediaPass.exe
C:\temp\salm.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\TEMP\~compoundinst0\auto_update_loader. exe
C:\WINDOWS\System32\csrlogon.exe
C:\WINDOWS\System32\cneview.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Media Pass\MediaPassK.exe
C:\WINDOWS\System32\mpdat.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Documents and Settings\Lisa\Local Settings\Temp\Temporary Directory 3 for hijackthis-3.zip\HijackThis.exe
C:\WINDOWS\notepad.exe
C:\Documents and Settings\Lisa\Local Settings\Temp\Temporary Directory 4 for hijackthis-3.zip\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
F2 - REG:system.ini: Shell=Explorer.exe mpdat.exe
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPass.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [rodofoj] C:\WINDOWS\rodofoj.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AutoLoaderEnvoloAutoUpdater] "C:\WINDOWS\TEMP\~compoundinst0\auto_update_loader. exe" /PC=CP.CDT3 /ShowLegalNote=nonbranded /ForSupportedBrowsers
O4 - HKLM\..\Run: [438W3ti] csrlogon.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [L0r6RjG2h] cneview.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - (no file)
O21 - SSODL: mtkle - {F9AB65F7-2084-4BAE-6C9C-54210ADCDEAF} - C:\WINDOWS\System32\yiba32.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe

Edward
27-04-2005, 08:11 PM
Oh dear god. Right now I can see 5 spyware processes running.

Press Ctrl + Alt + Delete and get into Task Manager.

Kill these processes

salm.exe
auto_update_loader.exe
mediapassk.exe
cxtpls.exe
mpdat.exe
bargains.exe

Then, download and run

Spybot search & destroy
Lavasoft Ad-aware SE personal
Microsoft Antispyware beta

I recommend that you allow either Spybot S&D or Microsoft Antispyware to have live protection. Probably Microsoft's antispyware, as it has a nicer interface for your granddaughter

Then run hijackthis again

Peterj116
27-04-2005, 08:21 PM
Question number 1:
Did you disable System Restore before attempting any repairs?
If not, System Restore will helpfully put the crap back in for you.

Right-click My Computer on the desktop; go into Properties.
In the System Restore tab, click Turn off system restore on all drives.

:)

As well as Spybot & Ad Aware, download (from another computer) the standalone virus scanner Stinger (http://vil.nai.com/vil/stinger/). Not the best, but it may pick up a few things.

Speedy Gonzales
27-04-2005, 08:25 PM
C:\Program Files\Media Pass\MediaPass.exe

Uninstall Mediapass in Add/remove programs

Uninstalling Mediapass might disable it loading on bootup.

http://securityresponse.symantec.com/avcenter/venc/data/adware.mediapass.html

C:\temp\salm.exe
C:\WINDOWS\TEMP\~compoundinst0\auto_update_loader. exe

These are suss.

C:\WINDOWS\System32\csrlogon.exe
C:\WINDOWS\System32\cneview.exe

C:\Program Files\Media Pass\MediaPassK.exe

This file is related to a trojan

C:\WINDOWS\System32\mpdat.exe

This is spyware/adware

C:\Program Files\CxtPls\CxtPls.exe

C:\Program Files\BullsEye Network\bin\bargains.exe

F2 - REG:system.ini: Shell=Explorer.exe mpdat.exe

O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (This is part of Spybot but isn't needed.)

O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll - This is a trojan

O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPass.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [rodofoj] C:\WINDOWS\rodofoj.exe

O4 - HKLM\..\Run: [AutoLoaderEnvoloAutoUpdater] "C:\WINDOWS\TEMP\~compoundinst0\auto_update_loader. exe" /PC=CP.CDT3 /ShowLegalNote=nonbranded /ForSupportedBrowsers

O4 - HKLM\..\Run: [438W3ti] csrlogon.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [L0r6RjG2h] cneview.exe

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - (no file)

Don't know what this file is

O21 - SSODL: mtkle - {F9AB65F7-2084-4BAE-6C9C-54210ADCDEAF} - C:\WINDOWS\System32\yiba32.dll


O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe

If this computer is on a network, I WOULD remove it / unplug it from the network, until you remove the above in HijackThis. That MPDAT.exe file is possibly a worm, which is network aware, and it'll infect the rest of the computers, if this PC is on a network.
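The checks made in the post above (a second executable appended to the Shell= line, Run entries that are bare filenames or live in a temp directory, random-looking value names, an SSODL entry with no file, a service with an unknown owner) can be applied mechanically to the log format. The following is an added example, not code from this thread or from HijackThis; the sample lines are copied from the log above (the forum-wrapped "auto_update_loader. exe" is written without the space) and the heuristics are the poster's, turned into code:

```python
import re

# Constructed sample: lines from the log above (wrapped filename space removed).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe mpdat.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [AutoLoaderEnvoloAutoUpdater] "C:\WINDOWS\TEMP\~compoundinst0\auto_update_loader.exe" /PC=CP.CDT3
O4 - HKLM\..\Run: [438W3ti] csrlogon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [L0r6RjG2h] cneview.exe
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - (no file)
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe
"""

RUN_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# Value names mixing digits with upper- and lower-case letters, e.g. 438W3ti
RANDOM_NAME = re.compile(r"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{6,}$")

def _exe_path(cmd):
    """Executable part of a Run command, with quotes and arguments removed."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]

def triage(log_text):
    """Return (line, reason) pairs for the entries a reviewer should check first."""
    findings = []
    for line in log_text.strip().splitlines():
        run = RUN_RE.match(line)
        if line.startswith("F2 - ") and "Shell=" in line:
            # Shell= should be Explorer.exe alone; anything appended starts at logon
            extra = [s for s in line.split("Shell=", 1)[1].split() if s.lower() != "explorer.exe"]
            if extra:
                findings.append((line, "extra shell executable: " + ", ".join(extra)))
        elif run:
            name, path = run["name"], _exe_path(run["cmd"])
            if "\\" not in path:
                findings.append((line, "bare filename, resolved via the search path"))
            if "\\temp\\" in path.lower():
                findings.append((line, "runs from a temp directory"))
            if RANDOM_NAME.match(name):
                findings.append((line, "random-looking value name"))
        elif line.startswith("O21 - ") and line.endswith("(no file)"):
            findings.append((line, "orphaned entry, file missing"))
        elif line.startswith("O23 - ") and "Unknown owner" in line:
            findings.append((line, "service with no vendor information"))
    return findings
```

Run `triage(SAMPLE_LOG)` on the sample to get nine findings; the ZoneAlarm and AVG entries pass every check, which is the point of keeping the whole log rather than only the suspicious lines.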

gibler
27-04-2005, 08:28 PM
I'd add that you definitely need to update this PC (i.e. Windows Update and find SP2 on CD) ASAP.

Also the ZESOFT service is dodgy see here (http://www.iamnotageek.com/a/zeta.exe.php)

Plus a mountain of other stuff...

And check the hosts file. Should be in: C:\WINDOWS\system32\drivers\etc

Fatjoz
27-04-2005, 08:37 PM
Er, you could just reinstall Windows & install Spybot etc. etc.

Aurealis_
27-04-2005, 08:41 PM
All good solutions. Paradox, is it possible for you to download either Adaware or Microsoft Anti-Spyware? If not, I'm happy to write them to a CD and send them out to you.

pctek
27-04-2005, 08:55 PM
I'd enable immunize on Spybot. And install Spywareblaster or similar and enable everything on it.
Make sure her firewall is configured properly and she hasn't allowed everything like most people do.
The more protection the better.

lewisc
27-04-2005, 09:06 PM
Not sure how much this will help, but my friend's mum had a computer full of spyware/adware that kept coming back on restart. I booted it in safe mode and ran Lavasoft Ad-Aware; it completely cleaned all the bugs and there haven't been any problems since then.

sal
27-04-2005, 09:27 PM
I had a quick search, and it hasn't been mentioned in the forums yet, but concerning HijackThis logs, there's a great utility online that can give you useful feedback about your logs -

http://hjt.iamnotageek.com/

I think this should also be mentioned in the FAQ on Spyware, adware and viruses (http://pressf1.co.nz/faq.php?faq=pressf1_faqs_security#faq_pressf1_faq_ 16) under the HJT section. Also it is suggested to not post HJT logs in forums, but instead link to a log file. Log files are welcome to be uploaded at IF1 (http://sal.neoburn.net/imagef1/) (.log is fine to upload).

Edward
27-04-2005, 09:45 PM
Not sure how much this will help, but my friend's mum had a computer full of spyware/adware that kept coming back on restart. I booted it in safe mode and ran Lavasoft Ad-Aware; it completely cleaned all the bugs and there haven't been any problems since then.

Indeed, booting into safe mode and running the antispy programs is recommended, as the nastyware won't be running, and they'll have a chance to delete it.

zqwerty
27-04-2005, 10:30 PM
Thanks for that link, sal, I just tried it and got an almost clean bill of health except for all the about:blanks which I actually put in myself and one unnamed BHO which I have always wondered about.

Good stuff, thanks again.

paradox
27-04-2005, 10:46 PM
sal...

Thanks for the gentle hint about IF1. I've just been to take a look at it. Could you or anyone else who knows please let me know what address goes into the box labelled Relative Link. I'm sure that the answer is something really simple but I've never seen that request before.

Thanks to everyone for the replies... I'll get back and let you know what happens.

Cheers Ken. :)

sal
27-04-2005, 11:19 PM
Thanks for the gentle hint about IF1. I've just been to take a look at it. Could you or anyone else who knows please let me know what address goes into the box labelled Relative Link.
It wasn't entirely directed at you paradox, in fact I think it is only my opinion at best. About IF1, the 'Relative Link' is optional (/me hurries off to label it so).

FoxyMX
28-04-2005, 09:43 AM
I had a quick search, and it hasn't been mentioned in the forums yet, but concerning HijackThis logs, there's a great utility online that can give you useful feedback about your logs -

http://hjt.iamnotageek.com/

Wow, that's a really good utility! Thanks for the link, Sal.


Also it is suggested to not post HJT logs in forums, but instead link to a log file.
I strongly disagree with that. If log files are posted as files then Google will not be able to find the contents and searches for entries and their fixes will become quite fruitless.

sal
28-04-2005, 10:52 AM
Also it is suggested to not post HJT logs in forums, but instead link to a log file.
I strongly disagree with that. If log files are posted as files then Google will not be able to find the contents...
I recommended this because it was mentioned in a tutorial on the subject of posting HJT logs in (forums) (http://forums.majorgeeks.com/showthread.php?t=38752) which is linked to from the FAQ here (http://pressf1.co.nz/faq.php?faq=pressf1_faqs_security#faq_pressf1_faq_ 16).


...Due to Hijack This logs destroying search engine and website searches, we now ask you do not post your Hijack This log file unless requested by us...When, and if, we ask you to post your logfile, please attach it as a file.

Also, google (and the forum search) should pick up the parts it needs to when we highlight in thread posts what needs to be fixed.

FoxyMX
28-04-2005, 02:32 PM
I recommended this because it was mentioned in a tutorial on the subject of posting HJT logs in (forums) (http://forums.majorgeeks.com/showthread.php?t=38752) which is linked to from the FAQ here (http://pressf1.co.nz/faq.php?faq=pressf1_faqs_security#faq_pressf1_faq_ 16).

Yes, I gathered that your suggestion was made after seeing it recommended somewhere else but I don't think that we have the same problem here as they do. At my other Home where hundreds (thousands?) of HJT logs are posted they prefer them posted on the forum as is done here rather than posted as files.


Also, google (and the forum search) should pick up the parts it needs to when we highlight in thread posts what needs to be fixed.

Yes, you are quite right about that but I still prefer to see the whole log because it is helpful to see what entries in logs get a clean bill of health. Legitimate entries in logs would no longer appear in Google which would make it very time consuming and tedious to find out whether spyware/malware was present or not.

paradox
28-04-2005, 11:08 PM
Thanks sal... I think I'm having one of my mental blocks. At the risk of driving you nuts, what I'd like to know is, step by step, how IF1 works. Where is my file stored after it's been uploaded? Where does the link on my post go to to get the file? Where does Google come into it? Hope you're in a patient mood.

I couldn't find this in our FAQ and MajorGeeks' small reference to it assumed that I knew most of it anyway. Cheers... Ken :)