
Spyware and Hijackthis log

Posted on 2004-09-15
Last Modified: 2010-04-11
I ran the following utils.  
Spysweeper
Adaware
spybot

I am unable to clean this machine effectively.  I am running WINDOWS 2000 PRO with the latest updates.  Attached is a log from hijackthis.  I noticed that popups occur and cookies are added to my cookie folder without even launching Internet Explorer.  The list of usual suspects is the following:

z1.adserver[1].txt
www.sandboxer2.txt
servedby.advertising.txt

Attached is a log from hijackthis.

Logfile of HijackThis v1.97.7
Scan saved at 12:27:10 PM, on 9/15/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Paul Bunyan\pbserver.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINNT\uptodate.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Common Files\Dpi\dpi.exe
C:\Program Files\Common files\updmgr\updmgr.exe
C:\WINNT\rundll16.exe
C:\WINNT\System32\Fqr9U5vF.exe
C:\WINNT\System32\Uguf65HV.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\taskmgr.exe
C:\TEMP\temp\JM\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\system32/left.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {087173EF-9829-4F49-8340-A524177D3F60} - C:\WINNT\system32\inetp60.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [36F4SAZ3QJAFKE] C:\WINNT\system32\Vrxu.exe
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINNT\uptodate.exe
O4 - HKLM\..\Run: [Rundll32_8] rundll32.exe C:\WINNT\system32\inetp60.dll,DllRunServer
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [Rundll16] C:\WINNT\rundll16.exe
O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe C:\WINNT\system32\msiefr40.dll,DllRunServer
O4 - HKLM\..\Run: [zhkphwirubec] C:\WINNT\system32\wgrxffxd.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38118.6120833333

Please help,

Question by:jmorin1
 
LVL 65

Assisted Solution

by:SheharyaarSaahil
SheharyaarSaahil earned 475 total points
ID: 12067746
Hello jmorin1 =)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\system32/left.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {087173EF-9829-4F49-8340-A524177D3F60} - C:\WINNT\system32\inetp60.dll
O4 - HKLM\..\Run: [36F4SAZ3QJAFKE] C:\WINNT\system32\Vrxu.exe
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINNT\uptodate.exe
O4 - HKLM\..\Run: [Rundll32_8] rundll32.exe C:\WINNT\system32\inetp60.dll,DllRunServer
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [Rundll16] C:\WINNT\rundll16.exe
O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe C:\WINNT\system32\msiefr40.dll,DllRunServer
O4 - HKLM\..\Run: [zhkphwirubec] C:\WINNT\system32\wgrxffxd.exe
============================

Close all your browser and Explorer windows, check the above lines in HijackThis and click on Fix Checked !!
then run these tools in safe mode, to remove everything they detect !!

========================================================
AdAware ==> http://www.spychecker.com/program/adaware.html
SpyBot  ==> http://www.spychecker.com/program/spybot.html
SpySweeper >> http://www.spychecker.com/program/spysweeper.html
SpywareBlaster >> http://www.spychecker.com/program/spywareblaster.html
CoolWebShredder ==> http://www.spychecker.com/program/coolwebshredder.html
Stinger >> http://vil.nai.com/vil/stinger
========================================================

Empty the Temporary Internet Files, cookies and TEMP folder !!
Restart in Normal Mode and check for the problem now ??

!! GOOD LUCK !!
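As an added example (not code from the thread or from HijackThis), the screening the expert did by hand above can be expressed as a few heuristics over a HijackThis log: an IE search setting redirected to a local file, a BHO with no name, a Run entry that has rundll32 load a DLL export at logon, an executable whose name mimics rundll32, and Run labels or filenames that look machine-generated. The sample log lines are constructed from the entries quoted in this thread; the name heuristics are an assumption of this example, not a HijackThis feature.

```python
import re

# Constructed sample of HijackThis 1.97.7 entries, modelled on the log posted in the question
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\system32/left.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {087173EF-9829-4F49-8340-A524177D3F60} - C:\WINNT\system32\inetp60.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [36F4SAZ3QJAFKE] C:\WINNT\system32\Vrxu.exe
O4 - HKLM\..\Run: [Rundll32_8] rundll32.exe C:\WINNT\system32\inetp60.dll,DllRunServer
O4 - HKLM\..\Run: [Rundll16] C:\WINNT\rundll16.exe
O4 - HKLM\..\Run: [zhkphwirubec] C:\WINNT\system32\wgrxffxd.exe
"""

O4_RE = re.compile(r"^O4 - .*?: \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
RUNDLL_RE = re.compile(r"^rundll32(\.exe)?\s+(?P<dll>\S+?),(?P<export>\w+)", re.I)


def looks_random(name):
    """Heuristic (assumed for this example) for machine-generated labels/filenames such as
    36F4SAZ3QJAFKE or wgrxffxd: several digits mixed into letters, or a long consonant run."""
    stem = name.rsplit(".", 1)[0]
    digits = sum(c.isdigit() for c in stem)
    runs = re.findall(r"[b-df-hj-np-tv-z]+", stem, re.I)
    return digits >= 3 or max((len(r) for r in runs), default=0) >= 5


def analyse_hjt(log):
    """Return (reason, line) pairs for entries that deserve a closer look."""
    findings = []
    for line in log.splitlines():
        line = line.strip()
        if line.startswith(("R0", "R1")) and "file://" in line.lower():
            findings.append(("IE search setting points at a local file", line))
        elif line.startswith("O2") and "(no name)" in line:
            findings.append(("BHO with no name", line))
        elif (m := O4_RE.match(line)):
            label, cmd = m.group("label"), m.group("cmd")
            exe = cmd.replace("\\", "/").rsplit("/", 1)[-1]   # basename of the command
            if (r := RUNDLL_RE.match(cmd)):
                findings.append((f"rundll32 loads {r.group('dll')},{r.group('export')} at logon", line))
            elif re.fullmatch(r"rundll\d+\.exe", exe, re.I) and exe.lower() != "rundll32.exe":
                findings.append(("executable name mimics rundll32", line))
            elif looks_random(label) or looks_random(exe):
                findings.append(("random-looking Run entry", line))
    return findings


if __name__ == "__main__":
    for reason, line in analyse_hjt(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

On the sample above every entry the expert told the poster to fix is flagged while the legitimate Norton tray entry (vptray) is not; the heuristics are a triage aid, not a verdict.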
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12067753
and from next time you use HijackThis, use the latest version >> http://tools.radiosplace.com/HijackThis.exe
and then post the LOG here >> http://www.hijackthis.de/index.php?langselect=english

it will automatically analyse it for you, so you can fix the entries yourself :)
 

Author Comment

by:jmorin1
ID: 12068204
I am doing as you outlined. I have not finished and need to ask the following. Should I use Stinger if I already have Norton Antivirus on the workstation? Thank you for the input.
 
LVL 65

Assisted Solution

by:SheharyaarSaahil
SheharyaarSaahil earned 475 total points
ID: 12068239
Yes, I recommend using two types of virus scanners; online virus scanners also do a good job, if you want to try them instead of Stinger :)

1. http://us.mcafee.com/root/mfs/default.asp?cid=9059 
2. http://security.symantec.com/
3. http://housecall.trendmicro.com/ 
4. http://www.pandasoftware.com/activescan/com/activescan_principal.htm
5. http://www.pcpitstop.com/antivirus/default.asp

 
LVL 10

Expert Comment

by:ngravatt
ID: 12068781
Run Spybot Search and Destroy in safe mode. Or better yet, run all the programs listed above in safe mode.
 

Author Comment

by:jmorin1
ID: 12070252
The problem appears to have been remedied.  Excellent feedback!  Thank you so much!  I will monitor the situation and add those suggestions and tools to my toolkit!  

A million thanks! One more thing if I might:

I noticed that a toolbar folder was created in the program files folder. I can't delete the folders. The OS responds by telling me access denied. I have administrative rights on this local machine.  The path is as follows:

program files\toolbar\skins

I looked at the folder attributes and they are not restricted in any sense.  I will award you the points SheharyaarSaahil but was wondering if I might run into future spyware issues if this folder does not get removed.
 
LVL 65

Assisted Solution

by:SheharyaarSaahil
SheharyaarSaahil earned 475 total points
ID: 12070270
that's great news... good job :)

>> I can't delete the folders. The OS responds by telling me access denied.

Just try to take ownership of this folder, and then delete it !!

HOW TO: Take Ownership of Files
http://support.microsoft.com/?id=268019

Good Luck :)
 

Accepted Solution

by:
llamasamurai earned 25 total points
ID: 12070590
If taking ownership of the files doesn't work, use <Ctrl><Alt><Del> and go to the Processes tab. Check for any processes that might be running to prevent you from deleting the files - something unusual, near the top of the list.
 
LVL 12

Expert Comment

by:rossfingal
ID: 12071242
jmorin1

Perhaps an update on your situation is in order??
Any on-going problems?

RF
 

Author Comment

by:jmorin1
ID: 12079193
I will have an answer sometime tomorrow regarding the deleting of the folder.  I am concerned because I was logged in as the administrator and could not do anything with it by way of deletion.   I will be back in the location of the machine that I could not delete the folder.

I have to close out this original issue and award the majority to the core of the main issue. Thank you one and all for your support!