Spyware help - HijackThis logfile included


Roliel
01-14-2005, 05:38 PM
Having problems with spyware, again. Spybot and Adaware have failed, so I'm resorting to HJT. If any of you tech types feel like lending a hand, here's the log:

Logfile of HijackThis v1.99.0
Scan saved at 5:30:54 PM, on 1/14/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\sstray.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\OpenOffice.org1.1.2\program\soffice.exe
C:\Documents and Settings\RyanF\Desktop\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\agfsj.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\agfsj.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {6D9E2D31-EB57-F24B-9B0F-61D4FA3DB1F4} - C:\WINDOWS\system32\crcz.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [Ywu4RPN5T] encrath.exe
O4 - Startup: OpenOffice.org 1.1.2.lnk = C:\Program Files\OpenOffice.org1.1.2\program\quickstart.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095019350170
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\crsq.exe (file missing)

Palimax Sceleris
01-14-2005, 05:48 PM
O4 - HKCU\..\Run: [Ywu4RPN5T] encrath.exe
VERY suspect.

O2 - BHO: (no name) - {6D9E2D31-EB57-F24B-9B0F-61D4FA3DB1F4} - C:\WINDOWS\system32\crcz.dll
Possibly suspect.

Get to 2900.2180 IE while you're at it.

Roliel
01-14-2005, 06:17 PM
Ok. Updated IE, and was able to remove that O2 - BHO etc. file, but the HKCU file I can't remove. When HJT fixes it, it's back immediately.

Gekster
01-14-2005, 06:31 PM
Catch me on aim

Palimax Sceleris
01-14-2005, 06:34 PM
Ok. Updated IE, and was able to remove that O2 - BHO etc. file, but the HKCU file I can't remove. When HJT fixes it, it's back immediately.
That's because the process that it launches (which obviously has a random keyname and random EXE name) watches to make certain that the value isn't removed - and re-adds it. The good news is that you've found your parasite (or part of it, or one of them...)

Go to www.sysinternals.com (http://www.sysinternals.com) and get their Task Manager replacement -- Process Explorer, and you can see, easily, what process in memory is doing the damage, kill it, and remove it.

Roliel
01-14-2005, 07:34 PM
Okay, I got that task manager (which is very neat by the way, thanks). From here, I'm not sure how to get rid of that process.

Palimax Sceleris
01-14-2005, 07:54 PM
You should be able to identify it in the list, you can also look at the PROPERTIES for each entry and see what command-line was used to call them, etc. Helps find the origin of the process, etc. Right-click and kill the process. Saving myself a few steps, you'll probably end up just deleting the file in safe-mode anyway, so that's next on your list.

The file is in your %systemroot% or %systemroot%\system32 directories anyway (probably). [It's in your path somewhere, so probably there...] Kill the process, delete the file. Use 'dir %systemroot% /ah' from a command prompt to see hidden things if you can't see it.

Roliel
01-14-2005, 08:07 PM
Alright, it seems like I've gotten rid of that one, but I have some more popping up in its place, anyways. Here's a more recent HJT log:

Logfile of HijackThis v1.99.0
Scan saved at 8:06:08 PM, on 1/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\mfcuw.exe
C:\WINDOWS\system32\sstray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\WINDOWS\system32\crpp32.exe
C:\DOCUME~1\RyanF\LOCALS~1\Temp\22.tmp.exe
C:\Program Files\OpenOffice.org1.1.2\program\soffice.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\RyanF\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fuken.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\fuken.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fuken.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fuken.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fuken.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fuken.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {29F5CDA5-BEE3-3BFF-4545-58A0B85F3DCC} - C:\WINDOWS\ntnu32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [crpp32.exe] C:\WINDOWS\system32\crpp32.exe
O4 - HKLM\..\Run: [22.tmp] C:\DOCUME~1\RyanF\LOCALS~1\Temp\22.tmp.exe 0 28129
O4 - HKLM\..\Run: [22.tmp.exe] C:\DOCUME~1\RyanF\LOCALS~1\Temp\22.tmp.exe 0 28129
O4 - HKLM\..\RunOnce: [mfcuw.exe] C:\WINDOWS\system32\mfcuw.exe
O4 - Startup: OpenOffice.org 1.1.2.lnk = C:\Program Files\OpenOffice.org1.1.2\program\quickstart.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095019350170
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\crsq.exe (file missing)

Palimax Sceleris
01-14-2005, 08:26 PM
C:\DOCUME~1\RyanF\LOCALS~1\Temp\22.tmp.exe
I'll give you one guess :)

Also..

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fuken.dll/sp.html#28129
Scares me a bit too, as I can't find a reference to it anywhere.
O4 - HKLM\..\Run: [crpp32.exe] C:\WINDOWS\system32\crpp32.exe
O4 - HKLM\..\Run: [22.tmp] C:\DOCUME~1\RyanF\LOCALS~1\Temp\22.tmp.exe 0 28129
O4 - HKLM\..\Run: [22.tmp.exe] C:\DOCUME~1\RyanF\LOCALS~1\Temp\22.tmp.exe 0 28129
All of these are either suspect, or quite obvious.

Palimax Sceleris
01-14-2005, 08:27 PM
I'm going to guess that the referenced DLL on your machine loads a HTML file already on your machine that replants 22.exe. Good luck, and I'll check my mail one more time before my poker game starts.

Palimax Sceleris
01-14-2005, 08:38 PM
Actually, now that I look closer, it's OBVIOUS. 22.exe starts with a command-line parameter of '0 28129' - which is the launching parameter of fuken.dll
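The triage that Palimax does by eye in the posts above (a Run entry whose launch argument repeats the fragment number of the hijacked res:// search page, an autorun living in a Temp directory, a bare executable name that Windows resolves via PATH, an unnamed BHO, a service whose binary is missing) can be written down as a small log scanner. The following is an added example, not code from the thread or from the HijackThis project; the regular expressions are assumptions about the v1.99 line layout inferred from the logs posted here, and the sample log is a constructed excerpt that reuses the thread's own entries.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v1.99 line format, built from entries that
# appear in the second log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fuken.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.yahoo.com/
O2 - BHO: (no name) - {29F5CDA5-BEE3-3BFF-4545-58A0B85F3DCC} - C:\WINDOWS\ntnu32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [crpp32.exe] C:\WINDOWS\system32\crpp32.exe
O4 - HKLM\..\Run: [22.tmp] C:\DOCUME~1\RyanF\LOCALS~1\Temp\22.tmp.exe 0 28129
O4 - HKCU\..\Run: [Ywu4RPN5T] encrath.exe
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\crsq.exe (file missing)
"""


@dataclass
class Finding:
    severity: str  # "high" = almost certainly the parasite, "review" = look at it
    entry: str     # the log line that triggered the finding
    reason: str


# Assumed line layouts, derived from the entries above (HJT v1.99).
R_LINE = re.compile(r"^R[0-3] - (?P<hive>HK\w+)\\.*?,(?P<setting>[^=]+) = (?P<value>.*)$")
RES_REF = re.compile(r"res://(?P<dll>[^/]+)/[^#\s]*#(?P<frag>\d+)")
O4_LINE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
O23_LINE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$")
FIRST_TOKEN = re.compile(r'^"(?P<quoted>[^"]+)"|^(?P<bare>\S+)')


def triage(log_text: str) -> list:
    """Return Findings for the suspicious patterns discussed in the thread."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    findings = []

    # Pass 1: browser settings redirected to a local DLL resource. Remember the
    # fragment number so autoruns that pass it as an argument can be tied to it.
    fragments = {}
    for line in lines:
        m = R_LINE.match(line)
        if not m:
            continue
        ref = RES_REF.search(m.group("value"))
        if ref:
            fragments[ref.group("frag")] = ref.group("dll")
            findings.append(Finding(
                "high", line,
                f"IE {m.group('setting').strip()} points at local DLL resource "
                f"{ref.group('dll')} (fragment {ref.group('frag')})"))

    # Pass 2: autoruns, BHOs and services.
    for line in lines:
        m = O4_LINE.match(line)
        if m:
            cmd = m.group("cmd")
            args = cmd.split()
            hits = [f for f in fragments if f in args]
            if hits:
                findings.append(Finding(
                    "high", line,
                    f"launch argument {hits[0]} matches the hijack fragment served by {fragments[hits[0]]}"))
            if re.search(r"\\temp\\", cmd, re.IGNORECASE):
                findings.append(Finding("high", line, "autorun executable lives in a Temp directory"))
            t = FIRST_TOKEN.match(cmd)
            exe = (t.group("quoted") or t.group("bare")) if t else ""
            if exe and "\\" not in exe:
                findings.append(Finding(
                    "review", line,
                    f"bare executable name {exe!r} is resolved via PATH; look for it with "
                    f"'dir %systemroot% /ah' and in system32"))
            continue
        m = O2_LINE.match(line)
        if m and m.group("name") == "(no name)":
            findings.append(Finding("review", line, f"unnamed BHO loaded from {m.group('path')}"))
            continue
        m = O23_LINE.match(line)
        if m and "(file missing)" in m.group("path"):
            findings.append(Finding("review", line, "service registered for a binary that no longer exists"))

    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.entry}")
```

The fragment match is the point Palimax makes above: `sp.html#28129` in the R1 entries and `0 28129` on the 22.tmp.exe command line share the same number, which ties the autorun to the search-page hijack without knowing anything else about either file. The other checks are only hints for a human to follow up; legitimate vendor entries such as `sstray.exe /r` would also trip the bare-name check, so the reviewer still confirms each flagged process with Process Explorer before killing it.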

Roliel
01-14-2005, 08:38 PM
Okay, after fixing those items:

Logfile of HijackThis v1.99.0
Scan saved at 8:36:01 PM, on 1/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\mfcuw.exe
C:\WINDOWS\system32\sstray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\WINDOWS\system32\crpp32.exe
C:\DOCUME~1\RyanF\LOCALS~1\Temp\22.tmp.exe
C:\Program Files\OpenOffice.org1.1.2\program\soffice.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AIM\aim.exe
C:\Documents and Settings\RyanF\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fuken.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fuken.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\fuken.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fuken.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fuken.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fuken.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fuken.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {29F5CDA5-BEE3-3BFF-4545-58A0B85F3DCC} - C:\WINDOWS\ntnu32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

Roliel
01-15-2005, 09:16 AM
Got it fixed last night. Had to shut down the processes, remove them via ad-aware, then head into safemode and delete the remaining buggy files. Thanks for your help. ;)

Ibudin
01-19-2005, 09:39 AM
Hey Palimax any slick and easy way to get rid of the freaking about:blank annoyance?

Ibudin

Palimax Sceleris
01-19-2005, 12:52 PM
about:blank - There's a fairly complex CoolWeb variant that does a fantastic job of screwing that up.

CWShredder, under new management, I think might actually fix it now; it used to just detect and then FAIL to fix it.

http://cwshredder.net/bin/CWShredder.exe

http://cwshredder.net/cwshredder/cwschronicles.html#aboutblank

BUT, if you have the "unremovable" one, your best bet is here (and I've seen this one below in person):

http://www.securiteam.com/securityreviews/5RP0L0UD5U.html

Grumblin
01-19-2005, 08:07 PM
Holy crap Palimax, your knowledge and professional use of jargon makes me wet.