Can You Please Help Me Hjlogfile

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by bonk2, Jun 3, 2004.

  1. bonk2

    bonk2 Private E-2

    Logfile of HijackThis v1.97.7
    Scan saved at 3:42:41 PM, on 6/3/2004
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINNT\System32\svchost.exe
    D:\Program Files\IBM\Application Developer\IBM Agent Controller\bin\RAServer.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\documents and settings\guest\local settings\temp\pyHUL.exe
    C:\WINNT\System32\mscmgr.exe
    C:\WINNT\explorer.exe
    D:\HijackThis.exe
    C:\DOCUME~1\guest\LOCALS~1\Temp\imak.dat
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    D:\Spyware Nuker 2004\swn2.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
    R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
    F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe
    O2 - BHO: (no name) - {2E12B523-3D4C-4FAC-9B04-0376A8F5E879} - (no file)
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FB-EF60B19DB42E} - C:\PROGRA~1\Srng\SNHelper.dll (file missing)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [WinUpdate] C:\windows\p385.hta
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [lsjwpwv] C:\WINNT\lsjwpwv.exe
    O4 - HKLM\..\Run: [fash] C:\WINNT\fash.exe
    O4 - HKLM\..\Run: [Uninstall_WinTools] C:\DOCUME~1\guest\LOCALS~1\Temp\WTuninst.exe remove
    O4 - HKLM\..\Run: [pyHUL] C:\documents and settings\guest\local settings\temp\pyHUL.exe
    O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
    O4 - HKLM\..\Run: [AutoLoaderoFt21WLjKIaJ] "C:\WINNT\System32\quaaux.exe" /PC="AM.WILD" /HideUninstall
    O4 - HKCU\..\Run: [SpyKiller] D:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\Run: [thumbvw] C:\WINNT\System32\thumbvw.exe
    O4 - HKCU\..\Run: [Chwl] C:\Documents and Settings\guest\Application Data\mcbo.exe
    O4 - HKCU\..\Run: [WTSS] C:\WINNT\System32\wapicc.exe
    O4 - HKLM\..\RunOnce: [Ad-aware] "D:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" "+b1"
    O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
    O10 - Unknown file in Winsock LSP: d:\program files\websphere\studio40\pagedetailer\wd_ws2s.lsp
    O10 - Unknown file in Winsock LSP: d:\program files\websphere\studio40\pagedetailer\wd_ws2s.lsp
    O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://www.nuker.com/products/swn2004/installers/default/SpyWareNukerInstaller.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/Flash/swflash.cab
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  3. bonk2

    bonk2 Private E-2

Here is the second scan.

Logfile of HijackThis v1.97.7
    Scan saved at 3:01:23 PM, on 6/4/2004
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINNT\System32\svchost.exe
    D:\Program Files\IBM\Application Developer\IBM Agent Controller\bin\RAServer.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\documents and settings\guest\local settings\temp\pyHUL.exe
    C:\WINNT\explorer.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINNT\system32\cmd.exe
    D:\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
    R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
    F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FB-EF60B19DB42E} - C:\PROGRA~1\Srng\SNHelper.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [WinUpdate] C:\windows\p385.hta
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [lsjwpwv] C:\WINNT\lsjwpwv.exe
    O4 - HKLM\..\Run: [fash] C:\WINNT\fash.exe
    O4 - HKLM\..\Run: [Uninstall_WinTools] C:\DOCUME~1\guest\LOCALS~1\Temp\WTuninst.exe remove
    O4 - HKLM\..\Run: [pyHUL] C:\documents and settings\guest\local settings\temp\pyHUL.exe
    O4 - HKLM\..\Run: [AutoLoaderoFt21WLjKIaJ] "C:\WINNT\System32\quaaux.exe" /PC="AM.WILD" /HideUninstall
    O4 - HKLM\..\Run: [MSN Manager] C:\WINNT\System32\mscmgr.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\Run: [thumbvw] C:\WINNT\System32\thumbvw.exe
    O4 - HKLM\..\RunOnce: [Ad-aware] "D:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" "+b1"
    O4 - HKLM\..\RunOnce: [ACMWrapperV2.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CDEngine\ACMWrapperV2.dll"
    O4 - HKLM\..\RunOnce: [MediaPlayerV2.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CDEngine\MediaPlayerV2.dll"
    O4 - HKLM\..\RunOnce: [driversV2.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CDEngine\driversV2.dll"
    O4 - HKLM\..\RunOnce: [Cdbootable.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\Cdbootable.dll"
    O4 - HKLM\..\RunOnce: [cdDataPS.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\cdDataPS.dll"
    O4 - HKLM\..\RunOnce: [cdExtra.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\cdExtra.dll"
    O4 - HKLM\..\RunOnce: [cdmp3.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\cdmp3.dll"
    O4 - HKLM\..\RunOnce: [database.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\database.dll"
    O4 - HKLM\..\RunOnce: [ISO9660.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\ISO9660.dll"
    O4 - HKLM\..\RunOnce: [Joliet.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\Joliet.dll"
    O4 - HKLM\..\RunOnce: [Udf.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\Udf.dll"
    O4 - HKLM\..\RunOnce: [creator.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\creator.dll"
    O4 - HKLM\..\RunOnce: [Translator.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\Translator.dll"
    O4 - HKLM\..\RunOnce: [CDEngine.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CDEngine\CDEngine.dll"
    O4 - HKLM\..\RunOnce: [WMC_RebootCheck] C:\WINNT\inf\unregmp2.exe /FixUps
    O4 - HKLM\..\RunOnce: [wu] C:\DOCUME~1\guest\LOCALS~1\Temp\wu.exe
    O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
    O10 - Unknown file in Winsock LSP: d:\program files\websphere\studio40\pagedetailer\wd_ws2s.lsp
    O10 - Unknown file in Winsock LSP: d:\program files\websphere\studio40\pagedetailer\wd_ws2s.lsp
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/Flash/swflash.cab
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Where did all that Adaptec stuff come from? It was not there last time. Are you right in the middle of an install and you have not performed a reboot? You have a Trojan running too:

    Windows NT/2000/XP
    To end the Trojan process:
    1. Press Ctrl+Alt+Delete once.
    2. Click Task Manager.
    3. Click the Processes tab.
    4. Double-click the Image Name column header to alphabetically sort the processes.
    5. Scroll through the list and look for "Svcinit.exe."
    6. If you find the file, click it, and then click End Process.
    7. Exit the Task Manager.
Now run HijackThis and have it fix this next line:
    F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe

    Now go to the C:\WINNT\System32 directory and delete the Userinit.exe file.

Now run this online scan: http://housecall.trendmicro.com/housecall/start_corp.asp
    and clean whatever it finds.

Reboot and run HijackThis again. But this time shut everything down, especially Internet Explorer and Windows Explorer sessions, before running HijackThis. Post a new log. Just a heads up: all the TV Media stuff has to go.
     
  5. bonk2

    bonk2 Private E-2

Here is the new log. I'm curious about the quaaux.exe.

    Logfile of HijackThis v1.97.7
    Scan saved at 12:32:48 AM, on 6/5/2004
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINNT\System32\svchost.exe
    D:\Program Files\IBM\Application Developer\IBM Agent Controller\bin\RAServer.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\quaaux.exe
    C:\WINNT\System32\mscmgr.exe
    D:\HijackThis.exe
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FB-EF60B19DB42E} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [fash] C:\WINNT\fash.exe
    O4 - HKLM\..\Run: [AutoLoaderoFt21WLjKIaJ] "C:\WINNT\System32\quaaux.exe" /PC="AM.WILD" /HideUninstall
    O4 - HKLM\..\Run: [os2k3qW] quaaux.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
    O10 - Unknown file in Winsock LSP: d:\program files\websphere\studio40\pagedetailer\wd_ws2s.lsp
    O10 - Unknown file in Winsock LSP: d:\program files\websphere\studio40\pagedetailer\wd_ws2s.lsp
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2e529727a6ef04/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/Flash/swflash.cab
     
  6. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

Hi bonk,
I would clean up this line
    O4 - HKLM\..\Run: [fash] C:\WINNT\fash.exe
    then reboot and delete
    C:\WINNT\fash.exe

I would also fix these with HijackThis
    R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FB-EF60B19DB42E} - (no file)

As for quaaux.exe, I have no idea what this is, but it certainly looks strange :confused:
Myself, I would fix these lines with HijackThis
    O4 - HKLM\..\Run: [AutoLoaderoFt21WLjKIaJ] "C:\WINNT\System32\quaaux.exe" /PC="AM.WILD" /HideUninstall
    O4 - HKLM\..\Run: [os2k3qW] quaaux.exe
then reboot into safe mode, rename quaaux.exe to something like quaaux.old and run my machine for a while (a week maybe); if all my apps etc. run OK, I would then go back and nuke it.


    @Chaslang
Hi m8, I thought this line was a normal Windows service:
    F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe
Have you any info that you can let me have to show otherwise?
     
  7. bonk2

    bonk2 Private E-2

OK, thanks a lot. I ran the house scan and the userinit did come up, and it wasn't cleanable; all I could do was delete it. I have tried googling the quaaux.exe but nothing has come up.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hi General,

I had quite a few links that indicated that the F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe needed to be removed. However, now checking in more detail, you are correct and I'm wrong. The userinit.exe function is used by Win NT to restore a user's profile, fonts, colors, etc. I think what probably was tricking people (and me too) was some of the words in a "How to use HijackThis" document that had the following words: "and is a common place for trojans, hijackers, and spyware to launch from." This did not mean userinit.exe is bad. It means that the F2 entry is a common place where the malware would attach itself to.
I just went over to a Win2K PC and checked with HijackThis. That F2 entry does not show on my system; however, the registry key is there when I check the registry.
    At any rate, I need to get Bonk fixed to make up for my screw up.

Bonk, if you deleted the userinit.exe file from the C:\WINNT\System32 folder, we need to copy it back there. Either from your c:\i386 directory (if you have that) or from your Win2K CD in the \i386 directory, you need to expand the userinit.ex_ file to userinit.exe. Here is an example of expanding the file (it is compressed) right off your CD and into the c:\winnt\system32 folder:
Click Start, Run and enter the following command (assuming your CD drive is D:)
expand d:\i386\userinit.ex_ c:\winnt\system32\userinit.exe
Now we need to add the registry entry back in. Run HijackThis again, click on Config in the lower right corner and then select Backups. Find the line with F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe from the date it was removed and click on that line. Then click Restore.

    Sorry about this.
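A triage helper for the two HijackThis entry types this thread debates (the F2 UserInit line, and O4 autoruns such as pyHUL.exe and quaaux.exe), added here as an example and not code from the thread or from HijackThis. The expected UserInit value, the folder heuristics and the hijacked sample line are assumptions made for the example; the other sample lines come from the logs above. It generalizes beyond this log: it flags an appended second UserInit program, which none of the posted logs show.

```python
import re
from typing import Dict, List, Tuple

# A healthy F2 entry on Windows NT/2000 names only the system userinit.exe. winlogon
# starts every comma-separated program in this value at logon, so an appended second
# path is what to look for, not the presence of userinit.exe itself.
LEGIT_USERINIT = re.compile(r"^[a-z]:\\win(?:nt|dows)\\system32\\userinit\.exe,?$", re.I)
F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$", re.I)
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
# Heuristics chosen for this example: installers do not register autoruns out of a user's
# temp or Application Data folders, and an .hta autorun is a script payload.
USER_WRITABLE_DIR = re.compile(r"\\(?:local settings\\temp|locals~1\\temp|application data)\\", re.I)
HTA_PAYLOAD = re.compile(r"\.hta(?:\s|$)", re.I)

def classify_o4(cmd: str) -> Tuple[str, str]:
    """Return (verdict, reason) for the command part of an O4 autorun entry."""
    if USER_WRITABLE_DIR.search(cmd):
        return "suspect", "autorun launched from a user-writable profile folder"
    if HTA_PAYLOAD.search(cmd):
        return "suspect", "autorun runs an HTML Application (.hta) script"
    parts = cmd.strip().strip('"').split()
    if not parts or "\\" not in parts[0]:
        # Bare file name resolved via the search path. Legitimate Windows entries such as
        # mobsync.exe look like this too, so this is a review item, not a verdict.
        return "review", "no directory given; verify which file actually runs"
    return "ok", "fully qualified path outside user-writable folders"

def triage(log: str) -> List[Dict[str, str]]:
    """Return one finding per F2 UserInit or O4 autorun line in a HijackThis log."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        if m := F2_RE.match(line):
            ok = bool(LEGIT_USERINIT.match(m.group(1).strip()))
            findings.append({"name": "UserInit", "verdict": "ok" if ok else "suspect",
                             "reason": "default userinit.exe only; leave it alone" if ok
                             else "extra program appended to UserInit"})
        elif m := O4_RE.match(line):
            _hive, _key, name, cmd = m.groups()
            verdict, reason = classify_o4(cmd)
            findings.append({"name": name, "verdict": verdict, "reason": reason})
    return findings

def verdicts(log: str) -> Dict[str, str]:
    """Map each entry name to its verdict for quick lookup."""
    return {f["name"]: f["verdict"] for f in triage(log)}

# Lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinUpdate] C:\windows\p385.hta
O4 - HKLM\..\Run: [pyHUL] C:\documents and settings\guest\local settings\temp\pyHUL.exe
O4 - HKLM\..\Run: [os2k3qW] quaaux.exe
O4 - HKCU\..\Run: [Chwl] C:\Documents and Settings\guest\Application Data\mcbo.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
"""
# Constructed for this example, not from the thread: a hijacked UserInit value.
CONSTRUCTED_HIJACKED_F2 = (r"F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe,"
                           r"C:\WINNT\System32\CONSTRUCTED_extra.exe")

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG) + triage(CONSTRUCTED_HIJACKED_F2):
        print(f"{f['verdict']:7} {f['name']:24} {f['reason']}")
```

The "review" verdict is deliberately not a judgement: both the unknown quaaux.exe and the legitimate mobsync.exe land there because neither gives a directory, and only checking the file on disk settles it.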
     
  9. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

Hi Chas,
Don't worry about it, dude. It's just one of those strange ones; for some reason it shows up in some logs and not others.
     
