Help w/ HJT log please

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by datam0ver, Jun 3, 2004.

  1. datam0ver

    datam0ver Private E-2

    Hello,
    This is an about:blank issue.
    I would appreciate any help with this log file. I have tried to take out any programs / files that I know are valid and have run a program called Spy Sweeper.

    Logfile of HijackThis v1.97.7
    Scan saved at 2:59:20 PM, on 6/2/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\drivers\trcboot.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\C4ebreg\isamsmt.exe
    c:\sdwork\issimsvc.exe
    C:\WINDOWS\System32\drivers\ldlcserv.exe
    C:\PROGRA~1\AT&TNE~1\NetCfgSv.EXE
    C:\WINDOWS\System32\NMSSvc.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\pcssfrrx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\NavNT\vptray.exe
    C:\progra~1\c4ebreg\c4ebreg.exe
    C:\WINDOWS\System32\MsgSys.EXE
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = C:\WINDOWS\system32\searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\lij.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\lij.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\system32\blank.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\WINDOWS\system32\blank.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\lij.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = C:\WINDOWS\system32\searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\lij.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\lij.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\system32\blank.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\WINDOWS\system32\blank.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = C:\WINDOWS\system32\searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\lij.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://e-plus.cc/search.php?aff_id=46&keyword=%s
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\system32\searchbar.html
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,pcssfrrx.exe
    N3 - Netscape 7: # Mozilla User Preferences

    /* Do not edit this file.
    *
    * If you make changes to this file while the browser is running,
    * the changes will be overwritten when the browser exits.
    *
    * To make a manual change to preferences, you can visit the URL about:config
    * For more information, see http://www.mozilla.org/unix/customizing.html#prefs
    */

    user_pref("browser.activation.checkedNNFlag", true);
    user_pref("browser.bookmarks.added_static_root", true);
    user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
    user_pref("browser.startup.homepage_override.mstone", "rv:1.4");
    user_pref("intl.charsetmenu.browser.cache", "UTF-8, ISO-8859-1");
    user_pref("prefs.converted-to-utf8", true);
    user_pref("security.warn_entering_secure", false);
    user_pref("signon.SignonFileName", "61924354.s");
    user_pref("timebomb.first_launch_time", "1061924279671875");
    user_pref("update_notifications.provider.0.last_checked", 1063067057);
    user_pref("
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {731B1FA0-4C8E-4215-A67C-0D55D7D1E26A} - C:\WINDOWS\System32\lij.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [C4EBReg] "C:\progra~1\c4ebreg\c4ebreg.exe" /q
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [ISAM SMT Service] "C:\Program Files\C4ebreg\isamsmt.exe"
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: ICQ Lite (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downl...922/wmv9VCM.CAB
    O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - ftp://adeskftp.autodesk.com/WebPub/...en/mgaxctrl.cab
    O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-3.ibm.com/pc/support/ac...en/IbmEgath.cab
    O16 - DPF: {9519B2A2-6592-4E41-8290-D0298459270C} (LNWebAssist Class) - http://w3.ibm.com/bluepages/scripts/lnwebassist.cab
    O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk Express Viewer Control) - http://www.autodesk.com/global/expr...ViewerSetup.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E1727639-4295-4119-A9AB-C68B6D39A393}: NameServer = 9.0.8.1,9.0.9.1

    thx....
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay Datam, the about:blank problem can be difficult. SpySweeper is a good start, but please see this link. And get Ad-aware and SpyBot S&D and run them too. Make sure you update them after installation before scanning. Also, uninstall, if you have it, Spyware Begone. I saw it in your log. It is junk and is considered to add spyware itself. There are many things in your Hijaak log that will need to be fixed, probably even after running the above scans, but run the scans first. Then run Hijaak This again and have it fix:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = C:\WINDOWS\system32\searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\lij.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\lij.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\system32\blank.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\WINDOWS\system32\blank.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\lij.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = C:\WINDOWS\system32\searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\lij.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\lij.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\system32\blank.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\WINDOWS\system32\blank.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = C:\WINDOWS\system32\searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\lij.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://e-plus.cc/search.php?aff_id=46&keyword=%s
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\system32\searchbar.html

    O2 - BHO: (no name) - {731B1FA0-4C8E-4215-A67C-0D55D7D1E26A} - C:\WINDOWS\System32\lij.dll
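A small triage script, added here and not part of the thread or of HijackThis itself, that applies the reasoning behind the fix list above to lines copied from the log in the first post: it flags R0/R1 entries whose value is a page served out of a DLL (`res://...dll/sp.html`) or a local .html file under the Windows directory, and an unnamed O2 BHO only when its DLL is the one those hijacked entries point at. The UserInit rule is my own addition based on the F2 line in the log, not something the reply asked to fix.

```python
import re

# HijackThis v1.97 log lines copied from the first post in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\lij.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\system32\blank.html
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,pcssfrrx.exe
O2 - BHO: (no name) - {731B1FA0-4C8E-4215-A67C-0D55D7D1E26A} - C:\WINDOWS\System32\lij.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
"""

# res://<path>.dll/<page>: a web page served from a DLL's resource section,
# the signature of the about:blank / sp.html hijack discussed in this thread.
RES_DLL = re.compile(r"res://(?P<dll>[^/]+\.dll)/", re.IGNORECASE)
# A start or search page that is a local .html file under the Windows directory.
LOCAL_HTML = re.compile(r"^[A-Z]:\\WINDOWS\\.*\.html?$", re.IGNORECASE)

def triage(log: str) -> list[tuple[str, str]]:
    """Return (reason, line) pairs for entries worth fixing, in log order."""
    findings = []
    bad_dlls = set()      # DLL names taken from hijacked R0/R1 entries
    deferred_bhos = []    # O2 lines judged once bad_dlls is complete
    for line in log.splitlines():
        line = line.strip()
        if not line:
            continue
        kind = line.split(" - ", 1)[0]
        if kind in ("R0", "R1") and " = " in line:
            value = line.split(" = ", 1)[1]
            m = RES_DLL.search(value)
            if m:
                bad_dlls.add(m.group("dll").split("\\")[-1].lower())
                findings.append(("search/start page served from a DLL", line))
            elif LOCAL_HTML.match(value):
                findings.append(("start/search page is a local file", line))
        elif kind == "F2" and "UserInit=" in line:
            value = line.split("UserInit=", 1)[1]
            extras = [p for p in value.split(",")
                      if p.strip() and not p.strip().lower().endswith("userinit.exe")]
            if extras:
                findings.append(("extra program chained to UserInit: " + ", ".join(extras), line))
        elif kind == "O2" and "(no name)" in line:
            deferred_bhos.append(line)
    # An unnamed BHO is only flagged when its DLL also backs a hijacked R entry;
    # legitimate BHOs such as the dla\tfswshx.dll burner helper also lack a name.
    for line in deferred_bhos:
        if line.rsplit("\\", 1)[-1].lower() in bad_dlls:
            findings.append(("unnamed BHO backed by the hijacker DLL", line))
    return findings

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

The cross-reference is the point: the same "(no name)" BHO pattern appears twice in the log, and only the one backed by lij.dll is reported.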
     
  3. datam0ver

    datam0ver Private E-2

    Hello Chas,
    Here is my updated log after running Ad-aware, Spybot and HJT again, clearing out recommended files and running HJT again. I have run into an issue prior to removing all these registry entries with losing all my 'All Programs' and 'IE Favorites'. I think it may be a pathing issue because all the programs and favorites still exist, but I can only get to them via Explorer. My shortcuts on the desktop are also grayed out, but they all work when clicked. It's an XP Home system.
    Anyway, here is the log. Thanks a ton for your time!

    Logfile of HijackThis v1.97.7
    Scan saved at 11:11:20 AM, on 6/3/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\pcssfrrx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Personal Communications\PCS_AGNT.EXE
    C:\WINDOWS\System32\drivers\trcboot.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\C4ebreg\isamsmt.exe
    c:\sdwork\issimsvc.exe
    C:\WINDOWS\System32\drivers\ldlcserv.exe
    C:\PROGRA~1\AT&TNE~1\NetCfgSv.EXE
    C:\WINDOWS\System32\NMSSvc.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\MsgSys.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\NavNT\vptray.exe
    C:\progra~1\c4ebreg\c4ebreg.exe
    C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\System32\notepad.exe
    C:\HJT\HijackThis.exe
    C:\WINDOWS\notepad.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,pcssfrrx.exe
    N3 - Netscape 7: # Mozilla User Preferences
    /* Do not edit this file.
    *
    * If you make changes to this file while the browser is running,
    * the changes will be overwritten when the browser exits.
    *
    * To make a manual change to preferences, you can visit the URL about:config
    * For more information, see http://www.mozilla.org/unix/customizing.html#prefs
    */
    user_pref("browser.activation.checkedNNFlag", true);
    user_pref("browser.bookmarks.added_static_root", true);
    user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
    user_pref("browser.startup.homepage_override.mstone", "rv:1.4");
    user_pref("intl.charsetmenu.browser.cache", "UTF-8, ISO-8859-1");
    user_pref("prefs.converted-to-utf8", true);
    user_pref("security.warn_entering_secure", false);
    user_pref("signon.SignonFileName", "61924354.s");
    user_pref("timebomb.first_launch_time", "1061924279671875");
    user_pref("update_notifications.provider.0.last_checked", 1063067057);
    user_pref("
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [C4EBReg] "C:\progra~1\c4ebreg\c4ebreg.exe" /q
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [ISAM SMT Service] "C:\Program Files\C4ebreg\isamsmt.exe"
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
    O4 - HKLM\..\RunOnce: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" "+b1"
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: ICQ Lite (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - ftp://adeskftp.autodesk.com/WebPub/mapguide/ver5/viewer/en/mgaxctrl.cab
    O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk Express Viewer Control) - http://www.autodesk.com/global/expressviewer/installer/ExpressViewerSetup.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    If everything looks good, then I have one last question. Is it wise to leave these programs on my system? I would think that it could only be helpful?
    Thanks,
    datam0ver
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    datam0ver,

    Not sure what is going on with All Programs and IE Favorites.

    You do need to fix the below line with Hijaak This:

    O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan

    And then delete the c:\freescan directory and everything in it. Note: it may be necessary to reboot before this can be deleted. First try to delete without rebooting.
     
  5. Adrynalyne

    Adrynalyne Guest

    Ok, in re: to programs and favorites, I think your profile is corrupt. Have you checked to see exactly what directory your favorites are in? I think you might be surprised.

    These are my findings.

    When the ntuser files corrupt or are missing, the account will still log in, but it will rebuild the profile, so to speak.

    Let me explain.

    I have a profile named Jeremy.

    It has all my debugging tools on my desktop.

    When I renamed ntuser and ntuser.dat, I logged back in.

    Those files were gone.

    What I found in Documents and Settings was a new profile folder. Windows created it because the last one was corrupt. It named the directory Jeremy.WIN2K. The original directory is Jeremy. All of my original data is in the Jeremy folder.

    The missing favorites and programs from your start menu, coupled with the greyed desktop items just sound to me like profile corruption.

    But, this is all just a theory from a tired Windows 2000 tech who needs sleep ;) I'll do some more research tomorrow.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Thanks for answering Adryn! Get some sleep. I just got in a little while ago! I had a night baseball game and I'm all pumped up and can't sleep yet. We won it in the bottom of the ninth scoring 5 runs to steal the win.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes!! Leave Ad-aware, SpyBot S&D, and SpySweeper on your system. Leave Spysweeper running to block all the crapware. Also have it protect your home page. Make sure you use SpyBot S&D's immunize feature. And perform weekly system scans with all three. You will see that each one can find things the others do not.

    Also keep Hijaak This.
     
  8. Adrynalyne

    Adrynalyne Guest

    I just wanted to add, although I only talked about the desktop, a corrupt profile would affect favorites, my documents, start menu, and desktop.
     
  9. datam0ver

    datam0ver Private E-2

    Thanks for all the input and help! This site rocks.:)
     