Need help removing Search For... Hijaak

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by swassbac, Jul 3, 2004.

  1. swassbac

    swassbac Private E-2

    Spybot can't find anything and Adaware does but after the reboot, its scan shows up clean. Here is the dump from HijaakThis if anyone can help.

    Thanks,

    Dan

    Logfile of HijackThis v1.98.0
    Scan saved at 11:56:26 AM, on 7/3/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\ibmpmsvc.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\APWEBGRB.EXE
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\PROGRA~1\NetIQ\Endpoint\endpoint.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\TpChrSrv.exe
    C:\Program Files\Common Files\Microsoft Shared\MSSearch\Bin\mssearch.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
    C:\WINDOWS\System32\RunDll32.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\Logi_MwX.Exe
    C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\dan\Local Settings\Temporary Internet Files\Content.IE5\G9U3SDAN\spywareblastersetup[1].exe
    C:\DOCUME~1\dan\LOCALS~1\Temp\is-F0ERA.tmp\is-K4MJ2.tmp
    C:\Documents and Settings\dan\Desktop\Spyware\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\dan\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\dan\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\dan\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\dan\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\dan\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\dan\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    F0 - system.ini: Shell=
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/"); (C:\Documents and Settings\dan\Application Data\Mozilla\Profiles\default\udhcxj6o.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\dan\Application Data\Mozilla\Profiles\default\udhcxj6o.slt\prefs.js)
    O1 - Hosts: 172.16.1.177 vdevmindsolve
    O1 - Hosts: 172.16.1.124 vmindsolve
    O2 - BHO: (no name) - {3711CAD6-D5FA-4DE6-B374-A36266E130E9} - C:\WINDOWS\System32\fnlak.dll
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
    O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [QCWLIcon] C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [fwenc.exe] "C:\Program Files\CheckPoint\SecuRemote\bin\fwenc.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - HKCU\..\Run: [LB55RgfqU] pmaautou.exe
    O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - (no file)
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - (no file)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - (no file)
    O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra 'Tools' menuitem: RF Toolbar &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O10 - Broken Internet access because of LSP provider 'bmi_lsp.dll' missing
    O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
    O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mindsolve.webex.com/client/latest/webex/ieatgpc.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bladeweb.com
    O17 - HKLM\Software\..\Telephony: DomainName = bladeweb.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bladeweb.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bladeweb.com
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: x-excid - {9D6CC632-1337-4A33-9214-2DA092E776F4} - C:\WINDOWS\DOWNLO~1\mimectl.dll
    O18 - Filter: text/html - {2BFC5E84-03BE-4DB8-8771-B80F0A78A168} - C:\WINDOWS\System32\fnlak.dll
    O18 - Filter: text/plain - {2BFC5E84-03BE-4DB8-8771-B80F0A78A168} - C:\WINDOWS\System32\fnlak.dll
     
    swassbac, Jul 3, 2004
    #1
  2. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Many of these are hard for us to recognize, meaning your going through your logfile first, then posting it is easier for everyone as you might recognize some of these that we are unsure of. Some reading BEFORE posting your logfile would have given you all of these steps. All the info is here for you. Hijack This is last :)

    http://www.majorgeeks.com/vb/showthread.php?t=35407

    Optionally,
    CWShredder should remove most known, simpler variants:
    http://www.majorgeeks.com/download4086.html

    HSRemove should remove the newest version CWShredder does not:
    http://www.majorgeeks.com/download4286.html
     
    Major Attitude, Jul 3, 2004
    #2

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds