Some help please with my log...

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by LargoChuck, Jul 28, 2004.

  1. LargoChuck

    LargoChuck Private E-2

    Followed all procedures in the write-up. Ran Spybot, Ad-Aware, CWShredder, SpywareBlaster, Trojan Remover, and AVG Anti-Virus.

    Still getting occasional pop-ups.

    A lot of items in the 'O4' RUN section of the log don't look like they should be there. Some look like random character filenames (worm related?)

    This machine had several viruses which Spybot was able to heal and/or remove.

    Can someone look at my log (it's attached) ?

    Thanks,
    Chuck
     


  2. NeoNemesis

    NeoNemesis Moutharrhea

    The only thing I could see were the things that said there weren't any files which is nothing so you can get rid of those. Other than that I didn't notice anything. Good that you were one of the few that did follow the rules and stuff.

    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
     
  3. Kodo

    Kodo SNATCHSQUATCH

    No offense neo, but you need to watch and learn more on these posts than try to help. We appreciate your effort but you're just not providing solid support. Now don't get mad, take a step back and read the posts, learn something new. This is how we grow.

    Largo, please read the following again READ ME FIRST: Basic Spyware Removal & Hijack This Tutorial. Important!

    and pay special attention to this
    3: Spyware Scan And Removal; Scanned your machine with Ad-Aware including the VX2 plug-in and/or Spybot in safe mode for better results.

    Optionally consider tools that remove the Coolwebsearch and related parasites, the best-known, scummy spyware hijacker out there. Your best bet is CWShredder AND Kill2me. These are from Merijn, a trusted gentleman who has spent a lot of time and gone through a lot to help us all be rid of these parasites. The famous about:blank hijack can usually be solved with about:Buster or HSRemove in our spyware section. about:Buster and HSRemove have specific instructions on the download page, please follow them.

    You still have a trojan on your machine. It is recommended that you perform all your scans while in safe mode.
     
  4. LargoChuck

    LargoChuck Private E-2

    Thank you both for your prompt reply and assistance!

    It seems I did not do the scans in SAFE MODE. I have since followed the Tutorial word for word in Safe Mode and with the System Restore OFF.

    I used Trend Micro's online virus scan and it found ADW.SCANPORTAL.A, TROJ.STILEN.A, & BKDR.RULEDOR.E. 6 files were infected and then DELETED.

    Ran CCleaner, Ad-Aware w/VX2 Plug-In, then Spybot. Ran CWShredder and Kill2Me. Also ran About:Buster and HSRemove.

    Rebooted back into regular mode, and then Re-Enabled System Restore.

    Seems to be working fine right now. I have attached a NEW HijackThis Log. Can you check it to make sure it looks ok? It still has A LOT of random character looking file names...??

    Thanks!
     


  5. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Only problem, you left everything open when you scanned. DirectCD, AVG. I'm concerned about a LOT of executables running that I do not recognize and come up blank in Google. Usually these can be trojans. See if they are loading in startup for me or have AVG check them. TIP: Usually if you open and start browsing the C:\Windows\System32 folder in Windows Explorer, AVG will go off. Using this method, you can write down all trojan names for manual deletion if needed. More on that in a bit.

    C:\WINDOWS\ielziqd.exe
    C:\WINDOWS\wsnxeec.exe
    C:\WINDOWS\qdcjgqsr.exe
    C:\WINDOWS\wdcmh.exe
    C:\WINDOWS\System32\outanui2.exe
    C:\WINDOWS\vplc.exe
    C:\WINDOWS\itepc.exe
    C:\WINDOWS\xbzscllai.exe
    C:\WINDOWS\weqxc.exe
    C:\WINDOWS\opxorkf.exe
    C:\WINDOWS\cvzcs.exe
    C:\WINDOWS\szhuzhdei.exe
    C:\WINDOWS\mwsvm.exe
    C:\PROGRA~1\SYSTEM~1\soap.exe
    C:\WINDOWS\System32\xpokcert.exe


    Soap really rang a bell:
    Process File: soap or soap.exe
    Process Name: System Soap Pro
    Description: System Soap Pro Internet cleaning software that bundles foistware like HTTPER and Zipclix.
    Company: System Soap
    System Process: No
    Security Risk ( Virus/Trojan/Worm/Adware/Spyware ): Yes
    Common Errors: N/A

    Naughty boy, use CCleaner as the tutorial suggests ;)

    That's just your processes! I have not even gotten to your Hijack This log file itself yet! So, off to work, you got Trojan fever. Might need a Trojan remover like A2 from safe mode for these and BE SURE to check startup: Start, Run, type msconfig and enter, then the Startup tab. Bet you're loading a LOT of these. You can manually delete and remove the entries from safe mode if trojan cleaning fails.

    Examples of just a few more spotted in your log:

    O4 - HKLM\..\Run: [uhcm] C:\WINDOWS\ielziqd.exe
    O4 - HKLM\..\Run: [tozxj] C:\WINDOWS\wsnxeec.exe
    O4 - HKLM\..\Run: [pttgpohej] C:\WINDOWS\qdcjgqsr.exe

    Whew.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In addition to what Major has already indicated there are other problems.

    The 2nd Thought trojan which is indicated by this line:

    O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe

    See this for information on that: http://www.pestpatrol.com/PestInfo/other/2nd_thought.asp

    You also need to cleanup the WinTools stuff:

    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe

    Also fix:
    O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - (no file)

    See this: http://www.pchell.com/support/wintools.shtml

    All of these need to be fixed and the files removed (some of these are duplicates of what Major already said):
    O4 - HKLM\..\Run: [uhcm] C:\WINDOWS\ielziqd.exe
    O4 - HKLM\..\Run: [tozxj] C:\WINDOWS\wsnxeec.exe
    O4 - HKLM\..\Run: [pttgpohej] C:\WINDOWS\qdcjgqsr.exe
    O4 - HKLM\..\Run: [vovsk] C:\WINDOWS\wdcmh.exe
    O4 - HKLM\..\Run: [ZMDmOvQaP] C:\documents and settings\main\local settings\temp\ZMDmOvQaP.exe
    O4 - HKLM\..\Run: [aqadcup] C:\WINDOWS\aqadcup.exe
    O4 - HKLM\..\Run: [wFFh38O] outanui2.exe
    O4 - HKLM\..\Run: [mjcsmvk] C:\WINDOWS\vplc.exe
    O4 - HKLM\..\Run: [ultyqq] C:\WINDOWS\itepc.exe
    O4 - HKLM\..\Run: [kwugu] C:\WINDOWS\xbzscllai.exe
    O4 - HKLM\..\Run: [vfqwdinv] C:\WINDOWS\weqxc.exe
    O4 - HKLM\..\Run: [agmvngx] C:\WINDOWS\opxorkf.exe
    O4 - HKLM\..\Run: [axut] C:\WINDOWS\cvzcs.exe
    O4 - HKLM\..\Run: [kjyx] C:\WINDOWS\szhuzhdei.exe
    O4 - HKLM\..\Run: [Y4vR] C:\documents and settings\main\local settings\temp\Y4vR.exe
    O4 - HKLM\..\Run: [mwsvm] C:\WINDOWS\mwsvm.exe
    O4 - HKCU\..\Run: [hownRUi3e] xpokcert.exe

    It may be worthwhile giving the Peper trojan cleaner a run: http://www.memorywatcher.com/uninst.exe

    Not sure about the line below but it looks fishy:
    O4 - HKLM\..\Run: [Qi] C:\documents and settings\main\local settings\temp\Qi.exe

    Also, these have been associated with a virus or trojan:
    O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll

    May need to run LSP-fix to correct this.
     
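A heuristic triage pass over the kinds of O4 Run and O10 LSP lines Major and chaslang picked out above, as an added example and not a tool from the thread or from MajorGeeks: it flags bare filenames with no path, executables run from a temp folder, random-looking value or file names, and folds repeated unknown-LSP lines into one finding. The sample log is constructed from the line shapes quoted in the thread; the [Notepad] entry is a made-up benign control.

```python
import re

# Constructed sample in HijackThis format: shapes copied from the thread, [Notepad] is a benign control.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [uhcm] C:\WINDOWS\ielziqd.exe
O4 - HKLM\..\Run: [wFFh38O] outanui2.exe
O4 - HKLM\..\Run: [Y4vR] C:\documents and settings\main\local settings\temp\Y4vR.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Notepad] C:\WINDOWS\notepad.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
"""

O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[([^\]]*)\] (.*)$")
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (.*)$", re.I)

def looks_random(name):  # crude "keyboard mash" test: 3+ consonants in a row or almost no vowels
    letters = re.sub(r"[^a-z]", "", name.lower())
    if len(letters) < 4:
        return False
    runs = [len(r) for r in re.findall(r"[^aeiou]+", letters)] or [0]
    return max(runs) >= 3 or sum(c in "aeiou" for c in letters) / len(letters) < 0.2

def check_o4(name, cmd):  # reasons an O4 Run entry deserves a second look (may be empty)
    path = (re.match(r".*?\.exe", cmd, re.I) or [cmd])[0]   # drop trailing arguments
    stem = re.sub(r"\.exe$", "", path.rsplit("\\", 1)[-1], flags=re.I)
    reasons = []
    if "\\" not in path and ":" not in path:
        reasons.append("bare filename, no path")
    if "\\temp\\" in path.lower():
        reasons.append("runs from a temp directory")
    if looks_random(name) or looks_random(stem):
        reasons.append("random-looking value name or file name")
    return reasons  # named adware such as WinTools is NOT caught here; that needs a lookup

def triage(log_text):  # {suspicious line: reasons}; repeated O10 LSP lines are folded into one
    findings, lsp = {}, {}
    for line in log_text.splitlines():
        if (m := O4_RE.match(line)) and (why := check_o4(*m.groups())):
            findings[line] = why
        elif m := O10_RE.match(line):
            lsp[m.group(1).lower()] = lsp.get(m.group(1).lower(), 0) + 1
    for dll, n in lsp.items():
        findings[f"O10 LSP {dll}"] = [f"unknown Winsock LSP seen {n}x; repair the chain with LSP-Fix rather than deleting the DLL"]
    return findings

if __name__ == "__main__":
    for line, why in triage(SAMPLE_LOG).items():
        print(line, "->", "; ".join(why))
```

The name test is only a prompt to go look something up, not a verdict: WinTools passes it because it has a real name, which is exactly why chaslang had to recognise it from experience.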
  7. LargoChuck

    LargoChuck Private E-2

    Thanks for your help!

    I didn't see any special procedures to run CCleaner...
     
  8. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Chaslang, sorry for any confusion, I basically stopped at the running processes figuring that indicated the problem.

    LargoChuck,
    System Soap is a drive cleaner bundled with spyware. You might want to also check your Add/Remove Programs for suspicious items as well as delete that program and replace it with CCleaner, which is in the tutorial I thought you read... http://forums.majorgeeks.com/showthread.php?t=35407 Just download it, pick what you want it to delete and run it :)
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No problem Major! I just saw some additional items there I felt were worth pointing out.

    Largo, only do the basic cleanup using CCleaner. Just run it and leave the default options on the Windows tab. Then click Run Cleaner on the lower right. Don't play with the other stuff right now.
     
  10. LargoChuck

    LargoChuck Private E-2

    I did run CCleaner as the tutorial said. I thought when you said 'use CCleaner as the Tutorial said', that there were some special settings I had to change in CCleaner before running it. :) I ran it with the Defaults.

    Anyways, I took y'all's suggestions and deleted/fixed the appropriate lines in HijackThis. The PC seems to be running fine now. Took me 8 hours over 3 days and YOUR HELP to finally get this beast under control. It is a friend's computer with XP; come to find out they had never loaded any XP Critical Updates, their virus software expired 6 months ago, and they had been clicking on several of the various pop-up ads that appeared for fake anti-spyware and other things.

    THANK YOU all again for your assistance. My friend and I were amazed at how quickly you all reply with your knowledge and help. :)

    The MAJORGEEKS.COM website is now part of my daily read.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Does this mean you were able to get rid of all of those questionable files we listed?
     
