
I read a lot of HJT threads, but they do not teach a lot. They mainly just tell you things to do. I have this computer I am working on; it seems to have two main adware infections. I am getting both popups from vegaspalms.com and one following virtually every link I click on from newads1.com.

I have been reading over this tutorial (thanks to Matt's suggestion). I am still pretty lost on where to start. Do you guys follow a plan for reading a log? What things do you check for? I would like to learn the process you HJT team members use. Below is the log. Please feel free to give me suggestions. I will post back with some ideas on the first step (still researching). Thanks for any suggestions or comments.

Logfile of HijackThis v1.99.1

Scan saved at 10:31:16 PM, on 5/23/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\SYMNET~1\SNDMon.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\WINDOWS\system32\??pPatch\explorer.exe

C:\WINDOWS\System32\msiexec.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\System32\MsiExec.exe

C:\WINDOWS\FNTS~1\rundll32.exe

C:\Documents and Settings\Victoriasmn\Desktop\hijackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - {107F4973-8F98-866E-C1AF-828AD0A2FB9F} - (no file)

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: (no name) - {E0584866-C8E7-FF39-8419-FCE4EEF043A4} - C:\WINDOWS\System32\iyynmv.dll (file missing)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto

O4 - HKLM\..\Run: [NewFrn] C:\WINDOWS\newfrn.exe

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKCU\..\Run: [Otdt] "C:\WINDOWS\FNTS~1\rundll32.exe" -vt ndrv

O4 - HKCU\..\Run: [Rqed] C:\WINDOWS\system32\??pPatch\explorer.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O18 - Filter: text/html - {994D478A-2BD0-4DB4-AE77-288B1E346E99} - (no file)

O20 - AppInit_DLLs: khbhckoa.dll,EQMini.dll

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe


I am kind of going through the tutorial; this is the first entry that I think may need to be looked at closer. I am not really sure, though.

O20 - AppInit_DLLs: khbhckoa.dll,EQMini.dll

edit added later//

I googled eqmini, and it seemed to have been my culprit. It made reference to both of the popups I am getting. At this point what should I do, can I just delete it using hjt?

edit added later//

Would I need to use something like "killbox" to remove this? If so, does khbhckoa.dll also need to be removed? I can't find anything on it using Google.

Edited by shanenin

I tried to delete the EQMini.dll using Pocket Killbox version 2.0.0.648. I chose the option "delete at next reboot". One of two things seemed to happen: Killbox did not delete the file, or it did delete the file but some process recreated it. I am tempted to boot the machine with Linux and try to remove it that way. I will wait and see if I get some advice from an expert.

Any suggestion would be appreciated, thanks :-)

edit added later//

I think the problem may have been that I used Killbox incorrectly. I think I just checked "delete at next reboot" but did not click on "delete file". In essence Killbox never even ran on reboot. In a few minutes I will try it again (waiting for a scan to stop running).

Edited by shanenin

Hi Shane. 95% of all HJT analysis is done through research, not direct knowledge. That tutorial should include resources for looking up every kind of entry you need. If you haven't already been to castlecops.com you should pay it a visit. On the left will be links to their various databases for researching HJT entries. (For example, O4 items are called 'startup items' and would be on the link called 'Startup List'.)

CC won't have everything you're looking for, but that tutorial should cover everything you need. While most new infections can't just be fixed using HJT and Killbox, we can help you along the way if you need a specialized tool.

I haven't looked over the log, just replying generally on how to look over a log.

Start with the R items and work down. When you research something, you won't search for the entire line, just key parts: for example, file names, file paths, process names, CLSIDs, etc.

That tutorial also covers how to remove different types of HJT lines. For example, for O20 lines it says:

When you fix this entry it will remove the key from the registry but leave the file. You must then manually delete this file.

After using Killbox properly to remove the file, everything seems to be working well. If anyone cares to look, here is the final HJT log. Thanks again Matt, that tutorial is real easy to follow. Without it I would have had no idea where to start.

Logfile of HijackThis v1.99.1

Scan saved at 12:04:48 PM, on 5/24/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\WINDOWS\FNTS~1\rundll32.exe

C:\WINDOWS\system32\??pPatch\explorer.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Victoriasmn\Desktop\hijackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - {107F4973-8F98-866E-C1AF-828AD0A2FB9F} - (no file)

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: (no name) - {E0584866-C8E7-FF39-8419-FCE4EEF043A4} - C:\WINDOWS\System32\iyynmv.dll (file missing)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto

O4 - HKLM\..\Run: [NewFrn] C:\WINDOWS\newfrn.exe

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKCU\..\Run: [Otdt] "C:\WINDOWS\FNTS~1\rundll32.exe" -vt ndrv

O4 - HKCU\..\Run: [Rqed] C:\WINDOWS\system32\??pPatch\explorer.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O18 - Filter: text/html - {994D478A-2BD0-4DB4-AE77-288B1E346E99} - (no file)

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe


I am still researching, but this is what Panda scan shows:

Incident Location

Adware:Adware/PurityScan C:\WINDOWS\FNTS~1\rundll32.exe

Adware:adware/powersearch c:\windows\system32\stlb2.xml

Spyware:spyware/surfsidekick C:\Documents and Settings\Victoriasmn\Local Settings\Temporary Internet Files\Ssk.log

Adware:adware/deskwizz c:\windows\dh.ini

Adware:adware/sqwire Windows Registry

Adware:adware/maxifiles Windows Registry

Adware:adware/cws.aboutblank Windows Registry

Spyware:Cookie/Date C:\Documents and Settings\User\Cookies\user@date[1].txt

Spyware:Cookie/Entrepreneur C:\Documents and Settings\User\Cookies\user@entrepreneur[1].txt

Adware:Adware/PurityScan C:\Documents and Settings\User\Local Settings\Temp\!update.exe

Edited by shanenin

OK, so those cookies definitely need to go; however, you have O3's, an O2, and an O4 helping keep those on there.

Don't be afraid to Google those that you're not sure about.

Look over the Rs (database)

What am I even supposed to Google? I don't seem to have anything unique.

R3 - URLSearchHook: (no name) - {107F4973-8F98-866E-C1AF-828AD0A2FB9F} - (no file)

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

Am I supposed to be looking for something in the registry? I have read over the R3 section of the tutorial, but am not really following it.

however you have O3's, an O2, and an O4 helping keep those on there
Sorry Dragon, I don't see the O3 :huh:
what am I even supposed to google, I don't seem to have anything unique

R3 - URLSearchHook: (no name) - {107F4973-8F98-866E-C1AF-828AD0A2FB9F} - (no file)

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

am I supposed to be looking for something in the registry? I have read over the r3 section of the tutorial, but am not really following it

When looking at HJT entries like Rs, O2s, O3s, etc. that have a CLSID (the numbers/letters in braces), your search (whether in Google or within a database) would be the CLSID. So, if you are looking up the first one, your query would be 107F4973-8F98-866E-C1AF-828AD0A2FB9F.

About the second one..

The tutorial says the following:

There are certain R3 entries that end with a underscore ( _ ) . An example of what one would look like is:

R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)

Notice the CLSID, the numbers between the { }, has a _ at the end of it, and they may sometimes be difficult to remove with HijackThis. To fix this you will need to delete the particular registry entry manually by going to the following key:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks

Then delete the CLSID entry under it that you would like to remove. Please leave the CLSID CFBFAE00-17A6-11D0-99CB-00C04FD64497, as it is the valid default one.

So, if you are familiar with working in the registry, this is what you are looking for. If you are not, however, I would HIGHLY recommend posting and requesting assistance. Always make a backup before tinkering with the registry. Chappy has also written a tutorial that introduces the registry. It is found in the tutorial section of the forums.

Just a general rule: Unless you recognize an R3, it should be removed.

Also remember, Panda Active Scan doesn't remove spyware/adware, it will only detect it. It does, however, remove most viruses/worms/trojans.

Matt

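Matt's two replies above describe a manual method: pull the key parts out of each HJT line (CLSID first, then bare file names, never the whole line), treat "(no file)" / "(file missing)" and underscore-wrapped R3 CLSIDs as things that need a closer look, and remember that fixing an O20 AppInit_DLLs entry leaves the DLL on disk. The script below is an added example written for this thread; it is not part of HijackThis, the tutorial, or anything posted here. It encodes exactly that reading order over a constructed sample made of lines copied from the log quoted earlier in the thread. The only "known good" CLSID it carries is the default URLSearchHook the tutorial names; every other entry is treated as something to research, not as malicious.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: HJT lines copied from the log posted earlier in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {107F4973-8F98-866E-C1AF-828AD0A2FB9F} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {E0584866-C8E7-FF39-8419-FCE4EEF043A4} - C:\WINDOWS\System32\iyynmv.dll (file missing)
O4 - HKLM\..\Run: [NewFrn] C:\WINDOWS\newfrn.exe
O4 - HKCU\..\Run: [Otdt] "C:\WINDOWS\FNTS~1\rundll32.exe" -vt ndrv
O20 - AppInit_DLLs: khbhckoa.dll,EQMini.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
"""

# The tutorial quoted above says this URLSearchHook CLSID is the valid default
# and should be left alone. Everything else is "unrecognised" until researched.
KNOWN_GOOD_CLSIDS = {"CFBFAE00-17A6-11D0-99CB-00C04FD64497"}

ENTRY_RE = re.compile(r"^(R\d|O\d+|F\d)\s*-\s*(.*)$")
CLSID_RE = re.compile(r"\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}")
# A Windows path with a drive letter, ending in an executable/module extension.
PATH_RE = re.compile(
    r'[A-Za-z]:\\(?:[^\\/:*?"<>|\r\n]+\\)*[^\\/:*?"<>|\r\n]+?\.(?:exe|dll|ocx|sys)\b',
    re.IGNORECASE,
)


@dataclass
class Entry:
    section: str                      # "R3", "O2", "O20", ...
    raw: str
    clsids: list[str] = field(default_factory=list)
    paths: list[str] = field(default_factory=list)
    modules: list[str] = field(default_factory=list)   # bare DLL names (AppInit_DLLs)
    flags: list[str] = field(default_factory=list)

    def search_terms(self) -> list[str]:
        """What to paste into Google or a CLSID/startup database: CLSIDs first,
        then bare file names, never the whole line."""
        terms = list(self.clsids)
        terms += [p.rsplit("\\", 1)[-1] for p in self.paths]
        terms += self.modules
        return terms


def parse_line(line: str) -> Entry | None:
    """Split one HJT line into its section and the parts worth researching."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    e = Entry(section=section, raw=line.strip())
    e.clsids = CLSID_RE.findall(body)
    e.paths = PATH_RE.findall(body)

    if section == "O20" and body.startswith("AppInit_DLLs:"):
        # HJT's fix removes the registry value only; the DLLs stay on disk.
        e.modules = [x.strip() for x in body.split(":", 1)[1].split(",") if x.strip()]
        e.flags.append("appinit_dlls")
    if "(no file)" in body or "(file missing)" in body:
        e.flags.append("file_missing")
    if section == "R3":
        if "_{" in body or "}_" in body:
            # Underscore-wrapped CLSID: the tutorial says remove it by hand under
            # HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks.
            e.flags.append("underscore_clsid")
        elif not any(c.upper() in KNOWN_GOOD_CLSIDS for c in e.clsids):
            e.flags.append("unrecognised_r3")
    return e


def parse_log(text: str) -> list[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def triage(text: str) -> dict[str, list[str]]:
    """Group flagged lines by flag so the reader sees what needs hand work first."""
    out: dict[str, list[str]] = {}
    for e in parse_log(text):
        for f in e.flags:
            out.setdefault(f, []).append(e.raw)
    return out


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        print(f"{e.section:4} flags={e.flags or '-'} search={e.search_terms()}")
    for flag, lines in triage(SAMPLE_LOG).items():
        print(f"\n[{flag}]")
        for l in lines:
            print("   ", l)
```

Run it against any saved HJT log by passing the file contents to `triage()`. The flags are pointers for research, not verdicts: an "unrecognised_r3" line still has to be looked up by its CLSID before anything is removed, which is the same rule Matt gives above.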
