shanenin Posted May 24, 2006

I read a lot of HJT threads, but they do not teach a lot. They mainly just tell you things to do. I have this computer I am working on, it seems to have two main adware infections. I am getting both popups from vegaspalms.com and one following virtually every link I click on from newads1.com. I have been reading over this tutorial (thanks to Matt's suggestion). I am still pretty lost on where to start. Do you guys follow a plan for reading a log? What things do you check for? I would like to learn the process you HJT team members use. Below is the log. Please feel free to give me suggestions. I will post back with some ideas on the first step (still researching). Thanks for any suggestion or comments.

Logfile of HijackThis v1.99.1
Scan saved at 10:31:16 PM, on 5/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMNET~1\SNDMon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\??pPatch\explorer.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\MsiExec.exe
C:\WINDOWS\FNTS~1\rundll32.exe
C:\Documents and Settings\Victoriasmn\Desktop\hijackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - {107F4973-8F98-866E-C1AF-828AD0A2FB9F} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {E0584866-C8E7-FF39-8419-FCE4EEF043A4} - C:\WINDOWS\System32\iyynmv.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [NewFrn] C:\WINDOWS\newfrn.exe
O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Otdt] "C:\WINDOWS\FNTS~1\rundll32.exe" -vt ndrv
O4 - HKCU\..\Run: [Rqed] C:\WINDOWS\system32\??pPatch\explorer.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Filter: text/html - {994D478A-2BD0-4DB4-AE77-288B1E346E99} - (no file)
O20 - AppInit_DLLs: khbhckoa.dll,EQMini.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
shanenin Posted May 24, 2006 (edited)

I am kind of going through the tutorial, this is the first entry that I think may need to be looked at closer. I am not really sure though:

O20 - AppInit_DLLs: khbhckoa.dll,EQMini.dll

edit added later// I googled eqmini, and it seemed to have been my culprit. It made reference to both of the popups I am getting. At this point what should I do, can I just delete it using hjt?

edit added later// would I need to use something like "killbox" to remove this? If so, does khbhckoa.dll also need to be removed? I can't find anything on it using google.

Edited May 24, 2006 by shanenin
shanenin Posted May 24, 2006 (edited)

I tried to delete the EQMini.dll using pocket killbox version 2.0.0.648. I chose the option delete at next reboot. One of two things seemed to happen: killbox did not delete the file, or second it did delete the file, but some process recreated it. I am tempted to boot the machine with linux and try and remove it that way. I will wait and see if I get some advice from an expert. Any suggestion would be appreciated, thanks :-)

edit added later// I think the problem may have been I used killbox incorrectly. I think I just checked delete at next reboot, but did not click on "delete file". In essence killbox never even ran on reboot. In a few minutes I will try it again (waiting for a scan to stop running).

Edited May 24, 2006 by shanenin
Matt Posted May 24, 2006

Hi Shane. 95% of all HJT analysis is done through research, not direct knowledge. That tutorial should include resources for looking up every kind of entry you need. If you haven't already been to castlecops.com you should pay it a visit. On the left will be links to their various databases for researching HJT entries. (For example, O4 items are called 'startup items' and would be on the link called 'Startup List'.) CC won't have everything you're looking for, but that tutorial should cover everything you need. While most new infections can't just be fixed using HJT and Killbox, we can help you along the way if you need a specialized tool. I haven't looked over the log, just replying generally on how to look over a log.

Start with the R items and work down. When you research something, you won't search for the entire line, just key parts. For example, file names, file paths, process names, CLSIDs, etc.

That tutorial also covers how to remove different types of HJT lines. For example, for O20 lines it says:

"When you fix this entry it will remove the key from the registry but leave the file. You must then manually delete this file."
shanenin Posted May 24, 2006

After using killbox properly to remove the file, everything seems to be working well. If anyone cares to look, here is the final hjt log. Thanks again Matt, that tutorial is real easy to follow. Without it I would have had no idea where to start.

Logfile of HijackThis v1.99.1
Scan saved at 12:04:48 PM, on 5/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\FNTS~1\rundll32.exe
C:\WINDOWS\system32\??pPatch\explorer.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Victoriasmn\Desktop\hijackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - {107F4973-8F98-866E-C1AF-828AD0A2FB9F} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {E0584866-C8E7-FF39-8419-FCE4EEF043A4} - C:\WINDOWS\System32\iyynmv.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [NewFrn] C:\WINDOWS\newfrn.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Otdt] "C:\WINDOWS\FNTS~1\rundll32.exe" -vt ndrv
O4 - HKCU\..\Run: [Rqed] C:\WINDOWS\system32\??pPatch\explorer.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Filter: text/html - {994D478A-2BD0-4DB4-AE77-288B1E346E99} - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
Matt Posted May 24, 2006

Hi again Shane. There are still baddies in that log. Look over the Rs (database), O2s (database), O4s (database). If you need help researching, feel free to ask.

*Tip* Online virus scans, such as Panda Active Scan, come in handy.

Matt
shanenin Posted May 25, 2006 (edited)

I am still researching, but this is what panda scan shows:

Incident - Location
Adware:Adware/PurityScan - C:\WINDOWS\FNTS~1\rundll32.exe
Adware:adware/powersearch - c:\windows\system32\stlb2.xml
Spyware:spyware/surfsidekick - C:\Documents and Settings\Victoriasmn\Local Settings\Temporary Internet Files\Ssk.log
Adware:adware/deskwizz - c:\windows\dh.ini
Adware:adware/sqwire - Windows Registry
Adware:adware/maxifiles - Windows Registry
Adware:adware/cws.aboutblank - Windows Registry
Spyware:Cookie/Date - C:\Documents and Settings\User\Cookies\user@date[1].txt
Spyware:Cookie/Entrepreneur - C:\Documents and Settings\User\Cookies\user@entrepreneur[1].txt
Adware:Adware/PurityScan - C:\Documents and Settings\User\Local Settings\Temp\!update.exe

Edited May 25, 2006 by shanenin
Dragon Posted May 25, 2006

ok so those cookies definitely need to go, however you have O3's, an O2, and an O4 helping keep those on there. don't be afraid to google those that you're not sure about.
shanenin Posted May 25, 2006

Isn't my only O3 for my Google toolbar? If so, isn't that not malware?
shanenin Posted May 25, 2006

"Look over the Rs (database)"

What am I even supposed to google? I don't seem to have anything unique:

R3 - URLSearchHook: (no name) - {107F4973-8F98-866E-C1AF-828AD0A2FB9F} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

Am I supposed to be looking for something in the registry? I have read over the R3 section of the tutorial, but am not really following it.
Matt Posted May 25, 2006

"however you have O3's, an O2, and an O4 helping keep those on there"

Sorry Dragon, I don't see the O3.

"what am I even supposed to google, I don't seem to have anything unique
R3 - URLSearchHook: (no name) - {107F4973-8F98-866E-C1AF-828AD0A2FB9F} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
am I supposed to be looking for something in the registry? I have read over the r3 section of the tutorial, but am not really following it"

When looking at HJT entries like Rs, O2s, O3s etc. that have a CLSID (the numbers/letters in braces), your search (whether in google or within a database) would be the CLSID. So, if you are looking up the first one your query would be 107F4973-8F98-866E-C1AF-828AD0A2FB9F.

About the second one. The tutorial says the following:

"There are certain R3 entries that end with a underscore ( _ ). An example of what one would look like is:
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
Notice the CLSID, the numbers between the { }, have a _ at the end of it and they may sometimes be difficult to remove with HijackThis. To fix this you will need to delete the particular registry entry manually by going to the following key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks
Then delete the CLSID entry under it that you would like to remove. Please leave the CLSID, CFBFAE00-17A6-11D0-99CB-00C04FD64497, as it is the valid default one."

So, if you are familiar with working in the registry, this is what you are looking for. If you are not, however, I would HIGHLY recommend posting and requesting assistance. Always make a backup before tinkering with the registry. Chappy has also written a tutorial that introduces the registry. It is found in the tutorial section of the forums.

Just a general rule: Unless you recognize an R3, it should be removed.

Also remember, Panda Active Scan doesn't remove spyware/adware, it will only detect it. It does, however, remove most viruses/worms/trojans.

Matt
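The reading process Matt lays out in this thread (pull the key parts such as CLSIDs and file names out of each line rather than searching the whole line, treat unrecognised fileless R3 hooks and unnamed BHOs as suspect, handle underscore CLSIDs by hand in the URLSearchHooks key, and remember that fixing an O20 AppInit entry leaves the DLL on disk) as a small triage script. This is an added example for the thread, not a tool from the HJT team or the tutorial; the sample lines are constructed from the entry types shown on this page.

```python
import re
from dataclasses import dataclass
# Constructed sample in HijackThis v1.99.1 line format, built from the entry
# types discussed in this thread; it is not a complete log from a real machine.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {107F4973-8F98-866E-C1AF-828AD0A2FB9F} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {E0584866-C8E7-FF39-8419-FCE4EEF043A4} - C:\WINDOWS\System32\iyynmv.dll (file missing)
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O20 - AppInit_DLLs: khbhckoa.dll,EQMini.dll
"""

ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.+)$")
# A braced CLSID, with the optional leading or trailing underscore the tutorial warns about.
CLSID_RE = re.compile(r"(_?)\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}(_?)")
FILE_RE = re.compile(r"[\w~!-]+\.(?:dll|exe|ocx)", re.IGNORECASE)
HOOKS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks"

@dataclass
class Finding:
    section: str        # HJT section prefix, e.g. "R3", "O2", "O20"
    search_terms: list  # the key parts to look up: CLSIDs and file names, not the whole line
    notes: list         # why the entry deserves a closer look
    line: str

def triage_line(line: str):
    """Return a Finding for one HJT line, or None if nothing about it stands out."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    terms, notes = [], []
    for lead, clsid, trail in CLSID_RE.findall(body):
        terms.append(clsid)
        if lead or trail:  # underscore CLSIDs often resist HJT's fix; remove by hand
            notes.append(f"underscore CLSID; delete its entry manually under {HOOKS_KEY}")
    terms += FILE_RE.findall(body)
    if section == "R3" and "(no file)" in body:
        notes.append("R3 hook with no file; remove unless you recognise it")
    if section == "O2" and ("(no name)" in body or "(file missing)" in body):
        notes.append("unnamed or fileless BHO; research the CLSID and DLL name")
    if section == "O4":
        notes.append("startup item; check name and path in a startup-list database")
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        notes.append("AppInit DLL; fixing in HJT removes the value but leaves the file")
    return Finding(section, terms, notes, line.strip()) if notes else None

def triage_log(text: str):
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]
```

Running triage_log(SAMPLE_LOG) leaves the known-good Google Toolbar BHO out and returns the five entries worth researching, each with only the CLSID or file name you would paste into a database search.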