
Got Hijacked

Discussion in 'Security and Privacy' started by glennshin, 2004/08/31.

Thread Status:
Not open for further replies.
  1. 2004/08/31
    glennshin

    glennshin Inactive Thread Starter

    Joined:
    2004/05/30
    Messages:
    3
    Likes Received:
    0
    Hope you guys can help.

    I used to keep a ghost of my C: drive so whenever something like this happened, I would just reload the ghost. But that was on 98SE. I updated to XP so that I could play Doom3... apparently XP doesn't like my version of Ghost. Ghost 5, I believe... kinda old.

    I have run Spybot Search & Destroy, no anti-virus software or anything else...

    Was reading up on some of this... but gonna be a while before I understand all the terminology for HijackThis.

    Here's the HijackThis log.


    Logfile of HijackThis v1.97.7
    Scan saved at 3:39:58 PM, on 8/31/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Documents and Settings\Himura Glennshin\Application Data\retw.exe
    C:\WINDOWS\System32\uavfr.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    E:\Downloads\antispyware\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\HIMURA~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\HIMURA~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\HIMURA~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\HIMURA~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\HIMURA~1\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\HIMURA~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {12A76F0F-CE6B-7DC4-D507-6D5508AD7045} - C:\WINDOWS\System32\fjvfsvj.dll
    O2 - BHO: (no name) - {47F3C2E8-215B-492F-B8FD-C644D5568CAB} - C:\WINDOWS\System32\naib.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Programs\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Omtp] C:\Documents and Settings\Himura Glennshin\Application Data\retw.exe
    O4 - HKCU\..\Run: [Qbaqfc] C:\WINDOWS\System32\uavfr.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - file://c:\x.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    thanks for any help in advance ^_^
     
  2. 2004/08/31
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Hi glennshin and welcome to the forum.

    The Hijackthis version is not the latest so you need to download v1.98.2 and just overwrite the one you have so your next log will be generated with the latest version. Spybot should be v1.3 and you have to download the whole thing as updating the ref files won't do it. If you now have an earlier version, run it and uncheck any protections then uninstall it and install the new one then update. Ad-Aware is also a good spyware removal app (see Quicklinks in my signature) and you want their new SE version.

    I take it from your comment about "no anti-virus software" and the fact that I don't see any signs that you have an AV program on your PC that you really aren't running any. If not you really need to get one to help protect the PC. You can find both online and free local AV programs in Quicklinks.

    Neither of these .exe files shows up on a search which is often a sign they were dropped on you by a virus so an online virus scan is certainly in order.
    C:\Documents and Settings\Himura Glennshin\Application Data\retw.exe
    C:\WINDOWS\System32\uavfr.exe


    However, none of those would have prevented or removed the particular hijack you have.

    Open Hijackthis and check the following items then let HJT remove them:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\HIMURA~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\HIMURA~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\HIMURA~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\HIMURA~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\HIMURA~1\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\HIMURA~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {12A76F0F-CE6B-7DC4-D507-6D5508AD7045} - C:\WINDOWS\System32\fjvfsvj.dll
    O2 - BHO: (no name) - {47F3C2E8-215B-492F-B8FD-C644D5568CAB} - C:\WINDOWS\System32\naib.dll
    O4 - HKCU\..\Run: [Omtp] C:\Documents and Settings\Himura Glennshin\Application Data\retw.exe
    O4 - HKCU\..\Run: [Qbaqfc] C:\WINDOWS\System32\uavfr.exe

    Download CWShredder.exe from here and save it to your desktop.

    Boot to safe mode.
    Turn off system restore.
    Close ALL other windows, open CWShredder and click fix.
    Open C:\Temp if present, select all and delete.
    Open C:\Windows\Temp, select all and delete.
    Open C:\Documents and settings\username\Local Settings\temp, select all and delete. Do this for all usernames.
    Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and OK.

    Boot back to normal mode.
    Run an online virus scan and remove any baddies it finds. If there are any found that can't be cleaned/deleted copy down details and post them here.
    Download the latest version of Hijackthis and overwrite the one you have now. Then run it and post the new log back here.
     
    Newt,
    #2


  4. 2004/08/31
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    I would first disable System Restore, then clean out all Temp folders for all users.

    Fix these with HJT:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\HIMURA~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\HIMURA~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\HIMURA~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\HIMURA~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\HIMURA~1\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\HIMURA~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {12A76F0F-CE6B-7DC4-D507-6D5508AD7045} - C:\WINDOWS\System32\fjvfsvj.dll
    O2 - BHO: (no name) - {47F3C2E8-215B-492F-B8FD-C644D5568CAB} - C:\WINDOWS\System32\naib.dll
    O4 - HKCU\..\Run: [Omtp] C:\Documents and Settings\Himura Glennshin\Application Data\retw.exe
    O4 - HKCU\..\Run: [Qbaqfc] C:\WINDOWS\System32\uavfr.exe
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - file://c:\x.cab

    Reboot and then delete these files.
    C:\WINDOWS\System32\fjvfsvj.dll
    C:\WINDOWS\System32\naib.dll
    C:\WINDOWS\System32\uavfr.exe
    c:\x.cab
    I am not sure of the following; do you know what it is?
    C:\Documents and Settings\Himura Glennshin\Application Data\retw.exe
     
  5. 2004/08/31
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Hi Mark. Looks like we were working on replies at the same time. Wish I'd known you were on it - I'd have read a book. :D

    Question - MediaTicketsInstaller seems to be a legit item from what I managed to read about it. Did I miss the bad stuff or is c:\x.cab a baddie? I know that removing the 016 entries is no biggie since they rebuild when you hit a site that needs them but just trying to further my education.

    Sorry about the sidebar glennshin but he's been doing this security thing lots longer than I have and I'll pick his brain any chance I get. :)
     
    Newt,
    #4
  6. 2004/09/01
    glennshin

    glennshin Inactive Thread Starter

    Joined:
    2004/05/30
    Messages:
    3
    Likes Received:
    0
    Thanks for the quick response, guys.

    Newt: no worries, that's the only way to make others' knowledge your own, eh?

    Mark: I have no idea what retw.exe is. As I only install to e:/Games, e:/programs & c:/program files, I would never install any program in such a random location. So I went ahead and just deleted that as well.

    Ran HJT, CWShredder, deleted temps and it seems all well and good.

    Here is the new HJT log.

    Logfile of HijackThis v1.98.2
    Scan saved at 12:03:53 AM, on 9/1/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\devldr32.exe
    E:\Downloads\antispyware\HijackThis.exe

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Programs\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

    Everything's cool, no?
    If so, thanks a lot...

    Oh, on a side note... the only curious thing I've noticed on WinXP Pro is that my desktop icons won't stay set to the custom ones. I've done some searches but haven't found anything to really help. I have unsuccessfully tried deleting iconcache...
     
    Last edited: 2004/09/01
  7. 2004/09/01
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You need to visit Windows Updates, as you are behind on some criticals that will patch security holes.
     
  8. 2004/09/01
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    I will not get into the clean up part but I do see some items that I am very glad to see mentioned.

    One is to shut down System Restore. Sometimes I myself do not shut it down until I get things cleaned up (just in case), but I do shut it down for sure after the clean-up and make a new one.

    I also saw the word GHOST mentioned. That also should be shut down and a new ghost copy made.

    I also saw the TEMP files mentioned (I believe I did anyway). There are times (unknown to us) that some trash programs USE THE TEMP FOLDER to work from. I just looked on my wife's machine and I HAVE NO IDEA where two .EXE files came from. I think STRONGLY that I need to watch some kids and find out where they are going (or have been) on the Internet (may be related to the next paragraph). I suspect that one of them has learned how to bypass the firewall.

    In Windows 98 & 98SE the RB00x.cab files in the C:\Windows\Sysbackup folder should be deleted. I just did that on my wife's machine because Ad-Aware & Spybot found some not so nice stuff hanging around in the registry (related to the TEMP folder files).

    Running an Anti-Virus program FULL TIME is another good idea.

    Also I see WINDOWS UPDATES mentioned. That is another important part of helping to keep things clean, especially the critical ones. There are many hole plugs there.

    So. Is the cleanout of the actual problem enough? I do not think so. I think other things need to be done so that it does not (even unintentionally) get put back.

    BillyBob
     
  9. 2004/09/01
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    Newt, I was being a bit on the cautious side about c:\x.cab and MediaTicketsInstaller. If the line was as the 016 below, I wouldn't have suggested the removal. MediaTicketsInstaller in itself is not considered bad from what I have found, and the URL is not included in the IEspyads.Reg file.
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

    Glennshin, your log looks clean but you do need to go to windows update and get all the criticals offered.
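    The checks Newt and Mark apply by eye in #2 and #4 above (search pages redirected to a local file://, unnamed BHOs with random names in System32, HKCU Run entries pointing into Application Data, and Mark's point that the same O16 control is suspect when its codebase is a local .cab rather than the vendor's http:// URL) turned into a small triage script. This is an added example, not code from the thread, from HijackThis or from any of the posters. The sample log lines are copied from the logs posted in this thread; the allowlists (`KNOWN_BHO_CLSIDS`, `KNOWN_RUN_EXES`) and the user-profile path markers are constructed for the demo and would need to be maintained for real use.

```python
import re
import ntpath
from dataclasses import dataclass, field

# Constructed sample in HijackThis log format. The R/O lines are copied from
# the logs posted in this thread; they are embedded so the script runs offline.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\HIMURA~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\HIMURA~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {12A76F0F-CE6B-7DC4-D507-6D5508AD7045} - C:\WINDOWS\System32\fjvfsvj.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Programs\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [Omtp] C:\Documents and Settings\Himura Glennshin\Application Data\retw.exe
O4 - HKCU\..\Run: [Qbaqfc] C:\WINDOWS\System32\uavfr.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - file://c:\x.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
"""

# Constructed allowlists for the demo: the Spybot SDHelper CLSID from the log,
# and the two Run-key executables the thread treats as legitimate.
KNOWN_BHO_CLSIDS = {"{53707962-6F74-2D53-2644-206D7942484F}"}
KNOWN_RUN_EXES = {"ctfmon.exe", "nwiz.exe"}
# Directories where an autorun executable has no business living.
USER_DATA_MARKERS = ("\\application data\\", "\\local settings\\", "\\temp\\")

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
DPF_RE = re.compile(r"^DPF: (?P<clsid>\{[^}]+\}) \((?P<desc>[^)]*)\) - (?P<url>.*)$")
# First executable-looking token of a command line; paths may contain spaces
# and are not quoted in HijackThis output, so cut at the first .exe/.dll/...
BINARY_RE = re.compile(r'^\s*"?(?P<path>[^"]*?\.(?:exe|dll|ocx|cpl|scr))', re.IGNORECASE)


@dataclass
class Entry:
    kind: str                 # "R0", "R1", "O2", "O4", "O16", ...
    raw: str                  # the original log line
    fields: dict = field(default_factory=dict)


def parse_log(text):
    """Parse HijackThis R/O lines; header and process-list lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        fields = {}
        if kind.startswith("R"):
            key, _, value = body.partition(" = ")
            fields = {"key": key, "value": value}
        elif kind == "O2":
            mm = BHO_RE.match(body)
            fields = mm.groupdict() if mm else {}
        elif kind == "O4":
            mm = RUN_RE.match(body)
            fields = mm.groupdict() if mm else {}
        elif kind == "O16":
            mm = DPF_RE.match(body)
            fields = mm.groupdict() if mm else {}
        entries.append(Entry(kind, line, fields))
    return entries


def first_binary(cmd):
    m = BINARY_RE.match(cmd)
    return m.group("path") if m else cmd.split(" ")[0]


def triage(entries):
    """Return (raw_line, reason) for every entry matching a hijack pattern."""
    findings = []
    for e in entries:
        f = e.fields
        reason = None
        if e.kind in ("R0", "R1"):
            if f.get("value", "").lower().startswith("file://"):
                reason = "IE search/start page redirected to a local file"
        elif e.kind == "O2":
            if (f.get("clsid") not in KNOWN_BHO_CLSIDS
                    and f.get("name") == "(no name)"
                    and "\\system32\\" in f.get("path", "").lower()):
                reason = "unnamed BHO loaded from System32 and not on the allowlist"
        elif e.kind == "O4":
            path = first_binary(f.get("cmd", "")).lower()
            if any(marker in path for marker in USER_DATA_MARKERS):
                reason = "autorun executable lives in a user profile data/temp directory"
            elif ntpath.basename(path) not in KNOWN_RUN_EXES:
                reason = "autorun executable not on the allowlist"
        elif e.kind == "O16":
            if f.get("url", "").lower().startswith("file://"):
                reason = "ActiveX codebase is a local .cab rather than a vendor URL"
        if reason:
            findings.append((e.raw, reason))
    return findings


def triage_text(text):
    return triage(parse_log(text))


if __name__ == "__main__":
    for raw, reason in triage_text(SAMPLE_LOG):
        print(f"{reason}:\n    {raw}")
```

    Run against the sample it flags six lines: both file:// search entries, the fjvfsvj.dll BHO, the retw.exe and uavfr.exe Run entries, and the file://c:\x.cab O16, while the Spybot SDHelper BHO, the about:blank entry and the http:// MediaTicketsInstaller line pass. The allowlist approach is what the "doesn't show up on a search" reasoning in #2 amounts to: an autorun or BHO you cannot account for is the finding, not proof of infection, so each hit still wants a look before anything is deleted.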
     
  10. 2004/09/01
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Thanks Mark. With the 016 stuff, removal is always safe so probably an excellent idea to blitz that one.
     
    Newt,
    #9