
Twaintec hell, my Hijackthis log

Discussion in 'Security and Privacy' started by sarni1000, 2004/05/28.

Thread Status:
Not open for further replies.
  1. 2004/05/28
    sarni1000

    sarni1000 Inactive Thread Starter

    Joined:
    2004/05/27
    Messages:
    6
    Likes Received:
    0
    I ran Spybot first, then Ad-aware. Ad-aware said it could not delete twaintec.dll until I rebooted, but I have done that countless times and it doesn't help. So twaintec.dll is on my PC at this point.


    Here goes

    Logfile of HijackThis v1.97.7
    Scan saved at 8:00:41 PM, on 5/28/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common files\WinTools\WToolsS.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Real\RealPlayer\realplay.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\documents and settings\patrick sarni\local settings\temp\sjKCzgh.exe
    C:\WINDOWS\System32\IEHost.exe
    C:\Program Files\Common files\WinTools\WToolsA.exe
    C:\WINDOWS\System32\ikikgg.exe
    C:\WINDOWS\System32\lodups.exe
    C:\WINDOWS\System32\lodups.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
    C:\Program Files\Windows Media Components\encoder\Wmencagt.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\Mjeyapi.exe
    C:\WINDOWS\System32\AfkeX.exe
    C:\Program Files\Common files\WinTools\WSup.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    D:\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.amazon.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchscavenger.com/bar.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {08351226-6472-43BD-8A40-D9221FF1C4CE} - C:\WINDOWS\Downloaded Program Files\SbCIe026.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar2.dll
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [Antivirus] C:\WINDOWS\av.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [sjKCzgh] C:\documents and settings\patrick sarni\local settings\temp\sjKCzgh.exe
    O4 - HKLM\..\Run: [48@@QEY4GBGS2F] C:\WINDOWS\System32\CnyMt4.exe
    O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [eoupid] C:\WINDOWS\System32\ikikgg.exe
    O4 - HKLM\..\Run: [AutoLoaderpAs71INlZJXI] "C:\WINDOWS\System32\lodups.exe" /PC= "AM.WILD" /HideUninstall
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe "
    O4 - HKLM\..\Run: [pp3h36Q] lodups.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKLM\..\RunOnce: [Ad-aware] "C:\PROGRA~1\LAVASOFT\AD-AWA~1\Ad-aware.exe" "+b1 "
    O4 - Global Startup: VAIO Action Setup (Server).lnk = C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\encoder\WMENCAGT.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O9 - Extra button: SideStep (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .fpx: C:\Program Files\Internet Explorer\PLUGINS\NPRVRT32.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt1_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} (SideStep IE Inst) - http://download.sidestep.com/get/k00719/sb026.cab
    O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs6b.instantservice.com/jars/customerxsigned41.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab



    any help you could offer would be great,

    -Sarni
     
  2. 2004/05/28
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Quite a mess there. You might want to save this page or print it. First, click here and take advantage of the free trial. You will need the AV and firewall. Then, create a new folder in C:\ named HJT. Then cut and paste HijackThis.exe from D: into the folder. Scan again and place a check next to the following entries. Close ALL other windows and click fix.


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.amazon.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchscavenger.com/bar.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
    O2 - BHO: (no name) - {08351226-6472-43BD-8A40-D9221FF1C4CE} - C:\WINDOWS\Downloaded Program Files\SbCIe026.dll
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [Antivirus] C:\WINDOWS\av.exe
    O4 - HKLM\..\Run: [sjKCzgh] C:\documents and settings\patrick sarni\local settings\temp\sjKCzgh.exe
    O4 - HKLM\..\Run: [48@@QEY4GBGS2F] C:\WINDOWS\System32\CnyMt4.exe
    O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [eoupid] C:\WINDOWS\System32\ikikgg.exe
    O4 - HKLM\..\Run: [AutoLoaderpAs71INlZJXI] "C:\WINDOWS\System32\lodups.exe" /PC= "AM.WILD" /HideUninstall
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe "
    O4 - HKLM\..\Run: [pp3h36Q] lodups.exe
    O4 - HKLM\..\RunOnce: [Ad-aware] "C:\PROGRA~1\LAVASOFT\AD-AWA~1\Ad-aware.exe" "+b1 "
    O9 - Extra button: SideStep (HKLM)
    O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} (SideStep IE Inst) - http://download.sidestep.com/get/k00719/sb026.cab
    O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs6b.instantservice.com/jars...erxsigned41.cab


    Right click My Computer and select properties. Click the system restore tab then check the box to turn off system restore.
    Go to start>run, type msconfig and hit enter. Click the boot.ini tab then check the box /safeboot. Click OK and yes to restart. This will reboot your computer to safe mode. You will need to undo the checkbox to boot normally when done.

    You will need to make sure you can see hidden files and folders.
    In safe mode, verify none of the following processes are running in task manager. Highlight and end process on any that are.

    av.exe
    sjKCzgh.exe
    CnyMt4.exe
    IEHost.exe
    dp-him.exe
    WToolsA.exe
    WToolsS.exe
    ikikgg.exe
    lodups.exe
    AutoUpdate.exe

    Search for and delete all instances of the following.

    a.exe
    av.ex
    b.exe

    Open C:\Windows\System32 and delete the following.

    CnyMt4.exe
    IEHost.exe
    dp-him.exe
    ikikgg.exe
    lodups.exe

    Open C:\Program Files and delete the AutoUpdate folder. Open C:\Program Files\Common Files and delete the Wintools folder. Open C:\documents and settings\patrick sarni\local settings\temp, right click and select all then right click and delete. Open C:\Windows\Prefetch, right click and select all then right click and delete. Open My computer and right click on Local Disk C:, choosing properties then disk cleanup. Check all except compress old files and OK. Uncheck the /safeboot box in msconfig and OK. Yes to restart.

    Before connecting to the internet, install the AV and firewall and reboot. After connecting, right click the AV icon on the taskbar and select Autodownload. Allow to install now. Then run a full system scan. Next go to start>all programs>Windows Update. Install ALL critical updates offered. This may require restarts and revisits to get them all.

    When you get all that done, scan with HJT again and post a new log.
     
    Last edited: 2004/05/28


  4. 2004/05/28
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Dave - what about deleting C:\Program Files\Common files\WinTools?
     
    Newt,
    #3
  5. 2004/05/28
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    It's in the list. :)
     
  6. 2004/05/28
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Oops. It certainly is. I just missed it when I read your directions.

    Great job BTW. Lots and lots of bad stuff in this one.
     
    Newt,
    #5
  7. 2004/05/28
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Indeed there is! Probably not done yet. :rolleyes:

    Thanks!! :D
     
  8. 2004/05/28
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    may I ask why O4 - HKLM\..\RunOnce: [Ad-aware]

    and O4 - HKLM\..\Run: [48@@QEY4GBGS2F
    as far as I know No online and 99% of AVs won't do peper
     
  9. 2004/05/28
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    In case Dave has gone to bed (like any reasonable person would have :D ), it occurs to me that with all this trash, the user probably isn't running a recent Ad-aware update so that particular run-once will just bog him down for no real benefit.
     
    Newt,
    #8
  10. 2004/05/28
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    :D He must not be reasonable; I can see he's online at the moment.

    Neither of those will hurt a thing, I was just curious.
     
  11. 2004/05/29
    sarni1000

    sarni1000 Inactive Thread Starter

    Joined:
    2004/05/27
    Messages:
    6
    Likes Received:
    0
    Maybe it's just too late for me, but I couldn't figure out how to download the AV/firewall. I filled out my address etc. expecting a download box to come up, but I didn't see it. Maybe I'm just losing it.

    Anyway I did everything else and here is the new log

    Logfile of HijackThis v1.97.7
    Scan saved at 1:43:58 AM, on 5/29/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Real\RealPlayer\realplay.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
    C:\Program Files\Windows Media Components\encoder\Wmencagt.exe
    C:\WINDOWS\System32\Ibd35ZW.exe
    C:\WINDOWS\System32\MuqaZ.exe
    D:\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar2.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [48@@QEY4GBGS2F] C:\WINDOWS\System32\Xej7.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Global Startup: VAIO Action Setup (Server).lnk = C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\encoder\WMENCAGT.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .fpx: C:\Program Files\Internet Explorer\PLUGINS\NPRVRT32.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt1_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab



    let me know,
    Thanks so much for your help! I don't know what I would have done.

    -Sarni
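As an added example (not code from this thread), a small Python reviewer's aid for HijackThis logs. It flags the kinds of entries noahdfear picked out above (hijacked IE start/search settings, the removed default URLSearchHook, BHO/toolbar registrations with no file behind them, autoruns launched from a temp directory), and it compares the Run keys of two logs to catch a value name that survives a cleanup with a renamed executable, which is exactly what the [48@@QEY4GBGS2F] entry does between the first log and this repost. The sample lines are copied from the two logs in the thread; TRUSTED_HOSTS is an assumption standing in for the sites the owner actually chose.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a few lines copied from the two logs posted in this thread.
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.amazon.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O4 - HKLM\..\Run: [sjKCzgh] C:\documents and settings\patrick sarni\local settings\temp\sjKCzgh.exe
O4 - HKLM\..\Run: [48@@QEY4GBGS2F] C:\WINDOWS\System32\CnyMt4.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [48@@QEY4GBGS2F] C:\WINDOWS\System32\Xej7.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
"""

# Start/search hosts the owner actually chose (assumption for this example).
TRUSTED_HOSTS = {"www.amazon.com", "www.comcast.net"}

ENTRY = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
RUN = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

def parse(log):
    """Yield (kind, body) for each HijackThis entry line; other lines are skipped."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body")

def exe_path(cmd):
    """Program path from an O4 command line: the quoted path, or text up to the first .exe."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.*?\.exe)\b", cmd, re.I)
    return m.group(1) if m else cmd.split(" ", 1)[0]

def flag_entries(log):
    """Return (reason, entry) pairs for lines a log reviewer would want to inspect."""
    findings = []
    for kind, body in parse(log):
        if kind in ("R0", "R1") and " = " in body:
            value = body.split(" = ", 1)[1]
            # Values without a scheme (e.g. "websearch.drsnsrch.com/q.cgi?q=") still get a host.
            host = urlparse(value if "://" in value else "http://" + value).netloc.lower()
            if value.lower().startswith("file://") or host not in TRUSTED_HOSTS:
                findings.append(("IE start/search setting points to an unexpected target", body))
        elif kind == "R3" and "missing" in body:
            findings.append(("default URLSearchHook removed", body))
        elif kind in ("O2", "O3") and ("(file missing)" in body or "(no file)" in body):
            findings.append(("BHO/toolbar registered but file absent", body))
        elif kind == "O4":
            m = RUN.match(body)
            if m and re.search(r"\\local settings\\temp\\", exe_path(m.group("cmd")), re.I):
                findings.append(("autorun launched from a temp directory", body))
    return findings

def renamed_autoruns(before, after):
    """Run values whose name survived the cleanup but now launch a different file."""
    def values(log):
        hits = [RUN.match(b) for k, b in parse(log) if k == "O4"]
        return {(m["hive"], m["key"], m["name"]): exe_path(m["cmd"]).lower() for m in hits if m}
    b, a = values(before), values(after)
    return sorted((k[2], b[k], a[k]) for k in b.keys() & a.keys() if b[k] != a[k])
```

Note that the [48@@QEY4GBGS2F] line raises no flag on its own in either log; only the before/after comparison shows that the same Run value now points at a freshly named file.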
     
  12. 2004/05/29
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Download this uninstall tool for peper infections
    http://www.downloads.subratam.org/uninst.exe
    Or from here http://www.memorywatcher.com/uninst.exe
    Double click on uninst.exe, Make sure you let it have internet access through any firewalls and such.
    Let it run and terminate.

    Then run it again.

    And then reboot and post another new log. But before you do, I see you have been doing something with msconfig; please undo anything you have disabled, then make and post a new log.


    PS: It would be better to not update or install anything yet until this is cleaned up. Then when you do, be sure to update, then go back again to Windows Update to ensure you have them all. Restart the PC afterwards, then maybe install a firewall and AV, so your anti-virus/firewall knows what version of IE and operating system it's working with for sure :)
     
  13. 2004/05/29
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi Lonny,

    I would have preferred to discuss my recommendations through PM, but since you chose to question them and respond with different recommendations here, I will respond to your questions and recommendations here also.
    Ad-aware had already run on reboot, therefore this entry O4 - HKLM\..\RunOnce: [Ad-aware] should not even be there, and at this point will do nothing for the system.

    I prioritized.

    1. Download AV/Firewall. Click no other links and get disconnected from the internet until this machine has protection, to help ensure that the known virus running and any unknowns are not allowed access longer than necessary.
    2. Deal with the known virus, install and update AV and scan for any unknowns while blocking their access to the internet, and reduce the risk of further infection by protecting the PC. Protect the PC from known patchable vulnerabilities until updated.
    3. Update the PC to protect against further exploited vulnerabilities that have and will further allow infection.
    4. If still present, deal with the peper infection, as it is IMO, a secondary and minimal threat. Will a freshly installed and updated AV detect and clean it? I don't know, but I took this opportunity to find out. If not, it is easy enough to deal with, and better done on a protected PC.
    HUH? Since when does your AV/Firewall care what version of IE you have, lest it be old enough to be unsupported? This is contrary to sound recommendations given many times, at least on this board, to install and update AV/Firewall before connecting to the internet. It is well known that an unprotected computer can become infected not only by connecting to the internet, but even by visiting Windows Update. And if this computer does have further unknown infections, they will be allowed uninhibited access until the proper protection is put in place.

    BTW, I fell asleep with the baby while connected last night. I actually wasn't on. :)
     
  14. 2004/05/29
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Yes, PMs are in order; that's why I have PM'd you and suggest, when working on logs, that we first propose a fix, then say wait for our other forum members to also reply.

    I'm certainly not questioning your methods; they will work, and a great :)
    On this log the biggest problem is peper.

    The bit about an AV and firewall being installed to an updated OS is something I would do on my own PC if there were a major upgrade. I'm probably wrong. :)

    Our peper uninstaller is now sometimes not working; if it doesn't, there's another plan of attack now.
     