
Computer Problems [Slow computer - HJT log]

Discussion in 'Malware and Virus Removal Archive' started by Ghandi88, 2005/08/27.

  1. 2005/08/27
    Ghandi88

    Ghandi88 Inactive Thread Starter

    Joined:
    2005/08/27
    Messages:
    1
    Likes Received:
    0
    My computer is so slow. I have eliminated my pop up problem for the most part but I just want to make sure I have all the "bad" things removed. My Hijack This log file is below. Thanks in advance...

    Logfile of HijackThis v1.99.1
    Scan saved at 11:17:27 AM, on 8/27/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Philips Photo Manager\FunCam\Philips FunCam Monitor.exe
    C:\Palm\HOTSYNC.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\User\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    R3 - URLSearchHook: (no name) - {BA8F12B5-3BAE-0B43-B2E6-7A4E1E7AD4F1} - qwe.dll (file missing)
    O2 - BHO: Class - {0317AD98-9368-D476-5B88-92ABD481A6D3} - C:\WINDOWS\iegw32.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {9CCC7378-3B3D-45D8-BF6B-07BA28181CA2} - C:\WINDOWS\System32\dgoe.dll (file missing)
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe "
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [hgqhp.exe] C:\WINDOWS\System32\hgqhp.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [bingo9] NopeZ.exe
    O4 - HKCU\..\Run: [syspanel] DCC_send.exe
    O4 - HKCU\..\Run: [dePloy] scanSYS.exe
    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
    O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Philips FunCam Monitor.lnk = C:\Program Files\Philips Photo Manager\FunCam\Philips FunCam Monitor.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1118620133356
    O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - http://www.disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1D17F81F-EF0F-41A0-B23D-6EBCC54F92C5}: NameServer = 69.50.176.158,85.255.112.8
    O17 - HKLM\System\CCS\Services\Tcpip\..\{30C8F68A-C64D-431C-A873-68881E728B53}: NameServer = 69.50.176.158,85.255.112.8
    O17 - HKLM\System\CCS\Services\Tcpip\..\{58ADE3E2-249A-444D-A572-06B67B1D6070}: NameServer = 69.50.176.158,85.255.112.8
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1D17F81F-EF0F-41A0-B23D-6EBCC54F92C5}: NameServer = 69.50.176.158,85.255.112.8
    O17 - HKLM\System\CS2\Services\Tcpip\..\{1D17F81F-EF0F-41A0-B23D-6EBCC54F92C5}: NameServer = 69.50.176.158,85.255.112.8
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
     
  2. 2005/08/27
    oshwyn5

    oshwyn5 Inactive

    Joined:
    2005/08/25
    Messages:
    736
    Likes Received:
    0
    This combination makes me suspect CoolWebSearch:
    O2 - BHO: Class - {0317AD98-9368-D476-5B88-92ABD481A6D3} - C:\WINDOWS\iegw32.dll (file missing)
    O2 - BHO: (no name) - {9CCC7378-3B3D-45D8-BF6B-07BA28181CA2} - C:\WINDOWS\System32\dgoe.dll (file missing)


    I want you to download and run the removal tool CWShredder:
    CWShredder - Defeat CoolWebSearch - Download CWShredder Free

    Run it and choose Fix.

    You may want to try downloading and running Stinger first to see if it removes any of the others:
    http://vil.nai.com/vil/stinger/

    You also have the trojan spoofdns:
    O4 - HKLM\..\Run: [hgqhp.exe] C:\WINDOWS\System32\hgqhp.exe
    http://vil.mcafeesecurity.com/vil/content/v_131693.htm
    Note the folders it adds in the registry, which you will need to remove:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3713E0DC-CA27-407D-AC8D-45E5299D766D}
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{913486F9-51E6-4B44-9A7B-51A6D11B4F2D}
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{AD57A22C-AF87-43F7-AB11-06962C070109}
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3713E0DC-CA27-407D-AC8D-45E5299D766D}
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{913486F9-51E6-4B44-9A7B-51A6D11B4F2D}
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AD57A22C-AF87-43F7-AB11-06962C070109}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins "(random letters)"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "(random letters).exe"
    Note: these are displayed as O17 and O4 entries in HijackThis and can be fixed with it.
    CodeStuff Starter
    Kill the processes listed (using Task Manager or the process viewer in CodeStuff Starter) and delete the following files.
    Go to Control Panel / Folder Options / View:
    set to show hidden and system files
    uncheck hide protected files
    uncheck hide known file extensions

    You will need to delete these files:

    qwe.dll (do a file search and delete if found)
    Delete file if found: C:\WINDOWS\iegw32.dll
    Delete file if found: C:\WINDOWS\System32\dgoe.dll

    Kill process [hgqhp.exe]; delete file C:\WINDOWS\System32\hgqhp.exe
    Kill process [bingo9]; locate and delete file NopeZ.exe
    Kill process [syspanel]; locate and delete file DCC_send.exe
    Kill process [dePloy]; locate and delete file scanSYS.exe


    Then run HijackThis with all other windows closed, put a check beside the following and choose Fix:
    R3 - URLSearchHook: (no name) - {BA8F12B5-3BAE-0B43-B2E6-7A4E1E7AD4F1} - qwe.dll (file missing)
    O2 - BHO: Class - {0317AD98-9368-D476-5B88-92ABD481A6D3} - C:\WINDOWS\iegw32.dll (file missing)
    O2 - BHO: (no name) - {9CCC7378-3B3D-45D8-BF6B-07BA28181CA2} - C:\WINDOWS\System32\dgoe.dll (file missing)
    O4 - HKLM\..\Run: [hgqhp.exe] C:\WINDOWS\System32\hgqhp.exe
    O4 - HKCU\..\Run: [bingo9] NopeZ.exe (Wareout trojan)
    O4 - HKCU\..\Run: [syspanel] DCC_send.exe (wareout trojan)
    O4 - HKCU\..\Run: [dePloy] scanSYS.exe (Trojan Wareout)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1D17F81F-EF0F-41A0-B23D-6EBCC54F92C5}: NameServer = 69.50.176.158,85.255.112.8
    O17 - HKLM\System\CCS\Services\Tcpip\..\{30C8F68A-C64D-431C-A873-68881E728B53}: NameServer = 69.50.176.158,85.255.112.8
    O17 - HKLM\System\CCS\Services\Tcpip\..\{58ADE3E2-249A-444D-A572-06B67B1D6070}: NameServer = 69.50.176.158,85.255.112.8
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1D17F81F-EF0F-41A0-B23D-6EBCC54F92C5}: NameServer = 69.50.176.158,85.255.112.8
    O17 - HKLM\System\CS2\Services\Tcpip\..\{1D17F81F-EF0F-41A0-B23D-6EBCC54F92C5}: NameServer = 69.50.176.158,85.255.112.8



    Reboot at least twice, disable System Restore (Control Panel / System / System Restore => stop using System Restore) and post a new HijackThis log for review to make sure you are clean.
    Then reactivate System Restore, go to Start / Programs / System Restore and create a new restore point.
     
    Last edited: 2005/08/27
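    As an added illustration of what oshwyn5 is reading off the log (this is not code from the thread), the Python snippet below triages HijackThis v1.99-style lines: R3/O2 references marked "(file missing)", O4 Run entries that are bare file names with no path, and O17 NameServer values that are not on a list of resolvers you trust. The sample lines are constructed from the log's format and the trusted-resolver address 192.0.2.53 is a placeholder.

```python
import re

# Constructed sample in HijackThis line format; GUIDs, paths and the DNS
# addresses mirror the thread's log, the selection of lines is ours.
SAMPLE_LOG = r"""
O2 - BHO: Class - {0317AD98-9368-D476-5B88-92ABD481A6D3} - C:\WINDOWS\iegw32.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [bingo9] NopeZ.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1D17F81F-EF0F-41A0-B23D-6EBCC54F92C5}: NameServer = 69.50.176.158,85.255.112.8
"""

LINE_RE = re.compile(r"^([RO]\d+) - (.*)$")             # "O4 - <body>"
RUN_RE = re.compile(r"^(HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.*)$")  # hive, value name, command
DNS_RE = re.compile(r"NameServer = ([\d.,]+)$")
MISSING = " (file missing)"


def triage(log_text, trusted_dns):
    """Return (item_type, key, reason) tuples for lines worth a second look."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.groups()
        if kind in ("R3", "O2") and body.endswith(MISSING):
            # A hook/BHO still registered but whose DLL is gone: leftover of a removal.
            path = body.rsplit(" - ", 1)[1][: -len(MISSING)]
            findings.append((kind, path, "orphaned reference, file missing"))
        elif kind == "O4":
            r = RUN_RE.match(body)
            if r and "\\" not in r.group(3):
                # Legitimate Run values almost always carry a full path.
                findings.append((kind, r.group(2), "bare filename, no path: " + r.group(3)))
        elif kind == "O17":
            d = DNS_RE.search(body)
            if d:
                for ip in d.group(1).split(","):
                    if ip not in trusted_dns:
                        findings.append((kind, ip, "resolver not in trusted list"))
    return findings


if __name__ == "__main__":
    for kind, key, reason in triage(SAMPLE_LOG, {"192.0.2.53"}):  # placeholder ISP resolver
        print(f"{kind:<4} {key:<45} {reason}")
```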


  4. 2005/09/04
    -Geordie-

    -Geordie- Inactive

    Joined:
    2005/09/04
    Messages:
    1
    Likes Received:
    0
    Also a point to take note of: this trojan also alters rasphone.pbk; you have to manually delete the three lines the trojan put in there.

    The quickest way to do it is to search for rasphone.pbk, then, when it is found, right-click it, open it with WordPad and scroll down to the lines

    IpDnsAddress = 195.95.218.4 (or variant shown in HT log)
    IpDns2Address = 85.255.112.9 (or variant shown in HT log)

    and a couple of lines further down

    IpNameAssign = 2

    (This is why further HT scans still find the IP/DNS addresses.)

    Then you need to reset your own DNS/IP settings by running the following Windows commands:

    ipconfig.exe /flushdns
    ipconfig.exe /registerdns
    ipconfig.exe /dnsflush
    ipconfig.exe /renew
    ipconfig.exe /renew_all

    That's the complete fix now ;)
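    An added Python example (not from the thread) of the rasphone.pbk check -Geordie- describes: it assumes the phonebook is INI-style with one [section] per connection and key=value lines, reports entries that pin their own DNS servers (IpNameAssign=2), and removes the three lines the post names from those entries while leaving other connections untouched. The phonebook fragment is constructed and the entry names are made up.

```python
import re

# Constructed rasphone.pbk fragment; only the two DNS values come from the post.
SAMPLE_PBK = """\
[Example Dial-Up]
Encoding=1
Type=1
IpPrioritizeRemote=1
IpDnsAddress=195.95.218.4
IpDns2Address=85.255.112.9
IpWinsAddress=0.0.0.0
IpNameAssign=2

[Office Connection]
Encoding=1
Type=1
IpDnsAddress=0.0.0.0
IpNameAssign=1
"""

KEYS = ("IpDnsAddress", "IpDns2Address", "IpNameAssign")   # the three lines to drop
SECTION_RE = re.compile(r"^\[(.+)\]\s*$")
KV_RE = re.compile(r"^(\w+)\s*=\s*(.*?)\s*$")              # tolerate "Key = Value" spacing


def parse_pbk(text):
    """Return [(section_name, [(key, value), ...]), ...] in file order."""
    sections, current = [], None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1), [])
            sections.append(current)
            continue
        kv = KV_RE.match(line)
        if kv and current is not None:
            current[1].append(kv.groups())
    return sections


def find_static_dns(text):
    """Entries with hard-coded DNS (IpNameAssign=2) and the addresses they pin."""
    hits = {}
    for name, pairs in parse_pbk(text):
        d = dict(pairs)
        if d.get("IpNameAssign") == "2":
            hits[name] = [d[k] for k in ("IpDnsAddress", "IpDns2Address") if k in d]
    return hits


def strip_static_dns(text):
    """Remove the three lines from every flagged entry; everything else is kept verbatim."""
    flagged, out, current = set(find_static_dns(text)), [], None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        kv = KV_RE.match(line)
        if current in flagged and kv and kv.group(1) in KEYS:
            continue
        out.append(line)
    return "\n".join(out) + "\n"
```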
     
