
Spyware HJT log included

Discussion in 'Malware and Virus Removal Archive' started by gerdcurli, 2005/02/08.

  1. 2005/02/08, gerdcurli (Inactive, Thread Starter)

    Folks, just came across one of the hardest infections to get rid of. Doesn't look familiar to me. I ran Ad-Aware and when I tried to delete the selected files, it just said 'deleting files' for hours. Therefore that failed. I then tried HJT and here is the log file:

    {\rtf1\ansi\deff0{\fonttbl{\f0\fnil\fcharset0 Courier New;}}
    \viewkind4\uc1\pard\lang2057\f0\fs20 Logfile of HijackThis v1.99.0\par
    Scan saved at 21:05:06, on 07/02/05\par
    Platform: Windows 98 SE (Win9x 4.10.2222A)\par
    MSIE: Internet Explorer v5.00 (5.00.2614.3500)\par
    \par
    Running processes:\par
    C:\\WINDOWS\\SYSTEM\\KERNEL32.DLL\par
    C:\\WINDOWS\\SYSTEM\\MSGSRV32.EXE\par
    C:\\WINDOWS\\SYSTEM\\MPREXE.EXE\par
    C:\\WINDOWS\\SYSTEM\\mmtask.tsk\par
    C:\\WINDOWS\\SYSTEM\\MSTASK.EXE\par
    C:\\WINDOWS\\EXPLORER.EXE\par
    C:\\WINDOWS\\SYSTEM\\SYSTRAY.EXE\par
    C:\\WINDOWS\\LOADQM.EXE\par
    C:\\WINDOWS\\SYSTEM\\STIMON.EXE\par
    C:\\PROGRAM FILES\\COMMON FILES\\REAL\\UPDATE_OB\\REALSCHED.EXE\par
    C:\\WINDOWS\\DIT.EXE\par
    C:\\WINDOWS\\SYSTEM\\SPOOL32.EXE\par
    C:\\WINDOWS\\SYSTEM\\WMIEXE.EXE\par
    C:\\WINDOWS\\SYSTEM\\DDHELP.EXE\par
    C:\\WINDOWS\\SYSTEM\\IPBM32.EXE\par
    C:\\PROGRAM FILES\\LAVASOFT\\AD-AWARE SE PERSONAL\\AD-AWARE.EXE\par
    C:\\WINDOWS\\APIWF.EXE\par
    C:\\UNZIPPED\\HIJACKTHIS\\HIJACKTHIS.EXE\par
    \par
    R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = res://C:\\WINDOWS\\system\\twvzx.dll/sp.html#93256\par
    R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = res://C:\\WINDOWS\\system\\twvzx.dll/sp.html#93256\par
    R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = about:blank\par
    R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Search_URL = res://C:\\WINDOWS\\system\\twvzx.dll/sp.html#93256\par
    R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = res://C:\\WINDOWS\\system\\twvzx.dll/sp.html#93256\par
    R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = res://C:\\WINDOWS\\system\\twvzx.dll/sp.html#93256\par
    R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Search,SearchAssistant = res://C:\\WINDOWS\\system\\twvzx.dll/sp.html#93256\par
    R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Search,SearchAssistant = res://C:\\WINDOWS\\system\\twvzx.dll/sp.html#93256\par
    R3 - Default URLSearchHook is missing\par
    O2 - BHO: Class - \{404E5F28-4F5E-24E2-B02E-43EB9C95C683\} - C:\\WINDOWS\\SYSWM.DLL\par
    O4 - HKLM\\..\\Run: [SystemTray] SysTray.Exe\par
    O4 - HKLM\\..\\Run: [IPBM32.EXE] C:\\WINDOWS\\SYSTEM\\IPBM32.EXE\par
    O4 - HKLM\\..\\RunServices: [APIWF.EXE] C:\\WINDOWS\\APIWF.EXE\par
    O15 - Trusted Zone: *.frame.crazywinnings.com\par
    O15 - Trusted Zone: *.static.topconverting.com\par
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)\par
    O15 - Trusted Zone: *.static.topconverting.com (HKLM)\par
    O15 - Trusted IP range: 206.161.125.149\par
    O15 - Trusted IP range: 206.161.125.149 (HKLM)\par
    \par
    \par
    }

    All help will be appreciated, with great thanks,
    Gerd, Ireland

  2. 2005/02/08, TonyT (SuperGeek, Staff)

    What's the \par at end of each line above? From your text editor?

    Start computer in Safe Mode, use hjt to remove the following:

    C:\\WINDOWS\\APIWF.EXE\par
    C:\\WINDOWS\\SYSTEM\\IPBM32.EXE\par
    R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = res://C:\\WINDOWS\\system\\twvzx.dll/sp.html#93256\par
    R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = res://C:\\WINDOWS\\system\\twvzx.dll/sp.html#93256\par
    R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = about:blank\par
    R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Search_URL = res://C:\\WINDOWS\\system\\twvzx.dll/sp.html#93256\par
    R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = res://C:\\WINDOWS\\system\\twvzx.dll/sp.html#93256\par
    R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = res://C:\\WINDOWS\\system\\twvzx.dll/sp.html#93256\par
    R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Search,SearchAssistant = res://C:\\WINDOWS\\system\\twvzx.dll/sp.html#93256\par
    R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Search,SearchAssistant = res://C:\\WINDOWS\\system\\twvzx.dll/sp.html#93256\par
    R3 - Default URLSearchHook is missing\par
    O2 - BHO: Class - \{404E5F28-4F5E-24E2-B02E-43EB9C95C683\} - C:\\WINDOWS\\SYSWM.DLL\par
    O4 - HKLM\\..\\Run: [IPBM32.EXE] C:\\WINDOWS\\SYSTEM\\IPBM32.EXE\par
    O4 - HKLM\\..\\RunServices: [APIWF.EXE] C:\\WINDOWS\\APIWF.EXE\par
    O15 - Trusted Zone: *.frame.crazywinnings.com\par
    O15 - Trusted Zone: *.static.topconverting.com\par
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)\par
    O15 - Trusted Zone: *.static.topconverting.com (HKLM)\par
    O15 - Trusted IP range: 206.161.125.149\par
    O15 - Trusted IP range: 206.161.125.149 (HKLM)\par

    Use Start menu\Find\Files and folders to locate & delete these files: (or rename them to .DLL.OLD - .EXE.OLD)
    IPBM32.EXE
    APIWF.EXE
    twvzx.dll
    SYSWM.DLL
    Last edited: 2005/02/08
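    As an added example (not code from the thread), here is a Python triage of the posted log: it first undoes the RTF wrapping TonyT asks about (the trailing `\par` on each line, doubled backslashes, escaped braces), then flags the same entry classes the reply lists (res:// search hijack, missing URLSearchHook, the BHO, unlisted autoruns, Trusted Zone additions) and derives the file names to delete or rename. `KNOWN_GOOD` is a hypothetical one-entry stand-in for a real known-good autorun list, and the sample lines are constructed from the log above.

```python
import re

ENTRY = re.compile(r"^(R[0-3]|O\d+) - (.*)$")
FILE = re.compile(r"([\w-]+\.(?:dll|exe))\b", re.I)
KNOWN_GOOD = {"SYSTRAY.EXE"}  # hypothetical stand-in for a real known-good autorun list
RULES = [  # (sections, predicate on the entry body, why it is flagged)
    ("R0 R1", lambda b: "res://" in b, "IE search/start page served from a local DLL resource"),
    ("R3", lambda b: "missing" in b, "default URLSearchHook removed"),
    ("O2", lambda b: True, "BHO with a generic name loads into every IE process"),
    ("O4", lambda b: FILE.search(b) and FILE.search(b).group(1).upper() not in KNOWN_GOOD,
     "autorun binary not on the known-good list"),
    ("O15", lambda b: True, "site or IP added to the IE Trusted Zone"),
]

def unrtf(text):  # undo the RTF wrapping: header/footer, trailing \par, RTF escapes
    out = []
    for raw in (r.strip() for r in text.splitlines()):
        if raw.startswith(("{\\rtf", "\\viewkind")) or raw in ("{", "}"):
            continue
        line = raw[:-4] if raw.endswith("\\par") else raw
        out.append(line.replace("\\\\", "\\").replace("\\{", "{").replace("\\}", "}"))
    return [l for l in out if l]

def triage(lines):
    findings = []  # (section, reason, artifact)
    for m in filter(None, map(ENTRY.match, lines)):
        sec, body = m.groups()
        for secs, pred, reason in RULES:
            if sec in secs.split() and pred(body):
                f = FILE.search(body)
                artifact = body.split(": ", 1)[1] if sec == "O15" else (f.group(1).upper() if f else None)
                findings.append((sec, reason, artifact))
                break
    return findings

def files_to_remove(findings):  # names to delete or rename, as in the reply above
    return sorted({a for s, _, a in findings if a and s != "O15"})

# Constructed sample: lines copied from the posted log, still RTF-escaped.
SAMPLE_RTF = r"""{\rtf1\ansi\deff0{\fonttbl{\f0\fnil\fcharset0 Courier New;}}
\viewkind4\uc1\pard\lang2057\f0\fs20 Logfile of HijackThis v1.99.0\par
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = res://C:\\WINDOWS\\system\\twvzx.dll/sp.html#93256\par
R3 - Default URLSearchHook is missing\par
O2 - BHO: Class - \{404E5F28-4F5E-24E2-B02E-43EB9C95C683\} - C:\\WINDOWS\\SYSWM.DLL\par
O4 - HKLM\\..\\Run: [SystemTray] SysTray.Exe\par
O4 - HKLM\\..\\Run: [IPBM32.EXE] C:\\WINDOWS\\SYSTEM\\IPBM32.EXE\par
O4 - HKLM\\..\\RunServices: [APIWF.EXE] C:\\WINDOWS\\APIWF.EXE\par
O15 - Trusted Zone: *.frame.crazywinnings.com\par
O15 - Trusted IP range: 206.161.125.149\par
}"""
```

Running `files_to_remove(triage(unrtf(SAMPLE_RTF)))` yields the same four files the reply names; the SysTray entry is skipped only because of the stand-in allowlist.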
