1. ## Hijackthis Log

Hello, wanted to get some help on a system that I had to restore. This is a system for a church I work with and it had a major malware infection. I've run Ad-Aware and Spybot S&D just to do a preliminary cleaning. I just ran HijackThis and here is the log in case you spot something I missed.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:45:33 PM, on 07/20/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\system32\CAPM5RSK.EXE
C:\WINNT\System32\msdtc.exe
C:\WINNT\system32\spool\drivers\w32x86\3\CAPM5SWK.EXE
C:\WINNT\system32\mqsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\WINNT\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINNT\system32\rhqetfyh.dll",forkonce
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework...ex/TmHcmsX.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1184813217765
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\WINNT\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O24 - Desktop Component 1: (no name) - file:///C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/msoclip1/01/clip_image002.gif

End of file - 4501 bytes

Right now I'm going to install AVG's rootkit detection package, and then I need to find some good free software for antivirus. I don't think they need a firewall on this system, but if you want to recommend one it's encouraged. Anything you can do for me to help is greatly appreciated.

Just did a little more digging on a couple I wasn't sure about and found the info on both:
C:\WINNT\system32\CAPM5RSK.EXE
C:\WINNT\system32\spool\drivers\w32x86\3\CAPM5SWK.EXE

Found some instructions on a couple other cleanup methods so I'm going to run those quick and will update here if I fix the problem.

2. why bother with a duplicate post :?
or ask a mod to do so

and the file looks clear to me ............. but I'm no expert
we used to have a couple of members who did this type of stuff for work, but they don't frequent here anymore

I would consider 'upgrading' to XP Pro now. W2K is old and not supported; you have it at SP4, so you must be aware of the update requirements.
Vista is out now, so XP Pro won't be cheap yet, but it WILL be cheaper
and XP is still supported against the latest threats

also, have you tried one of the 'specialist' HJT analysis sites ??

3. I suggest deleting this:
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINNT\system32\rhqetfyh.dll",forkonce

This is probably leftover from what you cleaned. I googled "forkonce" and it appears that many people suffering from malware had the same key, just a variation of the name of the file (xxxxxxx.dll). What caught my attention was the seemingly random sequence of letters in "rhqetfyh.dll"

Outside of that, it looks good to me.
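A small triage script for the kinds of entries discussed in this thread, added here as an example (it is not from any poster and not part of HijackThis): it parses O4/O23/O24 lines, applies the "random sequence of letters" heuristic only to DLLs launched through rundll32.exe (the letter test alone misfires on legitimate names such as mobsync), and also flags services whose binary is missing and desktop components loaded from a Temp directory. The sample lines are constructed from the log above.

```python
import re

# Constructed sample modelled on the HijackThis log in this thread (not the full log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\WINNT\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINNT\system32\rhqetfyh.dll",forkonce
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O24 - Desktop Component 1: (no name) - file:///C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/msoclip1/01/clip_image002.gif
"""

# rundll32[.exe] "path\to\x.dll",ExportName  -> (dll path, export name)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*(\w+)', re.IGNORECASE)


def looks_random(stem):
    """Crude 'keyboard mash' test on a file name without extension:
    long, purely alphabetic, vowel-poor, with a run of 4+ consonants.
    Legitimate names (e.g. 'mobsync') can trip it, so callers gate it on context."""
    stem = stem.lower()
    if len(stem) < 7 or not stem.isalpha():
        return False
    vowel_ratio = sum(c in "aeiou" for c in stem) / len(stem)
    longest_run = max(len(run) for run in re.findall(r"[^aeiou]+", stem))
    return vowel_ratio < 0.25 and longest_run >= 4


def triage(log_text):
    """Return (line, reason) pairs for HijackThis entries worth a second look."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        m = RUNDLL_RE.search(line)
        if line.startswith("O4") and m:
            # Only DLLs loaded via rundll32 get the random-name test (the pattern in this thread).
            stem = m.group(1).rsplit("\\", 1)[-1][:-4]
            if looks_random(stem):
                findings.append((line, f"rundll32 loads random-looking '{stem}.dll' via export '{m.group(2)}'"))
        elif line.startswith("O23") and line.endswith("(file missing)"):
            findings.append((line, "service points at a missing binary (orphaned entry)"))
        elif line.startswith("O24") and re.search(r"/temp/", line, re.IGNORECASE):
            findings.append((line, "desktop component loaded from a Temp directory"))
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(f"{why}\n    {entry}")
```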

4. Foxy - Realised that I would get a better response on this forum, and yes I do need to go back and delete the old one, sorry about that. This is not my system and the owner doesn't wish to upgrade, so I'm stuck with trying to keep this as clean as possible. Thank you for the information though.

Shag - KK thanks

5. Hi,

Post your log here: http://www.hijackthis.de/ and they will analyse it. Basically you need to check the "unknowns".

Windows 2000 is "supported" insofar as there are security updates; however, there are no longer any enhancements. Last time I looked, its EOL was 2014, which is strange as XP's is 2011.

You should not be on the internet without a firewall; you will simply get reinfected within a matter of minutes.

This machine is running Win 2000 SP4 and Zone Alarm. Its log tells me that it has blocked 707,866 access attempts and 43,266 intrusion attempts.

6. Thanks Nihil for the input, the system needs a lot of work and it looks like I'm going to have to go back to work on it. I guess I forgot to remove my copy of Nod32 from the system, and my mother used it to delete a .dll used by a couple programs that are of great importance to the church. Well, she doesn't know the name of the DLL and I can't find any information on which one it might have been. I can't uninstall the program for fear of data loss, and repairing the program has no effect, which makes me think it's a system DLL and not a DLL installed by the program itself. Any advice?

This is the error message:

error -2147023782 on line 1029 of S_GENRL.BAS(ContInitloadCW)
Automation error
A Dynamic link library (DLL) initialization routine failed

7. Hi Norrit,

You are not the first with this ..................

http://www.winehq.org/pipermail/wine...ly/033374.html

.BAS................? that's a QuickBasic program?............DOS 5.0?

Please tell me what the software is, and I will have a look at what data files need backing up.

Yours in Christ,

Johnno

8. If you're not using them I can also suggest removing/uninstalling the SNMP service and IIS.

9. Nihil - The software that was corrupted was "Church Windows" and another church based software package. I had found that website but didn't see anything helpful to my situation. If I missed something please point it out to me. My problem is strictly with the DLL and it looks as if his problem was dealing with ActiveX components.

Thanks again everyone, have to run to work.

10. OK, you might try this:

1. Install the latest VB6 runtime version:

2. Check that you have mfc40.dll and mfc42.dll

The VB6 runtime should just install over the top of what is there, so you don't have to worry about uninstalling anything.

Both the .dlls should be in c:\WINNT\system32\

The backup for mfc40.dll is in C:\WINNT\system32\dllcache
mfc42 is in c:\WINNT\ServicePackFiles\i386

Your problem appears to be with VB. I would recommend that you check which version your software is written in, as you will need the runtime files/app for that specific version.

VB5: http://support.microsoft.com/kb/q180071/

Just in case

