
Thread: Hijackthis Log

  1. #1
    Junior Member
    Join Date
    Jan 2006
    Posts
    13

    Hijackthis Log

    Hello, wanted to get some help on a system that I had to restore. This is a system for a church I work with and it had a major malware infection. I've run Adaware, and Spybot S&D just to do a preliminary cleaning. I just ran Hijackthis and here is the log in case you spot something I missed.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:45:33 PM, on 07/20/2007
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\LEXPPS.EXE
    C:\WINNT\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\NMSSvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\tcpsvcs.exe
    C:\WINNT\System32\snmp.exe
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\inetsrv\inetinfo.exe
    C:\WINNT\system32\CAPM5RSK.EXE
    C:\WINNT\System32\msdtc.exe
    C:\WINNT\system32\spool\drivers\w32x86\3\CAPM5SWK.EXE
    C:\WINNT\system32\mqsvc.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\WINNT\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINNT\system32\rhqetfyh.dll",forkonce
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework...ex/TmHcmsX.CAB
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1184813217765
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup150.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\WINNT\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
    O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
    O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O24 - Desktop Component 1: (no name) - file:///C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/msoclip1/01/clip_image002.gif

    --
    End of file - 4501 bytes


    Right now I'm going to install AVG's rootkit detection package, and then I need to find some good free software for antivirus. I don't think they need a firewall on this system, but if you want to recommend one it's encouraged. Anything you can do for me to help is greatly appreciated.

    -Edit-

    Just did a little more digging on a couple I wasn't sure about and found the info on both:
    C:\WINNT\system32\CAPM5RSK.EXE
    C:\WINNT\system32\spool\drivers\w32x86\3\CAPM5SWK.EXE

    Found some instructions on a couple other cleanup methods so I'm going to run those quick and will update here if I fix the problem.
    Last edited by Norrit; July 20th, 2007 at 10:22 PM.

  2. #2
    They call me the Hunted foxyloxley's Avatar
    Join Date
    Nov 2003
    Location
    3rd Rock from Sun
    Posts
    2,534
    why bother with a duplicate post :?
    please delete one
    or ask a mod to do so

    and the file looks clear to me ............. but I'm no expert
    we used to have a couple of members who did this type of stuff for work, but they don't frequent here anymore

    I would consider 'upgrading' to XP Pro now, W2K is old, and not supported, you have it to SP4, so you must be aware of the update requirements
    Vista is out now, so XP Pro won't be cheap yet, but it WILL be cheaper
    and XP is still supported against the latest threats

    also, have you tried one of the 'specialist' HJT analysis sites ??
    Last edited by foxyloxley; July 20th, 2007 at 10:29 PM.
    so now I'm in my SIXTIES FFS
    WTAF, how did that happen, so no more alterations to the sig, it will remain as is now

    Beware of Geeks bearing GIF's
    come and waste the day :P at The Taz Zone

  3. #3
    Some Assembly Required ShagDevil's Avatar
    Join Date
    Nov 2002
    Location
    SC
    Posts
    718
    I suggest deleting this:
    O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINNT\system32\rhqetfyh.dll",forkonce

    This is probably leftover from what you cleaned. I googled "forkonce" and it appears that many people suffering from malware had the same key, just a variation of the name of the file (xxxxxxx.dll). What caught my attention was the seemingly random sequence of letters in "rhqetfyh.dll"

    Outside of that, it looks good to me.
    The object of war is not to die for your country but to make the other bastard die for his - George Patton
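One way to mechanise the check ShagDevil describes, as an added example that is not from the thread or from HijackThis itself: parse O4 lines, pull out DLLs loaded through rundll32 at logon, and flag base names that look machine-generated. The sample lines are constructed from the log format above, and the "random-looking" thresholds are an assumption, not a published rule.

```python
import re

# Constructed sample modelled on the O4 lines in the log above (not the full log).
SAMPLE_O4 = """\
O4 - HKLM\\..\\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] "C:\\WINNT\\Program Files\\Java\\jre1.6.0_02\\bin\\jusched.exe"
O4 - HKLM\\..\\Run: [icq.com] rundll32.exe "C:\\WINNT\\system32\\rhqetfyh.dll",forkonce
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"""

# O4 - <registry key>: [<entry name>] <command line>
O4_RE = re.compile(r'^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# rundll32.exe "<path>.dll",<export>  (quotes and export are optional)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?(?:,(?P<export>\w+))?', re.I)

VOWELS = set("aeiou")

def looks_random(stem: str) -> bool:
    """Assumed heuristic: an all-letter stem with few vowels or a long consonant run."""
    s = stem.lower()
    if len(s) < 6 or not s.isalpha():
        return False
    vowel_ratio = sum(c in VOWELS for c in s) / len(s)
    longest_run = max(len(run) for run in re.findall(r'[^aeiou]+', s))
    return vowel_ratio < 0.2 or longest_run >= 4

def triage_o4(log_text: str) -> list:
    """Return one finding per O4 entry that loads a DLL through rundll32."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        r = RUNDLL_RE.search(m["cmd"])
        if not r:
            continue
        dll = r["dll"]
        stem = dll.replace("\\", "/").rsplit("/", 1)[-1][:-4]   # strip path and ".dll"
        reasons = ["DLL loaded through rundll32 at logon"]
        if looks_random(stem):
            reasons.append("random-looking DLL name")
        if m["name"].lower().endswith((".com", ".net", ".org")):
            reasons.append("entry name imitates a domain")   # e.g. [icq.com]
        findings.append({"entry": m["name"], "dll": dll,
                         "export": r["export"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in triage_o4(SAMPLE_O4):
        print(finding)
```

The export name is reported alongside the DLL so it can be searched the same way "forkonce" was.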

  4. #4
    Junior Member
    Join Date
    Jan 2006
    Posts
    13
    Foxy - Realised that I would get a better response on this forum, and yes, I do need to go back and delete the old one, sorry about that. This is not my system and the owner doesn't wish to upgrade, so I'm stuck with trying to keep this as clean as possible. Thank you for the information though.

    Shag - KK thanks

  5. #5
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi,

    Post your log here: http://www.hijackthis.de/ and they will analyse it. Basically you need to check the "unknowns".

    Windows 2000 is "supported" insofar as there are security updates, however, there are no longer any enhancements. Last time I looked, its EOL was 2014, which is strange as XP's is 2011.

    You should not be on the internet without a firewall, you will simply get reinfected within a matter of minutes.

    This machine is running Win 2000 SP4 and Zone Alarm. Its log tells me that it has blocked 707,866 access attempts and 43,266 intrusion attempts.

  6. #6
    Junior Member
    Join Date
    Jan 2006
    Posts
    13
    Thanks Nihil for the input, the system needs a lot of work and it looks like I'm going to have to go back to work on it. I guess I forgot to remove my copy of Nod32 from the system, and my mother used it to delete a .dll used by a couple programs that are of great importance to the church. Well, she doesn't know the name of the DLL and I can't find any information on which one it might have been. I can't uninstall the program for fear of data loss, and repairing the program has no effect, which makes me think it's a system DLL and not a DLL installed by the program itself. Any advice?

    This is the error message:

    error -2147023782 on line 1029 of S_GENRL.BAS(ContInitloadCW)
    Automation error
    A Dynamic link library (DLL) initialization routine failed

  7. #7
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi Norrit,

    You are not the first with this ..................

    http://www.winehq.org/pipermail/wine...ly/033374.html

    .BAS................? that's a QuickBasic program?............DOS 5.0?

    Please tell me what the software is, and I will have a look at what data files need backing up.

    Yours in Christ,

    Johnno

  8. #8
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    If you're not using them I can also suggest removing/uninstalling the SNMP service and IIS.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  9. #9
    Junior Member
    Join Date
    Jan 2006
    Posts
    13
    Nihil - The software that was corrupted was "Church Windows" and another church-based software package. I had found that website but didn't see anything helpful to my situation. If I missed something please point it out to me. My problem is strictly with the DLL and it looks as if his problem was dealing with ActiveX components.

    Thanks again everyone, have to run to work.
    Last edited by Norrit; July 24th, 2007 at 01:49 PM.

  10. #10
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    OK, you might try this:

    1. Install the latest VB6 runtime version:

    http://www.microsoft.com/downloads/d...displaylang=en

    2. Check that you have mfc40.dll and mfc42.dll

    The VB6 runtime should just install over the top of what is there, so you don't have to worry about uninstalling anything.

    Both the .dlls should be in c:\WINNT\system32\

    The backup for mfc40.dll is in C:\WINNT\system32\dllcache
    mfc42 is in c:\WINNT\ServicePackFiles\i386

    Your problem appears to be with VB. I would recommend that you check which version your software is written in, as you will need the runtime files/app for that specific version.

    VB5: http://support.microsoft.com/kb/q180071/

    Just in case
