Welcome to MalwareRemoval.com
My Hijack This Logfile

Post by noodles » February 15th, 2008, 9:19 pm

I've tried going it alone, following the steps I've seen here and on other forums, but I can't get rid of the hijacker.

Here's my log file. Help!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:18:06 PM, on 2/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BMb74ae4e1] Rundll32.exe "C:\WINDOWS\system32\hhgxkxeh.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 3236 bytes
noodles
Active Member
 
Posts: 13
Joined: February 15th, 2008, 8:15 pm

Re: My Hijack This Logfile

Post by Scotty » February 16th, 2008, 8:46 pm

Hi! Welcome to the MWR forums.
My name is Scotty. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research.

Please be patient, as my posts to you have to be checked before I reply, so they may take longer.


Rename HijackThis
There is a possibility that an infection is hiding part of the HijackThis log because the program is called hijackthis.exe.
Using Windows Explorer (right-click the Start button and left-click Explore), navigate to: C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

Right-click on HijackThis.exe and select Rename; rename it to iseeu.exe, then post back a new HijackThis log.



Please make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, Notepad will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in a reply.
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Re: My Hijack This Logfile

Post by noodles » February 16th, 2008, 10:07 pm

Thanks, Scotty! I appreciate the help. Ok, here's the uninstall log file:

3D Home Architect Home Design Deluxe 6
Ad-Aware 2007
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 7.0.9
Adobe Stock Photos 1.0
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Digital Media Reader
DivX Codec
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
J2SE Runtime Environment 5.0 Update 2
LimeWire 4.16.6
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Digital Image Starter Edition 2006
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2005
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works
Mozilla Firefox (2.0.0.12)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Napster
Napster Burn Engine
Nero BurnRights
Nero OEM
OpenOffice.org 2.0
Panda ActiveScan
PowerDVD
QuickTime
RealPlayer
Realtek AC'97 Audio
Rhapsody Player Engine
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
SoftV92 Data Fax Modem with SmartCP
Sun Download Manager 2.0 (web)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Viewpoint Media Player
ViewSonic Monitor Drivers
Windows Backup Utility
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472

I renamed HijackThis, and here's the newest file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:07:06 PM, on 2/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\iseeu.exe
C:\WINDOWS\system32\notepad.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {3BCA58E1-66A8-439C-A9F7-CA598C6C11C4} - C:\WINDOWS\system32\pmnlk.dll (file missing)
O2 - BHO: (no name) - {55E362F8-B5CC-4356-A6E8-A2B8526BF1D0} - C:\WINDOWS\system32\jkkji.dll
O2 - BHO: {c25866ae-a5ae-8579-9024-40e1ecd085ae} - {ea580dce-1e04-4209-9758-ea5aea66852c} - C:\WINDOWS\system32\erfcanym.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BMb74ae4e1] Rundll32.exe "C:\WINDOWS\system32\pjrtagax.dll",s
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 3571 bytes
noodles
Active Member
 
Posts: 13
Joined: February 15th, 2008, 8:15 pm

Re: My Hijack This Logfile

Post by Scotty » February 17th, 2008, 12:22 pm

Hi

If you already have Combofix, please delete that copy and download it again as it's being updated regularly.

Please download Combofix from Bleeping Computer.

If you can't download it from there, please try these 2 alternative sites:

Forospyware
Geeks to Go

  • Save it to your Desktop.
  • Disconnect from the Internet, then disable your anti-virus and any real-time anti-spyware monitors that are running.
  • Click Start > Run, then copy/paste or type "%userprofile%\desktop\combofix.exe" /killall into the Run box and click OK.
  • When finished, it shall produce a log for you. Post that log in your next reply with a new HijackThis log.

Note 1: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Note 2: Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.



In your next reply post:
ComboFix.txt
New HijackThis log taken after the above scan has run
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Re: My Hijack This Logfile

Post by noodles » February 17th, 2008, 2:15 pm

ComboFix 08-02-17.2 - Owner 2008-02-17 12:56:21.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.463 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\desktop\combofix.exe
Command switches used :: /killall
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\jkkji.dll
C:\Documents and Settings\Owner\Local Settings\Temp\sdexe.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\mcroso~1.net
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Temporary
C:\Program Files\Temporary\wininstall.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\aatbbxmj.ini
C:\WINDOWS\system32\amwauxrw.ini
C:\WINDOWS\system32\axkklufo.dll
C:\WINDOWS\system32\axqmbvhe.dll
C:\WINDOWS\system32\barmhjfr.dll
C:\WINDOWS\system32\bfaqineu.dll
C:\WINDOWS\system32\brdcjkcm.dll
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\cvmingbw.dll
C:\WINDOWS\system32\djpsokgx.ini
C:\WINDOWS\system32\ecxjkdyw.ini
C:\WINDOWS\system32\erfcanym.dll
C:\WINDOWS\system32\fdesaggl.dll
C:\WINDOWS\system32\ftsbdwpj.ini
C:\WINDOWS\system32\fuyfqurl.ini
C:\WINDOWS\system32\gbbpjgtm.ini
C:\WINDOWS\system32\gdxjihut.dll
C:\WINDOWS\system32\hhgxkxeh.dll
C:\WINDOWS\system32\hhjlunnq.dll
C:\WINDOWS\system32\ijkkj.ini
C:\WINDOWS\system32\ijkkj.ini2
C:\WINDOWS\system32\jkbccgxt.ini
C:\WINDOWS\system32\jkkji.dll
C:\WINDOWS\system32\jkkji.exe
C:\WINDOWS\system32\lbifqeeq.ini
C:\WINDOWS\system32\ludeblni.ini
C:\WINDOWS\system32\mdhdavnh.dll
C:\WINDOWS\system32\nueeptlt.ini
C:\WINDOWS\system32\oqxkqman.dll
C:\WINDOWS\system32\paujqpfv.dll
C:\WINDOWS\system32\pbbkmryh.ini
C:\WINDOWS\system32\pjrtagax.dll
C:\WINDOWS\system32\qbskcsfw.dll
C:\WINDOWS\system32\qclfjoep.dll
C:\WINDOWS\system32\qmpoccmj.dll
C:\WINDOWS\system32\qydyntco.dll
C:\WINDOWS\system32\RCX15.tmp
C:\WINDOWS\system32\RCX16.tmp
C:\WINDOWS\system32\RCX1B.tmp
C:\WINDOWS\system32\RCX1C.tmp
C:\WINDOWS\system32\RCX1D.tmp
C:\WINDOWS\system32\RCX1E.tmp
C:\WINDOWS\system32\RCX1F.tmp
C:\WINDOWS\system32\RCX20.tmp
C:\WINDOWS\system32\RCX21.tmp
C:\WINDOWS\system32\RCX22.tmp
C:\WINDOWS\system32\RCX23.tmp
C:\WINDOWS\system32\RCX24.tmp
C:\WINDOWS\system32\RCX26.tmp
C:\WINDOWS\system32\RCX27.tmp
C:\WINDOWS\system32\RCX28.tmp
C:\WINDOWS\system32\RCX29.tmp
C:\WINDOWS\system32\RCX2A.tmp
C:\WINDOWS\system32\RCX2B.tmp
C:\WINDOWS\system32\RCX2C.tmp
C:\WINDOWS\system32\RCX2D.tmp
C:\WINDOWS\system32\RCX2E.tmp
C:\WINDOWS\system32\RCX2F.tmp
C:\WINDOWS\system32\RCX30.tmp
C:\WINDOWS\system32\RCX31.tmp
C:\WINDOWS\system32\RCX3F.tmp
C:\WINDOWS\system32\RCX9.tmp
C:\WINDOWS\system32\RCXA.tmp
C:\WINDOWS\system32\RCXF.tmp
C:\WINDOWS\system32\suyhnejw.dll
C:\WINDOWS\system32\sxcpsacd.ini
C:\WINDOWS\system32\tqvmcshd.dll
C:\WINDOWS\system32\ueniqafb.ini
C:\WINDOWS\system32\uvintcke.dll
C:\WINDOWS\system32\uxvutevp.dll
C:\WINDOWS\system32\vfpqjuap.ini
C:\WINDOWS\system32\vwknqmpc.ini
C:\WINDOWS\system32\wfbrfnlu.ini
C:\WINDOWS\system32\wfscksbq.ini
C:\WINDOWS\system32\wnstsicom32.exe
C:\WINDOWS\system32\wywircbp.ini
C:\WINDOWS\system32\yllwvorn.ini
C:\WINDOWS\system32\yucpgiok.dll
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-01-17 to 2008-02-17 )))))))))))))))))))))))))))))))
.

2008-02-16 21:04 . 2008-02-16 21:05 <DIR> d-------- C:\ininstall_list
2008-02-15 19:51 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-15 19:32 . 2008-02-15 19:32 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-15 19:32 . 2008-02-15 19:32 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-14 21:08 . 2008-02-17 12:51 13,243 --a------ C:\WINDOWS\BMb74ae4e1.xml
2008-02-14 21:08 . 2008-02-17 12:48 22 --a------ C:\WINDOWS\pskt.ini
2008-02-13 21:14 . 2008-02-14 18:44 474 --ahs---- C:\WINDOWS\system32\byrxrgcg.ini
2008-02-08 22:28 . 2008-02-09 23:57 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-08 22:28 . 2008-02-08 22:28 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-19 22:40 . 2008-01-19 22:40 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-01-19 22:33 . 2008-01-19 22:33 <DIR> d-------- C:\Documents and Settings\Owner\.SunDownloadManager

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-17 17:59 --------- d-----w C:\Program Files\QuickTime
2008-02-16 04:57 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2008-02-16 02:57 --------- d-----w C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2008-02-12 01:47 --------- d-----w C:\Documents and Settings\Guest\Application Data\OpenOffice.org2
2008-02-12 01:45 --------- d-----w C:\Program Files\Digital Media Reader
2008-02-10 02:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-09 03:00 --------- d-----w C:\Program Files\LimeWire
2008-01-20 03:39 --------- d-----w C:\Program Files\Real
2008-01-20 03:39 --------- d-----w C:\Program Files\Common Files\Real
2008-01-12 03:52 --------- d-----w C:\Documents and Settings\Guest\Application Data\Talkback
2008-01-05 04:14 --------- d-----w C:\Documents and Settings\Owner\Application Data\Talkback
2007-12-31 04:51 380,416 ----a-w C:\WINDOWS\mrofinu11.exe.tmp
2007-12-30 16:42 --------- d-----w C:\Program Files\DB2000V3
2007-12-30 16:19 --------- d-----w C:\Program Files\Trend Micro
2007-12-30 16:03 --------- d-----w C:\Program Files\Lavasoft
2007-12-30 16:02 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
.
----a-w           313,472 2008-02-17 17:48:43  C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
----a-w           339,968 2008-02-17 17:48:35  C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
----a-w           185,896 2008-02-17 17:48:40  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w            32,768 2008-01-03 02:54:11  C:\Program Files\CyberLink\PowerDVD\PDVDServ .exe
----a-w           135,168 2008-02-10 22:36:25  C:\Program Files\Digital Media Reader\shwiconem .exe
----a-w            98,304 2008-01-04 22:18:25  C:\Program Files\QuickTime\qttask                   .exe
----a-w            15,360 2007-12-31 04:51:35  C:\WINDOWS\system32\ctfmon .exe
----a-w           155,648 2007-12-31 02:47:59  C:\WINDOWS\system32\NeroCheck .exe



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [ ]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [ ]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]

C:\Documents and Settings\Guest\Start Menu\Programs\Startup\
OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe [2006-01-25 21:42:22 61440]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Install Pending Files.LNK - C:\Program Files\SIFXINST\SIFXINST.EXE [2006-04-14 09:39:27 729088]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2006-07-30 23:59:34 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2006-07-30 23:59:35 C:\WINDOWS\Tasks\ISP signup reminder 2.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2006-07-30 23:59:35 C:\WINDOWS\Tasks\ISP signup reminder 3.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-17 13:11:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\Ati2evxx.exe
.
**************************************************************************
.
Completion time: 2008-02-17 13:13:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-17 18:12:52
.
2008-02-13 21:08:50 --- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:15, on 2008-02-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\iseeu.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 2667 bytes
noodles
Active Member
 
Posts: 13
Joined: February 15th, 2008, 8:15 pm
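As an added example (not code from this thread, from HijackThis or from ComboFix), here is a small Python triage script that applies the checks a helper makes by eye to the O2/O4 entries in the second HijackThis log above and to the "name .exe" lines in the ComboFix listing; the sample lines are constructed from entries posted in this thread, and the names, heuristics and the "machine-looking name" test are my own, a crude stand-in for the known-file database a helper would consult.

```python
"""Added example (not from the thread or from HijackThis/ComboFix): the
checks a helper makes by eye on the logs above. triage_hjt() flags O2 BHO
entries with no name, a GUID as the name, a "(file missing)" orphan or a
machine-looking system32 DLL, and O4 Run entries that load a DLL through
Rundll32 at logon. find_displaced() spots ComboFix listing lines of the
form "name .exe": a legitimate program copied aside with whitespace before
the extension so something else could take its path (what RenV:: undoes).
All sample lines are constructed from entries posted in this thread."""
import re

SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3BCA58E1-66A8-439C-A9F7-CA598C6C11C4} - C:\WINDOWS\system32\pmnlk.dll (file missing)
O2 - BHO: (no name) - {55E362F8-B5CC-4356-A6E8-A2B8526BF1D0} - C:\WINDOWS\system32\jkkji.dll
O2 - BHO: {c25866ae-a5ae-8579-9024-40e1ecd085ae} - {ea580dce-1e04-4209-9758-ea5aea66852c} - C:\WINDOWS\system32\erfcanym.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BMb74ae4e1] Rundll32.exe "C:\WINDOWS\system32\pjrtagax.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Constructed: three displaced copies from the RenV listing plus one untouched control entry.
SAMPLE_RENV = r"""
----a-w           313,472 2008-02-17 17:48:43  C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
----a-w            98,304 2008-01-04 22:18:25  C:\Program Files\QuickTime\qttask                   .exe
----a-w            15,360 2007-12-31 04:51:35  C:\WINDOWS\system32\ctfmon .exe
----a-w            69,120 2007-12-31 02:47:59  C:\WINDOWS\system32\notepad.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<entry>[^\]]*)\] (?P<cmd>.*)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?', re.I)
PATH_RE = re.compile(r"([A-Za-z]:\\.*)$")
DISPLACED_RE = re.compile(r"^(?P<stem>.*\S)\s+\.(?P<ext>exe|dll|sys|com)$", re.I)
MISSING = "(file missing)"


def looks_generated(stem: str) -> bool:
    """Crude heuristic (my own, not a real known-file database): a 5-8 letter
    all-lowercase stem with no vowel, or four consonants in a row, is treated
    as machine-generated (pmnlk, jkkji, pjrtagax, hhgxkxeh in this thread).
    Only applied to DLLs under system32, where legitimate names rarely look so."""
    if not (5 <= len(stem) <= 8 and stem.isalpha() and stem.islower()):
        return False
    if not set("aeiou") & set(stem):
        return True
    return re.search(r"[^aeiou]{4}", stem) is not None


def is_generated_system32_dll(path: str) -> bool:
    low = path.lower()
    if "\\system32\\" not in low or not low.endswith(".dll"):
        return False
    return looks_generated(path.rsplit("\\", 1)[-1][:-4])


def triage_hjt(log_text: str) -> list:
    """Return [(line, [reasons])] for each O2/O4 line that trips a check."""
    findings = []
    for line in log_text.splitlines():
        reasons = []
        m = O2_RE.match(line)
        if m:
            name, path = m.group("name"), m.group("path")
            if name == "(no name)":
                reasons.append("BHO registered without a name")
            elif GUID_RE.match(name):
                reasons.append("BHO name is itself a GUID")
            if path.endswith(MISSING):  # registry points at a DLL that is gone
                reasons.append("orphaned entry: file missing")
                path = path[: -len(MISSING)].strip()
            if is_generated_system32_dll(path):
                reasons.append("machine-looking DLL name in system32")
        else:
            m = O4_RE.match(line)
            dll = RUNDLL_RE.search(m.group("cmd")) if m else None
            if dll:  # Run key starts a DLL via Rundll32, as BMb74ae4e1 does above
                reasons.append("Rundll32 loads a DLL at logon: " + dll.group(1))
                if is_generated_system32_dll(dll.group(1)):
                    reasons.append("machine-looking DLL name in system32")
        if reasons:
            findings.append((line, reasons))
    return findings


def find_displaced(listing: str) -> dict:
    """Map every 'name .exe' path in a ComboFix listing to the original path
    it was copied away from (the path RenV:: restores it to)."""
    displaced = {}
    for line in listing.splitlines():
        m = PATH_RE.search(line)
        d = DISPLACED_RE.match(m.group(1)) if m else None
        if d:
            displaced[m.group(1)] = f"{d.group('stem')}.{d.group('ext')}"
    return displaced


if __name__ == "__main__":
    for entry, why in triage_hjt(SAMPLE_HJT):
        print(entry, "\n    ->", "; ".join(why))
    for copy, original in find_displaced(SAMPLE_RENV).items():
        print(f"displaced copy {copy!r} -> original {original!r}")
```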

Re: My Hijack This Logfile

Post by Scotty » February 18th, 2008, 4:58 am

Hi

We now suggest that you install the Windows Recovery Console. The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System, which in your case is the SP2 version.

Image


Download the file & save it as it's originally named, next to ComboFix.exe.

Image

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Re: My Hijack This Logfile

Post by noodles » February 18th, 2008, 9:58 pm

Well, for the first time in months, it looks like the adware/hijacker is gone! Thank you so much!!

Here's the logfile:

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
noodles
Active Member
 
Posts: 13
Joined: February 15th, 2008, 8:15 pm

Re: My Hijack This Logfile

Post by Scotty » February 20th, 2008, 2:52 pm

Hello

Go to http://virusscan.jotti.org
Copy the following line into the white textbox:
C:\ininstall_list
Click Submit.
Please post the results of this scan to this thread.


Remember to disconnect from the Internet before carrying out the next instruction, and to save the following script before you do.


Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text with your mouse and pressing Ctrl+C

KillAll::
 
File::
C:\WINDOWS\BMb74ae4e1.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\byrxrgcg.ini
C:\WINDOWS\mrofinu11.exe.tmp

RenV::
----a-w           313,472 2008-02-17 17:48:43  C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
----a-w           339,968 2008-02-17 17:48:35  C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
----a-w           185,896 2008-02-17 17:48:40  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w            32,768 2008-01-03 02:54:11  C:\Program Files\CyberLink\PowerDVD\PDVDServ .exe
----a-w           135,168 2008-02-10 22:36:25  C:\Program Files\Digital Media Reader\shwiconem .exe
----a-w            98,304 2008-01-04 22:18:25  C:\Program Files\QuickTime\qttask                   .exe
----a-w            15,360 2007-12-31 04:51:35  C:\WINDOWS\system32\ctfmon .exe
----a-w           155,648 2007-12-31 02:47:59  C:\WINDOWS\system32\NeroCheck .exe
 


Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

Image


Referring to the picture above, drag CFScript into ComboFix.exe

In your next reply post:
Jotti results
ComboFix.txt
New HJT log taken after the above scan has run
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Re: My Hijack This Logfile

Unread postby noodles » February 20th, 2008, 7:10 pm

Quick question before I do this:

All evidence of the hijacker is gone. IE no longer automatically enables tracking cookies like it used to upon first startup, and I no longer have to disable mysterious plug-ins that keep appearing. Popups are a thing of the past as well.

Is this last step just a precaution, or is there evidence I still have malware? My computer has built-in flash card readers, and a DVD drive, so I'm worried I might uninstall the drivers to those features if I go too far.

Thanks,

-Greg
noodles
Active Member
 
Posts: 13
Joined: February 15th, 2008, 8:15 pm

Re: My Hijack This Logfile

Unread postby Scotty » February 21st, 2008, 5:16 am

Hi

You still have a bit of work to do yet. We won't be going near your DVD drive or card readers so don't worry about that.
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Re: My Hijack This Logfile

Unread postby noodles » February 21st, 2008, 7:44 pm

Well, apparently so. Here's the result of what happened when I tried to submit C:\ininstall_list on that virusscan/jotti site:

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file
noodles
Active Member
 
Posts: 13
Joined: February 15th, 2008, 8:15 pm

Re: My Hijack This Logfile

Unread postby Scotty » February 22nd, 2008, 7:22 am

Hi

Just proceed with the rest for the moment.
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Re: My Hijack This Logfile

Unread postby noodles » February 22nd, 2008, 7:30 pm

Ok,

The Jotti didn't work again, but here are the results from the other two:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:29, on 2008-02-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\iseeu.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 2785 bytes





ComboFix 08-02-17.2 - Owner 2008-02-22 18:17:00.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.489 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\BMb74ae4e1.xml
C:\WINDOWS\mrofinu11.exe.tmp
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\byrxrgcg.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMb74ae4e1.xml
C:\WINDOWS\mrofinu11.exe.tmp
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\byrxrgcg.ini

.
((((((((((((((((((((((((( Files Created from 2008-01-22 to 2008-02-22 )))))))))))))))))))))))))))))))
.

2008-02-16 21:04 . 2008-02-16 21:05 <DIR> d-------- C:\ininstall_list
2008-02-15 19:51 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-15 19:32 . 2008-02-15 19:32 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-15 19:32 . 2008-02-15 19:32 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-08 22:28 . 2008-02-21 22:21 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-08 22:28 . 2008-02-08 22:28 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-21 05:12 --------- d-----w C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2008-02-19 17:11 --------- d-----w C:\Documents and Settings\Guest\Application Data\OpenOffice.org2
2008-02-18 05:05 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2008-02-17 17:59 --------- d-----w C:\Program Files\QuickTime
2008-02-12 01:45 --------- d-----w C:\Program Files\Digital Media Reader
2008-02-10 02:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-09 03:00 --------- d-----w C:\Program Files\LimeWire
2008-01-20 03:40 --------- d-----w C:\Program Files\Common Files\xing shared
2008-01-20 03:39 --------- d-----w C:\Program Files\Real
2008-01-20 03:39 --------- d-----w C:\Program Files\Common Files\Real
2008-01-12 03:52 --------- d-----w C:\Documents and Settings\Guest\Application Data\Talkback
2008-01-05 04:14 --------- d-----w C:\Documents and Settings\Owner\Application Data\Talkback
2007-12-30 16:42 --------- d-----w C:\Program Files\DB2000V3
2007-12-30 16:19 --------- d-----w C:\Program Files\Trend Micro
2007-12-30 16:03 --------- d-----w C:\Program Files\Lavasoft
2007-12-30 16:02 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
.
Code: Select all
<pre>
----a-w           339,968 2008-02-17 17:48:35  C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
----a-w           185,896 2008-02-17 17:48:40  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w            32,768 2008-01-03 02:54:11  C:\Program Files\CyberLink\PowerDVD\PDVDServ .exe
----a-w           135,168 2008-02-10 22:36:25  C:\Program Files\Digital Media Reader\shwiconem .exe
----a-w            98,304 2008-01-04 22:18:25  C:\Program Files\QuickTime\qttask                   .exe
----a-w            15,360 2007-12-31 04:51:35  C:\WINDOWS\system32\ctfmon .exe
----a-w           155,648 2007-12-31 02:47:59  C:\WINDOWS\system32\NeroCheck .exe
</pre>



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2008-02-17 12:48 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [ ]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [ ]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]

C:\Documents and Settings\Guest\Start Menu\Programs\Startup\
OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe [2006-01-25 21:42:22 61440]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Install Pending Files.LNK - C:\Program Files\SIFXINST\SIFXINST.EXE [2006-04-14 09:39:27 729088]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2006-07-30 23:59:34 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2006-07-30 23:59:35 C:\WINDOWS\Tasks\ISP signup reminder 2.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2006-07-30 23:59:35 C:\WINDOWS\Tasks\ISP signup reminder 3.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-22 18:22:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\Ati2evxx.exe
.
**************************************************************************
.
Completion time: 2008-02-22 18:25:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-22 23:25:18
ComboFix2.txt 2008-02-17 18:13:01
.
2008-02-13 21:08:50 --- E O F ---
noodles
Active Member
 
Posts: 13
Joined: February 15th, 2008, 8:15 pm

Re: My Hijack This Logfile

Unread postby Scotty » February 23rd, 2008, 1:28 pm

Hi

Just to let you know, we are trying to repair some programs that have been damaged by the malware, so it may seem we are repeating some of the steps. It is important you do things the way I set out and when copying the script from the code box, don't miss anything out.


Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text with your mouse and pressing Ctrl+C

Code:
RenV::
----a-w           339,968 2008-02-17 17:48:35  C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
----a-w           185,896 2008-02-17 17:48:40  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w            32,768 2008-01-03 02:54:11  C:\Program Files\CyberLink\PowerDVD\PDVDServ .exe
----a-w           135,168 2008-02-10 22:36:25  C:\Program Files\Digital Media Reader\shwiconem .exe
----a-w            98,304 2008-01-04 22:18:25  C:\Program Files\QuickTime\qttask                   .exe
----a-w            15,360 2007-12-31 04:51:35  C:\WINDOWS\system32\ctfmon .exe
----a-w           155,648 2007-12-31 02:47:59  C:\WINDOWS\system32\NeroCheck .exe

DirLook::
C:\ininstall_list 


Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop.

Reboot into SAFE MODE
    By pressing the F8 key right when Windows starts, usually right after you hear your computer
    beep when you reboot it (some versions of windows will display 'Starting Windows' with a grey progress bar)
    you will be brought to a menu where you can choose to boot into safe mode.

    If it does not work on the first try, reboot and try again, as you have to be quick when you press it.

    I have found that during boot up, right after the computer displays the equipment, memory, etc
    installed on your computer, if you start lightly tapping the F8 key, the system will usually display the menu.


Image


Referring to the picture above, drag CFScript into ComboFix.exe

If the computer does not reboot itself, reboot back into Normal Mode

In your next reply post:
ComboFix.txt
New HijackThis log taken after the above scan has run
.
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland
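The two CFScripts in this thread use three ComboFix directives: File:: names files to delete, RenV:: lists executables that were left with a space in front of their .exe extension (atiptaxx .exe, qttask .exe) so that ComboFix renames them back, and DirLook:: asks for a directory listing. As an added example that is not ComboFix's code or anything posted in this thread, the Python below parses that script format and cross-checks the RenV:: entries against HijackThis O4 autostart lines to show which Run entries point at a file that currently exists only under the damaged name; the sample script and O4 lines are constructed from the paths quoted in this thread.

```python
"""Parse a ComboFix CFScript and cross-check its RenV:: entries against
HijackThis O4 lines. Added example, not ComboFix's or the forum's own code."""
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the script posted in this thread.
CFSCRIPT = """KillAll::

File::
C:\\WINDOWS\\BMb74ae4e1.xml
C:\\WINDOWS\\pskt.ini

RenV::
----a-w           339,968 2008-02-17 17:48:35  C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx .exe
----a-w            98,304 2008-01-04 22:18:25  C:\\Program Files\\QuickTime\\qttask                   .exe
----a-w           155,648 2007-12-31 02:47:59  C:\\WINDOWS\\system32\\NeroCheck .exe

DirLook::
C:\\ininstall_list
"""
# Constructed HijackThis O4 (autostart) lines of the kind in the thread's logs.
HJT_O4 = """O4 - HKLM\\..\\Run: [NeroFilterCheck] C:\\WINDOWS\\system32\\NeroCheck.exe
O4 - HKLM\\..\\Run: [ATIPTA] C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe
O4 - HKLM\\..\\Run: [TkBellExe] "C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe" -osboot
"""
O4_RE = re.compile(r'^O4 - \S+: \[(?P<name>[^\]]+)\] "?(?P<exe>.+?\.exe)"?', re.I)


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into {directive: body lines}. A directive line ends
    with '::'; the non-empty lines after it belong to it until the next one."""
    sections: Dict[str, List[str]] = {}
    current = None
    for line in (raw.rstrip() for raw in text.splitlines()):
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def renv_restorations(renv_lines: List[str]) -> List[Tuple[str, str]]:
    """Map each RenV entry to (damaged path, restored path). An entry is
    attributes, size, date, time, then a path that may itself contain spaces,
    so split on whitespace at most four times. The damage is whitespace in
    front of the extension ('atiptaxx .exe'); restoring simply removes it."""
    out = []
    for line in renv_lines:
        parts = line.split(None, 4)
        if len(parts) == 5:  # anything shorter is not a listing line
            damaged = parts[4]
            out.append((damaged, re.sub(r"\s+(\.[A-Za-z0-9]+)$", r"\1", damaged)))
    return out


def parse_hjt_o4(text: str) -> Dict[str, str]:
    """Return {entry name: executable path} for HijackThis O4 lines,
    dropping surrounding quotes and trailing command-line arguments."""
    matches = (O4_RE.match(line.strip()) for line in text.splitlines())
    return {m.group("name"): m.group("exe") for m in matches if m}


def broken_autostarts(cfscript: str, hjt_o4: str) -> List[str]:
    """Names of Run entries whose target is present only under a damaged
    RenV name, so they cannot start until the file is renamed back.
    Paths compare case-insensitively, as NTFS does."""
    renv = parse_cfscript(cfscript).get("RenV", [])
    restored = {fixed.lower() for _, fixed in renv_restorations(renv)}
    o4 = parse_hjt_o4(hjt_o4)
    return sorted(name for name, exe in o4.items() if exe.lower() in restored)
```

For the sample above, `broken_autostarts(CFSCRIPT, HJT_O4)` returns `['ATIPTA', 'NeroFilterCheck']`, the two Run entries whose targets exist on disk only with the stray space, which is why those entries cannot load until RenV:: has run.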

Re: My Hijack This Logfile

Unread postby noodles » February 23rd, 2008, 9:28 pm

Ok, I did the above. Here are my logfiles:

ComboFix 08-02-17.2 - Owner 2008-02-23 20:17:28.3 - NTFSx86 MINIMAL
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2008-01-24 to 2008-02-24 )))))))))))))))))))))))))))))))
.

2008-02-16 21:04 . 2008-02-16 21:05 <DIR> d-------- C:\ininstall_list
2008-02-15 19:51 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-15 19:32 . 2008-02-15 19:32 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-15 19:32 . 2008-02-15 19:32 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-08 22:28 . 2008-02-21 22:21 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-08 22:28 . 2008-02-08 22:28 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-23 04:49 --------- d-----w C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2008-02-19 17:11 --------- d-----w C:\Documents and Settings\Guest\Application Data\OpenOffice.org2
2008-02-18 05:05 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2008-02-17 17:59 --------- d-----w C:\Program Files\QuickTime
2008-02-12 01:45 --------- d-----w C:\Program Files\Digital Media Reader
2008-02-10 02:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-10 02:14 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-02-09 03:00 --------- d-----w C:\Program Files\LimeWire
2008-01-20 03:40 --------- d-----w C:\Program Files\Common Files\xing shared
2008-01-20 03:39 --------- d-----w C:\Program Files\Real
2008-01-20 03:39 --------- d-----w C:\Program Files\Common Files\Real
2008-01-20 03:38 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-01-20 03:38 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-01-12 03:52 --------- d-----w C:\Documents and Settings\Guest\Application Data\Talkback
2008-01-05 04:14 --------- d-----w C:\Documents and Settings\Owner\Application Data\Talkback
2008-01-03 00:15 329,728 ----a-w C:\WINDOWS\system32\RCXEF6.tmp
2007-12-31 04:51 15,360 ----a-w C:\WINDOWS\system32\ctfmon .exe
2007-12-31 02:47 155,648 ----a-w C:\WINDOWS\system32\NeroCheck .exe
2007-12-30 16:42 --------- d-----w C:\Program Files\DB2000V3
2007-12-30 16:19 --------- d-----w C:\Program Files\Trend Micro
2007-12-30 16:03 --------- d-----w C:\Program Files\Lavasoft
2007-12-30 16:02 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
.
Code: Select all
<pre>
----a-w           185,896 2008-02-17 17:48:40  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w            32,768 2008-01-03 02:54:11  C:\Program Files\CyberLink\PowerDVD\PDVDServ .exe
----a-w           135,168 2008-02-10 22:36:25  C:\Program Files\Digital Media Reader\shwiconem .exe
----a-w            98,304 2008-01-04 22:18:25  C:\Program Files\QuickTime\qttask                   .exe
----a-w            15,360 2007-12-31 04:51:35  C:\WINDOWS\system32\ctfmon .exe
----a-w           155,648 2007-12-31 02:47:59  C:\WINDOWS\system32\NeroCheck .exe
</pre>



(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\ininstall_list ----

2008-02-16 21:05 6074 --a------ C:\ininstall_list\uninstall_list.txt


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2008-02-17 12:48 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [ ]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2008-02-17 12:48 339968]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]

C:\Documents and Settings\Guest\Start Menu\Programs\Startup\
OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe [2006-01-25 21:42:22 61440]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Install Pending Files.LNK - C:\Program Files\SIFXINST\SIFXINST.EXE [2006-04-14 09:39:27 729088]


.
Contents of the 'Scheduled Tasks' folder
"2006-07-30 23:59:34 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2006-07-30 23:59:35 C:\WINDOWS\Tasks\ISP signup reminder 2.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2006-07-30 23:59:35 C:\WINDOWS\Tasks\ISP signup reminder 3.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-23 20:20:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-23 20:22:15
ComboFix-quarantined-files.txt 2008-02-24 01:21:27
ComboFix2.txt 2008-02-22 23:25:27
ComboFix3.txt 2008-02-17 18:13:01
.
2008-02-13 21:08:50 --- E O F ---





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:25, on 2008-02-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Trend Micro\HijackThis\iseeu.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 2703 bytes
noodles
Active Member
 
Posts: 13
Joined: February 15th, 2008, 8:15 pm