Hijack This log - multiple dll files w/random names


Unread postby prologic08 » July 23rd, 2008, 5:27 pm

Hello,

I am having an issue with popups to install AV 2008, which has not been installed. I have been trying for 2 days to stop this issue. So far, I have been having multiple DLL files regenerating with random names. I have shut off System Restore and run Trend Sysclean with no luck. I use Autoruns to see these DLL files (located in the System32 folder) and have deleted them, to see them immediately come back. I have used Killbox to delete on boot-up with no luck, and I do not see anything running in Process Explorer. Currently, Trend sees TROJ_CONHOOK.DQ as the problem. The current DLLs that will not go away are 2 random DLLs (khfcutka & ljjbqplx) and WINCTRL32. I am currently running SDFix and will not be checking it again until the morning. Below is the Hijack This file:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:14:34 PM, on 7/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Drivers\trcboot.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Altiris\AClient\AClient.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\WINDOWS\system32\ccsrvc.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SUSS.EXE
C:\WINDOWS\system32\tlntsvr.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\WVC691.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Altiris\AClient\AClntUsr.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.planetarrow.com/na/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.planetarrow.com/na/index.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.planetarrow.com/index.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = arrowproxy.arrow.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.sbm.com;*.arrow.com;*.planetarrow.com;*.arrowecs.com;*.arrownacp.com;*.arrownac.com;*.supnet.com;*.micron.com;*.eaglegl.com;*.divsys.com;*.sun.com;planetarrow.com;*.arrowacs.com;*.arrowkeylink.com;*.pios.com;10.*;206.135.167.137;206.135.167.180;*.hp.com;*.compaq.com;*.ibm.com;*.arrowdevtools.com;*.eldec.com;*.craneaerospace.com;*.netapp.com;*.altera.com;*.analog.com;*.freescale;arrownac.com;*.emc.com;*.hitachi.com;*.beckman.com;192.168.14.244;ep.bitechnologies.com;199.243.76.209;105.128.2.0;erp.avagotech.com;enterprisehr.adphc.com;*.agilysys.com;*.keylink.com,*.oracle.com,192.168.63.*;<local>
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [AeXAgentLogon] C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe /logon
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Bginfo.lnk = C:\WINDOWS\Bginfo.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O14 - IERESET.INF: START_PAGE_URL=http://www.planetarrow.com/na/index.html
O15 - Trusted Zone: http://egain.arrow.com
O15 - Trusted Zone: http://egain2.arrow.com
O15 - Trusted Zone: http://*.arrow.com
O15 - Trusted Zone: http://*.arrowecs.com
O15 - Trusted Zone: http://*.arrowkeylink.com
O15 - Trusted Zone: http://*.arrownac.com
O15 - Trusted Zone: http://*.arrownacp.com
O15 - Trusted Zone: *.arwnet.com
O15 - Trusted Zone: http://*.planetarrow.com
O15 - Trusted Zone: http://www.skillport.com
O15 - Trusted Zone: http://www.skillsoft.com
O15 - Trusted Zone: http://www.skillwsa.com
O15 - Trusted Zone: http://arrow.webex.com
O15 - Trusted Zone: http://egain.arrow.com (HKLM)
O15 - Trusted Zone: http://egain2.arrow.com (HKLM)
O15 - Trusted Zone: http://*.arrow.com (HKLM)
O15 - Trusted Zone: http://*.arrowecs.com (HKLM)
O15 - Trusted Zone: http://*.arrowkeylink.com (HKLM)
O15 - Trusted Zone: http://*.arrownac.com (HKLM)
O15 - Trusted Zone: http://*.arrownacp.com (HKLM)
O15 - Trusted Zone: *.arwnet.com (HKLM)
O15 - Trusted Zone: http://*.planetarrow.com (HKLM)
O15 - Trusted Zone: http://www.skillport.com (HKLM)
O15 - Trusted Zone: http://www.skillsoft.com (HKLM)
O15 - Trusted Zone: http://www.skillwsa.com (HKLM)
O15 - Trusted Zone: http://arrow.webex.com (HKLM)
O15 - Trusted IP range: http://192.168.63.*
O15 - Trusted IP range: http://192.168.63.* (HKLM)
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://webiq001.webiqonline.com/WebIQ/bin/WebIQ.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 6731318126
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 6731293305
O16 - DPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} (Loader Class v3) - http://td.planetarrow.com/Spider90.ocx
O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) - http://usmlrh68.arrow.com:8004/jinitiator/oajinit.exe
O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) - http://usmliu14.arrow.com:7778/forms/ji ... /jinit.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = arrownao.corp.arrow.com
O17 - HKLM\Software\..\Telephony: DomainName = arrownao.corp.arrow.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = arrownao.corp.arrow.com
O20 - AppInit_DLLs: AMInit.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINDOWS\system32\ccsrvc.exe
O23 - Service: Carbon Copy Scheduler (CarbonCopyScheduler) - Altiris - C:\WINDOWS\system32\schdsrvc.exe
O23 - Service: DB2 JDBC Applet Server (DB2JDS) - International Business Machines Corporation - C:\Program Files\SQLLIB\BIN\db2jds.exe
O23 - Service: DB2 Security Server (DB2NTSECSERVER) - International Business Machines Corporation - C:\Program Files\SQLLIB\BIN\db2sec.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: OracleDev6iClientCache80 - Unknown owner - C:\Dev6i\BIN\ONRSD80.EXE
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: IBM Trace Facility (TrcBoot) - IBM Corporation - C:\WINDOWS\system32\Drivers\trcboot.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9242 bytes
prologic08
Active Member
 
Posts: 4
Joined: July 9th, 2008, 11:04 am
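An added triage helper (not from this thread, from the poster, or from HijackThis itself) that parses the HijackThis v2 line format shown in the log above and flags the entries a log reviewer would verify first: processes running from a temp directory, a non-empty O20 AppInit_DLLs value, an O7 DisableRegedit policy, and O23 services with no publisher information. The sample log is constructed from lines copied out of the posted log, and the flag criteria are my own heuristics rather than HijackThis rules.

```python
# Constructed sample in HijackThis v2 format; paths and O-lines copied from the posted log.
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\TEMP\\WVC691.EXE
C:\\WINDOWS\\explorer.exe

O4 - HKLM\\..\\Run: [igfxpers] C:\\WINDOWS\\system32\\igfxpers.exe
O7 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System, DisableRegedit=1
O20 - AppInit_DLLs: AMInit.dll
O23 - Service: OracleDev6iClientCache80 - Unknown owner - C:\\Dev6i\\BIN\\ONRSD80.EXE
"""


def parse_hjt(text):
    """Split a log into running processes and (code, body) entries (codes R0-R3, F0-F3, N1-N4, O1-O24)."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True  # the process list runs until the first blank line
            continue
        if in_procs:
            if line:
                processes.append(line)
            else:
                in_procs = False
            continue
        code, sep, body = line.partition(" - ")
        if sep and code[:1] in "RFNO" and code[1:].isdigit():
            entries.append((code, body))
    return processes, entries


def triage(text):
    """Return notes on the items a reviewer would verify first (own heuristics, not HJT's)."""
    processes, entries = parse_hjt(text)
    notes = []
    for p in processes:
        if "\\temp\\" in p.lower():
            notes.append(f"process running from a temp directory: {p}")
    for code, body in entries:
        if code == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            notes.append(f"AppInit_DLLs loads a DLL into every user32 process, verify: {body}")
        elif code == "O7" and "DisableRegedit=1" in body:
            notes.append(f"registry editor disabled by policy: {body}")
        elif code == "O23" and "Unknown owner" in body:
            notes.append(f"service with no publisher information, verify: {body}")
    return notes
```

Run `triage(open("hijackthis.log").read())` against a full log to get the same notes for every process and entry line; the O4 line in the sample is left unflagged on purpose, to show that ordinary entries pass through.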

Re: Hijack This log - multiple dll files w/random names

Unread postby prologic08 » July 24th, 2008, 8:41 am

OK, SDFix did not fix the problem. Any suggestions on this?
prologic08
Active Member
 
Posts: 4
Joined: July 9th, 2008, 11:04 am

Re: Hijack This log - multiple dll files w/random names

Unread postby prologic08 » July 25th, 2008, 10:38 am

CLOSE. I have fixed the issue. Ran Combofix.
prologic08
Active Member
 
Posts: 4
Joined: July 9th, 2008, 11:04 am
