Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

HIJACK THIS - THRILLASTILLA

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

HIJACK THIS - THRILLASTILLA

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:09:10 PM, on 1/21/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\$sys$filesystem\$sys$DRMServer.exe
C:\WINDOWS\CDProxyServ.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThreatFire\TFService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [ThreatFire] "C:\Program Files\ThreatFire\TFTray.exe"
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [IntelliMouse Explorer V2.3] C:\WINDOWS\netpefr32.exe
O4 - HKCU\..\Run: [Legacy VGA Drivers V1.0] C:\WINDOWS\certproc32.exe
O4 - HKUS\S-1-5-21-2052111302-1326574676-725345543-1004\..\Run: [IntelliMouse Explorer V2.3] C:\WINDOWS\netpefr32.exe (User '?')
O4 - HKUS\S-1-5-21-2052111302-1326574676-725345543-1004\..\Run: [Legacy VGA Drivers V1.0] C:\WINDOWS\certproc32.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 9138672531
O22 - SharedTaskScheduler: arsenicism - {075a465d-0af2-4b79-8db3-2fda0fd8d74c} - (no file)
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINDOWS\System32\$sys$filesystem\$sys$DRMServer.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: Crypkey License - Unknown owner - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 5279 bytes
thrillastilla
Active Member

Posts: 14
Joined: January 21st, 2008, 2:04 pm
Register to Remove

Re: HIJACK THIS - THRILLASTILLA

Sorry for the delay in a reply. If you still require help can you post a new HijackThis log please. Its been a few days since you've posted and something in it may have changed since then.

Thanks.

'KotaGuy

Posts: 12472
Joined: April 7th, 2005, 7:06 pm

Re: HIJACK THIS - THRILLASTILLA

Here's the new info as of Jan 26, 2008...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:21:20 PM, on 1/26/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\$sys$filesystem\$sys$DRMServer.exe
C:\WINDOWS\CDProxyServ.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThreatFire\TFService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9E59910D-7F5C-4FC2-833B-4098F3775FCE} - C:\WINDOWS\System32\ssqpm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [ThreatFire] "C:\Program Files\ThreatFire\TFTray.exe"
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [IntelliMouse Explorer V2.3] C:\WINDOWS\netpefr32.exe
O4 - HKCU\..\Run: [Legacy VGA Drivers V1.0] C:\WINDOWS\certproc32.exe
O4 - HKUS\S-1-5-21-2052111302-1326574676-725345543-1004\..\Run: [IntelliMouse Explorer V2.3] C:\WINDOWS\netpefr32.exe (User '?')
O4 - HKUS\S-1-5-21-2052111302-1326574676-725345543-1004\..\Run: [Legacy VGA Drivers V1.0] C:\WINDOWS\certproc32.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 9138672531
O20 - Winlogon Notify: wvutrpq - wvutrpq.dll (file missing)
O22 - SharedTaskScheduler: arsenicism - {075a465d-0af2-4b79-8db3-2fda0fd8d74c} - (no file)
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINDOWS\System32\$sys$filesystem\$sys$DRMServer.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: Crypkey License - Unknown owner - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 6068 bytes
thrillastilla
Active Member

Posts: 14
Joined: January 21st, 2008, 2:04 pm

Re: HIJACK THIS - THRILLASTILLA

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

'KotaGuy

Posts: 12472
Joined: April 7th, 2005, 7:06 pm

Re: HIJACK THIS - THRILLASTILLA

When opening "COMBOFIX", I get an error message saying:
Combofix/nircmd.com is not a valid win32 application.
thrillastilla
Active Member

Posts: 14
Joined: January 21st, 2008, 2:04 pm

Re: HIJACK THIS - THRILLASTILLA

Try running it again with the new copy.

Thanks.

'KotaGuy

Posts: 12472
Joined: April 7th, 2005, 7:06 pm

Re: HIJACK THIS - THRILLASTILLA

Ok, I have two computers.. One has XP service pack 2, and the one with the virus has XP service pack 1..

Oddly enough, Combo fix works on XP service pack 2, but can't get it to work on Xp service pack 1. I don't know if that's actually the problem, but I have seen that some software doesn't work on Service pack 1. I've tried to update service pack 1 to service pack 2, but keep getting an "Access is denied" error. Is there any other software I can try besides ComboFix?
thrillastilla
Active Member

Posts: 14
Joined: January 21st, 2008, 2:04 pm

Re: HIJACK THIS - THRILLASTILLA

The fact that SP1 is installed shouldn't have any bearing on being able to run ComboFix. But since you are having issues with it we'll try something else.

• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• Once the program has loaded, select Perform full scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt

'KotaGuy

Posts: 12472
Joined: April 7th, 2005, 7:06 pm

Re: HIJACK THIS - THRILLASTILLA

OK, that seemed to work fine, here's two text files that occured. One before I selected "remove selected", and one afterwards before the computer was made to shutdown... file 1118 is before the removal, and 1619 is after the removal..
You do not have the required permissions to view the files attached to this post.
thrillastilla
Active Member

Posts: 14
Joined: January 21st, 2008, 2:04 pm

Re: HIJACK THIS - THRILLASTILLA

Looks good. Can you post a new HijackThis log please.

'KotaGuy

Posts: 12472
Joined: April 7th, 2005, 7:06 pm

Re: HIJACK THIS - THRILLASTILLA

ok, here's a new hijack this log text as of february 04, 2008...
You do not have the required permissions to view the files attached to this post.
thrillastilla
Active Member

Posts: 14
Joined: January 21st, 2008, 2:04 pm

Re: HIJACK THIS - THRILLASTILLA

Couple questions for you...

1. Did you knowingly install the ASK Toolbar?

R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

2. It seems you may have the Sony XPM DRM Rootkit installed on your System. Please read through these and let me know what you would like to do about it...

http://vil.nai.com/vil/content/v_136855.htm
http://blogs.technet.com/markrussinovic ... ponds.aspx
http://www.bleepingcomputer.com/startup ... 13347.html
http://www.bleepingcomputer.com/forums/topic34904.html

'KotaGuy

Posts: 12472
Joined: April 7th, 2005, 7:06 pm

Re: HIJACK THIS - THRILLASTILLA

Yes, I did knowingly install the ask bar through webroot spyware software.. But, if any of those two are going to cause damage, rather than helping in any form, then yes, we can remove them...
thrillastilla
Active Member

Posts: 14
Joined: January 21st, 2008, 2:04 pm

Re: HIJACK THIS - THRILLASTILLA

OK... if you installed the ASK Toolbar intentionally thats fine... was just wondering.

As for the Sony RootKit...

1. Click on the Start button.
2. Click on the Run option.
3. In the Open: field type cmd /k sc delete $sys$aries and press the OK button.
5. Delete C:\Windows\system32\$sys$filesystem\aries.sys (Replace %WinDir% with the directory that Windows is installed on your computer)
The RootKit should now be taken care of.

Run HijackThis and click the Misc Tools button. Then the Uninstall Manager button. Then the Save List button. Save that list to your Desktop. Copy/paste the contents of the list in your next reply.

Thanks.

'KotaGuy

Posts: 12472
Joined: April 7th, 2005, 7:06 pm

Re: HIJACK THIS - THRILLASTILLA

The cmd failed me, and I didn't see "aries.sys" in the place you told me to look... I did a search for that file, and there were no results to display..
thrillastilla
Active Member

Posts: 14
Joined: January 21st, 2008, 2:04 pm
Register to Remove

Next

• Similar Topics
Replies
Views
Last post