Please check my Hijack log

BOWTYE8
11-16-08, 06:47 AM
Issue just started this past week. IE keeps getting pop up windows every time I open it. I do have pop up blocker on.
Then IE was getting slower. Well, checked processes and it's constantly running 95%. Most of the items listed had some process %'s. Nothing else running; usually displays 95% idle process.

Sometimes I get low process, but then I tried to log in my wife and processes take off. Or if she logs in first then I log in... they go up.
Did Avast scan - Found rootkit 32. I moved it to chest.
Also did reg cure. It seems to fix some items each time. Did not pay attention. Just fixed.
I did load msconfig and turn off most items except a few.

Here is my hijack log

Logfile of HijackThis v1.99.1
Scan saved at 7:35:44 AM, on 11/16/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ARS SOFTWARE\ARS VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
D:\Installs\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2f1f5e58-ac82-41c8-bd77-5262ae6665f0} - C:\WINDOWS\system32\dabavibo.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Acronis*True*Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [tumufazisi] Rundll32.exe "C:\WINDOWS\system32\jineniwi.dll",s
O4 - HKLM\..\Run: [CPM5f064184] Rundll32.exe "c:\windows\system32\tejemodo.dll",a
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.connect.com/XSL/mb_us//html/activexplayer/SMALStreaming.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\kigoyiju.dll c:\windows\system32\tejemodo.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\tejemodo.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\ARS SOFTWARE\ARS VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

Thanks in advance
Dennis

TonyT
11-16-08, 07:19 AM
Use HjT to Fix the following:

O2 - BHO: (no name) - {2f1f5e58-ac82-41c8-bd77-5262ae6665f0} - C:\WINDOWS\system32\dabavibo.dll
O4 - HKLM\..\Run: [tumufazisi] Rundll32.exe "C:\WINDOWS\system32\jineniwi.dll",s
O4 - HKLM\..\Run: [CPM5f064184] Rundll32.exe "c:\windows\system32\tejemodo.dll",a
O20 - AppInit_DLLs: C:\WINDOWS\system32\kigoyiju.dll c:\windows\system32\tejemodo.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\tejemodo.dll

Next:

Go here and download ComboFix, save it to Desktop, reboot into Safe Mode & run the tool. Let it do its stuff, then come back here & post the ComboFix report.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

BOWTYE8
11-16-08, 08:03 AM
Did the hijack repairs.
Having trouble with ComboFix.
Started safe mode and it loaded and seemed to back up and save reg. Then it just displayed "preparing to run" for about 15 mins now. Never displaying the recovery console install etc.....

Working from a laptop. IE on main rig is not well.

Sava700
11-16-08, 10:48 AM
it just looks like good ole fashioned spyware/malware.

Run a superantispyware.com scan for starters... even an Avast boot scan would prob pick up stuff stuck in memory.

mnosteele52
11-16-08, 01:05 PM
Try following my Malware Removal Guide (http://www.drtweak.com/index.php?topic=176.0).

:)

Sava700
11-16-08, 06:31 PM
These are my steps... haven't failed me yet and I do it several times a day on student machines ;)

First is to run through your add/remove programs list and trash anything that looks like junk (just helps to clean the comp up). I remove all toolbars I find as I've seen some of the vundo variants attach to them for some reason. You can always install them again later so don't worry about it.

2nd thing is to TURN OFF System Restore!!!

3rd go to Start, Run, and type in msconfig and uncheck anything that looks funny from the Startup Tab, including IM's for the time being, as you will want to restart the computer fast and keep the variants from starting as well.

Load CCleaner (no need to install this, it's portable!) and select everything to clean! - http://www.majorgeeks.com/CCleaner_Portable_d5735.html
Load/update Avast Home - http://www.avast.com
Load/update superantispyware - http://www.superantispyware.com
Load/update Malwarebytes - MalwareBytes (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)
Load/update Spybot Search & Destroy 1.6 - spybot (http://www.majorgeeks.com/download.php?det=2471)
Download - MS Autoruns (http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx)

Boot into safe mode and set Avast for a boot scan upon restart - preselect it to delete anything it finds etc. but don't reboot the computer.

Run CCleaner to remove all junk and crap from your temp files etc. You will still need to set hidden files/folders to show up in the folder options and browse to your Local folder within your user account and select all files in the Temp and Temporary Internet Files folders and delete EVERYTHING!

Next run a superantispyware full scan. If it finds major things, mostly what's found in memory, it will require a reboot. That's fine, reboot and then let Avast run its scan and boot into Windows normally.

Run MalwareBytes and remove whatever it finds.

Next run Autoruns and again check for anything odd, usually not showing a publisher or looking like this "jaleiwa.exe" etc. You get the idea. Just right click on them and delete, that's it. Close Autoruns and then run Spybot to finish up that last ditch scan clean up using it.

Run CCleaner once more then reboot and see where you stand after this point. Keep in mind this may take at least 4 hours to complete but it should remove everything if you've done it right!

Good Luck!
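As an added example (not code from this thread, from HijackThis or from Autoruns), a small Python triage script that applies the indicators behind both TonyT's fix list and Sava700's "looks like jaleiwa.exe" Autoruns advice to lines in HijackThis log format: a BHO with no name, a populated AppInit_DLLs value, and pronounceable-gibberish filenames sitting in system32. The random-name test is a heuristic of my own, and the sample log is constructed from entries posted in this thread.

```python
import re

# Constructed sample in HijackThis log format: entries copied from the log
# posted in this thread, clean and suspect ones side by side.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2f1f5e58-ac82-41c8-bd77-5262ae6665f0} - C:\WINDOWS\system32\dabavibo.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [tumufazisi] Rundll32.exe "C:\WINDOWS\system32\jineniwi.dll",s
O4 - HKLM\..\Run: [CPM5f064184] Rundll32.exe "c:\windows\system32\tejemodo.dll",a
O20 - AppInit_DLLs: C:\WINDOWS\system32\kigoyiju.dll c:\windows\system32\tejemodo.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\tejemodo.dll
"""

# Full Windows path ending in .dll/.exe; non-greedy so the two paths in the
# AppInit_DLLs entry are found separately.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:dll|exe)\b', re.IGNORECASE)
VOWELS = set("aeiou")


def looks_random(stem):
    """Heuristic (mine, not a HijackThis rule) for the pronounceable gibberish
    names in this thread (dabavibo, jineniwi, tejemodo, kigoyiju) and Sava700's
    "jaleiwa": 6-10 letters only, never two consonants in a row."""
    stem = stem.lower()
    if not 6 <= len(stem) <= 10 or not stem.isalpha():
        return False
    return all(a in VOWELS or b in VOWELS for a, b in zip(stem, stem[1:]))


def triage(log_text):
    """Return (reasons, line) pairs for entries that deserve a second look."""
    findings = []
    for line in log_text.splitlines():
        code, _, rest = line.partition(" - ")  # e.g. "O4", "HKLM\..\Run: ..."
        reasons = []
        if code == "O2" and "(no name)" in rest:
            reasons.append("BHO registered without a name")
        if code == "O20" and rest.startswith("AppInit_DLLs:") and rest.split(":", 1)[1].strip():
            reasons.append("AppInit_DLLs populated (loaded into every user-mode process)")
        for path in PATH_RE.findall(rest):
            folder, _, name = path.rpartition("\\")
            if "\\system32" in folder.lower() and looks_random(name.rsplit(".", 1)[0]):
                reasons.append("random-looking filename in system32: " + name)
        if reasons:
            findings.append(("; ".join(reasons), line))
    return findings


if __name__ == "__main__":
    for reasons, line in triage(SAMPLE_LOG):
        print(reasons, "<-", line)
```

Run against the full log from the first post, it flags exactly the five entries TonyT listed; anything it flags still needs a human look, since a legitimate vendor file can have an odd name.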

TonyT
11-16-08, 06:49 PM
Did the hijack repairs.
Having trouble with ComboFix.
Started safe mode and it loaded and seemed to back up and save reg. Then it just displayed "preparing to run" for about 15 mins now. Never displaying the recovery console install etc.....

Working from a laptop. IE on main rig is not well.

1. boot in Safe Mode (press F8 during boot)
2. don't install recovery console (cause you need a net connection and you are in Safe Mode WITHOUT networking)
3. run the program.
4. when it reboots the comp press F8 to boot in safe mode again.

That rootkit you had likely dropped other rootkits, it's not likely the antivirus detected the initial rootkit.

BOWTYE8
11-17-08, 04:47 PM
Guys thanks for the info. I am back up and running.

You know, I have taken my system for granted. I help others with PC cleanups etc.... I have been pretty good till this.
The superantispyware did a good job, found about 45 items. Most were cookie items but a few that had more impact.

I have done everything listed but the malwarebytes. I will work on that tonight.

Thanks again :thumb: