My home PC hijackthis log

Status
Not open for further replies.

BrendanGrady (Solid State Member, 6 messages)
Please help. I know this is like some kind of adware trojan and it is getting on my nerves. I had to get on tech forums through RealPlayer because IE and any Explorer windows shut down quickly after opening them. I know a lot of the things I should delete, but I wanted to get a once-over by someone who actually knows what they are talking about... Thanks so much!!

Brendan G



Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 4:55:13 PM, on 1/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\QiBHaXp6\command.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Joystick 2 Mouse 3\Joystick 2 Mouse.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SYSTEM32\a?sembly\?poolsv.exe
C:\DOCUME~1\BGIZZ~1\LOCALS~1\Temp\!update.exe
C:\DOCUME~1\BGIZZ~1\MYDOCU~1\DOBE~1\winword.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\HiJackThis_v2.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\imapi.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = btjunkie - the largest bittorrent search engine
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {31c91626-5192-4874-87a0-db22390525b2} - C:\WINDOWS\system32\bpaxhie.dll
O2 - BHO: 0 - {4922AFB9-0E1C-48F5-03B5-C613A59828DB} - C:\Program Files\Internet Explorer\xukacoqyl992.dll
O2 - BHO: (no name) - {63309BC4-520F-6FFA-0217-5E00CCCF8BBB} - C:\WINDOWS\system32\ljudk.dll
O2 - BHO: (no name) - {98663E21-9CCE-4CF6-863C-911A9523A66F} - C:\WINDOWS\system32\iifgdec.dll
O2 - BHO: (no name) - {A8BE4416-AE91-4D3A-A0B3-C80C1594A74E} - C:\Program Files\Outlook Express\texojap83122.dll
O2 - BHO: (no name) - {AC7101B7-A3B1-4E01-914A-EF7588DA3210} - C:\WINDOWS\system32\ddcaw.dll
O2 - BHO: (no name) - {E02A1EAC-0977-443D-A10A-982265EA4F4F} - C:\Program Files\Outlook Express\texojap4444.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Joystick 2 Mouse] C:\Program Files\Joystick 2 Mouse 3\Joystick 2 Mouse.exe /NoConfigure
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Wusr] "C:\DOCUME~1\BGIZZ~1\MYDOCU~1\DOBE~1\winword.exe" -vt yazb
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: Win32 Classes -
O20 - Winlogon Notify: iifgdec - C:\WINDOWS\SYSTEM32\iifgdec.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QiBHaXp6\command.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Internet Explorer\ceseqikik.html

--
End of file - 5001 bytes
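The log above is triaged by eye in this thread. As an added example (not part of the original posts, and not a HijackThis feature), the Python script below applies the same checks mechanically to a constructed subset of the first log's lines: unnamed BHOs, any Trusted Zone entry, Winlogon notification DLLs that do not ship with XP, services with no vendor string that run from odd directories, executables under the user profile, and paths containing "?" (a character that cannot appear in a real Windows file name, so its presence means the tool substituted it for a character it could not display). The allow-lists are assumptions for illustration, not an authoritative baseline.

```python
import re

# Constructed sample: a subset of lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\QiBHaXp6\command.exe
C:\WINDOWS\SYSTEM32\a?sembly\?poolsv.exe
C:\DOCUME~1\BGIZZ~1\LOCALS~1\Temp\!update.exe
C:\Program Files\Real\RealPlayer\realplay.exe

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {98663E21-9CCE-4CF6-863C-911A9523A66F} - C:\WINDOWS\system32\iifgdec.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKCU\..\Run: [Wusr] "C:\DOCUME~1\BGIZZ~1\MYDOCU~1\DOBE~1\winword.exe" -vt yazb
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O20 - Winlogon Notify: iifgdec - C:\WINDOWS\SYSTEM32\iifgdec.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QiBHaXp6\command.exe
"""

QUOTED_PATH = re.compile(r'"([A-Za-z]:\\[^"]+)"')
BARE_PATH = re.compile(r"([A-Za-z]:\\.*?\.(?:exe|dll|ocx|html?))", re.I)
USER_PROFILE = re.compile(r"^[A-Za-z]:\\(DOCUME~1|Documents and Settings)\\", re.I)
WINDOWS_SUBDIR = re.compile(r"^[A-Za-z]:\\WINDOWS\\([^\\]+)\\", re.I)

# Assumed allow-lists for illustration: directories a stock XP keeps binaries in, and the
# DLLs behind the Winlogon\Notify subkeys that ship with XP SP2.
STOCK_WINDOWS_SUBDIRS = {"system32", "system", "pchealth", "microsoft.net", "ime", "fonts", "resources"}
XP_STOCK_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll", "wlnotify.dll"}


def extract_path(line):
    """Pull the first executable/DLL path out of a log line (quoted paths take priority)."""
    m = QUOTED_PATH.search(line) or BARE_PATH.search(line)
    return m.group(1) if m else ""


def path_findings(path):
    """Checks that apply to any path, whatever section of the log it came from."""
    reasons = []
    if "?" in path:
        reasons.append("'?' is illegal in a Windows file name: the tool substituted it for a non-displayable look-alike character")
    if USER_PROFILE.match(path):
        reasons.append("executable runs from a user-writable profile directory")
    m = WINDOWS_SUBDIR.match(path)
    if m and m.group(1).lower() not in STOCK_WINDOWS_SUBDIRS:
        reasons.append("executable in a non-standard directory C:\\WINDOWS\\" + m.group(1))
    return reasons


def triage(log_text):
    """Return [(line, [reason, ...])] for every line that deserves a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        path = extract_path(line)
        reasons = []
        if line.startswith("O2 - BHO: (no name)"):
            reasons.append("unnamed BHO (legitimate add-ons almost always carry a name)")
        elif line.startswith("O15 - Trusted Zone:"):
            reasons.append("domain added to the IE Trusted sites zone, which relaxes IE security settings for it")
        elif line.startswith("O20 - Winlogon Notify:"):
            if path.rsplit("\\", 1)[-1].lower() not in XP_STOCK_NOTIFY_DLLS:
                reasons.append("Winlogon notification DLL not shipped with XP; it is loaded into winlogon.exe at boot")
        elif line.startswith("O23 - Service:") and "Unknown owner" in line and path_findings(path):
            reasons.append("service with no vendor string running from a suspect path")
        reasons += path_findings(path)
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

A service with "Unknown owner" is not suspicious on its own (ATI Smart in the same log is legitimate and has no vendor string), which is why the script only reports it together with a path finding.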
 
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)

Never seen them before.
 
Sorry about that, accidentally moved your thread to the finished section :eek:


How's it coming along?
 
Well... I don't know what the **** kind of **** storm I ran into, hahaha, but... it's better; still working on it. I have removed like 1000 spyware things, fixed my registry... I'm down to fixing system start-up, just didn't know which things particularly from WinLogon. If you could take a look at that, I think everything else is good!


--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---

2008-01-29 unins000.exe (51.49.0.0)
2008-01-28 blindman.exe (1.0.0.7)
2008-01-28 SDMain.exe (1.0.0.5)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2007-10-07 SDShred.exe (1.0.1.2)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SpybotSD.exe (1.5.2.20)
2008-01-28 TeaTimer.exe (1.5.2.16)
2008-01-28 Update.exe (1.4.0.6)
2008-01-28 advcheck.dll (1.5.4.5)
2007-04-02 aports.dll (2.1.0.0)
2008-01-28 SDFiles.dll (1.5.1.19)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDHelper.dll (1.5.0.11)
2008-01-28 Tools.dll (2.1.3.3)
2008-01-23 Includes\Revision.sbi
2008-01-23 Includes\Cookies.sbi
2007-12-26 Includes\Dialer.sbi
2008-01-23 Includes\HeavyDuty.sbi
2007-12-26 Includes\Hijackers.sbi
2007-10-04 Includes\Keyloggers.sbi
2004-11-29 Includes\LSP.sbi
2008-01-16 Includes\Malware.sbi
2007-10-24 Includes\PUPS.sbi
2008-01-09 Includes\Security.sbi
2008-01-23 Includes\Spybots.sbi
2007-11-06 Includes\Tracks.uti
2008-01-16 Includes\Trojans.sbi
2008-01-23 Includes\DialerC.sbi
2008-01-23 Includes\HijackersC.sbi
2008-01-23 Includes\KeyloggersC.sbi
2008-01-23 Includes\MalwareC.sbi
2008-01-23 Includes\PUPSC.sbi
2008-01-23 Includes\SecurityC.sbi
2008-01-23 Includes\SpybotsC.sbi
2008-01-23 Includes\TrojansC.sbi
2007-12-24 Plugins\TCPIPAddress.dll

Located: HK_LM:Run, ATICCC
command: "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
file: C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
size: 45056
MD5: 64C4C17BF6A40FF1CD21205E6FD415B8

Located: HK_LM:Run, Joystick 2 Mouse
command: C:\Program Files\Joystick 2 Mouse 3\Joystick 2 Mouse.exe /NoConfigure
file: C:\Program Files\Joystick 2 Mouse 3\Joystick 2 Mouse.exe
size: 176128
MD5: 4AEEB1A339F047D71F980514935708CF

Located: HK_LM:Run, SystemTray
command: SysTray.Exe
file: C:\WINDOWS\system32\SysTray.Exe
size: 3072
MD5: 46E07FD3A40760FDA18CF6B4FC691742

Located: HK_LM:Run, TkBellExe
command: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
file: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
size: 185896
MD5: 89D583FC41D48328128A974C25AFAEB7

Located: HK_CU:Run, SpybotSD TeaTimer
where: S-1-5-21-776561741-854245398-1060284298-1003...
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 2097488
MD5: A9A5DB6AC3721BE698B996913693D73F

Located: Startup (common), VIA RAID TOOL.lnk
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\VIA\RAID\raid_tool.exe
file: C:\Program Files\VIA\RAID\raid_tool.exe
size: 565248
MD5: D97A9230712D24EA76884165D9E18CB3

Located: Startup (disabled), SiICfg (DISABLED)
command: C:\PROGRA~1\SILICO~1\SiICfg\SiICfg.exe
file: C:\PROGRA~1\SILICO~1\SiICfg\SiICfg.exe
size: 1351729
MD5: 5CF7CCDEE7D4D72409A888B05E504C5D

Located: WinLogon, AtiExtEvent
command: Ati2evxx.dll
file: Ati2evxx.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, iifgdec
command: iifgdec.dll
file: iifgdec.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
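Every Winlogon entry in the Spybot output above carries size 0 and the same MD5. D41D8CD98F00B204E9800998ECF8427E is the MD5 of zero bytes, so Spybot never found the files: the Notify subkeys store bare DLL names (crypt32.dll, wlnotify.dll, iifgdec.dll) that winlogon.exe resolves through the loader's search path, and Spybot hashed nothing rather than resolving them. As an added example (not from the thread or from Spybot), the Python below parses those blocks, resolves the bare names against a directory the way the loader resolves them against system32, hashes what it finds, and tags subkeys that are not part of a stock XP SP2 install. The baseline dictionary and the throwaway system32 directory are assumptions for illustration; the fake DLL contents are a constructed placeholder.

```python
import hashlib
import os
import re
import tempfile

# MD5 of zero bytes. Spybot reports it whenever it could not open the file it was asked to hash.
EMPTY_MD5 = hashlib.md5(b"").hexdigest().upper()

# Assumed baseline: Winlogon\Notify subkeys on a stock XP SP2 install and the DLL each names.
XP_STOCK_NOTIFY = {
    "crypt32chain": "crypt32.dll", "cryptnet": "cryptnet.dll", "cscdll": "cscdll.dll",
    "sccertprop": "wlnotify.dll", "schedule": "wlnotify.dll", "sclgntfy": "sclgntfy.dll",
    "senslogn": "wlnotify.dll", "termsrv": "wlnotify.dll", "wlballoon": "wlnotify.dll",
}

# Constructed sample: two of the Spybot "Located: WinLogon" blocks posted above.
SAMPLE = """Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, iifgdec
command: iifgdec.dll
file: iifgdec.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
"""


def parse_winlogon_blocks(text):
    """Return [{'subkey', 'dll', 'md5'}] for each 'Located: WinLogon, ...' block."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip().lower()] = value.strip()
        located = fields.get("located", "")
        if located.lower().startswith("winlogon,"):
            entries.append({
                "subkey": located.split(",", 1)[1].strip(),
                "dll": fields.get("command", "").lower(),
                "md5": fields.get("md5", "").upper(),
            })
    return entries


def assess(entries, search_dirs):
    """Resolve each bare DLL name against search_dirs (as the loader does against system32),
    hash the real file if found, and tag entries that are not part of stock XP."""
    results = []
    for entry in entries:
        r = dict(entry,
                 stock=XP_STOCK_NOTIFY.get(entry["subkey"].lower()) == entry["dll"],
                 unresolved=entry["md5"] == EMPTY_MD5,
                 real_md5=None)
        for directory in search_dirs:
            candidate = os.path.join(directory, entry["dll"])
            if os.path.isfile(candidate):
                with open(candidate, "rb") as fh:
                    r["real_md5"] = hashlib.md5(fh.read()).hexdigest().upper()
                break
        results.append(r)
    return results


# Constructed stand-in for the suspect DLL's bytes; no real malware is embedded here.
FAKE_IIFGDEC = b"MZ constructed placeholder for iifgdec.dll\n"


def demo():
    """Build a throwaway 'system32' holding only the fake iifgdec.dll and assess the sample.
    crypt32.dll is deliberately absent so one entry stays unresolved, as in Spybot's output."""
    with tempfile.TemporaryDirectory() as fake_system32:
        with open(os.path.join(fake_system32, "iifgdec.dll"), "wb") as fh:
            fh.write(FAKE_IIFGDEC)
        return assess(parse_winlogon_blocks(SAMPLE), [fake_system32])


if __name__ == "__main__":
    for r in demo():
        status = "stock" if r["stock"] else "NOT STOCK"
        md5 = r["real_md5"] or "still unresolved (file not in search path)"
        print(f"{r['subkey']:14} {r['dll']:14} {status:10} {md5}")
```

On the real machine the search directory would be C:\WINDOWS\system32, and a hash that is neither the empty-file hash nor that of a known Microsoft build is the thing to look up; the Notify subkey name alone (iifgdec here, matching the O20 line in the HijackThis log) already places it outside the XP baseline.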
 
I keep trying to delete and replace these files and they keep replicating themselves... It's definitely a trojan; it is all Windows files... wuauclt, smss, winlogon, spoolsv, command, wdfmgr, wscntfy, wmiprvse... A little help? I don't know what to do... All it really seems to be doing is killing my explorer.exe, then it loads back up over and over. I am just keeping this open through RealPlayer... In Internet Explorer I can't do anything... Every 15 seconds it kills explorer, then it autoreloads.


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:15:51 PM, on 1/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\QiBHaXp6\command.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Hijack This\HiJackThis_v2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\imapi.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = btjunkie - the largest bittorrent search engine
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {53A84AA2-1693-478E-9A3D-E8DEA8036413} - C:\WINDOWS\system32\ddcaw.dll
O2 - BHO: (no name) - {98663E21-9CCE-4CF6-863C-911A9523A66F} - C:\WINDOWS\system32\iifgdec.dll
O4 - Global Startup: VIA RAID TOOL.lnk.disabled
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe

--
End of file - 2368 bytes
 
What I need you to do is go through my guide ASAP.

Reboot into safe mode.

Then scan your system again and remove the following if present:

C:\WINDOWS\QiBHaXp6\command.exe

O2 - BHO: (no name) - {53A84AA2-1693-478E-9A3D-E8DEA8036413} - C:\WINDOWS\system32\ddcaw.dll

O2 - BHO: (no name) - {98663E21-9CCE-4CF6-863C-911A9523A66F} - C:\WINDOWS\system32\iifgdec.dll

Once back in normal mode, scan again and post a new log here
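The removal step above is meant to be done with HijackThis's "Fix checked" button. As an added example (not part of the thread, and not a HijackThis or Spybot feature), here is the equivalent done by hand from an Administrator cmd.exe prompt in safe mode. The service name (cmdService), the two BHO CLSIDs and the Winlogon Notify subkey (iifgdec) are taken from the 9:15 PM log above; the file names and registry locations are the standard ones those entries map to. Everything else, including the assumption that C:\WINDOWS is the Windows directory, is an assumption for illustration.

```batch
@echo off
rem Added example, not from the thread. Run as Administrator in safe mode.
rem Identifiers come from the 9:15 PM HijackThis log; paths are assumed.

set "BHO1={53A84AA2-1693-478E-9A3D-E8DEA8036413}"
set "BHO2={98663E21-9CCE-4CF6-863C-911A9523A66F}"
set "BHOKEY=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
set "NOTIFY=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

rem 1. Stop the rogue service before touching its binary, then drop the service entry.
rem    (taskkill ships with XP Professional; XP Home does not have it.)
sc stop cmdService
sc delete cmdService
taskkill /F /IM command.exe

rem 2. Unhook both BHOs from IE by deleting their registrations.
rem    Do NOT run regsvr32 /u on the DLLs: that executes code inside them.
for %%G in (%BHO1% %BHO2%) do (
    reg delete "%BHOKEY%\%%G" /f
    reg delete "HKCR\CLSID\%%G" /f
)

rem 3. Remove the Winlogon notification package so winlogon.exe stops loading the DLL.
reg delete "%NOTIFY%\iifgdec" /f

rem 4. Delete the files. A DLL still mapped into winlogon.exe or explorer.exe cannot be
rem    deleted; renaming it usually works, and the .bad copy can be deleted after a reboot.
del /f /a "C:\WINDOWS\QiBHaXp6\command.exe"
rd /s /q "C:\WINDOWS\QiBHaXp6"
for %%D in (ddcaw.dll iifgdec.dll) do (
    del /f /a "C:\WINDOWS\system32\%%D"
    if exist "C:\WINDOWS\system32\%%D" ren "C:\WINDOWS\system32\%%D" "%%D.bad"
)

rem 5. Verify. Each of these should report that the service or key does not exist.
sc query cmdService
reg query "%BHOKEY%\%BHO1%"
reg query "%BHOKEY%\%BHO2%"
reg query "%NOTIFY%\iifgdec"
```

The order matters: stop and delete the service first, because a service that is still registered can relaunch its binary, and remove the registry hooks before the files, so that nothing re-creates the files between the reboot and the next scan. A fresh HijackThis log after rebooting into normal mode is the check that the entries did not return.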
 
Speaking of that, I can use my computer pretty much normally if I kill explorer myself and use a secondary program as an explorer... so all these programs are somehow tied into my explorer.exe file... That's the only way I'm using the computer right now...
 