Need analysis please

Status
Not open for further replies.

canooten

I have a machine on my work network that is giving a constant RunDll popup that reads:

Error Loading C:/Documents and Settings/xxxxx/local settings/application data/owudiwoniqivu.dll

Specified module could not be found

It was suggested I post a HJT log here - if anything is strange, keep in mind this is on a machine with a limited user account so the log could not be written as "default". I had to manually save to the desktop.

===================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:36:45 PM, on 5/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Century\TinyTERM\tt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QBReminderFlash] "C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Sheila Boggs] C:\Documents and Settings\Sheila Boggs\Sheila Boggs.exe /i
O4 - HKCU\..\Run: [Arijidonok] rundll32.exe "C:\Documents and Settings\Sheila Boggs\Local Settings\Application Data\ilidip.dll",e
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\9129837.exe
O4 - HKCU\..\Run: [Fhozemidaribiyix] rundll32.exe "C:\Documents and Settings\Sheila Boggs\Local Settings\Application Data\owudiwoniqivu.dll",e
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{BBF9CB3F-ADA7-4A88-A162-97BF3AFD59BB}: NameServer = 205.152.37.23,205.152.144.23
O17 - HKLM\System\CS1\Services\Tcpip\..\{BBF9CB3F-ADA7-4A88-A162-97BF3AFD59BB}: NameServer = 205.152.37.23,205.152.144.23
O17 - HKLM\System\CS2\Services\Tcpip\..\{BBF9CB3F-ADA7-4A88-A162-97BF3AFD59BB}: NameServer = 205.152.37.23,205.152.144.23
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe

--
End of file - 5388 bytes
 
Remove these; if something in here is legit, then don't remove it. The one I'm not sure about is the first one.

O4 - HKCU\..\Run: [Sheila Boggs] C:\Documents and Settings\Sheila Boggs\Sheila Boggs.exe /i

O4 - HKCU\..\Run: [Arijidonok] rundll32.exe "C:\Documents and Settings\Sheila Boggs\Local Settings\Application Data\ilidip.dll",e

O4 - HKCU\..\Run: [ttool] C:\WINDOWS\9129837.exe

O4 - HKCU\..\Run: [Fhozemidaribiyix] rundll32.exe "C:\Documents and Settings\Sheila Boggs\Local Settings\Application Data\owudiwoniqivu.dll",e

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

I assume these IP addresses are legit?

O17 - HKLM\System\CCS\Services\Tcpip\..\{BBF9CB3F-ADA7-4A88-A162-97BF3AFD59BB}: NameServer = 205.152.37.23,205.152.144.23
 
DNS server addresses are correct.

I assume that to remove these I will need to change the user account to admin, or does HJT allow object removal by limited user accounts?
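The triage in the reply above, and the question about limited accounts, as an added example that is not part of this thread and not code from HijackThis or its authors: a short Python script that parses O4 (Run key) and O9 (IE extra button) lines out of an HJT log, flags the same patterns the reply singled out (rundll32.exe loading a DLL from the user's Local Settings\Application Data, an .exe named after the profile sitting in the profile root, an all-digit .exe directly in C:\WINDOWS, and an O9 button whose target is "(no file)"), and records which registry hive each entry lives in. The heuristics are my assumptions; the sample lines are copied from the log posted above. The hive note rests on a general Windows fact: the Run key under HKCU is in the logged-on user's own hive and can be edited without elevation, while the HKLM and HKUS copies need an administrator.

```python
# Added example for this thread; not part of HijackThis and not written by
# the thread's participants.  Heuristics are assumptions drawn from the
# entries the reply flagged:
#   * rundll32.exe loading a DLL from Local Settings\Application Data
#   * an .exe named after the user profile, sitting in the profile root
#   * an all-digit .exe sitting directly in C:\WINDOWS
#   * an O9 button whose target is '(no file)'
import re

# Lines copied from the thread's HJT log (legitimate and flagged entries
# mixed) so the script runs offline.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Sheila Boggs] C:\Documents and Settings\Sheila Boggs\Sheila Boggs.exe /i
O4 - HKCU\..\Run: [Arijidonok] rundll32.exe "C:\Documents and Settings\Sheila Boggs\Local Settings\Application Data\ilidip.dll",e
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\9129837.exe
O4 - HKCU\..\Run: [Fhozemidaribiyix] rundll32.exe "C:\Documents and Settings\Sheila Boggs\Local Settings\Application Data\owudiwoniqivu.dll",e
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O9_RE = re.compile(r"^O9 - Extra (?:button|'Tools' menuitem): (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$")
RUNDLL_RE = re.compile(r'(?i)^(?:"?[a-z]:\\[^"]*\\)?rundll32\.exe"?\s+(?P<rest>.*)$')
PATH_RE = re.compile(r'(?i)^"?(?P<path>[a-z]:\\.*?\.(?:exe|dll|com|scr))"?(?P<args>.*)$')
LOCAL_APPDATA_DLL = re.compile(r'(?i)\\local settings\\application data\\[^\\]+\.dll$')
PROFILE_ROOT_EXE = re.compile(r'(?i)^c:\\documents and settings\\(?P<user>[^\\]+)\\(?P<file>[^\\]+)\.exe$')
WINDIR_NUMERIC_EXE = re.compile(r'(?i)^c:\\windows\\\d+\.exe$')


def split_command(cmd):
    """Return (loader, path, args) for an O4 command string.

    loader is 'rundll32' when rundll32.exe fronts the command (path is then
    the DLL it loads), otherwise None and path is the executable itself.
    """
    cmd = re.sub(r"\s*\(User '[^']*'\)$", '', cmd.strip())   # drop HJT's HKUS suffix
    m = RUNDLL_RE.match(cmd)
    if m:
        rest = m.group('rest').strip()
        # rundll32 syntax is <dll>,<entrypoint> [args]; the DLL may be quoted.
        if rest.startswith('"'):
            dll, _, args = rest[1:].partition('"')
        else:
            dll, _, tail = rest.partition(',')
            args = ',' + tail if tail else ''
        return 'rundll32', dll, args.strip()
    m = PATH_RE.match(cmd)
    if m:
        return None, m.group('path'), m.group('args').strip()
    return None, cmd, ''


def classify_o4(cmd):
    """Apply the heuristics above; return (path, list of reasons)."""
    loader, path, _ = split_command(cmd)
    reasons = []
    if loader == 'rundll32' and LOCAL_APPDATA_DLL.search(path):
        reasons.append('rundll32 loads a DLL from Local Settings\\Application Data')
    m = PROFILE_ROOT_EXE.match(path)
    if m and m.group('user').lower() == m.group('file').lower():
        reasons.append('executable named after the user profile, in the profile root')
    if WINDIR_NUMERIC_EXE.match(path):
        reasons.append('all-digit executable name directly in C:\\WINDOWS')
    return path, reasons


def triage(log_text):
    """Return the suspicious O4/O9 entries as dicts, in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            hive, name, cmd = m.group('hive', 'name', 'cmd')
            path, reasons = classify_o4(cmd)
            if reasons:
                # HKCU is the logged-on user's own hive; HKLM and HKUS\<SID>
                # values need an administrator to edit.
                findings.append({'kind': 'O4', 'hive': hive, 'name': name, 'path': path,
                                 'reasons': reasons, 'needs_admin': hive != 'HKCU'})
            continue
        m = O9_RE.match(line)
        if m and m.group('target').strip() == '(no file)':
            # HJT's O9 line does not say which hive the extension key is in.
            findings.append({'kind': 'O9', 'hive': None, 'name': m.group('name'),
                             'path': m.group('clsid'),
                             'reasons': ['IE extra button whose target file is missing'],
                             'needs_admin': None})
    return findings


if __name__ == '__main__':
    labels = {True: 'admin needed', False: 'user can remove', None: 'hive unknown'}
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']} [{f['name']}] {f['path']}")
        print(f"    {'; '.join(f['reasons'])} ({labels[f['needs_admin']]})")
```

Run against the sample it flags exactly the five entries the reply listed, all four O4 hits under HKCU, and leaves the AVG, QuickTime, ctfmon and Messenger lines alone. The DNS (O17) lines are deliberately not scored: whether a resolver address is legitimate depends on the site's ISP, which a log parser cannot know.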
 
Will do... didn't know if the same processes would load on different accounts.

I'll do this and rescan when removed.
 
Sorry for the delay... I wanted to give the machine user a day to work on it and see how it was behaving. The entry removals you suggested seemed to work to me... they definitely removed the DLL popup and seem (to me anyway, but I don't use this particular machine) to help it in terms of performance as well.

I haven't heard anything different from the user, but will check with them today to find out for sure.

Thanks for your help....saved me some time for sure.
 