Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Hijackthis Log Help!

  • Please log in to reply
1 reply to this topic

#1 Sprocket Rocket

Sprocket Rocket

  • Members
  • 1 posts
  • Local time:09:18 PM

Posted 02 May 2007 - 02:09 PM

I'm getting random pop-ups. Ran Ad-Aware, Spybot S&D...Ran VundoFix and Virtumundo Be Gone. Problem still exists.

When I run Spybot S&D some of the spyware they find are Trackosaurus, KeyLogger and FakeWGA as well as other stuff. I remove them but they always return.

Internet Explorer pop-ups come out of nowhere; even when computer is on but not in use. I did a search on one of the pop-ups and I was able to link it to WinFix but I still can't get rid of it.

Anyways, heres my HiJackThis Log...Help if you can!


PS - I forgot to add that when I am browsing with Internet Explorer, the status bar says "Loading Pictures from [url="http://ppc.burnsearch.com/xxxxxxxxx/xxx....""]http://ppc.burnsearch.com/xxxxxxxxx/xxx...."[/url] even though I have never visited that site.

Logfile of HijackThis v1.99.1
Scan saved at 1:51:18 PM, on 5/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\program files\internet explorer\iexplore.exe
C:\Documents and Settings\JohnDoe\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8182
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {989696b3-2049-47a8-870a-073bb44da4de} - C:\WINDOWS\system32\mscnit.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [otin] C:\WINDOWS\otin.exe
O4 - HKLM\..\Run: [wFnQ37j] logavi32.exe
O4 - HKLM\..\Run: [C:\WINDOWS\mgar.exe] C:\WINDOWS\mgar.exe
O4 - HKLM\..\Run: [unvop] C:\WINDOWS\System32\unvop.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ho44RXHnO] loagr1.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [xrunwin] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .tmi: C:\Program Files\Internet Explorer\PLUGINS\NPTmiPlay.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {40D230B5-7444-441A-9852-F71FB050FA8E} (MozillaPluginHostCtrl Class) - http://www.t-mobilepictures.com/photos/tmi/tmiplugin_ie.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {A2E05F45-F127-4092-B9F7-9A02C3E04C77} (HGPlugin7USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin7USA.cab
O16 - DPF: {BC5E698E-77CF-45EF-80A3-090A4B6AAF83} (HGPlugin8USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin8USA.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://www.cramster.com/DRM/Client/FileOpen.CAB
O20 - AppInit_DLLs:
O20 - Winlogon Notify: mscnit - C:\WINDOWS\SYSTEM32\mscnit.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

Edited by Sprocket Rocket, 02 May 2007 - 04:59 PM.

BC AdBot (Login to Remove)


#2 Aaflac


    Doin' Dis 'n Dat...

  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA
  • Local time:09:18 PM

Posted 06 May 2007 - 09:31 PM

First, make sure HijackThis is run from its own folder. This will ensure we have back ups made and they are kept securely. Backups allow the restoring of fixed entries when necessary.

On the Desktop, right click an empty area, select New > Folder, and name the folder Hijack This. Place the HijackThis.exe file in it, and then run the program.

Scan with HijackThis
Check box for:

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

O2 - BHO: (no name) - {989696b3-2049-47a8-870a-073bb44da4de} - C:\WINDOWS\system32\mscnit.dll

O4 - HKLM\..\Run: [otin] C:\WINDOWS\otin.exe
O4 - HKLM\..\Run: [wFnQ37j] logavi32.exe
O4 - HKLM\..\Run: [C:\WINDOWS\mgar.exe] C:\WINDOWS\mgar.exe
O4 - HKLM\..\Run: [unvop] C:\WINDOWS\System32\unvop.exe
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [ho44RXHnO] loagr1.exe
O4 - HKCU\..\Run: [xrunwin] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt

O20 - AppInit_DLLs:
O20 - Winlogon Notify: mscnit - C:\WINDOWS\SYSTEM32\mscnit.dll

Select: Fix checked

Copy all the files below (CTRL+C) and paste (CTRL+V) them to Notepad
(Start > Run, type in: notepad):

C:\WINDOWS\System32\IExplorer.dll .dbt

Next, download Killbox:
Place it in a folder on the Desktop.
Extract Pocket KillBox from the zip file
Double-click on the red circle with white X to run it.

At the main screen of KillBox, select the option: Delete on Reboot
Open the Notepad file saved earlier and copy the files to the clipboard
(Highlight all (Ctrl+A) and Copy (Ctrl + C).

In KillBox, go to the File menu, and choose: Paste from Clipboard
Then select: All Files (button)
Now, press the button with a red circle and a white X (Delete File button)
KillBox will alert you the files will be deleted on next reboot, click Yes
When asked to Reboot, select Yes

Click OK at any PendingFileRenameOperations prompt, and let us know if you receive this message.

Also, if the computer does not restart automatically, please restart it manually.

Next, download SuperAntiSpyware Home Edition Free Version
Install the program

Run SuperAntiSpyware and click: Check for updates
Once the update is finished, on the main screen, click: Scan your computer
Check: Perform Complete Scan
Click Next to start the scan.

Superantispyware scans the computer, and when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next
Click Finish

It is possible that the program asks to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click: Preferences
Click the Statistics/Logs tab
Under Scanner Logs, double-click SuperAntiSpyware Scan Log
It opens in your default text editor (such as Notepad)
Save the report to post in your reply.

Download ComboFix (by sUBs):


Save it to the Desktop.
Double-click combofix.exe and follow the prompts.

CAUTION: Do not mouse-click ComboFix's window while it is running.
It may cause it to stall.

When finished, it produces a log.

Last, download FindAWF:

Save the file to the Desktop
Double-click: FindAWF.exe

If a Security Alert shows, allow the program to run.

When done, a text file awf.txt is produced.

Please provide the following in your reply:
The SuperAntiSpyware log
The ComboFix log
The awf.text
A new HijackThis log

Old duck...

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users