Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Can You Check This Log?


  • This topic is locked This topic is locked
6 replies to this topic

#1 Cyclomega

Cyclomega

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:03 PM

Posted 16 May 2007 - 04:57 PM

Well, basically, I don't know the type of infection, but I think it's like a constantly re-infecting type of Ad-Ware, because whenever I think I deleted every single thing related to the problem, I get a pop-up on IE again, and the problem re-occurs.

Logfile of HijackThis v1.99.1
Scan saved at 5:53:07 PM, on 16/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Rundll32.exe
H:\Program Files\Winamp 2\Winampa.exe
e:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\system32\svchost.exe
E:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
H:\Downloads\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - C:\WINDOWS\system32\tmp22.tmp.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7b056cc6-cd10-4faa-8793-cba6f86726f1} - C:\WINDOWS\system32\h32tub.dll
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [WinampAgent] "h:\Program Files\Winamp 2\Winampa.exe"
O4 - HKLM\..\Run: [ui] rundll32.exe "C:\WINDOWS\efdeby.dll",realset
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: h32tub - C:\WINDOWS\SYSTEM32\h32tub.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - e:\Program Files\Kerio\Personal Firewall\persfw.exe

BC AdBot (Login to Remove)

 


#2 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:05:03 PM

Posted 16 May 2007 - 05:14 PM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.

From your log it appears that you are missing one important program: an antivirus. This is somewhat suicidal in today's digital world. Without one you are at a high-risk of reinfection; while I can try to sort your problem out, if you have no protection, the infections will keep resurfacing.
Here are some great free antivirus programs:
Antivir, Avast!, AVG, Bitdefender Free
Install one of these, then run a full scan, letting it quarantine/delete anything it finds. Let me know if there is anything that it reports but can not remove.

Please download VundoFix to your Desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt in your next reply.
Note: It is possible that VundoFix encountered a file it could not remove.
VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Please include VundoFix.txt and a new HijackThis log in your next reply.
Thanks,
Charles

Edited by rookie147, 16 May 2007 - 05:14 PM.

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#3 Cyclomega

Cyclomega
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:03 PM

Posted 16 May 2007 - 05:23 PM

Thanks for the reply, Charles.

Edit: I just noticed your edit, and I do have an anti-virus, it's just I don't keep it running in the background.


VundoFix V6.3.23

Checking Java version...

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Scan started at 6:14:26 PM 16/05/2007

Listing files found while scanning....

C:\WINDOWS\system32\h32tub.dll
C:\WINDOWS\system32\tmp10.tmp.dll
C:\WINDOWS\system32\tmp1A.tmp.dll
C:\WINDOWS\system32\tmp29.tmp.dll
C:\WINDOWS\system32\tmp7.tmp.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\h32tub.dll
C:\WINDOWS\system32\h32tub.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tmp29.tmp.dll
C:\WINDOWS\system32\tmp29.tmp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tmp7.tmp.dll
C:\WINDOWS\system32\tmp7.tmp.dll Has been deleted!

Performing Repairs to the registry.
Done!

---

Logfile of HijackThis v1.99.1
Scan saved at 6:18:55 PM, on 16/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Rundll32.exe
H:\Program Files\Winamp 2\Winampa.exe
e:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
H:\Downloads\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - C:\WINDOWS\system32\tmp22.tmp.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7b056cc6-cd10-4faa-8793-cba6f86726f1} - C:\WINDOWS\system32\h32tub.dll (file missing)
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [WinampAgent] "h:\Program Files\Winamp 2\Winampa.exe"
O4 - HKLM\..\Run: [ui] rundll32.exe "C:\WINDOWS\efdeby.dll",realset
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs:
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - e:\Program Files\Kerio\Personal Firewall\persfw.exe

Edited by Cyclomega, 16 May 2007 - 05:32 PM.


#4 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:05:03 PM

Posted 16 May 2007 - 06:32 PM

Hello again,
Having your antivirus disabled renders it pretty much useless, you're not going to get any protection from it if it is not running. This will leave you wide open to reinfection in the future; the malware will have nothing stopping it from installing.
Please re-enable it before we continue, or we're just wasting our time.

You're using an outdated version of Java (the latest one is Java Runtime Environment (JRE) 6u1), and these can be exploited by malware, so you need to update it as soon as possible. Please update and remove the older versions from your computer. Do the following:
Go to Start | Control Panel | Add/Remove Programs
Search in the list for all previous installed versions of Java (J2SE Runtime Environment ...)
Select it and click Remove.
Then download and install the newest version from here:
Java Runtime Environment (JRE) 6u1

Download Combofix to your Desktop.
Double click combofix.exe
Follow the prompts that are displayed.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt. Post that in your next reply.

Please include the ComboFix log, along with a new HijackThis log in your next reply.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#5 Cyclomega

Cyclomega
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:03 PM

Posted 16 May 2007 - 07:20 PM

Here you go...

"Administrator" - 2007-05-16 20:13:19 Service Pack 2
ComboFix 07-05.17.V - Running from: "H:\Downloads\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\RunOnce3.tm_
C:\WINDOWS\system32\RunOnce3.t__
C:\WINDOWS\system32\tmp22.tmp.dll
C:\WINDOWS\system32\tmp2F.tmp.dll


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-16 ))))))))))))))))))))))))))))))))))


2007-05-16 18:14 <DIR> d-------- C:\VundoFix Backups
2007-05-16 17:31 106,638 --a------ C:\WINDOWS\pmkjhf.dll
2007-05-16 17:31 106,638 --a------ C:\WINDOWS\efdeby.dll
2007-05-06 11:09 <DIR> d-------- C:\Program Files\Winamp
2007-04-29 19:55 <DIR> d-------- C:\Program Files\Microsoft Works
2007-04-29 19:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-06 01:00:45 1,168 ----a-w C:\WINDOWS\mozver.dat
2007-04-06 00:54:31 0 ----a-w C:\WINDOWS\nsreg.dat
2007-04-06 00:25:56 -------- d-----w C:\Program Files\Hewlett-Packard
2007-04-05 23:35:16 106,539 ----a-w C:\WINDOWS\nnkjgh.dll
2007-04-05 19:04:31 -------- d-----w C:\Program Files\QuickTime
2007-04-05 18:56:32 106,539 ----a-w C:\WINDOWS\urspqr.dll
2007-04-05 17:47:54 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-03 17:10:22 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-03-16 15:27:49 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Apple Computer


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{7b056cc6-cd10-4faa-8793-cba6f86726f1}=C:\WINDOWS\system32\h32tub.dll []


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P17Helper"="P17.dll" [2005-05-03 07:38 C:\WINDOWS\system32\P17.dll]
"WinampAgent"="h:\Program Files\Winamp 2\Winampa.exe" [2002-04-26 13:53]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=dword:00000001


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0
Security Packages kerberos msv1_0 schannel wdigest
Notification Packages scecli

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HTTPFilter HTTPFilter
LocalService Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV
NetworkService DnsCache
DcomLaunch DcomLaunch TermService
rpcss RpcSs
imgsvc StiSvc
termsvcs TermService

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

*newlycreated* -PROCEXP90

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\HP DArC Task #Hewlett-Packard#deskjet5100#MY37E3J2VM7A.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-16 20:13:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-16 20:13:55
C:\ComboFix-quarantined-files.txt ... 2007-05-16 20:13


--- E O F ---

---

Logfile of HijackThis v1.99.1
Scan saved at 8:15:45 PM, on 16/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Winamp 2\Winampa.exe
e:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
E:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\regedit.exe
H:\Downloads\HijackThis\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7b056cc6-cd10-4faa-8793-cba6f86726f1} - C:\WINDOWS\system32\h32tub.dll (file missing)
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [WinampAgent] "h:\Program Files\Winamp 2\Winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs:
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - e:\Program Files\Kerio\Personal Firewall\persfw.exe

#6 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:05:03 PM

Posted 17 May 2007 - 04:23 AM

I still don't see your antivirus running ...

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#7 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:05:03 PM

Posted 24 May 2007 - 05:12 PM

Due to lack of feedback, this topic is now closed.
If you need this topic reopened, please request this by sending me a Personal Message including a link to your thread.
This applies only to the original topic starter. Everyone else please begin a New Topic.

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users