
Thread: Please check my Hijack log

#1 BOWTYE8 (Regular Member, joined Nov 2000, SW Florida, 323 posts)

    Issue just started this past week. IE keeps getting pop-up windows every time I open it. I do have the pop-up blocker on.
    Then IE was getting slower. Well, I checked processes and it's constantly running at 95%. Most of the items listed had some process %. Nothing else running; it usually displays 95% idle process.

    Sometimes I get low process, but then when I tried to log in my wife, the processes take off. Or if she logs in first and then I log in... they go up.
    Did an Avast scan. Found rootkit 32. I moved it to the chest.
    Also did RegCure. It seems to fix some items each time. Did not pay attention, just fixed.
    I did load msconfig and turned off most items except a few.

    Here is my hijack log

    Logfile of HijackThis v1.99.1
    Scan saved at 7:35:44 AM, on 11/16/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\ARS SOFTWARE\ARS VPN Client\cvpnd.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
    D:\Installs\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {2f1f5e58-ac82-41c8-bd77-5262ae6665f0} - C:\WINDOWS\system32\dabavibo.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [Acronis*True*Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [tumufazisi] Rundll32.exe "C:\WINDOWS\system32\jineniwi.dll",s
    O4 - HKLM\..\Run: [CPM5f064184] Rundll32.exe "c:\windows\system32\tejemodo.dll",a
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net/
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.connect.com/XSL/mb...LStreaming.cab
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
    O20 - AppInit_DLLs: C:\WINDOWS\system32\kigoyiju.dll c:\windows\system32\tejemodo.dll
    O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\tejemodo.dll
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\ARS SOFTWARE\ARS VPN Client\cvpnd.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

    Thanks in advance
    Dennis
    Main rig-AMD AM3 Phenom II 965,Asus M478T-E, 4gb DDR3 1600 ram, Intel Series 320 SSD 120gig, Velociraptor 300 gig, WD Blk 1tb deep storage, Sata Cd & DVD drives
    HomeServer-AMD 4600x2, Soltek 939 mb 2 gig Ram, 74 Gig Raptor, 500 gig WD Green storage

#2 TonyT (Elite Member, joined Jan 2000, Fairfax, VA, 10,338 posts)

    Use HjT to Fix the following:

    O2 - BHO: (no name) - {2f1f5e58-ac82-41c8-bd77-5262ae6665f0} - C:\WINDOWS\system32\dabavibo.dll
    O4 - HKLM\..\Run: [tumufazisi] Rundll32.exe "C:\WINDOWS\system32\jineniwi.dll",s
    O4 - HKLM\..\Run: [CPM5f064184] Rundll32.exe "c:\windows\system32\tejemodo.dll",a
    O20 - AppInit_DLLs: C:\WINDOWS\system32\kigoyiju.dll c:\windows\system32\tejemodo.dll
    O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\tejemodo.dll

    Next:

    Go here and download ComboFix, save it to the Desktop, reboot into Safe Mode & run the tool. Let it do its stuff, then come back here & post the ComboFix report.
    http://www.bleepingcomputer.com/comb...o-use-combofix
    No one has any right to force data on you
    and command you to believe it or else.
    If it is not true for you, it isn't true.

    LRH
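TonyT's list above is built by eye: the same few randomly named DLLs in system32 show up as a nameless BHO, as Run keys launched through rundll32, in AppInit_DLLs and in SSODL. As an added example (not code from this thread, from HijackThis or from any of the tools named here), the Python below encodes that reasoning as a small triage script for defenders: it parses O2/O4/O20/O21 lines, extracts each file path, and flags a path when its filename is a random-looking lowercase string in system32, when it is a BHO with no display name, when it sits in AppInit_DLLs, or when a Run key loads it via rundll32, then counts how many load points the same file occupies. The sample log is constructed from lines in the log posted above; the consonant/vowel pattern used for "random-looking" is my own approximation of the generated names seen in that log and is a triage aid, not a verdict.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis format. The entries are copied from the log
# posted above (the DLL hits TonyT lists, plus a few benign lines so the
# heuristic has something to leave alone).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2f1f5e58-ac82-41c8-bd77-5262ae6665f0} - C:\WINDOWS\system32\dabavibo.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [tumufazisi] Rundll32.exe "C:\WINDOWS\system32\jineniwi.dll",s
O4 - HKLM\..\Run: [CPM5f064184] Rundll32.exe "c:\windows\system32\tejemodo.dll",a
O20 - AppInit_DLLs: C:\WINDOWS\system32\kigoyiju.dll c:\windows\system32\tejemodo.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\tejemodo.dll
"""

# "O4 - ..." / "R1 - ..." section prefix, then the rest of the line.
SECTION_RE = re.compile(r"(O\d+|R\d)\s+-\s+(.*)")
# A drive-letter path ending in .dll or .exe; directory segments may contain
# spaces, the filename is matched lazily so a trailing '",s' is not swallowed.
PATH_RE = re.compile(
    r'[A-Za-z]:\\(?:[^"\\:*?<>|\r\n]+\\)*[^"\\:*?<>|\r\n]+?\.(?:dll|exe)\b',
    re.IGNORECASE,
)
SYSTEM32_RE = re.compile(r"\\(?:windows|winnt)\\system32\\", re.IGNORECASE)
VOWELS = set("aeiou")


@dataclass
class Finding:
    line_no: int
    section: str
    path: str
    reasons: list[str] = field(default_factory=list)


def looks_random(stem: str) -> bool:
    """Heuristic (my assumption, not a rule from the thread): generated names like
    'dabavibo' or 'tejemodo' are 6-10 lowercase letters strictly alternating
    consonant/vowel. Mixed case, digits or consonant clusters (dimsntfy) pass."""
    if not (6 <= len(stem) <= 10) or not stem.isalpha() or not stem.islower():
        return False
    classes = [c in VOWELS for c in stem]
    return all(a != b for a, b in zip(classes, classes[1:]))


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count how many flagged load points each filename (lower-cased) occupies."""
    counts: dict[str, int] = {}
    for f in findings:
        name = f.path.rsplit("\\", 1)[-1].lower()
        counts[name] = counts.get(name, 0) + 1
    return counts


def analyse(log_text: str) -> list[Finding]:
    """Walk a HijackThis log and return every file path with at least one reason."""
    findings: list[Finding] = []
    for line_no, raw in enumerate(log_text.splitlines(), 1):
        m = SECTION_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        for path in PATH_RE.findall(body):
            finding = Finding(line_no, section, path)
            stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if SYSTEM32_RE.search(path) and looks_random(stem):
                finding.reasons.append("random-looking filename in system32")
            if section == "O2" and "(no name)" in body:
                finding.reasons.append("BHO registered without a display name")
            if section == "O20" and body.startswith("AppInit_DLLs:"):
                finding.reasons.append("AppInit_DLLs entry (loaded into every process that maps user32.dll)")
            if section == "O4" and "rundll32" in body.lower():
                finding.reasons.append("Run key launches a DLL via rundll32")
            if finding.reasons:
                findings.append(finding)
    # One DLL wired into several autostart points is a stronger signal than any single hit.
    counts = summarize(findings)
    for f in findings:
        n = counts[f.path.rsplit("\\", 1)[-1].lower()]
        if n > 1:
            f.reasons.append(f"same file appears in {n} load points")
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"line {f.line_no:>3} {f.section:<4} {f.path}")
        for reason in f.reasons:
            print(f"           - {reason}")
```

Run against the sample, the script flags exactly the four DLLs TonyT singled out (dabavibo, jineniwi, kigoyiju, tejemodo) and reports tejemodo.dll in three load points, while the Adobe, Nero, WgaLogon and WPDShServiceObj entries fall through untouched. The "appears in N load points" check is the part worth keeping even if you swap out the naming heuristic: legitimate software rarely registers the same DLL as a BHO, a Run key, an AppInit DLL and a shell service object at once.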

#3 BOWTYE8 (Regular Member, joined Nov 2000, SW Florida, 323 posts)

    Did the HijackThis repairs.
    Having trouble with ComboFix.
    Started Safe Mode and it loaded and seemed to back up and save the registry. Then it just displayed "preparing to run" for about 15 mins now. Never displaying the Recovery Console install etc.....

    Working from a laptop. IE on the main rig is not well.

#4 Sava700 (Ohh Hell yeah.., joined Feb 2002, Somewhere, 24,052 posts)

    It just looks like good ole fashioned spyware/malware.

    Run SUPERAntiSpyware (superantispyware.com) for starters... even an Avast boot scan would probably pick up stuff stuck in memory.

#6 Sava700 (Ohh Hell yeah.., joined Feb 2002, Somewhere, 24,052 posts)

    These are my steps.. they haven't failed me yet and I do it several times a day on student machines.

    First is to run through your Add/Remove Programs list and trash anything that looks like junk (it just helps to clean the comp up). I remove all toolbars I find, as I've seen some of the Vundo variants attach to them for some reason. You can always install them again later, so don't worry about it.

    2nd thing is to TURN OFF System Restore!!!

    3rd go to Start, Run, and type in msconfig and uncheck anything that looks funny from the Startup tab, including IMs for the time being, as you will want to restart the computer fast and keep the variants from starting as well.

    Load CCleaner (no need to install this, it's portable!) and select everything to clean! - http://www.majorgeeks.com/CCleaner_Portable_d5735.html
    Load/update Avast Home - http://www.avast.com
    Load/update superantispyware - http://www.superantispyware.com
    Load/update Malwarebytes - MalwareBytes
    Load/update spybot Search & Destroy 1.6 - spybot
    Download - msautoruns ms Autoruns

    Boot into safemode and set Avast for a bootscan upon restart- preselect it to delete anything it finds etc but don't reboot the computer.

    Run CCleaner to remove all junk and crap from your temp files etc.. you will still need to set hidden files/folders to show up in Folder Options and browse to your Local folder within your user account, select all files in the Temp and Temporary Internet Files folders and delete EVERYTHING!

    Next run a SUPERAntiSpyware full scan.. if it finds major things, mostly what's found in memory, it will require a reboot.. that's fine, reboot and then let Avast run its scan and boot into Windows normally.

    Run MalwareBytes and remove whatever it finds.

    Next run Autoruns and again check for anything odd, usually not showing a publisher or looking like this: "jaleiwa.exe" etc. You get the idea. Just right-click on them and delete, that's it. Close Autoruns and then run Spybot to finish up with that last-ditch scan and clean-up.

    Run CCleaner once more, then reboot and see where you stand after this point. Keep in mind this may take at least 4 hours to complete, but it should remove everything if you've done it right!

    Good Luck!

#7 TonyT (Elite Member, joined Jan 2000, Fairfax, VA, 10,338 posts)

    Quote, originally posted by BOWTYE8:
        Did the HijackThis repairs.
        Having trouble with ComboFix.
        Started Safe Mode and it loaded and seemed to back up and save the registry. Then it just displayed "preparing to run" for about 15 mins now. Never displaying the Recovery Console install etc.....

        Working from a laptop. IE on the main rig is not well.

    1. Boot in Safe Mode (press F8 during boot).
    2. Don't install the Recovery Console (because you need a net connection and you are in Safe Mode WITHOUT networking).
    3. Run the program.
    4. When it reboots the comp, press F8 to boot in Safe Mode again.

    That rootkit you had likely dropped other rootkits; it's not likely the antivirus detected the initial rootkit.

#8 BOWTYE8 (Regular Member, joined Nov 2000, SW Florida, 323 posts)

    Guys, thanks for the info. I am back up and running.

    You know, I have taken my system for granted. I help others with PC cleanups etc.... I have been pretty good till this.
    SUPERAntiSpyware did a good job, found about 45 items. Most were cookie items but a few had more impact.

    I have done everything listed but Malwarebytes. I will work on that tonight.

    Thanks again