sy in disguise HJT logs


Rocker
03-25-2006, 12:41 AM
Bear, I'll post the before then the after logs...

before..
Logfile of HijackThis v1.99.1
Scan saved at 4:36:41 AM, on 3/25/2006
Platform: Windows XP SP2, v.2082 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2082)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\soundman.exe
C:\WINDOWS\system32\kernels8.exe
C:\Windows\xpupdate.exe
C:\WINDOWS\system32\dlh9jkdq2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\vxgame2.exe
C:\WINDOWS\system32\vxgame6.exe
C:\WINDOWS\explorer.exe
D:\Net Software\HiJackThis\HijackThis.exe

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IExplorerHelper Class - {E89097ED-3400-411D-9647-D368C3311C98} - C:\WINDOWS\system32\IeHelperExVSS.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [errorkiller] "C:\Program Files\errorkiller\errorkiller.exe" -boot
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels8.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: C:\Program Files\BraveSentry\BraveSentry.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [BraveSentry] C:\Program Files\BraveSentry\BraveSentry.exe
O4 - Global Startup: IDW Logging Tool.lnk = C:\WINDOWS\system32\idwlog.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B600125E-BB4D-46E5-8388-0578F5BBA295}: NameServer = 203.147.0.3 203.147.0.2
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\system32\dcom_14.dll
O21 - SSODL: pMvhOHMjEfA - {F4BFECFA-5E15-4650-69C6-5914C3F5F94F} - C:\WINDOWS\system32\lmjes.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe



and after...down while this Window to your site was open...
Logfile of HijackThis v1.99.1
Scan saved at 12:40:39 PM, on 3/25/2006
Platform: Windows XP SP2, v.2082 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2082)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\soundman.exe
C:\WINDOWS\system32\kernels8.exe
C:\DOCUME~1\david\LOCALS~1\Temp\2011a.exe
C:\WINDOWS\system32\dlh9jkdq2.exe
C:\WINDOWS\system32\dlh9jkdq6.exe
C:\WINDOWS\system32\dlh9jkdq7.exe
C:\WINDOWS\system32\dlh9jkdq5.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dlh9jkdq5.exe
C:\WINDOWS\system32\dlh9jkdq5.exe
C:\WINDOWS\system32\dlh9jkdq5.exe
C:\WINDOWS\system32\dlh9jkdq5.exe
C:\WINDOWS\system32\dlh9jkdq5.exe
C:\WINDOWS\system32\dlh9jkdq5.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\dlh9jkdq5.exe
D:\Net Software\HiJackThis\HijackThis.exe
D:\Net Software\HiJackThis\HijackThis.exe

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels8.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B600125E-BB4D-46E5-8388-0578F5BBA295}: NameServer = 203.147.0.3 203.147.0.2
O21 - SSODL: pMvhOHMjEfA - {F4BFECFA-5E15-4650-69C6-5914C3F5F94F} - C:\WINDOWS\system32\lmjes.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe



How'd I do, Professor?

bear
03-25-2006, 06:49 AM
Well, after fixing it, it looks like you made it mad. ;)
I noted many instances of several programs, leading me to think it's spawning copies of its own "version" of things. Worrisome.
Here are my findings (your firewall is not to blame, but the AV should have caught this).

C:\WINDOWS\system32\kernels8.exe
C:\DOCUME~1\david\LOCALS~1\Temp\2011a.exe
C:\WINDOWS\system32\dlh9jkdq2.exe
C:\WINDOWS\system32\dlh9jkdq6.exe
C:\WINDOWS\system32\dlh9jkdq7.exe
C:\WINDOWS\system32\dlh9jkdq5.exe
C:\WINDOWS\system32\dlh9jkdq5.exe
C:\WINDOWS\system32\dlh9jkdq5.exe
C:\WINDOWS\system32\dlh9jkdq5.exe
C:\WINDOWS\system32\dlh9jkdq5.exe
C:\WINDOWS\system32\dlh9jkdq5.exe
C:\WINDOWS\system32\dlh9jkdq5.exe
C:\WINDOWS\system32\dlh9jkdq5.exe

Wow...all this is malicious. Before starting cleanup, each instance of this needs to be stopped from running by using CTRL-ALT-DEL, "end process". Don't reboot if asked.

D:\Net Software\HiJackThis\HijackThis.exe
D:\Net Software\HiJackThis\HijackThis.exe
This was not the only thing that was listed as running more than once. Has me worried that something is spawning its own "version" of Windows here.

R3 - Default URLSearchHook is missing
Have HJT fix this

O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels8.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
Once all processes above have been stopped, have HJT fix these. They should not be running at startup and the files should be removed

O21 - SSODL: pMvhOHMjEfA - {F4BFECFA-5E15-4650-69C6-5914C3F5F94F} - C:\WINDOWS\system32\lmjes.dll
Suspicious. I believe this is part of the trojan above. See if you can get HJT to fix this, but it might require restarting in safe mode if it's in use. I'd suggest killing all the others first, and see if it can be removed then.

Rocker
03-25-2006, 10:53 PM
Bear,

Well, after fixing it, it looks like you made it mad.
LOL!! Not a fraction as mad as it made me!! But you know, after fighting with this thing all last night, I am still a little surprised that I missed seeing that obvious replication of that dlh9jkdq5 thing. This was later removed and listed by name by McAfee as a trojan. Oh, yeah, I forgot to mention, I went to the mall and bought some software, anti-spyware and AV and some misc. stuff (the ol' GBH again). I reasoned that since the free downloadable versions of the anti-spyware that I had used weren't able to get all the problems, maybe if I bought the whole pkg. on a disc I'd get a 'complete' version (the kind the ASW people want you to buy to remove all the things that the free versions won't). Anyway, in the package were some McAfee applications, and for some reason I trust that company. So I ran their ASW program and it found that dlh-thing and removed it. The pop-up bubble is gone since the Windows reinstall.


I finally had enough last night, and reinstalled Windows. I've done this now about 10 times in the past few months, and it disturbs me that I'm getting used to it. I've re-installed AVG, and a firewall from ZoneLabs, reinstalled my Nero, and since the IE wasn't working again after the Windows reinstallation (like it was a few months ago, it can't see the dialer or find the server, whatever) I reinstalled Firefox. I remember what happened with Infopath, though, so I'm not giving up on the IE browser just yet.
Anyway, I ran HJT a second ago, and here's what the log looks like now...

Logfile of HijackThis v1.99.1
Scan saved at 10:38:19 AM, on 3/26/2006
Platform: Windows XP SP2, v.2082 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2082)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msiexec.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\Net Software\HiJackThis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - Global Startup: IDW Logging Tool.lnk = C:\WINDOWS\system32\idwlog.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3D15294-0AB5-4917-AF85-577435DA4F1C}: NameServer = 203.147.0.3 203.147.0.2
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

The last two #9 items and the #17 look suspicious, but I want to check with you first. Other than those, it looks clean, but I no longer believe anything I see.

Thanx, Bear. Hope Spring is getting closer for you.

bear
03-26-2006, 07:27 AM
The last two #9 items and the #17 look suspicious, but I want to check with you first. Other than those, it looks clean, but I no longer believe anything I see.
Normally, you'd be right on about those 2, but in your case, no worries here. The buttons are harmless. It's only when your home page is actually set to some local file and you didn't do it that you should be concerned.

The nameservers look like the ones from your ISP. Normally, you're right to suspect this as it's uncommon most of the time...but here it's just fine.
Clean log, and all it took was a complete reformat. :wallbash:
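The checks bear applies by eye in the two replies above (processes listed more than once, an executable running out of a Temp folder, O4/O21 autostart entries pointing at files, and O17 nameservers compared against the ISP's) can be scripted over the HijackThis log format. The following is an added example written for this page, not code from HijackThis or from anyone in the thread. It parses the v1.99.1 log layout and returns the items a reviewer would look at; the sample log is constructed, trimmed from the thread's second log, and the "known good" DNS list is an assumption the caller supplies (here, the ISP addresses bear confirmed).

```python
import re
from collections import Counter

# Constructed sample in the HijackThis v1.99.1 log layout, trimmed from the
# thread's second log; only the lines needed to exercise the checks are kept.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 12:40:39 PM, on 3/25/2006

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\kernels8.exe
C:\DOCUME~1\david\LOCALS~1\Temp\2011a.exe
C:\WINDOWS\system32\dlh9jkdq5.exe
C:\WINDOWS\system32\dlh9jkdq5.exe
C:\WINDOWS\system32\dlh9jkdq5.exe
C:\WINDOWS\explorer.exe
D:\Net Software\HiJackThis\HijackThis.exe
D:\Net Software\HiJackThis\HijackThis.exe

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels8.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{B600125E-BB4D-46E5-8388-0578F5BBA295}: NameServer = 203.147.0.3 203.147.0.2
O21 - SSODL: pMvhOHMjEfA - {F4BFECFA-5E15-4650-69C6-5914C3F5F94F} - C:\WINDOWS\system32\lmjes.dll
"""

# "O4 - ..." style entry: a letter, one or two digits, then " - " and the rest.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# Quoted or unquoted drive-letter path ending in .exe/.dll, as HJT prints them.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll))"?', re.IGNORECASE)


def parse_hjt(text):
    """Split a HijackThis log into the running-process list and the lettered entries."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:  # a blank line ends the process section
                in_processes = False
            else:
                processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return {"processes": processes, "entries": entries}


def duplicate_processes(report):
    """Paths listed more than once in the process section (case-insensitive), with counts."""
    counts = Counter(p.lower() for p in report["processes"])
    return {p: n for p, n in counts.items() if n > 1}


def temp_processes(report):
    """Processes running out of a Temp directory, which merit a look on their own."""
    return [p for p in report["processes"] if "\\temp\\" in p.lower()]


def autostart_paths(report, codes=("O4", "O20", "O21")):
    """File paths referenced by autostart-type entries, paired with the entry code."""
    out = []
    for code, rest in report["entries"]:
        if code in codes:
            m = PATH_RE.search(rest)
            if m:
                out.append((code, m.group(1)))
    return out


def nameservers(report):
    """DNS servers from O17 entries, to compare against the ISP's documented ones."""
    servers = []
    for code, rest in report["entries"]:
        if code == "O17":
            m = re.search(r"NameServer = (.*)$", rest)
            if m:
                servers.extend(m.group(1).split())
    return servers


def review(text, known_good_dns=()):
    """Everything a reviewer would want listed before deciding what to fix."""
    report = parse_hjt(text)
    return {
        "duplicates": duplicate_processes(report),
        "temp": temp_processes(report),
        "autostarts": autostart_paths(report),
        "unknown_dns": [s for s in nameservers(report) if s not in known_good_dns],
    }


if __name__ == "__main__":
    # The ISP addresses are the assumption here; pass your own list.
    for key, value in review(SAMPLE_LOG, known_good_dns=("203.147.0.3", "203.147.0.2")).items():
        print(key, value)
```

The output is a worklist, not a verdict: a duplicated process or a Temp-folder executable is the cue to look closer, as in the thread, and the O17 check only says "not on the list you gave me", so feed it the addresses your ISP actually publishes.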