Internet Problem - Hijack this log
AfterDawn Addict
17. August 2008 @ 01:31
Hang in there, twentytwo, I'm going over your logs now. I just see one item I overlooked but I'm confused about some random name files that you have. I can't find any info on them...

How is your computer acting?? Any problems??



There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...
twentytwo
Newbie
17. August 2008 @ 04:14
Seems pretty fine to me, what programs are you confused about?
AfterDawn Addict
17. August 2008 @ 04:55
Hi twentytwo,

Well, first I am confused about your ESET Nod32: did you un-install it?

I just assumed that you had since it showed up as (file missing) in your last HJT Log.

If you're not running an Antivirus, I can recommend a very good, free one... let me know.

Also, I had you delete some files and a Line in HJT using ComboFix but most of them still show up.. Strange.

Use HJT to delete these lines again, and we'll see what happens.

O2 - BHO: (no name) - {63F507E2-0C11-4D37-ABD7-E1A9CF111D5E} - C:\WINDOWS\system32\comrep.dll (file missing)

O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe (file missing)



Now use your windows explorer and search for the following files to see if they remain?
They may be hidden so please use the search hidden files option..

uygljsms.exe

awejpi9iao.exe

xljefnq.sys

zeqgrq.sys



Let me know if you find any of them and where they are located..

2OG



twentytwo
Newbie
17. August 2008 @ 06:39
yeah, I deleted nod32 to run ComboFix because I couldn't figure out how to disable it; the process would still be on after stopping it.

Yes, I need a free anti-virus.

As for the first one, it was a program I randomly renamed because I had two; deleted.
Found the second one too; deleted.

No results on the last 2.
twentytwo
Newbie
17. August 2008 @ 06:44
newest hjt:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:40:43 AM, on 8/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Xfire\xfire.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defa...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {63F507E2-0C11-4D37-ABD7-E1A9CF111D5E} - C:\WINDOWS\system32\comrep.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared...,23/mcgdmgr.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5314 bytes
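The log above is the kind of thing the helper in this thread reads by hand: section codes (R0/R1 for IE settings, O2 for BHOs, O4 for Run keys, O23 for services) followed by a name, a CLSID or owner, and a file path. As an added example, not code from the thread or from HijackThis, the following Python parses a few of those lines and flags the same things the helper picks out by eye: BHOs with "(no name)", services with "Unknown owner", and entries whose target is marked "(file missing)". The sample lines are drawn from the posted log and are used only as parser input; the flag names and helper functions are this example's own choice.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in HijackThis log format. The lines are taken from the log
# posted in this thread and are used here only as parser input.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {63F507E2-0C11-4D37-ABD7-E1A9CF111D5E} - C:\WINDOWS\system32\comrep.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

# "R0 - ..." / "O23 - ...": a section code, then the entry body.
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")

# A Windows path starting with a drive letter, ending at a closing quote, the
# "(file missing)" marker, a command-line switch, a " -" separator or end of line.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?)(?:"| \(file missing\)| /| -|$)')


@dataclass
class Entry:
    section: str
    body: str
    path: Optional[str]
    flags: List[str] = field(default_factory=list)


def classify(section: str, body: str) -> List[str]:
    """Flags that make an entry worth a second look (a prompt for a lookup, not a verdict)."""
    flags = []
    if section == "O2" and "(no name)" in body:
        flags.append("unnamed BHO")
    if section == "O23" and "Unknown owner" in body:
        flags.append("unknown owner")
    if "(file missing)" in body:
        flags.append("file missing")
    return flags


def parse_log(text: str) -> List[Entry]:
    """Turn the R/O lines of a HijackThis log into Entry objects; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header lines, the running-process list, blank lines
        section, body = m.group("section"), m.group("body")
        pm = PATH_RE.search(body)
        path = pm.group(1) if pm else None
        entries.append(Entry(section, body, path, classify(section, body)))
    return entries


def triage(entries: List[Entry]) -> List[Entry]:
    """Entries carrying at least one flag, in log order."""
    return [e for e in entries if e.flags]


def inert_leftovers(entries: List[Entry]) -> List[Entry]:
    """Flagged entries whose target file no longer exists: dead references that
    cannot run, but that still clutter the log until the line is removed."""
    return [e for e in entries if "file missing" in e.flags]


if __name__ == "__main__":
    for e in triage(parse_log(SAMPLE_LOG)):
        print(f"{e.section:<4} {', '.join(e.flags):<26} {e.path}")
```

On the sample, only the comrep.dll BHO and the NOD32 service come back flagged, and both are "file missing", which matches the helper's later remark that entries whose file is gone can do no harm. Note that "(no name)" on its own is only a reason to look the CLSID up: the posted log also has an unnamed BHO that is Spybot's SDHelper.dll.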
AfterDawn Addict
17. August 2008 @ 07:13
Did you use HJT to delete these lines and are they returning??

O2 - BHO: (no name) - {63F507E2-0C11-4D37-ABD7-E1A9CF111D5E} - C:\WINDOWS\system32\comrep.dll (file missing)

O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe (file missing)



Glad to know what those other files were : )



AfterDawn Addict
17. August 2008 @ 07:47
twentytwo, I recommend Avira Antivir as your Antivirus. It is better than most of the Paid AVs. Most people won't use it because of the Nag screens after it updates, trying to get you to buy it, but there is a way around that... ; )


Download Avira Antivir -> HERE


In order to disable the Nag screens in Avira Antivir you must use the Safe Mode in an Administrator account.

1. Boot into Safe Mode (tap F8 repeatedly after you restart the computer)
2. Log in using the Administrator account
3. Go to C:\Program Files\(Avira)\AntiVir PersonalEdition Classic\avnotify.exe
4. Right-click avnotify.exe-> properties-> security tab
5. Under the Group or user names: you will see all of the users. Start with the first user and click to highlight it...
6. Check the Deny box for Read and Execute; the Read box will check automatically.
7. Now perform step 6 for all of the other users-> apply-> yes/ok-> close all open windows
8. Reboot the computer into Normal Mode (start-> shutdown-> restart)


2OG




This message has been edited since posting. Last time this message was edited on 17. August 2008 @ 09:57

twentytwo
Newbie
18. August 2008 @ 04:19
Originally posted by 2oldGeek:
Did you use HJT to delete these lines and are they returning??

O2 - BHO: (no name) - {63F507E2-0C11-4D37-ABD7-E1A9CF111D5E} - C:\WINDOWS\system32\comrep.dll (file missing)

O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe (file missing)



Glad to know what those other files were : )

yes, I tried deleting these things a few times.
AfterDawn Addict
18. August 2008 @ 04:31
I've seen stranger things happen


Since the file is missing in both of these start-ups, they can do no harm. Just annoying trash and I like a clean kitchen. Lol

Unless you have any problems, I would say you're clean. Anything?
Let me know and I'll give you some final stuff to do... Did you get an AV?



twentytwo
Newbie
18. August 2008 @ 04:36
yeah, got avira running a scan right now. It found something but I quarantined it. Seems smooth and good atm.
AfterDawn Addict
18. August 2008 @ 05:33
Congratulations twentytwo, you're CLEAN



Things to do:

Install a firewall: see below.

Get XP SP3 -> HERE

Update your IE6 to IE7 (safer) or use Firefox (even safer yet)

Update your Java: see below.


Here are a few other things you must do once you are completely clean:

1. Time for some housekeeping

Please download the OTMoveIt2 by OldTimer

• Save it to your desktop.
• Run the tool by clicking on the icon.
• Click the Cleanup button.

• The tools that we used as well as this one will be removed from your system.


2. Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only


Double-click ATF-Cleaner.exe to run the program.

• Under Main "Select Files to Delete" choose: Select All.
• Click the Empty Selected button.

• If you use the Firefox browser click Firefox at the top and choose: Select All
• Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.

• If you use the Opera browser click Opera at the top and choose: Select All
• Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.

• Click Exit on the Main menu to close the program.


3. Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them.
Please follow these steps to remove older version Java components and update:

• Download the latest version of Java Runtime Environment (JRE) 6 Update 7 and save it to your desktop.
• Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
• Click the Download button to the right.
• Select Windows on the platform combobox and check the box that says:
Accept License Agreement. Click continue.
• The page will refresh.
• Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
• Close any programs you may have running - especially your web browser.
• Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
• Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java version.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.




4. Now Set a New Restore Point to prevent possible reinfection from an old one.
Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:

• Go to Start > Programs > Accessories > System Tools and click "System Restore".

• Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

• Then go to Start > Run and type: Cleanmgr
• Click "OK"
Select the drive you want to clean, usually C:
Click OK
When it completes the scan:
• Click the "More Options" Tab.
• Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.


5. Defragment your Hard Drive

1. Open My Computer.
2. Right-click the local disk volume that you want to defragment, and then click Properties.
3. On the Tools tab, click Defragment Now.
4. Click Defragment.




And here are some tips to reduce the potential for spyware infection in the future:


Use a Firewall.
It is critical that you use a firewall to protect your computer from hackers. We don't recommend the firewall that comes built in to Windows. It doesn't block everything that may try to get in, and the entire firewall is written to the registry. As various kinds of malware hack the Registry in order to disable the Windows firewall, it's far preferable to install one of the excellent third party solutions. Two good ones are Comodo Free and Online Armor Personal Firewall.
I have recently changed my firewall to Comodo, love it and highly recommend it..

Make sure you keep your Windows OS current by visiting Windows Update
regularly to download and install any critical updates and service packs. Without these you are leaving the back door open.

I strongly recommend installing the following applications:


To protect your machine, I highly recommend BOClean. It's FREE and it works. I use it and never get one of these infections.

In order to prevent the installation of Trojans and Malware on your machine:
Download and install: Comodo BOClean

Comodo BOClean protects your computer against trojans, malware and other threats. It constantly scans your system in the background and intercepts any recognized trojan activity. The program can ask the user what to do, or run in unattended mode and automatically shutdown and remove any suspected trojan application. Comodo BOClean currently supports more than 59000 malware items and offers automatic daily updates. Other features include updating via network share, tamper protection and stealth mode.

• Spywareblaster <= SpywareBlaster will prevent spyware from being installed.


• MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known Malware sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.


See Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.


And also see TonyKlein's good advice
So how did I get infected in the first place?




Enjoy your clean computer. Any questions?

The oldgeek knows how to get the bugs out... Oops, missed one..




2OG



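The MVPS hosts file mentioned in the post above works because the HOSTS file is a plain text list of "address hostname [hostname ...]" lines that the local resolver consults before asking DNS, so pinning a malware domain to 127.0.0.1 (or 0.0.0.0) makes any connection attempt to it loop back to the machine and fail. As an added example, not code from the thread or from the MVPS project, the following Python parses a hosts file in that format, handles the edge cases a real file has (comments, blank lines, several names on one line, mixed case, malformed lines), and answers whether a given name would be blocked. The sample file and its `.invalid` hostnames are constructed placeholders; `is_blocked` and `blocked_hosts` are this example's own helpers.

```python
import ipaddress
from typing import Dict, Optional, Set

# Constructed sample in HOSTS file format (same layout the MVPS file uses).
# The blocked names are placeholders in the reserved .invalid TLD, not real sites.
SAMPLE_HOSTS = """\
# Constructed sample hosts file
127.0.0.1 localhost
::1       localhost
127.0.0.1 ads.example-blocked.invalid      # a comment after an entry
0.0.0.0   tracker.example-blocked.invalid www.tracker.example-blocked.invalid
not-an-address broken.line.invalid

127.0.0.1 Mixed.Case.Example-Blocked.INVALID
"""

# Addresses that send a connection nowhere useful: the local machine, or the unspecified address.
BLACKHOLE = {"127.0.0.1", "0.0.0.0"}


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname (lower-cased) to the address it is pinned to."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop whole-line and trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                           # an address with no names
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                           # malformed address: skip, do not guess
        for name in fields[1:]:
            # Hostnames are case-insensitive; the first entry for a name wins.
            mapping.setdefault(name.lower(), addr)
    return mapping


def resolve(mapping: Dict[str, str], name: str) -> Optional[str]:
    """Address the hosts file would answer for name, or None if DNS would be consulted."""
    return mapping.get(name.lower())


def is_blocked(mapping: Dict[str, str], name: str) -> bool:
    """True if the hosts file pins name to a black-hole address (localhost itself excluded)."""
    return name.lower() != "localhost" and resolve(mapping, name) in BLACKHOLE


def blocked_hosts(mapping: Dict[str, str]) -> Set[str]:
    """Every name the file black-holes; useful for checking what a downloaded list covers."""
    return {n for n in mapping if is_blocked(mapping, n)}


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in sorted(blocked_hosts(hosts)):
        print(f"{name} -> {hosts[name]}")
```

The same parser run over the real file on a machine (C:\WINDOWS\system32\drivers\etc\hosts on XP) shows exactly which names are black-holed, which is a quick way to confirm the MVPS file was installed and that nothing else has quietly redirected, say, an update server to an unexpected address.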
twentytwo
Newbie
18. August 2008 @ 17:09
thanks a ton for your help ^^
AfterDawn Addict
18. August 2008 @ 17:28
You're very welcome, twentytwo.

It has been a pleasure. I hope you can keep your nose clean..



2OG



Senior Member
18. August 2008 @ 23:36
I said nothing.

This message has been edited since posting. Last time this message was edited on 24. August 2008 @ 06:58

 