TechSpot

Hijackthis log

By ag8796
Jul 25, 2008
  1. Hello, recently had troubles with XP Antivirus 2008? and joke.bluescreen.c viruses? I recently removed them, or so I thought. The only problem I'm having now is that I keep getting redirected when entering a search. Here is my log

    hijackthis log
    I'm getting redirected/jump after an internet search. This was part of joke_bluescreen.c and the Antivirus 2008 virus. I do not have the blue screen or Antivirus 2008 trying to install on my computer anymore. But I do have this redirect/jump bug



    Hijacked internet
    I recently got the XP Antivirus 2008 malware along with joke_bluescreen.c. I cleaned it up but my internet seems to be hijacked. I keep getting redirected to sites I don't want to go to after I click on any of the search results. It seems to be random.

    here is my hijackthis report

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:41:43 PM, on 7/23/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
    C:\WINDOWS\CTHELPER.EXE
    C:\WINDOWS\system32\CTXFIHLP.EXE
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\McAfee\MSK\MskSrver.exe
    C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program Files\SiteAdvisor\6261\SAService.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
    O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
    O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O21 - SSODL: DbWin - {176E9D0A-08AE-BE8B-6452-08C42104380C} - C:\Program Files\sxchpsb\DbWin.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
    O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    --
    End of file - 6371 bytes
     
  2. LookinAround

    LookinAround Ex Tech Spotter Posts: 6,491   +183

    I'll have to defer to one of the "removal experts" but would state that looking through your log I'm highly suspicious of this entry:
    O21 - SSODL: DbWin - {176E9D0A-08AE-BE8B-6452-08C42104380C} - C:\Program Files\sxchpsb\DbWin.dll

    dbwin.dll is the name of a legit Windows debug file, but using known filenames is common malware practice. Do you recognize the subdirectory sxchpsb? The O21 indicates it's an autorun method, which may indicate that's how this thing (if indeed it is the problem source) is getting started in the first place.

    Suggest you install/run Autoruns
    - The status is displayed in the lower left corner of Autoruns, and you'll see it immediately starts a scan. Hit Escape to stop it. Wait till the status says Ready.
    - Click Options, click to set each of Verify Code Signatures and Hide Signed Microsoft Entries
    - Click File -> Refresh to restart the Scan
    - Wait till status indicates Ready again then File -> SaveAs and save the output as a text file. You can attach to your TechSpot Post by clicking AdvancedReply and clicking the paper clip icon
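The kind of log review described in the post above, written up as an added example; this is not part of the thread and not a HijackThis or Autoruns feature. It parses O2/O3/O4/O21/O23 lines, extracts the file each entry loads, and applies a few review heuristics: an O21 (SSODL) autorun entry is always worth a look, an O23 service with no vendor string is the log-level analogue of an unsigned entry in Autoruns, an O4 Run value with a bare file name is resolved through the search path rather than an explicit location, and a directory name made only of consonants (like sxchpsb) is a rough, constructed "looks machine-generated" check tuned to this log. The sample lines are copied from the log posted earlier in the thread.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the
thread).  It flags entries that a reviewer would want to look at by hand; it
does not decide that anything is malware."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample lines copied from the HijackThis log posted earlier in the thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O21 - SSODL: DbWin - {176E9D0A-08AE-BE8B-6452-08C42104380C} - C:\Program Files\sxchpsb\DbWin.dll
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
"""

ENTRY_RE = re.compile(r"^([OR]\d+)\s+-\s+(.*)$")
# Six or more lowercase consonants and nothing else: a rough, constructed
# heuristic for machine-generated directory names, tuned only to this log.
VOWELLESS_DIR_RE = re.compile(r"^[b-df-hj-np-tv-z]{6,}$")


@dataclass
class Entry:
    kind: str    # HijackThis section code, e.g. "O21"
    raw: str     # the original log line
    path: str    # file the entry loads, or a bare file name
    owner: str   # vendor field of an O23 service, else ""


@dataclass
class Finding:
    entry: Entry
    reasons: List[str]


def parse_line(line: str) -> Optional[Entry]:
    """Split one log line into section code, loaded file and (for O23) vendor."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, rest = m.groups()
    owner = ""
    if kind == "O23":
        # O23 - Service: <name> - <vendor> - <path>
        parts = rest.split(" - ")
        if len(parts) >= 3:
            owner = parts[-2].strip()
    if kind == "O4" and "] " in rest:
        # O4 - <hive>\..\Run: [<value name>] <command line>
        target = rest.split("] ", 1)[1].strip()
    else:
        target = rest.rsplit(" - ", 1)[-1].strip()
    if target.startswith('"'):
        path = target[1:].split('"', 1)[0]   # quoted path, arguments follow
    elif kind == "O4":
        path = target.split()[0]             # unquoted command: first token
    else:
        path = target
    return Entry(kind, line.strip(), path, owner)


def directory_names(path: str) -> List[str]:
    """Directory components of a Windows path, without drive or file name."""
    return path.split("\\")[1:-1]


def review(entry: Entry) -> List[str]:
    """Return the reasons (possibly none) an entry deserves a closer look."""
    reasons = []
    if entry.kind == "O21":
        reasons.append("O21/SSODL is an uncommon autorun location; check the DLL it loads")
    if entry.kind == "O23" and entry.owner.lower() == "unknown owner":
        reasons.append("service has no vendor string (compare: unsigned in Autoruns)")
    if entry.kind == "O4" and "\\" not in entry.path:
        reasons.append("bare file name; resolved through the search path, not an explicit location")
    for name in directory_names(entry.path):
        if VOWELLESS_DIR_RE.match(name):
            reasons.append(f"directory name {name!r} looks machine-generated")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Parse a whole log and keep only the entries that raised a reason."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = review(entry)
        if reasons:
            findings.append(Finding(entry, reasons))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding.entry.raw)
        for reason in finding.reasons:
            print("   ->", reason)
```

Run against the sample, it reports three entries: the bare CTHELPER.EXE Run value, the O21 DbWin entry (both for its location and for the sxchpsb directory name), and the PnkBstrA service with no vendor. Vendor-attributed entries such as the Adobe BHO and the McAfee service pass silently; a flag here is a prompt to check the file (signature, upload to a scanner, Autoruns), not a verdict.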
     
  3. ag8796

    ag8796 TS Rookie Topic Starter Posts: 38

    hello

    "Do your recognize the subdirectory sxchpsb?"

    absolutely not

    "I'll have to defer to one of the "removal experts' "
    So I should wait for confirmation then?

    Thank you for your help and time. Is this virus dangerous? Can I still buy online?
     
  4. LookinAround

    LookinAround Ex Tech Spotter Posts: 6,491   +183

    sorry. forgot to supply the link.

    Autoruns (click here) is a freeware tool to reveal all the many, many things that get loaded/started in Windows.
    - I don't have any info on the details of this virus. The only Google hits on the directory name turned up recent HijackThis logs.
    - Autoruns will give some more detail on this thing and offer a method to stop it from starting (but doesn't remove it)
     
  5. ag8796

    ag8796 TS Rookie Topic Starter Posts: 38

    autoruns.exe autorunsc.exe, which do i run?
     
  6. LookinAround

    LookinAround Ex Tech Spotter Posts: 6,491   +183

    autoruns.exe (just fyi... autorunsc.exe is for use from a command line prompt)
     
  7. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    Sorry LookinAround I am not stealing nor trying to jump over your help for the user
    ComboFix

    • Download ComboFix to your desktop.
    • Double click combofix.exe & follow the prompts.
    • A window will open with a warning.
    • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.

    Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

    Combofix will automatically save the log file to C:\combofix.txt

    -----------------------------

    Please download Malwarebytes' Anti-Malware from Here or Here

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the entire report in your next reply.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
     
  8. ag8796

    ag8796 TS Rookie Topic Starter Posts: 38

    cool

    here is my log for Autoruns. Hi Daniel, I will get on that right away
     
  9. LookinAround

    LookinAround Ex Tech Spotter Posts: 6,491   +183

    xxdanielxx, no problem at all. Glad you noticed the thread

    ag8796, i'll turn you over to one of the malware experts on TechSpot.

    Good luck!
     
  10. ag8796

    ag8796 TS Rookie Topic Starter Posts: 38

    thank you LookinAround

    ok here are my ComboFix and HijackThis updated logs. I am now running Malwarebytes' Anti-Malware
     
  11. ag8796

    ag8796 TS Rookie Topic Starter Posts: 38

    Malwarebytes' Anti-Malware 1.23
    Database version: 993
    Windows 5.1.2600 Service Pack 2

    9:02:29 PM 7/25/2008
    mbam-log-7-25-2008 (21-02-29).txt

    Scan type: Quick Scan
    Objects scanned: 42265
    Time elapsed: 2 minute(s), 22 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    fyi I recently ran this program to remove a ton of infections due to XP Antivirus 2008 and joke bluescreen.c. It seems all that is left is that darn redirect/jump virus. This virus used mamma.com to redirect me some of the time. I recently banned the site via Explorer.
     
  12. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    Ok I will start checking your log
     
  13. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    Did you update it and run a full scan in safe mode?
     
  14. ag8796

    ag8796 TS Rookie Topic Starter Posts: 38

    Hello

    "Did you update it and run a full scan in safe mode? "

    Anti-Malware? I did update it but did not run a full scan in safe mode, only a quick scan in normal Windows

    You want me to run a full scan in safe mode?
     
  15. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    we need to run a full scan. As soon as I am done looking at the hijackthis log I will post back
     
  16. ag8796

    ag8796 TS Rookie Topic Starter Posts: 38

    As you know this may take a while. I'll wait for your precious feedback, boss, before I do the entire full scan.
     
  17. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    • Please go to VirSCAN.org FREE on-line scan service
    • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
      • C:\Program Files\sxchpsb\DbWin.dll
    • Click on the Upload button
    • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
    • Paste the contents of the Clipboard in your next reply.
     
  18. ag8796

    ag8796 TS Rookie Topic Starter Posts: 38

    VirSCAN.org Scanned Report :
    Scanned time : 2008/07/25 21:25:59 (PDT)
    Scanner results: 3% Scanner(1/36) found malware!
    File Name : DbWin.dll
    File Size : 106496 byte
    File Type : PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bi
    MD5 : 945e9a74c777c714e7d69360bfa15b24
    SHA1 : 47e67b43a15a4a3079f30514556ffcf22aec1a10
    Online report : http://virscan.org/report/9cf84f2c79c873e41c2ff9794182743e.html

    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 3.5.0.22 2008.07.25 2008-07-25 2.38 -
    AhnLab V3 2008.07.26.00 2008.07.26 2008-07-26 0.89 -
    AntiVir 7.8.1.12 7.0.5.175 2008-07-25 2.07 -
    Arcavir 1.0.5 200807251250 2008-07-25 1.18 -
    AVAST! 3.0.1 080725-1 2008-07-25 0.66 -
    AVG 7.5.51.442 270.5.6/1574 2008-07-25 1.49 -
    BitDefender 7.60825.1389944 7.20204 2008-07-26 2.56 -
    CA (VET) 9.0.0.143 31.6.5983 2008-07-26 0.70 -
    ClamAV 0.93.3 7829 2008-07-26 0.02 -
    Comodo 2.11 2.0.0.596 2008-07-25 0.46 -
    CP Secure 1.1.0.715 2008.07.26 2008-07-26 5.48 -
    Dr.Web 4.44.0.9170 2008.07.25 2008-07-25 3.04 -
    ewido 4.0.0.2 2008.07.25 2008-07-25 2.63 -
    F-Prot 4.4.4.56 20080725 2008-07-25 0.97 -
    F-Secure 5.51.6100 2008.07.25.06 2008-07-25 2.80 -
    Fortinet 2.81-3.11 9.356 2008-07-26 1.61 -
    ViRobot 20080725 2008.07.25 2008-07-25 0.40 -
    Ikarus T3.1.01.34 2008.07.25.71162 2008-07-25 3.08 -
    JiangMin 11.0.706 2008.07.25 2008-07-25 1.15 -
    Kaspersky 5.5.10 2008.07.26 2008-07-26 0.03 -
    KingSoft 2008.1.14.15 2008.7.25.18 2008-07-25 0.99 -
    McAfee 5.2.00 5347 2008-07-25 2.64 -
    Microsoft 1.3704 2008.07.26 2008-07-26 4.70 -
    mks_vir 2.01 2008.07.25 2008-07-25 2.53 -
    Norman 5.93.01 5.93.00 2008-07-25 4.58 -
    Panda 9.05.01 2008.07.24 2008-07-24 2.08 -
    Trend Micro 8.700-1004 5.434.08 2008-07-25 0.03 -
    Quick Heal 9.50 2008.07.25 2008-07-25 1.65 -
    Rising 20.0 20.54.50.00 2008-07-26 1.16 -
    Sophos 2.75.4 4.31 2008-07-26 1.94 Mal/EncPk-DG
    Sunbelt 3.1.1536.1 2166 2008-07-25 0.84 -
    Symantec 1.3.0.24 20080725.003 2008-07-25 0.05 -
    nProtect 2008-07-25.00 1702673 2008-07-25 3.11 -
    The Hacker 6.2.96 v00389 2008-07-24 0.40 -
    VBA32 3.12.8.1 20080725.0854 2008-07-25 1.11 -
    VirusBuster 4.5.11.10 10.82.22/596792 2008-07-25 0.83 -
     
  19. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

  20. ag8796

    ag8796 TS Rookie Topic Starter Posts: 38

    ok, not sure if you'll be awake by the time I get back but I hope to God I see you tomorrow. Otherwise have a great weekend and thank you for your help and support and hope to see ya soon
     
  21. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    Yes I am always here. It will take time to run the MBAM scan
     
  22. ag8796

    ag8796 TS Rookie Topic Starter Posts: 38

    wow, 4 hours

    here is my full scan + safe mode; I'll be back in the morning with results of the other software you advised me to run

    Malwarebytes' Anti-Malware 1.23
    Database version: 993
    Windows 5.1.2600 Service Pack 2

    1:48:18 AM 7/26/2008
    mbam-log-7-26-2008 (01-48-18).txt

    Scan type: Full Scan (C:\|F:\|)
    Objects scanned: 394690
    Time elapsed: 4 hour(s), 2 minute(s), 31 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  23. LookinAround

    LookinAround Ex Tech Spotter Posts: 6,491   +183

    hey guys. I'm awake again.

    Looking at just a few posts back, am i correct it appears that C:\Program Files\sxchpsb\DbWin.dll is still suspicious code "of interest"?

    If so, and not knowing what other remedies you've tried so far for it nor how close you are to removing it, I ask xxdanielxx what's your opinion of
    1. disabling Dbwin.dll startup using Autoruns
    2. Seeing how the system runs when it's disabled (and also seeing if it has any other parts that still start up and perhaps even regenerate one another)
    3. But if disabling it at startup is sufficient, we could then plan for its removal while it is no longer running/is a threat
     
  24. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    If we disable it, it can just re-enable itself, if it has that in the code.

    Did you run the online scan
     
  25. LookinAround

    LookinAround Ex Tech Spotter Posts: 6,491   +183

    xxdanielxx

    You're probably thinking of malware which regenerates itself. That can occur when malware tries to hide a parent process or service which is responsible for regenerating files and the startup of the malware that does all the trouble. If you find the parent itself and disable it, there is nothing that can restart it. (The parent inserts itself such that it is started by a Windows autorun method.)

    (e.g. That's one reason the Vundo virus can be hard to remove. It can help to look through all the Autoruns entries to find the true parent which is started, which then regenerates everything else that you might try to disable/remove)

    /****** Edit ******/

    Using Autoruns and enabling Digital Signature Verification and hiding Signed Microsoft entries can help reduce what you need to look through in the Autoruns output. But note, just because it is not signed when the author is stated as Microsoft or Grisoft (who makes AVG), for example, it doesn't mean it's bogus or malware.
     
Topic Status:
Not open for further replies.
