Hijackthis log

Status
Not open for further replies.

ag8796

Hello, I recently had troubles with the XP Antivirus 2008(?) and Joke.Bluescreen.C(?) viruses. I recently removed them, or so I thought. The only problem I'm having now is that I keep getting redirected when entering a search. Here is my log.

HijackThis log
I'm getting redirected/jumped after an internet search. This was part of the Joke_Bluescreen.C and Antivirus 2008 virus. I do not have the blue screen or Antivirus 2008 trying to install on my computer anymore, but I do have this redirect/jump bug.



Hijacked internet
I recently got the XP Antivirus 2008 malware along with Joke_Bluescreen.C. I cleaned it up, but my internet seems to be hijacked. I keep getting redirected to sites I don't want to go to after I click on any of the search results. It seems to be random.

Here is my HijackThis report.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:41:43 PM, on 7/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O21 - SSODL: DbWin - {176E9D0A-08AE-BE8B-6452-08C42104380C} - C:\Program Files\sxchpsb\DbWin.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 6371 bytes
 
I'll have to defer to one of the "removal experts", but would state that, looking through your log, I'm highly suspicious of this entry:
O21 - SSODL: DbWin - {176E9D0A-08AE-BE8B-6452-08C42104380C} - C:\Program Files\sxchpsb\DbWin.dll

dbwin.dll is the name of a legit Windows debug file, but using known filenames is common malware practice. Do you recognize the subdirectory sxchpsb? The O21 indicates it's an autorun method, which may indicate that's how this thing (if indeed it is the problem source) is getting started in the first place.

Suggest you install/run Autoruns
- The status is displayed in the lower left corner of Autoruns, and you'll see it immediately starts a scan. Hit Escape to stop it. Wait till the status says Ready.
- Click Options, then check both Verify Code Signatures and Hide Signed Microsoft Entries
- Click File -> Refresh to restart the scan
- Wait till the status indicates Ready again, then File -> Save As and save the output as a text file. You can attach it to your TechSpot post by clicking Advanced Reply and clicking the paper clip icon
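The O21 entry singled out above is the kind of thing a script can surface from a HijackThis log before anyone eyeballs it. What follows is an added example, not code from this thread, from HijackThis, or from any vendor: it parses HJT v2 entry lines and scores each one on the signals discussed in this post (an autostart section, a path outside any known vendor directory, a generated-looking directory name, an "Unknown owner" service). The vendor allowlist, the random-name heuristic and the sample lines (copied from the log above) are constructed assumptions for illustration, not published detection rules.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Added example (not from this thread, HijackThis, or any vendor). The
# allowlist below and looks_random() are the author's assumptions, built only
# from what is visible in the posted log.

ENTRY = re.compile(r"^(?P<sec>[OR]\d+) - (?P<body>.*)$")
# First drive-letter path ending in an executable/library extension.
WIN_PATH = re.compile(r"(?i)[a-z]:\\.+?\.(?:dll|exe|ocx)\b")

# HJT sections that load code without any user action.
AUTOSTART = {
    "O4": "Run key",
    "O21": "ShellServiceObjectDelayLoad (SSODL)",
    "O23": "Windows service",
}

# Assumed allowlist: install directories of vendors seen elsewhere in the log.
KNOWN_VENDOR_DIRS = (
    "c:\\windows\\", "c:\\program files\\mcafee", "c:\\progra~1\\mcafee",
    "c:\\progra~1\\common~1\\mcafee", "c:\\program files\\siteadvisor",
    "c:\\program files\\google", "c:\\program files\\lavasoft",
    "c:\\program files\\nvidia corporation", "c:\\program files\\winamp",
    "c:\\program files\\adobe", "c:\\program files\\common files\\adobe",
    "c:\\program files\\logitech", "c:\\program files\\viewpoint",
    "c:\\program files\\trend micro", "c:\\program files\\internet explorer",
)

VOWELS = set("aeiou")


def looks_random(segment: str) -> bool:
    """Weak heuristic: a lowercase, all-letter, vowel-free name of 5+ chars
    (like 'sxchpsb') is more likely generated than chosen by a vendor."""
    return (segment.isalpha() and segment.islower() and len(segment) >= 5
            and not (VOWELS & set(segment)))


@dataclass
class Finding:
    section: str
    body: str
    path: Optional[str]
    reasons: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def extract_path(body: str) -> Optional[str]:
    m = WIN_PATH.search(body)
    return m.group(0) if m else None


def in_known_vendor_dir(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(prefix) for prefix in KNOWN_VENDOR_DIRS)


def assess(line: str) -> Optional[Finding]:
    """Finding for one HJT entry line; None for header/process-list lines."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    f = Finding(sec, body, extract_path(body))
    if sec in AUTOSTART and f.path is None:
        f.reasons.append(f"{AUTOSTART[sec]} entry has no absolute path; "
                         "the binary is located by search order")
    if f.path:
        if not in_known_vendor_dir(f.path):
            f.reasons.append("path is outside every known vendor directory")
        for seg in f.path.split("\\")[:-1]:
            if looks_random(seg):
                f.reasons.append(f"directory name {seg!r} looks generated")
    if sec == "O21":
        f.reasons.append("SSODL load point: Explorer loads this DLL at shell start")
    if sec == "O23" and "Unknown owner" in body:
        f.reasons.append("service binary carries no vendor in its version info")
    return f


def triage(lines) -> List[Finding]:
    """Entries with at least one reason, most suspicious first."""
    findings = [f for f in map(assess, lines) if f and f.reasons]
    return sorted(findings, key=lambda f: f.score, reverse=True)


# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O21 - SSODL: DbWin - {176E9D0A-08AE-BE8B-6452-08C42104380C} - C:\Program Files\sxchpsb\DbWin.dll
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.score}] {f.section} {f.path or f.body}")
        for r in f.reasons:
            print("     -", r)
```

On the sample the DbWin line comes out on top with three reasons, while the McAfee BHO and service lines produce none; the path-less CTHelper Run entry and the "Unknown owner" PnkBstrA service each get a single low-weight note, which is the right level for entries a human should glance at but not panic over. Feed it a whole saved HJT log (one line per list element) and read the top of the output first.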
 
Hello

"Do you recognize the subdirectory sxchpsb?"

Absolutely not.

"I'll have to defer to one of the "removal experts""
So I should wait for confirmation then?

Thank you for your help and time. Is this virus dangerous? Can I still buy online?
 
Sorry, forgot to supply the link.

Autoruns (click here) is a freeware tool to reveal all the many, many things that get loaded/started in Windows.
- I don't have any details on this virus. The only Google hits on the directory name turned up recent HijackThis logs.
- Autoruns will give some more detail on this thing and offer a method to stop it from starting (but doesn't remove it)
 
Sorry LookinAround, I am not stealing nor trying to jump over your help for the user.
ComboFix

  • Download ComboFix to your desktop.
  • Double click combofix.exe & follow the prompts.
  • A window will open with a warning.
  • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.

Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. ComboFix is a very powerful tool, so please do NOT do anything without instruction.

Combofix will automatically save the log file to C:\combofix.txt

-----------------------------

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
 
xxdanielxx, no problem at all. Glad you noticed the thread.

ag8796, I'll turn you over to one of the malware experts on TechSpot.

Good luck!
 
Thank you, LookinAround.

OK, here are my updated ComboFix and HijackThis logs. I am now running Malwarebytes' Anti-Malware.
 
Malwarebytes' Anti-Malware 1.23
Database version: 993
Windows 5.1.2600 Service Pack 2

9:02:29 PM 7/25/2008
mbam-log-7-25-2008 (21-02-29).txt

Scan type: Quick Scan
Objects scanned: 42265
Time elapsed: 2 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

FYI, I recently ran this program to remove a ton of infections due to XP Antivirus 2008 and Joke.Bluescreen.C. It seems all that is left is that darn redirect/jump virus. This virus used mamma.com to redirect me some of the time. I recently banned the site via Explorer.
 
Hello

"Did you update it and run a full scan in safe mode? "

Anti-Malware? I did update it, but did not run a full scan in safe mode, only a quick scan in normal Windows.

You want me to run a full scan in safe mode?
 
As you know, this may take a while. I'll wait for your precious feedback, boss, before I do the entire full scan.
 
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box at the top of the page:
    • C:\Program Files\sxchpsb\DbWin.dll
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
 
VirSCAN.org Scanned Report :
Scanned time : 2008/07/25 21:25:59 (PDT)
Scanner results: 3% Scanner(1/36) found malware!
File Name : DbWin.dll
File Size : 106496 byte
File Type : PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
MD5 : 945e9a74c777c714e7d69360bfa15b24
SHA1 : 47e67b43a15a4a3079f30514556ffcf22aec1a10
Online report : http://virscan.org/report/9cf84f2c79c873e41c2ff9794182743e.html

Scanner      Engine Ver        Sig Ver            Sig Date    Time  Scan result
a-squared    3.5.0.22          2008.07.25         2008-07-25  2.38  -
AhnLab V3    2008.07.26.00     2008.07.26         2008-07-26  0.89  -
AntiVir      7.8.1.12          7.0.5.175          2008-07-25  2.07  -
Arcavir      1.0.5             200807251250       2008-07-25  1.18  -
AVAST!       3.0.1             080725-1           2008-07-25  0.66  -
AVG          7.5.51.442        270.5.6/1574       2008-07-25  1.49  -
BitDefender  7.60825.1389944   7.20204            2008-07-26  2.56  -
CA (VET)     9.0.0.143         31.6.5983          2008-07-26  0.70  -
ClamAV       0.93.3            7829               2008-07-26  0.02  -
Comodo       2.11              2.0.0.596          2008-07-25  0.46  -
CP Secure    1.1.0.715         2008.07.26         2008-07-26  5.48  -
Dr.Web       4.44.0.9170       2008.07.25         2008-07-25  3.04  -
ewido        4.0.0.2           2008.07.25         2008-07-25  2.63  -
F-Prot       4.4.4.56          20080725           2008-07-25  0.97  -
F-Secure     5.51.6100         2008.07.25.06      2008-07-25  2.80  -
Fortinet     2.81-3.11         9.356              2008-07-26  1.61  -
ViRobot      20080725          2008.07.25         2008-07-25  0.40  -
Ikarus       T3.1.01.34        2008.07.25.71162   2008-07-25  3.08  -
JiangMin     11.0.706          2008.07.25         2008-07-25  1.15  -
Kaspersky    5.5.10            2008.07.26         2008-07-26  0.03  -
KingSoft     2008.1.14.15      2008.7.25.18       2008-07-25  0.99  -
McAfee       5.2.00            5347               2008-07-25  2.64  -
Microsoft    1.3704            2008.07.26         2008-07-26  4.70  -
mks_vir      2.01              2008.07.25         2008-07-25  2.53  -
Norman       5.93.01           5.93.00            2008-07-25  4.58  -
Panda        9.05.01           2008.07.24         2008-07-24  2.08  -
Trend Micro  8.700-1004        5.434.08           2008-07-25  0.03  -
Quick Heal   9.50              2008.07.25         2008-07-25  1.65  -
Rising       20.0              20.54.50.00        2008-07-26  1.16  -
Sophos       2.75.4            4.31               2008-07-26  1.94  Mal/EncPk-DG
Sunbelt      3.1.1536.1        2166               2008-07-25  0.84  -
Symantec     1.3.0.24          20080725.003       2008-07-25  0.05  -
nProtect     2008-07-25.00     1702673            2008-07-25  3.11  -
The Hacker   6.2.96            v00389             2008-07-24  0.40  -
VBA32        3.12.8.1          20080725.0854      2008-07-25  1.11  -
VirusBuster  4.5.11.10         10.82.22/596792    2008-07-25  0.83  -
 
OK, not sure if you'll be awake by the time I get back, but I hope to God I see you tomorrow. Otherwise have a great weekend, and thank you for your help and support; hope to see ya soon.
 
Wow, 4 hours.

Here is my full scan in safe mode; I'll be back in the morning with results of the other software you advised me to run.

Malwarebytes' Anti-Malware 1.23
Database version: 993
Windows 5.1.2600 Service Pack 2

1:48:18 AM 7/26/2008
mbam-log-7-26-2008 (01-48-18).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 394690
Time elapsed: 4 hour(s), 2 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
Hey guys, I'm awake again.

Looking at just a few posts back, am I correct that it appears C:\Program Files\sxchpsb\DbWin.dll is still suspicious code "of interest"?

If so, and not knowing what other remedies you've tried so far for it nor how close you are to removing it, I ask xxdanielxx: what's your opinion of
1. disabling the DbWin.dll startup using Autoruns
2. seeing how the system runs when it's disabled (and also seeing if it has any other parts that still start up and perhaps even regenerate one another)
3. and if disabling it at startup is sufficient, then planning for its removal while it is no longer running/is no longer a threat
 
If we disable it, it can just re-enable itself, if it has that in the code.

Did you run the online scan?
 
xxdanielxx

You're probably thinking of malware which regenerates itself. That can occur when malware tries to hide a parent process or service which is responsible for regenerating files and the startup of the malware that does all the trouble. If you find the parent itself and disable it, there is nothing that can restart it. (The parent inserts itself such that it is started by a Windows autorun method.)

(e.g. That's one reason the Vundo virus can be hard to remove. It can help to look through all the Autoruns entries to find the true parent, which is started and then regenerates everything else that you might try to disable/remove.)

/****** Edit ******/

Using Autoruns and enabling Digital Signature Verification and hiding signed Microsoft entries can help reduce what you need to look through in the Autoruns output. But note that just because an entry is not signed when the author is stated as Microsoft or Grisoft (who makes AVG), for example, it doesn't mean it's bogus or malware.
 