HJT logfile - can see anything ?

Status
Not open for further replies.

mercjoe

Posts: 17   +0
Hey guys,

This is my old Presario which I use for surfing the net. I don't care much about it
till things start getting annoying. Windows Explorer seems to be doing some weird stuff.
A folder will open on startup (I think it's "Documents and settings/myuser").
Also a little process window "updating ....something" appears and goes in less than a second on startup. I think this last one started after a Firefox update failed some time ago.

Now I also found 2 iexplore.exe processes running at the same time. Gee.

Below is my HijackThis logfile, hope anyone can help me.

Thanks
Diego
 
The logfile :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:05, on 21/04/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\WINNT\system32\internat.exe
C:\Archivos de programa\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINNT\explorer.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.superwebsearch.com/ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.phonemedia.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.phonemedia.it
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.superwebsearch.com/ie/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 201.216.206.145:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - URLSearchHook: (no name) - {00000000-15D9-4736-AB29-131578A45F2B} - (no file)
R3 - URLSearchHook: Barra Yahoo! con bloqueador de ventanas emergentes - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: Shell=explorer.exe "
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Skype] "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Archivos de programa\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: AutorunsDisabled
O4 - Startup: Hacer.txt
O4 - Global Startup: AutorunsDisabled
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.phonemedia.it
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O20 - Winlogon Notify: AutorunsDisabled - C:\WINNT\
O23 - Service: Servicio del administrador de discos lógicos (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Archivos de programa\Archivos comunes\SolidWorks Shared\Service\SolidWorksLicensing.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 3657 bytes
 
oooh, a Compaq. I'm so sorry =(

Posted too soon without refreshing; updating after reading your post...

Looks like a spambot... AdAware and SpyBot are usually good options. I'll let the experts here handle the log.
 
I need you to follow all the steps HERE and then post back with the three requested logs as attachments
  • AVG antispyware
  • ComboFix
  • Hijackthis (step 15)

Don't forget to make sure that AVG is set to quarantine the results, that HJT is the last step and to let us know the results of the antirootkit scan.
 
All steps

Ok Kritius, I will do all the steps.
Is there a freeware AVG version? I just found a trial one so far.

Thanks for answering.
D.


kritius said:
I need you to follow all the steps HERE and then post back with the three requested logs as attachments
  • AVG antispyware
  • ComboFix
  • Hijackthis (step 15)

Don't forget to make sure that AVG is set to quarantine the results, that HJT is the last step and to let us know the results of the antirootkit scan.
 
That's the one you want; after the thirty-day trial period you just get the limited version.
 
Finally the Logs

Hey guys,

So here are my Combofix, AVG AntiSpyware and HJT log files.

PAVARK threw no rootkits found =)

When I first ran AVG it didn't generate any report; on the second scan it did, but of course nothing was detected then. Anyhow, the following entries are listed in quarantine from the first scan:

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{8E718888-423F-11D2-876E-00A0C9082467} (&Rradio) Low

C:\WINNT\system32\msdxm.ocx (&Rradio) Low

C:\WINNT\Downloaded Program Files\sdmtb.cab (Adware MyTool) Medium

HKU\S-1-5-21-2052111302-1060284298-842925246-1000\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} (Adware.Generic) Medium

C:\NewDownloads\Adobe Illustrator CS KeyGen SSG.exe (Trojan.Agent.cj) High
C:\dev\index.html (Downloader.Psyme.fl) High

The last one seems odd... that's a file I did myself....

Can anyone tell how clean my old warrior is now?
Thanks in advance for your help.


Diego
 
Fix entries using HiJackThis
  • Launch HiJackThis
  • Click the Do a system scan only button
  • Put a check next to the entries listed below
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 201.216.206.145:80
R3 - URLSearchHook: (no name) - {00000000-15D9-4736-AB29-131578A45F2B} - (no file)
R3 - URLSearchHook: Barra Yahoo! con bloqueador de ventanas emergentes - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O20 - Winlogon Notify: AutorunsDisabled - C:\WINNT\
O24 - Desktop Component 0: (no name) - (no file)

  • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
  • Click the Fix checked button and close HiJackThis
  • Reboot HijackThis if necessary

Update your Java Runtime Environment
  • First try going to Start -> Control Panel -> double click Java
  • Select the Update Tab at the top
  • Click the Check for Updates button at the bottom
  • If it finds the newer version (Java 6 Update 5) Follow the on screen instructions
  • After it installs the newest version Go back to Control Panel -> Add/remove programs
  • Uninstall any older versions of Java

If for some reason you couldn't update through the above instructions.
  • Click the following link
    Java Runtime Environment 6 Update 5
  • The 4th option down is the one you want (click Download)
  • Check the box to agree to terms of service
  • Check the box for your operating system and click 'Download selected' at the bottom
  • After the install Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall any old versions
  • Navigate to C:\programfiles\Java -> delete any subfolders except the jre1.6.0_05 folder

I don't see an antivirus program installed.

Today's internet is simply suicide without an up to date antivirus.
Not much point in you and I cleaning up the system if you refuse to protect yourself.
However -- if you don't understand or cannot install an antivirus -- please let me know.

Please download ONE of the following antivirus programs and install it.
Once installed, Update it, run full system scan with it and allow it to fix up what it wants.
Reboot if it fixed anything.

You should get a firewall as well, either,

I think that the lack of antivirus or firewall, BitTorrent software and the extreme amounts of porn on this computer is where the infection came in.
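The entries kritius picked out above share a few recognisable traits: a ProxyServer value that points at an IP outside the machine's own network, hooks and BHOs that reference "(no file)", and "AutorunsDisabled" placeholders left behind after something was switched off in Sysinternals Autoruns. The following script is an added example and is not part of this thread or of HijackThis itself; it encodes those three heuristics (my own assumptions about why those lines were chosen) as a small triage pass over HijackThis-format lines, using entries copied from the log posted above as its sample input.

```python
import ipaddress
import re

# Sample input: HijackThis entries copied from the log posted earlier in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.superwebsearch.com/ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.phonemedia.it/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 201.216.206.145:80
R3 - URLSearchHook: (no name) - {00000000-15D9-4736-AB29-131578A45F2B} - (no file)
R3 - URLSearchHook: Barra Yahoo! con bloqueador de ventanas emergentes - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O20 - Winlogon Notify: AutorunsDisabled - C:\WINNT\
O24 - Desktop Component 0: (no name) - (no file)
"""

# Every HijackThis entry starts with a section code (R0, O2, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<type>[A-Z]\d+) - (?P<body>.*)$")


def parse_entries(log_text):
    """Return (section_code, body) tuples for each HijackThis entry line."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group("type"), match.group("body")))
    return entries


def proxy_is_external(body):
    """True if an R1 ProxyServer entry points at a public (non-private) IPv4/IPv6 address.

    Hostnames are not resolved here, so a proxy given by name is left for manual review
    (an assumption of this example: only literal IPs are auto-flagged).
    """
    if "ProxyServer" not in body:
        return False
    value = body.split("=", 1)[1].strip()
    host = value.rsplit(":", 1)[0]  # strip the ":port" suffix
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not (ip.is_private or ip.is_loopback)


def triage(log_text):
    """Apply the heuristics and return [(entry_line, [reasons]), ...] for flagged entries."""
    findings = []
    for etype, body in parse_entries(log_text):
        reasons = []
        if "(no file)" in body:
            reasons.append("references a file that no longer exists")
        if "AutorunsDisabled" in body:
            reasons.append("leftover placeholder from a disabled Autoruns entry")
        if etype == "R1" and proxy_is_external(body):
            reasons.append("proxy points at a non-private IP address")
        if reasons:
            findings.append((f"{etype} - {body}", reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(entry)
        for reason in reasons:
            print(f"    -> {reason}")
```

Run on the sample, the script flags exactly the seven entries kritius listed for fixing, and leaves the toolbar, Run key and start-page lines alone. The heuristics are deliberately narrow: a "(no file)" entry is dead and safe to remove, an AutorunsDisabled placeholder is clutter, and an unexpected external proxy is worth questioning, but a real review still reads the remaining entries by hand.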
 
Thanks so much Kritius.
About getting an antivirus and firewall I have my doubts, I'll open a new thread to discuss it if none is already there.
 
What doubts do you have? You at least need an antivirus, that goes without question.

Post a fresh log and I'll see how it's looking.
 
Boot into safe mode,

open HijackThis and fix these two,

O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O24 - Desktop Component 0: (no name) - (no file)
 
I will do K.

kritius said:
Boot into safe mode,

open HijackThis and fix these two,

O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O24 - Desktop Component 0: (no name) - (no file)
 