TechSpot

Loads of popups...please review my HijackThis log

By adamthemute
Mar 7, 2008
  1. Hi!

    I'm having some issues with spyware (possibly a virus too). Something seems to be hanging around after spyware scans and deletions of spyware programs! I just dunno what to do now...

    Attached is my HijackThis log (couple posts down). Any help would be greatly appreciated!

    Adam
     
  2. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    First please go to Start -> Control Panel -> Add/remove programs and uninstall Hijackthis.

    Next, please follow these instructions; your version of HijackThis is out of date.

    HijackThis Instructions
    • Make sure you have the LATEST version of HJT (currently v2.0.0.2); it can be downloaded from HERE.
    • Run the HijackThis installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
    • After installing, the program launches automatically; select Scan now and save a log.
    • After the scan is complete please attach your log onto the forums using the paper clip icon above your reply.
     
  3. adamthemute

    adamthemute TS Rookie Topic Starter

    Alright, got the new version! Edited the first post.
     
  4. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Just post the new log as an attachment in your next reply; the previous attachment is still showing the older version.

    Edit: never mind, it is changed now.
     
  5. adamthemute

    adamthemute TS Rookie Topic Starter

    Proper HijackThis log:
     
  6. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Some nasties on there.

    Start -> Control Panel -> Administrative Tools -> double click Services

    Stop the Indexing Helps (Indexingbox) - C:\WINDOWS\system\svchest.exe
    service from running by right-clicking it and choosing Stop. Right-click again and choose Properties. In the Properties dialog box that appears, choose Manual from the Startup Type drop-down list and choose Disabled.
    -------------------------------------------------------------------------------------------------------
    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally, paste the contents of the Report.txt back on the forum with a new HijackThis log.


    This will not remove all of the infections - I will wait for your reply before going further
     
  7. kritius

    kritius TS Guru Posts: 2,084

    Do you know these IPs?

    142.161.2.155 142.161.130.155
     
  8. adamthemute

    adamthemute TS Rookie Topic Starter

    No I don't!


    Here's the new HijackThis log...
     
  9. adamthemute

    adamthemute TS Rookie Topic Starter

    ...and here's the SDFix report!

    Thanks!
     
  10. adamthemute

    adamthemute TS Rookie Topic Starter

    Oh...and about the Indexing Helps (Indexingbox)...

    It was already Stopped. I did change it from automatic to disabled though.
     
  11. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    That worked great. Now we need to get the rest of it. Print this part out, or copy and paste it to Notepad and save it on your desktop, because you won't be able to see this from Safe Mode.

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Run Hijackthis and Select Do A System Scan Only
    Put a check mark next to the following entries:
    O4 - HKLM\..\Run: [xydzyh] C:\WINDOWS\system32\xydzyh.exe
    O4 - HKLM\..\Run: [507d59cc] rundll32.exe "C:\WINDOWS\system32\aexeevhp.dll",b
    O4 - HKLM\..\Run: [BM534e6a50] Rundll32.exe "C:\WINDOWS\system32\rfmqvmtd.dll",s
    O4 - HKCU\..\Run: [Rsse] "C:\PROGRA~1\COMMON~1\DOBE~1\wuauboot.exe" -vt yazb
    O4 - HKCU\..\Run: [Zsy] C:\WINDOWS\system32\?icrosoft.NET\i?xplore.exe


    Select Fix Checked

    Close Hijackthis
    ------------------------------------------------------------------------------------------------------
    Show hidden files through windows explorer
    • Access Windows Explorer by clicking Start, point to All Programs, Accessories, and then click Windows Explorer. Or hold the Windows key and press E.
    • On the Tools menu in Windows Explorer, click Folder Options.
    • Click the View tab.
    • Under Hidden files and folders, click Show hidden files and folders and turn Hide protected operating system files off.
    ---------------------------------------------------------------------------------------------------------
    The files that we are looking for will likely be at the very bottom of the folder, out of alphabetical order.
    To double-check whether they are good or bad, right-click them and click Properties. If it is a valid Microsoft file, it will say so.


    Use Windows Explorer to navigate to and delete the following files:

    Files:
    C:\WINDOWS\system32\xydzyh.exe <- This file only
    C:\WINDOWS\system32\aexeevhp.dll <- This file only
    C:\WINDOWS\system32\rfmqvmtd.dll <- This file only
    C:\PROGRAMFILES\COMMONFILES\DOBE~1\wuauboot.exe <- This file only

    Folders:
    C:\WINDOWS\system32\microsoft.NET <- This Folder Only (check the contents for iexplore.exe before deleting)

    Restart your computer into normal mode

    Run a new scan with Hijackthis and attach the log
     
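As an added illustration (not part of the thread, and not HijackThis or TechSpot code): a small Python script that parses O4 Run entries like the five Blind Dragon lists above and flags the traits that make them stand out in a log: a value name that is just hex, a path with lookalike or non-ASCII characters, an 8.3 short path written into a Run key, an executable or DLL name with no vowels, and rundll32 calling a one-letter export. The sample log is constructed from the entries quoted in the post plus one ordinary-looking entry (ExampleUpdater, invented for contrast); the heuristics are this example's own assumptions, not HijackThis's logic, and a hit means "look closer" rather than "delete".

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the five O4 entries quoted in the post above, plus one
# ordinary-looking entry (ExampleUpdater, invented here) that should not be flagged.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe" /quiet
O4 - HKLM\..\Run: [xydzyh] C:\WINDOWS\system32\xydzyh.exe
O4 - HKLM\..\Run: [507d59cc] rundll32.exe "C:\WINDOWS\system32\aexeevhp.dll",b
O4 - HKLM\..\Run: [BM534e6a50] Rundll32.exe "C:\WINDOWS\system32\rfmqvmtd.dll",s
O4 - HKCU\..\Run: [Rsse] "C:\PROGRA~1\COMMON~1\DOBE~1\wuauboot.exe" -vt yazb
O4 - HKCU\..\Run: [Zsy] C:\WINDOWS\system32\?icrosoft.NET\i?xplore.exe
"""

# O4 line layout: "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# rundll32 <dll>,<export>  (the DLL path may be quoted)
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S+)', re.IGNORECASE
)
VOWELS = set("aeiou")


@dataclass
class Finding:
    name: str
    cmd: str
    reasons: list = field(default_factory=list)


def image_path(cmd: str) -> str:
    """First token of the command line: a quoted path or a bare word."""
    m = re.match(r'"([^"]+)"|(\S+)', cmd)
    return m.group(1) or m.group(2)


def file_stem(path: str) -> str:
    """Basename without extension, e.g. 'xydzyh' from 'C:\\...\\xydzyh.exe'."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def looks_generated(stem: str) -> bool:
    """Heuristic (assumption): 5+ letters and not one vowel reads as machine-generated."""
    letters = [c for c in stem.lower() if c.isalpha()]
    return len(letters) >= 5 and not any(c in VOWELS for c in letters)


def assess(name: str, cmd: str) -> list:
    """Return the suspicious traits found in one O4 entry (empty list if none)."""
    reasons = []
    if re.fullmatch(r"(BM)?[0-9a-f]{6,}", name):
        reasons.append("auto-generated hex value name")
    if any(c == "?" or ord(c) > 126 for c in cmd):
        reasons.append("non-ASCII or lookalike characters in path")
    if re.search(r"~\d", cmd):
        reasons.append("8.3 short path (installers normally write long paths)")
    if looks_generated(file_stem(image_path(cmd))):
        reasons.append("random-looking executable name")
    m = RUNDLL_RE.match(cmd)
    if m:
        dll = m.group("dll")
        if "\\system32\\" in dll.lower() and looks_generated(file_stem(dll)):
            reasons.append("rundll32 loading a random-looking DLL from system32")
        if len(m.group("export")) == 1:
            reasons.append("rundll32 calling a single-letter export")
    return reasons


def analyze_o4(log_text: str) -> list:
    """Parse every O4 line of a HijackThis log; keep entries with at least one trait."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        reasons = assess(m.group("name"), m.group("cmd"))
        if reasons:
            findings.append(Finding(m.group("name"), m.group("cmd"), reasons))
    return findings


if __name__ == "__main__":
    for f in analyze_o4(SAMPLE_LOG):
        print(f"[{f.name}] {f.cmd}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run it on a saved log by passing the file's contents to analyze_o4(); the benign ExampleUpdater line produces no finding, each of the five quoted entries produces at least one, and the reasons printed are exactly the cues the post above uses to decide what to fix.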
  12. adamthemute

    adamthemute TS Rookie Topic Starter

    And done!

    Attached log below:
     
  13. adamthemute

    adamthemute TS Rookie Topic Starter

    I couldn't find: C:\PROGRAMFILES\COMMONFILES\DOBE~1\wuauboot.exe

    ...searched for it as well.
     
  14. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Did you try searching for just wuauboot.exe?

    --------------------------------------------------------------------------------------------------------------------------------------------------------------------
    Perfect! Just to confirm the O17 entry: do you live in Canada? I think it is fine, but better safe than sorry.

    First of all, I don't see a firewall installed; I would install one of these free firewall programmes:
    ZoneAlarm, Kerio or Comodo

    -------------------------------------------------------------------------------------------------------
    You can uninstall SDFix
    --------------------------------------------------------------------------------------------------------
    The latest Java update just came out.
    Update your Java Runtime Environment
    • First try going to Start -> Control Panel -> double click Java
    • Select the Update tab at the top
    • Click the Check for Updates button at the bottom
    • If it finds the newer version (Java 6 Update 5), follow the on-screen instructions
    • After it installs the newest version, go back to Control Panel -> Add/remove programs
    • Uninstall any older versions of Java

    If for some reason you couldn't update through the above instructions:
    • Click the following link
      Java Runtime Environment 6 Update 5
    • The 4th option down is the one you want (click Download)
    • Check the box to agree to terms of service
    • Check the box for your operating system and click 'Download selected' at the bottom
    • After the install, go to Start -> Control Panel -> Add/remove programs (Programs and Features), and uninstall any old versions
    • Navigate to C:\programfiles\Java -> delete any subfolders except the jre1.6.0_05 folder
    -------------------------------------------------------------------------------------------------------

    After Java is up to date:

    :Set correct settings for files:
    • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
    • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
    • If unchecked, please check Hide protected operating system files (Recommended)
    • If necessary check "Display content of system folders"
    • If necessary, uncheck Hide file extensions for known file types.
    • Click OK

    :clear system restore points:

    • This is a good time to clear your existing system restore points and establish a new clean restore point:
      • Go to Start > All Programs > Accessories > System Tools > System Restore
      • Select Create a restore point, and Ok it.
      • Next, go to Start > Run and type in cleanmgr
      • Select the More options tab
      • Choose the option to clean up system restore and OK it.
      This will remove all restore points except the new one you just created.
    -------------------------------------------------------------------------------------------------------
    I also recommend you download, install, update (and keep updated) and immunize with Spybot S&D.

    Spybot Search and Destroy
    • Download and install the latest version of Spybot - Search & Destroy (currently 1.5.2) (If you already have this version please open it, update, immunize, and Check for problems under search and destroy)
    • When you have downloaded the program, double click on the downloaded file to start the installation. Follow the default selections, agreeing to the user agreements, and pressing the Next button until you get to the Select Additional Tasks screen.
    • Press the Next button and then the Install button to start the installation process.
    • Check Run Spybot S&D and press Finish. Spybot - S&D will now start.
    • The first screen asks if you want to back up your registry in order to be able to restore from it in the future. This can cause no harm, so it is a worthwhile task to do. You should click on the Create registry backup button.
    • Click on the Search for updates button. If updates are available, then select the Download all available updates button.
    • When the updates are installed, click on the Next button.
    • You should now click on the Immunize this system button. When it finishes, click on the Next button.
    • Then click on the button labeled Start using this program to begin using Spybot - Search & Destroy.
    • For help with any problems, please see this guide: Spybot tutorial
    -------------------------------------------------------------------------------------------------------

    If you have any more problems please use this thread.

    The instructions in this thread are for the use of adamthemute only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
Topic Status:
Not open for further replies.
