My first post here, Hijack This post

Status
Not open for further replies.

XracerX05
I've been reading for some time on here about getting rid of malware, spyware, viruses... I got something a week or so ago that disabled my task manager. I read a post on here that gave a command to put in (((Run: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f ))). The command seems to have worked; it brought back the task manager, even after restarts. The AVG scan didn't turn anything up, nor did the Trend Micro scan online. I think the problem may be fixed, but I just want to be sure that there isn't anything lurking around or running and able to obtain passwords, logins, etc... I got that HijackThis program and ran a log, if I may post it here. If anyone can look through all this Greek for me and maybe tell me if it looks like any spyware, malware, or critters are running, it would be much appreciated.

Here goes....
 
I didn't check everything in the log, but enough to tell you that:

1. AVG is out of date. v7 is no longer being supported. The current version is v8. Please update ASAP.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

2. You have malware:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

Please refer to the cleaning process which will include running Malwarebytes, SuperAntispyware and rescanning with HijackThis:
See https://www.techspot.com/vb/post645589-1.html

We'll be glad to help after you have run the programs and attached all three logs.
 
Thank you very much. I ran Malwarebytes; it picked up a bunch of stuff. Java is current and checked. SuperAntispyware is running now and has detected 2 so far in the scan. It's getting late, I will let these finish out and post the logs tomorrow. Looks like I might be getting rid of this stuff finally. Thanks again.
 
A reminder: it's the antivirus program AVG that needs to be updated. Please attach all three logs when you finish running the programs and we'll check them.
 
I've got the free version of AVG 7.5. I looked on their website, and I've gotta figure out which 8.0 to d-load. That's next on the agenda. But here are those log files... Let me know whatcha think. Thanks very much.
 
I hate to nag, but you have got to get the AV updated: Download this from here:
AVG Anti-Virus Free Edition 8.0: http://free.avg.com/download?prd=afe

NOTE: Download the setup and SAVE to the desktop. Don't run yet.

Please re-open HiJackThis and scan. *Check* the boxes next to all the entries listed below.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
(This is the About:blank Homepage Hijacker.)
O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
(Dell printer software - reports back on printer and cartridge usage. You do not need this running!)
O4 - HKLM\..\Policies\Explorer\Run: [kl0HLhzaPL] C:\Documents and Settings\All Users\Application Data\gzqfcjex\abslurcx.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
(Left over from an online scan)
O21 - SSODL: ChkHlp - {191AC1A7-66E5-1C75-D7C9-014D8DAD4EF2} - C:\Program Files\xsbbbfg\ChkHlp.dll (file missing)
Please include removal of any processes for the AV you do not want to keep.
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode:
Start> Run> type in 'msconfig' without quotes> enter> Selective Startup> Startup tab> UNCHECK everything except the processes for the AV program. I don't see a touchpad process, but if you have a laptop, the touchpad will need to be on Startup> Apply> OK>

Reboot. You will get a nag message that you can ignore and close after checking 'don't show this message again'. Stay in Selective Startup.

Now go offline> File> Work Offline. Run the AVG program from the desktop to install.
Go back online and run update for AVG, then run an initial scan.

Have SuperAntispyware remove its findings. Run HijackThis again and post the log. We will remove any left-over entries as well as uninstall the AV you don't want.
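The HijackThis entries above (the O4 Run / Policies\Explorer\Run items, the O21 SSODL entry with a missing DLL) and the DisableTaskMgr policy reset in the first post are all plain registry locations. The script below is an added example, not code from the original thread or from HijackThis, that checks those same locations from PowerShell so you can confirm a fix held after a reboot. The registry paths are the real ones; the "SUSPECT" heuristics (executables under app-data directories, random-looking value names, anything at all in Policies\Explorer\Run) are this example's own assumptions, not HijackThis rules.

```powershell
# Added example (not from the thread or HijackThis). Run in an elevated
# PowerShell 5.1+ session on Windows; it only reads the registry.

# 1. The policy the original poster reset with REG add. A value of 1 here
#    greys out Task Manager (DisableTaskMgr) or regedit (DisableRegistryTools).
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
foreach ($k in $policyKeys) {
    foreach ($v in 'DisableTaskMgr', 'DisableRegistryTools') {
        $val = (Get-ItemProperty -Path $k -Name $v -ErrorAction SilentlyContinue).$v
        if ($val) { Write-Warning "$k\$v = $val (set by policy or by malware)" }
    }
}

# 2. Autostart values HijackThis lists as O4. Policies\Explorer\Run is almost
#    never populated legitimately; it is where the abslurcx.exe entry lived.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... metadata
        $cmd = [string]$p.Value
        $flags = @()
        # Heuristics (assumptions of this example, not HijackThis logic):
        if ($cmd -match '\\(Application Data|AppData|ProgramData)\\') { $flags += 'app-data path' }
        if ($p.Name -cmatch '^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{8,}$') { $flags += 'random-looking name' }
        if ($k -like '*Policies\Explorer\Run*') { $flags += 'Policies\Explorer\Run' }
        $tag = if ($flags) { 'SUSPECT' } else { 'ok' }
        '{0,-8} {1}\{2} = {3}  {4}' -f $tag, $k, $p.Name, $cmd, ($flags -join ', ')
    }
}

# 3. O21 SSODL entries: each value is a CLSID. Resolve the CLSID to its
#    InProcServer32 DLL and report the "(file missing)" case HijackThis shows.
$ssodl = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
$props = Get-ItemProperty -Path $ssodl -ErrorAction SilentlyContinue
if ($props) {
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }
        $clsid = [string]$p.Value
        $srv = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32" -ErrorAction SilentlyContinue
        $dll = [Environment]::ExpandEnvironmentVariables([string]$srv.'(default)')
        $exists = $dll -and (Test-Path -LiteralPath $dll.Trim('"'))
        $note = if ($exists) { '' } else { '(file missing)' }
        'SSODL {0} -> {1} -> {2} {3}' -f $p.Name, $clsid, $dll, $note
    }
}
```

Re-run this after the Fix Checked / Safe Mode reboot: if the Policies\Explorer\Run value or the DisableTaskMgr policy comes back on its own, something still running is re-creating it, and that process is what still needs to be found rather than the registry value.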
 
I just d-loaded AVG 8.0; I'm going to install it as per your instructions. But one thing, the about:blank homepage thing... That's what I prefer to use as my homepage and I have always had it set as such, since I don't like having to wait for or cancel a loading homepage as soon as I open my Internet Explorer. I didn't know if that would make a difference or not, maybe making it appear like the hijacker was on there? I just keep my homepages set to about:blank. I will go through the rest and report back to you. Thanks very much for your over-the-top help here.
 
That was my mistake- my apology. The entry for malware would have shown up as:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
Clearly yours shows as:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

Telling me that you set the blank page confirms it. Sometimes it's not easy to distinguish. Let me know if you have any problems with the rest. Please excuse my 'over diligence'.
 
Well, finally got done installing AVG 8 and running these programs again. Everything looks OK to me. Here are the logs, let's see what you think. Thanks a lot for all the help.
 
Okay, we have a mystery!
What have you done between running SuperAntispyware in Post #5 on 10/21/08 and the same program on 10/23/08 in Post #9? Did you download anything? Install any new programs or applications, with the exception of AVG v8 from the site I left?

The first SuperAntispyware shows 1 Tracking Cookie and:
Trojan.DNSChanger-Codec
HKU\S-1-5-21-2763906872-4140205457-4100419129-1007\Software\uninstall

The second SuperAntispyware shows multiple Tracking Cookies and:
Malware.Installer-Pkg/Gen
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{6B6A7665-DB48-4762-AB5D-BEEB9E1CD7FA}.EXE
WildTangent

And running HijackThis in Post #5 and same in Post #9?
First HijackThis:
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE>> this is C-Dilla License Management software, used by any program that uses C-Dilla protection, for example 3D Studio Max 4.x. It loads as a service automatically but is not needed unless you run said program. It can be started and stopped manually.

O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe>> this is related to Dell computers. Note: located in \%WINDIR%\System32\. Please verify the location:
Right click on Start> Explore> Windows> system32

Second HijackThis:
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: dlcf_device - - C:\WINDOWS\system32\Malware.Installer-Pkg/Gen
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{6B6A7665-DB48-4762-AB5D-BEEB9E1CD7FA}.EXE

The first MBAM log found and removed multiple malware entries. The second log shows you're clean, but it appears you have picked up Zlob, AdYieldManager and WildTangent, and the MBAM log isn't catching it.

You can have SuperAntispyware remove all of the findings, but then we need to figure out where to go next.
 
Hmm, I did run a Microsoft Windows update to Service Pack 3, but I thought that was after I posted all those logs. Possibly my girlfriend got on here for something between then, though. I remember that the WildTangent stuff is something that came with this computer, I think, when I bought it, but I did not install it, or I took it out a long, long time ago. I believe that C-Dilla runs because of AutoCAD. I'm going to run thorough scans with all programs including AV, then let ya know if something else turns up. Thanks
 
The mystery continues:
I remember that the Wildtangent stuff is something that came with this computer I think when I bought it, but I did not install it, or I took it out a long long time ago

Refer to my comments about when WildTangent appeared, and which logs didn't show it! You need to find out what was done if there is another user. We need to curb any outside activity until the system is clean and stable.

By the way, DO NOT use the System Restore feature! We will drop the old restore points when through. They can contain the malware, and because they are protected files, the cleaning programs don't remove it from there.
 
Ran a complete AVG scan, SuperAntispyware, and Malwarebytes. Also HijackThis again. AVG removed 6 tracking cookies. Not sure how the WildTangent thing is coming about; she knows nothing of it. I know I haven't done anything with it either. I don't see it in Add/Remove Programs, nor in any of the program list in the Start menu. Here are the logs. Again, thanks a bunch for the help
 
Okay, the logs look good to me. You might want to remove this- it's left over from a time when you ran the Trend Micro HouseCall scan- it sticks on the system unless you beat it over the head and send it packing!
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

Have SuperAntispyware remove the Cookies. You might want to raise the Cookies control as follows:
Internet Options (through Tools in IE or Control Panel)> Privacy tab> Advanced button> CHECK 'Override automatic cookie handling'> CHECK 'Allow first-party Cookies'> CHECK 'Block third-party Cookies'> CHECK 'Always allow session cookies'> Apply> OK.

Be sure to UNCHECK the System Restore turn off and set a new, clean restore point.

It's a mystery where WildTangent came from and, even more, where it went! Weird. If you're running well and don't have the problems, I'll turn you loose. You did a good job. It was my pleasure to help you.

Let us know if you need more help.
 
Sounds good, thank you very much for your help. Just for my info, what is the difference between 1st-party and 3rd-party cookies? Is 1st party the page you are trying to directly open, and 3rd the ones that bombard you while trying to load? Just trying to understand what I'm changing and how things will be affected before I do it. Thanks again
 
First-party Cookies are for the site itself. Third-party are for ads, partners and all the other junk!

Example: If you're on this site, a Cookie for techspot.com is first party. A Cookie from waytoomany.com/ads/ would be third party. These include such as doubleclick.com, tribalfusion.com, etc.
(Example only)

You can watch as they are loading in the lower left corner of the screen, right above Start. You may see them go by, but if they are blocked, they won't get on your system.
 
OK, I got it now... I set the cookies as such. Thanks a lot, that should cure some of that. I think that clears everything up for now. Thanks for all the help.. Tim
 
Okay, let's remove the cleaning programs:
*OTCleanIt! by OldTimer*
* Download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe)
* Click the CleanUp! button.
* It will go through the list and remove all of the tools it finds and then delete itself (requiring a reboot).

Clear your existing System Restore points and establish a new clean restore point:
Go to Start > All Programs > Accessories > System Tools > System Restore> Select Create a restore point> OK.
Next, go to Start > Run and type in cleanmgr> Select the More options tab> Choose the option to clean up System Restore and OK it.
This will remove all restore points except the new one you just created.

That should finish you up. You did a good job. It was a pleasure working with you. Let us know if you need more help.