TechSpot

My hijack this log

By panthanpress
Jun 18, 2009
  1. Here is my Hijack this log, if someone could tell me what to fix. I suspect the "myway" thing is what's hijacking me, but I wanted to be sure.
     

  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please follow the steps here: Run Malwarebytes first, then Superantispyware, then rescan with HijackThis. Attach logs from all three programs.

    Instructions here: http://www.techspot.com/vb/topic58138.html

    A HijackThis log alone is not sufficient for malware cleaning.
     
  3. panthanpress

    panthanpress TS Rookie Topic Starter

    my three logs

    Here are the three logs. Thanks for any help, Bobbye.
     
  4. Bobbye

    So how come you already knew you had MyWebSearch on the system? Mbam and SAS seemed to have cleaned it out, along with a few other things. That's good.

    I guess you would be a music fan! ♫♪♫ You have a lot of 'stuff' running that's going to slow you down at some point. Processes that are on the Startup menu and start on boot run in the background, whether or not you use them that session:
    Examples:
    Real Player updater
    Java updates
    QuickTime updater
    Napster
    iTunes
    iPod
    Adobe Reader
    Music Match
    All legitimate programs, none needed to start on boot!
    But that's another story!

    I see you are running Teatimer.
    I suggest you disable it because it can interfere with the changes you'll make on your system.
    When everything is done and your log is clean again, you can enable it again.
    If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
    How to disable TeaTimer during HijackThis Cleanup
    Then, download ResetTeaTimer.bat.
    Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

    After all of the fixes are complete it is very important that you enable TeaTimer again.

    Once TeaTimer is disabled, please run this:
    Download SDFix HERE and save it to your Desktop.
    • Double click SDFix.exe and it will extract the files to %systemdrive%
      (Drive that contains the Windows Directory, typically C:\SDFix)

      Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

      Run SDFix
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    • Attach Report.txt back here
    Then rescan with HijackThis and include new log.

    Have you noticed a difference in the system since you ran Mbam and SAS?
     
  5. panthanpress

    My wife is the music fan. I'll get some of those programs off the startup menu. Here are the new logs. By the way, this problem began on Monday and my first thought was to do a system restore. But I found that I didn't have any system restore points available before Monday. Did whatever I picked up somehow erase them? I've restored before to earlier points.
     

  6. panthanpress

    Still hijacked on google searches

    I'm still getting hijacked when I click on google searches.
     
  7. panthanpress

    Did anyone get a chance to look at the two logs I posted in #5? I'm wondering what my next steps are.
     
  8. Bobbye

    Sorry, I didn't get to finish this last night.

    Your ISP is AT&T, is that right?

    Malware can get in the System Restore points, but that would have shown up probably in SAS. I will take you through a troubleshooting for that later.

    Credits to kritius:
    Please disable this service while we're cleaning:
    Start> Run> services.msc> right click on RoxLiveShare> Properties> change Startup type to Disable> Stop the Service.

    Take the following off of Startup:
    Start> Run> msconfig> enter> Selective Startup> Startup tab> UNCHECK processes for both Napster and Roxio> Apply> OK> Reboot> NOTE: Ignore the nag message that comes up and close it after checking 'don't show this message again.' Stay in Selective Startup.
    O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe

    You have a Linksys router:
    C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
    But the Active X Object file is either not loading or missing:
    This is what you have:
    O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45}
    This is what it should be:
    O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} (Personal System Administrator Control) - http://www.linksysfix.com/netcheck/24/install/gtdownls.cab
    (Personal System Administrator Control)

    I suggest you reconfigure the router.

    I note you are using Yahoo DSL, but there are still AOL dial-up files being loaded. They should be removed.

    Please disable TeaTimer as previously requested, then do a full system scan with McAfee (update before the scan) Save the log and attach it to next reply.

    Listing of HP entries usually found on Startup: NONE need to start on boot and can be started manually as needed:
    http://www.sysinfo.org/startuplist.php?letter=H&filter=&count=50&offset=150
    (there are 2 pgs. of entries!)

    HP\Digital Imaging
    Smart Web Printing
    hpswp_printenhancer.dll
    Smart Web Printing\hpswp_BHO.dll
    HP Boot Optimizer\HPBootOp.exe" /run
    HP Software Update\HPWuSchd2.exe
    Taskbar Utility] hpztsb08.exe
    Digital Imaging\bin\hpqSRMon.exe>> Related to HP digital imaging products. Unsure as to what it does.
    Digital Imaging\bin\hpqtra08.exe>> hp digital imaging monitor>> can be started manually

    C:\MSOCache\All Users\90000409-6000-11D3-8CFE-0150048383C9\YS561401.CAB
    [0] Archive type: CAB (Microsoft)
    --> F345_spcplui.dll.>>>>
    harrythompson.com >> ringtones, wallpapers, games, and java apps in your Sprint Nextel or Boost Mobile Iden phone.

    This, like 3D cursors, wallpaper for desktop and backgrounds can be a source for malware. Considering removing it.

    DAEMON Tools Virtual Drive Manager could not be opened for the scan. This is configured to be the very first driver to load when the system starts; it may cause instability. Consider removing.

    I am not seeing the source of the redirect. I was hoping SDFix would be enough.

    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Run Combo-Fix.exe and follow the prompts.
      (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

    Do not click on the ComboFix window, as it may cause it to stall.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Screen shots:
    http://www.geekstogo.com/forum/Otscanit-log-sent-here-other-post-t192642.html

    Rescan with HJT when through and attach new log and Combofix report.
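The msconfig and services.msc steps above are point-and-click. Below is an added PowerShell equivalent, not code from the thread or from any of the tools it mentions, that lists the same autostart locations HijackThis reports as O4 entries (Run/RunOnce keys and the Startup folders), shows the startup type and binary path of a named service, and wraps the "Startup type: Disabled, then Stop" change in a function. The service name RoxLiveShare is taken from the post; every other name in the script is generic and assumed. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the thread: audit autostart entries and a service's
# startup mode on Windows, the script equivalent of msconfig / services.msc.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutostartEntries {
    # Registry Run/RunOnce values (what HijackThis lists as O4 entries)
    foreach ($key in $runKeys) {
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            foreach ($p in $props.PSObject.Properties) {
                # Skip the provider's own PSPath/PSParentPath/... properties
                if ($p.Name -notmatch '^PS') {
                    [pscustomobject]@{ Location = $key; Name = $p.Name; Command = $p.Value }
                }
            }
        }
    }
    # Per-user and all-users Startup folders (the "O4 - Global Startup" entries)
    $folders = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    foreach ($f in $folders) {
        if (Test-Path $f) {
            Get-ChildItem -Path $f -File | ForEach-Object {
                [pscustomobject]@{ Location = $f; Name = $_.Name; Command = $_.FullName }
            }
        }
    }
}

function Show-ServiceStartup {
    param([Parameter(Mandatory)][string]$Name)
    # Win32_Service exposes the binary path, which Get-Service does not show
    Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'" |
        Select-Object Name, DisplayName, State, StartMode, PathName
}

function Disable-ServiceForCleanup {
    param([Parameter(Mandatory)][string]$Name)
    # Same effect as services.msc > Properties > Startup type: Disabled > Stop
    Set-Service -Name $Name -StartupType Disabled
    Stop-Service -Name $Name -Force -ErrorAction SilentlyContinue
    Show-ServiceStartup -Name $Name
}

Get-AutostartEntries | Format-Table -AutoSize
Show-ServiceStartup -Name 'RoxLiveShare'   # service named in the post
# To disable it for the duration of the cleanup, as the post instructs:
# Disable-ServiceForCleanup -Name 'RoxLiveShare'
```

The audit functions are read-only; only Disable-ServiceForCleanup changes anything, and it prints the service's new state so you can confirm StartMode is Disabled before rebooting. Re-enable with Set-Service -StartupType Automatic (or Manual) once the cleanup is done, just as the post says to re-enable TeaTimer.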
     
  9. Bobbye

    moderator- please delete. Duplicate post.
     
  10. panthanpress

     
  11. panthanpress

    I can't figure out how to attach the log of my McAfee scan. But it found and quarantined 19 skynet trojans in my temp directory and it asked me if I wanted to clean windows\system32\SKYNETkyvbxuom.dll. I said yes, but I can't really tell if it did anything. I'm moving on to Combofix now.
     
  12. panthanpress

    new Combofix and Hijack logs

    Combofix wouldn't let me name it Combo-Fix(.exe) so I just named it Combo-Fix. It wanted me to connect to the internet during its run, so I did, even though I had all of my McAfee stuff disabled. Here are the logs.
     
  13. panthanpress

    I can say that I don't seem to be redirected from google searches any more.
     
  14. Bobbye

    Combofix deleted some of those SkyNet entries also. Make sure all the files are gone:
    Right click on Start> Explore> Windows> System32> do a right click on each of the following if found> Delete:
    SKYNETubtaojoy.sys>> in Drivers section, system 32
    egjlm.bak2
    egjlm.tmp
    SKYNETdlbuamrh.dll
    SKYNETixaudbut.dat
    SKYNETkyvbxuom.dll
    c:\windows\system32\SKYNETnlktagrp.dat
    When through, empty the Recycle Bin.

    Update Adobe: to most current version:
    Your Adobe Reader is out of date. Vulnerabilities can be exploited. Click here to download the latest version : http://www.techspot.com/downloads/345-adobe-reader.html
    OR
    Install the FoxIt Reader: this does the same thing as Adobe, but doesn’t have the bloat: http://www.foxitsoftware.com/pdf/rd_intro.php

    You also need to take this entry off of Startup: reader_sl.exe
    First, it doesn't need to start on boot and second, you have it on Global Startup meaning that it starts up no matter which accounts signs on.
    Take off startup: O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\

    The RoxShare is still loading in the Services: It's the 5th Service from the bottom in the HJ log.
    O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
    O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
    O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
    O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
    O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe

    The Linksys 'link' was just a copy of the full entry. I didn't try the site. Sorry. Please check here and see if there is a Firmware update for your router: http://www.dslreports.com/faq/8756

    I'd like to get a clean antivirus scan from you. You can try scanning again with McAfee. To save the scan results to a log file: click the File menu and select Save report to file. Suggest saving to your desktop, named Test log. If you cannot do this, do the following:

    Please run the Eset online scanner and attach the log:
    http://www.eset.com/onlinescan/cac4.php?page=faq

    You might want to follow this:
    It sounds like you have almost gotten it all, but make sure with the AV scan. Attach AV scan and new HJThis log. If clean, I'll have you remove the cleaning tools and old restore points.

    Edit: I see this in the Trusted Zone:
    Trusted Zone: internet
    Trusted Zone: mcafee.com
    Please take BOTH out. You sure don't want the internet in the Trusted Zone and you don't need McAfee there. This zone has lower security and allows entries with less security constraints.
     
  15. panthanpress

    scan and hijackthis

    Here are my latest scan and hijackthis logs.
     
  16. panthanpress

    You also mentioned:
    Edit: I see this in the Trusted Zone:
    Trusted Zone: internet
    Trusted Zone: mcafee.com
    Please take BOTH out. You sure don't want the internet in the Trusted Zone and you don't need McAfee there. This zone has lower security and allows entries with less security constraints.


    How do I take these out of the Trusted Zone?
     
  17. Bobbye

    I'm going to fire my spell checker! It's not doing a very good job. Sorry.

    To change zones:
    Control Panel> Internet Options> Security tab> Trusted Zone> Sites> highlight and delete the sites from there.

    Keep this feature in mind. If you ever get a site you don't want to get again, follow the above through 'Security tab'> then Restricted Zone> Sites> type the Domain here and add. An example would be doubleclick.com or .net. You would type .doubleclick.net, doubleclick.com or *.doubleclick.com.
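The Trusted and Restricted sites lists that the Internet Options dialog edits are stored per user in the registry under Internet Settings\ZoneMap\Domains. The following is an added PowerShell example, not code from the thread, that reads that key back into a table (host, scheme, zone number and zone name), so you can see exactly which domains are in the Trusted zone, and that removes a domain or adds one to the Restricted zone the way the dialog does. The zone numbers are the documented Windows values (1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites); the domain names in the usage lines are the ones from the thread, and the function names are assumed. If a policy has set zones machine-wide, the same layout exists under HKLM instead of HKCU, which this script does not cover.

```powershell
# Added example, not from the thread: inspect and edit the Internet Explorer
# zone map (Trusted / Restricted sites) from PowerShell.

$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$domainsKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Get-IEZoneDomains {
    # Layout: Domains\<domain>[\<host>] with values named after the scheme
    # ('http', 'https' or '*') whose DWORD data is the zone number.
    if (-not (Test-Path $domainsKey)) { return }
    foreach ($domainKey in Get-ChildItem -Path $domainsKey) {
        $keys = @($domainKey) + @(Get-ChildItem -Path $domainKey.PSPath)
        foreach ($k in $keys) {
            $hostName = if ($k.PSPath -eq $domainKey.PSPath) {
                $domainKey.PSChildName
            } else {
                "$($k.PSChildName).$($domainKey.PSChildName)"   # e.g. www.example.com
            }
            foreach ($v in $k.GetValueNames()) {
                $zone = [int]$k.GetValue($v)
                [pscustomobject]@{ Host = $hostName; Scheme = $v; Zone = $zone; ZoneName = $zoneNames[$zone] }
            }
        }
    }
}

function Remove-IEZoneDomain {
    param([Parameter(Mandatory)][string]$Domain)
    # Deleting the domain's subkey takes it out of whatever zone it was in,
    # the same as selecting it under Sites and clicking Remove.
    $path = Join-Path $domainsKey $Domain
    if (Test-Path $path) {
        Remove-Item -Path $path -Recurse -Force
        "removed $Domain from the zone map"
    } else {
        "$Domain is not in the zone map"
    }
}

function Add-IERestrictedDomain {
    param([Parameter(Mandatory)][string]$Domain)
    # Same effect as typing the domain under Restricted sites > Sites > Add:
    # '*' as the value name covers every scheme, 4 is the Restricted zone.
    $path = Join-Path $domainsKey $Domain
    New-Item -Path $path -Force | Out-Null
    New-ItemProperty -Path $path -Name '*' -Value 4 -PropertyType DWord -Force | Out-Null
    "added $Domain to Restricted sites"
}

# Show only what is currently trusted; an empty table is the expected state
# on a machine that has not deliberately trusted anything.
Get-IEZoneDomains | Where-Object { $_.Zone -eq 2 } | Format-Table -AutoSize

# As the posts above instruct (uncomment to apply):
# Remove-IEZoneDomain -Domain 'mcafee.com'
# Add-IERestrictedDomain -Domain 'doubleclick.net'
```

Run the listing first and compare it with the "Trusted Zone:" lines in the HijackThis log; anything in zone 2 that you did not add yourself is worth removing, since Trusted-zone sites get looser ActiveX and scripting settings than the Internet zone.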
     
  18. panthanpress

    So, how do my scans in #15 look?
     
  19. Bobbye

    Eset picked up malware
    Either McAfee missed it or it's new. Either way, all the files have to be found and removed:

    It appears that you downloaded software for marine (fish) screen savers. And it appears it is part of file sharing. Open My Documents (Jeff), locate marinefree.exe and delete. Look on Add/Remove programs and uninstall if there.

    Please run full system scan with McAfee. Save log and attach to next post.

    Please download ComboFix HERE: This will be similar to but more in depth than SDFix.
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. This includes the McAfee firewall. You should also disable TeaTimer, which was requested in Post #4. These running processes can affect the scan and its outcome. It can also give you an error message. Also disable your internet connection.
    • Run Combo-Fix.exe and follow the prompts.
      (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

    Do not click on the ComboFix window, as it may cause it to stall.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    If McAfee or any other Domain is still listed in the Trusted Zone, remove them per my instructions on Post #17.

    Rescan with HijackThis and include new log:
    I need the following attachments on your next reply:
    McAfee scan log
    Combofix report
    HijackThis log
     
  20. panthanpress

    latest logs

    McAfee (which hides logs in a hidden folder, by the way) and combofix and hijackthis logs attached. Combofix said McAfee was running, but McAfee was telling me with big red X's and warnings that it was disabled.
     
  21. Bobbye

    We are spinning wheels here! As long as the file sharing is going on in the background, the infections continue. Eset cleaned up one batch, McAfee finds another- or more. I'm not sure which!

    McAfee is showing the DNS Changer> that is a direct effect of the file sharing and requires the router being reset. But the Roxio Shared programs are loading and running. You're getting hijacked because another user is sharing files and picking up malware!

    So, please uninstall the P2P programs or I will withdraw from this thread. We continue to play the roulette- one program finds the malware and removes it. File sharing brings more malware back. Another program is run and finds it and removes it. File sharing- and on and on!

    Delete the quarantined files in McAfee AV
    Run CCleaner and delete temp files and tmp files.
    Empty the Recycle Bin

    Uninstall Roxio Shared and we'll start all over.
     
Topic Status:
Not open for further replies.
