HJT logfile - can you see anything?

By mercjoe · 16 replies
Apr 21, 2008
  1. Hey guys,

    This is my old Presario which I use for surfing the net. I don't care much about it
    until things start getting annoying. Windows Explorer seems to be doing some weird stuff.
    A folder will open on startup (I think it's "Documents and settings/myuser").
    Also a little process window "updating ....something" appears and goes in less than a second on startup. I think this last one started after a Firefox update failed some time ago.

    Now I also found 2 iexplore.exe processes running at the same time. Gee.

    Below is my HijackThis logfile; I hope someone can help me.

  2. mercjoe

    mercjoe TS Rookie Topic Starter Posts: 20

    Oops, didn't know that. I'll post the logfile when I reach 5 posts =)
  3. mercjoe

    mercjoe TS Rookie Topic Starter Posts: 20

    The logfile:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 01:05, on 21/04/2008
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\Archivos de programa\Internet Explorer\iexplore.exe
    C:\Archivos de programa\Java\j2re1.4.2_06\bin\jusched.exe
    C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
    C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
    C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.superwebsearch.com/ie/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.phonemedia.it/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.phonemedia.it
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.superwebsearch.com/ie/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    R3 - URLSearchHook: (no name) - {00000000-15D9-4736-AB29-131578A45F2B} - (no file)
    R3 - URLSearchHook: Barra Yahoo! con bloqueador de ventanas emergentes - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    F2 - REG:system.ini: Shell=explorer.exe "
    O2 - BHO: (no name) - AutorunsDisabled - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [Skype] "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Archivos de programa\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - Startup: AutorunsDisabled
    O4 - Startup: Hacer.txt
    O4 - Global Startup: AutorunsDisabled
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
    O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.phonemedia.it
    O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
    O20 - Winlogon Notify: AutorunsDisabled - C:\WINNT\
    O23 - Service: Servicio del administrador de discos lógicos (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Archivos de programa\Archivos comunes\SolidWorks Shared\Service\SolidWorksLicensing.exe
    O24 - Desktop Component 0: (no name) - (no file)

    End of file - 3657 bytes
  4. simonjester

    simonjester TS Rookie

    oooh, a Compaq. I'm so sorry =(

    Posted too soon without refreshing; updating after reading your post...

    Looks like a spambot... AdAware and SpyBot are usually good options. I'll let the experts here handle the log.
  5. kritius

    kritius TS Guru Posts: 2,084

    I need you to follow all the steps HERE and then post back with the three requested logs as attachments
    • AVG antispyware
    • ComboFix
    • Hijackthis (step 15)

    Don't forget to make sure that AVG is set to quarantine the results, that HJT is the last step, and to let us know the results of the anti-rootkit scan.
  6. mercjoe

    mercjoe TS Rookie Topic Starter Posts: 20

    All steps

    Ok Kritius, I will do all the steps.
    Is there a freeware AVG version? I've only found a trial one so far.

    Thanks for answering.

  7. kritius

    kritius TS Guru Posts: 2,084

    That's the one you want; after the thirty-day trial period you just get the limited version.
  8. mercjoe

    mercjoe TS Rookie Topic Starter Posts: 20

    Finally the Logs

    Hey guys,

    So here are my Combofix, AVG AntiSpyware and HJT log files.

    PAVARK reported no rootkits found =)

    When I first ran AVG it didn't generate any report; on the second scan it did, but of course nothing was detected then. Anyhow, the following entries are listed in quarantine from the first scan:

    HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{8E718888-423F-11D2-876E-00A0C9082467} (&Rradio) Low

    C:\WINNT\system32\msdxm.ocx (&Rradio) Low

    C:\WINNT\Downloaded Program Files\sdmtb.cab (Adware MyTool) Medium

    HKU\S-1-5-21-2052111302-1060284298-842925246-1000\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} (Adware.Generic) Medium

    C:\NewDownloads\Adobe Illustrator CS KeyGen SSG.exe (Trojan.Agent.cj) High
    C:\dev\index.html (Downloader.Psyme.fl) High

    The last one seems odd... that's a file I made myself.

    Can anyone tell how clean my old warrior is now?
    Thanks in advance for your help.

  9. mercjoe

    mercjoe TS Rookie Topic Starter Posts: 20

    Any feedback, guys? Thanks.
  10. kritius

    kritius TS Guru Posts: 2,084

    I'll look through the logs later on; I'm at work now.
  11. mercjoe

    mercjoe TS Rookie Topic Starter Posts: 20

    Thanks Kritius

  12. kritius

    kritius TS Guru Posts: 2,084

    Fix entries using HiJackThis
    • Launch HiJackThis
    • Click the Do a system scan only button
    • Put a check next to the entries listed below
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
    R3 - URLSearchHook: (no name) - {00000000-15D9-4736-AB29-131578A45F2B} - (no file)
    R3 - URLSearchHook: Barra Yahoo! con bloqueador de ventanas emergentes - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - AutorunsDisabled - (no file)
    O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
    O20 - Winlogon Notify: AutorunsDisabled - C:\WINNT\
    O24 - Desktop Component 0: (no name) - (no file)

    • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
    • Click the Fix checked button and close HiJackThis
    • Reboot HijackThis if necessary

    Update your Java Runtime Environment
    • First try going to Start -> Control Panel -> double click Java
    • Select the Update tab at the top
    • Click the Check for Updates button at the bottom
    • If it finds the newer version (Java 6 Update 5), follow the on-screen instructions
    • After it installs the newest version, go back to Control Panel -> Add/remove programs
    • Uninstall any older versions of Java

    If for some reason you couldn't update through the above instructions:
    • Click the following link
      Java Runtime Environment 6 Update 5
    • The 4th option down is the one you want (click Download)
    • Check the box to agree to terms of service
    • Check the box for your operating system and click 'Download selected' at the bottom
    • After the install, go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall any old versions
    • Navigate to C:\programfiles\Java -> delete any subfolders except the jre1.6.0_05 folder

    I don't see an antivirus program installed.

    Today's internet is simply suicide without an up to date antivirus.
    Not much point in you and I cleaning up the system if you refuse to protect yourself.
    However -- if you don't understand or cannot install an antivirus -- please let me know.

    Please download ONE of the following antivirus programs and install it.
    Once installed, Update it, run full system scan with it and allow it to fix up what it wants.
    Reboot if it fixed anything.

    You should get a firewall as well, either,

    I think that the lack of antivirus or firewall, BitTorrent software and the extreme amounts of porn on this computer is where the infection came in.
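An added example, not from this thread or from HijackThis itself: a small Python triage script that parses lines in the HJT log format shown earlier and flags the orphaned entries (ending in "(no file)", "(no CLSID)" or a bare directory) that were singled out for fixing above, plus start/search-page URLs pointing at a host the owner does not expect. The sample log lines are constructed from entries in this thread; the "expected hosts" set is an assumption the owner has to supply.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis v2 log format, built from the kinds of
# entries discussed in this thread (R0/R1 URL settings, R3 hook, O2/O18/O20/O24).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.superwebsearch.com/ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.phonemedia.it/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
R3 - URLSearchHook: (no name) - {00000000-15D9-4736-AB29-131578A45F2B} - (no file)
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O4 - HKCU\..\Run: [Skype] "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O20 - Winlogon Notify: AutorunsDisabled - C:\WINNT\
O24 - Desktop Component 0: (no name) - (no file)
"""
# Every HJT entry line starts with a section code (R1, O4, ...) then " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")

def classify(section, body):
    """Triage one entry: 'orphan' = registry points at nothing (the kind of
    entry the thread says to fix), 'empty' = setting with no value, 'url' =
    browser start/search setting (host returned), 'keep' = needs a human look."""
    if body.endswith(("(no file)", "(no CLSID)", "\\")):
        return "orphan", None
    if section in ("R0", "R1"):
        value = body.partition(" = ")[2].strip()
        if not value:
            return "empty", None
        if value.startswith("http"):
            return "url", urlparse(value).hostname
    return "keep", None

def triage(text, expected_hosts=()):
    """Parse an HJT log; a URL entry whose host is not expected is 'url-unexpected'."""
    report = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:                      # skip header, process list, blanks
            continue
        section, body = m.group("section"), m.group("body")
        verdict, host = classify(section, body)
        if verdict == "url" and host not in expected_hosts:
            verdict = "url-unexpected"
        report.append((section, verdict, host, body))
    return report

if __name__ == "__main__":
    for section, verdict, host, _ in triage(SAMPLE_LOG, {"www.phonemedia.it"}):
        print(f"{section:<4}{verdict:<15}{host or ''}")
```

Feed it a full log file instead of SAMPLE_LOG and it lists the entries worth checking first; "keep" entries (legitimate services, Run keys) still need a manual look.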
  13. mercjoe

    mercjoe TS Rookie Topic Starter Posts: 20

    Thanks so much Kritius.
    About getting an antivirus and firewall I have my doubts; I'll open a new thread to discuss it if none is already there.
  14. kritius

    kritius TS Guru Posts: 2,084

    What doubts do you have? You at least need an antivirus, that goes without question.

    Post a fresh log and I'll see how it's looking.
  15. mercjoe

    mercjoe TS Rookie Topic Starter Posts: 20

  16. kritius

    kritius TS Guru Posts: 2,084

    Boot into safe mode,

    open HijackThis and fix these two,

    O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
    O24 - Desktop Component 0: (no name) - (no file)
  17. mercjoe

    mercjoe TS Rookie Topic Starter Posts: 20

    I will do K.
