HJT log, looking for analyst....

FaR

New Member
thanks for looking..... I should apologize in advance, because I'm a novice when it comes to maintaining my Dell PC, but I'm willing to learn quickly if someone will get me started in the right direction.

Right now I can't open Malwarebytes', when I click nothing happens. I'm also having problems opening any other malware scanning programs, I can download but can't run the .exe.

I did manage to run HJT and here is the log,


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:22:57 AM, on 7/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AirPort\APAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Fred Ronfeldt\Local Settings\Application Data\Autobahn\mlb-nexdef-autobahn.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\DOCUME~1\FREDRO~1\LOCALS~1\Temp\Temporary Directory 1 for HiJackThis.zip\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\drwtsn32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/apps/vso/en-us...=force&dtag=f0srf41&langid=1&systempopup=true
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: HP Smart Web Printing 1.0 - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
O3 - Toolbar: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AirPort Base Station Agent] "C:\Program Files\AirPort\APAgent.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware2\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: MLB.TV NexDef Plug-in.lnk = C:\Documents and Settings\Fred Ronfeldt\Local Settings\Application Data\Autobahn\mlb-nexdef-autobahn.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: jkhfc - C:\WINDOWS\system32\jkhfc.dll (file missing)
O20 - Winlogon Notify: pmkhh - C:\WINDOWS\system32\pmkhh.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Update Service (gupdate1c9ae5114332550) (gupdate1c9ae5114332550) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 8213 bytes

Thanks in advance!
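As an added illustration (not part of the original post), here is a small triage script that applies to the HijackThis log above the same checks an analyst would do by eye: Winlogon Notify (O20) entries pointing at missing DLLs, machine-wide Trusted Zone (O15) additions, DPF (O16) entries with no source URL, and services with no publisher. The sample lines are copied from the log; the severity labels and rules are this example's own choices.

```python
import re

# Constructed sample: a handful of lines from the HJT log above, not the whole log.
SAMPLE_HJT = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O15 - Trusted Zone: http://*.mcafee.com
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: jkhfc - C:\WINDOWS\system32\jkhfc.dll (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
"""

# Every HJT item starts with a section code (R0, O2, O23, ...) followed by " - ".
LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")


def triage_line(line):
    """Return [(severity, reason), ...] for one HJT line; [] when nothing stands out."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    code, body = m.group("code"), m.group("body")
    findings = []
    if code == "O20" and "(file missing)" in body:
        # Winlogon Notify DLLs load inside winlogon.exe; an orphaned entry is a
        # classic leftover of malware that was partly removed or renamed.
        findings.append(("high", "Winlogon Notify entry points at a missing DLL"))
    if code == "O15" and "(HKLM)" in body:
        # A machine-wide Trusted Zone entry relaxes IE security for that domain;
        # legitimate software rarely adds one.
        domain = body.split(":", 1)[1].split()[0]
        findings.append(("medium", "machine-wide Trusted Zone entry added for " + domain))
    if code == "O16" and body.rstrip().endswith("-"):
        findings.append(("medium", "ActiveX download (DPF) entry with no source URL"))
    if code == "O23" and "Unknown owner" in body:
        findings.append(("low", "service has no publisher information"))
    return findings


def triage_log(text):
    """Triage a whole HJT log; returns {line: findings} for flagged lines only."""
    return {ln.strip(): f for ln in text.splitlines() if (f := triage_line(ln))}


if __name__ == "__main__":
    for line, findings in triage_log(SAMPLE_HJT).items():
        for severity, reason in findings:
            print(f"[{severity}] {reason}\n    {line}")
```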
 
You can try running combofix but since other programs won't run, I doubt it will run either. If you are familiar with taking your hard drive out and putting it in another system, then take yours out and put it in another system and do a virus scan on it using AVG free edition. It should find the offending files and delete them. Then put the drive back in your system and continue with the scans of malwarebytes and combofix. I've had great luck with this procedure in the past quite a few times.

Get combofix here.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post both logs back here of combofix and malwarebytes.
 

I DL'd combofix but can't install, when I click Run nothing happens and I already have malwarebytes installed, been using for a while now, but when I click the program won't open.
Any other way to get these programs running?

Thanks.
:confused:
 
It's because you have an infection which is causing any malware program not to run. Can you scan the drive with AVG or does that not open as well? Your only option might be to put it in a different system and scan the drive with a virus program.
 

AVG is still runnable, but scans are finding nothing. I've run the update and re-scanned and still nothing. I have no idea what I've picked up, any other suggestions? Are you suggesting I try running some software from something like a USB stick drive?
 
No, I mean actually taking the hard drive out of your system and putting it in another system and scanning your drive that way. That way an antivirus program or even Malwarebytes should be able to run on that drive.
 

Unfortunately I only have the one system.

I think I might have a web browser hijacker named Alureon VW. Anyone familiar with removing this type of problem, with only the one system? Again, unfortunately, I'm not able to run most anti-malware programs; somehow I'm being blocked.
 
That's the whole reason why you need to take it out and put it in someone else's system and run a scan on it. There is an active process that is stopping you from running anything. You can try booting to safe mode to see if you can run Malwarebytes Anti-Malware, but I doubt even safe mode will work with this infection.
 
I think I just got lucky. After noticing something not usually found using CCleaner > Tools > Startup, HKLM: KenelFaultCheck, I did a little research on this and decided the general consensus was that it's not necessary at startup. I used HJT > Fix on it, restarted my POS Dell and voilà, Malwarebytes' opens. I do an update, run a quick scan, find a bunch of trojans........... I probably just got lucky....... but I'll take it. :o

Any suggestion on preventing future infections? I do daily scans with AVG and will do dailies with Malwarebytes' from now on. Anything else I should be doing?


AVG results:

Malwarebytes' Anti-Malware 1.38
Database version: 2411
Windows 5.1.2600 Service Pack 3

7/11/2009 9:33:56 PM
mbam-log-2009-07-11 (21-33-51).txt

Scan type: Quick Scan
Objects scanned: 120894
Time elapsed: 3 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net (Trojan.Agent) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\SYSTEM32\UACakmsinivmtywbbwyj.dll (Trojan.TDSS) -> No action taken.
c:\WINDOWS\SYSTEM32\UACdtkkgmyrhipwajayo.dll (Trojan.TDSS) -> No action taken.
c:\WINDOWS\SYSTEM32\UACfuotmpqqaimovnriv.dll (Trojan.TDSS) -> No action taken.
c:\WINDOWS\SYSTEM32\UACkjobfjxgbqdcriuwm.dll (Trojan.TDSS) -> No action taken.
c:\WINDOWS\SYSTEM32\UACvjvxhhapfgoavrayy.dll (Trojan.TDSS) -> No action taken.
c:\WINDOWS\SYSTEM32\UACyraetadqdisnregwv.dll (Trojan.TDSS) -> No action taken.
c:\WINDOWS\SYSTEM32\UACyxetidqoepxmymbav.dll (Trojan.TDSS) -> No action taken.
c:\WINDOWS\SYSTEM32\DRIVERS\UACqbwucfqhrhqhmqfvk.sys (Trojan.TDSS) -> No action taken.
c:\documents and settings\alex ronfeldt\local settings\Temp\db.exe (Trojan.Agent) -> No action taken.
c:\documents and settings\alex ronfeldt\local settings\Temp\rasvsnet.tmp (Trojan.FakeAlert) -> No action taken.
c:\documents and settings\alex ronfeldt\local settings\Temp\tmpAA.tmp (Trojan.Piverb) -> No action taken.
C:\WINDOWS\SYSTEM32\uacinit.dll (Trojan.Agent) -> No action taken.
 

Common sense can prevent most infections: don't go on sites you wouldn't normally go on, use a more secure browser such as Firefox, and install add-ons like WOT (Web Of Trust) and Adblock Plus. With WOT, upon entering a website an icon next to your address bar indicates the trustworthiness of the site, with green being good and red being bad. Adblock Plus stops most pop-up ads, with the added function of blocking other ads.

Also, it appears as though nothing is listed under the AVG results you tried to post. With Malwarebytes' I would like you to run another scan and, upon completion, make sure all of the detected objects are selected and click 'Remove Selected', then of course proceed with posting the log.
 