Hijackthis log: I have a redirecting virus that won't allow virus scanne


This topic is locked

#1 unknownscn (Member, 18 posts)
Here is a copy of the Hijackthis log file. I think it might be a redirect virus of some sort because when I try to surf and click on a link off of anyone's search engine it takes me to random places; also my PC-cillin does not work and will not update, which started the same time the redirect issue started. Please let me know if anything below looks suspicious.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:40:28 AM, on 4/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
E:\WINDOWS\system32\HPZipm12.exe
E:\WINDOWS\system32\svchost.exe
E:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
E:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
E:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe
E:\Program Files\Java\jre6\bin\jusched.exe
E:\Program Files\Sharp\Sharpdesk\SharpTray.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
E:\PROGRA~1\MUSICM~1\MUSICM~2\mm_tray.exe
E:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
E:\Program Files\Sharp\Sharpdesk\IndexTray.exe
E:\Program Files\Sharp\Sharpdesk\Indexer.exe
E:\Program Files\HP\HP UT\bin\hppusg.exe
E:\Program Files\HP\HP Software Update\HPWuSchd2.exe
E:\Program Files\BroadJump\Client Foundation\CFD.exe
E:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
E:\Program Files\SHARP\Button Manager G\btnman.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
E:\Program Files\Logitech\SetPoint\SetPoint.exe
E:\Program Files\WinZip\WZQKPICK.EXE
E:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
E:\WINDOWS\system32\ctfmon.exe
S:\SGILL\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [TypeRegChecker] "E:\Program Files\Sharp\Sharpdesk\TypeRegChecker.exe"
O4 - HKLM\..\Run: [ToolBoxFX] "E:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SharpTray] "E:\Program Files\Sharp\Sharpdesk\SharpTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "E:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MMTray] E:\PROGRA~1\MUSICM~1\MUSICM~2\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] "E:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [IndexTray] "E:\Program Files\Sharp\Sharpdesk\IndexTray.exe"
O4 - HKLM\..\Run: [Indexer] "E:\Program Files\Sharp\Sharpdesk\Indexer.exe"
O4 - HKLM\..\Run: [HPUsageTracking] E:\Program Files\HP\HP UT\bin\hppusg.exe "E:\Program Files\HP\HP UT\"
O4 - HKLM\..\Run: [HP Software Update] "E:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [BJCFD] E:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "E:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Button Manager G.lnk = E:\Program Files\SHARP\Button Manager G\btnman.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = E:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = E:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: WinZip Quick Pick.lnk = E:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.h...ctDetection.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup132.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SDI.local
O17 - HKLM\Software\..\Telephony: DomainName = SDI.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{76EE5619-A292-4BCA-B7CF-2D2A7CBA09AE}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SDI.local
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - E:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - E:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - E:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - E:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - E:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - E:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 7920 bytes
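As an added example (not code from this forum and not Trend Micro's HijackThis itself), here is a small Python parser for the HijackThis log format posted above. It splits the log into its coded entries, works out which file each registry O4 autorun actually starts (quoted paths, unquoted paths with spaces, and RUNDLL32 lines resolved to the DLL they load), flags autoruns that start from user-writable directories such as Temp, lists any O17 NameServer that is not on a private RFC 1918 network (a name server outside the local network is one of the first things a helper checks when search results are being redirected), and lists O23 services whose publisher HijackThis reported as "Unknown owner". The embedded sample is a constructed subset of the log above; the `[updater]` autorun line, the 198.51.100.53 name server and the "Example Helper" service are invented to exercise the checks and do not appear in the poster's log.

```python
import re
import ipaddress

# Constructed subset of the HijackThis log posted above. The "[updater]" O4 line,
# the 198.51.100.53 name server and the "Unknown owner" service are invented
# here to exercise the checks; they are not from the poster's log.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updater] E:\Documents and Settings\user\Local Settings\Temp\updater.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{76EE5619-A292-4BCA-B7CF-2D2A7CBA09AE}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 198.51.100.53
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - E:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Example Helper (exhelper) - Unknown owner - E:\WINDOWS\system32\exhelper.exe
"""

LINE_RE = re.compile(r"^(?P<code>[RFON]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# A quoted path, or the first token that ends in an executable extension.
PATH_RE = re.compile(r'^"([^"]+)"|^(\S.*?\.(?:exe|dll|cpl|scr|bat|com))(?=\s|$|,)', re.I)
O17_RE = re.compile(r"NameServer = (?P<servers>[\d.,\s]+)$")
O23_RE = re.compile(r"^Service: (?P<desc>.+?) - (?P<company>.+?) - (?P<path>.+)$")

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Directories an ordinary user can write to; legitimate autoruns rarely live here.
USER_WRITABLE = ("\\local settings\\temp\\", "\\temp\\", "\\application data\\",
                 "\\temporary internet files\\")


def parse_hjt(text):
    """Split a HijackThis log into its coded entries (R0, O2, O4, ...)."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({"code": m.group("code"), "body": m.group("body")})
    return entries


def launched_file(cmd):
    """File that a Run command starts: the quoted path, or the first token with an
    executable extension. RUNDLL32 entries resolve to the DLL they load, since
    that DLL is the code that actually executes."""
    cmd = cmd.strip()
    m = PATH_RE.match(cmd)
    if not m:
        return None
    path = m.group(1) or m.group(2)
    rest = cmd[m.end():].strip()
    if path.lower().endswith("rundll32.exe") and rest:
        dll = PATH_RE.match(rest)
        if dll:
            return dll.group(1) or dll.group(2)
    return path


def in_user_writable_dir(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def flag_autoruns(entries):
    """(name, file) for registry O4 autoruns that start from a user-writable directory."""
    flagged = []
    for e in entries:
        if e["code"] != "O4":
            continue
        m = O4_RE.match(e["body"])
        if not m:
            continue  # Global Startup shortcut lines are not handled here
        target = launched_file(m.group("cmd"))
        if target and in_user_writable_dir(target):
            flagged.append((m.group("name"), target))
    return flagged


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def external_nameservers(entries):
    """O17 NameServer addresses that are not on a private (RFC 1918) network."""
    found = []
    for e in entries:
        if e["code"] != "O17":
            continue
        m = O17_RE.search(e["body"])
        if not m:
            continue
        for ip in m.group("servers").split(","):
            ip = ip.strip()
            if ip and not is_rfc1918(ip):
                found.append(ip)
    return found


def unattributed_services(entries):
    """(description, path) for O23 services whose publisher HijackThis could not identify."""
    out = []
    for e in entries:
        if e["code"] != "O23":
            continue
        m = O23_RE.match(e["body"])
        if m and m.group("company") == "Unknown owner":
            out.append((m.group("desc"), m.group("path")))
    return out


if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_LOG)
    print("autoruns from user-writable dirs:", flag_autoruns(entries))
    print("non-private name servers:", external_nameservers(entries))
    print("services with unknown publisher:", unattributed_services(entries))
```

Run against the full log above, the O4 and O17 checks come back empty (every autorun lives under Program Files or WINDOWS, and the only NameServer is 192.168.0.1), which is consistent with the helper moving on to tools that look for hidden files rather than acting on the HijackThis log alone.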


#2 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Hi there, I will need a deeper look first to determine which tool will be best.

We will now do a deep search of your processes and files

Download avz4.zip from here
  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the right of the Log window
  • Click Start to begin the update
Note: If you receive an error message, choose a different source, then click Start again


  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts " and mark the "Healing/Quarantine and Advanced System Investigation" check box.
  • Click on the “Execute selected scripts”.
  • Automatic scanning, healing and system check will be executed.
  • A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
  • It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
  • All applications will work properly after the system restart.

When restarted

  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts " and mark the “Advanced System Investigation" check box.
  • Click on the "Execute selected scripts".
  • A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Attach both zip files to your next post

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post


#3 unknownscn (Topic Starter, Member, 18 posts)
I tried to run this program exactly as your directions stated; both times I got blue-screened. This rarely happens to this computer. Is there anything else I can do?

#4 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
OK, let's go another route.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3


Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with an OTListit log so we can continue cleaning the system.


#5 unknownscn (Topic Starter, Member, 18 posts)
I downloaded it with the adjusted name and ran this program; after the initial status bar that displays on the screen, the bar goes away but the program does not start. I tried rebooting and several other tricks, but it seems like it doesn't work on this system. I tried the same program on a good computer and it worked fine. By the way, thanks for all your help so far if I have not mentioned it.

#6 unknownscn (Topic Starter, Member, 18 posts)
Any other programs I can try?

#7 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
OK, let's try this one next; it should run, as it is just a scanner.

To ensure that I get all the information, this log will need to be attached (instructions at the end). If it is too large to attach, then upload to Mediafire and post the sharing link.

Download OTScanit2 to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanit folder and double-click on OTScanit.exe to start the program.
  • Check the box that says Scan All Users
  • Check the Radio button for Rootkit check YES
  • Under Additional Scans check the following:
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EventViewer Errors/Warnings (last 10)
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post


#8 unknownscn (Topic Starter, Member, 18 posts)
Looks like this one worked, thanks for the great advice

Attached Files



#9 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
It is hiding as I can see the AVZ driver but there was no gmer scan.

Run this fix and then boot into safe mode and try AVZ again using the same parameters as the previous post

Start OTScanit. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Files/Folders - Created Within 30 Days]
NY -> AuHCcup1.ini -> %SystemRoot%\AuHCcup1.ini
NY -> AuHCcup1.dll -> %SystemRoot%\AuHCcup1.dll
[Files/Folders - Modified Within 30 Days]
NY -> tmvsthfud.bin -> %SystemRoot%\System32\drivers\etc\tmvsthfud.bin
NY -> tmvsthfss.bin -> %SystemRoot%\System32\drivers\etc\tmvsthfss.bin
NY -> m2dsulyv.dll -> %UserProfile%\Local Settings\Temp\m2dsulyv.dll
NY -> hd2ymkg8.dll -> %UserProfile%\Local Settings\Temp\hd2ymkg8.dll
NY -> hd2ymkg8.cmdline -> %UserProfile%\Local Settings\Temp\hd2ymkg8.cmdline
NY -> m2dsulyv.cmdline -> %UserProfile%\Local Settings\Temp\m2dsulyv.cmdline
[Empty Temp Folders]
[Start Explorer]
[Reboot]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTScanit log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

#10 unknownscn (Topic Starter, Member, 18 posts)
Here is the log after the fix.

Attached Files



#11 unknownscn (Topic Starter, Member, 18 posts)
And the OT scanit log after the fix

Attached Files



#12 unknownscn (Topic Starter, Member, 18 posts)
Also after running AVZ4 in the infected file I found this in a configuration settings file, not sure if this helps, see below.


[InfectedFile]
Src=E:\Documents and Settings\msilverman\Local Settings\Temporary Internet Files\Content.IE5\IDK5H3YB\setup_243_3777_[1].exe
Infected=avz00001.dta
Virus=FraudTool.Win32.ProAntiSpyware.d
QDate=4/22/2009 4:15:25 PM
Size=106496
MD5=A53202C197DC3C05EFC882A7B3094099
FileDate=12/19/2008 5:02:08 PM
AVZVer=4.30
MainAVBase=4/22/2009 9:39:37 PM

#13 unknownscn (Topic Starter, Member, 18 posts)
Here are the log file results from the AVZ4 scan.

Attached Files



#14 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
OK, on completion of this one I would then like you to run Combofix again; if it fails in normal mode, then go to safe mode and ignore any warnings when it runs. Are the redirects in FF or IE or both? Could you also update me on your current situation?

Start OTScanit. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Unregister Dlls]
[Files/Folders - Modified Within 30 Days]
NY -> 2 E:\WINDOWS\System32\*.tmp files -> E:\WINDOWS\System32\*.tmp
NY -> 13 E:\WINDOWS\*.tmp files -> E:\WINDOWS\*.tmp
NY -> 1 E:\WINDOWS\Temp\*.tmp files -> E:\WINDOWS\Temp\*.tmp
[Custom Items]
:files
E:\Documents and Settings\msilverman\Local Settings\Temporary Internet Files\Content.IE5\IDK5H3YB\setup_243_3777_[1].exe
:end
[Empty Temp Folders]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTScanit log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
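As an added example (not code from this forum and not OTScanit's own implementation), here is a Python dry-run planner for the OTScanit fix scripts posted in #9 and #14. It parses the `[Section]` headers, the `NY -> name -> path` file lines and the `:files` ... `:end` custom block, expands `%SystemRoot%` and `%UserProfile%` from a supplied mapping, and lists in order what each step would touch without changing anything, singling out wildcard patterns such as `E:\WINDOWS\*.tmp`, which match far more than a single named file and are worth a second look before a fix is run. The embedded script is a constructed composite of lines from both posts; the variable values are assumptions taken from the paths visible in the log (E:\WINDOWS and the msilverman profile), not read from the machine the code runs on.

```python
import re

# Constructed composite of the two OTScanit fix scripts posted in #9 and #14,
# embedded here as sample input.
SAMPLE_FIX = r"""
[Kill Explorer]
[Unregister Dlls]
[Files/Folders - Created Within 30 Days]
NY -> AuHCcup1.ini -> %SystemRoot%\AuHCcup1.ini
NY -> AuHCcup1.dll -> %SystemRoot%\AuHCcup1.dll
[Files/Folders - Modified Within 30 Days]
NY -> tmvsthfud.bin -> %SystemRoot%\System32\drivers\etc\tmvsthfud.bin
NY -> m2dsulyv.dll -> %UserProfile%\Local Settings\Temp\m2dsulyv.dll
NY -> 13 E:\WINDOWS\*.tmp files -> E:\WINDOWS\*.tmp
[Custom Items]
:files
E:\Documents and Settings\msilverman\Local Settings\Temporary Internet Files\Content.IE5\IDK5H3YB\setup_243_3777_[1].exe
:end
[Empty Temp Folders]
[Start Explorer]
[Reboot]
"""

# Assumed values for the script's variables, taken from the paths in the log
# above rather than from this machine's environment, so the dry run is portable.
ENV = {"systemroot": r"E:\WINDOWS",
       "userprofile": r"E:\Documents and Settings\msilverman"}

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
FILE_RE = re.compile(r"^NY -> (?P<label>.+?) -> (?P<path>.+)$")
VAR_RE = re.compile(r"%(\w+)%")


def expand(path, env):
    """Replace %Var% placeholders from env (case-insensitive); unknown ones stay as-is."""
    return VAR_RE.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def plan_fix(script, env):
    """Return the steps a fix script would perform, in order, as
    {"section": name, "paths": [expanded paths]}, without touching the system."""
    steps = []
    in_custom = False
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            steps.append({"section": sec.group("name"), "paths": []})
            in_custom = False
            continue
        if not steps:
            raise ValueError(f"line before any [section]: {line!r}")
        if line.lower() == ":files":
            in_custom = True
            continue
        if line.lower() == ":end":
            in_custom = False
            continue
        if in_custom:
            # Custom Items lists bare paths, one per line
            steps[-1]["paths"].append(expand(line, env))
            continue
        m = FILE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised fix line: {line!r}")
        steps[-1]["paths"].append(expand(m.group("path"), env))
    return steps


def wildcard_paths(steps):
    """Patterns that name more than a single file and so deserve a second look."""
    return [p for s in steps for p in s["paths"] if "*" in p or "?" in p]


def unexpanded(steps):
    """Paths still containing a %Var% the mapping did not know."""
    return [p for s in steps for p in s["paths"] if VAR_RE.search(p)]


if __name__ == "__main__":
    plan = plan_fix(SAMPLE_FIX, ENV)
    for step in plan:
        print(step["section"])
        for p in step["paths"]:
            print("   ", p)
    print("wildcards:", wildcard_paths(plan))
    print("unexpanded:", unexpanded(plan))
```

Unknown `%Var%` names are deliberately left in place rather than guessed, and `unexpanded()` reports them, so a script copied from a post for a different machine cannot silently resolve to the wrong directory.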

#15 unknownscn (Topic Starter, Member, 18 posts)
The redirecting is happening in both FF and IE; also, the problem does not seem to have changed at all. I will run the scan on Tuesday and post the report.