Member Avatar for brain_26

Hey Almighty Tech Gurus,

I need a quick assistance on this hijackthis log. I have ran spy ware software and fixed most of all the problems. I am having issues with not being able to change my background picture because it is grayed out under the display properties. Any feed back would be most appreciative.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:02:04 AM, on 9/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\TEMP\uhv3.tmp
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\SpyNoMore\SNM.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\Temp\.tt18.tmp
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Browser protection - {FB9FFB4B-9680-4256-8178-5ECDB2C19B23} - C:\PROGRA~1\SPYNOM~1\SNMIEG~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DVDTray] C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [lphcnnrj0ejbg] C:\WINDOWS\system32\lphcnnrj0ejbg.exe
O4 - HKLM\..\Run: [inrhcjnrj0ejbg] C:\WINDOWS\Temp\.tt18.tmp.exe /CR=34015803198DE9F11EE8495C41DD2D888A3E388180F5FC3A126131607EB248002D468DC11AEE63D7BDDDAEA16DB8C9F1D6BE4B4657A84445477B691CBB10A81947FC82F5C7BF6FC7910570DB67FD8B70AE9B7E
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKUS\S-1-5-18\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1184561289109
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/41/install/gtdownde.cab
O20 - Winlogon Notify: xocngc - C:\WINDOWS\SYSTEM32\xocngc.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe

--
End of file - 7268 bytes

  • 2 Contributors
  • 3 Replies
  • 116 Views
  • 19 Hours Discussion Span
  • Latest Post Latest Post by crunchie

Recommended Answers

All 3 Replies

Member Avatar for crunchie

Hi and welcome to the Daniweb forums :).

==========

Download
SDFix
and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the
following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the
    Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
  • In Safe Mode, right click the SDFix.zip folder and choose Extract
    All    ,
  • Open the extracted folder and double click RunThis.bat to
    start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the
    registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer that normal to restart as the fixtool
    will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and
    display Finished, then press any key to end the script and load
    your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the
    contents of the results file Report.txt.

    Please post the SDFix log within CODE Tags.

=========

Download Malwarebytes' Anti-Malware (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure to checkmark the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Make sure that you restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

Post new HJT log.

Member Avatar for brain_26

Ok so everything worked. Good vudu :)

Here are both of my logs:

[b]SDFix: Version 1.225 [/b]
Run by Administrator on Sun 09/14/2008 at 07:08 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\Temp\SDFix

[b]Checking Services [/b]:

Rootkit Found :
C:\WINDOWS\system32\drivers\QVA51.sys - Rootkit Pandex/Cutwail - Protect.sys

[b]Name [/b]: 
QVA51

[b]Path [/b]:
System32\Drivers\Qva51.sys 

QVA51 - Deleted



Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Service QVA51 - Deleted

[b]Checking Files [/b]: 

Trojan Files Found:

C:\WINDOWS\system32\XOCNGC.dll - Deleted
C:\WINDOWS\system32\XOCNGC32.dll - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt10.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt11.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt12.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt13.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt14.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt16.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt17.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt19.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt1C.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt1D.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt20.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt33.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt36.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt59.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt15.tmp.vbs - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt16.tmp.vbs - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt33.tmp.vbs - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt7.tmp.vbs - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt8.tmp.vbs - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.tt9.tmp.vbs - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.ttA.tmp.vbs - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.ttB.tmp.vbs - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.ttC.tmp.vbs - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.ttD.tmp.vbs - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\.ttE.tmp.vbs - Deleted
C:\WINDOWS\system32\drivers\QVA51.sys - Deleted





Removing Temp Files

[b]ADS Check [/b]:
 


                                 [b]Final Check [/b]:

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url]http://www.gmer.net[/url]
Rootkit scan 2008-09-14 07:14:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


[b]Remaining Services [/b]:




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Yahoo!\\YOP\\yop.exe"="C:\\Program Files\\Yahoo!\\YOP\\yop.exe:*:Enabled:AT&T Yahoo! Online Protection"
"C:\\Program Files\\Yahoo!\\Antivirus\\cafix.exe"="C:\\Program Files\\Yahoo!\\Antivirus\\cafix.exe:*:Enabled:cafix"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[b]Remaining Files [/b]:


File Backups: - C:\Temp\SDFix\backups\backups.zip

[b]Files with Hidden Attributes [/b]:

Thu 22 Nov 2007     6,219,320 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Sun 15 Jul 2007             0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Tue 17 Jul 2007             8 A..H. --- "C:\Documents and Settings\Administrator\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Tue 17 Jul 2007             8 A..H. --- "C:\Documents and Settings\Administrator\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Tue 17 Jul 2007             8 A..H. --- "C:\Documents and Settings\Administrator\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Tue 17 Jul 2007             8 A..H. --- "C:\Documents and Settings\Administrator\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Mon 13 Aug 2007             8 A..H. --- "C:\Documents and Settings\Administrator\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u5\lock.tmp"
Sun 15 Jul 2007             8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"

[b]Finished![/b]

Malwarebytes' Anti-Malware 1.28
Database version: 1147
Windows 5.1.2600 Service Pack 3

9/14/2008 8:05:32 AM
mbam-log-2008-09-14 (08-05-32).txt

Scan type: Full Scan (C:\|)
Objects scanned: 83813
Time elapsed: 33 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)[/TEX]

Hi and welcome to the Daniweb forums :).

==========

Download
SDFix
and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the
following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the
    Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
  • In Safe Mode, right click the SDFix.zip folder and choose Extract
    All    ,
  • Open the extracted folder and double click RunThis.bat to
    start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the
    registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer that normal to restart as the fixtool
    will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and
    display Finished, then press any key to end the script and load
    your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the
    contents of the results file Report.txt.

    Please post the SDFix log within CODE Tags.

=========

Download Malwarebytes' Anti-Malware (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure to checkmark the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Make sure that you restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

Post new HJT log.

Member Avatar for crunchie

Post new HJT log.

..............

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.