Stone Emissary
tech44
Posts: 11
Registered: 09-26-2011
Accepted Solution

Help with Hijack This log

I am posting for your advice. The only problem with the system is page redirects when browsing. - Thanks

Logfile of HijackThis v1.99.1
Scan saved at 8:43:56 AM, on 1/31/2012
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Running processes:
C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe
C:\WINDOWS\SysWOW64\ctfmon.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.valeriewilsontravel.com/privatelogin/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=userinit,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\wspan\GoRes\IEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (file missing)
O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ...
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International
O15 - Trusted Zone: *.agentware.net
O15 - Trusted Zone: *.cibt.com
O15 - Trusted Zone: *.etraveladisories.com
O15 - Trusted Zone: *.getthere.com
O15 - Trusted Zone: *.onthesnow.com
O15 - Trusted Zone: *.pathlore.net
O15 - Trusted Zone: *.portpromotions.com
O15 - Trusted Zone: *.sabre.com
O15 - Trusted Zone: *.sabreconsolidator.com
O15 - Trusted Zone: *.softvoyage.com
O15 - Trusted Zone: *.theluggageclub.com
O15 - Trusted Zone: *.travelpn.com
O15 - Trusted Zone: *.travisa.com
O15 - Trusted Zone: *.vacationstudio.net
O15 - Trusted Zone: *.vaxvacationaccess.com
O15 - Trusted Zone: *.virtuallythere.com
O15 - Trusted Zone: *.vtitin.com
O15 - Trusted Zone: *.wcities.com
O15 - Trusted Zone: *.wctravel.com
O15 - Trusted Zone: *.wellwishers.com
O15 - Trusted Zone: *.whatsonwhen.com
O15 - Trusted Zone: *.worktopia.com
O15 - Trusted Zone: http://*.worldspan.com
O15 - Trusted Zone: http://*.wspan.com
O16 - DPF: {03DF0933-6E10-4D32-9835-B9A815622831} (WSSystemInfo Class) - https://gopublic.wspan.com/secure/DLLs/WSSystemInformation.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?12182202801...
O16 - DPF: {7B72C3FC-34B5-4504-B4BE-EB38971A0888} (WSFileIO Class 3) - http://go.worldspan.com/Dlls/WSFileIO3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B24A8341-6996-482D-ACB8-DA6970CE3E27}: NameServer = 192.168.20.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: EFS - C:\WINDOWS\SYSTEM32\sclgntfy.dll
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)
Stone Emissary
tech44
Posts: 11
Registered: 09-26-2011

Re: Help with Hijack This log

I have an updated version of Hijack This and had to repost the log as the updated version shows different results.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:55:53 AM, on 1/31/2012
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe
C:\WINDOWS\SysWOW64\ctfmon.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.valeriewilsontravel.com/privatelogin/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=userinit,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\wspan\GoRes\IEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (file missing)
O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ...
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.agentware.net
O15 - Trusted Zone: *.cibt.com
O15 - Trusted Zone: *.etraveladisories.com
O15 - Trusted Zone: *.getthere.com
O15 - Trusted Zone: *.onthesnow.com
O15 - Trusted Zone: *.pathlore.net
O15 - Trusted Zone: *.portpromotions.com
O15 - Trusted Zone: *.sabre.com
O15 - Trusted Zone: *.sabreconsolidator.com
O15 - Trusted Zone: *.softvoyage.com
O15 - Trusted Zone: *.theluggageclub.com
O15 - Trusted Zone: *.travelpn.com
O15 - Trusted Zone: *.travisa.com
O15 - Trusted Zone: *.vacationstudio.net
O15 - Trusted Zone: *.vaxvacationaccess.com
O15 - Trusted Zone: *.virtuallythere.com
O15 - Trusted Zone: *.vtitin.com
O15 - Trusted Zone: *.wcities.com
O15 - Trusted Zone: *.wctravel.com
O15 - Trusted Zone: *.wellwishers.com
O15 - Trusted Zone: *.whatsonwhen.com
O15 - Trusted Zone: *.worktopia.com
O15 - Trusted Zone: http://*.worldspan.com
O15 - Trusted Zone: http://*.wspan.com
O15 - ESC Trusted Zone: http://runonce.msn.com
O16 - DPF: {03DF0933-6E10-4D32-9835-B9A815622831} (WSSystemInfo Class) - https://gopublic.wspan.com/secure/DLLs/WSSystemInformation.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?12182202801...
O16 - DPF: {7B72C3FC-34B5-4504-B4BE-EB38971A0888} (WSFileIO Class 3) - http://go.worldspan.com/Dlls/WSFileIO3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B24A8341-6996-482D-ACB8-DA6970CE3E27}: NameServer = 192.168.20.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\SysWOW64\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\SysWOW64\browseui.dll
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

--
End of file - 6729 bytes

Legendary Emissary
malwarekiller
Posts: 3,944
Registered: 08-08-2011

Re: Help with Hijack This log

Welcome aboard!

Download ComboFix from any of the locations given in this website:

    • IMPORTANT !!! You need to Save ComboFix.exe to your Desktop
    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you are still unsure on how to do this, see here
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • If you already have the Recovery Console preinstalled, it will not ask for the following. If it does prompt, allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click Yes, to continue scanning for malware. Please be patient and don't use the PC whilst it is scanning.

    When finished, it shall produce a log for you. Please copy & paste the contents of this log (also found at C:\ComboFix.txt) in your next reply at your topic.

NEXT

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named)

First we will run a virus scan

Click the cog in the upper right

Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan

Allow AVP to delete all infections found
Once it has finished select report tab (last tab)
Select Detected threats report from the left and press Save button
Save it to your desktop and attach to your next post

—————
Was this post helpful? Say “thanks” by giving me a “Kudo”!
Was your question answered or issue solved? Mark that post as an “Accepted Solution”!
Stone Emissary
beiker
Posts: 10
Registered: 02-01-2012

Re: Help with Hijack This log

Aren't there supposed to be user-friendly translations for this?

Legendary Emissary
malwarekiller
Posts: 3,944
Registered: 08-08-2011

Re: Help with Hijack This log

I have made it as simple as possible...

Legendary Emissary
malwarekiller
Posts: 3,944
Registered: 08-08-2011

Re: Help with Hijack This log

Tick these entries in HijackThis and click fix checked...

O11 - Options group: [INTERNATIONAL] International
O15 - Trusted Zone: *.agentware.net
O15 - Trusted Zone: *.cibt.com
O15 - Trusted Zone: *.etraveladisories.com
O15 - Trusted Zone: *.getthere.com
O15 - Trusted Zone: *.onthesnow.com
O15 - Trusted Zone: *.pathlore.net
O15 - Trusted Zone: *.portpromotions.com
O15 - Trusted Zone: *.sabre.com
O15 - Trusted Zone: *.sabreconsolidator.com
O15 - Trusted Zone: *.softvoyage.com
O15 - Trusted Zone: *.theluggageclub.com
O15 - Trusted Zone: *.travelpn.com
O15 - Trusted Zone: *.travisa.com
O15 - Trusted Zone: *.vacationstudio.net
O15 - Trusted Zone: *.vaxvacationaccess.com
O15 - Trusted Zone: *.virtuallythere.com
O15 - Trusted Zone: *.vtitin.com
O15 - Trusted Zone: *.wcities.com
O15 - Trusted Zone: *.wctravel.com
O15 - Trusted Zone: *.wellwishers.com
O15 - Trusted Zone: *.whatsonwhen.com
O15 - Trusted Zone: *.worktopia.com
O15 - Trusted Zone: http://*.worldspan.com
O15 - Trusted Zone: http://*.wspan.com

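An added example, not part of this thread and not HijackThis code: a small Python triage of the log format posted above, fed with entry lines copied from the logs in this thread. It encodes the reasoning behind the reply (every O15 Trusted Zone entry relaxes IE's security for that site, an O2 BHO with no file is an orphaned registration, an O17 NameServer outside private ranges would point at DNS tampering); the page's own 192.168.20.1 is private and is therefore not flagged.

```python
import ipaddress
import re

# Representative entry lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.valeriewilsontravel.com/privatelogin/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\wspan\GoRes\IEHelper.dll
O15 - Trusted Zone: *.agentware.net
O15 - Trusted Zone: http://*.wspan.com
O16 - DPF: {7B72C3FC-34B5-4504-B4BE-EB38971A0888} (WSFileIO Class 3) - http://go.worldspan.com/Dlls/WSFileIO3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B24A8341-6996-482D-ACB8-DA6970CE3E27}: NameServer = 192.168.20.1
"""

# Every HijackThis entry starts with a section tag (R0, F2, O15, ...) followed by " - ".
LINE_RE = re.compile(r"^(?P<sec>[RFO]\d{1,2}) - (?P<body>.+)$")

def parse_hjt(text):
    """Return (section, body) pairs for entry lines; header and process lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries

def triage(entries):
    """Checks a reviewer applies when the complaint is browser redirects.
    Returns (section, reason) tuples; anything not flagged still needs a manual look."""
    findings = []
    for sec, body in entries:
        if sec in ("R0", "R1"):
            url = body.split("=", 1)[1].strip()
            if not url.startswith("http://go.microsoft.com/"):
                findings.append((sec, "start/search page is not the IE default: " + url))
        elif sec == "O15":
            # Any site in the Trusted Zone runs with relaxed IE security settings.
            findings.append((sec, "site in IE Trusted Zone: " + body.split(":", 1)[1].strip()))
        elif sec == "O2" and ("(no file)" in body or "(file missing)" in body):
            findings.append((sec, "orphaned BHO registration: " + body))
        elif sec == "O16":
            url = body.rsplit(" - ", 1)[-1]
            if url.lower().startswith("http://"):
                findings.append((sec, "ActiveX control fetched over plain HTTP: " + url))
        elif sec == "O17":
            for ns in body.split("NameServer =", 1)[1].split(","):
                if not ipaddress.ip_address(ns.strip()).is_private:
                    findings.append((sec, "DNS server outside private ranges: " + ns.strip()))
    return findings

if __name__ == "__main__":
    for sec, reason in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{sec}] {reason}")
```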
Stone Emissary
tech44
Posts: 11
Registered: 09-26-2011

Re: Help with Hijack This log

The combofix.exe ran for hours and hours and never completed; it just displayed the message that it was running.

Kaspersky found several items. I had K fix and reboot then rescanned with K and found more. Attached are the Kaspersky logs.

Legendary Emissary
malwarekiller
Posts: 3,944
Registered: 08-08-2011

Re: Help with Hijack This log

Please try running combofix in safe mode.

Stone Emissary
tech44
Posts: 11
Registered: 09-26-2011

Re: Help with Hijack This log

Everything reported done in Safe Mode including the ComboFix attempt. - Thanks

Legendary Emissary
malwarekiller
Posts: 3,944
Registered: 08-08-2011

Re: Help with Hijack This log

Download aswMBR.exe (1.8mb) to your desktop.

http://public.avast.com/~gmerek/aswMBR.htm

  • Double click the aswMBR.exe to run it.

  • Click the [Scan] button to start scan.

  • On completion of the scan click [Save log], save it to your desktop and post in your next reply.

