Hijackthis Log File

Question

Does it look good?           Logfile of HijackThis v1.99.1 Scan saved at 12:19:50 AM, on 1/7/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.5730.0011) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe C:\WINDOWS\BCMSMMSG.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe C:\Program Files\BroadJump\Client Foundation\CFD.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Windows Media Player\WMPNSCFG.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32
vsvc32.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\iTunes\iTunes.exe C:\Program Files\BitTornado\btdownloadgui.exe C:\Program Files\Hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hometab.bellsouth.net R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [AdaptecDirectCD] 'C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe' O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [QuickTime Task] 'C:\Program Files\QuickTime\qttask.exe' -atboottime O4 - HKLM\..\Run: [iTunesHelper] 'C:\Program Files\iTunes\iTunesHelper.exe' O4 - HKLM\..\Run: [SunJavaUpdateSched] 'C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe' O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Readereader_sl.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - http://www.eversoft.co.kr/vmpinstaller/installer/components/MTSInstallers/MetaStream3.cab?url=http://samsung.com/Products/TV/LCDTV/web3d/LN_S3296D/page_lns3296d.html O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133833290875 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161549059828 O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc4.webresponse.one.microsoft.com/media/xp/TLIEFlash.CAB O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) - O16 - DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} (Java Plug-in 1.5.0_07) - O16 - DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} (Java Plug-in 1.5.0_08) - O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) - O17 - HKLM\System\CCS\Services\Tcpip\..\{18AD92CA-3E3D-433E-92CF-0DC9424EE043}: NameServer = 85.255.113.133,85.255.112.94 O17 - HKLM\System\CCS\Services\Tcpip\..\{546C8A7C-26D6-4556-8DFE-3F81CC84EC86}: NameServer = 85.255.113.133,85.255.112.94 O17 - HKLM\System\CCS\Services\Tcpip\..\{6FB2D54C-6798-48A0-BB22-5F8FBA4E4073}: NameServer = 85.255.113.133,85.255.112.94 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.133 85.255.112.94 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.133 85.255.112.94 O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing) O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing) O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32
vsvc32.exe O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)

RKinner · Answer

No, you have the Ukrainian DNS hijack (the O17 entries) often associates with a hidden Wareout infection and some older versions of Java which should be removed. Run HJT, scan only and check these then Fix Checked.

O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} (Java Plug-in 1.5.0_07) -
O16 - DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} (Java Plug-in 1.5.0_08) -
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{18AD92CA-3E3D-433E-92CF-0DC9424EE043}: NameServer = 85.255.113.133,85.255.112.94
O17 - HKLM\System\CCS\Services\Tcpip\..\{546C8A7C-26D6-4556-8DFE-3F81CC84EC86}: NameServer = 85.255.113.133,85.255.112.94
O17 - HKLM\System\CCS\Services\Tcpip\..\{6FB2D54C-6798-48A0-BB22-5F8FBA4E4073}: NameServer = 85.255.113.133,85.255.112.94
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.133 85.255.112.94
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.133 85.255.112.94

Then reboot. Make a new scan. Do they come back?

Check for Hidden ADS Streams:
Run Hijackthis, OK the warning, then select "Open the Misc Tools Section", then
select Open ADS Spy. Uncheck the box in front of Quick Scan, then press Scan.
When it finishes any ADS streams it find will be in the window above Scan. If
it finds anything, press the Save Log button and save it somewhere. It will
open the log in Notepad. Edit, Select All to highlight the complete text of the
log then Edit, Copy then move to a reply to this post and Edit, Paste.

Check for High CPU Usage:
When it is running slow: Close all active programs then rightclick on the clock
and select Task Manager then select Processes. Click once or twice on the CPU
column heading until you get the bigger numbers at the top in that column. What
are the top three processes and what % do they each take. What does it say for
CPU usage at the bottom of the window?

Blacklight Rootkit Detector:
Download Blacklight trial from here: http://www.f-secure.com/blacklight/
Hit "I accept." It will take you to the download page. Download blbeta.exe and
save it to the Desktop. Once saved... double click blbeta.exe (you may not be
able to see the .exe) to install the program. Click Accept Agreement and click
Scan This app may trigger a warning from your antivirus. Let the driver load.
Wait for it to finish. If it displays any items...don't do anything with them
yet. Just hit exit (close) It will drop a log on Desktop that starts with
fsbl....big number
Please post contents of log in your next reply.

Ron

Dark Strike · Answer

Hijackthis Ads Spy Scan

C:\Documents and Settings\Kyle Wooten\Favorites\Animal Crossing Community.URL : favicon (1150 bytes)
C:\Documents and Settings\Kyle Wooten\Favorites\Apple.URL : favicon (7782 bytes)
C:\Documents and Settings\Kyle Wooten\Favorites\Bungie Studio's.url : favicon (2238 bytes)
C:\Documents and Settings\Kyle Wooten\Favorites\Crapville.URL : favicon (824 bytes)
C:\Documents and Settings\Kyle Wooten\Favorites\Dark Strike1 Stat's.URL : favicon (2238 bytes)
C:\Documents and Settings\Kyle Wooten\Favorites\Dell Community Forum.URL : favicon (3638 bytes)
C:\Documents and Settings\Kyle Wooten\Favorites\Dell Online Contests.url : favicon (3638 bytes)
C:\Documents and Settings\Kyle Wooten\Favorites\GameRenders.url : favicon (3638 bytes)
C:\Documents and Settings\Kyle Wooten\Favorites\Halo 3, 3 Weeks of it!.url : favicon (1150 bytes)
C:\Documents and Settings\Kyle Wooten\Favorites\Haloplanet.URL : favicon (16958 bytes)
C:\Documents and Settings\Kyle Wooten\Favorites\ImageShack® - Hosting.URL : favicon (1406 bytes)
C:\Documents and Settings\Kyle Wooten\Favorites\Ipod Cases.URL : favicon (894 bytes)
C:\Documents and Settings\Kyle Wooten\Favorites\Ipod Scratch Removal.URL : favicon (894 bytes)
C:\Documents and Settings\Kyle Wooten\Favorites\Ipod Updates.URL : favicon (7782 bytes)
C:\Documents and Settings\Kyle Wooten\Favorites\LimeWire Pro.url : favicon (1406 bytes)
C:\Documents and Settings\Kyle Wooten\Favorites\Microsoft\SamarkandsWorld (Powered by Invision Power Board).url : favicon (1406 bytes)
C:\Documents and Settings\Kyle Wooten\Favorites\MySpace Ehs_Golfer.url : favicon (1406 bytes)
C:\Documents and Settings\Kyle Wooten\Favorites\MySpace.url : favicon (1406 bytes)
C:\Documents and Settings\Kyle Wooten\Favorites\Newegg.url : favicon (1406 bytes)
C:\Documents and Settings\Kyle Wooten\Favorites\Pure Pwnage.url : favicon (3638 bytes)
C:\Documents and Settings\Kyle Wooten\Favorites\Red vs Blue.URL : favicon (894 bytes)
C:\Documents and Settings\Kyle Wooten\Favorites\Shareodie.URL : favicon (1406 bytes)
C:\Documents and Settings\Kyle Wooten\Favorites\VideoPimp.URL : favicon (1406 bytes)
C:\Documents and Settings\Kyle Wooten\Favorites\Windows XP Tweaks.URL : favicon (1150 bytes)
C:\Documents and Settings\Kyle Wooten\Favorites\Xbox 360 Forum's.url : favicon (1150 bytes)
C:\Documents and Settings\Kyle Wooten\Favorites\Xbox 360 Skin.url : favicon (1150 bytes)
C:\Documents and Settings\Kyle Wooten\Favorites\Xbox Website.URL : favicon (894 bytes)
C:\Documents and Settings\Kyle Wooten\Favorites\Yahoo! Music.URL : favicon (318 bytes)
C:\Documents and Settings\Kyle Wooten\Favorites\Yahoo!.url : favicon (6598 bytes)
C:\WINDOWS\system32 : {DA6227CB-326B-4B4D-9A81-04B81F1538DD} (12 bytes)
C:\WINDOWS\system32 : {DA6227CB-326B-4B4D-9A81-04B81F1538DD} (12 bytes)

Rootkit Scan (1 Item Found)

01/07/07 13:47:44 [Info]: BlackLight Engine 1.0.55 initialized
01/07/07 13:47:44 [Info]: OS: 5.1 build 2600 (Service Pack 2)
01/07/07 13:47:44 [Note]: 7019 4
01/07/07 13:47:44 [Note]: 7005 0
01/07/07 13:47:49 [Note]: 7006 0
01/07/07 13:47:49 [Note]: 7011 1736
01/07/07 13:47:49 [Note]: 7026 0
01/07/07 13:47:50 [Note]: 7026 0
01/07/07 13:47:53 [Note]: FSRAW library version 1.7.1021
01/07/07 13:52:37 [Info]: Hidden file: c:\WINDOWS\system32\kddro.exe
01/07/07 13:52:37 [Note]: 7002 32
01/07/07 13:52:37 [Note]: 7003 1
01/07/07 13:52:37 [Note]: 10002 1
01/07/07 13:54:55 [Note]: 7007 0

Message Edited by Dark Strike on 01-07-200712:57 PM

RKinner · Answer

I think Blacklight has an option to rename a bad file tho I can't tell you exactly how to do that. If you can figure it out then tell it to rename or delete this file:

c:\WINDOWS\system32\kddro.exe
Then reboot and run it again.

Otherwise:

Download the killbox:

http://www.bleepingcomputer.com/files/killbox.php

Unzip it to your desktop but don't run it.

Shutdown and Restart and Boot into Safe Mode by tapping the F8 key when you see
the PC maker's logo.
Keep tapping until it tells you it is going to Safe Mode or you see the Safe
Mode menu. Select the top option. Log in as your usual login.

Run killbox. Where it says Full Path of File to Delete you need to type or copy (Highlight
and Ctrl + c)
and Paste (move to the killbox and place the cursor in the box and Ctrl + V):

c:\WINDOWS\system32\kddro.exe

Then check the Delete on Reboot box
then the red button.
It will say: File Will Be Removed On Reboot, Do you want to reboot Now.

Say Yes.

After it reboots verify with Blacklight that the file is no longer running. Make a new HJT log and post it as a reply.

Ron

Dark Strike · Answer

I ran Killbox in safemode and it said 'File kddro.exe could not be deleted.'

RKinner · Answer

You can try Blacklight's Rename. Run the Blacklight scan again and then highlight the file and press Rename and reboot. See if it is still there when you come back up. I found this tutorial on using it:

http://www.bleepingcomputer.com/tutorials/tutorial124.html

If you've already tried it then you can try booting into Safe Mode and this time select Command Prompt then once you get to the black screen type:

cd \windows\system32

attrib -r -a -h -s kddro.exe

del /f kddro.exe

mkdir kddro.exe

(Then Ctrl + Alt + Delete and select Shutdown and reboot into regular mode.)

You can also try the Wareout removal tools as described here:

http://forums.majorgeeks.com/showthread.php?t=95472

IF that doesn't work we can try ice sword. This one is a pain to use since it is not available in zip format but is in rar so we have to download a second program to unpack it. To make matters worse there is no Help file or tutorial on it that I know of. The original program was written in China.

Get the Ice Sword program from:

http://majorgeeks.com/Icesword_d5199.html

IE will probably block the download and tell you it did so in a line at the top. Click on the line and it will let you tell it to download the file. Save it to your desktop.

You won't be able to unzip it yet.

We need to get 7-zip for that.

http://www.7-zip.org/

Click on the Download link just below where it says:
Download 7-Zip 4.42 (2006-05-14) for Windows:

or just click on this link.

http://prdownloads.sourceforge.net/sevenzip/7z442.exe?download

IE will probably block the download and tell you it did so in a line at the top. Click on the line and it will let you tell it to download the file. Save it to your desktop.

Run the 7z442.exe file, Install, then put it on your desktop by Browse then point to the desktop. It should create a folder called 7-zip. Open the folder and run 7ZFM.exe. Then when 7-zip opens, doubleclick on the Computer in the bottom pane. Then doubleclick on C: then on Documents a.(Documents and Settings is the full name but you won't see all of it unless you increase the column width) then on your loginname then on Desktop. You should now see the Icesword1.18.rar Click once on it then on the big minus at the top (Extract) . It will want to know where to put it. Put it on the desktop.

Now close 7-zip, boot into Safe Mode and open the icesword1.18 folder on your desktop. You will find another folder inside. Open it too. Now doubleclick on IceSword.exe. (you may not see the .exe) It should open with a blank pane and a column of icons on the left.

Click on the first icon in the left column of icons and look in the right pane. Look for any lines in red. These are hidden files. Sometimes these are good guys from zone alarm or an antivirus but often they are evildoers. Write down their names and tell me. Repeat for each Icon in the left panel except the last couple which talk about logs. If you find our hidden friend rightclick on it and see if there is an option to delete or stop the process or service.

Click on the left section that says Files and navigate to C:\Windows\System32. See if you can find our friend and rightclick on him and Delete him.

Ron

Message Edited by RKinner on 01-08-200701:47 PM

Virus & Spyware

Was this post helpful?