Anything dodgy here?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by thripston, Jul 23, 2004.

  1. thripston

    thripston Private First Class

    I was advised to install HijackThis and post my log file here. I just got my PC back from repair and was having some hassle with a browser hijack (amongst other things). I deleted a trojan and some spyware so I might have even nipped it in the bud but if there's anything here that looks suspicious I'd appreciate a heads up.

    Not sure what's relevant so it's here in full (sorry!!)

    Thrip

    Edit From Admin Major Attitude:
    Logfile removed as we have looked at it and posted what we think. Again, we removed it only so our forums and search engines do not get clogged with all these filenames, nothing personal of course :)
     
    Last edited by a moderator: Jul 25, 2004
  2. NeoNemesis

    NeoNemesis Moutharrhea

    first of all be sure to read the sticky in the spyware forum regarding the rules for posting HJT logs. Also, be sure to close your unneeded processes before running HijackThis to avoid having a long log which can take up space.
     
  3. thripston

    thripston Private First Class

    My bad.

    Most of what the sticky suggested I'd already done. Going through the list of definitions the only ones I can't be sure about are:

    O2 - BHO: (no name) - {3AA26B29-C612-0CB7-8152-625505AF2F48} - (no file)
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\RunOnce: [IE 3.0 RegSvr schannel.dll] C:\WINDOWS\System32\regsvr32.exe /s C:\WINDOWS\System32\schannel.dll
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

    The other mystery BHO is a leftover from Norton before I uninstalled it. The one above isn't in the huge list on that guy's website.
    T
     
  4. TheLastMessenger

    TheLastMessenger Private E-2

    Did you just patch your system? This looks like a patch file (BOLD)... Shut down your computer--with operating system files showing, start in safe mode and run Adaware, SpyBot, then post a HJT log without all your IE's open, and if you just patched this will be gone.

    If you want to delete something, these can go::but there's a good chance this won't fix whatever is wrong::
    O2 - BHO: (no name) - {3AA26B29-C612-0CB7-8152-625505AF2F48} - (no file)
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

    What are your problems anyway? Sites you're directed to, trojans discovered?
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  6. thripston

    thripston Private First Class

    Still there. Going by that link it serves a purpose so I don't see the sense in stopping it doing its job. In another thread related to something else I was advised to access my dump file so I'm going to need to keep this running.

    T
     
  7. thripston

    thripston Private First Class

    Fresh install of XP so a fair amount of patching done. Not sure how to shut down with operating files showing. Not even sure how to start in safe mode, though I could probably figure that one out.

    Losing the second one has I think as it relates to the trojan I found (Purityscan E).

    I started here:

    http://forums.majorgeeks.com/showthread.php?t=38051

    Initially I put the site in my restricted list but after the steps below it seems to have stopped trying to hijack my browser.

    When I got frustrated with Norton as I couldn't figure out what was trying to get access permissions I uninstalled it and put on AVG, which spotted the Purityscan trojan instantly. Killing that wasn't too tricky. Ad-aware, Spybot and Registry Mechanic hopefully nipped in the bud any other potential problems too.

    Blocking the mediaticket file in Hijack This seemed to sort things out a bit too. The next issue to crop up was blue screens relating to 'pfn_list_corrupt'. However it gets weird and complicated from this point, as if it isn't enough already. In no particular order I installed crap cleaner too and ran that, which sadly killed the dumps relating to the pfn issue. AVG then spotted the trojan in a restore point so I deleted all my restore points. When I rebooted it did a MASSIVE file check and must have truncated hundreds of files. Seemed to work ok for a while and then did a blue screen that apparently related to AVG. Not quite sure what to do now, just a case of waiting to see what crops up next.

    T
     
    Last edited by a moderator: Jul 25, 2004
  8. TheLastMessenger

    TheLastMessenger Private E-2

    O.K. Peeked at your last thread... Did you try this:::
    http://www.purityscan.com/uninstall.html

    Run HJT, delete these:::
    O4 - HKLM\..\Run: [Microsoft Update] wuamgrd.exe
    O4 - HKCU\..\Run: [MSN Update] dllcon.exe
    O4 - HKCU\..\Run: [Microsoft Update Time] wuam.exe

    what is this?????
    O4 - HKCU\..\RunServices: [MSN Messenger] hfhljfc.exe

    Also, what is your BLUE SCREEN ERROR????--write it down when you reboot.

    Then it sounds like you need to go through some basics:::::

    Something to read before going on::::::::::::::::::
    http://forums.majorgeeks.com/announcement.php?f=35

    Do these free online scans and post what it picked up, plus delete those that are found--Be sure and put a check in the box by AUTO CLEAN before you do the scan:::
    http://housecall.trendmicro.com/housecall/start_corp.asp
    http://www.pandasoftware.com/activescan/com/activescan_principal.htm

    Second step is to make sure you have all the spyware programs below downloaded (make sure you download them all to your Program Files folder, NOT Temporary) and UPDATE THEM!!

    Download Microsoft's Critical Updates and Patches:
    http://v4.windowsupdate.microsoft.com/en/default.asp

    Disable System Restore:
    http://www.pchell.com/virus/systemrestore.shtml

    Boot in safe mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406/

    Then do this:
    Showing hidden files; follow step by step:
    http://www.xtra.co.nz/help/0,,4155-1916458,00.html

    Kill with Task Manager then do a Search and Delete this::
    C:\WINNT\system32\wuamgrd.exe

    Try running AdAware in safe mode --- Make sure you've already gotten the latest UPDATES (Open, then press the Check for Updates button) and apply the following settings:
    This is where you get Adaware --- http://www.majorgeeks.com/download506.html
    This is a link on how to run it --- http://www.lavahelp.com/howto/fullscan/index.html --- Or You can use the instructions here:
    Click on Start -- custom scanning options -- Customize.
    Check the following settings:
    Scan within archives
    Scan active processes
    Scan registry
    Deep scan registry
    Scan my IE Favorites for banned URL
    Scan my host-file
    Click on Tweak:
    Select -- Scanning Engine
    Check "Unload recognized processes during scanning"
    Check "Include additional Adaware settings in LogFile"
    Select -- Cleaning Engine
    Check "Automatically try to unregister objects prior to deletion" and "Let windows remove files in use at next reboot"
    Then click "proceed" to save your settings.
    Click on Next then Scan. Everything AdAware finds is safe to delete.

    Run SpyBot Search and Destroy --- Make sure you have already gotten the latest UPDATES (Open, then Search for Updates button)
    This is where you get SpyBot --- http://www.majorgeeks.com/download2471.html

    Run A2--Make sure when you downloaded it you checked for updates:::
    http://www.download.com/3000-2239-10262215.html?part=6251182&subj=dlpage&tag=button

    Empty your Temporary Internet Files and history in Internet Options. And clean out your
    %Userprofile%\Local Settings\Temp
    folder. You can also use Crapcleaner and run this after all else to help you clear out some stuff:
    This is where you get ccleaner --- http://www.majorgeeks.com/download4191.html

    Enable System Restore

    Reboot Normally

    LASTLY -- RUN HJT AND POST LOG --- Don't put HJT in Temporary, put it in Programs
     
  9. thripston

    thripston Private First Class

    Purityscan dealt with, though I think I dealt with that already.

    Those 3 things you advise me to delete are Microsoft-related; aren't they important? Surely they are safe to leave alone anyway.

    I have no idea what hfhljfc.exe is but it relates to a Microsoft item so I assume it's ok.

    The blue screen errors I have are in this thread:
    http://forums.majorgeeks.com/showthread.php?t=38085

    Pretty sure I've done just about everything to tackle Spy/Ad ware.

    System crashed while doing one of the free scans; I'll go back to that later.

    Windows up to date with patches. Only SP1 installed though, no option to install 1a or 2 when I go to MS's upgrade/install pages. ???

    System restore disabled and reenabled. Caused a mass of files to be truncated on start up. Well I assume it did as it happened right after. Maybe this is normal after disabling system restore. ???

    System files now visible. Is it normal that I shouldn't be able to open the system volume information folder?

    Kill what? Isn't this an essential file?

    Tried safe mode and ran the apps you recommend. Found a few things so hopefully that has done the job. !

    T
     
  10. TheLastMessenger

    TheLastMessenger Private E-2

    This is a worm::
    C:\WINNT\system32\wuamgrd.exe
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SDBOT.MU&VSect=T
    You can always WindowsExplorer these items or Search and right click and check properties to see what they are related to.

    Also check out hfhljfc.exe at::::
    http://www.kaspersky.com/remoteviruschk.html

    Also run this online scan also::::
    http://www.windowsecurity.com/trojanscan/
     
  11. thripston

    thripston Private First Class

    should have checked for a reply before I posted this!

    wuamguard is a worm! sdbot.mu to be exact. One of those virus scanners just picked it up. I followed their instructions for deleting registry keys etc and it doesn't appear in Task Manager anymore so I think that's dealt with. Makes you wonder about the other mystery files. I'll retest and run the other scanner tomorrow - after a whole night of this I badly need some sleep.

    T
     
  12. TheLastMessenger

    TheLastMessenger Private E-2

    That's fine... don't forget to do everything in the previous posts over again including online scans, showing Hidden Operating System files, adaware run, a2 run, and make sure you've deleted those items I recommended... then we can go from there.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why do you come here and ask for help and question everything you are being told? None of those three items are from Microsoft. With a little bit of work yourself you could have already figured that out. You cannot assume that just because a line says Microsoft on it that it is okay. You have to either know what is valid or invalid, or you have to do some research to find out if it is valid, or you have to take the advice of the people answering your questions.

    TheLastMessenger has now told you about two of the items. The third item (wuam.exe) is a worm. Read this: http://www.sophos.com/virusinfo/analyses/w32rbotm.html
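The point made in this post, that the name in square brackets on an O4 line is whatever the writer of the registry value chose and says nothing about the file it launches, can be checked mechanically. The following Python script is an added example written for this page; it is not HijackThis code and not something posted in the thread. It parses the O2, O4 and O16 lines quoted in this thread (gathered into a constructed sample, since the full logs were removed) and applies simple triage rules: an O2 BHO marked "(no file)" is orphaned, an O4 command given as a bare filename with no directory must be located on disk before it can be trusted, a vendor-sounding name on such an entry is a reason to look harder rather than to relax, a RunServices entry is worth a second look, and every O16 ActiveX download is listed with the host it comes from. The rules, their wording and the VENDOR_WORDS list are my own assumptions, not a published definition list, and the parser also handles quoted paths with arguments, which the quoted lines do not show.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample: the HijackThis lines quoted in this thread, gathered into one
# place so the triage below can run offline (the thread's full logs were removed).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {3AA26B29-C612-0CB7-8152-625505AF2F48} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKCU\..\Run: [MSN Update] dllcon.exe
O4 - HKCU\..\Run: [Microsoft Update Time] wuam.exe
O4 - HKCU\..\RunServices: [MSN Messenger] hfhljfc.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
"""

# One pattern per HijackThis section handled here (O2 BHOs, O4 autostarts, O16 ActiveX).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<file>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>[^)]*)\) - (?P<url>\S+)$")

# Words that make an autostart *name* look official. The name is free text, so a match
# is a reason to look harder, never a reason to trust the entry (assumption of this example).
VENDOR_WORDS = re.compile(r"microsoft|msn|windows", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    section: str
    reasons: list = field(default_factory=list)

    @property
    def flagged(self) -> bool:
        return bool(self.reasons)


def _executable(cmd: str) -> str:
    """First token of a Run-value command line, with a quoted path kept whole."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    parts = cmd.split()
    return parts[0] if parts else ""


def triage_line(line: str) -> Finding:
    line = line.strip()
    f = Finding(line=line, section=line.split(" ", 1)[0])
    if m := O2_RE.match(line):
        if m["file"] == "(no file)":
            f.reasons.append("orphaned BHO: CLSID is registered but no DLL exists; removing it is harmless")
        return f
    if m := O4_RE.match(line):
        exe = _executable(m["cmd"])
        # A directory separator or an environment variable means the entry names a location.
        has_path = any(c in exe for c in "\\/") or exe.startswith("%")
        if not has_path:
            f.reasons.append(f"bare filename {exe!r}: no directory given, so locate the file on disk "
                             "and check its properties before deciding it is legitimate")
            if VENDOR_WORDS.search(m["name"]):
                f.reasons.append(f"name {m['name']!r} is free text chosen by whoever wrote the value; "
                                 "a vendor name there proves nothing about the file")
        if m["key"].lower() == "runservices":
            f.reasons.append("RunServices is a Windows 9x-era autostart key; malware written for 9x and NT "
                             "alike fills every key it knows, legitimate XP software rarely uses this one")
        return f
    if m := O16_RE.match(line):
        host = urlparse(m["url"]).hostname or "?"
        f.reasons.append(f"ActiveX control {m['name']!r} downloaded from {host}; "
                         "remove unless you deliberately installed it")
        return f
    f.reasons.append("section not handled by this triage; review manually")
    return f


def triage_log(text: str) -> list:
    return [triage_line(l) for l in text.splitlines() if l.strip()]


def summary(text: str) -> dict:
    findings = triage_log(text)
    return {"total": len(findings),
            "flagged": sum(1 for f in findings if f.flagged),
            "clean": [f.line for f in findings if not f.flagged]}


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(("!! " if f.flagged else "ok ") + f.line)
        for r in f.reasons:
            print("      - " + r)
```

Run over the sample, the only line left unflagged is the KernelFaultCheck entry, because it names a full location under %systemroot%; every bare-filename entry with a Microsoft or MSN label is reported, which is exactly the pattern the three worm entries in this thread share.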
     
  14. thripston

    thripston Private First Class

    Every bloody time. I just spent half an hour writing a reply and I get told an invalid thread and then I can't backtrack. Sod it.


    In a nutshell:

    Those virus scans turned up some, the trojan none.
    Some included a sasser file. WTF, I should be patched for that. According to MS Update page I have all updates. Very odd. Something fishy here as I only have SP1 not 1a or 2 and it seems happy with that too.

    Had to use Hijack This to fix these:

    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKCU\..\Run: [MSN Messenger] hfhljfc.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

    Couldn't find anything on hfhljfc.exe at that link. Not showing up with a search either. The other suspect lines I thought might be MS related are gone now though so no need to do anything there.

    The sticky now says don't post log files so I'd better not do a new one.

    Almost done i think. Now to reboot....

    T
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Actually the sticky says do not post a log file unless asked to post one. And when posting one post it as an attachment (i.e., a text file attachment). That way anyone trying to help you can download it and view your log but it will not show up in search engines and mess up search results.

    If you think you have cleaned up everything recommended and have no more problems, it should not be necessary to post another log at this point. If still having problems, it may be necessary.
     
  16. thripston

    thripston Private First Class

    Attached is the latest HJT log as a text file. (Was run in safe mode so should be free of most non-essential stuff, probably not enough for some people but best I can do).

    T
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    So why did you post a log? And even more importantly why a safe mode log? There are no apparent problems in your safe mode log. If you are having problems, indicate what they are. And they will most likely only appear in normal boot mode.
     
  18. thripston

    thripston Private First Class

    Because thelastmessenger said earlier to boot in safe mode and post a log. Once I was satisfied I had done everything else I was advised to do that's exactly what I did. Ok?

    Thanks for letting me know there are no obvious problems, that was exactly what I posted it here to find out.
     
  19. TheLastMessenger

    TheLastMessenger Private E-2

    At the end of my post it says to Reboot Normally and Post log... it is a lot to read through though.

    How is everything running?
     
  20. thripston

    thripston Private First Class

    Yeh I caught up after I'd posted that. I'm not quite sure where I got the idea from to do it that way. Bit of an information overload the last couple of days. Good thing people on these forums are tolerant of the lesser mortals, well most of them. I think I confused the idea to disable running processes with booting in safe mode. ?. Dunno.

    Anyway new HJT coming up, I will try to remove as much crap as possible but I have no doubt it will contain stuff that some people would expect it not to. They'll just have to lump it, I did my best.

    As for the current situation I'm still getting blue screen dumps but as far as I can tell I have purged my new system of all malicious items.

    T
     
  21. thripston

    thripston Private First Class

    That didn't take too long.

    Also considerably shorter than the first time so I think I dealt with the bulk of the unwanted stuff.

    T
     
  22. TheLastMessenger

    TheLastMessenger Private E-2

    Your log looks fine.. are you having any more redirection problems or are they gone?

    I don't think you told us your Blue Screen error# etc. When did this happen, what were you deleting? What does it say in your event viewer?
    http://www.microsoft.com/resources/.../xp/all/proddocs/en-us/snap_event_viewer.mspx

    Have you turned your system restore back on? Did you do all the Microsoft Updates?
     
  23. thripston

    thripston Private First Class

    The browser hijacker hasn't cropped up since last night so I guess I finally nailed that one.

    System restore is back on.
    I don't need to do any Microsoft updates according to Microsoft's update facilities, I have them all I guess.

    You don't want me to post the results of the dump files in full do you? I gave the gist of them here:

    http://forums.majorgeeks.com/showthread.php?t=38085

    Other than the AVG related ones (which I think I have solved with a reinstall of AVG) they seem to relate to NTFS. Could be a hardware problem maybe? I don't think the dumps were directly as a result of deleting anything, I don't know what was causing them exactly.

    I looked at the event log but I don't know what any of it means. I did notice that in the process of putting my machine together the store got a hell of a lot of error messages. !

    T
     
  24. TheLastMessenger

    TheLastMessenger Private E-2

    It looks like Adrynalyne was working on your problem.... stick with that thread and see where it gets you.
     
  25. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Well, we all have good and bad days. We just implemented a new system of posting Hijack This log files as attachments (before your thread of course) and have a huge sticky and repeat over and over for people to read that sticky. When you repeat something 1,000 times, your tone starts to change. Naturally, we're here to help people, but they need to help themselves just a hair, so if any of us were rude, consider this an apology and not to take it personally... The latest Hijacks have been incredibly hard to remove and equally frustrating trying to tell people how :)
     
  26. thripston

    thripston Private First Class

    Guess I caught someone on a bad day then. I didn't really take a lot of notice of them to be honest, you get used to people brandishing handbags at you when you are used to using forums.

    Adrenalyne is assisting with the bluescreen dumps, some advice with the event log would be handy though. The period the store was working on my PC has quite a lot of error messages, should I be concerned about that? I've posted them below (I've edited out repeated entries as much as possible); does anything scream out at anybody as being particularly suspect?


    These were all after I got it home:

    Warning 25/07/2004 19:46:09 Userenv None 1517 SYSTEM NEWPC
    Warning 25/07/2004 19:46:09 Userenv None 1524 j NEWPC
    Error 25/07/2004 19:33:36 VSS None 8193 N/A NEWPC
    Information 25/07/2004 17:49:42 LoadPerf None 1000 N/A NEWPC
    Information 25/07/2004 17:49:42 LoadPerf None 1001 N/A NEWPC
    Information 25/07/2004 17:22:21 Winlogon None 1001 N/A NEWPC
    Error 25/07/2004 16:49:06 EventSystem (50) 4609 N/A NEWPC
    Warning 25/07/2004 05:12:19 Userenv None 1524 Administrator NEWPC
    Information 25/07/2004 03:24:12 MsiInstaller None 11707 N/A NEWPC
    Information 25/07/2004 02:36:40 Winlogon None 1002 N/A NEWPC
    Error 25/07/2004 00:09:10 Application Error (100) 1000 N/A NEWPC
    Information 24/07/2004 20:17:02 Winlogon None 1001 N/A NEWPC
    Error 24/07/2004 03:45:56 Application Error None 1000 N/A NEWPC
    Error 23/07/2004 22:54:29 True Vector Engine None 1 N/A NEWPC
    Error 23/07/2004 19:21:51 Application Error None 1001 N/A HOME-06XC89A9D8
    Error 23/07/2004 19:21:45 Application Hang None 1001 N/A HOME-06XC89A9D8
    Error 23/07/2004 19:21:41 Application Hang (101) 1002 N/A HOME-06XC89A9D8
    Error 23/07/2004 19:21:19 Application Error (100) 1000 N/A HOME-06XC89A9D8
    Error 23/07/2004 18:43:02 Application Error None 1000 N/A HOME-06XC89A9D8

    These were while it was at the store:

    Warning 19/07/2004 14:54:14 WinMgmt None 62 N/A HOME-06XC89A9D8
    Warning 19/07/2004 14:52:33 ASP.NET 1.1.4322.0 Setup 1020 N/A HOME-06XC89A9D8
    Error 19/07/2004 14:52:25 System.EnterpriseServices None 0 N/A HOME-06XC89A9D8
    Error 19/07/2004 14:52:25 COM+ (98) 4691 N/A HOME-06XC89A9D8
    Error 19/07/2004 14:07:15 MSDTC SVC 4440 N/A HOME-06XC89A9D8
    Warning 19/07/2004 14:07:14 MSDTC SVC 4152 N/A HOME-06XC89A9D8
    Error 19/07/2004 11:21:02 ntbackup None 8001 N/A HOME-06XC89A9D8
    Error 19/07/2004 10:26:32 VSS None 8193 N/A HOME-06XC89A9D8
    Information 19/07/2004 10:26:29 Winlogon None 1001 N/A HOME-06XC89A9D8
    Error 19/07/2004 09:50:10 LiveUpdate None 61 j HOME-06XC89A9D8
    Error 17/07/2004 17:28:47 Application Error None 1000 N/A HOME-06XC89A9D8
    Information 17/07/2004 15:11:11 DrWatson None 4097 N/A HOME-06XC89A9D8
    Information 17/07/2004 14:59:37 MsiInstaller None 11724 N/A HOME-06XC89A9D8
    Error 17/07/2004 11:38:17 Windows Product Activation None 1012 N/A HOME-06XC89A9D8
    Error 17/07/2004 09:54:57 MsiInstaller None 11704 N/A HOME-06XC89A9D8
    Error 17/07/2004 09:36:21 EventSystem (50) 4609 N/A HOME-06XC89A9D8

    T
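To make sense of an Event Viewer listing like the one above, it helps to split the columns properly (Type, Date, Time, Source, Category, Event ID, User, Computer), because the Source column is the one place where spaces occur ("Application Error", "True Vector Engine", "ASP.NET 1.1.4322.0"). The Python below is an added example, not from the thread or from any MajorGeeks tool. It takes a constructed subset of the entries posted above as inline sample data, parses each line by anchoring on the fixed-format fields at both ends, counts Error entries per source, breaks the entries down per computer name (the listing spans two names, so the machine was renamed between the store and home), and pulls out the Application Error and Application Hang entries, which record process crashes and hangs, in time order so they can be lined up against the blue screens. Treating those two sources as the crash indicators is my assumption.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: a subset of the Event Viewer entries quoted in this thread,
# one per line, in the column order Event Viewer lists them.
SAMPLE_EVENTS = """\
Warning 25/07/2004 19:46:09 Userenv None 1517 SYSTEM NEWPC
Error 25/07/2004 19:33:36 VSS None 8193 N/A NEWPC
Error 25/07/2004 16:49:06 EventSystem (50) 4609 N/A NEWPC
Error 25/07/2004 00:09:10 Application Error (100) 1000 N/A NEWPC
Error 23/07/2004 22:54:29 True Vector Engine None 1 N/A NEWPC
Error 23/07/2004 19:21:51 Application Error None 1001 N/A HOME-06XC89A9D8
Error 23/07/2004 19:21:45 Application Hang None 1001 N/A HOME-06XC89A9D8
Warning 19/07/2004 14:52:33 ASP.NET 1.1.4322.0 Setup 1020 N/A HOME-06XC89A9D8
Error 19/07/2004 14:07:15 MSDTC SVC 4440 N/A HOME-06XC89A9D8
Error 19/07/2004 09:50:10 LiveUpdate None 61 j HOME-06XC89A9D8
Error 17/07/2004 17:28:47 Application Error None 1000 N/A HOME-06XC89A9D8
Information 17/07/2004 15:11:11 DrWatson None 4097 N/A HOME-06XC89A9D8
"""

# Type, date and time are fixed-format at the left; category, event id, user and
# computer are single tokens at the right; whatever sits in between is the source,
# the only column that may contain spaces, so it is matched lazily.
LINE_RE = re.compile(
    r"^(?P<type>Error|Warning|Information) "
    r"(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<source>.+?) (?P<category>\S+) (?P<event_id>\d+) (?P<user>\S+) (?P<computer>\S+)$"
)

# Sources whose entries record a process crash or hang (assumption for this example).
CRASH_SOURCES = {"Application Error", "Application Hang"}


@dataclass
class Event:
    type: str
    when: datetime
    source: str
    category: str
    event_id: int
    user: str
    computer: str


def parse_event(line: str) -> Event:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised event line: {line!r}")
    # Dates in the listing are day/month/year.
    when = datetime.strptime(f"{m['date']} {m['time']}", "%d/%m/%Y %H:%M:%S")
    return Event(m["type"], when, m["source"], m["category"],
                 int(m["event_id"]), m["user"], m["computer"])


def parse_log(text: str) -> list:
    return [parse_event(l) for l in text.splitlines() if l.strip()]


def errors_by_source(events: list) -> Counter:
    """How many Error entries each source produced; the noisiest sources float to the top."""
    return Counter(e.source for e in events if e.type == "Error")


def crash_events(events: list) -> list:
    """Crash/hang entries in chronological order, to line up against blue screens."""
    return sorted((e for e in events if e.source in CRASH_SOURCES), key=lambda e: e.when)


def per_computer(events: list) -> Counter:
    """Entries per (computer name, type); a renamed machine shows up as two names."""
    return Counter((e.computer, e.type) for e in events)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_EVENTS)
    for src, n in errors_by_source(evs).most_common():
        print(f"{n:3d}  {src}")
    for e in crash_events(evs):
        print(e.when, e.computer, e.source, e.event_id)
```

Counting by source rather than reading top to bottom is what separates one-off setup noise (an MSI install failure, a LiveUpdate error) from a repeating crash source; the chronological crash list is the thing to keep alongside the minidump timestamps from the other thread.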
     
  27. TheLastMessenger

    TheLastMessenger Private E-2

    You should be directing this stuff to your other post... it's not good to have two different people telling you to do various things... I'm sure Adrenalyne will take care of you..
     
