Hijack Log - - Any suggestions

Printable View

June 16th, 2004, 05:04 PM
hurstc

Hijack Log - - Any suggestions

to this ruccuring nightmare . . . . . . no matter how many times i delete this filesdkvc32.dll it keeps returning and changing IE start and search pages, and adds an additional search engine page to all searches and not to mention the popups now. Thanks so very much !

Logfile of HijackThis v1.97.7
Scan saved at 3:56:00 PM, on 06/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\QUICKENW\QAGENT.EXE
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Sony\Giga Pocket\ReserveModule.exe
C:\WINDOWS\System32\mrtMngr.EXE
C:\Program Files\Sony\Giga Pocket\usbsircs.exe
C:\Program Files\Trojan Guarder Gold Version\Trojan Guarder.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Sony\VAIO_MX\SonyMxTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Sony\VAIO_MX\Delegate.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\ieod.exe
C:\Program Files\Sony\VAIO_MX\SND\MxSndLib.exe
C:\Program Files\Sony\VAIO_MX\LCD\MxLcdLib.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\Program Files\Sony\Giga Pocket\gps.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Chase\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ayral.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ayral.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ayral.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ayral.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ayral.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ayral.dll/sp.html#96676
O2 - BHO: (no name) - {A3EAB818-EDEC-7056-647B-0BF69AC43FE5} - C:\WINDOWS\sdkvc32.dll
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Timer Recording Manager.lnk = C:\Program Files\Sony\Giga Pocket\ReserveModule.exe
O4 - Global Startup: Giga Pocket Initialize.lnk = C:\Program Files\Sony\Giga Pocket\initovl.exe
O4 - Global Startup: Giga Pocket Remocon Driver.lnk = C:\Program Files\Sony\Giga Pocket\usbsircs.exe
O4 - Global Startup: Trojan Guarder Gold Version.lnk = C:\Program Files\Trojan Guarder Gold Version\Trojan Guarder.exe
June 16th, 2004, 05:24 PM
P3-450

Hi and Welcome to Vdr:)

First please download, update and run both Adaware and Spybot S&D, both found in my sig.

Then reboot

Now you need to put HijackThis.exe in a permanent folder of it own and not on the desktop. This is so that backups can be made.

Once that is done run a HJT scan and post the log here.
June 16th, 2004, 05:53 PM
hurstc

Here is the new log . . . . I hope this helps . . .Thanks again

Logfile of HijackThis v1.97.7
Scan saved at 4:51:35 PM, on 06/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\QUICKENW\QAGENT.EXE
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Sony\Giga Pocket\ReserveModule.exe
C:\WINDOWS\System32\mrtMngr.EXE
C:\Program Files\Sony\Giga Pocket\usbsircs.exe
C:\Program Files\Trojan Guarder Gold Version\Trojan Guarder.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Sony\VAIO_MX\SonyMxTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\Sony\VAIO_MX\Delegate.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\ieod.exe
C:\Program Files\Sony\VAIO_MX\SND\MxSndLib.exe
C:\Program Files\Sony\VAIO_MX\LCD\MxLcdLib.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\Program Files\Sony\Giga Pocket\gps.exe
C:\Documents and Settings\Chase\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ayral.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ayral.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ayral.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ayral.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ayral.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ayral.dll/sp.html#96676
O2 - BHO: (no name) - {A3EAB818-EDEC-7056-647B-0BF69AC43FE5} - C:\WINDOWS\sdkvc32.dll
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Timer Recording Manager.lnk = C:\Program Files\Sony\Giga Pocket\ReserveModule.exe
O4 - Global Startup: Giga Pocket Initialize.lnk = C:\Program Files\Sony\Giga Pocket\initovl.exe
O4 - Global Startup: Giga Pocket Remocon Driver.lnk = C:\Program Files\Sony\Giga Pocket\usbsircs.exe
O4 - Global Startup: Trojan Guarder Gold Version.lnk = C:\Program Files\Trojan Guarder Gold Version\Trojan Guarder.exe
June 16th, 2004, 06:14 PM
P3-450

You still have HijackThis.exe on your desktop, as i said above you need to create it a permanent folder for HijackThis.

Once youve done that run a scan then tick and fix the below entries (close any open browsers before doing this).

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ayral.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ayral.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ayral.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ayral.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ayral.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ayral.dll/sp.html#96676
O2 - BHO: (no name) - {A3EAB818-EDEC-7056-647B-0BF69AC43FE5} - C:\WINDOWS\sdkvc32.dll

Then reboot and run another HJT scan and post the new one here.
June 16th, 2004, 08:12 PM
hurstc

Placed HJT in a seperate folder, ran & fixed, rebooted, here is the current log. Again I cannot thank you enough for helping me. It looks like JTrianta is having a similar problem.

Logfile of HijackThis v1.97.7
Scan saved at 7:06:48 PM, on 06/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\QUICKENW\QAGENT.EXE
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Sony\Giga Pocket\ReserveModule.exe
C:\WINDOWS\System32\mrtMngr.EXE
C:\Program Files\Sony\Giga Pocket\usbsircs.exe
C:\Program Files\Trojan Guarder Gold Version\Trojan Guarder.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Sony\VAIO_MX\SonyMxTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Sony\VAIO_MX\Delegate.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\ieod.exe
C:\Program Files\Sony\VAIO_MX\SND\MxSndLib.exe
C:\Program Files\Sony\VAIO_MX\LCD\MxLcdLib.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\Documents and Settings\Chase\Desktop\Hi Jack This\HijackThis.exe
C:\Program Files\Sony\Giga Pocket\gps.exe

O2 - BHO: (no name) - {A3EAB818-EDEC-7056-647B-0BF69AC43FE5} - C:\WINDOWS\sdkvc32.dll
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\bin\tgcmd.exe /server
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Timer Recording Manager.lnk = C:\Program Files\Sony\Giga Pocket\ReserveModule.exe
O4 - Global Startup: Giga Pocket Initialize.lnk = C:\Program Files\Sony\Giga Pocket\initovl.exe
O4 - Global Startup: Giga Pocket Remocon Driver.lnk = C:\Program Files\Sony\Giga Pocket\usbsircs.exe
O4 - Global Startup: Trojan Guarder Gold Version.lnk = C:\Program Files\Trojan Guarder Gold Version\Trojan Guarder.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
June 17th, 2004, 01:32 PM
P3-450

Go into task manager and end task on this process:

ieod.exe

Navigate to and delete this

C:\Windows\ieod.exe

Now follow the instuctions here and navigate to and delete this:

C:\WINDOWS\sdkvc32.dll

Whilst in safe mode run hijackthis scan then tick and fix the below:

O2 - BHO: (no name) - {A3EAB818-EDEC-7056-647B-0BF69AC43FE5} - C:\WINDOWS\sdkvc32.dll

Boot up normally and run another HJT scan and post it here.