Exploit.exe and Child.DLL need help analyzing Hijaak This

Reply Sun 27 Jun, 2004 07:27 pm
I have read the FAQ, run Stinger, run the CoolWWWSearch.SmartKiller removal tool, then CWShredder, ran a McAfee virus scan, went into safe mode and ran Spybot S&D first, then Ad-Aware. I emptied the recycle bin, reset web options, cleared out all the temp files and ran a system defrag. I keep coming up with the exploit.exe even though I have deleted it from my registry. The c:\windows\system32\child.dll is coming up in my McAfee program as a virus, although I cannot delete the file nor can I find it in my Windows directory, and I have "show hidden files" on. The computer is acting very slow and has locked up on many occasions. I was hoping maybe this is something HijackThis can fix, but I obviously wanted experts to take a look at the log and tell me what needs to be checked. Thanks so much for your help in advance.

Logfile of HijackThis v1.97.7
Scan saved at 3:05:46 PM, on 6/27/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\explorer.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\WINDOWS\system32\sfpsvr.exe
C:\documents and settings\walt\local settings\temp\F0i5LNgA.exe
C:\documents and settings\walt\local settings\temp\DUTVQEs.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\System32\LfywBC.exe
C:\WINDOWS\System32\TttKDJtq.exe
C:\Documents and Settings\Walt\My Documents\Download\HijackThis.exe

F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System\user32.exe
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System\user32.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [sfpsvr] C:\WINDOWS\system32\sfpsvr.exe
O4 - HKLM\..\Run: [rokjpnjcxih] C:\WINDOWS\System32\xxphqfsw.exe
O4 - HKLM\..\Run: [F0i5LNgA] C:\documents and settings\walt\local settings\temp\F0i5LNgA.exe
O4 - HKLM\..\Run: [DUTVQEs] C:\documents and settings\walt\local settings\temp\DUTVQEs.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [2WW7JDS2B@MB82] C:\WINDOWS\System32\Nzkx1Wc1.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Mentor (HKLM)
O9 - Extra button: AOL Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37682.5669328704
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Craven de Kere
Reply Wed 30 Jun, 2004 09:19 pm
Re: Exploit.exe and Child.DLL need help analyzing Hijaak Th
tulip_mrk wrote:

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe


Find out what this is, it looks fishy.

Quote:
C:\WINDOWS\system32\sfpsvr.exe


Looks bad.

Backup, kill process and delete.

Quote:
C:\documents and settings\walt\local settings\temp\F0i5LNgA.exe
C:\documents and settings\walt\local settings\temp\DUTVQEs.exe


Kill and delete.

Quote:
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe


Investigate.

Quote:
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe


Investigate

Quote:
C:\WINDOWS\System32\LfywBC.exe
C:\WINDOWS\System32\TttKDJtq.exe


Kill and delete, but it looks like it changes names at each reboot so you will need to post a fresh log.

Quote:
F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System\user32.exe
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System\user32.exe


Fix

Quote:
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll


Fix

Quote:
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll


Fix

Quote:
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll


I'd fix


Quote:
O4 - HKLM\..\Run: [sfpsvr] C:\WINDOWS\system32\sfpsvr.exe
O4 - HKLM\..\Run: [rokjpnjcxih] C:\WINDOWS\System32\xxphqfsw.exe
O4 - HKLM\..\Run: [F0i5LNgA] C:\documents and settings\walt\local settings\temp\F0i5LNgA.exe
O4 - HKLM\..\Run: [DUTVQEs] C:\documents and settings\walt\local settings\temp\DUTVQEs.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [2WW7JDS2B@MB82] C:\WINDOWS\System32\Nzkx1Wc1.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime


fix

Quote:
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor


fix

Quote:
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q


fix

We'll probably need a new log.
tulip mrk
Reply Thu 1 Jul, 2004 07:53 pm
exploit removal and new hijaak log
Thank you for your assistance, Craven.

I have fixed what you suggested to fix, and here is my new HijackThis log. I really appreciate your help in reviewing this log. Thanks so much.

Logfile of HijackThis v1.97.7
Scan saved at 6:53:10 PM, on 7/1/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\explorer.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\Mentor\Mentor for Windows XP Home Edition\xptray.exe
C:\WINDOWS\System32\Drt6.exe
C:\WINDOWS\System32\Tgte5m2U.exe
C:\Documents and Settings\Walt\My Documents\Download\HijackThis.exe

F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System\user32.exe
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System\user32.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [2WW7JDS2B@MB82] C:\WINDOWS\System32\Atv0h.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - Global Startup: Mentor winXP Tray Icon.lnk = C:\Program Files\Mentor\Mentor for Windows XP Home Edition\xptray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Mentor (HKLM)
O9 - Extra button: AOL Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37682.5669328704
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
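As an added example, not code from this thread or from the HijackThis tool: a small Python checker that applies the rules the reply above uses to HijackThis log lines (F0/F2 Shell= entries that load more than explorer.exe, executables running from a temp directory, random-looking file names under System32) and compares the O4 Run entries of two logs to spot an entry whose target file changed between scans, the "changes names at each reboot" pattern visible in the [2WW7JDS2B@MB82] entry. The function names and the random-name heuristic are my own assumptions; the sample lines are copied from the two logs posted above.

```python
import re
# Constructed sample: entries copied from the two logs in this thread, trimmed to the ones the reply singles out.
LOG_JUN27 = r"""C:\WINDOWS\system32\sfpsvr.exe
C:\documents and settings\walt\local settings\temp\F0i5LNgA.exe
F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System\user32.exe
O4 - HKLM\..\Run: [DUTVQEs] C:\documents and settings\walt\local settings\temp\DUTVQEs.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [2WW7JDS2B@MB82] C:\WINDOWS\System32\Nzkx1Wc1.exe"""
LOG_JUL1 = r"""O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [2WW7JDS2B@MB82] C:\WINDOWS\System32\Atv0h.exe"""

PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)
RUN_RE = re.compile(r'^O4 - .*\\Run: \[([^\]]+)\]\s*"?([A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)

def looks_random(basename):
    """Heuristic (my assumption): generated-looking stem has digits in it, or 6+ letters with no vowel."""
    stem = basename.rsplit('.', 1)[0]
    return (any(c.isdigit() for c in stem)
            or len(stem) >= 6 and not any(c in 'aeiou' for c in stem.lower()))

def check_path(path):
    """Reasons a process or autorun path deserves a look (empty list if none)."""
    low, reasons = path.lower(), []
    if '\\temp\\' in low:
        reasons.append('executable in a temp directory')
    if ('\\system32\\' in low or '\\system\\' in low) and looks_random(low.rsplit('\\', 1)[-1]):
        reasons.append('random-looking name in a system directory')
    return reasons

def audit(log_text):
    """Flag F0/F2 shell hijacks and suspicious process/autorun paths as (line, reason) pairs."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        m = PATH_RE.search(line)
        if line[:2] in ('F0', 'F2') and 'Shell=' in line:
            if line.split('Shell=', 1)[1].strip().lower() != 'explorer.exe':
                findings.append((line, 'Shell= loads more than explorer.exe'))
        elif m:
            findings.extend((line, r) for r in check_path(m.group(1)))
    return findings

def run_targets(log_text):
    """Map each O4 Run entry name to the (lower-cased) executable it launches."""
    return {m.group(1): m.group(2).lower() for m in
            (RUN_RE.match(l.strip()) for l in log_text.splitlines()) if m}

def changed_run_targets(old_log, new_log):
    """Run entries present in both logs whose target file changed between scans."""
    old, new = run_targets(old_log), run_targets(new_log)
    return {k: (old[k], new[k]) for k in old if k in new and old[k] != new[k]}
```

The name heuristic is deliberately loose: it flags sfpsvr.exe and the digit-laden System32 names but leaves smss.exe and svchost.exe alone, and anything it flags still needs a hands-on check before deletion.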
Craven de Kere
Reply Thu 1 Jul, 2004 08:02 pm
I have to do some work and can't audit your log right now. Please let me know if the problems continue (if they are gone, there's no sense in spending time poring over the log).