Can someone analyze this HijackThis log please

epsilon3
I ran Malwarebytes and it cleaned up a lot of stuff, but the hijacker is still in the background someplace. Any help would be greatly appreciated.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:38:12 PM, on 7/1/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17055)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Peachtree Online Backup\AgentService.exe
C:\Program Files\Chronos Process Integration\Chronos eStockCard Services\eStockCardAlertService.exe
C:\Program Files\Chronos Process Integration\Chronos eStockCard Services\eStockCardSchedulerService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Pogoplug\dokanmnt.exe
C:\Program Files\IntelliTrack\License Service\LicenseService.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\MozyHome\mozybackup.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Pogoplug\ppfs.exe
C:\Program Files\MozyHome\mozystat.exe
C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Invenology\WMSmart\WMSmartServices.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20100517214855.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Brenav] rundll32.exe "C:\WINDOWS\ebotidal.dll",Startup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ppfs.exe] C:\Program Files\Pogoplug\ppfs.exe -s
O4 - HKCU\..\Run: [{3F487BEA-9710-C633-14E7-43C892C20EF8}] "C:\Documents and Settings\Michael Ehrenreich\Application Data\Iqxy\ivesm.exe"
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - Global Startup: MozyHome Status.lnk = C:\Program Files\MozyHome\mozystat.exe
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4866/mcfscan.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: vskype - (no CLSID) - (no file)
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\615\G2AWinLogon.dll
O23 - Service: McAfee Application Installer Cleanup (0061391277175305) (0061391277175305mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\006139~1.EXE (file missing)
O23 - Service: AgentService - Iron Mountain Incorporated - C:\Program Files\Peachtree Online Backup\AgentService.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DokanCEMounter - Cloud Engines - C:\Program Files\Pogoplug\dokanmnt.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\615\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IntelliTrack License Service (ITLicenseSvc) - Unknown owner - C:\Program Files\IntelliTrack\License Service\LicenseService.exe
O23 - Service: McAfee Personal Firewall (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
O23 - Service: MozyHome Backup Service (mozybackup) - Mozy, Inc. - C:\Program Files\MozyHome\mozybackup.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WMSmart Agent - Invenology - C:\Program Files\Invenology\WMSmart\WMSmartServices.exe

--
End of file - 10894 bytes
Go to http://hijackthis.de and click analyse. The only nasty entry coming up is

O4 - HKCU\..\Run: [ppfs.exe] C:\Program Files\Pogoplug\ppfs.exe -s

Although there are some other unknown entries.
Manually going through the list, I can only see one thing that pops out:

O4 - HKCU\..\Run: [{3F487BEA-9710-C633-14E7-43C892C20EF8}] "C:\Documents and Settings\Michael Ehrenreich\Application Data\Iqxy\ivesm.exe"

Not sure why there is an exe from your app data with such a spurious-looking name starting up. This usually points to trouble.

Take a look in your startup items:
Start > Run > msconfig > startup tab

Have a look through the list and see if it's set to start up with Windows. If it is, untick the box, apply and OK. It will ask for a restart.
Once you have restarted your PC the file won't be running, which means the .exe won't be locked and can be deleted.

Browse to its location:
Start > Run:
C:\Documents and Settings\Michael Ehrenreich\Application Data
find the Iqxy folder, which contains ivesm.exe, and delete it (use Shift+Delete to permanently delete it).

Give Malwarebytes another scan and hopefully you should be ok :)

I've found that Malwarebytes does a great job of getting rid of infections but can take 2-3, or on some occasions even 4, FULL scans - not quick scans (also make sure it's fully updated).

Hope this helps!
Top Expert 2007
Commented:
Fix these entries in Hijackthis.
O4 - HKLM\..\Run: [Brenav] rundll32.exe "C:\WINDOWS\ebotidal.dll",Startup
O4 - HKCU\..\Run: [{3F487BEA-9710-C633-14E7-43C892C20EF8}] "C:\Documents and Settings\Michael Ehrenreich\Application Data\Iqxy\ivesm.exe"
O23 - Service: McAfee Application Installer Cleanup (0061391277175305) (0061391277175305mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\006139~1.EXE (file missing)

C:\WINDOWS\ebotidal.dll <-- this file needs to go if still present
C:\Documents and Settings\Michael Ehrenreich\Application Data\Iqxy <-- this folder also needs to go, it's hidden so you would need to show hidden files and folders first.


The HijackThis log shows that the system is running in diagnostic mode, so all disabled startup entries (bad or good) are not scanned, so they are not showing in the HijackThis log.
Plus a lot of nasties can also hide from the hijackthis scan.

Use a tool like Malwarebytes (as already suggested) and/or ComboFix and show us the logfile.
Malwarebytes: check for the tool's updates before running a scan.
http://www.malwarebytes.org/mbam.php

ComboFix:(Attach the log)
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

HijackThis - some Tips & Tricks
http://www.experts-exchange.com/A_2963.html
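The two posts above pick out the same three entries by eye: a Run value named with a bare GUID pointing into Application Data, rundll32 loading a DLL dropped straight into C:\WINDOWS, and an orphaned service with "(file missing)" in a TEMP path. The script below is an added example (not code from the original thread, from HijackThis, or from hijackthis.de) that encodes those eyeball rules as a small triage pass over O4 and O23 lines. The sample input is a handful of lines copied from the log posted above; the heuristics themselves, the regexes and the function names are this example's own assumptions, and a match is a reason to look closer, not proof of infection (compare the legitimate Pogoplug entry that hijackthis.de flagged).

```python
import re

# Sample input: a handful of O4/O23 lines copied from the HijackThis log posted
# above. The classification rules below are this example's own heuristics, not
# anything HijackThis or hijackthis.de does.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Brenav] rundll32.exe "C:\WINDOWS\ebotidal.dll",Startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ppfs.exe] C:\Program Files\Pogoplug\ppfs.exe -s
O4 - HKCU\..\Run: [{3F487BEA-9710-C633-14E7-43C892C20EF8}] "C:\Documents and Settings\Michael Ehrenreich\Application Data\Iqxy\ivesm.exe"
O23 - Service: McAfee Application Installer Cleanup (0061391277175305) (0061391277175305mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\006139~1.EXE (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<rest>.+)$")
# First drive-letter path ending in an executable/library extension. The lookahead
# stops "C:\Program Files\McAfee.com" from being cut off at ".com".
PATH_RE = re.compile(r'(?i)[a-z]:\\.*?\.(?:exe|dll|scr)(?=["\s,]|$)')
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
WINDOWS_ROOT_DLL_RE = re.compile(r"^c:\\windows\\[^\\]+\.dll$")


def parse_entries(log_text):
    """Turn O4 (Run key) and O23 (service) lines into dicts; other lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            path = PATH_RE.search(m.group("cmd"))
            entries.append({
                "kind": "O4", "name": m.group("name"), "key": m.group("key"),
                "cmd": m.group("cmd"), "owner": "", "missing": False,
                "path": path.group(0) if path else "",
            })
            continue
        m = O23_RE.match(line)
        if m:
            rest = m.group("rest")
            path = PATH_RE.search(rest)
            entries.append({
                "kind": "O23", "name": m.group("display"), "key": "Service",
                "cmd": rest, "owner": m.group("owner"),
                "missing": "(file missing)" in rest,
                "path": path.group(0) if path else "",
            })
    return entries


def suspicious_reasons(entry):
    """Heuristics mirroring how the experts above singled out the three bad entries."""
    reasons = []
    low = entry["path"].lower()
    if entry["kind"] == "O4":
        if GUID_RE.match(entry["name"]):
            reasons.append("Run value named with a bare GUID")
        if "\\application data\\" in low or "\\local settings\\" in low:
            reasons.append("executable under the user profile's Application Data")
        if "rundll32" in entry["cmd"].lower() and WINDOWS_ROOT_DLL_RE.match(low):
            reasons.append("rundll32 loading a DLL dropped directly into C:\\WINDOWS")
    else:
        if entry["missing"]:
            reasons.append("service binary is missing on disk (orphaned service)")
        if "\\temp\\" in low:
            reasons.append("service binary lives in a TEMP directory")
        # "Unknown owner" alone is common for legitimate software (see the
        # IntelliTrack service in the log), so it only counts alongside another hit.
        if entry["owner"].lower() == "unknown owner" and reasons:
            reasons.append("no publisher information on top of the above")
    return reasons


def triage(log_text):
    """Return {entry name: [reasons]} for every entry that trips at least one heuristic."""
    flagged = {}
    for entry in parse_entries(log_text):
        reasons = suspicious_reasons(entry)
        if reasons:
            flagged[entry["name"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print(name + ": " + "; ".join(reasons))
```

Run against the sample, only Brenav, the GUID-named Run value and the orphaned McAfee cleanup service come back; NvCplDaemon is not flagged even though it also uses rundll32, because its DLL sits under System32 rather than in the root of C:\WINDOWS, and neither Pogoplug line trips anything.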
Commented:
If running Malwarebytes (in Normal mode) doesn't resolve it, try Hitman Pro 3, a second-opinion malware scanner:
http://www.surfright.nl/en/downloads/

If the results are good but you still believe you have a 'hijacker' try running Combofix.
Download ComboFix and save to your Desktop >
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Before using ComboFix please disable any realtime Anti-virus, Anti-spyware, Shields, etc. that you may have running.
Also, it may be necessary to rename ComboFix.exe (to Combo-Fix.exe, for example) before saving it to your desktop. If you have difficulties downloading it, try downloading to another machine, then onto a USB memory stick or CD. Rename it and carry it to the infected machine, then try this key combination to reach a Run box:
Windows Logo+R: Run dialog box

Double click "combofix.exe" and follow the prompts.
When it's finished it will have produced a Logfile, probably at C:\ComboFix.txt.
You could post that log in a reply for us.
Please do not mouse-click ComboFix's window while it is running, because it may stall.
ComboFix should be run in normal mode.

Commented:
Oops, didn't refresh :/
Top Expert 2007

Commented:
C:\Program Files\Pogoplug <-- this program may have been purposely installed by the user. Used for sharing files online etc.

Author

Commented:
OK guys, thanks for all your responses. Here is a little extra info and what the outcome was. As part of the hijacker, a DNS trojan was also involved that disabled internet access. Malwarebytes did discover and eliminate the DNS trojan. Since we were now able to get to the internet, we contacted McAfee technical support for their assistance. 2 hours later, the hijacker was removed.

McAfee explained that the culprit was such a new entity that no one has written any virus definition files to be updated as of yet.

So there ya go. I am going to share the solution with everyone who responded. Again, thanks to everyone.
Top Expert 2007

Commented:

>>>"McAfee explained that the culprit was such a new entity that no one has written any virus definition files to be updated as of yet."<<<

yeah right, :)... that's their good excuse...

Which means that their heuristic detection method is not that good.
A sophisticated antivirus uses not only a signature-based method (virus definitions) but also a heuristic or behavioral one.
This method is used for catching unknown viruses/nasties: viruses that have not yet been identified with signatures and are yet to be added to the virus database.
With heuristic scanning, the AV examines the characteristics of a file, its size and how the file behaves, i.e., looks like a virus, behaves like a virus etc.


Glad to know the issue is resolved.

Thank you for using Experts-Exchange!

Commented:
Thanks for the feedback, glad you've resolved it.
