Computer Security & Viruses/Higlieder Trojan....ugh!


Question
QUESTION: This thing sucks.  Can't get rid of it.  Here is my Hijack log:
__________________________________________________

aelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - AOL LLC - C:\Program Files\Common Files\AOL\1180475753\ee\services\safetyCore\ver210_5_4_1\aolavupd.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: M-Audio Transit Installer (MAudioTransitService) - Avid Technology, Inc. - C:\Program Files\M-Audio\Transit\MAUSBTransitInst.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 7032 bytes
________________________________________________________

AND MY GMER LOG:

GMER 1.0.14.14116 - http://www.gmer.net
Rootkit scan 2008-02-04 09:57:24
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

INT 0x01        \SystemRoot\system32\DRIVERS\ati2mtag.sys          B9C9E4F6
INT 0x03        \SystemRoot\system32\DRIVERS\ati2mtag.sys          B9C9E59C

Code          \??\C:\WINDOWS\system32\drivers\srosa.sys          ZwOpenProcess [0xB175A31C]
Code          \??\C:\WINDOWS\system32\drivers\srosa.sys          ZwQuerySystemInformation [0xB175FD0C]
Code          \??\C:\WINDOWS\system32\drivers\srosa.sys          ZwSetInformationFile [0xB175A41A]
Code          \??\C:\WINDOWS\system32\drivers\srosa.sys          NtOpenProcess
Code          \??\C:\WINDOWS\system32\drivers\srosa.sys          NtQuerySystemInformation
Code          \??\C:\WINDOWS\system32\drivers\srosa.sys          NtSetInformationFile

---- Kernel code sections - GMER 1.0.14 ----

PAGE          ntoskrnl.exe!ZwCreateKey + 40B          8056EBB4 7 Bytes  JMP B175FF40 \??\C:\WINDOWS\system32\drivers\srosa.sys
PAGE          ntoskrnl.exe!ZwQueryKey + 2F2          8056EEAB 7 Bytes  JMP B175F8B8 \??\C:\WINDOWS\system32\drivers\srosa.sys
PAGE          ntoskrnl.exe!IoCreateFile + EB          8056FB8E 7 Bytes  JMP B175F5A2 \??\C:\WINDOWS\system32\drivers\srosa.sys
PAGE          ntoskrnl.exe!NtOpenFile + 60          8056FBF3 7 Bytes  JMP B175F4E2 \??\C:\WINDOWS\system32\drivers\srosa.sys
PAGE          ntoskrnl.exe!NtOpenProcess          80572D06 5 Bytes  JMP B175A320 \??\C:\WINDOWS\system32\drivers\srosa.sys
PAGE          ntoskrnl.exe!ZwProtectVirtualMemory + 45B          80573510 7 Bytes  JMP B175FB5E \??\C:\WINDOWS\system32\drivers\srosa.sys
PAGE          ntoskrnl.exe!ZwCreateSemaphore + 449          80573C88 7 Bytes  JMP B175A546 \??\C:\WINDOWS\system32\drivers\srosa.sys
PAGE          ntoskrnl.exe!NtSetInformationFile          80576E9C 5 Bytes  JMP B175A41E \??\C:\WINDOWS\system32\drivers\srosa.sys
PAGE          ntoskrnl.exe!NtQuerySystemInformation          8057D786 5 Bytes  JMP B175FD10 \??\C:\WINDOWS\system32\drivers\srosa.sys
PAGE          ntoskrnl.exe!ZwAcceptConnectPort + 871          8057FB73 7 Bytes  JMP B175F60E \??\C:\WINDOWS\system32\drivers\srosa.sys
PAGE          ntoskrnl.exe!RtlGenerate8dot3Name + 1835          80593AA7 7 Bytes  JMP B175A760 \??\C:\WINDOWS\system32\drivers\srosa.sys
PAGE          ntoskrnl.exe!ZwDeleteValueKey + 1685          80595131 7 Bytes  JMP B175A960 \??\C:\WINDOWS\system32\drivers\srosa.sys
PAGE          ntoskrnl.exe!NtQueryInformationAtom + 5D2          805D7392 7 Bytes  JMP B175A3CE \??\C:\WINDOWS\system32\drivers\srosa.sys
?          C:\WINDOWS\system32\ntoskrnl.exe          The system cannot find the file specified.
.text          ntdll.dll!NtClose          7C90D586 5 Bytes  JMP 72049770
.text          ntdll.dll!NtCreateFile          7C90D682 5 Bytes  JMP 7204A570
.text          ntdll.dll!NtCreateKey          7C90D6D6 5 Bytes  JMP 7204ADA0
.text          ntdll.dll!NtCreateProcess          7C90D754 5 Bytes  JMP 7204AE30
.text          ntdll.dll!NtCreateProcessEx          7C90D769 5 Bytes  JMP 7204AF60
.text          ntdll.dll!NtCreateSection          7C90D793 5 Bytes  JMP 72049A40
.text          ntdll.dll!NtLoadDriver          7C90DB6E 5 Bytes  JMP 7204A1E0
.text          ntdll.dll!NtSetValueKey          7C90E7BC 5 Bytes  JMP 7204AD10
.text          ntdll.dll!NtWriteFile          7C90E9F3 5 Bytes  JMP 7204A3D0

---- User code sections - GMER 1.0.14 ----

.text          C:\WINDOWS\Explorer.EXE[320] WS2_32.dll!connect          71AB406A 5 Bytes  JMP 00C94C00 C:\Program Files\mcafee.com\antivirus\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
.text          C:\WINDOWS\system32\NOTEPAD.EXE[428] WS2_32.dll!connect          71AB406A 5 Bytes  JMP 10004C00 C:\Program Files\mcafee.com\antivirus\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
.text          C:\DOCUME~1\SETHNE~1\LOCALS~1\Temp\Rar$EX00.609\gmer.exe[460] WS2_32.dll!connect          71AB406A 5 Bytes  JMP 10004C00 C:\Program Files\mcafee.com\antivirus\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
.text          C:\WINDOWS\system32\ctfmon.exe[512] WS2_32.dll!connect          71AB406A 5 Bytes  JMP 10004C00 C:\Program Files\mcafee.com\antivirus\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
.text          C:\Program Files\mcafee.com\personal firewall\MPfTray.exe[1004] WS2_32.dll!connect          71AB406A 5 Bytes  JMP 03184C00 C:\Program Files\mcafee.com\antivirus\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
.text          C:\Program Files\Common Files\AOL\1180475753\ee\AOLSoftware.exe[1012] WS2_32.dll!connect          71AB406A 5 Bytes  JMP 02BE4C00 C:\Program Files\mcafee.com\antivirus\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
.text          C:\Program Files\Common Files\AOL\1180475753\ee\services\safetyCore\ver210_5_4_1\AOLSP Scheduler.exe[1104] WS2_32.dll!connect  71AB406A 5 Bytes  JMP 10004C00 C:\Program Files\mcafee.com\antivirus\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
.text          C:\WINDOWS\system32\drivers\hldrrr.exe[1128] ws2_32.dll!connect          71AB406A 5 Bytes  JMP 10004C00 C:\Program Files\mcafee.com\antivirus\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
.text          ...          
.text          C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!DialogBoxParamW          7E42555F 5 Bytes  JMP 42F0F2C1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text          C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!DialogBoxIndirectParamW          7E432032 5 Bytes  JMP 430A166F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text          C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!MessageBoxIndirectA          7E43A04A 5 Bytes  JMP 430A15F0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text          C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!DialogBoxParamA          7E43B10C 5 Bytes  JMP 430A1634 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text          C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!MessageBoxExW          7E4505D8 5 Bytes  JMP 430A157C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text          C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!MessageBoxExA          7E4505FC 5 Bytes  JMP 430A15B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text          C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!DialogBoxIndirectParamA          7E456B50 5 Bytes  JMP 430A16AA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text          C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!MessageBoxIndirectW          7E4662AB 5 Bytes  JMP 42F31676 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text          C:\Program Files\Internet Explorer\iexplore.exe[2636] WS2_32.dll!connect          71AB406A 5 Bytes  JMP 01BF4C00 C:\Program Files\mcafee.com\antivirus\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
.text          C:\Program Files\AdwareAlert\AdwareAlert.exe[3272] WS2_32.dll!connect          71AB406A 5 Bytes  JMP 01C84C00 C:\Program Files\mcafee.com\antivirus\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
.text          C:\Program Files\Internet Explorer\iexplore.exe[3408] USER32.dll!DialogBoxParamW          7E42555F 5 Bytes  JMP 42F0F2C1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text          C:\Program Files\Internet Explorer\iexplore.exe[3408] USER32.dll!DialogBoxIndirectParamW          7E432032 5 Bytes  JMP 430A166F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text          C:\Program Files\Internet Explorer\iexplore.exe[3408] USER32.dll!MessageBoxIndirectA          7E43A04A 5 Bytes  JMP 430A15F0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text          C:\Program Files\Internet Explorer\iexplore.exe[3408] USER32.dll!DialogBoxParamA          7E43B10C 5 Bytes  JMP 430A1634 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text          C:\Program Files\Internet Explorer\iexplore.exe[3408] USER32.dll!MessageBoxExW          7E4505D8 5 Bytes  JMP 430A157C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text          C:\Program Files\Internet Explorer\iexplore.exe[3408] USER32.dll!MessageBoxExA          7E4505FC 5 Bytes  JMP 430A15B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text          C:\Program Files\Internet Explorer\iexplore.exe[3408] USER32.dll!DialogBoxIndirectParamA          7E456B50 5 Bytes  JMP 430A16AA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text          C:\Program Files\Internet Explorer\iexplore.exe[3408] USER32.dll!MessageBoxIndirectW          7E4662AB 5 Bytes  JMP 42F31676 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text          C:\Program Files\Internet Explorer\iexplore.exe[3408] WS2_32.dll!connect          71AB406A 5 Bytes  JMP 01BF4C00 C:\Program Files\mcafee.com\antivirus\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)

---- Devices - GMER 1.0.14 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs          SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc)
AttachedDevice  \FileSystem\Ntfs \Ntfs          DigiFilt.sys (Digidesign Filter Driver/Digidesign, A Division of Avid Technology, Inc.)
AttachedDevice  \Driver\Tcpip \Device\Ip          MpFirewall.sys (McAfee Personal Firewall Driver/McAfee)
AttachedDevice  \Driver\Tcpip \Device\Ip          ntoskrnl.exe
AttachedDevice  \Driver\Tcpip \Device\Tcp          MpFirewall.sys (McAfee Personal Firewall Driver/McAfee)
AttachedDevice  \Driver\Tcpip \Device\Tcp          ntoskrnl.exe
AttachedDevice  \Driver\Tcpip \Device\Udp          MpFirewall.sys (McAfee Personal Firewall Driver/McAfee)
AttachedDevice  \Driver\Tcpip \Device\Udp          ntoskrnl.exe
AttachedDevice  \Driver\Tcpip \Device\RawIp          MpFirewall.sys (McAfee Personal Firewall Driver/McAfee)
AttachedDevice  \Driver\Tcpip \Device\RawIp          ntoskrnl.exe
AttachedDevice  \FileSystem\Fastfat \Fat          SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc)
AttachedDevice  \FileSystem\Fastfat \Fat          DigiFilt.sys (Digidesign Filter Driver/Digidesign, A Division of Avid Technology, Inc.)

---- Processes - GMER 1.0.14 ----

Process         C:\WINDOWS\system32\drivers\hldrrr.exe (*** hidden *** )          1128          

---- EOF - GMER 1.0.14 ----



ANSWER: Hi Seth

Please start a new thread with another HJT log.  Your log here is cut off, so most of the log is missing.  Thanks.

Brian

---------- FOLLOW-UP ----------

QUESTION: Here is my complete Hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:06:03 PM, on 2/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\1180475753\ee\services\safetyCore\ver210_5_4_1\aolavupd.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\M-Audio\Transit\MAUSBTransitInst.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
C:\Program Files\Common Files\AOL\1180475753\ee\AOLSoftware.exe
C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
C:\Program Files\Common Files\AOL\1180475753\ee\services\safetyCore\ver210_5_4_1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1180475753\ee\SSCEvtHdlr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\1180475753\ee\aolsoftware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Seth Neuffer\Application Data\Simply Super Software\Trojan Remover\lkt6.exe
C:\DOCUME~1\SETHNE~1\LOCALS~1\Temp\Rar$EX00.953\gmer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1180475753\ee\SSCRun.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [MPFEXE] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1180475753\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1180475753\ee\services\safetyCore\ver210_5_4_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [MolCp3Monitor] C:\Music Programs\MusicLab\MolCp III\monitor.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-436374069-1715567821-725345543-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - AOL LLC - C:\Program Files\Common Files\AOL\1180475753\ee\services\safetyCore\ver210_5_4_1\aolavupd.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: M-Audio Transit Installer (MAudioTransitService) - Avid Technology, Inc. - C:\Program Files\M-Audio\Transit\MAUSBTransitInst.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 7135 bytes


ANSWER: Hi Seth

It looks like GMER removed the rootkit, as I see no sign of it in your HJT log file.  Are you still having symptoms of this trojan?

Brian

---------- FOLLOW-UP ----------

QUESTION: Yeah. When I ran the GMER scan it says "WARNING !!! GMER has found system modification, which might have been caused by ROOTKIT activity..."
Even though I try to delete the Higlieder trojan with my spyware or virus scanner, it still pops up again.  When I try to boot in safe mode I get a blue screen and have to shut it down.
Any ideas?

Answer
Hi Seth

OK, you definitely are still infected then!  Please run the ESET online scanner here:
http://www.eset.com/onlinescan/

Next, you will need a tool to repair the SafeBoot Registry Key. You can use one of these programs.

1. The SafeBootKeyRepair tools by sUBs:

ComboFix not installed: Version 1 (288,070 bytes):
http://www.techsupportforum.com/sectools/sUBs/SafeBootKeyRepair.exe

ComboFix installed: Version 2: (61,694 bytes)
http://www.techsupportforum.com/sectools/sUBs/SafeBootKeyRepair-CF.exe

*or*

2. Download the SafeMode Repair.zip here:
http://www.hijackthis-forum.de/attachment.php?attachmentid=2272&d=1187631899
Unzip it to your desktop
Double-click it to run
Click ok > restart your system into Normal Mode.

Finally, download Spybot Search & Destroy from here:
http://www.safer-networking.org/en/spybotsd/index.html
Install, update the definitions, then do a complete scan.

After you finish, please let me know how the computer is running, and post me a fresh HJT log.

Brian
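The GMER log in the question marks hldrrr.exe as a hidden process, and the complete HijackThis log does not list it under "Running processes". The sketch below is an added example, not part of the original thread and not GMER or HijackThis code: it groups the GMER hook rows by the module that installed them and cross-checks hidden processes against the HijackThis list. The function names are hypothetical, and it assumes columns are separated by two or more spaces, as in the pasted log.

```python
import re
from collections import defaultdict

# Lines copied from the GMER log on this page (shortened); columns are assumed
# to be separated by two or more spaces, as they are in the pasted log.
GMER_LOG = r"""
---- System - GMER 1.0.14 ----
Code          \??\C:\WINDOWS\system32\drivers\srosa.sys          ZwOpenProcess [0xB175A31C]
---- Kernel code sections - GMER 1.0.14 ----
PAGE          ntoskrnl.exe!NtOpenProcess          80572D06 5 Bytes  JMP B175A320 \??\C:\WINDOWS\system32\drivers\srosa.sys
PAGE          ntoskrnl.exe!ZwCreateKey + 40B          8056EBB4 7 Bytes  JMP B175FF40 \??\C:\WINDOWS\system32\drivers\srosa.sys
.text          ntdll.dll!NtLoadDriver          7C90DB6E 5 Bytes  JMP 7204A1E0
---- User code sections - GMER 1.0.14 ----
.text          C:\WINDOWS\Explorer.EXE[320] WS2_32.dll!connect          71AB406A 5 Bytes  JMP 00C94C00 C:\Program Files\mcafee.com\antivirus\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
---- Processes - GMER 1.0.14 ----
Process         C:\WINDOWS\system32\drivers\hldrrr.exe (*** hidden *** )          1128
"""

# "Running processes" entries copied from the complete HijackThis log on this page.
HJT_RUNNING = [
    r"C:\WINDOWS\Explorer.EXE",
    r"C:\WINDOWS\system32\ctfmon.exe",
    r"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe",
]

API = re.compile(r"[\w.]+!(\w+)")
MODULE = re.compile(r"^(?P<path>.+?\.(?:sys|dll|exe))(?:\s+\((?P<vendor>.*)\))?$", re.I)
HIDDEN = re.compile(r"^(?P<path>.+?)\s+\(\*\*\* hidden \*\*\*\s*\)$")


def norm(path):
    """Drop the NT object-manager prefix and fold case so paths compare equal."""
    return (path[4:] if path.startswith("\\??\\") else path).lower()


def triage(gmer_text, hjt_running):
    """Group hooks by the module that installed them and list hidden processes."""
    hookers = defaultdict(lambda: {"vendor": None, "apis": set()})
    hidden = []
    seen_by_hjt = {norm(p) for p in hjt_running}
    for raw in gmer_text.splitlines():
        f = re.split(r"\s{2,}", raw.strip())
        if f[0] == "Code" and len(f) >= 3:           # "Code" rows of the System section
            hookers[norm(f[1])]["apis"].add(f[2].split()[0])
        elif (f[0] in ("PAGE", ".text") and len(f) >= 4
              and f[3].startswith("JMP ") and (a := API.search(f[1]))):
            target = f[3].split(None, 2)[2:]         # text after "JMP <address>"
            m = MODULE.match(target[0]) if target else None
            key = norm(m["path"]) if m else "<unattributed>"
            if m and m["vendor"]:
                hookers[key]["vendor"] = m["vendor"]
            hookers[key]["apis"].add(a.group(1))
        elif f[0] == "Process" and len(f) >= 3 and (m := HIDDEN.match(f[1])):
            path = norm(m["path"])
            hidden.append((path, int(f[2]), path in seen_by_hjt))
    return {"hookers": dict(hookers), "hidden": hidden}


def unlabelled(report):
    """Hooking modules for which GMER printed no description/company string."""
    return sorted(k for k, v in report["hookers"].items() if v["vendor"] is None)


if __name__ == "__main__":
    report = triage(GMER_LOG, HJT_RUNNING)
    print("hidden:", report["hidden"])
    print("no vendor string:", unlabelled(report))
```

A missing vendor string is only a reason to look closer at a module, not a verdict; here it separates srosa.sys and the unattributed ntdll.dll patches from the McAfee Winsock helper that accounts for the `connect` hooks.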

Brian Benosky

Expertise

I will help you in eradicating malware and all forms of virus/trojans/adware. I can answer all PC-related hardware issues. I can also troubleshoot Windows OS errors (all versions) and other software problems. HijackThis logs are a MUST for virus related help. If you do not know how to do this, I have posted easy-to-follow instructions on the Ask a Question page. Every computer infection is different, so I will give you personal instructions on how to remove the malware, not a 'pat' answer. You can be assured of a prompt, polite, and knowledgeable response in all regards.

Experience

I have over 25 years experience in using, building, and repairing computers. I have helped over two thousand people here on AllExperts, with consistent Top Feedback Scores. Please look at my answers here: http://en.allexperts.com/q/Computer-Security-Viruses-1737/indexExp_84308.htm I am also a Top Contributor of General Computing answers in Yahoo! Questions.

Education/Credentials
College Educated Self-taught Computer Skills

©2012 About.com, a part of The New York Times Company. All rights reserved.