Log For A Friend



My friend has recently been attacked with many malware programs and viruses. I asked him to run A squared, which he was attempting to, and I also told him to run HijackThis, just to see what's on his computer. I am not yet perfect in my log analyzation, and his computer is in a really bad condition, so here you go, experts:

Logfile of HijackThis v1.99.1
Scan saved at 9:16:24 AM, on 3/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\secsrvrc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\windows\system32\qpourky.exe
C:\WINDOWS\System32\winupdt.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\windows\system32\wjisdua.exe
C:\windows\system32\calc.exe
C:\WINDOWS\System32\ipvoice.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
C:\PROGRA~1\VBouncer\VirtualBouncer.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\msw\BMan.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\sysmonnt.exe
C:\WINDOWS\System32\inp40u.exe
C:\Program Files\AdDestroyer\AdDestroyer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\America Online 8.0\aol.exe
C:\Program Files\America Online 8.0\waol.exe
C:\Program Files\America Online 8.0\aolwbspd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wintask.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Program Files\Toolbar\TBPS.exe
C:\PROGRA~1\Toolbar\PIB.exe
c:\PROGRA~1\Toolbar\radio.exe
c:\PROGRA~1\Toolbar\WSG.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\WINDOWS\SysCheckBop32.exe
C:\WINDOWS\sys012444125951.exe
C:\Documents and Settings\Sebastian Park\Application Data\othb.exe
C:\WINDOWS\system32\r?ndll.exe
C:\WINDOWS\system\rbpwdv.exe
C:\PROGRA~1\COMMON~1\rkik\rkikm.exe
C:\PROGRA~1\COMMON~1\rkik\rkika.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\CashBack\bin\cashback.exe
C:\WINDOWS\System32\conime.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Media Pass\MediaPass.exe
C:\Program Files\Media Pass\MediaPassK.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Sebastian Park\Desktop\HijackThis.exe

R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINDOWS\Helper101.dll
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\rtneg.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O2 - BHO: (no name) - {F80E7B3F-E0D7-B92C-F82D-CEC9D7B66996} - C:\WINDOWS\System32\gaqajsdf.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [secsrvrc] C:\WINDOWS\System32\secsrvrc.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [myLinker] C:\PROGRA~1\myLinker\myLinker.exe /B
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [wjisdua] c:\windows\system32\wjisdua.exe
O4 - HKLM\..\Run: [surfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKLM\..\Run: [vznqldbr] C:\Program Files\vznqldbr\vznqldbr.exe
O4 - HKLM\..\Run: [tq8i38l] ipvoice.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [bMan] C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitezvo32.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [systemCheck] C:\WINDOWS\SysCheckBop32
O4 - HKLM\..\Run: [sys012444125951] C:\WINDOWS\sys012444125951.exe
O4 - HKLM\..\Run: [bullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPassK.exe
O4 - HKLM\..\RunOnce: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe /boot
O4 - HKLM\..\RunOnce: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe /boot
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [instant Access] rundll32.exe EGDACCESS_1057.dll,InstantAccess
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
O4 - HKCU\..\Run: [surfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKCU\..\Run: [c9rsRUJtV] inp40u.exe
O4 - HKCU\..\Run: [Aaou] C:\Documents and Settings\Sebastian Park\Application Data\othb.exe
O4 - HKCU\..\Run: [Mgri] C:\WINDOWS\System32\r?ondll.exe
O4 - HKCU\..\Run: [rkik] C:\PROGRA~1\COMMON~1\rkik\rkikm.exe
O4 - HKCU\..\RunOnce: [enBrowser] C:\WINDOWS\mbop1-1.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = %SystemRoot%\Installer\{2C84BB95-1DB9-4AC4-8750-F979BBCDD859}\_18be6784.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O14 - IERESET.INF: START_PAGE_URL=http://qus8l.hpwis.com
O16 - DPF: {091CDD73-1401-4643-9B9C-65B091C88685} (MyLinker Control) - http://dizzo.contents.mylinker.co.kr/module/MyLinker.cab
O16 - DPF: {26D73573-F1B3-48C9-A989-E6CE071957A1} - http://akamai.downloadv3.com/binaries/EGDA...ESS_1057_XP.cab
O16 - DPF: {2B36F775-8CF5-4489-B454-2D1B80984CF2} (FXPluginCtl Object) - http://www.powerflasher.de/plugin/powerres.cab
O16 - DPF: {51C99F40-9E0E-4BF1-A92A-77121CC01AD0} (IMBCClient Control) - http://touch.imbc.com/ocx/touch.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {D8F001C6-43B1-4CFD-9DAF-C8BEAE0E2B6D} (Touch Control) - http://touch.imbc.com/ocx/Online.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6236EF6-D4D7-4A9E-8418-E5826BCE9031}: NameServer = 205.188.146.145
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O20 - Winlogon Notify: secsrvrc - C:\WINDOWS\SYSTEM32\secsrvrc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe


To clean some of it out already, please download Spybot: Search and Destroy from http://www.safer-networking.org/index.php?page=download . Check for updates first, download ALL updates and do a scan. When finished, make sure ALL RED items have been ticked, and click the "Fix Selected Problems" button.

I'd also recommend you download AdAware, another good antispyware program, from http://www.lavasoftusa.com/support/download/ . Install the program and run it. Make sure you click the "Check for Updates" button before starting a scan. Do a scan with AdAware and remove everything it suggests.

After this, reboot and post a fresh HijackThis log.
