Computer Help and Spyware Removal Computer Help and Spyware Removal Computer Help and Spyware Removal Computer Help Forums Windows Startup Programs Database Spyware and Malware Removal Guides Computer Tutorials Uninstall Database File Database Computer Glossary Computer Resources
 

Welcome Guest ( Log In | Click here to Register a free account now! )



Register a free account to unlock additional features at BleepingComputer.com
Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.
MalwareByte's Anti-Malware Download

Important Announcement: The winners of the BC Million Post contest have been announced. You can read who the winners are at this post.

- BleepingComputer Management

> Forum Guidelines

Read this topic before posting a log.


DO NOT post a ComboFix log unless requested to.


Only members of the HijackThis Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

 
Reply to this topicStart new topic
> HJT Log - Andrew
Andrew
post Dec 22 2004, 05:30 PM
Post #1


New Member
*

Group: Members
Posts: 1
Joined: 22-December 04
Member No.: 7,675
Here is the logfile for my friend's laptop that appears to be very infected with malicious spyware. The following symptoms also occur:

-unable to shutdown, must use a hard reset to turn off the computer
-adaware, run in safe-mode, reveals over 250 new 'infections' almost daily
-unable to access the internet even in firefox
-porn added to the favorites list
-http://here4search.com/enter.htm?id=9 is a site (amongst many) that explorer re-directs to upon opening it
-sites requiring login reject the cookies sent

-------log file------------

Logfile of HijackThis v1.98.2
Scan saved at 7:26:02 PM, on 12/21/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM\ATI2CWXX.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\PHOENIX
TECHNOLOGIES\BAYSWAP\BAYSWAP.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON
SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON
SUPPORT\CPQEADM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH
JUKEBOX\MM_TRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\NRMAE.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON
SUPPORT\EAUSBKBD.EXE
C:\WINDOWS\SYSTEM32\XPSP2FW.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR
4\CREATECD\CREATECD.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\P9LMVSR89C4.EXE
C:\PROGRAM FILES\LINKSYS\WPC11 CONFIG
UTILITY\WPC11CFG.EXE
C:\PROGRAM FILES\WINFAX\WFXCTL32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\TIBS3.EXE
C:\WINDOWS\SYSTEM\KCYSY1JN7BDWGYTHD.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\WR66OUPJFJY9.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\PROGRAM FILES\WINFAX\WFXMOD32.EXE
C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
C:\WINDOWS\DESKTOP\HIJACK.EXE

R0 - HKCU\Software\Microsoft\Internet
Explorer\Main,Start Page =
http://win-eto.com/hp.htm?id=9
R3 - URLSearchHook: (no name) -
_{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) -
{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} -
C:\WINDOWS\SYSTEM\PW86UY~1.DLL
O4 - HKLM\..\Run: [ScanRegistry]
C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth]
C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ATIPOLAB] ati2evxx.exe
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [CPQInet]
c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program
Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program
Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BaySwap] C:\Program Files\Phoenix
Technologies\BaySwap\BaySwap.exe
O4 - HKLM\..\Run: [BaySwap2] C:\Program Files\Phoenix
Technologies\BaySwap\TbUpdate.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program
Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program
Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [OEMCLEANUP]
C:\WINDOWS\OPTIONS\oemreset.exe /o
O4 - HKLM\..\Run: [Adaptec DirectCD]
C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [MMTray] C:\Program
Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task]
"C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [3gFDymNu] C:\WINDOWS\NRMAE.EXE
O4 - HKLM\..\Run: [¢‰¸ï04Ã4}¤Áœ5]C:\Program
Files\ISTsvc\istsvc.exe] C:\WINDOWS\NRMAE.EXE
O4 - HKLM\..\Run: [XPSP2 Firewall]
C:\WINDOWS\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\SYSTEM\tibs3.exe
O4 - HKLM\..\Run: [CreateCD]
C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\Run: [Control handler]
C:\WINDOWS\SYSTEM\KCYSY1JN7BDWGYTHD.EXE
O4 - HKLM\..\Run: [IST Service] C:\Program
Files\ISTsvc\istsvc.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile]
Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV]
C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr]
C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager]
C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program
Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program
Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [romahere3]
C:\WINDOWS\SYSTEM\WR66OUPJFJY9.EXE
O4 - HKCU\..\Run: [Windows Update Client ]
C:\WINDOWS\system32\wuclient.exe
O4 - Startup: Microsoft Office.lnk = C:\Program
Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Instant Wireless Configuration
Utility.lnk = C:\Program Files\Linksys\WPC11 Config
Utility\WPC11Cfg.exe
O4 - Startup: Controller.LNK = C:\Program
Files\WinFax\WFXCTL32.EXE
O8 - Extra context menu item: E&xport to Microsoft
Excel -
res://C:\PROGRA~1\MICROS~4\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service -
{FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O12 - Plugin for
.com/servlet/DocServer?docid=48178238-b6c1-1004-8146-ceac2796def6&REALMOID=06-3d0e36c8-671b-0089-0000-3c2b00003c2b&tier=1:
C:\Program
Files\Netscape\Communicator\Program\PLUGINS\nppdf32.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
http://a1540.g.akamai.net/7/1540/52/200411...meInstaller.exe

--------------------------------------------------

Any help would be greatly appreciated!

Thanks
Go to the top of the page
 
+Quote Post
Grinler
post Dec 23 2004, 04:18 PM
Post #2


Bleep Bleep!
******

Group: Admin
Posts: 29,367
Joined: 24-January 04
From: USA
Member No.: 3
You are using an outdated version of hijackthis. Please download the newer version.

Download HijackThis from:

HijackThis Download Site

Then post a new log


--------------------
Lawrence
Go to the top of the page
 
+Quote Post
« Next Oldest · HijackThis Logs and Malware Removal · Next Newest »
 

Reply to this topicStart new topic
1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)
0 Members:

 

Display Mode: Standard · Switch to: Linear+ · Switch to: Outline

Track this topic · Email this topic · Print this topic · Subscribe to this forum

Lo-Fi Version Time is now: 21st November 2008 - 10:51 PM


Advertise   |   About Us   |   Terms of Use   |   Privacy Policy   |   Contact Us   |   Site Map   |   Chat   |   Tutorials   |   Uninstall List
Discussion Forums   |   The Computer Glossary   |   Resources   |   RSS Feeds   |   Startups   |   The File Database   |   Malware Removal Guides

© 2003-2008 All Rights Reserved Bleeping Computer LLC.

Powered By IP.Board © 2008  IPS, Inc.