Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Desktop Hijackthis Log


  • This topic is locked This topic is locked
5 replies to this topic

#1 PhilLearn

PhilLearn

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:35 AM

Posted 14 September 2007 - 11:19 PM

Okay guys, sorry about the last log.
I posted the wrong one.

Now this is our desktop log.
3 consecutive times had been formatted but same malware infected it.
I can't download some freeware because my internet has been disabled for unknown reason in my desktop.

Thanks.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:14:16 AM, on 9/15/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\urkeggdeipx.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Documents and Settings\Jan-Bryan\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Windows Service Agent] urkeggdeipx.exe
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\System32\upauebot.dll",forkonce
O4 - HKLM\..\RunServices: [Microsoft Windows Update] dkejvwh.exe
O4 - HKLM\..\RunServices: [Auto File System Conversion Utility] C:\WINDOWS\System32\wbem\scricon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Windows Service Agent] urkeggdeipx.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunServices: [Auto File System Conversion Utility] C:\WINDOWS\System32\wbem\scricon.exe
O4 - HKUS\S-1-5-21-515967899-1580436667-1060284298-1003\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet (User '?')
O4 - HKUS\S-1-5-21-515967899-1580436667-1060284298-1003\..\Run: [Windows Service Agent] urkeggdeipx.exe (User '?')
O4 - HKUS\S-1-5-21-515967899-1580436667-1060284298-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-515967899-1580436667-1060284298-1003\..\RunServices: [Auto File System Conversion Utility] C:\WINDOWS\System32\wbem\scricon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [Auto File System Conversion Utility] C:\WINDOWS\System32\wbem\scricon.exe (User '?')
O4 - HKUS\S-1-5-18\..\RunServices: [Auto File System Conversion Utility] C:\WINDOWS\System32\wbem\scricon.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [Auto File System Conversion Utility] C:\WINDOWS\System32\wbem\scricon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunServices: [Auto File System Conversion Utility] C:\WINDOWS\System32\wbem\scricon.exe (User 'Default user')
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

--
End of file - 3829 bytes

Posted Image


BC AdBot (Login to Remove)

 


#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:35 AM

Posted 15 September 2007 - 04:55 PM

Hello PhilLearn,

Before we start, you need to realize that you are missing one important program on that computer: An antivirus.

This is somewhat suicidal in today's digital world. :thumbsup:

You need to install an antivirus program as soon as you can and run a complete scan of the computer.

I recommend you download the free

Avast or
AntiVir or
AVG antivirus

Products from all three vendors received the Virus Bulletin's VB100% award and certification for virus detection from ICSA Labs.

Never install more than one antivirus scanner or firewall on your system! Several together can give you problems and decrease the reliability of it seriously!

Post a fresh Hijackthis log after you run a complete virus scan.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 PhilLearn

PhilLearn
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:35 AM

Posted 16 September 2007 - 06:06 AM

Hello SifuMike.

I have done what you have told me to do so. I've download the avast! and do a complete scan.

This is the fresh Hijacklog after the scan.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:04:17 PM, on 9/16/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ftp.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jan-Bryan\Desktop\HiJackThis.exe

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-515967899-1580436667-1060284298-1003\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet (User '?')
O4 - HKUS\S-1-5-21-515967899-1580436667-1060284298-1003\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

--
End of file - 2109 bytes

I do have a Mcafee in my system and I can't uninstall it but I disable it after I install the avast.

Posted Image


#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:35 AM

Posted 16 September 2007 - 12:35 PM

Hello PhilLearn,

Looking at your log, is see these items missing :thumbsup:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\System32\upauebot.dll",forkonce
O4 - HKLM\..\RunServices: [Microsoft Windows Update] dkejvwh.exe
O4 - HKLM\..\RunServices: [Auto File System Conversion Utility] C:\WINDOWS\System32\wbem\scricon.exe
O4 - HKCU\..\Run: [Windows Service Agent] urkeggdeipx.exe
O4 - HKCU\..\RunServices: [Auto File System Conversion Utility] C:\WINDOWS\System32\wbem\scricon.exe
O4 - HKUS\S-1-5-21-515967899-1580436667-1060284298-1003\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet (User '?')
O4 - HKUS\S-1-5-21-515967899-1580436667-1060284298-1003\..\Run: [Windows Service Agent] urkeggdeipx.exe (User '?')
O4 - HKUS\S-1-5-21-515967899-1580436667-1060284298-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-515967899-1580436667-1060284298-1003\..\RunServices: [Auto File System Conversion Utility] C:\WINDOWS\System32\wbem\scricon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [Auto File System Conversion Utility] C:\WINDOWS\System32\wbem\scricon.exe (User '?')
O4 - HKUS\S-1-5-18\..\RunServices: [Auto File System Conversion Utility] C:\WINDOWS\System32\wbem\scricon.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [Auto File System Conversion Utility] C:\WINDOWS\System32\wbem\scricon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunServices: [Auto File System Conversion Utility] C:\WINDOWS\System32\wbem\scricon.exe (User 'Default user')


Have you been fixing things yourself? :flowers:
Are you getting help from another site or being helped by someone else ?
These items do no vanish by themselves!

Edited by SifuMike, 16 September 2007 - 12:45 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 PhilLearn

PhilLearn
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:35 AM

Posted 16 September 2007 - 05:16 PM

Ohh. I forgot, someone in our team deleted it, suspecting those as malicious items. Sorry.

Did we do something wrong?

Posted Image


#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:35 AM

Posted 16 September 2007 - 06:56 PM

I cant be responsible for the changes your have been making with Hijackthis.
Since you are receiving help elsewhere, I am closing this thread.

Edited by SifuMike, 16 September 2007 - 08:44 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users