
Please Help With My Hijack This Log

1 reply to this topic

#1 bbelack


  • Members
  • 1 posts
  • Local time:04:46 PM

Posted 04 December 2007 - 11:12 PM


I'm trying to disinfect my roommate's computer. Every time I try to run Ad-Aware (not connected to the internet, of course) it shuts down the computer. I did some research on some forums, and based on that, I think he has a worm of some kind. I downloaded HijackThis, to try and stop whatever is getting in the way of Ad-Aware. Below is my log, and my startup list. Any help on what to stop would be helpful.


HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:10:06 PM, on 12/4/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
C:\Program Files\NETGEAR\WPN111 Configuration Utility\wpn111.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =
O1 - Hosts: pagead2.googlesyndication.com
O1 - Hosts: pagead2.googlesyndication.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [MS Task Manager 32] C:\WINNT\System32\mstskmgr.exe
O4 - HKLM\..\Run: [0c2bc04a] rundll32.exe "C:\WINNT\tuspmk.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1192987351711
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINNT\System32\acs.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: DomainService - - C:\WINNT\System32\skfbfoew.exe
O23 - Service: Microsoft Agent - Unknown owner - C:\WINNT\System32\dllcache\cvchost.exe

End of file - 3616 bytes

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
D-Link AirPlus G Wireless Utility.lnk = ?
D-Link REG Utility.lnk = ?
NETGEAR WPN111 Smart Wizard.lnk = ?


Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,


Autorun entries from Registry:

SynTPLpr = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
0c2bc04a = rundll32.exe "C:\WINNT\System32\cmauqoiw.dll",b
MS Task Manager 32 = C:\WINNT\System32\mstskmgr.exe


Autorun entries from Registry:

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
Yahoo! Pager = 1


Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll - {02478D38-C3F9-4EFB-9B51-7695ECA05670}
(no name) - (no file) - {04E15EFD-6FFC-4C80-8E33-7FBC32F44515}
(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - (no file) - {2378aa35-57f4-4653-85e5-c756c170214e}
(no name) - C:\Program Files\Microsoft Money\System\mnyside.dll - {243B17DE-77C7-46BF-B94B-0B5F309A0E64}
(no name) - (no file) - {47D40C56-A28C-478A-B879-FAC692F6CF4B}
(no name) - C:\WINNT\System32\tuvwv.dll - {75FE208C-3A19-47EC-AF06-C0791749503E}
(no name) - C:\WINNT\system32\loadSrv.dll - {8b75f980-2081-47de-9530-f44252ac4157}
(no name) - (no file) - {8EABD55A-7043-4897-88EC-D371C9A692ED}
(no name) - (no file) - {9BB58CD2-C0BA-4E24-AB3F-941CC86E3C2A}
(no name) - (no file) - {9D4EF5C9-548E-46EE-8EFD-0DCE70272D8F}
(no name) - (no file) - {AF0CA5E2-E90D-470B-BA8C-806AFF8EE573}
(no name) - C:\WINNT\System32\awtqnkh.dll - {BCC73622-F72D-4277-803C-D65565A0947F}
(no name) - (no file) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC}


Enumerating Task Scheduler jobs:

Symantec NetDetect.job


Enumerating Download Program Files:

[YInstStarter Class]
InProcServer32 = C:\Program Files\Yahoo!\common\yinsthelper.dll
CODEBASE = C:\Program Files\Yahoo!\common\yinsthelper.dll

CODEBASE = http://download.microsoft.com/download/D/0...D0C/wmv9dmo.cab

[MUWebControl Class]
InProcServer32 = C:\WINNT\System32\muweb.dll
CODEBASE = http://www.update.microsoft.com/microsoftu...b?1192987351711


Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINNT\system32\SHELL32.dll
CDBurn: C:\WINNT\system32\SHELL32.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: C:\WINNT\System32\stobject.dll

End of report, 5,534 bytes
Report generated in 0.101 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

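A triage pass over the O4 (Run key) and O23 (service) lines from the log above, as an added example that is not part of this thread or of HijackThis itself. The rules it applies (empty company string, a binary launched from the dllcache folder, rundll32 loading a DLL from outside System32 through a one-letter export, hex-looking or vowel-less names under the Windows directory) are rules of thumb for deciding which entries to research first, not a verdict on any of them.

```python
# Added example (not HijackThis or any poster's code): rule-of-thumb triage of HijackThis O4/O23 lines.
# The sample lines are copied from the log in post #1 of this thread.
import re
from pathlib import PureWindowsPath
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [MS Task Manager 32] C:\WINNT\System32\mstskmgr.exe
O4 - HKLM\..\Run: [0c2bc04a] rundll32.exe "C:\WINNT\tuspmk.dll",b
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINNT\System32\acs.exe
O23 - Service: DomainService - - C:\WINNT\System32\skfbfoew.exe
O23 - Service: Microsoft Agent - Unknown owner - C:\WINNT\System32\dllcache\cvchost.exe
"""
O4_RE = re.compile(r"^O4 - \S+?\\\.\.\\Run: \[([^\]]*)\] (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?)\s?- (.*)$")   # company may be empty ("- -")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?([^",]+)"?\s*,\s*(\S*)', re.I)
PATH_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|dll|com|scr|pif|bat))(?:\s|$)', re.I)

def looks_random(stem):
    """Six or more letters with at most one vowel reads as machine-generated."""
    letters = [c for c in stem.lower() if c.isalpha()]
    return len(letters) >= 6 and sum(c in "aeiou" for c in letters) <= 1

def flag_entry(name, company, cmd):
    """Return the reasons one autostart entry deserves a closer look (may be empty)."""
    reasons = []
    if m := RUNDLL_RE.match(cmd):   # rundll32 is only the loader; judge the DLL it loads
        path, export = m.groups()
        if not re.search(r"\\system32\\", path, re.I) or len(export) <= 1:
            reasons.append("rundll32 loading a DLL outside System32 or via a one-letter export")
    else:                           # otherwise strip arguments to get the program path
        path = (m.group(1) or m.group(2)) if (m := PATH_RE.match(cmd)) else cmd
    p = PureWindowsPath(path)
    if re.fullmatch(r"[0-9a-f]{8}", name, re.I):
        reasons.append("hex-looking run-key name")
    if company == "":               # HijackThis prints "- -" when the binary names no vendor
        reasons.append("service with empty company string")
    if "dllcache" in (part.lower() for part in p.parts):
        reasons.append("binary runs from the Windows File Protection dllcache")
    if len(p.parts) > 1 and p.parts[1].upper() in ("WINNT", "WINDOWS") and looks_random(p.stem):
        reasons.append("random-looking file name under the Windows directory")
    return reasons

def triage(log_text):
    """Parse O4/O23 lines and map each flagged entry name to its reasons."""
    findings = {}
    for line in log_text.splitlines():
        m4, m23 = O4_RE.match(line), O23_RE.match(line)
        if m4 or m23:
            name, company, cmd = (m4.group(1), None, m4.group(2)) if m4 else m23.groups()
            if reasons := flag_entry(name, company, cmd):
                findings[name] = reasons
    return findings
```

On the sample above, the Synaptics, Ad-Aware and Atheros entries come out clean while the four entries with random names, an empty vendor or a dllcache path are the ones listed for follow-up.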



#2 jurgenv


  • Members
  • 1,093 posts
  • Gender:Male
  • Location:Belgium
  • Local time:01:46 AM

Posted 23 December 2007 - 07:57 AM

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply with a new hijackthis log.

Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Greets Jürgenv
