HJT log... analysis appreciated


3 replies to this topic

#1 cfairLazy

Posted 25 February 2005 - 03:03 AM

Hello all... first I would like to say this is my first time using this forum; I found it searching Google for spyware removal. So regardless of the outcome, thanks for being here...

Brief summary: kids were playing with the PC, now I've got popups galore, and ultimately I also want to make sure my PC is spy/mal/trojan/virus free; this is the first step :flowers:

OK, I followed someone's post for utils, freshly downloaded tonight.

-hijack this
-bleep cleaner
-ad aware se personal 1.05

Ran Ad-Aware, updated and removed a huge batch (something like 600 bad files).
Ran HJT and grabbed a log which I'm going to post here. And that's where I stopped, so please, if you could take a sec to look it would be great :trumpet:

Logfile of HijackThis v1.99.1
Scan saved at 2:50:47 AM, on 2/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\ptcore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\hjt\HijackThis.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mir3europe.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Bkpbhj.exe
O4 - HKLM\..\Run: [ijrbbpd] C:\WINDOWS\ptcore.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Rbqjfz.exe
O4 - HKLM\..\Run: [Imboel] C:\Program Files\Wquh\Ghgct.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: ComcastHSI - {A929AC20-545A-11D8-9E6E-0004614B51D7} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Help - {A929AC21-545A-11D8-9E6E-0004614B51D7} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {A929AC22-545A-11D8-9E6E-0004614B51D7} - http://www.comcastsupport.com (file missing) (HKCU)
O16 - DPF: Win32 Classes -
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1094069528311
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - https://www.mir3europe.com/nProtect/nPKeyCrypt/npkcx.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Gene6 FTP Server (G6FTPServer) - Gene6 - C:\Program Files\Gene6 FTP Server\G6FTPSERVER.EXE
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe

I'll check this post frequently to see if anyone has got to it :thumbsup:
Thanks again...

chris


#2 cfairLazy

Posted 25 February 2005 - 03:11 AM

Ermm, on top of whatever you guys come up with, I was really curious about a few lines specifically...

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Bkpbhj.exe
O4 - HKLM\..\Run: [ijrbbpd] C:\WINDOWS\ptcore.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Rbqjfz.exe
O4 - HKLM\..\Run: [Imboel] C:\Program Files\Wquh\Ghgct.exe

qttask I saw could be QuickTime, which I don't want anyway...

and this:
C:\WINDOWS\System32\smss.exe
I heard if it's real it's needed in Windows, but it masks for the "Win32.Ladex.a" trojan... any way to find out?

Thanks again

#3 cfairLazy

Posted 25 February 2005 - 04:45 AM

Thx Sam for your time; I would still like to see what some other people come up with. Also, I used the automated HJT log scanner just to see what it said; I didn't make any changes until I hear you pros' comments :thumbsup:

Another thing I did was run Ad-Aware Personal in safe mode just to see if it could delete things better there, and as I mentioned previously, in reference to a few of the possible trojan ideas, something else caught my eye in the Ad-Aware logs... look at this too...

Here is the info it gave me on the first 3 running processes... which are supposed to be integral OS functions, yet look at the lack of info it has... check it out, then look at what's next... also look @ the file paths of these... 2 with \??\ (wtf is that)

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 380
ThreadCreationTime : 2-25-2005 9:06:37 AM
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 428
ThreadCreationTime : 2-25-2005 9:06:38 AM
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 452
ThreadCreationTime : 2-25-2005 9:06:40 AM
BasePriority : High

These are the next few, which are also integral Microsoft XP processes... far more detail on them...

#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 496
ThreadCreationTime : 2-25-2005 9:06:40 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 508
ThreadCreationTime : 2-25-2005 9:06:40 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [ati2evxx.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 652
ThreadCreationTime : 2-25-2005 9:06:40 AM
BasePriority : Normal
FileVersion : 6.14.10.4110
ProductVersion : 6.14.10.4110.03
ProductName : ATI External Event Utility for WindowsNT and Windows9X
CompanyName : ATI Technologies Inc.
FileDescription : ATI External Event Utility EXE Module
InternalName : ATI2EVXX.EXE
LegalCopyright : Copyright © 1999-2004 ATI Technologies Inc.
OriginalFilename : ATI2EVXX.EXE


I'm pretty sure I'm infected... I need advice on how to remove this...
Thanks in advance

chris
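Post #3 asks what the \??\ prefix in the Ad-Aware file paths means, and post #2 asks how to tell whether the smss.exe in the log is the real one. The Python below is an added example, not something posted in this thread: it normalizes the NT object-manager paths Ad-Aware reported (\??\ and \SystemRoot) to Win32 form, parses O4 Run entries out of a HijackThis log, and flags any core XP process name that is not running from %SystemRoot%\System32. The sample log lines are constructed from the thread's own output, and C:\WINDOWS as the system root is assumed from the log header.

```python
import re
from pathlib import PureWindowsPath

# Core Windows XP processes that legitimately run only from %SystemRoot%\System32.
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}

# Constructed sample in the shape of the thread's HijackThis log (not the full log).
SAMPLE_HJT = r"""C:\WINDOWS\System32\smss.exe
C:\WINDOWS\ptcore.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ijrbbpd] C:\WINDOWS\ptcore.exe
"""
# \??\ is the NT per-session DosDevices prefix and \SystemRoot is a symbolic link to the
# Windows directory, so Ad-Aware's "\??\C:\WINDOWS\system32\" is plain System32.
def normalize_nt_path(path: str, system_root: str = r"C:\WINDOWS") -> str:
    p = path.strip()
    if p.startswith("\\??\\"):
        p = p[4:]
    elif p.lower().startswith("\\systemroot"):
        p = system_root + p[len("\\systemroot"):]
    return p.rstrip("\\").lower()  # Win32 form, lower-cased, no trailing separator
O4_RUN_RE = re.compile(r"^O4 - (\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")

def parse_o4_run(line: str):
    """Return (hive, value name, image path) for an O4 ...\\Run entry, else None."""
    m = O4_RUN_RE.match(line)
    if not m:
        return None
    hive, name, cmd = (s.strip() for s in m.groups())
    # A quoted command keeps spaces in the path; otherwise the first token is the image.
    exe = cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split(" ")[0]
    return hive, name, exe
def masquerade_check(image_path: str, system_root: str = r"C:\WINDOWS") -> bool:
    """True when a core process name runs from any directory other than System32."""
    p = PureWindowsPath(normalize_nt_path(image_path, system_root))
    expected = normalize_nt_path(system_root + "\\system32", system_root)
    return p.name in CORE_PROCESSES and str(p.parent) != expected

def triage(log: str, system_root: str = r"C:\WINDOWS"):
    """Collect O4 Run entries and flag listed core processes running outside System32."""
    path_line = re.compile(r"^([A-Za-z]:\\|\\\?\?\\|\\SystemRoot)", re.I)
    entries, flagged = [], []
    for line in log.splitlines():
        o4 = parse_o4_run(line)
        if o4:
            entries.append(o4)
        elif path_line.match(line) and masquerade_check(line, system_root):
            flagged.append(line.strip())
    return entries, flagged
```

Location is only a first filter: a file with the right name in the right directory still needs its version resource and Authenticode signature checked before it is trusted.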

#4 Daisuke

Cleaner on Duty

Posted 25 February 2005 - 11:43 AM

Since this is an open forum it is possible you may receive advice on what to fix with HijackThis from inexperienced members. However well-intentioned that advice may be, please do not act on it until an Administrator, Moderator or member of the HJT Team posts to your Topic. Improper use of HijackThis or other Spyware Removal Tools can cause serious operating system damage to your computer.

Please post a new HijackThis log.



Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.

Edited by Scarlett, 26 March 2006 - 06:57 PM.

Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

