
The Log



#1 lorle

Members

Posted 17 February 2008 - 12:04 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:56:17 AM, on 2/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
F:\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {8AC0F3CC-2E03-46CE-9F01-995802813DFD} - C:\WINDOWS\system32\pmkhf.dll (file missing)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

--
End of file - 2497 bytes
ComboFix 08-02-15.2 - Administrator 2008-02-15 19:45:00.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.874.1.1033.18.178 [GMT 7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\efcdeed.dll
C:\WINDOWS\system32\yzzurzkr.dll
C:\Program Files\inetget2
C:\Program Files\Insider
C:\Program Files\Insider\Insider .exe
C:\Program Files\Insider\Insider.exe
C:\Program Files\Insider\UnInstall.exe
C:\Program Files\Router
C:\Program Files\Router\Router .exe
C:\Program Files\Router\Router.exe
C:\Program Files\Router\UnInstall.exe
C:\Program Files\Temporary
C:\WINDOWS\b122.exe
C:\WINDOWS\b147.exe
C:\WINDOWS\b151.exe
C:\WINDOWS\mrofinu2000201.exe
C:\WINDOWS\system32\1_exception.nls
C:\WINDOWS\system32\autorun.ini
C:\WINDOWS\system32\awtsrpq.dll
C:\WINDOWS\system32\cbxvtst.dll
C:\WINDOWS\system32\drivers\ip6fw.sys
C:\WINDOWS\system32\drivers\smtpdrv.sys
C:\WINDOWS\system32\efcbcda.dll
C:\WINDOWS\system32\efcdeed.dll
C:\WINDOWS\system32\fcccbxu.dll
C:\WINDOWS\system32\fhkmp.ini
C:\WINDOWS\system32\fhkmp.ini2
C:\WINDOWS\system32\fodogypp.dll
C:\WINDOWS\system32\gbdhuaiq.dll
C:\WINDOWS\system32\gebbbbc.dll
C:\WINDOWS\system32\gebxwus.dll
C:\WINDOWS\system32\gwytgxsn.dll
C:\WINDOWS\system32\hamjjcil.dll
C:\WINDOWS\system32\hggebay.dll
C:\WINDOWS\system32\hgggddd.dll
C:\WINDOWS\system32\hojxpxrg.dll
C:\WINDOWS\system32\iifccab.dll
C:\WINDOWS\system32\ipadeimj.ini
C:\WINDOWS\system32\jkkhfff.dll
C:\WINDOWS\system32\jkkigda.dll
C:\WINDOWS\system32\jkklk.dll
C:\WINDOWS\system32\jmiedapi.dll
C:\WINDOWS\system32\jswtwhex.dll
C:\WINDOWS\system32\khfcawx.dll
C:\WINDOWS\system32\khfggfc.dll
C:\WINDOWS\system32\lcveqsrv.ini
C:\WINDOWS\system32\ljjgfee.dll
C:\WINDOWS\system32\ljjjigh.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mlljh.dll
C:\WINDOWS\system32\nnnmmnn.dll
C:\WINDOWS\system32\ohnpropx.ini
C:\WINDOWS\system32\opnkjki.dll
C:\WINDOWS\system32\pewuaxai.dll
C:\WINDOWS\system32\pmnmjgg.dll
C:\WINDOWS\system32\pmnmmjh.dll
C:\WINDOWS\system32\pmnoppm.dll
C:\WINDOWS\system32\pofyhinu.ini
C:\WINDOWS\system32\qiauhdbg.ini
C:\WINDOWS\system32\rckmyusd.ini
C:\WINDOWS\system32\RCX42.tmp
C:\WINDOWS\system32\RCX45.tmp
C:\WINDOWS\system32\RCX4A.tmp
C:\WINDOWS\system32\RCX4B.tmp
C:\WINDOWS\system32\RCX4D.tmp
C:\WINDOWS\system32\RCX4E.tmp
C:\WINDOWS\system32\RCX4F.tmp
C:\WINDOWS\system32\rqronkh.dll
C:\WINDOWS\system32\setting.ini
C:\WINDOWS\system32\tuvsrsr.dll
C:\WINDOWS\system32\uwofaroq.dll
C:\WINDOWS\system32\vturrrq.dll
C:\WINDOWS\system32\vtutuvs.dll
C:\WINDOWS\system32\vtuursq.dll
C:\WINDOWS\system32\vtuvspq.dll
C:\WINDOWS\system32\windows
C:\WINDOWS\system32\wvusrpq.dll
C:\WINDOWS\system32\xporpnho.dll
C:\WINDOWS\system32\yayayay.dll
C:\WINDOWS\system32\yvhprfpw.dll
C:\WINDOWS\system32\yzzurzkr.dll
C:\WINDOWS\system32\yzzurzkr.dllbox

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_RUNTIME
-------\LEGACY_SMTPDRV
-------\runtime
-------\smtpdrv


((((((((((((((((((((((((( Files Created from 2008-01-15 to 2008-02-15 )))))))))))))))))))))))))))))))
.

2008-02-15 19:55 . 2008-02-15 19:55 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-02-15 19:55 . 2008-02-15 19:55 <DIR> d-------- C:\WINDOWS\srchasst
2008-02-15 19:55 . 2008-02-15 19:55 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-02-15 12:13 . 2008-02-15 12:14 294 ---hs---- C:\WINDOWS\system32\qashvdfg.ini
2008-02-15 10:54 . 2008-02-15 10:54 474,624 -rahs---- C:\WINDOWS\system32\msinfo.exe
2008-02-15 10:53 . 2008-02-15 10:53 338,432 --a------ C:\WINDOWS\system32\RCXD53.tmp
2008-02-15 10:52 . 2008-02-15 12:19 354,816 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-02-15 10:51 . 2008-02-15 10:51 <DIR> d--hs---- C:\FOUND.003
2008-02-14 09:11 . 2008-01-16 10:18 580,608 -rahs---- C:\WINDOWS\system32\tsclient.exe
2008-02-14 08:40 . 2008-02-14 08:40 338,432 --a------ C:\WINDOWS\system32\RCX960.tmp
2008-02-13 11:15 . 2008-02-13 11:15 338,432 --a------ C:\WINDOWS\system32\RCX583.tmp
2008-02-13 11:14 . 2008-02-13 11:14 <DIR> d--hs---- C:\FOUND.002
2008-01-23 11:51 . 2008-01-23 11:51 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-01-23 11:36 . 2008-02-15 10:53 376,320 --a------ C:\WINDOWS\mrofinu2000201.exe.tmp
2008-01-23 09:49 . 2008-01-16 10:18 580,608 -rahs---- C:\WINDOWS\system\services.exe
2008-01-23 09:49 . 2008-01-23 09:49 2 -rahs---- C:\WINDOWS\system32\Explorer.sm1
2008-01-18 09:17 . 2008-02-15 16:34 16,384 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-18 09:16 . 2008-02-15 16:34 338,432 --a------ C:\WINDOWS\system32\pmkhf.exe2
2008-01-17 23:37 . 2008-01-17 23:38 334,848 --a------ C:\WINDOWS\system32\pmkhf.dll2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-23 02:46 32,517 ----a-w C:\WINDOWS\system32\drivers\BkavAuto.sys
2008-01-23 02:46 3,729,158 ----a-w C:\WINDOWS\system32\drivers\SysLib.sys
2008-01-15 05:09 24,832 ----a-w C:\WINDOWS\system32\drivers\Iap38.sys
2008-01-11 03:06 71,168 --sh--r C:\WINDOWS\system32\msgrlive.exe
2007-06-22 16:48 276,840 --sh--w C:\WINDOWS\dllhost.exe
.
<pre>
----a-w			16,384 2008-02-15 09:34:38  C:\WINDOWS\system32\ctfmon .exe
----a-w			16,384 2008-02-15 05:20:08  C:\Program Files\Common Files\Ahead\Lib\NeroCheck .exe
----a-w			49,152 2008-02-15 05:20:26  C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor .exe
----a-w		   819,712 2008-02-15 03:53:18  C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer .exe
----a-w			15,872 2008-02-03 03:15:44  C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w			16,384 2008-02-15 05:20:02  C:\Program Files\Eset\nod32kui .exe
----a-w		 6,044,160 2008-01-23 02:44:48  C:\Program Files\MSN Messenger\msnmsgr .exe
----a-w		 6,044,160 2008-01-23 13:27:24  C:\Program Files\MSN Messenger\msnmsgr  .exe
----a-w		 6,044,160 2008-01-29 13:56:22  C:\Program Files\MSN Messenger\msnmsgr   .exe
----a-w		 6,044,160 2008-01-30 15:53:36  C:\Program Files\MSN Messenger\msnmsgr	.exe
----a-w		 6,044,160 2008-02-12 08:23:08  C:\Program Files\MSN Messenger\msnmsgr	 .exe
----a-w		 6,044,160 2008-02-13 04:14:52  C:\Program Files\MSN Messenger\msnmsgr	  .exe
----a-w		 6,044,160 2008-02-14 01:39:26  C:\Program Files\MSN Messenger\msnmsgr	   .exe
----a-w		 5,674,352 2008-02-14 01:41:30  C:\Program Files\MSN Messenger\msnmsgr		.exe
----a-w		 1,230,848 2008-02-03 06:39:44  C:\Program Files\Windows Sidebar\sidebar .exe
----a-w		 1,593,856 2008-01-23 02:45:44  C:\Program Files\Bkav2006\Bkav2006 .exe
----a-w			16,384 2008-02-15 05:20:12  C:\Program Files\LSWin\LaoKey .exe
----a-w			16,384 2008-02-15 05:20:18  C:\Program Files\Realtek\InstallShield\AzMixerSel .exe
----a-w		   766,041 2008-02-14 01:40:34  C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
----a-w			40,960 2008-02-15 05:20:24  C:\Program Files\HPQ\Default Settings\cpqset .exe
----a-w			32,768 2008-02-15 03:53:16  C:\Program Files\CyberLink\PowerDVD\PDVDServ .exe
----a-w		   176,128 2008-02-15 03:53:20  C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication .exe
----a-w		   860,160 2008-02-14 01:41:06  C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2 .exe
----a-w			16,384 2008-02-15 03:53:52  C:\Program Files\MessengerPlus! 3\MsgPlus .exe
----a-w			16,384 2008-02-15 05:20:30  C:\Program Files\Dot1XCfg\Dot1XCfg .exe
----a-w			64,512 2008-02-15 05:20:24  C:\HEROSOFT\Hero3000\SYSEXPLR .EXE
</pre>


-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8AC0F3CC-2E03-46CE-9F01-995802813DFD}]
C:\WINDOWS\system32\pmkhf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 0 (0x0)

S0 Iap38;Iap38;C:\WINDOWS\system32\Drivers\Iap38.sys [2008-01-15 12:09]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0a83256e-db7f-11dc-8560-0014a5d2825b}]
\Shell\AutoRun\command - F:\sxs.exe
\Shell\explore\Command - F:\sxs.exe
\Shell\open\Command - F:\sxs.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{07D9341A-9EF3-A709-30F0-F8B18174862E}]
C:\WINDOWS\system32\test1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{34A19196-274E-4D75-9D30-D7A45A0A4178}]
"C:\Program Files\Windows Sidebar\.\regsvr32.exe" /s wlsrvc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6B9228DA-9C15-419e-856C-19E768A13BDC}]
"C:\Program Files\Windows Sidebar\.\regsvr32.exe" /s sbdrop.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
C:\WINDOWS\system32\hidec /W "C:\Program Files\VAIOXP\Tools\regtlib.exe" "C:\Program Files\Windows Sidebar\sidebar.exe"
.
Contents of the 'Scheduled Tasks' folder
"2008-02-15 12:50:02 C:\WINDOWS\Tasks\User_Feed_Synchronization-{2C43804D-218D-4953-BBAE-645851030DC4}.job"
- C:\WINDOWS\system32\msfeedssync.exe
"2008-02-14 02:00:10 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\blastclnnn.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-15 19:56:06
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\logonui.exe
.
**************************************************************************
.
Completion time: 2008-02-16 8:29:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-16 01:29:04
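
Added example (not part of lorle's post and not a HijackThis or ComboFix feature): a small Python triage script that parses the O2/O4/O9/O23 lines of a HijackThis v2 log like the one above and flags the entries a malware-response volunteer would look at first. The sample log inside it is constructed for the example: the paths and CLSIDs are copied from the log above, the "exsvc" service is invented, and the O4 line with "ctfmon .exe" borrows the space-before-extension trick visible in the ComboFix report (the "ctfmon .exe", "msnmsgr .exe" and similar copies). The four rules are assumptions about what deserves a second look, not the forum's own triage procedure, and they produce leads rather than verdicts: a "(file missing)" BHO is often just a half-uninstalled program, and an entry that passes every rule can still be malicious.

```python
"""Triage a HijackThis v2 log (added example, not a HijackThis tool).

Parses the O2 (BHO), O4 (Run keys), O9 (IE buttons) and O23 (services)
entries and flags the ones a malware-response volunteer would look at
first.  The rules are deliberately simple and produce leads, not
verdicts.
"""
import re
from dataclasses import dataclass, field

# Constructed sample built from the shape of the log above (paths and
# CLSIDs copied from it, plus two invented entries: the "exsvc" service
# and the O4 line with "ctfmon .exe").  Not a real HijackThis run.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8AC0F3CC-2E03-46CE-9F01-995802813DFD} - C:\WINDOWS\system32\pmkhf.dll (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\system32\ctfmon .exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Example Service (exsvc) - Unknown owner - C:\WINDOWS\system32\xyzabc.exe
"""

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"

# One pattern per section we know how to split; any other "Onn - " line
# is kept as an opaque entry so the counts still add up.
PATTERNS = {
    "O2": re.compile(rf"BHO: (?P<name>.*?) - (?P<clsid>{CLSID}) - (?P<path>.*)$"),
    "O4": re.compile(r"(?P<key>.*?): \[(?P<name>[^\]]*)\] (?P<path>.*)$"),
    "O9": re.compile(rf"Extra (?:button|'Tools' menuitem): (?P<name>.*?) - (?P<clsid>{CLSID}) - (?P<path>.*)$"),
    "O23": re.compile(r"Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$"),
}
ENTRY = re.compile(r"^(?P<section>O\d+) - (?P<rest>.*)$")


@dataclass
class Entry:
    section: str
    raw: str
    name: str = ""
    path: str = ""
    owner: str = ""
    file_missing: bool = False
    reasons: list = field(default_factory=list)


def parse_log(text):
    """Return one Entry per 'Onn - ...' line, in file order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, 'Running processes', blank lines
        e = Entry(section=m["section"], raw=line.strip())
        pat = PATTERNS.get(e.section)
        sub = pat.match(m["rest"]) if pat else None
        if sub:
            e.name = sub["name"]
            e.path = sub["path"]
            e.owner = sub.groupdict().get("owner", "") or ""
            # HijackThis appends this marker when the target is gone.
            if e.path.endswith("(file missing)"):
                e.file_missing = True
                e.path = e.path[: -len("(file missing)")].rstrip()
        entries.append(e)
    return entries


# A space right before the extension ("ctfmon .exe") is the pattern the
# ComboFix report above shows for the infection's copies of legitimate
# binaries: the name looks familiar, but it is a different file.
SPACE_BEFORE_EXT = re.compile(r"\s\.[A-Za-z0-9]{2,4}$")


def triage(text):
    """Parse the log and return only the entries that tripped a rule."""
    flagged = []
    for e in parse_log(text):
        if e.section == "O2" and e.name == "(no name)":
            e.reasons.append("BHO registered without a display name")
        if e.file_missing:
            e.reasons.append("registry entry points at a file that no longer exists")
        if e.section == "O23" and e.owner == "Unknown owner":
            e.reasons.append("service binary carries no company name")
        if SPACE_BEFORE_EXT.search(e.path):
            e.reasons.append("filename has a space before its extension")
        if e.reasons:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.section:<4}{e.path or e.raw}")
        for r in e.reasons:
            print(f"      - {r}")
```

Run as a script it prints the four flagged entries (the unnamed, missing pmkhf.dll BHO, the orphaned PCTools BHO, the "ctfmon .exe" Run entry and the service with no company name). The O9 Java Console button is deliberately not flagged even though it shows "(no name)": that is how HijackThis renders the Sun Java Console button, so the unnamed-entry rule is restricted to O2.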

#2 RichieUK

Malware Assassin
Malware Response Team

Posted 26 February 2008 - 10:40 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum.
My name is Richie and I'll be helping you to fix your problems.

Apologies for the late response, as I'm sure you can appreciate we are extremely busy.

If you've already received help at another forum and your issues have been resolved, or you're presently receiving help elsewhere, then please let us know.

If you have not followed the info in the link below prior to posting your log then please do so now:
Preparation Guide for use before posting a HijackThis Log:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

If you still require help, please post a new HijackThis log into this topic in your next reply.

Also post a detailed description of the issues you're experiencing.

*Note*
Post all reports/logs directly into this topic, not as attachments or inside code boxes, thanks.