Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HJT - surrender31


  • Please log in to reply
1 reply to this topic

#1 surrender31

surrender31

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:06:43 PM

Posted 15 March 2005 - 11:30 PM

Logfile of HijackThis v1.99.1
Scan saved at 11:28:20 PM, on 3/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\msdtc.exe
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\McAfee.com\MPS\mscifapp.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\WindowsSA\omniscient.exe
C:\WINDOWS\System32\ysejqvmj.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\System32\BSHARELITE.EXE
C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
C:\WINDOWS\System32\vmss\vmss.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\System32\Services\{E4029D6B-B798-455E-933A-71AD7489205C}\SVCHOST.EXE
C:\WINDOWS\System32\ntddetect.exe
C:\Program Files\Ad-Protect\ad-protect.exe
C:\Program Files\TV Media\Tvm.exe
C:\Program Files\Ad-Protect\ad-protect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\AOL Companion\companion.exe
C:\WINDOWS\System32\Tipy86.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\Tipy86.exe
C:\WINDOWS\explorer.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\WINDOWS\System32\winupdt.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\System32\cidaemon.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Erin.BECKFAMILY\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daosearch.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZServ.dll
O2 - BHO: (no name) - {0F9561D0-03B2-44a3-89A6-E95E417CBA25} - C:\WINDOWS\cerbmod.dll
O2 - BHO: CIEExtension Object - {B51DC573-E998-4834-9B45-BAB7C2AE0A75} - C:\Program Files\Ad-Protect\ADPIEmonitor.dll
O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: zSearch Bar - {5886A6DC-AAF4-45E9-979A-8E5E6DEE30E7} - C:\Program Files\zSearch\zSearch.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [mwxoouxl] C:\WINDOWS\dnyaqoib.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MPSExe] C:\Program Files\McAfee.com\MPS\mscifapp.exe /embedding
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Q] C:\documents and settings\erin\local settings\temp\Q.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Cyf0o.exe
O4 - HKLM\..\Run: [rreg] C:\Program Files\Common Files\System\rreg.exe
O4 - HKLM\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [vmcqldevazpa] C:\WINDOWS\System32\ysejqvmj.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [jqyrdc] C:\WINDOWS\System32\jqyrdc.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mshost mngr] C:\WINDOWS\System32\Rtdx119.dat
O4 - HKLM\..\Run: [hcaeeab] C:\WINDOWS\System32\hcaeeab.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Waitdashrealgrim] C:\Documents and Settings\All Users\Application Data\ManagerBoneWaitDash\Eq face.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdtl.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [BearShare Lite] BSHARELITE.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [AutoLoaderosxp1NMXJIXV] "C:\WINDOWS\System32\pngrt4.exe" /HideDir /HideUninstall /PC="CP.FHB" /ShowLegalNote="nonbranded"
O4 - HKLM\..\Run: [ln7h9tqe] C:\Program Files\ln7h9tqe\ln7h9tqe.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{E4029D6B-B798-455E-933A-71AD7489205C}\SVCHOST.EXE
O4 - HKLM\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKLM\..\Run: [lsass] C:\WINDOWS\System32\lsass.exe
O4 - HKLM\..\Run: [Ad-Protect] C:\Program Files\Ad-Protect\ad-protect.exe /s
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe
O4 - HKCU\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [BearShare Lite] BSHARELITE.EXE
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Search.vbs
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Whistle - {220E39C3-B081-4719-AB1A-9A884DCBD05C} - C:\Program Files\WhistleSoftware\WselServices\webband.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Search and Remove Spyware - {CDB280E8-BE43-4128-8A5A-3FCD094E2D88} - C:\Program Files\RegFreeze\rfsearchhandler.dll
O9 - Extra 'Tools' menuitem: Search and Remove Spyware - {CDB280E8-BE43-4128-8A5A-3FCD094E2D88} - C:\Program Files\RegFreeze\rfsearchhandler.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {63346A01-55D5-4F52-8E76-F706BCEA28B6} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {63346A01-55D5-4F52-8E76-F706BCEA28B6} - (no file) (HKCU)
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.net/DM0/cab/1w2fcksh.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://www.ntsearch.com/popengine/POP.CHM::/sp.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,15/mcgdmgr.cab
O16 - DPF: {D534A0F8-E0F2-4F11-8E53-345819B2451F} (Streaming VisualFX) - http://www.rmgdrs.com/update/x1ff.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/mmed.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0AAA8DA3-BAD8-40B0-A4C0-D6AEED47C123}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{0AAA8DA3-BAD8-40B0-A4C0-D6AEED47C123}: NameServer = 205.188.146.146
O17 - HKLM\System\CS2\Services\Tcpip\..\{0AAA8DA3-BAD8-40B0-A4C0-D6AEED47C123}: NameServer = 205.188.146.145
O17 - HKLM\System\CS3\Services\Tcpip\..\{0AAA8DA3-BAD8-40B0-A4C0-D6AEED47C123}: NameServer = 205.188.146.145
O21 - SSODL: Microsoft DirectXb - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Gbecoq32.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common files\WinTools\WToolsS.exe (file missing)

BC AdBot (Login to Remove)

 


#2 picard_uk

picard_uk

  • Members
  • 123 posts
  • OFFLINE
  •  
  • Local time:07:43 PM

Posted 16 March 2005 - 03:11 PM

Hi surrender31,

Welcome to the forums.

There are a few things going on in that log. Let's get the obvious one out of the way.

You have a Peper infection

First, download this Peper trojan fix.
http://downloads.subratam.org/PeperFix.exe do NOT run it yet.


Reboot, on restart, start in "Safe Mode".
How To
1. Restart the computer.
2. As the computer restarts, begin tapping the F8 key until the Windows XP startup menu appears.
3. Choose Safe mode from the startup menu, and then press Enter. Windows starts in Safe mode.

Run the PeperFix.exe two times with a reboot into Safe Mode between each run.

Reboot normally.



Run HiJackThis, scan and post a fresh log in this thread.


picard.
Every day's a school day.

ASAP Proud member since 2005 Alliance of Security Analysis Professionals




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users