
HijackThis log: Please Diagnose


1 reply to this topic

#1 jaybohac

  • Members
  • 1 posts

Posted 17 March 2005 - 08:49 PM

Logfile of HijackThis v1.99.1
Scan saved at 5:29:10 PM, on 3/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\acs.exe
C:\Windows\system32\spoolsv.exe
C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
C:\PROGRA~1\COMPUW~1\DEVPAR~1\DISTRI~1\DASVCNT.exe
C:\PROGRA~1\ESRI\License\arcgis9x\ARCGIS.exe
C:\Program Files\NavNT\defwatch.exe
C:\Windows\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\program files\mssql\MSSQL\Binn\sqlservr.exe
C:\PROGRA~1\COMPUW~1\DEVPAR~1\Analysis\NCS.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Windows\system32\RioMSC.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\MsgSys.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\ltmsg.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\ORiNOCO\WirelessClient\Utility\orinoco.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Windows\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE
C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
C:\Program Files\Common Files\Compuware\NMShared\DPConfig\7.2\DPConfig.exe
C:\Windows\system32\server05.exe
C:\Windows\system32\winset33.exe
C:\Windows\WINFRW.EXE
C:\m2.exe
C:\Windows\system32\schprop2.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Windows\system32\rwilgs.exe
C:\PROGRA~1\COMMON~1\kkow\kkowm.exe
C:\PROGRA~1\COMMON~1\kkow\kkowa.exe
C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\My Documents\temp\HijackThis\HijackThis.exe
C:\WINDOWS\system32\notepad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/2Q00CPT/0409/bF8.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.microsoft.com/search/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/2Q00CPT/0409/bF8.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.microsoft.com/isapi/redir.dll?p....0&plcid=0x0409
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = bcsproxy:8080
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [frxmxins] frxmxins
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [NeroCheck] C:\Windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [proxim_orinoco_11abg] C:\Program Files\ORiNOCO\WirelessClient\Utility\orinoco.exe -nogui
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo RX600] C:\Windows\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE /P24 "EPSON Stylus Photo RX600" /O6 "USB001" /M "Stylus Photo RX600"
O4 - HKLM\..\Run: [iRiver Updater] C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
O4 - HKLM\..\Run: [DPConfig] C:\Program Files\Common Files\Compuware\NMShared\DPConfig\7.2\DPConfig.exe /tray
O4 - HKLM\..\Run: [Server Backbone] server05.exe
O4 - HKLM\..\Run: [MS Unix Binary] winset33.exe
O4 - HKLM\..\Run: [Windows System Configuration] C:\Windows\WINFRW.EXE
O4 - HKLM\..\Run: [Windows Security Updater] C:\Windows\WINFRW.EXE
O4 - HKLM\..\Run: [REGRUN] C:\m2.exe
O4 - HKLM\..\Run: [7F7O36g] schprop2.exe
O4 - HKLM\..\Run: [ew3fVp] C:\Windows\txjuvcaa.exe
O4 - HKLM\..\Run: [tadRcOE3v] C:\Windows\crtua.exe
O4 - HKLM\..\Run: [WEsIFUtU] C:\Windows\utcbmdto.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [C3aD1p] C:\Windows\txjuvcaa.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliterhw32.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Spyware Nuker] C:\Program Files\Spyware Nuker 2004\swn2.exe /h
O4 - HKLM\..\RunServices: [Server Backbone] server05.exe
O4 - HKLM\..\RunServices: [MS Unix Binary] winset33.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MooERWMFi] rwilgs.exe
O4 - HKCU\..\Run: [MS Unix Binary] winset33.exe
O4 - HKCU\..\Run: [kkow] C:\PROGRA~1\COMMON~1\kkow\kkowm.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BounceBack Launcher.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1104826044242
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.hp.com/ediags/gmn/insta...cdetection3.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bcs-gis.com
O17 - HKLM\Software\..\Telephony: DomainName = bcs-gis.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bcs-gis.com
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: NavLogon - C:\Windows\System32\NavLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\Windows\System32\acs.exe
O23 - Service: ArcGIS License Manager - Unknown owner - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Compuware Distributed Analyzer Service - Compuware Corporation - C:\PROGRA~1\COMPUW~1\DEVPAR~1\DISTRI~1\DASVCNT.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: DevPartner Control Service (NCS) - Compuware Corporation - C:\PROGRA~1\COMPUW~1\DEVPAR~1\Analysis\NCS.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\Windows\system32\RioMSC.exe


#2 Grinler (Lawrence Abrams)

  • Admin
  • 43,714 posts

Posted 18 March 2005 - 04:10 PM

I need to get samples of some of your files. Please create a folder called c:\submit. Now copy the following files into that directory:
C:\Windows\WINFRW.EXE
C:\Windows\WINFRW.EXE
C:\m2.exe
C:\windows\system32\eliterhw32.exe
c:\windows\system32\server05.exe
c:\windows\system32\winset33.exe
c:\windows\system32\rwilgs.exe
c:\windows\system32\winset33.exe
C:\PROGRA~1\COMMON~1\kkow\kkowm.exe

To copy the files, simply navigate to the directory they are in, right-click on them, and then click on Copy. Then paste these files into the c:\submit directory. Once the files are all copied, I need you to zip the folder and rename submit.zip to yourmembername.zip (for example grinler.zip). If you are using XP or ME, right-click on the folder, click on the Send To option, and then send it to a compressed folder. You will now see a file called submit.zip. If you are using another version of Windows, please download a program called WinZip and zip it using that. Then go to http://www.bleepingcomputer.com/submit-malware.php, fill in the required fields, and browse to the file. Then click on the Send File button.


Print out these instructions and then close all windows, including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix button:

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Server Backbone] server05.exe
O4 - HKLM\..\Run: [MS Unix Binary] winset33.exe
O4 - HKLM\..\Run: [Windows System Configuration] C:\Windows\WINFRW.EXE
O4 - HKLM\..\Run: [Windows Security Updater] C:\Windows\WINFRW.EXE
O4 - HKLM\..\Run: [REGRUN] C:\m2.exe
O4 - HKLM\..\Run: [7F7O36g] schprop2.exe
O4 - HKLM\..\Run: [ew3fVp] C:\Windows\txjuvcaa.exe
O4 - HKLM\..\Run: [tadRcOE3v] C:\Windows\crtua.exe
O4 - HKLM\..\Run: [WEsIFUtU] C:\Windows\utcbmdto.exe
O4 - HKLM\..\Run: [C3aD1p] C:\Windows\txjuvcaa.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliterhw32.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Spyware Nuker] C:\Program Files\Spyware Nuker 2004\swn2.exe /h
O4 - HKLM\..\RunServices: [Server Backbone] server05.exe
O4 - HKLM\..\RunServices: [MS Unix Binary] winset33.exe
O4 - HKCU\..\Run: [MooERWMFi] rwilgs.exe
O4 - HKCU\..\Run: [MS Unix Binary] winset33.exe
O4 - HKCU\..\Run: [kkow] C:\PROGRA~1\COMMON~1\kkow\kkowm.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)

Reboot your computer into Safe Mode

Then delete these files or directories (do not be concerned if they do not exist):

C:\Windows\WINFRW.EXE
C:\Windows\WINFRW.EXE
C:\m2.exe
c:\windows\system32\schprop2.exe
C:\Windows\txjuvcaa.exe
C:\Windows\crtua.exe
C:\Windows\utcbmdto.exe
C:\Windows\txjuvcaa.exe
C:\windows\system32\eliterhw32.exe
C:\Program Files\ISTsvc\
c:\windows\system32\server05.exe
c:\windows\system32\winset33.exe
c:\windows\system32\rwilgs.exe
c:\windows\system32\winset33.exe
C:\PROGRA~1\COMMON~1\kkow\kkowm.exe

Reboot your computer to go back to normal mode and post a new log.
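As an added example (not code from this thread or from HijackThis itself), here is a Python triage script that parses the registry-backed O4 lines of a HijackThis log and flags the structural patterns behind the fix list above: one image registered under several names or keys, bare filenames with no directory, executables dropped directly in C:\ or C:\Windows, and use of the RunServices key. The sample input is a subset of the O4 lines from the log above; the heuristics are mine and only rank entries for review, they do not prove anything is malicious.

```python
import re
from collections import defaultdict

# Sample input: a subset of the O4 lines from the log above, embedded so the script runs offline.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Server Backbone] server05.exe
O4 - HKLM\..\Run: [Windows System Configuration] C:\Windows\WINFRW.EXE
O4 - HKLM\..\Run: [Windows Security Updater] C:\Windows\WINFRW.EXE
O4 - HKLM\..\Run: [REGRUN] C:\m2.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunServices: [Server Backbone] server05.exe
O4 - HKCU\..\Run: [MS Unix Binary] winset33.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
"""

# Registry-backed O4 form: "O4 - HKLM\..\Run: [name] command" (Global Startup .lnk lines are skipped)
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

def parse_o4(log):
    """One dict (hive, key, name, cmd) per registry-backed O4 line."""
    return [m.groupdict() for m in map(O4_RE.match, log.splitlines()) if m]

def image_path(cmd):
    """Executable part of the command: a quoted path, or the first token."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]

def triage(log):
    """Map each image (lower-cased) to the reasons it deserves a closer look."""
    registrations = defaultdict(list)
    for e in parse_o4(log):
        registrations[image_path(e["cmd"]).lower()].append(f'{e["hive"]}\\{e["key"]}:[{e["name"]}]')
    findings = {}
    for img, regs in registrations.items():
        reasons = []
        if "\\" not in img:
            reasons.append("bare filename: resolved through the search path, not a full path")
        elif re.fullmatch(r"[a-z]:\\[^\\]+|[a-z]:\\windows\\[^\\]+", img):
            reasons.append("executable sits directly in the drive root or %WINDIR%")
        if len(regs) > 1:
            reasons.append(f"registered {len(regs)} times: {', '.join(regs)}")
        if any("RunServices" in r for r in regs):
            reasons.append("uses RunServices (Windows 9x key); malware often writes Run and RunServices together")
        if reasons:
            findings[img] = reasons
    return findings
```

Call triage() on the full log text to get a dict keyed by image path; a legitimate vendor entry such as SynTPEnh.exe produces no findings, while WINFRW.EXE and server05.exe collect several.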



