
HJT Log-pocapt


25 replies to this topic

#1 pocapt

Posted 09 June 2005 - 07:34 PM

Logfile of HijackThis v1.99.1
Scan saved at 7:28:12 PM, on 6/9/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINNT\system32\pctspk.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\program files\tvs\tvs_b.exe
C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe
C:\Program Files\iolo\System Mechanic 4\PopupStopper.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\America Online 9.0c\waol.exe
C:\Program Files\America Online 9.0c\shellmon.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S10MT1.EXE
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S10RN1.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINNT\p_981116.exe /Q:A
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tvs_b] C:\program files\tvs\tvs_b.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKCU\..\Run: [AOLCC] "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0c\AOL.EXE" -b
O4 - HKCU\..\Run: [Noim] C:\Documents and Settings\Mike Wheelis\Application Data\leuc.exe
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 4\PopupStopper.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {FD18DD5E-B398-452A-B22A-B54636BA9F0D} (Aurigma Image Uploader 2.5) - http://www.boats.com/listing/ImageUploader2.cab
O20 - Winlogon Notify: H323TSP - C:\WINNT\system32\mvjml9111.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe



#2 pocapt


Posted 09 June 2005 - 08:18 PM

My computer keeps getting pop-ups. It sometimes says inqwire, other times it is 62 something.

#3 OldTimer (Malware Expert)

Posted 10 June 2005 - 10:56 PM

Hello pocapt and welcome to the BC forums. Let's start out with a special scan to see what it turns up.
  • Download FindQoologic2.zip and save it to your Desktop.
  • Unzip Find-Qoologic2.zip to its own folder and then use Windows Explorer to navigate to that folder.
  • Double-click the Find-Qoologic2.bat file to run it. It will take some time, so be patient.
  • When Notepad opens with the results in it, copy/paste the entire contents of the document back here.
Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#4 pocapt


Posted 13 June 2005 - 12:29 AM

I am working nights and cannot get back to you until Tues. I will download the file and do as you ask on Tues morning. Thanks, Pocapt

#5 pocapt


Posted 13 June 2005 - 03:51 PM

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
some examples are MRT.EXE NTDLL.DLL.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* aspack C:\WINNT\System32\INCINE~1.DLL
* aspack C:\WINNT\VSAPI32.DLL
* UPX! C:\WINNT\ICONT.EXE
* UPX! C:\WINNT\TSC.EXE
* UPX! C:\WINNT\VSAPI32.DLL
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f85ba9

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
Adobe Reader Speed Launch.lnk
Exif Launcher.lnk

User Startup:
C:\Documents and Settings\Mike Wheelis\Start Menu\Programs\Startup
.
..

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

http://43.asp060.com/remove?r.Confirmation...mlwpolicecapt?r

#6 pocapt


Posted 13 June 2005 - 03:53 PM

I ran the program. I have to go to work now, but I will check it in the morning. pocapt

#7 OldTimer (Malware Expert)

Posted 13 June 2005 - 05:17 PM

Hi pocapt. This is only a partial file of what should be there. Please verify that all of the following files are present and then run the scan again. It can take some time to complete, so let it run until it is finished:
  • Find-Qoologic2.bat
  • XFIND.COM
  • fstarts.exe
  • gstarts.exe
  • Activesetup.vbs

If you have any script blocking software installed you will either need to disable it or allow the vbs script to run.

Post back the results and I will review it when it comes in.

Cheers.

OT

#8 pocapt


Posted 14 June 2005 - 07:48 PM

I tried reloading the file, but Activesetup.vbs does not show up. How do I turn off script? Thanks, pocapt

#9 pocapt


Posted 14 June 2005 - 08:38 PM

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
some examples are MRT.EXE NTDLL.DLL.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* aspack C:\WINNT\VSAPI32.DLL
* UPX! C:\WINNT\ICONT.EXE
* UPX! C:\WINNT\TSC.EXE
* UPX! C:\WINNT\VSAPI32.DLL
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f85ba9

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
Adobe Reader Speed Launch.lnk
Exif Launcher.lnk

User Startup:
C:\Documents and Settings\Mike Wheelis\Start Menu\Programs\Startup
.
..

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

#10 OldTimer (Malware Expert)

Posted 14 June 2005 - 09:21 PM

Hi pocapt. Let's try a different scan that doesn't use vbs scripting and see if that shows up anything.

Download PFind.zip and unzip the contents to its own permanent folder.

Important! Reboot in SAFE MODE !!

Start in Safe Mode Using the F8 method:
  • Restart the computer in Safe Mode.
  • As soon as the BIOS is loaded, begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Locate the pfind.bat file and double-click it to run it. It will start scanning your computer and could take a little while so be patient. When the DOS window closes, reboot back to normal mode.

Post the contents of C:\pfind.txt back here and I will review it when it comes in.

OT

#11 pocapt


Posted 15 June 2005 - 06:37 AM

Sir,
I tried to run Pfind.zip, but it will not run. I restarted in safe mode, but when I try to run the program it opens but closes in less than a second. It shows it is still running, but nothing shows up in the notebook. pocapt

#12 OldTimer (Malware Expert)

Posted 15 June 2005 - 11:30 AM

Hi pocapt. Make sure that all of the following files are in the folder:
  • pfind.bat
  • regentries.bat
  • locate.com
  • ah.exe
  • grep.exe
  • reg.exe
  • strings.exe
  • unix2dos.exe
  • patterns.txt

Boot into Safe Mode and try it again.

OT

#13 pocapt


Posted 15 June 2005 - 11:15 PM

I rebooted in safe mode and tried to run it, but it flashes on and then flashes off. Nothing shows up in Notepad. The program will not start.

#14 OldTimer (Malware Expert)

Posted 16 June 2005 - 12:36 AM

Hi pocapt. Ok, let's try something else.

Download rkfiles.zip and unzip it to its own permanent folder.

Important! Reboot in SAFE MODE !!

Start in Safe Mode Using the F8 method:
  • Restart the computer in Safe Mode.
  • As soon as the BIOS is loaded, begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Locate the rkfiles.bat file and double-click it to run it. It will start scanning your computer and could take a little while so be patient. When the DOS window closes, reboot back to normal mode.

Post the contents of C:\log.txt back here and I will review it when it comes in.

OT

#15 pocapt


Posted 17 June 2005 - 10:31 AM

Only remove files that you know are malware related.


Checking the C: folder



Checking the C:\Program Files folder



Checking the C:\WINNT folder

C:\WINNT\icont.exe: UPX!
C:\WINNT\tsc.exe: UPX!
C:\WINNT\vsapi32.dll: UPX!t4


Checking the C:\WINNT\SYSTEM32 folder

C:\WINNT\SYSTEM32\Incinerator.dll: .aspack


Checking all directories under the C:\WINNT\SYSTEM32\drivers folder

C:\WINNT\SYSTEM32\Drivers\VsapiNT.sys: UPX!t4
C:\WINNT\SYSTEM32\Drivers\etc\hosts: 127.0.0.1 www.qoologic.com
C:\WINNT\SYSTEM32\Drivers\etc\hosts: 127.0.0.1 www.urllogic.com


Checking the C:\Documents and Settings\All Users\Start Menu\programs\Startup\ folder




Checking the C:\Documents and Settings\All Users\Application Data folder




Checking the C:\Documents and Settings\Mike Wheelis\Start Menu\programs\Startup\ folder




Checking the C:\Documents and Settings\Mike Wheelis\Application Data folder




Checking the Windows folder for system and hidden files within the last 60 days


C:\WINNT\
shelli~1 Thu Jun 16 2005 10:49:20p ...H. 466,124 455.20 K

C:\WINNT\CSC\
00000001 Thu Jun 16 2005 10:49:44p A.S.. 64 0.06 K
00000002 Thu Jun 16 2005 4:24:24p A.S.. 64 0.06 K
csc1.tmp Fri Jun 10 2005 12:47:44a A.S.. 64 0.06 K

C:\WINNT\SYSTEM32\
anstream.dll Tue Jun 14 2005 11:26:04p ..S.R 234,730 229.23 K
cznsole.dll Tue Jun 14 2005 10:19:02p ..S.R 234,730 229.23 K
ddusic.dll Tue Jun 14 2005 10:01:04p ..S.R 234,730 229.23 K
fp4003~1.dll Thu Jun 9 2005 2:20:14a ..S.R 235,447 229.93 K
g6220g~1.dll Tue Jun 14 2005 6:24:48a ..S.R 236,065 230.53 K
g8220i~1.dll Wed Jun 15 2005 11:04:20p ..S.R 234,730 229.23 K
gfu32.dll Thu Jun 16 2005 9:19:02p ..S.R 234,784 229.28 K
hp4023~1.dll Thu Jun 16 2005 10:53:40p ..S.R 233,757 228.28 K
hrjm05~1.dll Wed Jun 15 2005 9:08:30a ..S.R 236,195 230.66 K
ir24l5~1.dll Thu Jun 16 2005 9:19:00p ..S.R 236,209 230.67 K
khdus.dll Tue Jun 14 2005 11:46:36p ..S.R 236,195 230.66 K
mtrd3x40.dll Thu Jun 16 2005 4:04:48p ..S.R 234,784 229.28 K
n02ula~1.dll Fri Jun 10 2005 12:30:12a ..S.R 234,272 228.78 K
noplg80n.dll Thu Jun 16 2005 10:53:40p ..S.R 236,209 230.67 K
nrprint.dll Wed Jun 15 2005 3:18:18p ..S.R 234,730 229.23 K
sbecli.dll Thu Jun 16 2005 4:24:38p ..S.R 234,784 229.28 K

C:\WINNT\TASKS\
sa.dat Thu Jun 16 2005 10:49:44p A..H. 6 0.00 K

C:\WINNT\SYSTEM32\CONFIG\
default.log Thu Jun 16 2005 10:53:50p A..H. 1,024 1.00 K
sam.log Thu Jun 16 2005 10:53:36p A..H. 1,024 1.00 K
security.log Thu Jun 16 2005 10:51:44p A..H. 1,024 1.00 K
software.log Fri Jun 17 2005 12:11:34a A..H. 1,024 1.00 K

25 items found: 25 files, 0 directories.
Total of file sizes: 4,232,769 bytes 4.04 M


Thank you, pocapt



