Some help please


6 replies to this topic

#1 TonyMontana

TonyMontana

  • Members
  • 13 posts

Posted 13 June 2005 - 02:11 PM

My office computer has been hijacked. Badly. The infection is wayyy beyond me. I have run CWShredder and Ad-Aware SE Personal 1.06, both in normal and safe mode. The OS is Windows XP. Here is the HijackThis logfile. Any help will be appreciated!

Logfile of HijackThis v1.99.1
Scan saved at 3:08:10 PM, on 6/13/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\mcafee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\SpamBlockerUtility\Bin\4.6.1.0\SbOEAddOn.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\PROGRA~1\mcafee.com\PERSON~1\MpfTray.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Palm\Hotsync.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\mcafee.com\PERSON~1\MpfAgent.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SpamBlockerUtility\Bin\4.6.1.0\SbSrv.exe
C:\WINDOWS\System32\HPBPRO.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: ShprRprts - {2A8A997F-BB9F-48F6-AA2B-2762D50F9289} - C:\Program Files\ShopperReports\Bin\1.0.4.0\ShprRprt.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: (no name) - {516B9B0C-2C46-424E-A170-867BB2056901} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5739DFED-8A74-4F39-B49E-5AADFCC0D277} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {587F533B-26C3-4834-AE4B-C200E95919E8} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {6114D371-309F-4AA6-A3FE-4D3B5070E81B} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {63B0A273-E754-4F0C-A16D-15BA11DB0E53} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {66BDD94E-BE8A-4BE5-A635-F3D890EC2C99} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {6C1CEF9A-FBF1-415D-970C-D968148B856C} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {6F4FF18B-E1A1-4009-90C0-F9DF14B5E92F} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: SpamBlockerUtility - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - C:\Program Files\SpamBlockerUtility\Bin\4.6.1.0\SbHostIE.dll
O2 - BHO: (no name) - {8548F2BC-EC95-4ACA-8128-D0BA1CBC5831} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {8B830B68-4A61-4312-8FB5-444A90A8CC5D} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {8B9B4BCF-3796-4595-9D10-C6959B2805F8} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {94345026-3807-43E7-A21A-40D106B4E44B} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {95335BB6-8A9B-432D-946E-CE4D088DBB49} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {ABAE9E4D-A804-4966-908C-3FA725E5C1D4} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {AF09E8C5-B2D2-4537-B9B9-93D29E4392C1} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {B086CBA2-061F-42FB-9571-C60B6815D3C3} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {B8C1EA8D-FC07-40A3-A5F1-5EB6646394D8} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {C9C50271-9945-409C-AA7A-FCEAD1156A19} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {D079A6A0-9195-44E8-9198-F9508E5A1F6A} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {D235DA34-66F1-4462-9E6A-52632765FA49} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {D45956F3-1732-4D24-89C1-8489E334FC47} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {DE5CD011-F49A-465C-BB45-F5F034A8539B} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {EDB5725A-4493-4D0A-8885-202127BBA469} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {F552F11C-36CB-4C03-A83B-EAC154032F8A} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {F8A1815A-37B1-49CA-8302-D95968E75925} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {F9727364-2E61-4AE3-B17A-1661C2735781} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: SpamBlockerUtility - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - C:\Program Files\SpamBlockerUtility\Bin\4.6.1.0\SbHostIE.dll
O4 - HKLM\..\Run: [ybhiimyr] C:\WINDOWS\System32\gnxaggle.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [SpamBlocker] C:\Program Files\SpamBlockerUtility\Bin\4.6.1.0\SbOEAddOn.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\mcafee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [epej] C:\WINDOWS\epej.exe
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
O4 - HKCU\..\Run: [prutqct] C:\WINDOWS\System32\prutqct.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\Hotsync.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PowerReg Scheduler.exe
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: ShopperReports - Compare travel rates - {946B3E9E-E21A-49c8-9F63-900533FAFE14} - C:\Program Files\ShopperReports\Bin\1.0.4.0\ShprRprt.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: ShopperReports - Compare product prices - {E77EDA01-3C56-4a96-8D08-02B42891C169} - C:\Program Files\ShopperReports\Bin\1.0.4.0\ShprRprt.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} (SbInstObj) - http://installs.spamblockerutility.com/ins...ckerutility.cab
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: DM1Service - OLYMPUS Corporation - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\mcafee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
"All men die. Not all men really live."-Sir William Wallace
"Enjoy yourself. Every day above ground is a good day."-Scarface 1983


#2 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • Gender:Male
  • Location:Centerville, SD

Posted 14 June 2005 - 09:36 AM

If you still need help, could you post a fresh HijackThis log please?

#3 TonyMontana

TonyMontana
  • Topic Starter

  • Members
  • 13 posts

Posted 14 June 2005 - 10:41 AM

Logfile of HijackThis v1.99.1
Scan saved at 3:08:10 PM, on 6/13/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

"All men die. Not all men really live."-Sir William Wallace
"Enjoy yourself. Every day above ground is a good day."-Scarface 1983

#4 TonyMontana

TonyMontana
  • Topic Starter

  • Members
  • 13 posts

Posted 14 June 2005 - 10:44 AM

Whoops! Accidentally posted old log again. Here is the new log:
Logfile of HijackThis v1.99.1
Scan saved at 11:43:37 AM, on 6/14/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\mcafee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\SpamBlockerUtility\Bin\4.6.1.0\SbOEAddOn.exe
C:\WINDOWS\System32\nvsvc32.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\PROGRA~1\mcafee.com\PERSON~1\MpfTray.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Palm\Hotsync.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\PROGRA~1\mcafee.com\PERSON~1\MpfAgent.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\SpamBlockerUtility\Bin\4.6.1.0\SbSrv.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
C:\WINDOWS\System32\HPBPRO.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: ShprRprts - {2A8A997F-BB9F-48F6-AA2B-2762D50F9289} - C:\Program Files\ShopperReports\Bin\1.0.4.0\ShprRprt.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: (no name) - {516B9B0C-2C46-424E-A170-867BB2056901} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5739DFED-8A74-4F39-B49E-5AADFCC0D277} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {587F533B-26C3-4834-AE4B-C200E95919E8} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {6114D371-309F-4AA6-A3FE-4D3B5070E81B} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {63B0A273-E754-4F0C-A16D-15BA11DB0E53} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {66BDD94E-BE8A-4BE5-A635-F3D890EC2C99} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {6C1CEF9A-FBF1-415D-970C-D968148B856C} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {6F4FF18B-E1A1-4009-90C0-F9DF14B5E92F} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: SpamBlockerUtility - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - C:\Program Files\SpamBlockerUtility\Bin\4.6.1.0\SbHostIE.dll
O2 - BHO: (no name) - {8548F2BC-EC95-4ACA-8128-D0BA1CBC5831} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {8B830B68-4A61-4312-8FB5-444A90A8CC5D} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {8B9B4BCF-3796-4595-9D10-C6959B2805F8} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {94345026-3807-43E7-A21A-40D106B4E44B} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {95335BB6-8A9B-432D-946E-CE4D088DBB49} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {ABAE9E4D-A804-4966-908C-3FA725E5C1D4} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {AF09E8C5-B2D2-4537-B9B9-93D29E4392C1} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {B086CBA2-061F-42FB-9571-C60B6815D3C3} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {B8C1EA8D-FC07-40A3-A5F1-5EB6646394D8} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {C9C50271-9945-409C-AA7A-FCEAD1156A19} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {D079A6A0-9195-44E8-9198-F9508E5A1F6A} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {D235DA34-66F1-4462-9E6A-52632765FA49} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {D45956F3-1732-4D24-89C1-8489E334FC47} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {DE5CD011-F49A-465C-BB45-F5F034A8539B} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {EDB5725A-4493-4D0A-8885-202127BBA469} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {F552F11C-36CB-4C03-A83B-EAC154032F8A} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {F8A1815A-37B1-49CA-8302-D95968E75925} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {F9727364-2E61-4AE3-B17A-1661C2735781} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: SpamBlockerUtility - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - C:\Program Files\SpamBlockerUtility\Bin\4.6.1.0\SbHostIE.dll
O4 - HKLM\..\Run: [ybhiimyr] C:\WINDOWS\System32\gnxaggle.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [SpamBlocker] C:\Program Files\SpamBlockerUtility\Bin\4.6.1.0\SbOEAddOn.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\mcafee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [epej] C:\WINDOWS\epej.exe
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
O4 - HKCU\..\Run: [prutqct] C:\WINDOWS\System32\prutqct.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\Hotsync.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PowerReg Scheduler.exe
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: ShopperReports - Compare travel rates - {946B3E9E-E21A-49c8-9F63-900533FAFE14} - C:\Program Files\ShopperReports\Bin\1.0.4.0\ShprRprt.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: ShopperReports - Compare product prices - {E77EDA01-3C56-4a96-8D08-02B42891C169} - C:\Program Files\ShopperReports\Bin\1.0.4.0\ShprRprt.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} (SbInstObj) - http://installs.spamblockerutility.com/ins...ckerutility.cab
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: DM1Service - OLYMPUS Corporation - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\mcafee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
"All men die. Not all men really live."-Sir William Wallace
"Enjoy yourself. Every day above ground is a good day."-Scarface 1983

#5 groovicus

groovicus

  • Security Colleague

Posted 14 June 2005 - 11:51 AM

One problem is that you have not done any system updates at all, so the chances for reinfection are pretty high. :thumbsup:

Put a checkmark next to the following entries in HijackThis. Make sure all other windows and browsers are closed before clicking on “Fix Checked”.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: ShprRprts - {2A8A997F-BB9F-48F6-AA2B-2762D50F9289} - C:\Program Files\ShopperReports\Bin\1.0.4.0\ShprRprt.dll
O2 - BHO: (no name) - {516B9B0C-2C46-424E-A170-867BB2056901} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5739DFED-8A74-4F39-B49E-5AADFCC0D277} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {587F533B-26C3-4834-AE4B-C200E95919E8} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {6114D371-309F-4AA6-A3FE-4D3B5070E81B} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {63B0A273-E754-4F0C-A16D-15BA11DB0E53} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {66BDD94E-BE8A-4BE5-A635-F3D890EC2C99} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {6C1CEF9A-FBF1-415D-970C-D968148B856C} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {6F4FF18B-E1A1-4009-90C0-F9DF14B5E92F} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {8548F2BC-EC95-4ACA-8128-D0BA1CBC5831} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {8B830B68-4A61-4312-8FB5-444A90A8CC5D} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {8B9B4BCF-3796-4595-9D10-C6959B2805F8} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {94345026-3807-43E7-A21A-40D106B4E44B} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {95335BB6-8A9B-432D-946E-CE4D088DBB49} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {ABAE9E4D-A804-4966-908C-3FA725E5C1D4} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {AF09E8C5-B2D2-4537-B9B9-93D29E4392C1} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {B086CBA2-061F-42FB-9571-C60B6815D3C3} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {B8C1EA8D-FC07-40A3-A5F1-5EB6646394D8} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {C9C50271-9945-409C-AA7A-FCEAD1156A19} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {D079A6A0-9195-44E8-9198-F9508E5A1F6A} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {D235DA34-66F1-4462-9E6A-52632765FA49} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {D45956F3-1732-4D24-89C1-8489E334FC47} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {DE5CD011-F49A-465C-BB45-F5F034A8539B} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {EDB5725A-4493-4D0A-8885-202127BBA469} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {F552F11C-36CB-4C03-A83B-EAC154032F8A} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {F8A1815A-37B1-49CA-8302-D95968E75925} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O2 - BHO: (no name) - {F9727364-2E61-4AE3-B17A-1661C2735781} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O4 - HKLM\..\Run: [epej] C:\WINDOWS\epej.exe
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt.exe
O4 - HKCU\..\Run: [prutqct] C:\WINDOWS\System32\prutqct.exe
O4 - Global Startup: PowerReg Scheduler.exe

***********************************************************************

Boot into SAFE MODE by tapping the F8 key during boot up.

Open My Computer. Go to Tools, Folder Options and click on the View tab. Make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files". Now click "Apply to all folders".

Click "Apply" then "OK". While you still have the My Computer window open, click on C:\. Browse to these entries and delete them:

C:\WINDOWS\epej.exe
C:\WINDOWS\System32\sysmonnt.exe
C:\WINDOWS\System32\prutqct.exe


If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.
************************************************************************

Reboot and post a fresh HJT log please. There will be more to go yet.

#6 TonyMontana

TonyMontana
  • Topic Starter


Posted 14 June 2005 - 01:23 PM

Hello! :thumbsup: I followed your steps, but I couldn't find any of those three files you wanted me to delete. Here is a new hijack this!

Logfile of HijackThis v1.99.1
Scan saved at 2:20:47 PM, on 6/14/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\WINDOWS\system32\ps2.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Palm\Hotsync.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - Startup: palmOne Registration.lnk = C:\Palm\register.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\Hotsync.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: DM1Service - OLYMPUS Corporation - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
"All men die. Not all men really live."-Sir William Wallace
"Enjoy yourself. Every day above ground is a good day."-Scarface 1983
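
A way to check a follow-up log against the fix list from post #5, as an added example that is not part of the thread: the script keys each HijackThis line on its stable identifier (CLSID for O2 entries, hive and value name for O4 Run entries) rather than on the full text, so an entry still matches when its path is written differently in two places. The sample lines are copied from the logs in this thread; the function names are hypothetical.

```python
import re

# Subsets of the lines posted in this thread (paths exactly as posted).
FIX_LIST = r"""
O2 - BHO: (no name) - {8548F2BC-EC95-4ACA-8128-D0BA1CBC5831} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O4 - HKLM\..\Run: [epej] C:\WINDOWS\epej.exe
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt.exe
O4 - HKCU\..\Run: [prutqct] C:\WINDOWS\System32\prutqct.exe
O4 - Global Startup: PowerReg Scheduler.exe
"""
FIRST_LOG = r"""
O2 - BHO: (no name) - {8548F2BC-EC95-4ACA-8128-D0BA1CBC5831} - C:\Program Files\e74wpq1l\e74wpq1l.dll (file missing)
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [epej] C:\WINDOWS\epej.exe
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
O4 - HKCU\..\Run: [prutqct] C:\WINDOWS\System32\prutqct.exe
O4 - Global Startup: PowerReg Scheduler.exe
"""
FOLLOWUP_LOG = r"""
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\Hotsync.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[ROFN]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\]")

def entry_key(line):
    """Return a comparison key for one log line, or None if it is not an entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # header, process list, blank or truncated line
    sec, body = m.group("sec"), m.group("body")
    clsid = CLSID_RE.search(body)
    if clsid:  # BHOs, toolbars, buttons: the CLSID identifies the entry
        return (sec, clsid.group(0).upper())
    run = RUN_RE.match(body)
    if run:  # autostart values: hive + key + value name, path ignored
        return (sec, run.group("hive"), run.group("key"), run.group("name").lower())
    return (sec, body.lower())  # anything else: compare the whole body

def persisting(fix_list, log_text):
    """Lines of fix_list whose entry is still present in log_text."""
    present = {k for k in map(entry_key, log_text.splitlines()) if k}
    return [ln.strip() for ln in fix_list.splitlines() if entry_key(ln) in present]

if __name__ == "__main__":
    print("in first log:", len(persisting(FIX_LIST, FIRST_LOG)))
    print("still present after fix:", persisting(FIX_LIST, FOLLOWUP_LOG))
```
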

#7 groovicus

groovicus

  • Security Colleague

Posted 14 June 2005 - 01:27 PM

Did you manually try to drill down to the files, or did you try to use the explorer Search feature? The search feature will not search system files and hidden folders unless you tell it to under the advanced options.

Other than that, are things working better? You really need to do your updates. Someone will be running your system as a warez server.



