Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HijackThis Log: Please help me


  • This topic is locked This topic is locked
2 replies to this topic

#1 alaskapolo

alaskapolo

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:07:06 AM

Posted 18 May 2010 - 11:28 AM

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 18:27:51, on 2010-05-18
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17023)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Personal\bin\Personal.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
c:\Boot\winiogen.exe
C:\WINDOWS\system32\EpStsSrv.exe
C:\Program Files\Shiva\Shiva VPN Client\icsrv.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\LSASvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
c:\Boot\winlogen.exe
C:\WINDOWS\system32\ESDUSBMon.EXE
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://exchange.active24.com/exchweb/bin/a...e/&reason=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getavplusnow.com
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 urs.microsoft.com
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
O1 - Hosts: 74.125.45.100 paysoftbillsolution.com
O1 - Hosts: 74.125.45.100 protected.maxisoftwaremart.com
O1 - Hosts: 93.186.119.129 www.google.com
O1 - Hosts: 93.186.119.129 google.com
O1 - Hosts: 93.186.119.129 google.com.au
O1 - Hosts: 93.186.119.129 www.google.com.au
O1 - Hosts: 93.186.119.129 google.be
O1 - Hosts: 93.186.119.129 www.google.be
O1 - Hosts: 93.186.119.129 google.com.br
O1 - Hosts: 93.186.119.129 www.google.com.br
O1 - Hosts: 93.186.119.129 google.ca
O1 - Hosts: 93.186.119.129 www.google.ca
O1 - Hosts: 93.186.119.129 google.ch
O1 - Hosts: 93.186.119.129 www.google.ch
O1 - Hosts: 93.186.119.129 google.de
O1 - Hosts: 93.186.119.129 www.google.de
O1 - Hosts: 93.186.119.129 google.dk
O1 - Hosts: 93.186.119.129 www.google.dk
O1 - Hosts: 93.186.119.129 google.fr
O1 - Hosts: 93.186.119.129 www.google.fr
O1 - Hosts: 93.186.119.129 google.ie
O1 - Hosts: 93.186.119.129 www.google.ie
O1 - Hosts: 93.186.119.129 google.it
O1 - Hosts: 93.186.119.129 www.google.it
O1 - Hosts: 93.186.119.129 google.co.jp
O1 - Hosts: 93.186.119.129 www.google.co.jp
O1 - Hosts: 93.186.119.129 google.nl
O1 - Hosts: 93.186.119.129 www.google.nl
O1 - Hosts: 93.186.119.129 google.no
O1 - Hosts: 93.186.119.129 www.google.no
O1 - Hosts: 93.186.119.129 google.co.nz
O1 - Hosts: 93.186.119.129 www.google.co.nz
O1 - Hosts: 93.186.119.129 google.pl
O1 - Hosts: 93.186.119.129 www.google.pl
O1 - Hosts: 93.186.119.129 google.se
O1 - Hosts: 93.186.119.129 www.google.se
O1 - Hosts: 93.186.119.129 google.co.uk
O1 - Hosts: 93.186.119.129 www.google.co.uk
O1 - Hosts: 93.186.119.129 google.co.za
O1 - Hosts: 93.186.119.129 www.google.co.za
O1 - Hosts: 93.186.119.129 www.google-analytics.com
O1 - Hosts: 93.186.119.129 www.bing.com
O1 - Hosts: 93.186.119.129 search.yahoo.com
O1 - Hosts: 93.186.119.129 www.search.yahoo.com
O1 - Hosts: 93.186.119.129 uk.search.yahoo.com
O1 - Hosts: 93.186.119.129 ca.search.yahoo.com
O1 - Hosts: 93.186.119.129 de.search.yahoo.com
O1 - Hosts: 93.186.119.129 fr.search.yahoo.com
O1 - Hosts: 93.186.119.129 au.search.yahoo.com
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro.exe -rem
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9d.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9d.exe (User 'Default user')
O4 - Startup: Program Neighborhood Agent.lnk = ?
O4 - Startup: Skärmurklipp och start för OneNote 2007.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Personal.lnk = C:\Program Files\Personal\bin\Personal.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Blogga detta - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blogga detta i Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skicka till OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Ski&cka till OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Unibet - {00000000-0000-0000-0000-000000000000} - C:\MicroGaming\Poker\unibetpokerMPP\MPPoker.exe (file missing) (HKCU)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {D289E463-771A-4964-B664-F3020E751A56} - http://acs.pandasoftware.com/asp/cabs/agen...2-0/miniagt.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Symantec pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Netlogin Updates (DocUpdates) - Unknown owner - c:\Boot\winiogen.exe
O23 - Service: EPSON ESC/POS Status Service (EPSON ESCPOS Status Service) - SEIKO EPSON Corp. - C:\WINDOWS\SYSTEM32\EpStsSrv.exe
O23 - Service: Shiva VPN Client (ICService) - Unknown owner - C:\Program Files\Shiva\Shiva VPN Client\icsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Microsoft LSA Logon Authorization Service (LSAService) - Unknown owner - C:\WINDOWS\system32\LSASvc.exe
O23 - Service: TCP/IP NetBIOS (TIN) (msnbptc) - Unknown owner - C:\WINDOWS\system32\LmHosts.exe (file missing)
O23 - Service: Network_Server - Unknown owner - C:\WINDOWS\system32\srvany.exe (file missing)
O23 - Service: Unifaun Web Order (UnifaunWebOrder) - Unifaun AB - C:\Program Files\UnifaunWebPrinter\UnifaunWebOrder.exe
O23 - Service: Windows Updata Storage (WindowsUpdates) - Unknown owner - c:\Boot\winlogen.exe

--
End of file - 9433 bytes


BC AdBot (Login to Remove)

 


#2 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:08:06 AM

Posted 20 May 2010 - 12:27 AM

Hi,

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.

  • Microsoft Windows Insider MVP 2016-2017

    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006
    unite_blue.png

    Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


    #3 Blade81

    Blade81

      Bleepin' Rocker


    • Malware Response Team
    • 6,465 posts
    • OFFLINE
    •  
    • Gender:Male
    • Location:Finland
    • Local time:08:06 AM

    Posted 28 May 2010 - 01:03 AM

    Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a Staff member. Include the address of this thread in your request. This applies only to the original topic starter. Should you have a new issue, please start a New Topic.

    Microsoft Windows Insider MVP 2016-2017

    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006
    unite_blue.png

    Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.





    0 user(s) are reading this topic

    0 members, 0 guests, 0 anonymous users