
Logfile of Trend Micro HijackThis v2.0.4


  • This topic is locked
2 replies to this topic

#1 ksges

ksges

  • Members
  • 1 posts

Posted 16 March 2011 - 01:44 AM

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:26:09, on 16.03.2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Windows folder: E:\WINDOWS
System folder: E:\WINDOWS\SYSTEM32
Hosts file: E:\WINDOWS\System32\drivers\etc\hosts

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\ASUS\ASUS Data Security Manager\ADSMSrv.exe
E:\Program Files\ATKGFNEX\GFNEXSrv.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\ABBYY FineReader 9.0\NetworkLicenseServer.exe
E:\WINDOWS\system32\hasplms.exe
E:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\Program Files\Common Files\Rhozet\Carbon Coder\Kernel\PNXSERVR.exe
E:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
E:\Program Files\SRS Labs\SRS Premium Sound\SRS_VolSync.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Common Files\Rhozet\Carbon Coder\Kernel\PNXKERNL.Exe
E:\WINDOWS\ATK0100\HControl.exe
E:\Program Files\ASUS\ATK Hotkey\HControlUser.exe
E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
E:\Program Files\ATKOSD2\ATKOSD2.exe
E:\Program Files\Elantech\ETDCtrl.exe
E:\WINDOWS\ATK0100\ATKOSD.exe
E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
E:\Program Files\ASUS\ATK Media\DMedia.exe
E:\Program Files\ASUS\Splendid\ACMON.exe
E:\Program Files\USBDiskSecurity\USBGuard.exe
E:\WINDOWS\system32\ACEngSvr.exe
E:\Program Files\WebMoney Agent\wmagent.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\VistaDriveIcon\VistaDrv.exe
E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Mozilla Firefox\plugin-container.exe
E:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://localhost/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 178.33.26.119:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Ссылки
R3 - URLSearchHook: ToolbarURLSearchHook Class - {CA3EB689-8F09-4026-AA10-B9534C691CE0} - E:\Program Files\WebMoney Advisor\tbhelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (filesize 75200 bytes, MD5 203A74767EB81F96A5166B1933DB46D0)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll (filesize 41368 bytes, MD5 192E39C717013A0BD532B33AC29D6E7D)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (filesize 73728 bytes, MD5 9A0CA264EC3210E77764C45AD7C5F339)
O2 - BHO: TBSB03374 - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - E:\Program Files\WebMoney Advisor\tbcore3.dll (filesize 2559608 bytes, MD5 3E348DD201E4A1B6B0F03EEAA387E2AF)
O3 - Toolbar: WebMoney Advisor - {3AFFD7F7-FD3D-4C9D-8F83-03296A1A8840} - E:\Program Files\WebMoney Advisor\tbcore3.dll (filesize 2559608 bytes, MD5 3E348DD201E4A1B6B0F03EEAA387E2AF)
O4 - HKLM\..\Run: [HControl] E:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [StartCCC] "E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun (filesize 61440 bytes, MD5 42BA3584F05842350066B6AA0C867C6F)
O4 - HKLM\..\Run: [HControlUser] E:\Program Files\ASUS\ATK Hotkey\HControlUser.exe
O4 - HKLM\..\Run: [ATKHOTKEY] E:\Program Files\ASUS\ATK Hotkey\HControl.exe
O4 - HKLM\..\Run: [ATKOSD2] "E:\Program Files\ATKOSD2\ATKOSD2.exe" (filesize 7766016 bytes, MD5 2299E0CBEFB41A9DD72E293CE0B00C8B)
O4 - HKLM\..\Run: [ETDWare] E:\Program Files\Elantech\ETDCtrl.exe
O4 - HKLM\..\Run: [HDAudDeck] E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1 (filesize 33619968 bytes, MD5 F12F353C3708D755CA89912DB86503B7)
O4 - HKLM\..\Run: [ATKMEDIA] E:\Program Files\ASUS\ATK Media\DMedia.exe
O4 - HKLM\..\Run: [ACMON] E:\Program Files\ASUS\Splendid\ACMON.exe
O4 - HKLM\..\Run: [USB Antivirus] E:\Program Files\USBDiskSecurity\USBGuard.exe
O4 - HKLM\..\Run: [Adobe ARM] "E:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" (filesize 932288 bytes, MD5 BAD6BEA0DE1F69C82BDB74378CE0C20A)
O4 - HKLM\..\Run: [wmagent.exe] "E:\Program Files\WebMoney Agent\wmagent.exe" (filesize 210400 bytes, MD5 7275BF729E7050005328104BED942135)
O4 - HKLM\..\Run: [ZoneAlarm Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" (filesize 1039360 bytes, MD5 A81C2966F7D74E9710D58F359DE363B8)
O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [VistaIcon] E:\Program Files\VistaDriveIcon\VistaDrv.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [VistaIcon] E:\Program Files\VistaDriveIcon\VistaDrv.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ZZZZ1_FirstLogonSetting] %SystemRoot%\System32\rundll32.exe advpack.dll,LaunchINFSection E:\WINDOWS\INF\custom.inf,OnceFirstLogonInstall,0 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [IE8_02] rundll32 advpack.dll,LaunchINFSectionEx IE8int.inf,AfterUserStart,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ZZZZ1_FirstLogonSetting] %SystemRoot%\System32\rundll32.exe advpack.dll,LaunchINFSection E:\WINDOWS\INF\custom.inf,OnceFirstLogonInstall,0 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ZZZZ2_FirstLogonSetting] %SystemRoot%\System32\rundll32.exe advpack.dll,LaunchINFSection E:\WINDOWS\INF\custom.inf,NewUserFirstLogonInstall,0 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ZZZZ2_FirstLogonSetting] %SystemRoot%\System32\rundll32.exe advpack.dll,LaunchINFSection E:\WINDOWS\INF\custom.inf,NewUserFirstLogonInstall,0 (User 'Default user')
O4 - Startup: Create virtual drive for Denwer.lnk = C:\WebServers\denwer\Boot.exe (filesize 6656 bytes, MD5 18D946FCE311A819BABE5AEFF8D31EBD)
O8 - Extra context menu item: &Экспорт в Microsoft Excel - res://E:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: WebMoney Advisor - {3AFFD7F7-FD3D-4C9D-8F83-03296A1A8840} - E:\Program Files\WebMoney Advisor\tbcore3.dll (filesize 2559608 bytes, MD5 3E348DD201E4A1B6B0F03EEAA387E2AF)
O9 - Extra 'Tools' menuitem: WebMoney Advisor - {3AFFD7F7-FD3D-4C9D-8F83-03296A1A8840} - E:\Program Files\WebMoney Advisor\tbcore3.dll (filesize 2559608 bytes, MD5 3E348DD201E4A1B6B0F03EEAA387E2AF)
O9 - Extra button: Справочные материалы - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL (filesize 63840 bytes, MD5 22BDC1E6E606C9BAE68141D7099309AB)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe (filesize 558080 bytes, MD5 AAC1D4EE39DF138C5D30AC5883E3B59F)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe (filesize 558080 bytes, MD5 AAC1D4EE39DF138C5D30AC5883E3B59F)
O16 - DPF: {463ED66E-431B-11D2-ADB0-0080C83DA4EB} (AcceptWM Class) - https://w3s.webmoney.ru/WMAcceptor.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - E:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL (filesize 2135336 bytes, MD5 028FF74DAFDC7BB45C956A5EC8926CEE)
O20 - Winlogon Notify: Aspwdflt - E:\Program Files\ASUS\ASUS Data Security Manager\ASPWDFLT.dll
O22 - SharedTaskScheduler: Предзагрузчик Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - E:\WINDOWS\system32\browseui.dll (filesize 1030144 bytes, MD5 54A4659B52E6BE484C36442B63B00A09)
O22 - SharedTaskScheduler: Демон кэша категорий компонентов - {8C7461EF-2B13-11d2-BE35-3078302C2030} - E:\WINDOWS\system32\browseui.dll (filesize 1030144 bytes, MD5 54A4659B52E6BE484C36442B63B00A09)
O23 - Service: ABBYY FineReader 9.0 Licensing Service (ABBYY.Licensing.FineReader.Professional.9.0) - ABBYY (BIT Software) - E:\Program Files\ABBYY FineReader 9.0\NetworkLicenseServer.exe
O23 - Service: ADSM Service (ADSMService) - ASUSTek Computer Inc. - E:\Program Files\ASUS\ASUS Data Security Manager\ADSMSrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - Unknown owner - E:\Program Files\ATKGFNEX\GFNEXSrv.exe
O23 - Service: Журнал событий (Eventlog) - Корпорация Майкрософт - E:\WINDOWS\system32\services.exe
O23 - Service: HASP License Manager (hasplms) - Aladdin Knowledge Systems Ltd. - E:\WINDOWS\system32\hasplms.exe
O23 - Service: Служба COM записи компакт-дисков IMAPI (ImapiService) - Корпорация Майкрософт - E:\WINDOWS\system32\imapi.exe
O23 - Service: Nexus Server (Carbon Coder) (Nexus Server) - Unknown owner - E:\Program Files\Common Files\Rhozet\Carbon Coder\Kernel\PNXSERVR.exe
O23 - Service: Plug and Play (PlugPlay) - Корпорация Майкрософт - E:\WINDOWS\system32\services.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - E:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: Диспетчер сеанса справки для удаленного рабочего стола (RDSessMgr) - Корпорация Майкрософт - E:\WINDOWS\system32\sessmgr.exe
O23 - Service: Смарт-карты (SCardSvr) - Корпорация Майкрософт - E:\WINDOWS\System32\SCardSvr.exe
O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
O23 - Service: SRS Volume Sync Service (SRS_VolSync_Service) - SRS Labs, Inc. - E:\Program Files\SRS Labs\SRS Premium Sound\SRS_VolSync.exe
O23 - Service: Журналы и оповещения производительности (SysmonLog) - Корпорация Майкрософт - E:\WINDOWS\system32\smlogsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - E:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Теневое копирование тома (VSS) - Корпорация Майкрософт - E:\WINDOWS\System32\vssvc.exe
O23 - Service: Адаптер производительности WMI (WmiApSrv) - Корпорация Майкрософт - E:\WINDOWS\system32\wbem\wmiapsrv.exe

--
End of file - 12298 bytes


#2 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • Gender:Male
  • Location:UK

Posted 21 March 2011 - 08:07 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Thanks and again sorry for the delay.

Casey

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#3 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 30 March 2011 - 08:47 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Have I helped you? If you'd like to assist in the fight against malware, click here


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.
