
New HijackThis Log


3 replies to this topic

#1 gmachado

gmachado

  • Members
  • 3 posts
  • Local time:05:16 PM

Posted 14 November 2004 - 06:54 AM

Hello All, It's my first time in this Forum...

I have the same problem as others with viruses...

I would like to receive some help to diagnose the HijackThis log generated by my box...

Thanks in advance...

_________________
Gustavo Rodrigues
Brasil/RS




Logfile of HijackThis v1.98.2
Scan saved at 09:37:36, on 14/11/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\NavNT\defwatch.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\Arquivos de programas\NavNT\rtvscan.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\khooker.exe
C:\WINDOWS\System32\pctspk.exe
C:\Arquivos de programas\Winamp\Winampa.exe
C:\Arquivos de programas\NavNT\vptray.exe
C:\WINDOWS\System32\jrpurzu.exe
C:\WINDOWS\System32\systime.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\systime.exe
C:\Arquivos de programas\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Arquivos de programas\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Arquivos de programas\Discador iBest\discador.exe
C:\WINDOWS\System32\dllhost.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\ARQUIV~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
C:\Programas\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Swish Browser Helper - {D44B5436-B3E4-4595-B0E9-106690E70A58} - C:\DOCUME~1\eu\DADOSD~1\voaithczoo.dll (file missing)
O3 - Toolbar: Accessories - {9B35A850-66AB-4c6d-8A66-136ECADCD904} - C:\DOCUME~1\eu\DADOSD~1\voaithczoo.dll (file missing)
O3 - Toolbar: Discador iBest - {4F869C58-D71D-4850-8BDD-7B5CDF8EC911} - C:\Arquivos de programas\Discador iBest\ibestbar.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Arquivos de programas\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [vptray] C:\Arquivos de programas\NavNT\vptray.exe
O4 - HKLM\..\Run: [Microsoft Update] jrpurzu.exe
O4 - HKLM\..\Run: [nse] nse.exe
O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
O4 - HKLM\..\RunServices: [Microsoft Update] jrpurzu.exe
O4 - HKLM\..\RunServices: [nse] nse.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Reminder] C:\Arquivos de programas\Microsoft Money\System\reminder.exe
O4 - HKCU\..\Run: [Microsoft Update] jrpurzu.exe
O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Arquivos de programas\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Arquivos de programas\WinZip\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...edceabcca450006
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_3_0.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = thko.com
O17 - HKLM\Software\..\Telephony: DomainName = thko.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F6F328C-77C9-409F-9825-79862C4C5C5F}: NameServer = 201.10.1.2 201.10.120.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{EF47005D-4E30-4E58-B6AF-EFE4527442D2}: Domain = thko.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = thko.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{1F6F328C-77C9-409F-9825-79862C4C5C5F}: NameServer = 201.10.1.2 201.10.120.3
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = thko.com
O18 - Protocol: ayb - {07C0D34D-11D7-43F7-832B-C6BB41726F5F} - C:\DOCUME~1\eu\DADOSD~1\sstuggrzgrdr.dll (file missing)
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Help\hxds.dll


#2 Submit2s

Submit2s

  • Members
  • 55 posts
  • Gender:Female
  • Location:USA-Missouri
  • Local time:06:16 PM

Posted 14 November 2004 - 08:19 AM

:thumbsup: Hi gmachado,

I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.
"We are what we think, All that we are arises in our thoughts; with our thoughts, we make the world. You can make your world or break your world by your thinking." Buddha~

#3 gmachado

gmachado
  • Topic Starter

  • Members
  • 3 posts
  • Local time:05:16 PM

Posted 14 November 2004 - 11:24 AM

Thanks for your comprehension, I'll be glad of your help..

Gustavo

#4 Submit2s

Submit2s

  • Members
  • 55 posts
  • Gender:Female
  • Location:USA-Missouri
  • Local time:06:16 PM

Posted 14 November 2004 - 12:45 PM

gmachado thanks for your patience, :thumbsup:

Please print this out and follow ALL these directions carefully.

Your system is infected with several trojans and viruses.

Please run these two online scans. Make sure they are set to clean automatically:

TrendMicro's HouseCall
ActiveScan


Download Cleanup from here, but DO NOT RUN YET

Make sure 'show all files' is enabled:


Boot into Safe Mode by tapping the F8 key repeatedly at bootup.


Start HijackThis and tick the boxes next to all these, then close all browser and explorer windows, and tell HijackThis to "Fix checked" if still present.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
O2 - BHO: Swish Browser Helper - {D44B5436-B3E4-4595-B0E9-106690E70A58} - C:\DOCUME~1\eu\DADOSD~1\voaithczoo.dll (file missing)
O3 - Toolbar: Accessories - {9B35A850-66AB-4c6d-8A66-136ECADCD904} - C:\DOCUME~1\eu\DADOSD~1\voaithczoo.dll (file missing)
O4 - HKLM\..\Run: [Microsoft Update] jrpurzu.exe
O4 - HKLM\..\Run: [nse] nse.exe
O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
O4 - HKLM\..\RunServices: [Microsoft Update] jrpurzu.exe
O4 - HKLM\..\RunServices: [nse] nse.exe
O4 - HKCU\..\Run: [Microsoft Update] jrpurzu.exe
O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE <== non essential, resource hog
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...edceabcca450006
O18 - Protocol: ayb - {07C0D34D-11D7-43F7-832B-C6BB41726F5F} - C:\DOCUME~1\eu\DADOSD~1\sstuggrzgrdr.dll (file missing)



Find these files and delete if present:

search for the location of this one by using the XP search utility as follows:
START-->SEARCH-->All Files and Folders-->More Advanced Options-->
Check --> show system files, show hidden files, search all subfolders.
Now copy and paste this file into the search box and hit search, then delete when found.


C:\WINDOWS\System32\sistray.EXE <==file
C:\WINDOWS\System32\jrpurzu.exe <==file
C:\WINDOWS\System32\systime.exe <==file
C:\DOCUME~1\eu\DADOSD~1\sstuggrzgrdr.dll <==file
C:\DOCUME~1\eu\DADOSD~1\voaithczoo.dll <==file
nse.exe <==file



Now Run Cleanup,

Then reboot after it has finished cleaning


You should install Windows Service Pack 2 and ALL Critical Updates to help keep you from being continually infected.
In Internet Explorer go to Tools then Windows Updates and install each patch one by one rebooting when necessary.

Post a new log after you have updated your Windows Service Pack and Critical Updates.
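As an added illustration (not code from the thread or from the HijackThis tool), a small Python triage script that encodes the reasoning Submit2s applied to the log above: R0/R1 start pages pointing at a bare IP address, O2/O3/O18 entries whose DLL is missing, O4 Run/RunServices items launched by bare filename, and O15 Trusted Zone additions. The sample lines are constructed from the posted log; every rule is a heuristic that marks an entry for human review, not a verdict.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.98.2 line format, modelled on the log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Swish Browser Helper - {D44B5436-B3E4-4595-B0E9-106690E70A58} - C:\DOCUME~1\eu\DADOSD~1\voaithczoo.dll (file missing)
O4 - HKLM\..\Run: [vptray] C:\Arquivos de programas\NavNT\vptray.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Microsoft Update] jrpurzu.exe
O4 - HKLM\..\RunServices: [nse] nse.exe
O15 - Trusted Zone: *.windupdates.com
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Help\hxds.dll
"""

RE_ENTRY = re.compile(r"^(?P<type>[RO]\d+) - (?P<body>.*)$")
RE_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# O4 body: HKLM\..\Run: [Label] command
RE_O4 = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def triage_line(line):
    """Return a short reason if the entry looks suspicious, else None."""
    m = RE_ENTRY.match(line.strip())
    if not m:
        return None  # header, process list or blank line
    kind, body = m.group("type"), m.group("body")
    if kind in ("R0", "R1"):
        url = body.split(" = ", 1)[-1].strip()
        if RE_IPV4.match(urlparse(url).hostname or ""):
            return "IE start/default page points at a bare IP address"
    if kind in ("O2", "O3", "O18") and body.endswith("(file missing)"):
        return "orphaned entry, referenced DLL is missing"
    if kind == "O4":
        o4 = RE_O4.match(body)
        # Bare filename, no directory: the label may be a disguise (e.g. 'Microsoft Update').
        # Legitimate bare-name entries exist too (PCTVOICE in the posted log), so review each hit.
        if o4 and "\\" not in o4.group("cmd").strip('"'):
            return f"autorun by bare filename (no path); label '{o4.group('name')}' may be a disguise"
    if kind == "O15":
        return "domain added to IE Trusted Zone"
    return None


def triage(log_text):
    """Walk a whole log and return (reason, line) pairs for the analyst to review."""
    return [(r, ln.strip()) for ln in log_text.splitlines() if (r := triage_line(ln))]


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```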



