Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijackthis Logfile


  • This topic is locked This topic is locked
2 replies to this topic

#1 happyhour19

happyhour19

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:09:54 PM

Posted 04 May 2006 - 07:11 AM

hi everybody,

i know i have bad entries in this logfile but i fear i didnīt find them all - can somebody please help me?!?

itīs urgent because iīm facing a customerīs presentation including online activity and i donīt want to be surprised :-)

this is the file (and i would like to say thank you in advance to everybody who starts thinking and wants help). btw: the german entries are OK, iīve checked each single of them the entire night ;-)

Logfile of HijackThis v1.99.1
Scan saved at 12:35:27, on 04.05.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\cJPCSC.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
c:\programme\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programme\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Programme\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Programme\Apoint\Apoint.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Programme\McAfee.com\VSO\mcvsshld.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0M2.EXE
C:\Programme\Iomega\AutoDisk\ADUserMon.exe
C:\Programme\Iomega\DriveIcons\ImgIcon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Programme\Symantec\Norton Ghost\Agent\GhostTray.exe
C:\Programme\McAfee.com\VSO\oasclnt.exe
C:\Programme\T-DSL Business\BOLog.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Programme\Apoint\Apntex.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\iPod\bin\iPodService.exe
C:\PROGRA~1\GEMEIN~1\PCSuite\Services\SERVIC~1.EXE
C:\Programme\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\WINDOWS\System32\alg.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\GEMEIN~1\Nokia\MPAPI\MPAPI3s.exe
C:\Programme\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Programme\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Programme\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Programme\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/
R3 - URLSearchHook: (no name) - {F984A15B-639B-9384-6855-2BDA815A03B1} - utsgmon.dll (file missing)
F3 - REG:win.ini: load=
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Programme\Apoint\Apoint.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Programme\Gemeinsame Dateien\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Programme\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogonStudio] "C:\Programme\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [EPSON Stylus Photo RX600] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0M2.EXE /P24 "EPSON Stylus Photo RX600" /O6 "USB002" /M "Stylus Photo RX600"
O4 - HKLM\..\Run: [ADUserMon] C:\Programme\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Programme\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Programme\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Programme\Symantec\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [OASClnt] C:\Programme\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [BusinessOnline Log] "C:\Programme\T-DSL Business\BOLog.exe"
O4 - HKLM\..\Run: [Siemens SmartSync - ScheduleSync] C:\PROGRA~1\MOBILE~1\SMARTS~1\SCHEDU~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [cnftips] xsetup.exe
O4 - HKLM\..\Run: [NopeZ] dialer423.exe
O4 - HKLM\..\Run: [YeppStudioAgent] C:\Programme\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe
O4 - HKCU\..\Run: [NBJ] "C:\Programme\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Programme\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [prgsys0984] PasswdMon.exe
O4 - HKCU\..\Run: [utsgmon] Shaitan1678.exe
O4 - HKCU\..\Run: [AppMasterCenter] uio.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Iomega - Startoptionen.lnk = C:\Iomg_NT\startnt.exe
O4 - Startup: Quick Tools NT.lnk = C:\Iomg_NT\Quick.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: &Google-Suche - res://c:\programme\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Ins Deutsche übersetzen - res://c:\programme\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: In &neuem Fenster öffnen - C:\Dokumente und Einstellungen\Marco Langner ExCo\Anwendungsdaten\TuneUp Software\TuneUp Utilities\Web\tuofinw.tui
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Zoom &In  - C:\Dokumente und Einstellungen\Marco Langner ExCo\Anwendungsdaten\TuneUp Software\TuneUp Utilities\Web\tuzoomin.tui
O8 - Extra context menu item: Zoom &Out  - C:\Dokumente und Einstellungen\Marco Langner ExCo\Anwendungsdaten\TuneUp Software\TuneUp Utilities\Web\tuzoomout.tui
O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Übersetzen mit &dict.leo.org - C:\Dokumente und Einstellungen\Marco Langner ExCo\Anwendungsdaten\TuneUp Software\TuneUp Utilities\Web\tutrans.tui
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {03BCF80B-B975-498C-B9CC-1F517915995A} (Office2003.Install) - https://secure.interfax.net/Office2003.ocx
O16 - DPF: {2EF3FB47-7B1E-4536-BA4D-51427BD45DFA} (PIXACO Drag and Drop upload plugin) - http://www.pixaco.de/static/download/pixacodndupload.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1094287141047
O16 - DPF: {826287F8-454E-11D9-ADFE-00062919A34C} (ActiveXUploadFotoCom.UserCtrlFotoCom) - http://fotobook.foto.com/activeX/newUploadFotoCom.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {FB90BA05-66E6-4C56-BCD3-D65B0F7EBA39} (Foto.com SpeedUploader 1.0 Control) - http://express.foto.com/SFUploader/SpeedUploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F6A8E8F-13B7-4B6C-9E8D-3EC31A48ADB5}: NameServer = 85.255.115.59,85.255.112.77
O17 - HKLM\System\CCS\Services\Tcpip\..\{68FC7DA3-CDCF-43D1-B5E9-17623890F83E}: NameServer = 85.255.115.59,85.255.112.77
O17 - HKLM\System\CCS\Services\Tcpip\..\{87790BCF-AAB1-4A5C-B242-5A6781B2CA92}: NameServer = 85.255.115.59,85.255.112.77
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB2C23C2-835C-449C-B0C3-C211FA54B24E}: NameServer = 85.255.115.59,85.255.112.77
O17 - HKLM\System\CS1\Services\Tcpip\..\{1F6A8E8F-13B7-4B6C-9E8D-3EC31A48ADB5}: NameServer = 85.255.115.59,85.255.112.77
O18 - Protocol: t-mobile - {C6D89159-3467-4C2F-9918-3362DA57BCD2} - C:\PROGRA~1\T-Mobile\HOTSPO~1\TMOBIL~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: cyberJack PC/SC Service (cjPCSC) - REINER SCT - C:\WINDOWS\System32\cJPCSC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\programme\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Programme\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Programme\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: TSMService - T-Systems Nova, Berkom - C:\Programme\T-DSL SpeedManager\tsmsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Programme\Iomega\AutoDisk\ADService.exe

BC AdBot (Login to Remove)

 


#2 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:03:54 PM

Posted 04 May 2006 - 05:03 PM

Hello happyhour 19,

Hello and Welcome to BC. :thumbsup:

You have a Wareout infection. The following fix is developed by LonnyRJones (Thank you Lonny) for that infection.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
  • Save it to your desktop and run it. Click Next, then Install, make sure Run fixit is checked and click Finish.
  • The fix will begin; follow the prompts.
  • You will be asked to reboot your computer; please do so.
  • Your system may take longer than usual to load; this is normal.
When you run fixwareout , simply follow the prompts, you will need to restart when prompted.

Once back in Windows, close all web browsers. Go into Control Panel>Network Connections.

Right click on your connection and click Properties. On the Properties page, highlight Internet Protocol(TCP/IP)

Click Properties. This will bring up another page. Select Obtain DNS Server Automatically. Click the ok button. The page will close. Press ok on the page in front of you.

Restart the computer. Start the Internet and IE.
Open this file c:\fixwareout\report.txt and post the contents of it and a new HijackThis log please. And, please stay offline as much as possible until the computer is clean.

#3 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:03:54 PM

Posted 12 May 2006 - 10:57 AM

Due to lack of response, this thread will now be closed. If you need this topic reopened, please PM me or a moderator with the address of the thread.and we will reopen it for you. This applies only to the original topic starter. Everyone else please begin a New Topic.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users