
HJT log - asingh



#1 sarva


Posted 07 December 2004 - 03:15 PM

Hi,
I did Ad-Aware, Spybot and CWS, but there is a utilreg.exe that keeps taking a lot of CPU.
Please advise.

Thanks,

Sarva

Logfile of HijackThis v1.97.7
Scan saved at 1:22:29 PM, on 12/7/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\CoSine Communications\IPSec Dial Client\IreIKE.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\CoSine Communications\IPSec Dial Client\IPSecMon.exe
C:\WINNT\myCIO\Agent\myAgtSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\pctspk.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINNT\system32\NWTRAY.EXE
C:\WINNT\myCIO\Agent\myagttry.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\CoSine Communications\IPSec Dial Client\SafeCfg.exe
C:\Program Files\Privoxy\privoxy.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\WINNT\system32\taskmgr.exe
C:\WINNT\system\utilreg.exe
C:\Documents and Settings\anujasin\Desktop\HijackThis.exe

R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.google.com"); (C:\Documents and Settings\anujasin\Application Data\Mozilla\Profiles\default\ualyfi87.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\anujasin\Application Data\Mozilla\Profiles\default\ualyfi87.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {18722863-6D1D-4300-BF29-406948EDA7CB} - C:\DOCUME~1\anujasin\LOCALS~1\Temp\pctsmw.dat
O2 - BHO: (no name) - {2E65A557-173C-4DE9-860B-28FC5CACA542} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Setup\Setup.dll
O2 - BHO: (no name) - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\Documents and Settings\anujasin\Local Settings\Temp\numoc.dat
O2 - BHO: (no name) - {44E5B409-35A2-4E8D-BF94-344222323A53} - C:\DOCUME~1\anujasin\LOCALS~1\Temp\gerlitu.dat
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - C:\DOCUME~1\anujasin\LOCALS~1\Temp\numoc.dat
O2 - BHO: (no name) - {72AC6865-B1D3-4C32-A27B-4B3BF04DE655} - C:\DOCUME~1\anujasin\LOCALS~1\Temp\numoc.dat
O2 - BHO: (no name) - {8109AF33-6949-4833-8881-43DCC232B7B2} - C:\DOCUME~1\anujasin\LOCALS~1\Temp\numoc.dat
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {C69FA570-7FDE-4C49-A7BC-CB1CF24BE66B} - C:\Documents and Settings\anujasin\Local Settings\Temp\niwxaf.dat
O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINNT\Downloaded Program Files\SbCIe02a.dll
O2 - BHO: (no name) - {ED5ABC42-8E4F-4C39-9972-F0CF619D672F} - C:\Documents and Settings\anujasin\Local Settings\Temp\ofninu.dat
O2 - BHO: (no name) - {F32F8ECD-6CF3-459D-82F2-9738392C85A8} - C:\Documents and Settings\anujasin\Local Settings\Temp\numoc.dat
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [nkkrro] C:\WINNT\System32\swjnyf.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [comun] C:\WINNT\Fonts\comun.exe
O4 - HKLM\..\Run: [*comun] C:\WINNT\Fonts\comun.exe
O4 - HKLM\..\Run: [*adc] C:\WINNT\addins\adc.exe
O4 - HKLM\..\Run: [myCIO.com ASaP] C:\WINNT\myCIO\Agent\myagttry.exe
O4 - HKLM\..\Run: [rgjaai] C:\WINNT\system32\gfrud.exe
O4 - HKLM\..\Run: [bddq] C:\WINNT\system32\kpnoja.exe
O4 - HKLM\..\Run: [*libdos] C:\WINNT\Driver Cache\libdos.exe
O4 - HKLM\..\Run: [okpt] C:\WINNT\system32\plnuay.exe
O4 - HKLM\..\Run: [drsrr] C:\WINNT\system32\hsbypd.exe
O4 - HKLM\..\Run: [rbhl] C:\WINNT\system32\zndmha.exe
O4 - HKLM\..\Run: [*psmsvc] C:\WINNT\Web\psmsvc.exe
O4 - HKLM\..\Run: [vwbvas] C:\WINNT\system32\dqjkzve.exe
O4 - HKLM\..\Run: [lcunv] C:\WINNT\system32\powddz.exe
O4 - HKLM\..\Run: [gkmy] C:\WINNT\system32\tzofqnnk.exe
O4 - HKLM\..\Run: [ykjzhs] C:\WINNT\system32\zjokkzw.exe
O4 - HKLM\..\Run: [wilvesmj] C:\WINNT\system32\wzlfmdl.exe
O4 - HKLM\..\Run: [fvffnf] C:\WINNT\system32\rmdr.exe
O4 - HKLM\..\Run: [vyzfwfot] C:\WINNT\system32\tpictxoh.exe
O4 - HKLM\..\Run: [pvkun] C:\WINNT\system32\wtsoz.exe
O4 - HKLM\..\Run: [*utilreg] C:\WINNT\system\utilreg.exe
O4 - HKLM\..\Run: [syqoiua] C:\WINNT\system32\ttlzvcb.exe
O4 - HKLM\..\Run: [mxkywexh] C:\WINNT\system32\dcrqci.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [fyzj] C:\WINNT\system32\uqdgkyu.exe k:fyzj:
O4 - HKCU\..\Run: [JavaUpdate0.07] C:\WINNT\system32\nrxdkkdo.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [JavaUpdate0.06] C:\WINNT\system32\lali.exe
O4 - HKLM\..\RunOnce: [*utilreg] C:\WINNT\system\utilreg.exe rerun
O4 - Global Startup: IPSec Dial Client.lnk = C:\Program Files\CoSine Communications\IPSec Dial Client\SafeCfg.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Privoxy\privoxy.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: SideStep (HKLM)
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwga.ops.placeware.com/etc/place/...quicksilver.cab
O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) - http://enu.vs.mcafeeasap.com/VS2/bin/myCioAgt.cab
O16 - DPF: {5763F8E8-0DD7-4A0F-ADB0-9F64C8F2C349} (Pixami/Snapfish Upload UI Control) - http://www.snapfish.com/SnapfishUploader.cab
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://download.sidestep.com/get/k00719/sb02a.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...37939.322962963
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} - http://download.microsoft.com/download/viz...N-US/msorun.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://cnt.webex.com/client/latest/webex/ieatgpc.cab
O16 - DPF: {E876D003-BCDE-11D3-9131-000094B61529} (ERPageAddin Class) - http://eroom/eroomsetup/client.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cnt.ad.cnt.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cnt.ad.cnt.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = cnt.ad.cnt.com

#2 Daisuke


Posted 08 December 2004 - 07:57 AM

Hi

Please download and run this tool from Symantec:

http://securityresponse.symantec.com/avcen...moval.tool.html
Follow Symantec's instructions for how to run it.

When the removal process is finished you will find a log on your Desktop. Don't delete it. Please copy & paste the contents of the log as a reply to this post.

You are running an outdated version of HijackThis. Delete the copy you have and download the latest version of HijackThis: Download here HJT 1.98.2. Save it on your Desktop. You will now need to unzip hijackthis.exe to a permanent folder, such as c:\hjt. This has to be done because HijackThis creates backups. You may need to use these backups.

First create a new folder:
A. Click My Computer icon on your desktop
B. Click C: drive
C. Click the File menu --> New --> Folder; a folder "New folder" will be created.
D. Rename it HJT

Unzip hijackthis.exe to the c:\HJT folder.
Do not run HijackThis from your desktop or a temp folder.

Please post a new hijackthis log.
Every day is virus day. Do you know where your recovery CDs are?
Did you create them yet?
