Hijackthis Log: Please Help Diagnose


#1 kg6abb

kg6abb

  • Members
  • 1 posts
  • OFFLINE

Posted 25 January 2007 - 02:24 PM

I seem to have worm(s) and Trojan(s) on my system and this is my last hope.
The system is making 46.1 kB T Files in almost every folder. Here are my HijackThis and SmitfraudFix logs.
====================================================================
Logfile of HijackThis v1.99.1
Scan saved at 11:12:46 AM, on 1/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\User\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {32875545-FAF0-9E7F-4BEC-083D92EB621E} - C:\WINDOWS\system32\jlnkdnb.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\BitComet\tools\BitCometBHO.dll
O2 - BHO: (no name) - {FDB4A896-AD39-4C1D-A41A-038CADF44F5E} - C:\Program Files\AOD\hober.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Agent] C:\WINDOWS\system32\alsys.exe
O4 - HKCU\..\Run: [Agent] C:\WINDOWS\system32\alsys.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O20 - AppInit_DLLs: C:\WINDOWS\system32\userinit.dll c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wincjf32 - wincjf32.dll (file missing)
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TCP and UDP Supp0rt - Unknown owner - C:\WINDOWS\system32\tccpip.exe (file missing)

==========================================================
Here is my SmitfraudFix log as well
==========================================================

>>SmitFraudFix v2.128
>>
>>Scan done at 10:51:48.16, Thu 01/25/2007
>>Run from C:\Documents and Settings\User\Desktop\SmitfraudFix
>>OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
>>The filesystem type is NTFS
>>Fix run in safe mode
>>
>>»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
>>!!!Attention, following keys are not inevitably infected!!!
>>
>>SrchSTS.exe by S!Ri
>>Search SharedTaskScheduler's .dll
>>
>>»»»»»»»»»»»»»»»»»»»»»»»» Killing process
>>
>>
>>»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
>>
>>GenericRenosFix by S!Ri
>>
>>
>>»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
>>
>>
>>»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
>>
>>
>>»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
>>!!!Attention, following keys are not inevitably infected!!!
>>
>>[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
>>"System"=""
>>
>>
>>»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
>>
>>Registry Cleaning done.
>>
>>»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
>>!!!Attention, following keys are not inevitably infected!!!
>>
>>SrchSTS.exe by S!Ri
>>Search SharedTaskScheduler's .dll
>>
>>
>>»»»»»»»»»»»»»»»»»»»»»»»» End
*Note: SmitfraudFix was used before running HijackThis.
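A first-pass triage of entry lines taken from the HijackThis log above, added here as an example (it is not the poster's or the tool's own code). It only parses the log format and flags entries in common persistence locations that a responder would normally check first; the heuristics are generic and say nothing about whether a given file is actually malicious.

```python
import re
# Constructed sample: a handful of entry lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {32875545-FAF0-9E7F-4BEC-083D92EB621E} - C:\WINDOWS\system32\jlnkdnb.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\userinit.dll c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: wincjf32 - wincjf32.dll (file missing)
O23 - Service: TCP and UDP Supp0rt - Unknown owner - C:\WINDOWS\system32\tccpip.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

# Every HijackThis entry starts with a section code (R0, R1, O2, O4, O20, O23, ...).
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# A digit wedged between letters ("Supp0rt") is a common look-alike spelling.
LOOKALIKE_RE = re.compile(r"[A-Za-z]\d[A-Za-z]")

def parse_hjt(text):
    """Return (section, body) tuples for every entry line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries

def triage(entries):
    """Flag entries worth a responder's first look (generic checks, not a verdict on any file)."""
    findings = []
    for section, body in entries:
        reasons = []
        if section == "O2" and "(no name)" in body:
            reasons.append("BHO registered without a name")
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = body.split(":", 1)[1].split()  # space-separated DLL paths
            if dlls:
                reasons.append(f"AppInit_DLLs loads {len(dlls)} DLL(s) into every process that maps user32.dll")
        if section == "O20" and "Winlogon Notify" in body and "(file missing)" in body:
            reasons.append("Winlogon Notify entry points at a DLL that is not on disk")
        if section == "O23" and body.startswith("Service: "):
            name = body[len("Service: "):].split(" - ")[0]  # "Service: NAME - OWNER - PATH"
            if "Unknown owner" in body:
                reasons.append("service has no vendor string")
            if "(file missing)" in body:
                reasons.append("service binary is not on disk")
            if LOOKALIKE_RE.search(name):
                reasons.append(f"service name {name!r} uses look-alike spelling")
        if reasons:
            findings.append((section, body, reasons))
    return findings
```

Running `triage(parse_hjt(SAMPLE_LOG))` leaves the Adobe BHO and the HP service unflagged and returns the other four entries with their reasons.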


#2 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  • Location:Finland

Posted 29 January 2007 - 06:18 AM

Hi kg6abb and welcome to the Forums :flowers:

You have infections there. The HijackThis log looks like it was taken in safe mode. Are you able to use the computer in normal mode?

One or more of the identified infections is a backdoor trojan :huh:

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

I can help you with the cleaning if you don't want to reformat, but there is a possibility that we can't get you 100% clean.

Please let us know what you have decided to do in your next post :thumbsup:
UNITE & ASAP member since 2006