HijackThis Logs: Please Diagnose

#1 Daven81
  • Members
  • 23 posts

Posted 06 February 2007 - 10:02 AM

Hi guys, I think my PC has been infected by spyware. Please help me check the log. Thanks in advance. :thumbsup:


Logfile of HijackThis v1.99.1
Scan saved at 22:42:06, on 06/02/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\QClient6.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\uninstall\rundl132.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\System\temp[4].exe
C:\Program Files\Common Files\System\temp[4].exe
C:\Program Files\Common Files\System\temp[4].exe
C:\Program Files\Common Files\System\temp[5].exe
C:\WINDOWS\System32\C07344F5.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\cmd.exe
D:\denise's Documents\My Documents\Installer\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winsearch200.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 165.228.128.10:3128
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {85ECAFCC-BDD9-5B03-97A8-FA65CBE8809A} - C:\WINDOWS\SYSTEM32\1234.ini
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [load] C:\WINDOWS\uninstall\rundl132.exe
O4 - HKLM\..\Run: [wsvbs] C:\WINDOWS\wsvbs.exe
O4 - HKLM\..\Run: [cmdbc] C:\WINDOWS\cmdbc.exe
O4 - HKLM\..\Run: [msccr] C:\WINDOWS\msccr.exe
O4 - HKLM\..\Run: [mppis] C:\WINDOWS\mppis.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [wsvs] C:\WINDOWS\wsvs.exe
O4 - HKLM\..\Run: [wsttrs] C:\WINDOWS\wsttrs.exe
O4 - HKLM\..\Run: [upx] C:\DOCUME~1\denise\LOCALS~1\Temp\upx.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O10 - Unknown file in Winsock LSP: c:\windows\system32\srvdll.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\srvdll.dll
O16 - DPF: Win32 Classes -
O16 - DPF: {8366E3E6-FFB8-11D3-AD13-0060B0FB0247} (ensoChemDatCaller Control) - file://E:\tedisdata\prods\ensoCDCC.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: inicfg32.dll,iniwin32.dll
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: MSWindowsUpdate006 - Unknown owner - C:\WINDOWS\System32\QClient6.exe
O23 - Service: Windows Createddos (Windows Processdos) - Unknown owner - C:\WINDOWS\System32\dos.exe
O23 - Service: Windows_rejoice - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice4.exe

#2 Blender
    I will eat your Malware
  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 08 February 2007 - 07:08 PM

Hi and welcome

Oh my! :thumbsup:

Have we got ourselves a mess here.
This looks like one seriously compromised machine! :flowers:

Before we even start doing anything...a few points I have to bring up.
It is not pretty but has to be said.

If you do anything sensitive online such as banking, credit card purchases, PayPal, or like services, consider your personal/sensitive info 0wned!
You are advised to contact your banks, credit card companies to have your accounts watched or cancelled and new ones created.
You will need to get to a clean machine to change ALL your passwords to sensitive log-in sites.
Please don't use this machine to log into these sites or change passwords or attackers may get new info!


Looks like you are backdoored to no end and I cannot guarantee we can fix all the damage that has been done.
What backdoors do is allow the attacker complete access to your system. They can also send commands to your machine to make it do whatever the attacker wants including steal passwords, perform attacks on other machines, download/run more malware.
They can do anything that you can except physically touch the machine.

I can rip out almost anything nasty but it is near impossible to know what all changes have been made if the attacker actually had control of the machine.
If you want the cold-hard truth; if this was my machine I would be formatting it and re-installing it from scratch or a backup image if you have one.
I do not recommend a format very often, but if you have a lot of sensitive info stored on the machine it is in my opinion the best/safest route.

If this is not possible I can try & help you clean it out and I'll do my best, but I do recommend a fresh start if you have the resources to do so.
It will take several tools to clean up.

I would like to have some file samples if possible so I can get them out to AV companies for analysis/detection.

Copy these instructions to a notepad file so you have em while in safe mode.

Please download Suspicious file Packer from Safer-Networking.Org and unzip it to your desktop.
It must be unzipped to work.

Boot to SAFE mode:
Shut down computer & wait 30 seconds
Restart computer
As soon as the BIOS screen loads but before the XP loading screen loads, start tapping the F8 key
This brings you to advanced start menu
Choose Safe mode using arrow keys and press enter.
Answer yes to the next prompt
Log into your normal account.

Graphics look bad. This is normal for safe mode.

Double click sfp.exe to start it.

Please copy the following lines:
C:\WINDOWS\SYSTEM32\1234.ini
C:\WINDOWS\uninstall\rundl132.exe
C:\WINDOWS\wsvbs.exe
C:\WINDOWS\cmdbc.exe
C:\WINDOWS\msccr.exe
C:\WINDOWS\mppis.exe
C:\WINDOWS\wsvs.exe
C:\WINDOWS\wsttrs.exe
C:\DOCUME~1\denise\LOCALS~1\Temp\upx.exe
c:\windows\system32\srvdll.dll
c:\windows\system32\inicfg32.dll
c:\windows\system32\iniwin32.dll
C:\WINDOWS\System32\QClient6.exe
C:\WINDOWS\System32\dos.exe
C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice4.exe
C:\Program Files\Common Files\System\temp[4].exe
C:\Program Files\Common Files\System\temp[4].exe
C:\Program Files\Common Files\System\temp[4].exe
C:\Program Files\Common Files\System\temp[5].exe
C:\WINDOWS\System32\C07344F5.exe

and paste them in the box in SFP, then click "Continue".

It will copy the files and zip em up to a cab file on your desktop.
Called something like "Requested files [time/date].cab"

You can reboot to normal windows now.

Please upload the cab file to this site:

http://www.thespykiller.co.uk/forum/index.php?board=1.0

Start yourself a new topic & use your name from here so I can find your post easier.
Put in topic title "Request by Blender"
Put in body of message the link to our thread here.
then press the browse button and then navigate to & select the cab file on desktop.
press Post to upload the file

It is normal you will not see the file you just posted cus only approved members can see em to download them.

Let me know here when you have posted.

Let me know please if we are cleaning or you are going to opt for fresh start.
If cleaning I will need several other logs to determine what all is going on. Hijackthis does not tell all.
If cleaning....do you have another computer we can use to communicate while we work on this one? If possible I would like to take it offline so more junk does not get installed.

Thanks :huh:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware
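The log in post #1 and the file list Blender asks for in the reply are two views of the same triage step: pick out the HijackThis entries that carry persistence or traffic interception (R1 proxy, orphaned or odd BHOs, O4 Run entries in unusual places, O10 unknown LSP modules, O20 AppInit_DLLs, O23 services with no vendor), then turn them into the list of files to package for analysis. The script below is an added example and is not HijackThis's own parser, Blender's tooling, or anything from this thread; the section heuristics and the "unusual location" rule are this example's own assumptions, the system directory is assumed to be the XP default, and the sample lines are constructed in the shape of the log above (the proxy address has been replaced with a documentation-range address).

```python
"""Triage helper for HijackThis v1.99-style logs (added example, not from the thread).

Parses the R/O entries, flags the sections that commonly carry persistence or
traffic interception, and derives a de-duplicated list of file paths worth
collecting for analysis. The flagging rules are this example's assumptions.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample in the shape of an HJT log (a few lines, not a full log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.0.2.10:3128
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {85ECAFCC-BDD9-5B03-97A8-FA65CBE8809A} - C:\WINDOWS\SYSTEM32\1234.ini
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [load] C:\WINDOWS\uninstall\rundl132.exe
O4 - HKLM\..\Run: [wsvbs] C:\WINDOWS\wsvbs.exe
O4 - HKLM\..\Run: [upx] C:\DOCUME~1\denise\LOCALS~1\Temp\upx.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\srvdll.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\srvdll.dll
O20 - AppInit_DLLs: inicfg32.dll,iniwin32.dll
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Windows_rejoice - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice4.exe
"""

ENTRY = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
SYSTEM32 = r"C:\WINDOWS\system32"  # assumption: default XP system directory


def run_target(body):
    """Extract the executable from an O4 body 'HKxx\\..\\Run: [name] target args'."""
    m = re.match(r"HK\w+\\\.\.\\Run: \[[^\]]*\] (.*)$", body)
    if not m:
        return None
    rest = m.group(1).strip()
    if rest.startswith('"'):                 # quoted path, args follow the closing quote
        return rest[1:rest.index('"', 1)]
    # unquoted: the target ends where the first '-' or '/' switch begins
    return re.split(r" (?=[-/])", rest, maxsplit=1)[0]


def unusual_run_location(path):
    """Heuristic (assumption): a Run entry launching from the Windows root, a
    non-system subfolder of the Windows directory, or any Temp folder deserves a look."""
    p = path.lower()
    parent = str(PureWindowsPath(p).parent)
    if "\\temp\\" in p:
        return True
    return parent.startswith("c:\\windows") and parent not in (
        "c:\\windows\\system32", "c:\\windows\\system")


def triage(log_text):
    """Return (findings, collect): findings is a list of (section, reason, path-or-None),
    collect is the ordered, de-duplicated list of file paths to package for analysis."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        sec, body = m.group("section"), m.group("body")
        if sec == "R1" and ",ProxyServer = " in body:
            findings.append((sec, "proxy set in IE settings: " + body.split(" = ", 1)[1], None))
        elif sec == "O2":
            target = body.rsplit(" - ", 1)[1]
            if target == "(no file)":
                findings.append((sec, "orphaned BHO registration", None))
            elif not target.lower().endswith(".dll"):
                findings.append((sec, "BHO loaded from a non-DLL file", target))
        elif sec == "O4":
            target = run_target(body)
            if target and unusual_run_location(target):
                findings.append((sec, "Run entry launching from an unusual location", target))
        elif sec == "O10" and body.startswith("Unknown file in Winsock LSP: "):
            findings.append((sec, "unrecognised Winsock LSP module", body.split(": ", 1)[1]))
        elif sec == "O20" and body.startswith("AppInit_DLLs: "):
            for dll in body.split(": ", 1)[1].split(","):
                if dll.strip():  # bare names resolve relative to the system directory (assumption)
                    findings.append((sec, "AppInit_DLLs loads into every GUI process", SYSTEM32 + "\\" + dll.strip()))
        elif sec == "O23" and " - Unknown owner - " in body:
            findings.append((sec, "service with no vendor information", body.rsplit(" - ", 1)[1]))
    collect, seen = [], set()
    for _, _, path in findings:
        if path and path.lower() not in seen:
            seen.add(path.lower())
            collect.append(path)
    return findings, collect


if __name__ == "__main__":
    found, to_collect = triage(SAMPLE_LOG)
    for sec, reason, path in found:
        print(f"{sec:4} {reason}" + (f" -> {path}" if path else ""))
    print("\nFiles to package for analysis:")
    print("\n".join(to_collect))
```

The collection list is what would be pasted into a packer such as SFP; duplicate O10 lines collapse to one path, and the O20 DLL names are resolved against the assumed system directory because AppInit_DLLs lists them bare. Because a real log is produced on a compromised host, the script is meant to run on the clean machine against a copied log, not on the infected one.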



