Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HJT - jhoess


  • This topic is locked This topic is locked
2 replies to this topic

#1 jhoess

jhoess

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:08:23 PM

Posted 05 January 2005 - 01:53 PM

Logfile of HijackThis v1.98.2
Scan saved at 10:30:48 AM, on 1/5/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Shavlik Technologies\HFNetChkPro4\4.0.76.6\HFNetChkProService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\OfficeScan NT\ntrtscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\OfficeScan NT\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\OfficeScan NT\pccntmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Plaxo\2.1.0.77\InstallStub.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\OfficeScan NT\PCCNTMON.EXE
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\unzipped\zip2\disk2\mstsc.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://out.true-counter.com/b/?840828 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://out.true-counter.com/b/?840828 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://out.true-counter.com/a/?840828 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://out.true-counter.com/b/?840828 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.exxcel.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://out.true-counter.com/c/?840828 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://out.true-counter.com/b/?840828 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Exxcel
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ISA01:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.10.0.0;*.exxcel.com;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.1.0.77\InstallStub.exe -a
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll
O16 - DPF: axscanner - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: axscannerruntime - http://www.pestscan.com/scanner/axscannerruntime.cab
O16 - DPF: mscomctl - http://www.pestscan.com/scanner/mscomctl.cab
O16 - DPF: msvcp71 - http://download.pestpatrol.com/Downloads/C...nts/msvcp71.cab
O16 - DPF: msvcr71 - http://download.pestpatrol.com/Downloads/C...nts/msvcr71.cab
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...8000/model.html
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/release/PlaxoInstall.cab
O16 - DPF: {140F03AE-0588-11D4-BD45-0050048A82BF} (eShare Web Collaboration Class) - http://interact.cdw.com/netagent/objects/emagic.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {546A19C4-1DB3-4703-83DF-27AEDACEE2F9} (IObjSafety.logoff) - https://secretariat:8098/util/logoff.CAB
O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://messagelabs.webex.com./client/v_myw...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = exxcel.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = exxcel.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = exxcel.com
O19 - User stylesheet: C:\WINNT\Web\oslogo.bmp (file missing)

BC AdBot (Login to Remove)

 


#2 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:08:23 PM

Posted 05 January 2005 - 04:47 PM

Hi

Download the stand-alone version of CWShredder from here
Install the program.

Make sure all browser windows are closed and run cwshredder.exe, and click on the FIX button (not the "Scan only" button) and let it scan your computer.

REBOOT your computer and post a new hijackthis log please.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image

#3 jhoess

jhoess
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:08:23 PM

Posted 24 February 2005 - 04:50 PM

sorry for the delay. I followed your directions. Here is the new post:

****************************************
Bazooka Scanner v1.13.02
http://www.kephyr.com/spywarescanner/
http://www.kephyr.com/spywarescanner/library/
support@kephyr.com
Log created 16:44:17.
OS: Windows NT 5.0
Database version: 2.710000
Database format version: 1.020000
Database date: 20050222
Current date: 2005-02-24 16:44


****************************************
Result when scanning:

No threats found.
****************************************
Auto start entries:
C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l
C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l

Go here to analyse the startup entries and the associated files:
http://www.kephyr.com/filedb/index.php

****************************************
Run entries:
Synchronization Manager mobsync.exe /logon
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Synchronization Manager

QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\QuickTime Task

gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\gcasServ

OfficeScanNT Monitor "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OfficeScanNT Monitor

ctfmon.exe ctfmon.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe

MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS

PlaxoUpdate C:\Program Files\Plaxo\2.1.0.80\InstallStub.exe -a
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\PlaxoUpdate


Go here to analyse the run entries and the associated files:
http://www.kephyr.com/filedb/index.php

****************************************
Browser helper objects:

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} not set C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

{AA58ED58-01DD-4d91-8333-CF10577473F7} not set c:\program files\google\googletoolbar1.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}


****************************************
Toolbars:

{8E718888-423F-11D2-876E-00A0C9082467} C:\WINNT\System32\msdxm.ocx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{8E718888-423F-11D2-876E-00A0C9082467}

{2318C2B1-4965-11d4-9B18-009027A5CD4F} c:\program files\google\googletoolbar1.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{2318C2B1-4965-11d4-9B18-009027A5CD4F}

{01E04581-4EEE-11D0-BFE9-00AA005B4383} C:\WINNT\System32\browseui.dll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{01E04581-4EEE-11D0-BFE9-00AA005B4383}

{0E5CBF21-D15F-11D0-8301-00AA005B4383} C:\WINNT\System32\browseui.dll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{0E5CBF21-D15F-11D0-8301-00AA005B4383}

{01E04581-4EEE-11D0-BFE9-00AA005B4383} C:\WINNT\System32\browseui.dll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{01E04581-4EEE-11D0-BFE9-00AA005B4383}

{0E5CBF21-D15F-11D0-8301-00AA005B4383} C:\WINNT\System32\browseui.dll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{0E5CBF21-D15F-11D0-8301-00AA005B4383}

{2318C2B1-4965-11D4-9B18-009027A5CD4F} c:\program files\google\googletoolbar1.dll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{2318C2B1-4965-11D4-9B18-009027A5CD4F}

{4D5C8C25-D075-11d0-B416-00C04FB90376} C:\WINNT\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}

{32683183-48A0-441B-A342-7C2A440A9478} C:\WINNT\System32\browseui.dll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{32683183-48A0-441B-A342-7C2A440A9478}

{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1} C:\WINNT\system32\shell32.dll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}

{EFA24E61-B078-11D0-89E4-00C04FC9E26E} C:\WINNT\System32\shdocvw.dll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}

{EFA24E62-B078-11D0-89E4-00C04FC9E26E} C:\WINNT\System32\shdocvw.dll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}

{EFA24E64-B078-11D0-89E4-00C04FC9E26E} C:\WINNT\System32\shdocvw.dll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}


****************************************
All processes:

[System Process]
System
SMSS.EXE
CSRSS.EXE
WINLOGON.EXE
SERVICES.EXE
LSASS.EXE
svchost.exe
spoolsv.exe
svchost.exe
HFNetChkProServ
mdm.exe
NTRtScan.exe
OfcPfwSvc.exe
regsvc.exe
mstask.exe
TmListen.exe
WinMgmt.exe
MsPMSPSv.exe
svchost.exe
TP4EE6.EXE
explorer.exe
qttask.exe
gcasServ.exe
PccNTMon.exe
CTFMON.EXE
InstallStub.exe
WZQKPICK.EXE
gcasDtServ.exe
spywarescanner.

Go here to analyse the running processes:
http://www.kephyr.com/filedb/index.php

****************************************
Internet Explorer Settings:

http://www.google.com/keyword/%s
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchUrl\

Default_Page_URL http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL

Default_Search_URL
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL

Local Page C:\WINNT\System32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page

Search Page http://www.google.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page

Start Page http://www.exxcel.com/
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page

SearchAssistant http://www.google.com/ie
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant

CustomizeSearch http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch

http://
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix\

www http://
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\www

Search
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search

http://www.google.com/keyword/%s
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\

provider gogl
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\provider

Default_Page_URL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Page_URL

Default_Search_URL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL

Local Page C:\WINNT\System32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page

Search Bar http://www.google.com/ie
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar

Search Page http://www.google.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page

Start Page http://www.exxcel.com/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page

Use Search Asst no
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Use Search Asst

SearchAssistant
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchAssistant

CustomizeSearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\CustomizeSearch


****************************************




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users