hijack this log may 27

  1. #1
    theycallmedolo is offline Junior Member

    Logfile of HijackThis v1.99.1
    Scan saved at 11:02:28 AM, on 5/27/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\windows\System32\smss.exe
    C:\windows\system32\winlogon.exe
    C:\windows\system32\services.exe
    C:\windows\system32\lsass.exe
    C:\windows\system32\svchost.exe
    C:\windows\System32\svchost.exe
    C:\windows\system32\nvsvc32.exe
    C:\windows\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\windows\Explorer.EXE
    C:\windows\system32\RUNDLL32.EXE
    C:\Program Files\uTorrent\utorrent.exe
    C:\Program Files\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://altavista.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\system32\winmgd.win
    F1 - win.ini: run=C:\WINDOWS\system32\mouse_configurator.win
    F2 - REG:system.ini: Shell=
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
    O4 - HKLM\..\Run: [ioloDelayModule] C:\Program Files\iolo\System Mechanic Professional 6\delay.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKCU\..\Run: [Sound Driver] sounddrvr.exe
    O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
    O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {38F5F92F-BD40-40DF-A569-6C1FCB638190} (InSPECS3_0 Control) - http://www.powerleap.com/cab_files/InSPECS3_0.cab
    O20 - Winlogon Notify: WgaLogon - C:\windows\SYSTEM32\WgaLogon.dll
    O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
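
As an added illustration (editor's code, not part of the thread or of HijackThis), here is a small Python triage script that parses entry lines from the log above and flags the patterns a helper looks at first: the F0 Shell= line that loads a second program besides Explorer.exe, the non-empty F1 win.ini run=, the HKCU O4 autorun that is only a bare filename, and the O6 IE policy restrictions. The sample lines are copied from this log; the heuristics are the editor's own assumptions about what merits a check, not a verdict.

```python
import re

# Entry lines copied from the HijackThis log posted above (constructed sample input).
HJT_SAMPLE = r"""
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\system32\winmgd.win
F1 - win.ini: run=C:\WINDOWS\system32\mouse_configurator.win
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Sound Driver] sounddrvr.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O20 - Winlogon Notify: WgaLogon - C:\windows\SYSTEM32\WgaLogon.dll
"""

# A HijackThis entry is "<section code> - <body>", e.g. "O4 - HKCU\..\Run: [Name] cmd".
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")

def parse_hjt(text):
    """Return [(code, body), ...] for entry lines; headers and process lists are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries

def triage(entries):
    """Return [(code, reason), ...] for entries to verify first. Editor's heuristics,
    not HijackThis output: a hit means 'check this', not 'malicious'."""
    findings = []
    for code, body in entries:
        if code == "F0" and "=" in body:
            # system.ini Shell= should be Explorer.exe alone; anything appended runs at every logon
            shell = body.split("=", 1)[1].strip()
            if shell.lower() != "explorer.exe":
                findings.append((code, "extra shell program at logon: " + shell))
        elif code == "F1" and "=" in body:
            # win.ini run=/load= are legacy autostarts, normally empty on XP
            value = body.split("=", 1)[1].strip()
            if value:
                findings.append((code, "win.ini autostart set: " + value))
        elif code == "O4" and "]" in body:
            # command after the [Name] tag; a bare filename is resolved via the search path
            cmd = body.split("]", 1)[1].strip()
            if "\\" not in cmd:
                findings.append((code, "autorun with bare filename: " + cmd))
        elif code == "O6":
            # IE policy restrictions are normally seen only under domain policy
            findings.append((code, "IE policy restrictions present: " + body))
    return findings
```

Running `triage(parse_hjt(HJT_SAMPLE))` flags the F0, F1, `[Sound Driver]` O4 and O6 entries and leaves the NVIDIA, FreeRAM and WgaLogon lines alone; a flagged F0/F1 entry still has to be checked against the vendor image before anything is removed.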

  2. #2
    Neal is offline Dedicated Member
    Welcome to DAL,

    You got a worm or two running around on your computer so...

    Go here http://www.bitdefender.com/scan8/ie.html and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX Control has loaded, click on "Click here to scan" and grab a coffee.

    When BitDefender completes the scan, select the "Detected Problems" tab. Click on "Click here to export scan". Save the file as an HTML to your Desktop. Then click on the saved file and allow it to open with your browser. Go to Edit - Select All then copy/paste that log back here. Post back and let us know what it found (post the log).

    And post a new HJT log also.

  3. #3
    theycallmedolo is offline Junior Member
    BitDefender Online Scanner

    Scan report generated at: Sat, May 27, 2006 - 19:46:18
    Scan path: A:\;C:\;D:\;E:\;F:\;

    Statistics
    Time: 01:28:47
    Files: 245320
    Folders: 2099
    Boot Sectors: 4
    Archives: 951
    Packed Files: 25545

    Results
    Identified Viruses: 6
    Infected Files: 7
    Suspect Files: 1
    Warnings: 0
    Disinfected: 0
    Deleted Files: 8

    Engines Info
    Virus Definitions: 383357
    Engine build: AVCORE v1.0 (build 2310) (i386) (Apr 17 2006 16:24:38)
    Scan plugins: 13
    Archive plugins: 40
    Unpack plugins: 4
    E-mail plugins: 6
    System plugins: 1

    Scan Settings
    First Action: Disinfect
    Second Action: Delete
    Heuristics: Yes
    Enable Warnings: Yes
    Scanned Extensions: *;
    Exclude Extensions:
    Scan Emails: Yes
    Scan Archives: Yes
    Scan Packed: Yes
    Scan Files: Yes
    Scan Boot: Yes

    Scanned File - Status
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\07WP6R0D\applyc1[1].gif
      Infected with: Dropped:Trojan.Downloader.Agent.FE
      Disinfection failed
      Deleted
    C:\System Volume Information\_restore{FFC1C5FC-1AFF-40C7-8A9D-6985023D3D97}\RP838\A0435528.exe
      Infected with: Trojan.Downloader.Agent.WD
      Disinfection failed
      Deleted
    C:\System Volume Information\_restore{FFC1C5FC-1AFF-40C7-8A9D-6985023D3D97}\RP842\A0435703.exe
      Detected with: Adware.Winad.I
      Disinfection failed
      Deleted
    C:\System Volume Information\_restore{FFC1C5FC-1AFF-40C7-8A9D-6985023D3D97}\RP846\A0436983.exe
      Suspected of: BehavesLike:Win32.RemoteInjector
      Disinfection failed
      Deleted
    C:\System Volume Information\_restore{FFC1C5FC-1AFF-40C7-8A9D-6985023D3D97}\RP846\A0437831.exe
      Infected with: Trojan.Downloader.Small.AID
      Disinfection failed
      Deleted
    C:\System Volume Information\_restore{FFC1C5FC-1AFF-40C7-8A9D-6985023D3D97}\RP847\A0437887.exe
      Infected with: Trojan.Downloader.Time2Pay.AW
      Disinfection failed
      Deleted
    C:\System Volume Information\_restore{FFC1C5FC-1AFF-40C7-8A9D-6985023D3D97}\RP847\A0437894.exe
      Infected with: Trojan.Downloader.Adload.AI
      Disinfection failed
      Deleted
    C:\WINDOWS\Icp3p2BxK0.exe
      Infected with: Trojan.Downloader.Small.AID
      Disinfection failed
      Deleted

    Logfile of HijackThis v1.99.1
    Scan saved at 7:49:06 PM, on 5/27/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\windows\System32\smss.exe
    C:\windows\system32\winlogon.exe
    C:\windows\system32\services.exe
    C:\windows\system32\lsass.exe
    C:\windows\system32\svchost.exe
    C:\windows\System32\svchost.exe
    C:\windows\Explorer.EXE
    C:\windows\system32\RUNDLL32.EXE
    C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
    C:\windows\system32\nvsvc32.exe
    C:\windows\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://altavista.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\system32\winmgd.win
    F1 - win.ini: run=C:\WINDOWS\system32\mouse_configurator.win
    F2 - REG:system.ini: Shell=
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [Sound Driver] sounddrvr.exe
    O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
    O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {38F5F92F-BD40-40DF-A569-6C1FCB638190} (InSPECS3_0 Control) - http://www.powerleap.com/cab_files/InSPECS3_0.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O20 - Winlogon Notify: AutorunsDisabled - C:\windows\
    O20 - Winlogon Notify: WgaLogon - C:\windows\
    O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    That's it, hopefully you guys can help.

  4. #4
    theycallmedolo is offline Junior Member
    Also, there was a second user account made without my consent. I don't know if that is related, but when I saw it, that was news to me.

  5. #5
    Neal is offline Dedicated Member
    OK, thanks for that info. Never heard of an account being created on its own before.

    Let's do this and see what turns up.

    To clean your temp folder, recycle bin, etc., please download this free tool:

    CCleaner

    Don't install any toolbars or other programs, should it ask you! Just uncheck the option of installing the Yahoo toolbar.
    It will put a shortcut on your Desktop.
    Click on CCleaner to start it. Then click "Run Cleaner"; just use the Windows tab, which is up front by default.

    Then Reboot (Exit)

    Then...

    Please download, install, and update the NEW free version of Ewido trojan scanner:

    When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".

    When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

    From the main ewido screen, click on update in the left menu, then click the Start update button.

    After the update finishes (the status bar at the bottom will display "Update successful")

    Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.

    If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.

    When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

    Post the log Ewido makes back here please and a new hijackthis log. Thanks.
