Hijack Log [Archive] - SpeedGuide.net Broadband Community

Jaman
01-09-08, 10:24 AM
Friend's comp is screwed up, and since posting the log for my computer helped last time, I figured I'd run HijackThis on hers and post it here. Any help would be great!

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\S24EvMon.exe
C:\Program Files\Healthcare Management Systems\VPN_Client\cvpnd.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINNT\system32\LxrJD31s.exe
C:\WINNT\System32\RegSrvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZCfgSvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\1XConfig.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\AGRSMMSG.exe
C:\WINNT\winshow .exe
C:\WINNT\Gwang.exe
C:\WINNT\win32098108776768.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\?icrosoft\w?nspool.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\PROGRA~1\MICROS~3\Office\OUTLOOK.EXE
C:\Documents and Settings\pks671\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {61CA9648-7A9A-46C8-8D7A-00C57096CF4E} - (no file)
O2 - BHO: (no name) - {8E3FBDE2-7DBD-4040-85D9-29BBC559C129} - (no file)
O2 - BHO: (no name) - {C2DEA941-63A9-3E06-DA2B-4BE674F50DCD} - (no file)
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [winshow] "C:\WINNT\winshow .exe"
O4 - HKLM\..\Run: [TMT] C:\WINNT\Gwang.exe
O4 - HKLM\..\Run: [win32098108776768] C:\WINNT\win32098108776768.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Dewnb] C:\WINNT\system32\?icrosoft\w?nspool.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Healthcare Management Systems\VPN_Client\ipsecdialer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://hmstn.webex.com/client/T25L/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BCHOSP.BCH-JBR.ORG
O17 - HKLM\Software\..\Telephony: DomainName = BCHOSP.BCH-JBR.ORG
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD1EF361-8EE8-475A-8D0E-5315831071D8}: NameServer = 216.84.135.7,216.84.135.8
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BCHOSP.BCH-JBR.ORG
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = BCHOSP.BCH-JBR.ORG
O20 - Winlogon Notify: opnmljg - opnmljg.dll (file missing)
O20 - Winlogon Notify: Sebring - c:\WINNT\System32\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Healthcare Management Systems\VPN_Client\cvpnd.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINNT\SYSTEM32\LxrJD31s.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\System32\S24EvMon.exe

mnosteele52
01-09-08, 02:31 PM
There are quite a few malicious things I see, but first follow these instructions. Uninstall CA Antivirus; it sucks, and it's not catching active malware on your PC.

If you think your computer has been compromised by malware then please follow these instructions for proper cleanup.

1. Disable System Restore, then reboot your PC; this will delete all old restore points.

2. Download and run CrapCleaner (http://www.ccleaner.com/); this will clean out all of your temporary and junk files.

3. Do a free online virus scan from BitDefender (http://www.bitdefender.com/scan8/ie.html) and remove all that it finds.

4. Download, update and do a full system scan with SpyBot Search & Destroy 1.5.1 (http://www.safer-networking.org/en/download/index.html) and remove all that it finds.

5. Download, update and do a full system scan with Ad-Aware 2007 (http://www.majorgeeks.com/Ad-Aware_2007_d506.html) and remove all that it finds.

6. Download, update and do a full system scan with SUPERAntiSpyware (http://www.superantispyware.com/) and remove all that it finds.

7. Download, update and do a full system scan with AVG Anti-Spyware (http://www.ewido.net/en/download) and remove all that it finds.

8. Download and run AutoRuns (http://www.microsoft.com/technet/sysinternals/utilities/Autoruns.mspx) and see if there is anything suspicious. You have to know what you are looking for, but it is an invaluable tool; it is kind of like HijackThis on steroids.

9. Download, update and do a full system scan with Windows Defender (http://www.microsoft.com/downloads/details.aspx?familyid=435BFCE7-DA2B-4A6A-AFA4-F7F14E605A0D&displaylang=en) and remove all that it finds.

10. Download the free 15-day trial of CounterSpy (http://www.majorgeeks.com/CounterSpy_d4520.html) and do a full system scan; you can remove this after you use it if you like.

11. Download and do a scan with HijackThis 2.0.0 (http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php?page=download) and post the results here in the forums so I can assist you.

12. Download and update SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) to help stay malware free.

13. Use ZonedOut (http://www.funkytoad.com/content/view/15/33/) to help prevent future infections.

14. If you are not already using Kaspersky Anti-Virus, BitDefender Anti-Virus or NOD32 Anti-Virus, then uninstall your current anti-virus program (Norton, McAfee, TrendMicro etc.) and install, then update and scan with, the free 30-day trial of Kaspersky Anti-Virus 7 (http://usa.kaspersky.com/downloads/KAV-product-update.php); or, if you prefer to stick with a free antivirus program, I would recommend AntiVir Personal Edition (http://majorgeeks.com/download955.html).

15. Do ALL of the latest Windows Updates to ensure your OS is patched properly.

:D
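The reply above says it sees "quite a few malicious things" without naming them. The tells in the posted log are the ones a helper scans for by eye: an executable with a space before its extension ("winshow .exe", "qttask .exe" masquerading as the real qttask.exe), a path shown with "?" characters because the file name contains characters the log cannot print (w?nspool.exe), random-looking executables sitting directly in C:\WINNT, and orphaned O2/O20/O23 entries whose file is gone. The Python script below is an added example, not code from either poster or from HijackThis; it applies those heuristics to lines copied from the log above (with a few clean entries for contrast). The allow-list of legitimate Windows-root executables and the reason labels are my own assumptions.

```python
"""Heuristic triage of HijackThis O2/O4/O20/O23 lines (added example)."""
import re

# Constructed sample: lines copied from the HijackThis log posted above, with
# some clean entries (Adobe BHO, SynTPLpr, WgaLogon) kept for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [winshow] "C:\WINNT\winshow .exe"
O4 - HKLM\..\Run: [TMT] C:\WINNT\Gwang.exe
O4 - HKLM\..\Run: [win32098108776768] C:\WINNT\win32098108776768.exe
O4 - HKCU\..\Run: [Dewnb] C:\WINNT\system32\?icrosoft\w?nspool.exe
O20 - Winlogon Notify: opnmljg - opnmljg.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
"""

# First drive-letter path ending in a binary extension (lazy, so "qttask .exe"
# is captured whole, including the embedded space).
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]+?\.(?:exe|dll|com|scr|sys))(?![A-Za-z0-9])', re.I)
NAME_RE_O4 = re.compile(r'\[([^\]]+)\]')            # O4: value name in [brackets]
NAME_RE = re.compile(r'^O\d+ - [^:]+: (.+?) - ')     # O2/O20/O23: name before " - "
# A file directly in the Windows root (C:\WINNT\foo.exe), not in a subfolder.
WINDIR_ROOT_RE = re.compile(r'^[A-Za-z]:\\(?:WINNT|WINDOWS)\\[^\\]+$', re.I)
# Assumed allow-list of binaries that legitimately live in the Windows root.
WINDIR_ALLOW = {"explorer.exe", "agrsmmsg.exe", "regedit.exe", "notepad.exe"}


def triage_line(line):
    """Return a finding dict for one log line, or None if nothing looks off."""
    m = NAME_RE_O4.search(line) if line.startswith("O4") else NAME_RE.match(line)
    if not m:
        return None
    name = m.group(1)
    pm = PATH_RE.search(line)
    path = pm.group(1) if pm else None
    reasons = []
    # Registered entry whose backing file no longer exists (leftover or
    # self-deleting dropper); harmless for iPod, suspicious for Winlogon Notify.
    if "(no file)" in line or "(file missing)" in line:
        reasons.append("orphan")
    if path:
        base = path.rsplit("\\", 1)[-1]
        # "winshow .exe" / "qttask .exe": a space before the extension is a
        # distinct file, used to impersonate a well-known binary name.
        if re.search(r"\S \.[A-Za-z]{3}$", base):
            reasons.append("space_before_ext")
        # '?' is how non-printable / non-ASCII characters in a name appear in
        # the log; "?icrosoft" is a look-alike folder, not Microsoft.
        if "?" in path:
            reasons.append("unprintable_char")
        # Arbitrary executables dropped straight into C:\WINNT.
        if WINDIR_ROOT_RE.match(path) and base.lower() not in WINDIR_ALLOW:
            reasons.append("windir_root")
        # Machine-generated names like win32098108776768.exe.
        if re.search(r"\d{6,}", base):
            reasons.append("digit_run")
    if not reasons:
        return None
    return {"kind": line.split(" ", 1)[0], "name": name, "path": path, "reasons": reasons}


def scan(log_text):
    """Triage every non-blank line; returns the list of findings in log order."""
    return [f for f in (triage_line(l.strip()) for l in log_text.splitlines()) if f]


def flagged_names(log_text):
    """Convenience: the set of entry names that raised at least one reason."""
    return {f["name"] for f in scan(log_text)}


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['kind']:<4} {f['name']:<22} {', '.join(f['reasons']):<32} {f['path']}")
```

Run it against a full log and the flagged entries are exactly the O4/O20 lines the helper would tell you to fix; the "orphan" label alone is low signal (the iPod service is just an uninstall leftover), so treat it as a prompt to look, not a verdict.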