
[Solved]Hjt Logs


KansasConnection


Had some trojan issues lately but think I got 'em all. :blink: Could y'all check my log, please? Many thanks in advance. :mrwinky:

 

Logfile of HijackThis v1.99.0

Scan saved at 10:47:43 PM, on 1/7/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Motherboard Monitor 5\MBM5.EXE

C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\program files\valve\steam\steam.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

R3 - URLSearchHook: Search - {2365A327-36F4-4E4F-A274-45AD275806B3} - C:\WINDOWS\system32\Q99312.dll

O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\system32\iecust.dll (file missing)

O3 - Toolbar: Search - {48C56539-1900-4C69-95EE-77C03CCC28D8} - C:\WINDOWS\system32\Q99312.dll

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

O4 - HKCU\..\Run: [steam] "c:\program files\valve\steam\steam.exe" -silent

O4 - Global Startup: winlogin.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll

O9 - Extra button: Search - {48C56539-1900-4C69-95EE-77C03CCC28D8} - C:\WINDOWS\system32\Q99312.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/beta/PCPitstop.cab?6750

O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://pcpitstop.com/antivirus/PitPav.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{7462904E-9DD4-4F58-BE3E-FE7B3A365F51}: NameServer = 69.50.166.94,69.31.80.244

O17 - HKLM\System\CCS\Services\Tcpip\..\{78BDCAD9-54D3-4FD0-B060-3704FB15AB91}: NameServer = 69.50.166.94,69.31.80.244

O17 - HKLM\System\CCS\Services\Tcpip\..\{7E2AB300-80A9-4ADD-A7E7-4B23EB955654}: NameServer = 69.50.166.94,69.31.80.244

O17 - HKLM\System\CCS\Services\Tcpip\..\{C494D20B-9D3D-4273-9B89-6066B3F48331}: NameServer = 69.50.166.94,69.31.80.244

O20 - AppInit_DLLs: 1smomj38lpkph2i.dll.dll.dll

O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: InCD Helper (read only) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe


AVG is known to find and fix the bad files related to this infection. Please update the definition files and do a full system scan.

 

Download the Pocket KillBox

Unzip the file to your desktop.

Open the Killbox.

 

Select the Delete on reboot option.

 

In the 'Full Path of File to Delete' box, copy and paste the following, clicking the 'Delete File' button (red circle with a white X) after pasting:

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe

 

It will prompt you to reboot; press the NO button. Instead, copy and paste the following and click the 'Delete File' button again:

 

C:\WINDOWS\system32\Q99312.dll

 

Then repeat for these files also:

 

C:\WINDOWS\System32\1smomj38lpkph2i.dll.dll.dll

 

When it prompts for a reboot, do so.

 

Scan with HijackThis and tick the boxes next to all the following entries, then close all browser and Explorer windows, and hit the "Fix checked" button.

 

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

R3 - URLSearchHook: Search - {2365A327-36F4-4E4F-A274-45AD275806B3} - C:\WINDOWS\system32\Q99312.dll

 

O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\system32\iecust.dll (file missing)

O3 - Toolbar: Search - {48C56539-1900-4C69-95EE-77C03CCC28D8} - C:\WINDOWS\system32\Q99312.dll

 

O4 - Global Startup: winlogin.exe

 

O9 - Extra button: Search - {48C56539-1900-4C69-95EE-77C03CCC28D8} - C:\WINDOWS\system32\Q99312.dll

 

O20 - AppInit_DLLs: 1smomj38lpkph2i.dll.dll.dll

 

Reboot and post another log please.

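As an added illustration of the triage done in the reply above (this is not code from the thread, from HijackThis, or from the helper), a small Python script that parses HijackThis log lines and flags the entry types the reply singled out: a search URL with a `%s` placeholder, a URLSearchHook DLL, a toolbar whose DLL is missing, an executable in the all-users Startup folder, a registry-set NameServer, and a non-empty AppInit_DLLs value. The sample lines are copied from the log posted in this thread; the rules and the look-alike name table are my own heuristics and are constructed for the example.

```python
import re

# Constructed sample: lines taken from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R3 - URLSearchHook: Search - {2365A327-36F4-4E4F-A274-45AD275806B3} - C:\WINDOWS\system32\Q99312.dll
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\system32\iecust.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Global Startup: winlogin.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7462904E-9DD4-4F58-BE3E-FE7B3A365F51}: NameServer = 69.50.166.94,69.31.80.244
O20 - AppInit_DLLs: 1smomj38lpkph2i.dll.dll.dll
"""

# Each HijackThis entry starts with a section code (R0, R1, O4, ...) followed by " - ".
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")

# Constructed look-alike table: startup names that mimic a real Windows binary.
LOOKALIKES = {"winlogin.exe": "winlogon.exe"}


def triage(log_text):
    """Return (section, reason, detail) tuples for entries worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # headers, process list, blank lines
        sec, body = m.group("sec"), m.group("body")
        value = body.split("=", 1)[1].strip() if "=" in body else ""
        if sec in ("R0", "R1") and value.startswith("http") and "%s" in value:
            findings.append((sec, "search queries redirected to a third-party site", value))
        elif sec == "R3":
            findings.append((sec, "URLSearchHook loads a DLL into IE", body))
        elif sec == "O3" and body.endswith("(file missing)"):
            findings.append((sec, "toolbar registered but its DLL is gone", body))
        elif sec == "O4" and body.startswith("Global Startup:"):
            exe = body.split(":", 1)[1].strip()
            reason = "executable in the all-users Startup folder"
            if exe.lower() in LOOKALIKES:
                reason += " (name mimics %s)" % LOOKALIKES[exe.lower()]
            findings.append((sec, reason, exe))
        elif sec == "O17" and "NameServer" in body:
            findings.append((sec, "DNS servers set in registry; confirm they are yours", value))
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            dll = body.split(":", 1)[1].strip()
            if dll:
                findings.append((sec, "AppInit_DLLs loads this DLL into every GUI process", dll))
    return findings


if __name__ == "__main__":
    for sec, reason, detail in triage(SAMPLE_LOG):
        print("%-4s %s: %s" % (sec, reason, detail))
```

Entries that the rules do not flag (the excite.com start page, the AVG Run key) are left out of the report, so the output lines up with the set of items the reply asked to be fixed plus the O17 servers to confirm.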

Logfile of HijackThis v1.99.0

Scan saved at 11:19:17 PM, on 1/7/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Motherboard Monitor 5\MBM5.EXE

C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\program files\valve\steam\steam.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\Program Files\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

O4 - HKCU\..\Run: [steam] "c:\program files\valve\steam\steam.exe" -silent

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/beta/PCPitstop.cab?6750

O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://pcpitstop.com/antivirus/PitPav.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{7462904E-9DD4-4F58-BE3E-FE7B3A365F51}: NameServer = 69.50.166.94,69.31.80.244

O17 - HKLM\System\CCS\Services\Tcpip\..\{78BDCAD9-54D3-4FD0-B060-3704FB15AB91}: NameServer = 69.50.166.94,69.31.80.244

O17 - HKLM\System\CCS\Services\Tcpip\..\{7E2AB300-80A9-4ADD-A7E7-4B23EB955654}: NameServer = 69.50.166.94,69.31.80.244

O17 - HKLM\System\CCS\Services\Tcpip\..\{C494D20B-9D3D-4273-9B89-6066B3F48331}: NameServer = 69.50.166.94,69.31.80.244

O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: InCD Helper (read only) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe

 

Hopefully this worked. ;) Oh, and AVG said no updates were available.
