PDA

View Full Version : HJT scan plz help

dman32
05-24-2006, 08:04 PM
Logfile of HijackThis v1.99.1
Scan saved at 7:00:27 PM, on 05/24/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Preview AdService\PrevAdServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\gprgitqo.exe
C:\Program Files\WebRebates4\webrebates.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\TopSearch\TopSearch.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Preview AdService\PrevAdKeep.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\WebRebates4\w11150.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Documents and Settings\J Barr\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ws1.appswebservice.com/index.php?tpid=10244&ttid=104
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.look.ca
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/?lang=en-ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Look Communications Inc.
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 69.64.35.177 auto.search.msn.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_3_12_0 .DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {21AB3030-14C6-442A-8BAC-8AB687C00658} - C:\WINDOWS\System32\rpcrt432.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {CEEFBC7A-589C-604A-938E-20D400F9322D} - C:\DOCUME~1\JBARR~1\APPLIC~1\TESTMF~1\onetick.exe (file missing)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_3_12_0 .DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [hostdll.exe] C:\WINDOWS\hostdll.exe
O4 - HKLM\..\Run: [Preview AdService] C:\Program Files\Preview AdService\PrevAdServ.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [gprgitqo] C:\WINDOWS\System32\gprgitqo.exe
O4 - HKLM\..\Run: [webrebates] "C:\Program Files\WebRebates4\webrebates.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [TopSearch] C:\Program Files\TopSearch\TopSearch.exe
O4 - HKLM\..\Run: [RuleExitBashBags] C:\Documents and Settings\All Users\Application Data\JUMPFASTRULEEXIT\cash 1.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Error Safe] "C:\Program Files\Error Safe Free\ers.exe" /min
O4 - HKCU\..\Run: [PLATFORMFOUR] C:\DOCUME~1\JBARR~1\APPLIC~1\GPLDRV~1\Thirdless.ex e
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Web Rebates. - file://C:\Program Files\WebRebates4\websrebates\webtrebates\toprC0.h tm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {00000000-7777-0704-0B53-2C8830E9FAEC} - [url]http://startpage.iload.to/esp.cab[/url]
O16 - DPF: {11311111-1551-1661-1771-000000000000} - [url]http://www.trafficbeer.biz/web.exe[/url]
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - [url]http://static.windupdates.com/cab/DownloadsUnlimited/ie/bridge-c18.cab[/url]
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - [url]http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab[/url]
O16 - DPF: {527196A4-B1A3-4647-931D-37BA5AF23037} - [url]http://www.trafficbeer.biz/web.exe[/url]
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - [url]http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab[/url]
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - [url]http://webcamnow.com/broadcast/ActiveXWebCam.cab[/url]
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - [url]http://advnt01.com/dialer/int_ver34.CAB[/url]
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - [url]http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab[/url]
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - [url]http://sympatico.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab[/url]
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - [url]http://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab[/url]
O16 - DPF: {FFCEABDA-C04E-7F4A-E9B6-DFA72B2F49FB} - [url]http://213.200.210.10/dl/101/CA648_100.exe[/url]
O17 - HKLM\System\CCS\Services\Tcpip\..\{25329409-4A61-4AB9-9CEA-FC342BF7C0F1}: NameServer = 207.136.100.40 209.148.64.40
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)

This is for a friends pc.
thanks
mjc
05-24-2006, 08:38 PM
You've got a couple of infections....

But you should give a bit more description as to what problems you are having.

Read this (http://www.sophos.com/virusinfo/analyses/trojbankerbo.html) and if you do any online banking immediately CALL them and ask what to do...this is a password stealer, so the least you will need is to change your password. I would do this even if your bank isn't on the list of known institutions.

Do that before we even start talking clean up...
dman32
05-25-2006, 12:40 PM
Hi mjc
First off thanks for the quick reply. Now back to the problem at hand. Ok he contacted the bank and cancelled his online banking for now. The reason for the HJT scan was due to alot of unkown icons on his desktop and the computer slowed down compared to a few weeks ago.
I installed spyblaster, spybot and scaned and fixed all problems found. I did a disk clean up and defraged aswell.
mjc
05-25-2006, 02:10 PM
Is the posted HJT a before or after?

If it is a before then we need a new one....if it is an after, then have you walked through the Sophos removal instructions?

We'll need another HJT scan after that...
classicsoftware
06-02-2006, 07:31 AM
Your PC is massively infected. If your last log was before you did any fixes you need to post another one. If not let us know as there as a great deal that needs to be removed from that log.
dman32
06-02-2006, 10:20 AM
Yiks that bad eh. Well I'll post a new log soon...sense the pc is not mine or at my house I'll have to go their and do what mjc recomended and I'llpost another at that time.
Thanks for the added reply.