
interpret hijackthis log?

Discussion in 'Virus & Other Malware Removal' started by aeternanox, Sep 17, 2003.

  1. aeternanox

    aeternanox Thread Starter

    Joined:
    Sep 17, 2003
    Messages:
    11
    Hi! I stumbled upon this board - hopefully someone here can help me. I found the viruses worm_spybot.b and backdoor.sdbot.gen on my computer. I've deleted the files that contained them with a system cleaner, and I've deleted one registry key related to them, but I'm not sure what else to delete. I ran hijackthis, so can someone please interpret my log to help me get rid of these little suckers? Thanks. -Lacey-

    Logfile of HijackThis v1.97.2
    Scan saved at 2:26:16 PM, on 9/17/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\WScript.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
    C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    C:\WINDOWS\System32\ndmonNT.exe
    C:\Program Files\Internet Neighborhood\clipmon.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\WINDOWS\System32\explorer32.exe
    D:\PROGRA~1\PERSON~1\MpfTray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\ClearSearch\Loader.exe
    C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
    D:\America Online 9.0\aoltray.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\System32\cisvc.exe
    D:\PROGRA~1\PERSON~1\MPFSERVICE.exe
    D:\PROGRA~1\PERSON~1\MpfAgent.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
    C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
    D:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\cnmsm3m.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    c:\progra~1\Support.com\client\bin\tgcmd.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\cidaemon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\MOStat.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\AeternalisNox\Local Settings\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/?.refer=slv&.intl=us
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/yessentials/defaults/*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_3.dll
    O2 - BHO: (no name) - {2E12B523-3D4C-4FAC-9B04-0376A8F5E879} - c:\windows\WindowsIE.dll
    O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
    O2 - BHO: (no name) - {A3A5A240-8350-49D9-9E90-88CED2EBF28D} - C:\WINDOWS\system32\mo030414s.dll
    O2 - BHO: (no name) - {B396F546-85D5-4158-9109-6774BECDE0F2} - C:\WINDOWS\system32\fqzjukhd.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_3.dll
    O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
    O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    O4 - HKLM\..\Run: [BearShare] C:\PROGRA~1\BEARSH~1\BEARSH~1.EXE /pause
    O4 - HKLM\..\Run: [Drive Monitoring Agent] C:\WINDOWS\System32\ndmonNT.exe
    O4 - HKLM\..\Run: [IN Clipboard Monitor] C:\Program Files\Internet Neighborhood\clipmon.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\web\printers\images\update.bat
    O4 - HKLM\..\Run: [WorkFlo] F:\Install\WorkFlow.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [SysExplore] C:\WINDOWS\System32\explorer32.exe
    O4 - HKLM\..\Run: [MPFExe] D:\PROGRA~1\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
    O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
    O4 - HKLM\..\Run: [MSConfig] C:\EmergencyUtils\MSConfig1.exe /auto
    O4 - HKCU\..\Run: [Communicator] C:\Program Files\Lilo & Stitch Fun Pak\Communicator.exe
    O4 - HKCU\..\Run: [PopupKiller] C:\PROGRA~1\POPUPK~1\PopupKiller.exe
    O4 - Startup: BJ Status Monitor Canon S520.lnk = C:\Documents and Settings\AeternalisNox\cnmss3m.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = D:\America Online 9.0\aoltray.exe
    O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
    O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
    O4 - Global Startup: Real-time Monitor.lnk = ?
    O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
    O4 - Global Startup: ZoneAlarm.lnk = D:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O9 - Extra button: Yahoo! Login (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: {01111E00-3E00-11D2-8470-0060089874ED} (Support.com SmartIssue) - http://support.charter.com/sdccommon/download/tgctlsi.cab
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.charter.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1269/ftp.coupons.com/v6/brix6ie.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
    O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://otx.ifilm.com/OTXMedia/OTXMedia.dll
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0603dec34f6b5ad46f06/netzip/RdxIE601.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.communities.msn.com/controls/FileUC/MsnUpld.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - c:\program files\yahoo!\installs\ymmapi.dll
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {C6B086D2-146B-47A4-A218-B82DCAF2D872} (cpbrxpie Control) - http://a19.g.akamai.net/7/19/7125/4007/ftp.coupons.com/r3120/cpbrxpie.cab
    O16 - DPF: {C7B05B62-C8D7-438C-840B-4994DAAA8EEE} (PdpPi Class) - http://webpdp.gator.com/v3/download/pdpplugin5094_hd3ptdmgainads.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
    O16 - DPF: {E3F7205F-2AE0-4BF0-816B-2D24A5F20EC7} (EGStripDownload Class) - http://fr4-download.strip-player.com/download/stripplayer/bin/activestripsetup_minsize.cab
     
  2. putasolution

    putasolution

    Joined:
    Mar 20, 2003
    Messages:
    4,823
    First thing you have to do, aeternanox, is to update and run your antivirus as you appear to have contracted the Backdoor.Fraggle Trojan


    You will need to temporarily disable System restore

    Once done, Download and run Spybot

    Once installed, start it,
    Click Updates | Search for Updates
    and if necessary Download Updates

    Now Click Search and destroy
    Click Check for Problems

    It may take a bit of time to do the scan, but when done, put a check mark against the red and green labelled items and click Fix Selected Problems

    Once done, repost a new Hijack this log :)
     
  3. aeternanox

    aeternanox Thread Starter

    Joined:
    Sep 17, 2003
    Messages:
    11
    Okie dokie! I installed and ran spybot. I got rid of a buncha junk. Also, I thought that I'd mention that every time I boot windows in regular mode there's a small window that's labeled "UPDATE". I know that it's part of a virus. Inside of that window is another window in which the virus is trying to log into IRC through port 6667. It tries twice and fails. There's also another window in the UPDATE window that's labeled "@microsoft.windows.update" and it keeps popping up over the IRC window to hide the connection attempts. Not sure if that helps in diagnosing the problem. I've read that the viruses I have both try to connect through IRC. Here's my new log:

    Logfile of HijackThis v1.97.2
    Scan saved at 3:54:20 PM, on 9/17/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\System32\cisvc.exe
    D:\PROGRA~1\PERSON~1\MPFSERVICE.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    D:\PROGRA~1\PERSON~1\MpfAgent.exe
    C:\WINDOWS\System32\cidaemon.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\WScript.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
    C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    C:\WINDOWS\System32\ndmonNT.exe
    C:\Program Files\Internet Neighborhood\clipmon.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\WINDOWS\System32\explorer32.exe
    D:\PROGRA~1\PERSON~1\MpfTray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
    D:\America Online 9.0\aoltray.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
    C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
    D:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\cnmsm3m.exe
    c:\progra~1\Support.com\client\bin\tgcmd.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\AeternalisNox\Local Settings\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/?.refer=slv&.intl=us
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/yessentials/defaults/*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_3.dll
    O2 - BHO: (no name) - {B396F546-85D5-4158-9109-6774BECDE0F2} - C:\WINDOWS\system32\fqzjukhd.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_3.dll
    O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
    O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    O4 - HKLM\..\Run: [BearShare] C:\PROGRA~1\BEARSH~1\BEARSH~1.EXE /pause
    O4 - HKLM\..\Run: [Drive Monitoring Agent] C:\WINDOWS\System32\ndmonNT.exe
    O4 - HKLM\..\Run: [IN Clipboard Monitor] C:\Program Files\Internet Neighborhood\clipmon.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\web\printers\images\update.bat
    O4 - HKLM\..\Run: [WorkFlo] F:\Install\WorkFlow.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [SysExplore] C:\WINDOWS\System32\explorer32.exe
    O4 - HKLM\..\Run: [MPFExe] D:\PROGRA~1\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
    O4 - HKLM\..\Run: [MSConfig] C:\EmergencyUtils\MSConfig1.exe /auto
    O4 - HKCU\..\Run: [Communicator] C:\Program Files\Lilo & Stitch Fun Pak\Communicator.exe
    O4 - HKCU\..\Run: [PopupKiller] C:\PROGRA~1\POPUPK~1\PopupKiller.exe
    O4 - Startup: BJ Status Monitor Canon S520.lnk = C:\Documents and Settings\AeternalisNox\cnmss3m.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = D:\America Online 9.0\aoltray.exe
    O4 - Global Startup: Real-time Monitor.lnk = ?
    O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
    O4 - Global Startup: ZoneAlarm.lnk = D:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O9 - Extra button: Yahoo! Login (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: {01111E00-3E00-11D2-8470-0060089874ED} (Support.com SmartIssue) - http://support.charter.com/sdccommon/download/tgctlsi.cab
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.charter.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1269/ftp.coupons.com/v6/brix6ie.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
    O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://otx.ifilm.com/OTXMedia/OTXMedia.dll
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0603dec34f6b5ad46f06/netzip/RdxIE601.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.communities.msn.com/controls/FileUC/MsnUpld.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - c:\program files\yahoo!\installs\ymmapi.dll
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {C6B086D2-146B-47A4-A218-B82DCAF2D872} (cpbrxpie Control) - http://a19.g.akamai.net/7/19/7125/4007/ftp.coupons.com/r3120/cpbrxpie.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
    O16 - DPF: {E3F7205F-2AE0-4BF0-816B-2D24A5F20EC7} (EGStripDownload Class) - http://fr4-download.strip-player.com/download/stripplayer/bin/activestripsetup_minsize.cab

    You might notice, too, that there's something called a "strip-player". I think it installed through my browser and I've been trying to get it the heck off of my computer. I'm pretty sure that it's porn related. Is there a registry key or something that I should delete for that? It angers me - all the porn on the web - so, I feel strongly about keeping that stuff out of my system.

    Thanks again!
     
  4. putasolution

    putasolution

    Joined:
    Mar 20, 2003
    Messages:
    4,823
    Restart Hijack this and put a check mark against the following:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
    O2 - BHO: (no name) - {B396F546-85D5-4158-9109-6774BECDE0F2} - C:\WINDOWS\system32\fqzjukhd.dll
    O4 - HKLM\..\Run: [BearShare] C:\PROGRA~1\BEARSH~1\BEARSH~1.EXE /pause
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\web\printers\images\update.bat
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [SysExplore] C:\WINDOWS\System32\explorer32.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MSConfig] C:\EmergencyUtils\MSConfig1.exe /auto
    O4 - HKCU\..\Run: [Communicator] C:\Program Files\Lilo & Stitch Fun Pak\Communicator.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0603dec34f6b5a...ip/RdxIE601.cab
    O16 - DPF: {C6B086D2-146B-47A4-A218-B82DCAF2D872} (cpbrxpie Control) - http://a19.g.akamai.net/7/19/7125/4...20/cpbrxpie.cab
    O16 - DPF: {E3F7205F-2AE0-4BF0-816B-2D24A5F20EC7} (EGStripDownload Class) - http://fr4-download.strip-player.co...tup_minsize

    Click Fix checked

    Restart your computer

    Go to C:\Program files\System32

    Find, Right Click and delete the P2P Networking folder
    Find, Right Click and delete explorer32.exe
    Find, right click and delete fqzjukhd.dll
     
  5. aeternanox

    aeternanox Thread Starter

    Joined:
    Sep 17, 2003
    Messages:
    11
    Woohoo! Well, that "UPDATE" window with the IRC connection attempts isn't popping up anymore! Everything seems like it's back to normal. Thank you so much! I'm going to post another hijackthis log in case I've missed anything. Also, the folder that update.bat was located in (which I guessed was partly responsible for the "UPDATE" window) - I was wondering if anything else in there should be deleted. The update.bat file is gone now, of course, so is the rest of this stuff okay? Here are the remaining contents of c:\WINDOWS\Web\printers\images:

    cygregex.dll
    cygwin1.dll
    first.bat
    first.exe
    ipp_0002.gif
    ipp_0003.gif
    ipp_0004.gif
    ipp_0005.gif
    ipp_0012.gif
    ipp_0015.gif
    ir.dll
    libeay32.dll
    regex.dll
    scvhost.exe
    ServUCert.crt
    ServUCert.key
    servudaemon.ini
    ssleay32.dll
    su.txt
    suw.txt
    TzoLibr.dll

    The GIF files look normal - but most of those other files look pretty suspicious to me - especially considering the folder that they're in and that update.bat was located with them.

    And here's my latest hijackthis log:

    Logfile of HijackThis v1.97.2
    Scan saved at 5:02:50 PM, on 9/17/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\WScript.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
    C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    C:\WINDOWS\System32\ndmonNT.exe
    C:\Program Files\Internet Neighborhood\clipmon.exe
    D:\PROGRA~1\PERSON~1\MpfTray.exe
    C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
    D:\America Online 9.0\aoltray.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
    C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
    D:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
    C:\Program Files\AOL COMPANION\COMPANION.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\System32\cisvc.exe
    D:\PROGRA~1\PERSON~1\MPFSERVICE.exe
    D:\PROGRA~1\PERSON~1\MpfAgent.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    c:\progra~1\Support.com\client\bin\tgcmd.exe
    C:\WINDOWS\System32\wuauclt.exe
    D:\Warez\Windows Tools\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/?.refer=slv&.intl=us
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/yessentials/defaults/*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_3.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_3.dll
    O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
    O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    O4 - HKLM\..\Run: [Drive Monitoring Agent] C:\WINDOWS\System32\ndmonNT.exe
    O4 - HKLM\..\Run: [IN Clipboard Monitor] C:\Program Files\Internet Neighborhood\clipmon.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [WorkFlo] F:\Install\WorkFlow.exe
    O4 - HKLM\..\Run: [MPFExe] D:\PROGRA~1\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
    O4 - HKCU\..\Run: [PopupKiller] C:\PROGRA~1\POPUPK~1\PopupKiller.exe
    O4 - Startup: BJ Status Monitor Canon S520.lnk = C:\Documents and Settings\AeternalisNox\cnmss3m.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = D:\America Online 9.0\aoltray.exe
    O4 - Global Startup: Real-time Monitor.lnk = ?
    O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
    O4 - Global Startup: ZoneAlarm.lnk = D:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O9 - Extra button: Yahoo! Login (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: {01111E00-3E00-11D2-8470-0060089874ED} (Support.com SmartIssue) - http://support.charter.com/sdccommon/download/tgctlsi.cab
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.charter.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1269/ftp.coupons.com/v6/brix6ie.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
    O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://otx.ifilm.com/OTXMedia/OTXMedia.dll
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.communities.msn.com/controls/FileUC/MsnUpld.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - c:\program files\yahoo!\installs\ymmapi.dll
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab

    Jeez, I think I need to take some classes on this stuff - I was thinking of majoring in computer science and it might do me a whole lot of good! :)
     
  6. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Regarding those "suspicious" files, most of them are worm files...

    http://symantec.com.tw/avcenter/venc/data/w32.tkbot.worm.html

    ... including scvhost.exe which is a permutation of the legit svchost.exe

    Can you account for what this startup is doing?

    O4 - HKLM\..\Run: [Drive Monitoring Agent] C:\WINDOWS\System32\ndmonNT.exe

    I can't find any hits for it and looks suspiciously like it might be a keylogging trojan.

    Also you will find that running two antivirus programs simultaneously is widely discouraged. They may interfere with each other at crucial times.

    Finally, one doesn't like to see wscript.exe (C:\WINDOWS\System32\WScript.exe)

    as a Running Task without knowing what is putting it there. It is not a "normal" startup and is used to run scripts which may or may not be legit.

    Never seen this before either and can't find any info on it, perhaps you could enlighten...

    O4 - HKLM\..\Run: [IN Clipboard Monitor] C:\Program Files\Internet Neighborhood\clipmon.exe
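    The checks the helpers apply by eye in this thread (a proxy set in the R1 line, a "(no name)" BHO, a .bat or .vbs under an autostart key, an autostart living in a folder like \web\printers\images, and a running process whose name is a near-miss of a system binary such as scvhost.exe against svchost.exe) can be written down as a small triage pass over a HijackThis log. The script below is an added example and is not from the thread or from HijackThis itself; the log excerpt is constructed from lines in the shape of the logs above (scvhost.exe is placed in the process list for illustration), and the lists of known system binaries, suspicious autostart folders and script extensions are assumptions of this example, not a published detection list.

```python
import re
from collections import namedtuple

# Constructed excerpt in the shape of the HijackThis 1.97 logs posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\explorer32.exe
C:\WINDOWS\web\printers\images\scvhost.exe
C:\WINDOWS\System32\WScript.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
O2 - BHO: (no name) - {B396F546-85D5-4158-9109-6774BECDE0F2} - C:\WINDOWS\system32\fqzjukhd.dll
O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\web\printers\images\update.bat
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [SysExplore] C:\WINDOWS\System32\explorer32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
"""

Entry = namedtuple("Entry", "section name target raw")
Finding = namedtuple("Finding", "rule detail")

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<key>.*?): \[(?P<name>[^\]]*)\] ?(?P<target>.*)$")

# Assumed lists for this example: core Windows binaries that malware imitates by name,
# folders that should never host an autostart, and extensions that run via wscript/cmd.
KNOWN_SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                         "lsass.exe", "svchost.exe", "explorer.exe", "spoolsv.exe"}
SUSPICIOUS_AUTOSTART_DIRS = ("\\web\\printers\\images", "\\local settings\\temp\\")
SCRIPT_EXTENSIONS = (".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".wsf")


def file_name(path):
    """Last path component, handling Windows separators even on POSIX."""
    return path.replace("\\", "/").rstrip("/").rsplit("/", 1)[-1]


def program_path(value):
    """Program path from an O4 value: drop surrounding quotes and trailing arguments."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    for sep in (" /", " -"):
        if sep in value:
            value = value.split(sep, 1)[0]
    return value


def levenshtein(a, b):
    """Edit distance, used to spot near-miss names like scvhost.exe vs svchost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_entry(section, body, raw):
    """Split one R/O line into (section, name, load target)."""
    if section == "O4":
        m = O4_RE.match(body)
        if m:
            return Entry(section, m.group("name"), m.group("target"), raw)
    if section.startswith("R") and " = " in body:
        key, value = body.split(" = ", 1)
        return Entry(section, key.rsplit(",", 1)[-1], value, raw)
    # O2 (BHO: name - {CLSID} - dll), O16 (DPF: {CLSID} (name) - url) and others:
    # the load target is the last " - " separated segment.
    parts = body.split(" - ")
    return Entry(section, parts[0], parts[-1].strip(), raw)


def parse_log(text):
    """Return (running processes, parsed R/O entries) from HijackThis log text."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False  # a blank line ends the process block
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(parse_entry(m.group("section"), m.group("body"), line))
    return processes, entries


def triage(processes, entries):
    """Apply the thread's eyeball checks as explicit rules; returns Finding records."""
    findings = []
    for proc in processes:
        name = file_name(proc).lower()
        if name in KNOWN_SYSTEM_BINARIES:
            continue
        for known in sorted(KNOWN_SYSTEM_BINARIES):
            if levenshtein(name, known) <= 2:
                findings.append(Finding("lookalike-process", f"{proc} resembles {known}"))
                break
    for e in entries:
        if e.section in ("R0", "R1") and e.name == "ProxyServer" and e.target.strip():
            findings.append(Finding("proxy-set", e.raw))
        elif e.section == "O2" and e.name.endswith("(no name)"):
            findings.append(Finding("unnamed-bho", e.target))
        elif e.section == "O4":
            prog = program_path(e.target).lower()
            if prog.endswith(SCRIPT_EXTENSIONS):
                findings.append(Finding("script-autostart", e.raw))
            if any(d in prog for d in SUSPICIOUS_AUTOSTART_DIRS):
                findings.append(Finding("odd-autostart-dir", e.raw))
    return findings


def analyse(text):
    return triage(*parse_log(text))


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"[{f.rule}] {f.detail}")
```

On the excerpt this reports both lookalike processes, the proxy line, the unnamed BHO and both script autostarts, and update.bat a second time for its folder; a hit is a reason to look, not a verdict, which is why NeroCheck.exe and the RUNDLL32 entry stay quiet while server.vbs (legitimate Sony/Support.com software, per the later reply) is still flagged as a script for a human to account for.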
     
  7. aeternanox

    aeternanox Thread Starter

    Joined:
    Sep 17, 2003
    Messages:
    11
    Hmmm...

    O4 - HKLM\..\Run: [Drive Monitoring Agent] C:\WINDOWS\System32\ndmonNT.exe:

    Not sure about that one. It may be related to Internet Neighborhood, but I really don't know.

    O4 - HKLM\..\Run: [IN Clipboard Monitor] C:\Program Files\Internet Neighborhood\clipmon.exe:

    Internet Neighborhood is an FTP client that I installed once to use for downloading files from FTP servers. However, I did not initiate the use of this program. Perhaps the worm is using it? I tried to uninstall it, but it claimed that the program was in use. So, I killed the processes named above and it still wouldn't uninstall.

    C:\WINDOWS\System32\WScript.exe

    Well, there is a registry key (O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs) and I'm thinking it's part of a worm. Since that's a script - would wscript be running because of it? I don't know much about this - I'm just making guesses.

    I was wondering about this registry key, as well, because it looks funky to me:

    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

    I must be like, brimming with infection over here. This is nuts. Heh.
     
  8. putasolution

    putasolution

    Joined:
    Mar 20, 2003
    Messages:
    4,823
    ZTGServerswitch is part of Sony's Vaio support agent, designed by Support.com. Not required if the user does not wish to use the Vaio support agent; it is installed by Sony and can be considered spyware.

    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize is part of your Nvidia software
     
  9. aeternanox

    aeternanox Thread Starter

    Joined:
    Sep 17, 2003
    Messages:
    11
    Okay, cool. Well, I quarantined the files that I thought were suspicious. I'm still looking around for anything else that I've seen mentioned in worm info sites. I think I'll scan again with pc-cillin (making sure that it's the only virus protection program I have open, of course - heheh). Thanks for everyone's help so far. I'm getting somewhere.
     
  10. putasolution

    putasolution

    Joined:
    Mar 20, 2003
    Messages:
    4,823
    You can certainly delete the files in c:\WINDOWS\Web\printers

    cygregex.dll
    cygwin1.dll
    first.bat
    first.exe
    ir.dll
    libeay32.dll
    regex.dll
    scvhost.exe
    ServUCert.crt
    ServUCert.key
    servudaemon.ini
    ssleay32.dll
    su.txt
    suw.txt
    TzoLibr.dll

    Before you do the scan, make sure that you temporarily disable system restore
     
  11. aeternanox

    aeternanox Thread Starter

    Joined:
    Sep 17, 2003
    Messages:
    11
    Yeah, I disabled that yesterday and I'm not turning it back on until I know my system's clean. :)
     
  12. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    You're right, that would account for the wscript.exe being there. Not to worry about it, but if you don't need it for anything you could just run msconfig and clear the check for it under startups; that way if there is some use for it, it's easy to re-enable.

    You may have to remove ndmonNT.exe and whatever is associated with it in Safe Mode. If it doesn't uninstall just delete the files, folders and registry startup entries.
     
  13. aeternanox

    aeternanox Thread Starter

    Joined:
    Sep 17, 2003
    Messages:
    11
    Yeah, I found that ndmonNT.exe is associated with the program Internet Neighborhood. I'm going to boot up in safe mode and get rid of them for safety's sake. A process explorer sure can be handy! Thanks much!
     