MeatHauler

Requested Hijackthis log


Here's the requested log file, hope it helps.

Logfile of HijackThis v1.99.1
Scan saved at 2:39:10 PM, on 4/22/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SG9tZSBUb3du\command.exe
C:\WINDOWS\csrss.exe
C:\WINDOWS\System32\hwclock.exe
C:\WINDOWS\system\svchost.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\OdHost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.verizon.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\system\svchost.exe
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Toolbar888 - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Toolbar888\ToolBar888.dll
O4 - HKLM\..\Run: [Microsoft ® Windows Network Mapping Service] C:\WINDOWS\system\svchost.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Wireless-G Notebook Adapter with SpeedBooster Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\Startup.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O20 - AppInit_DLLs: iniwin32.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SG9tZSBUb3du\command.exe
O23 - Service: Windows Security Drivers (csrs) - Unknown owner - C:\WINDOWS\csrss.exe
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe
O23 - Service: Windows Network Mapping Service (NetMap) - Unknown owner - C:\WINDOWS\system\svchost.exe
O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NICSer_WPC54GS - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe


:D Oh boy, you have some nasty trojans on there among other things - very difficult to remove so this will take several stages. Hold on while I decide the best plan of attack and write it up for you.

Here is one I'm really concerned about as it has backdoor capability, meaning your computer may have been compromised by an intruder. It also may have infected Explorer.exe which will need a fully functional Antivirus program to disinfect. That is going to be the first priority.

 

http://www.sophos.com/virusinfo/analyses/w32hwbota.html

W32/Hwbot-A is a network worm with IRC backdoor functionality.

W32/Hwbot-A copies itself to the Windows system folder with the filename HWCLOCK.EXE and creates a service with the following characteristics so as to run itself on system startup:

 

Service Name: hwclock
Display Name: Hardware Clock Driver
Service Description: Enables a computer to save and restore system time information using the hardware clock. Stopping or disabling this service will result in system instability.

W32/Hwbot-A sets the following entries in the registry:

HKLM\software\microsoft\ole
enabledcom
"n"

HKLM\system\currentcontrolset\control\lsa
restrictanonymous
"1"

W32/Hwbot-A attempts to create a read-only file called DCPROMO.LOG in the DEBUG subfolder of the Windows folder to patch against certain network vulnerabilities.

W32/Hwbot-A connects to an IRC server and waits for instructions from a remote user. Possible instructions include downloading and executing further code or spreading via network security exploits.

W32/Hwbot-A may attempt to inject code to delete itself into explorer.exe and may crash the infected computer during this process.

 

.......................................

 

Even if you have an AV on your computer, it may have been damaged or compromised. So please start with this free tool from Trend-Micro to disinfect and clean first.

 

Get this tool from Trend-Micro

Damage Cleanup Engine / Template

 

http://www.trendmicro.com/download/dcs.asp

Get the Sysclean Package for non-Trend customers.

 

Grab a copy of the instructions here. You will need them to run this tool properly:

please download the following files

http://www.trendmicro.com/ftp/products/tsc/readme.txt

 

NOTE:

For instructions on how to use this package, consult the "How to Use" section of the readme file, readme_sysclean.txt. This file also contains the description and the different features of this package.

 

Note that for the Trend Micro Sysclean Package to be effective, you must download and place the latest pattern file in the same folder as the Trend Micro Sysclean Package.

 

Note: You have to get this too (it's the latest signature update for the tool) and read the instructions on how to install it in the proper folder for the Damage Cleanup Tool to work.

DCT CONTROL RELEASE

Download Latest DCT Control Release

http://www.trendmicro.com/download/pattern...-disclaimer.asp

 

The Damage Cleanup Template (DCT) Control Release is a pre-release version of Damage Cleanup Template (DCT) and is updated by TrendLabs almost as often as new samples come in. Since it is designed to clean registries and system files from 'in-the-wild' malware infections, DCT Control release receives only preliminary testing. DCT Control Release also must be deployed manually to your product.

 

Click the link above for additional information and deployment instructions. Users are advised to read the succeeding disclaimer carefully before downloading the current DCT Control Release.

 

reboot your computer after cleaning

.............................................

When you are done, please save any logs it may create and post them back here with the results. We also need a fresh Hijackthis scan log please.

 

Ooops - I inadvertently added my reply as an edit to the previous post. Sorry about that. Just scroll up and follow the directions.

Ooops - I inadvertently added my reply as an edit to the previous post. Sorry about that. Just scroll up and follow the directions.

3rd try: Ooops - I inadvertently added my reply as an edit to the previous post. Sorry about that. Just scroll up and follow the directions.

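As an added illustration (not part of this thread and not HijackThis code), the script below does by machine the kind of triage the helper above did by eye on the log posted at the top of the thread: it flags system-process names running from the wrong folder (C:\WINDOWS\csrss.exe, C:\WINDOWS\system\svchost.exe), services of unknown ownership inside the Windows tree, the base64-looking folder SG9tZSBUb3du (which decodes to "Home Town"), the extra program appended to UserInit, the AppInit_DLLs entry and the Trusted Zone additions, and it carries the hwclock file and service names from the Sophos W32/Hwbot-A write-up quoted above. The rule names, the list of System32-only executables, the assumption that Windows lives in C:\WINDOWS, and the trimmed sample log are this example's own choices.

```python
"""Triage of HijackThis-style log lines: an added example, not thread or HijackThis code.

Flags the entry kinds the helper's reply singled out (system-process names outside
System32, unknown-owner services in the Windows tree, base64-looking folder names,
a tampered UserInit, AppInit_DLLs and Trusted Zone additions). Assumes C:\\WINDOWS.
"""
import base64
import binascii
import re

# Names that legitimately run only from C:\WINDOWS\System32 on Windows XP (this example's list).
SYSTEM32_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}
# File and service name taken from the Sophos W32/Hwbot-A description quoted in the thread.
KNOWN_BAD_FILES, KNOWN_BAD_SERVICES = {"hwclock.exe"}, {"hwclock"}
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.exe)", re.IGNORECASE)


def looks_base64(token):
    """True when a folder name decodes as base64 to plain words ('SG9tZSBUb3du' -> 'Home Town')."""
    if not B64_TOKEN.match(token) or len(token) % 4:
        return False
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return False
    return raw.isascii() and all(c.isalnum() or c == " " for c in raw.decode("ascii"))


def check_path(path):
    """Return (rule, detail) hits for one executable path."""
    hits, parts = [], path.split("\\")
    name, parent = parts[-1].lower(), "\\".join(parts[:-1]).lower()
    if name in SYSTEM32_ONLY and parent != r"c:\windows\system32":
        hits.append(("lookalike-process", f"{parts[-1]} runs from {parent}, not System32"))
    if name in KNOWN_BAD_FILES:
        hits.append(("known-bad-file", f"{parts[-1]} matches the W32/Hwbot-A write-up"))
    for comp in parts[1:-1]:  # directory components only, never the drive or the file name
        if looks_base64(comp):
            hits.append(("base64-dirname", f"folder {comp!r} decodes to {base64.b64decode(comp).decode()!r}"))
    return hits


def triage(lines):
    """Return a list of (rule, detail, line) findings for the given log lines."""
    findings, in_processes = [], False
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        if line[0] in "RFO" and " - " in line:  # the first HJT item line ends the process list
            in_processes = False
        if in_processes:
            findings += [(r, d, line) for r, d in check_path(line)]
        elif line.startswith("F2 - REG:system.ini: UserInit="):
            extras = [p for p in line.split("UserInit=", 1)[1].split(",")
                      if p and not p.lower().endswith("\\userinit.exe")]
            if extras:
                findings.append(("userinit-tampered", "extra program run at logon: " + ", ".join(extras), line))
        elif line.startswith(("O4 ", "O23 ")):
            m = PATH_RE.search(line)
            if m:
                findings += [(r, d, line) for r, d in check_path(m.group(1))]
            if line.startswith("O23 "):
                if m and "Unknown owner" in line and m.group(1).lower().startswith(r"c:\windows"):
                    findings.append(("unknown-owner-service", "unknown-owner service inside the Windows tree", line))
                svc = re.search(r"\(([^)]+)\)", line)
                if svc and svc.group(1).lower() in KNOWN_BAD_SERVICES:
                    findings.append(("known-bad-service", f"service {svc.group(1)} matches the W32/Hwbot-A write-up", line))
        elif line.startswith("O20 - AppInit_DLLs:"):
            findings.append(("appinit-dll", "DLL loaded into every process that uses user32.dll:" + line.split(":", 1)[1], line))
        elif line.startswith("O15 - Trusted Zone:"):
            findings.append(("trusted-zone", "site added to the IE Trusted zone, which relaxes browser security for it", line))
    return findings


def summarize(findings):
    """Count findings per rule name."""
    counts = {}
    for rule, _, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


# Constructed sample: lines copied from the log posted above, trimmed to a representative subset.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SG9tZSBUb3du\command.exe
C:\WINDOWS\csrss.exe
C:\WINDOWS\System32\hwclock.exe
C:\WINDOWS\system\svchost.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\system\svchost.exe
O4 - HKLM\..\Run: [Microsoft Windows Network Mapping Service] C:\WINDOWS\system\svchost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O20 - AppInit_DLLs: iniwin32.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SG9tZSBUb3du\command.exe
O23 - Service: Windows Security Drivers (csrs) - Unknown owner - C:\WINDOWS\csrss.exe
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe
"""

if __name__ == "__main__":
    for rule, detail, line in triage(SAMPLE_LOG.splitlines()):
        print(f"[{rule}] {detail}\n    {line}")
```

Run as-is it prints the findings for the sample (15 of them, three of which land on the hwclock service alone); a saved log goes through `triage(open(path).read().splitlines())`. A hit is a prompt to look closer rather than a verdict, since a legitimate driver can also show "Unknown owner", and the actual cleanup step is still the Sysclean or full AV scan the reply above asks for.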

CJ -- that is a function of the more recent software updates to IPB. When a reply is made by the same poster within a particular time period, it is added to the post. It can be adjusted or turned off in the ACP.


Whew, thanks guys - thought I was losing my mind :D

 

So, Meathauler, please scroll up to my first reply and follow the instructions I posted for you. :)

 

~crosses fingers this posts as a separate reply~

:) Oh boy, you have some nasty trojans on there among other things - very difficult to remove so this will take several stages. Hold on while I decide the best plan of attack and write it up for you.

Here is one I'm really concerned about as it has backdoor capability, meaning your computer may have been compromised by an intruder. It also may have infected Explorer.exe which will need a fully functional Antivirus program to disinfect. That is going to be the first priority.

.....

 

Ouch!!

Oh well, I guess this is what I get for buying a used laptop from a fella I know I'll never see again! :D

 

Would it be any easier/cleaner to format the hd and reinstall the os and programs I want? I have the cd's, and haven't put any info on it that I need to keep. I've only had it two weeks and have only used it for mapping and my log books.

 

Either way, Calamity Jane, thanks for the help.

Ah needs all ah kin git!

Would it be any easier/cleaner to format the hd and reinstall the os and programs I want? I have the cd's, and haven't put any info on it that I need to keep. I've only had it two weeks and have only used it for mapping and my log books.

Yes, definitely. Under those circumstances that is your best remedy :D There is no telling what the damage to the system is - I do recommend you reformat/reinstall in this situation

Yes, definitely. Under those circumstances that is your best remedy :) There is no telling what the damage to the system is - I do recommend you reformat/reinstall in this situation

 

 

At least it's a cheap fix!! :lol:

And comparatively easy.

I do tend to look on the brighter/lighter side of things.

I think it comes from driving a truck for 23 years. :D

 

Anyway, thanks for the help and advice.

I'll be home next weekend and will have the time to take care of it then.

I'll just limit my online time until then and run ad-aware constantly.

 

BTW, I **LOVE** the Calamity Jane handle.

Unusual, distinctive and historical.

BTW, I **LOVE** the Calamity Jane handle.

Unusual, distinctive and historical.

<And we **LOVE** CalamityJane!>

 

Since you've elected the format route, please make sure to update Windows and your security software programs.


Small world, Meat Hauler! My son is a trucker too, I'm proud to say :D

 

Reformat and reinstall is your best answer, especially as you acquired this PC from someone else. You know what they say about inheriting other people's headaches (Hope you got a good deal on that one) :)

 

A friend of mine wrote a detailed instruction on how to determine when to reinstall or not with notes on reinstallation, that may be helpful:

When should I re-format? How should I reinstall?

http://www.dslreports.com/faq/10063

 

Good luck and enjoy your clean computer - if you need help keeping it that way, let us know! We'll be glad to help :)
