infected pc (with a trojan?)[RESOLVED]



#1 nijnijn (Member, 25 posts)
My PC is infected with, I think, a trojan. I share this PC with 2 others, and their accounts are working OK; mine is not.
Here's my log.

Logfile of HijackThis v1.99.1
Scan saved at 17:19:11, on 13/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\mocih.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\cmdtel.exe
C:\WINDOWS\System32\ahtun.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\WINDOWS\switpb.exe
C:\PROGRA~1\TELENE~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Media Pass\MediaPass.exe
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Media Pass\MediaPassK.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\windows\omhtges.exe
C:\wp.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\Program Files\TELENE~1\bin\mpbtn.exe
C:\Program Files\TELENE~1\bin\mad.exe
C:\PROGRA~1\Motive\ASSTCO~1\MOTIVE~1.EXE
C:\WINDOWS\System32\wisvccz.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Stijn\Mijn documenten\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/FirstEnter/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = file:///C:/Program%20Files/FirstEnter/Portal/portal.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Program Files\ISTbar\istbarcm.dll (file missing)
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ucxewfwnefh] C:\WINDOWS\System32\ymbbaf.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [4k2dxIUs] C:\WINDOWS\vftccfk.exe
O4 - HKLM\..\Run: [switp] C:\WINDOWS\switpb.exe
O4 - HKLM\..\Run: [Update Player] C:\WINDOWS\System32\winssvcs.exe
O4 - HKLM\..\Run: [wupdate] C:\WINDOWS\System32\wisvccz.exe
O4 - HKLM\..\Run: [ Themes] C:\WINDOWS\System32\wwwicom.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELENE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPass.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpecialOffers] C:\WINDOWS\SpecialOffers.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [fbeefqp] c:\windows\omhtges.exe
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\Run: [inqxwhl] c:\windows\dbhmhtf.exe
O4 - HKCU\..\Run: [wupdate] C:\WINDOWS\System32\wisvccz.exe
O4 - HKCU\..\Run: [pkvilqm] c:\windows\jconlvb.exe
O4 - HKCU\..\Run: [gjpvxnq] c:\windows\qpeehqm.exe
O4 - HKCU\..\Run: [gemrbkx] c:\windows\imiwjxb.exe
O4 - HKCU\..\Run: [gvqwcxq] c:\windows\blijakj.exe
O4 - HKCU\..\Run: [uheribd] c:\windows\lhxoqre.exe
O4 - HKCU\..\Run: [gqgusoh] c:\windows\jmcdreq.exe
O4 - HKCU\..\Run: [sfqptxk] c:\windows\iadyjwl.exe
O4 - HKCU\..\Run: [llfdgag] c:\windows\iadyjwl.exe
O4 - HKCU\..\Run: [luxwtyt] c:\windows\iadyjwl.exe
O4 - HKCU\..\Run: [ncfjyga] c:\windows\iadyjwl.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Telenet EasyCare.lnk = C:\Program Files\Telenet EasyCare\bin\matcli.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {5523A818-425B-49C0-989C-226D51123230} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {5523A818-425B-49C0-989C-226D51123230} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {9FF4CC83-CE09-467D-A828-0FCC42FE6144} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {9FF4CC83-CE09-467D-A828-0FCC42FE6144} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {FF81B6B3-80D3-4BDE-90A0-323F6F9A8BE6} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {FF81B6B3-80D3-4BDE-90A0-323F6F9A8BE6} - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .ssc: C:\WINDOWS\Downloaded Program Files\Ubizen\SmartStart\NPSmartStart32.dll
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: FortisCzPc - https://www.fortisba.../FortisCzPC.cab
O16 - DPF: {13789418-3E69-4649-73C6-71AA0027B46B} - http://69.50.182.94/1/rdgBE1882.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {214868A8-F71B-473E-8ECF-6EE1DE6B91D8} - http://pms.localscri...2/ms7531_be.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - http://www.telenet.b...pgweb/setup.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda..../bep/games4.cab
O16 - DPF: {9B4AA442-9EBF-11D5-8C11-0050DA4957F5} - http://www.cavello.c.../110/484/be.exe
O18 - Protocol: bw+0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Filter: text/html - {CF2C07A4-F3E4-467B-80CB-A6CBE955935B} - C:\Documents and Settings\Stijn\Local Settings\Application Data\microsoft\internet explorer\V0.26.dat
O21 - SSODL: Themes Agent - {4D32E494-6159-4AE2-90F4-C0DCFAF506F3} - C:\WINDOWS\System32\dsseptif.dll
O21 - SSODL: Update Player - {041940A1-5BF1-4B87-B1C5-4C8A060B1773} - C:\WINDOWS\System32\adslwww.dll
O23 - Service: Trace network connections (ACCRA) - Unknown owner - C:\WINDOWS\System32\mocih.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe
O23 - Service: Debug oupost relations (LAGOS) - Unknown owner - C:\WINDOWS\System32\ahtun.exe


#2 miekiemoes (Malware Expert, MVP, 5,503 posts)
Hi,
Nice collection.

* Download and install CCleaner
Do not use it yet.

* Please set your system to show all files; please see here if you're unsure how to do this.

Download LSPfix and save it to the Desktop and unzip it.

Run LSPfix and place a check against the I know what I am doing checkbox.
Highlight every instance of the following name and move it from the Keep to the Remove panel. Be sure to move nothing other than the file listed below!

flsmngr.dll

When done, click on Finish to exit the program; do not use the X in the top right-hand corner as nothing will happen!

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/FirstEnter/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = file:///C:/Program%20Files/FirstEnter/Portal/portal.html
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Program Files\ISTbar\istbarcm.dll (file missing)
O4 - HKLM\..\Run: [ucxewfwnefh] C:\WINDOWS\System32\ymbbaf.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [4k2dxIUs] C:\WINDOWS\vftccfk.exe
O4 - HKLM\..\Run: [switp] C:\WINDOWS\switpb.exe
O4 - HKLM\..\Run: [Update Player] C:\WINDOWS\System32\winssvcs.exe
O4 - HKLM\..\Run: [wupdate] C:\WINDOWS\System32\wisvccz.exe
O4 - HKLM\..\Run: [ Themes] C:\WINDOWS\System32\wwwicom.exe
O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPass.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [SpecialOffers] C:\WINDOWS\SpecialOffers.exe
O4 - HKCU\..\Run: [fbeefqp] c:\windows\omhtges.exe
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\Run: [inqxwhl] c:\windows\dbhmhtf.exe
O4 - HKCU\..\Run: [wupdate] C:\WINDOWS\System32\wisvccz.exe
O4 - HKCU\..\Run: [pkvilqm] c:\windows\jconlvb.exe
O4 - HKCU\..\Run: [gjpvxnq] c:\windows\qpeehqm.exe
O4 - HKCU\..\Run: [gemrbkx] c:\windows\imiwjxb.exe
O4 - HKCU\..\Run: [gvqwcxq] c:\windows\blijakj.exe
O4 - HKCU\..\Run: [uheribd] c:\windows\lhxoqre.exe
O4 - HKCU\..\Run: [gqgusoh] c:\windows\jmcdreq.exe
O4 - HKCU\..\Run: [sfqptxk] c:\windows\iadyjwl.exe
O4 - HKCU\..\Run: [llfdgag] c:\windows\iadyjwl.exe
O4 - HKCU\..\Run: [luxwtyt] c:\windows\iadyjwl.exe
O4 - HKCU\..\Run: [ncfjyga] c:\windows\iadyjwl.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O9 - Extra button: Microsoft AntiSpyware helper - {5523A818-425B-49C0-989C-226D51123230} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {5523A818-425B-49C0-989C-226D51123230} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {9FF4CC83-CE09-467D-A828-0FCC42FE6144} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {9FF4CC83-CE09-467D-A828-0FCC42FE6144} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {FF81B6B3-80D3-4BDE-90A0-323F6F9A8BE6} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {FF81B6B3-80D3-4BDE-90A0-323F6F9A8BE6} - (no file) (HKCU)
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {13789418-3E69-4649-73C6-71AA0027B46B} - http://69.50.182.94/1/rdgBE1882.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {214868A8-F71B-473E-8ECF-6EE1DE6B91D8} - http://pms.localscri...2/ms7531_be.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda..../bep/games4.cab
O16 - DPF: {9B4AA442-9EBF-11D5-8C11-0050DA4957F5} - http://www.cavello.c.../110/484/be.exe
ALL O18 entries!
O21 - SSODL: Themes Agent - {4D32E494-6159-4AE2-90F4-C0DCFAF506F3} - C:\WINDOWS\System32\dsseptif.dll
O21 - SSODL: Update Player - {041940A1-5BF1-4B87-B1C5-4C8A060B1773} - C:\WINDOWS\System32\adslwww.dll
O23 - Service: Trace network connections (ACCRA) - Unknown owner - C:\WINDOWS\System32\mocih.exe
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe
O23 - Service: Debug oupost relations (LAGOS) - Unknown owner - C:\WINDOWS\System32\ahtun.exe


* Click on Fix Checked when finished and exit HijackThis.

* Reboot into Safe Mode:
To get into Safe Mode, press and hold the F8 key as the computer is booting. Use the arrow keys to move to "Safe Mode" and press Enter.


* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\WINDOWS\System32\mocih.exe
C:\WINDOWS\System32\cmdtel.exe
C:\WINDOWS\System32\ahtun.exe
C:\WINDOWS\switpb.exe
C:\Program Files\Media Pass <== folder
C:\Program Files\Common Files\CMEII <== folder
C:\windows\omhtges.exe
C:\wp.exe
C:\wp.bmp
C:\WINDOWS\System32\wldr.dll
C:\Program Files\Common Files\GMT <== folder
C:\WINDOWS\System32\wisvccz.exe
C:\Program Files\Security IGuard <== folder
C:\Program Files\FirstEnter <== folder
C:\Program Files\MyWay <== folder
C:\Program Files\ISTbar <== folder
C:\WINDOWS\System32\ymbbaf.exe
C:\WINDOWS\vftccfk.exe
C:\WINDOWS\System32\winssvcs.exe
C:\WINDOWS\System32\wwwicom.exe
C:\WINDOWS\System32\spoolsrv32.exe
C:\WINDOWS\SpecialOffers.exe
c:\windows\dbhmhtf.exe
c:\windows\jconlvb.exe
c:\windows\qpeehqm.exe
c:\windows\imiwjxb.exe
c:\windows\blijakj.exe
c:\windows\lhxoqre.exe
c:\windows\jmcdreq.exe
c:\windows\iadyjwl.exe
C:\WINDOWS\System32\dsseptif.dll
C:\WINDOWS\System32\adslwww.dll

* Still in Safe Mode, run CCleaner and click Run Cleaner (bottom right).

* Reboot your system back to normal mode.

Download http://www.bleepingc...g/smitfraud.reg and save it on your desktop.
Double-click it, and when it asks whether you want to add the content to the registry, click Yes/OK.

Post back a fresh HijackThis log and I'll take another look.

If you had any problems with deleting files or noticed any other problems during your fix, let me also know in your next reply.
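
The reasoning behind the list above (which O4, O10, O15, O16 and O23 entries get fixed and why) can be written down as explicit checks. The script below is an added example, not part of the original thread and not a tool either poster used; it parses HijackThis v1.99-style log lines and flags the same classes of entry the expert picked by eye. The "random-looking name" heuristic, the small allowlists and the sample input (a constructed subset of the first log in the thread, with the truncated URLs left out) are assumptions for illustration, not a substitute for a known-good file database.

```python
"""Added example (not from the thread, not a tool either poster used): a triage
pass over a HijackThis v1.99-style log that makes the expert's by-eye judgement
explicit: R0/R1 browser settings pointing at an unknown domain or a local file,
orphaned O2/O3 entries, O4 autoruns with random-looking names or several values
aimed at one file in a bare system location, O10 unknown LSPs, O15 Trusted Zone
additions, O16 ActiveX from a bare IP, O23 services with no vendor string."""
import re
from collections import defaultdict

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'"?(?P<path>[^"]*?\.exe)', re.IGNORECASE)
HOST_RE = re.compile(r"https?://(?P<host>[^/\s]+)", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
KNOWN_SYSTEM_EXES = {"ctfmon.exe", "explorer.exe"}      # assumed, not exhaustive
BROWSER_ALLOWLIST = {"www.google.com", "www.msn.com"}   # assumed user choices

# Constructed sample: a subset of the lines from the first log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/FirstEnter/Portal/portal.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ucxewfwnefh] C:\WINDOWS\System32\ymbbaf.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [sfqptxk] c:\windows\iadyjwl.exe
O4 - HKCU\..\Run: [llfdgag] c:\windows\iadyjwl.exe
O4 - HKCU\..\Run: [luxwtyt] c:\windows\iadyjwl.exe
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {13789418-3E69-4649-73C6-71AA0027B46B} - http://69.50.182.94/1/rdgBE1882.exe
O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
O23 - Service: Trace network connections (ACCRA) - Unknown owner - C:\WINDOWS\System32\mocih.exe
"""

def looks_random(token):
    """6-12 lowercase letters only: the shape of the generated value and file
    names in the log above (assumed heuristic)."""
    return re.fullmatch(r"[a-z]{6,12}", token) is not None

def in_bare_system_location(path):
    """File directly in a drive root, %WINDIR% or System32 (lowercased path);
    vendor software lives under Program Files, the droppers in the log do not."""
    return re.match(r"^[a-z]:\\(windows\\(system32\\)?)?[^\\]+$", path) is not None

def check_o4(body, targets):
    """Reason string if one O4 Run entry looks suspicious, else None."""
    m = O4_RE.match(body)
    if not m:                                   # Global Startup lines etc.
        return None
    exe_m = EXE_RE.search(m.group("cmd"))
    exe = (exe_m.group("path") if exe_m else m.group("cmd")).strip().lower()
    targets[exe].append(m.group("name").strip())
    basename = exe.rsplit("\\", 1)[-1]
    if basename in KNOWN_SYSTEM_EXES or not in_bare_system_location(exe):
        return None
    if looks_random(m.group("name").strip()) or looks_random(basename.rsplit(".", 1)[0]):
        return "random-looking autorun in a bare system location"
    if re.match(r"^[a-z]:\\[^\\]+$", exe):
        return "autorun executable sitting in the drive root"
    return None

def triage(log_text):
    """Return a list of (kind, reason, line) findings for one log."""
    findings, targets = [], defaultdict(list)   # targets: exe -> Run value names
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body, reason = m.group("kind"), m.group("body"), None
        if kind in ("R0", "R1"):
            value = body.partition(" = ")[2]
            host = HOST_RE.search(value)
            if host and host.group("host").lower() not in BROWSER_ALLOWLIST:
                reason = "browser setting points at " + host.group("host")
            elif value.lower().startswith("file:"):
                reason = "browser start page redirected to a local file"
        elif kind in ("O2", "O3") and ("(file missing)" in body or "(no file)" in body):
            reason = "orphaned entry, backing file is gone"
        elif kind == "O4":
            reason = check_o4(body, targets)
        elif kind == "O10":
            reason = "Winsock LSP DLL that HijackThis does not recognise"
        elif kind == "O15":
            reason = "site added to the Trusted Zone"
        elif kind == "O16":
            host = HOST_RE.search(body)
            if host and IPV4_RE.match(host.group("host")):
                reason = "ActiveX download from a bare IP address"
        elif kind == "O23" and "Unknown owner" in body:
            reason = "service with no vendor string"
        if reason:
            findings.append((kind, reason, line))
    for exe, names in targets.items():          # the iadyjwl.exe pattern above
        if len(names) > 1:
            findings.append(("O4", f"{len(names)} autorun values point at one file: {exe}", ""))
    return findings

if __name__ == "__main__":
    print("\n".join(f"[{k}] {r}  {l}" for k, r, l in triage(SAMPLE_LOG)))
```

Run against the sample it reports the w-find.com start page, the file:// start page, the orphaned MyWay toolbar, every random-named Run value, c:\wp.exe in the drive root, the three values all pointing at iadyjwl.exe, the unknown LSP, the Trusted Zone addition, the ActiveX download from a bare IP and the ownerless service, while the QuickTime, ctfmon and Intel entries pass. The O10 entry is flagged unconditionally because HijackThis only lists LSP DLLs it cannot identify, and those still need LSPfix rather than a plain delete, since removing the DLL without repairing the Winsock chain breaks networking.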

#3 nijnijn (Topic Starter, Member, 25 posts)
Thanks for your help! I did everything as you told me, but it seems not all of it has gone. I did not delete all the O18s, because those seem to be from Logitech (our mouse and keyboard are from them...).

Logfile of HijackThis v1.99.1
Scan saved at 11:22:06, on 16/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\windows\hsoloic.exe
C:\windows\hsoloic.exe
C:\Documents and Settings\Stijn\Mijn documenten\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [etydqic] c:\windows\iadyjwl.exe
O4 - HKCU\..\Run: [nfyhtbn] c:\windows\iadyjwl.exe
O4 - HKCU\..\Run: [owefpep] c:\windows\iadyjwl.exe
O4 - HKCU\..\Run: [ovllonv] c:\windows\fbaxjxt.exe
O4 - HKCU\..\Run: [evbnljm] c:\windows\fbaxjxt.exe
O4 - HKCU\..\Run: [ybedubm] c:\windows\fbaxjxt.exe
O4 - HKCU\..\Run: [osjdkxd] c:\windows\hsoloic.exe
O4 - HKCU\..\Run: [jshukwj] c:\windows\hsoloic.exe
O4 - HKCU\..\Run: [xjswwol] c:\windows\hsoloic.exe
O4 - HKCU\..\Run: [febkltn] c:\windows\hsoloic.exe
O4 - HKCU\..\Run: [mirjvcq] c:\windows\hsoloic.exe
O4 - HKCU\..\Run: [qkflhlr] c:\windows\hsoloic.exe
O4 - HKCU\..\Run: [smkvpir] c:\windows\hsoloic.exe
O4 - HKCU\..\Run: [wnbxkmk] c:\windows\hsoloic.exe
O4 - HKCU\..\Run: [qjixgmd] c:\windows\tpylyfy.exe
O4 - HKCU\..\Run: [naamtkk] c:\windows\tpylyfy.exe
O4 - HKCU\..\Run: [cfpwley] c:\windows\tpylyfy.exe
O4 - HKCU\..\Run: [rbbmeec] c:\windows\tpylyfy.exe
O4 - HKCU\..\Run: [cmrauvf] c:\windows\tpylyfy.exe
O4 - HKCU\..\Run: [btbdqsw] c:\windows\tpylyfy.exe
O4 - HKCU\..\Run: [hkseosg] c:\windows\tpylyfy.exe
O4 - HKCU\..\Run: [ukqdlkn] c:\windows\tpylyfy.exe
O4 - HKCU\..\Run: [vaevabm] c:\windows\tpylyfy.exe
O4 - HKCU\..\Run: [vndechy] c:\windows\ltjlchc.exe
O4 - HKCU\..\Run: [gkxufpt] c:\windows\ltjlchc.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .ssc: C:\WINDOWS\Downloaded Program Files\Ubizen\SmartStart\NPSmartStart32.dll
O16 - DPF: FortisCzPc - https://www.fortisba.../FortisCzPC.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - http://www.telenet.b...pgweb/setup.cab
O18 - Protocol: bw+0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {F6239368-155B-4452-B4E6-67C248517DEA} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Filter: text/html - {CF2C07A4-F3E4-467B-80CB-A6CBE955935B} - C:\Documents and Settings\Stijn\Local Settings\Application Data\microsoft\internet explorer\V0.26.dat
O23 - Service: Trace network connections (ACCRA) - Unknown owner - C:\WINDOWS\System32\mocih.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe (file missing)
O23 - Service: Debug oupost relations (LAGOS) - Unknown owner - C:\WINDOWS\System32\ahtun.exe (file missing)

  • 0

#4 miekiemoes (Malware Expert, MVP, 5,503 posts)

I did not delete all the O18's, because that seems to be from Logitech (our mouse and keyboard are from them...)


Yes, I know, but it doesn't hurt to fix them, because they can cause a system slowdown and errors eventually, but if you really want to keep them -- no problem, it's not malware :tazz:

We are making progress -- good.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O4 - HKCU\..\Run: [etydqic] c:\windows\iadyjwl.exe
O4 - HKCU\..\Run: [nfyhtbn] c:\windows\iadyjwl.exe
O4 - HKCU\..\Run: [owefpep] c:\windows\iadyjwl.exe
O4 - HKCU\..\Run: [ovllonv] c:\windows\fbaxjxt.exe
O4 - HKCU\..\Run: [evbnljm] c:\windows\fbaxjxt.exe
O4 - HKCU\..\Run: [ybedubm] c:\windows\fbaxjxt.exe
O4 - HKCU\..\Run: [osjdkxd] c:\windows\hsoloic.exe
O4 - HKCU\..\Run: [jshukwj] c:\windows\hsoloic.exe
O4 - HKCU\..\Run: [xjswwol] c:\windows\hsoloic.exe
O4 - HKCU\..\Run: [febkltn] c:\windows\hsoloic.exe
O4 - HKCU\..\Run: [mirjvcq] c:\windows\hsoloic.exe
O4 - HKCU\..\Run: [qkflhlr] c:\windows\hsoloic.exe
O4 - HKCU\..\Run: [smkvpir] c:\windows\hsoloic.exe
O4 - HKCU\..\Run: [wnbxkmk] c:\windows\hsoloic.exe
O4 - HKCU\..\Run: [qjixgmd] c:\windows\tpylyfy.exe
O4 - HKCU\..\Run: [naamtkk] c:\windows\tpylyfy.exe
O4 - HKCU\..\Run: [cfpwley] c:\windows\tpylyfy.exe
O4 - HKCU\..\Run: [rbbmeec] c:\windows\tpylyfy.exe
O4 - HKCU\..\Run: [cmrauvf] c:\windows\tpylyfy.exe
O4 - HKCU\..\Run: [btbdqsw] c:\windows\tpylyfy.exe
O4 - HKCU\..\Run: [hkseosg] c:\windows\tpylyfy.exe
O4 - HKCU\..\Run: [ukqdlkn] c:\windows\tpylyfy.exe
O4 - HKCU\..\Run: [vaevabm] c:\windows\tpylyfy.exe
O4 - HKCU\..\Run: [vndechy] c:\windows\ltjlchc.exe
O4 - HKCU\..\Run: [gkxufpt] c:\windows\ltjlchc.exe
O18 - Filter: text/html - {CF2C07A4-F3E4-467B-80CB-A6CBE955935B} - C:\Documents and Settings\Stijn\Local Settings\Application Data\microsoft\internet explorer\V0.26.dat
O23 - Service: Trace network connections (ACCRA) - Unknown owner - C:\WINDOWS\System32\mocih.exe (file missing)
O23 - Service: Debug oupost relations (LAGOS) - Unknown owner - C:\WINDOWS\System32\ahtun.exe (file missing)


Reboot in safe mode and delete the following files if still present:

C:\windows\hsoloic.exe
c:\windows\iadyjwl.exe
c:\windows\fbaxjxt.exe
c:\windows\tpylyfy.exe
c:\windows\ltjlchc.exe

Still in safe mode, go to start > run and type:

sc delete ACCRA <enter>
sc delete KDE <enter>
sc delete LAGOS <enter>

Reboot and post a new HijackThis log. ;)
  • 0
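The lines picked out above follow two patterns that are easy to check by machine: several Run values with random seven-letter names all launching the same executable straight out of c:\windows, and O23 services whose binary is missing and whose owner HijackThis cannot name. The following Python script is an added example, not code from HijackThis or from anyone in this thread; the O4/O23 line formats are those of HijackThis v1.99 as shown in the logs here, the sample lines are copied from this thread's log, and the two heuristics (shared target, orphaned service) are this example's own.

```python
"""Triage of a HijackThis v1.99 log for the patterns fixed in this thread.

Added example; not part of HijackThis or of the original post. The
heuristics are assumptions made here, not HijackThis features.
"""
import re
from collections import defaultdict

# O4 - HKCU\..\Run: [etydqic] c:\windows\iadyjwl.exe
O4_RE = re.compile(r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# O23 - Service: Display name (SHORTNAME) - Owner - C:\path\file.exe (file missing)
# The short name in parentheses is optional (the Creative service has none).
O23_RE = re.compile(
    r'^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))? - '
    r'(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$')
# First executable in the command, with or without surrounding quotes / arguments.
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.exe)"?', re.IGNORECASE)

# Sample lines copied from the log posted in this thread (constructed subset).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [etydqic] c:\windows\iadyjwl.exe
O4 - HKCU\..\Run: [nfyhtbn] c:\windows\iadyjwl.exe
O4 - HKCU\..\Run: [owefpep] c:\windows\iadyjwl.exe
O4 - HKCU\..\Run: [vndechy] c:\windows\ltjlchc.exe
O4 - HKCU\..\Run: [gkxufpt] c:\windows\ltjlchc.exe
O23 - Service: Trace network connections (ACCRA) - Unknown owner - C:\WINDOWS\System32\mocih.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe (file missing)
""".strip().splitlines()


def parse_run_entries(lines):
    """Return (hive, value name, executable path) for every O4 Run line."""
    entries = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue
        e = EXE_RE.match(m['cmd'])
        entries.append((m['hive'], m['name'], e['exe'] if e else m['cmd']))
    return entries


def shared_targets(lines, min_names=2):
    """Executables that several differently named Run values point at.

    Legitimate software registers one Run value per program; the infection in
    this thread registered many randomly named values for the same file, so a
    target with min_names or more distinct value names is worth a closer look.
    """
    by_exe = defaultdict(set)
    for _hive, name, exe in parse_run_entries(lines):
        by_exe[exe.lower()].add(name)
    return {exe: sorted(names) for exe, names in by_exe.items() if len(names) >= min_names}


def orphaned_services(lines):
    """O23 services whose binary is missing and whose owner is unknown."""
    found = []
    for line in lines:
        m = O23_RE.match(line.strip())
        if m and m['missing'] and m['owner'] == 'Unknown owner':
            found.append((m['short'] or m['display'], m['path']))
    return found


if __name__ == '__main__':
    for exe, names in shared_targets(SAMPLE_LOG).items():
        print(f'{exe} is launched by {len(names)} Run values: {", ".join(names)}')
    for short, path in orphaned_services(SAMPLE_LOG):
        print(f'service {short}: binary {path} missing, owner unknown')
```

The shared-target rule is deliberately independent of how the value names look, so it also catches an infection that picks less obviously random names; the price is that it needs at least two entries per target, which is why the single leftover `[ukqdlkn] c:\windows\tpylyfy.exe` in the later log would still have to be spotted by eye.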

#5 nijnijn (Topic Starter, Member, 25 posts)

"Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:"

Do I have to click on Fix Checked?
  • 0

#6 miekiemoes (Malware Expert, MVP, 5,503 posts)

Yes :tazz:
I forgot to tell you that. ;)
  • 0

#7 nijnijn (Topic Starter, Member, 25 posts)

I didn't do that last thing, because I don't understand what "go to start > run and type ..." means.

Logfile of HijackThis v1.99.1
Scan saved at 12:28:19, on 16/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Stijn\Mijn documenten\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [ukqdlkn] c:\windows\tpylyfy.exe
O4 - HKCU\..\Run: [msqhasf] c:\windows\ltjlchc.exe
O4 - HKCU\..\Run: [pqwyoim] c:\windows\ltjlchc.exe
O4 - HKCU\..\Run: [mwtrrmx] c:\windows\ltjlchc.exe
O4 - HKCU\..\Run: [ipoqhoh] c:\windows\ltjlchc.exe
O4 - HKCU\..\Run: [cnnqlct] c:\windows\ltjlchc.exe
O4 - HKCU\..\Run: [vygcgdt] c:\windows\ltjlchc.exe
O4 - HKCU\..\Run: [hyfrsvj] c:\windows\ltjlchc.exe
O4 - HKCU\..\Run: [rcqrcne] c:\windows\ltjlchc.exe
O4 - HKCU\..\Run: [qtutbfl] c:\windows\ltjlchc.exe
O4 - HKCU\..\Run: [hwpqffd] c:\windows\ltjlchc.exe
O4 - HKCU\..\Run: [tljjbhp] c:\windows\ltjlchc.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .ssc: C:\WINDOWS\Downloaded Program Files\Ubizen\SmartStart\NPSmartStart32.dll
O16 - DPF: FortisCzPc - https://www.fortisba.../FortisCzPC.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - http://www.telenet.b...pgweb/setup.cab
O23 - Service: Trace network connections (ACCRA) - Unknown owner - C:\WINDOWS\System32\mocih.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe (file missing)
O23 - Service: Debug oupost relations (LAGOS) - Unknown owner - C:\WINDOWS\System32\ahtun.exe (file missing)

  • 0

#8 miekiemoes (Malware Expert, MVP, 5,503 posts)

Still in safe mode, go to start > run and type:

sc delete ACCRA <enter>
sc delete KDE <enter>
sc delete LAGOS <enter>


I'll explain it in Dutch :tazz:

Go to Start > Run, and in the window you have to enter those lines one by one and press Enter. ;)

I want to check something -- because I think some files are hiding in here:

Download rkfiles.zip
UNZIP the contents to a permanent folder

Reboot in SAFE MODE !! Important !!
To get into Safe Mode as the computer is booting, press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key.

Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Double-click rkfiles.bat
It will scan for a while, so please be patient.
Wait till the DOS window closes and reboot back to normal mode.

Post the contents of C:\log.txt in your next reply.
  • 0

#9 nijnijn (Topic Starter, Member, 25 posts)

Thanks for the short explanation in Dutch, because I don't wanna mess up my PC more than it already is :tazz:
Amai, what a scan ;) Here's the log:

C:\Documents and Settings\Stijn\Mijn documenten\Anti spyware\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\cmdteld.exe: UPX!
C:\WINDOWS\system32\com.exe: UPX!
C:\WINDOWS\system32\cp.exe: UPX!
C:\WINDOWS\system32\dll.exe: UPX!
C:\WINDOWS\system32\dqjgxaaa.exe: UPX!
C:\WINDOWS\system32\gxposepn.exe: UPX!
C:\WINDOWS\system32\hit.exe: UPX!
C:\WINDOWS\system32\init32m.exe: UPX!
C:\WINDOWS\system32\jksycaaa.exe: UPX!
C:\WINDOWS\system32\jouvoaaa.exe: UPX!
C:\WINDOWS\system32\mocihd.exe: UPX!
C:\WINDOWS\system32\mxsrrymq.exe: UPX!
C:\WINDOWS\system32\mxsrrymq.exe: upX!
C:\WINDOWS\system32\plugin.exe: UPX!
C:\WINDOWS\system32\runme.exe: UPX!
C:\WINDOWS\system32\sed.exe: UPX!
C:\WINDOWS\system32\slrhxaaa.exe: UPX!
C:\WINDOWS\system32\taskmg.exe: UPX!
C:\WINDOWS\system32\vtaeixoq.exe: UPX!
C:\WINDOWS\system32\vxpaaaaa.exe: UPX!
C:\WINDOWS\system32\web.exe: UPX!
C:\WINDOWS\system32\~update.exe: UPX!
C:\WINDOWS\system32\amhevbgy.exe: FSG!
C:\WINDOWS\system32\shqaaaaa.exe: FSG!
C:\WINDOWS\system32\vxjgaaaa.exe: FSG!
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\system32\dvrbsfvt.exe: PEC2
C:\WINDOWS\system32\jjmbsaaa.exe: PEC2
C:\WINDOWS\system32\srpcsrv32.dll: PEC2
C:\WINDOWS\system32\vujkaaaa.exe: PEC2
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\system32\dvrbsfvt.exe: PEC2
C:\WINDOWS\system32\jjmbsaaa.exe: PEC2
C:\WINDOWS\system32\srpcsrv32.dll: PEC2
C:\WINDOWS\system32\vujkaaaa.exe: PEC2

Files Found in all users startup Folder............
------------------------
C:\WINDOWS\system32\cmdteld.exe: UPX!
C:\WINDOWS\system32\com.exe: UPX!
C:\WINDOWS\system32\cp.exe: UPX!
C:\WINDOWS\system32\dll.exe: UPX!
C:\WINDOWS\system32\dqjgxaaa.exe: UPX!
C:\WINDOWS\system32\gxposepn.exe: UPX!
C:\WINDOWS\system32\hit.exe: UPX!
C:\WINDOWS\system32\init32m.exe: UPX!
C:\WINDOWS\system32\jksycaaa.exe: UPX!
C:\WINDOWS\system32\jouvoaaa.exe: UPX!
C:\WINDOWS\system32\mocihd.exe: UPX!
C:\WINDOWS\system32\mxsrrymq.exe: UPX!
C:\WINDOWS\system32\mxsrrymq.exe: upX!
C:\WINDOWS\system32\plugin.exe: UPX!
C:\WINDOWS\system32\runme.exe: UPX!
C:\WINDOWS\system32\sed.exe: UPX!
C:\WINDOWS\system32\slrhxaaa.exe: UPX!
C:\WINDOWS\system32\taskmg.exe: UPX!
C:\WINDOWS\system32\vtaeixoq.exe: UPX!
C:\WINDOWS\system32\vxpaaaaa.exe: UPX!
C:\WINDOWS\system32\web.exe: UPX!
C:\WINDOWS\system32\~update.exe: UPX!
C:\WINDOWS\system32\amhevbgy.exe: FSG!
C:\WINDOWS\system32\shqaaaaa.exe: FSG!
C:\WINDOWS\system32\vxjgaaaa.exe: FSG!
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\cb006376[1].exe: UPX!
C:\WINDOWS\imiwjxb.exe: UPX!
C:\WINDOWS\sys2026.exe: UPX!
C:\WINDOWS\sys2038.exe: UPX!
C:\WINDOWS\sys2049.exe: UPX!
C:\WINDOWS\sys216.exe: UPX!
C:\WINDOWS\sys228.exe: UPX!
C:\WINDOWS\sys2444.exe: UPX!
C:\WINDOWS\sys2454.exe: UPX!
C:\WINDOWS\sys2537.exe: UPX!
C:\WINDOWS\sys2538.exe: UPX!
C:\WINDOWS\sys255.exe: UPX!
C:\WINDOWS\sys2620.exe: UPX!
C:\WINDOWS\sys2631.exe: UPX!
C:\WINDOWS\sys2642.exe: UPX!
C:\WINDOWS\sys2647.exe: UPX!
C:\WINDOWS\sys2658.exe: UPX!
C:\WINDOWS\sys279.exe: UPX!
C:\WINDOWS\sys3211.exe: UPX!
C:\WINDOWS\sys3213.exe: UPX!
C:\WINDOWS\sys3214.exe: UPX!
C:\WINDOWS\sys3451.exe: UPX!
C:\WINDOWS\sys3513.exe: UPX!
C:\WINDOWS\sys352.exe: UPX!
C:\WINDOWS\sys4451.exe: UPX!
C:\WINDOWS\sys4514.exe: UPX!
C:\WINDOWS\sys453.exe: UPX!
C:\WINDOWS\sys4848.exe: UPX!
C:\WINDOWS\sys4859.exe: UPX!
C:\WINDOWS\sys4910.exe: UPX!
C:\WINDOWS\sys5114.exe: UPX!
C:\WINDOWS\sys512.exe: UPX!
C:\WINDOWS\sys5125.exe: UPX!
C:\WINDOWS\sys5218.exe: UPX!
C:\WINDOWS\sys5228.exe: UPX!
C:\WINDOWS\sys5239.exe: UPX!
C:\WINDOWS\sys5450.exe: UPX!
C:\WINDOWS\sys5451.exe: UPX!
C:\WINDOWS\sys5735.exe: UPX!
C:\WINDOWS\sys5747.exe: UPX!
C:\WINDOWS\sys5758.exe: UPX!
C:\WINDOWS\sys638.exe: UPX!
C:\WINDOWS\sys649.exe: UPX!
C:\WINDOWS\sys659.exe: UPX!
Finished
bye

  • 0
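The rkfiles log above is a list of files that contain the signature strings of executable packers (UPX!, FSG!, PEC2). To show how such a scan works, the following Python script is an added example; it is not the rkfiles.bat tool itself (its source is not shown in this thread) and not code from anyone in the thread. It scans one folder for files with the extensions the log reports (.exe, .dll, .msc), looks for the three marker strings case-insensitively (the log reports both UPX! and upX! for the same file, so a case-insensitive search is assumed to be what rkfiles does), and runs against constructed fake files in a temporary directory, not real binaries. As the log's own warning says, a packer marker is not proof of malware, since legitimate programs are packed too; the output is a triage list, not a verdict.

```python
"""Scan a folder for executable-packer marker strings, as the rkfiles log does.

Added example, not the rkfiles tool. Marker strings and extensions are the
ones the posted log reports; everything else here is an assumption.
"""
import os
import re
import tempfile

PACKER_MARKERS = (b"UPX!", b"FSG!", b"PEC2")
# Case-insensitive, because the posted log matched both "UPX!" and "upX!".
MARKER_RE = re.compile(b"|".join(re.escape(m) for m in PACKER_MARKERS), re.IGNORECASE)
SCAN_EXTS = (".exe", ".dll", ".msc")   # file types seen in the posted log
OVERLAP = max(len(m) for m in PACKER_MARKERS) - 1


def packer_markers(path, chunk=1 << 20):
    """Return the set of marker strings (upper-cased) found anywhere in the file.

    The file is read in chunks; the last OVERLAP bytes of each chunk are kept
    so that a marker split across a chunk boundary is still found.
    """
    found = set()
    tail = b""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                break
            data = tail + block
            for m in MARKER_RE.finditer(data):
                found.add(m.group(0).upper().decode("ascii"))
            tail = data[-OVERLAP:]
    return found


def scan_folder(folder, chunk=1 << 20):
    """Map each scannable file in one folder (non-recursive) to its markers."""
    report = {}
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if not os.path.isfile(path) or not name.lower().endswith(SCAN_EXTS):
            continue
        hits = packer_markers(path, chunk)
        if hits:
            report[name] = sorted(hits)
    return report


def build_sample_folder():
    """Constructed sample: fake files in a temp dir, not real executables."""
    folder = tempfile.mkdtemp(prefix="rkfiles_demo_")
    samples = {
        # "UPX0"/"UPX1" are not the marker; only "UPX!" counts.
        "packed_upx.exe": b"MZ" + b"\0" * 60 + b"UPX0UPX1" + b"\0" * 16 + b"UPX!" + b"\0" * 32,
        "packed_fsg.exe": b"MZ" + b"\0" * 40 + b"FSG!" + b"\0" * 8,
        "mixed_case.exe": b"MZ" + b"upX!" + b"\0" * 8 + b"UPX!",
        "plain.exe": b"MZ" + b"\0" * 64 + b"This program cannot be run in DOS mode",
        "notes.txt": b"UPX!",   # extension not in SCAN_EXTS: skipped
    }
    for name, content in samples.items():
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(content)
    return folder


if __name__ == "__main__":
    demo = build_sample_folder()
    for name, markers in scan_folder(demo).items():
        print(f"{os.path.join(demo, name)}: {', '.join(markers)}")
```

Run as-is it prints the three fake packed files; point `scan_folder` at a real directory to reproduce the kind of list in the log. Reading in chunks with an overlap matters on a system32 folder, where a few files are large enough that slurping each one whole is wasteful.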

#10 miekiemoes (Malware Expert, MVP, 5,503 posts)

Well well -- look here -- that did reveal a lot!!

Some worms - a lot of dialers and Trojan startpages, so now, let's take care of it!

* Download Killbox.
Click killbox.exe.
Select the option "Delete on reboot".

Now copy the following lines:

C:\WINDOWS\cb006376[1].exe
C:\WINDOWS\imiwjxb.exe
C:\WINDOWS\sys2026.exe
C:\WINDOWS\sys2038.exe
C:\WINDOWS\sys2049.exe
C:\WINDOWS\sys216.exe
C:\WINDOWS\sys228.exe
C:\WINDOWS\sys2444.exe
C:\WINDOWS\sys2454.exe
C:\WINDOWS\sys2537.exe
C:\WINDOWS\sys2538.exe
C:\WINDOWS\sys255.exe
C:\WINDOWS\sys2620.exe
C:\WINDOWS\sys2631.exe
C:\WINDOWS\sys2642.exe
C:\WINDOWS\sys2647.exe
C:\WINDOWS\sys2658.exe
C:\WINDOWS\sys279.exe
C:\WINDOWS\sys3211.exe
C:\WINDOWS\sys3213.exe
C:\WINDOWS\sys3214.exe
C:\WINDOWS\sys3451.exe
C:\WINDOWS\sys3513.exe
C:\WINDOWS\sys352.exe
C:\WINDOWS\sys4451.exe
C:\WINDOWS\sys4514.exe
C:\WINDOWS\sys453.exe
C:\WINDOWS\sys4848.exe
C:\WINDOWS\sys4859.exe
C:\WINDOWS\sys4910.exe
C:\WINDOWS\sys5114.exe
C:\WINDOWS\sys512.exe
C:\WINDOWS\sys5125.exe
C:\WINDOWS\sys5218.exe
C:\WINDOWS\sys5228.exe
C:\WINDOWS\sys5239.exe
C:\WINDOWS\sys5450.exe
C:\WINDOWS\sys5451.exe
C:\WINDOWS\sys5735.exe
C:\WINDOWS\sys5747.exe
C:\WINDOWS\sys5758.exe
C:\WINDOWS\sys638.exe
C:\WINDOWS\sys649.exe
C:\WINDOWS\sys659.exe
C:\WINDOWS\system32\vxjgaaaa.exe
C:\WINDOWS\system32\cmdteld.exe
C:\WINDOWS\system32\com.exe
C:\WINDOWS\system32\cp.exe
C:\WINDOWS\system32\dll.exe
C:\WINDOWS\system32\dqjgxaaa.exe
C:\WINDOWS\system32\gxposepn.exe
C:\WINDOWS\system32\hit.exe
C:\WINDOWS\system32\init32m.exe
C:\WINDOWS\system32\jksycaaa.exe
C:\WINDOWS\system32\jouvoaaa.exe
C:\WINDOWS\system32\mocihd.exe
C:\WINDOWS\system32\mxsrrymq.exe
C:\WINDOWS\system32\mxsrrymq.exe
C:\WINDOWS\system32\plugin.exe
C:\WINDOWS\system32\runme.exe
C:\WINDOWS\system32\sed.exe
C:\WINDOWS\system32\slrhxaaa.exe
C:\WINDOWS\system32\taskmg.exe
C:\WINDOWS\system32\vtaeixoq.exe
C:\WINDOWS\system32\vxpaaaaa.exe
C:\WINDOWS\system32\web.exe
C:\WINDOWS\system32\~update.exe
C:\WINDOWS\system32\amhevbgy.exe
C:\WINDOWS\system32\shqaaaaa.exe
C:\WINDOWS\system32\dvrbsfvt.exe
C:\WINDOWS\system32\jjmbsaaa.exe
C:\WINDOWS\system32\srpcsrv32.dll
C:\WINDOWS\system32\vujkaaaa.exe
C:\WINDOWS\system32\dvrbsfvt.exe
C:\WINDOWS\system32\jjmbsaaa.exe
C:\WINDOWS\system32\srpcsrv32.dll
C:\WINDOWS\system32\vujkaaaa.exe


Open 'File' in the Killbox menu on top and choose Paste from clipboard

Now you will see, this is pasted in the "Full Path of File to Delete"-field.
There's a little arrow (dropdown-arrow) next to that field.
If you expand it, these lines must be there together if the files are present!

Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be deleted on next reboot. Click YES
When it asks if you would like to Reboot now, click YES
If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.

Your computer must reboot now.

Post back a fresh rkfiles log together with a new HijackThis log.
  • 0


#11 nijnijn (Topic Starter, Member, 25 posts)

This new rkfiles log, should it be done in safe mode? Here's my HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 17:06:12, on 16/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Stijn\Mijn documenten\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [ukqdlkn] c:\windows\tpylyfy.exe
O4 - HKCU\..\Run: [msqhasf] c:\windows\ltjlchc.exe
O4 - HKCU\..\Run: [pqwyoim] c:\windows\ltjlchc.exe
O4 - HKCU\..\Run: [mwtrrmx] c:\windows\ltjlchc.exe
O4 - HKCU\..\Run: [ipoqhoh] c:\windows\ltjlchc.exe
O4 - HKCU\..\Run: [cnnqlct] c:\windows\ltjlchc.exe
O4 - HKCU\..\Run: [vygcgdt] c:\windows\ltjlchc.exe
O4 - HKCU\..\Run: [hyfrsvj] c:\windows\ltjlchc.exe
O4 - HKCU\..\Run: [rcqrcne] c:\windows\ltjlchc.exe
O4 - HKCU\..\Run: [qtutbfl] c:\windows\ltjlchc.exe
O4 - HKCU\..\Run: [hwpqffd] c:\windows\ltjlchc.exe
O4 - HKCU\..\Run: [tljjbhp] c:\windows\ltjlchc.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .ssc: C:\WINDOWS\Downloaded Program Files\Ubizen\SmartStart\NPSmartStart32.dll
O16 - DPF: FortisCzPc - https://www.fortisba.../FortisCzPC.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - http://www.telenet.b...pgweb/setup.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe

#12 miekiemoes (Malware Expert, MVP, 5,503 posts)
Yes, perform rkfiles in safe mode again, because in some cases it is possible that some files are hidden in normal mode.
Let's see if you could delete everything.

Your running processes are looking good. Let's fix in HijackThis afterwards; first I want to see the rkfiles log.
#13 nijnijn (Member, Topic Starter, 25 posts)
Et voila, here's the rkfiles log:

C:\Documents and Settings\Stijn\Mijn documenten\Anti spyware\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
Finished
bye

#14 miekiemoes (Malware Expert, MVP, 5,503 posts)
Looks good.


* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
O4 - HKCU\..\Run: [ukqdlkn] c:\windows\tpylyfy.exe
O4 - HKCU\..\Run: [msqhasf] c:\windows\ltjlchc.exe
O4 - HKCU\..\Run: [pqwyoim] c:\windows\ltjlchc.exe
O4 - HKCU\..\Run: [mwtrrmx] c:\windows\ltjlchc.exe
O4 - HKCU\..\Run: [ipoqhoh] c:\windows\ltjlchc.exe
O4 - HKCU\..\Run: [cnnqlct] c:\windows\ltjlchc.exe
O4 - HKCU\..\Run: [vygcgdt] c:\windows\ltjlchc.exe
O4 - HKCU\..\Run: [hyfrsvj] c:\windows\ltjlchc.exe
O4 - HKCU\..\Run: [rcqrcne] c:\windows\ltjlchc.exe
O4 - HKCU\..\Run: [qtutbfl] c:\windows\ltjlchc.exe
O4 - HKCU\..\Run: [hwpqffd] c:\windows\ltjlchc.exe
O4 - HKCU\..\Run: [tljjbhp] c:\windows\ltjlchc.exe


* Click on Fix Checked when finished and exit HijackThis.

Reboot and post a new HijackThis log.

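The fix list above was produced by reading the log by hand. As an added example, not code from the thread or from HijackThis, here is a Python script that applies three of the patterns miekiemoes acted on to raw HijackThis log lines: a search/start page on a domain outside an allowlist (the w-find.com entries), several differently named Run entries launching one executable (ltjlchc.exe registered eleven times), and a Run target placed directly in C:\WINDOWS rather than System32 or Program Files (tpylyfy.exe, ltjlchc.exe). The sample input is a handful of lines copied from the logs in this thread; `ALLOWED_DOMAINS` is an assumed allowlist to replace with your own, and the heuristics are the example's, not part of HijackThis.

```python
r"""Flag HijackThis log lines matching the patterns fixed in this thread (added example).

Three heuristics, each of which catches something in the logs posted above:
  1. an R0/R1 search or start page whose domain is not on an allowlist
     (the w-find.com hijack);
  2. several differently named O4 Run entries that all launch the same
     executable (ltjlchc.exe was registered eleven times under random names);
  3. an O4 Run entry whose target sits directly in the Windows directory
     instead of System32 or Program Files (tpylyfy.exe, ltjlchc.exe).
"""
import re
from collections import defaultdict

# Assumed allowlist of home/search-page domains; replace with your own.
ALLOWED_DOMAINS = {"www.google.com", "www.msn.com", "www.microsoft.com"}

R_LINE = re.compile(r"^R[01] - .+? = (?P<url>\S+)$")
O4_LINE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] "
    r'(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))'
)

# Constructed sample: lines copied from the logs in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ukqdlkn] c:\windows\tpylyfy.exe
O4 - HKCU\..\Run: [msqhasf] c:\windows\ltjlchc.exe
O4 - HKCU\..\Run: [pqwyoim] c:\windows\ltjlchc.exe
O4 - HKCU\..\Run: [mwtrrmx] c:\windows\ltjlchc.exe
""".strip().splitlines()


def _domain(url):
    m = re.match(r"https?://([^/]+)", url)
    return m.group(1).lower() if m else None


def triage(log_lines):
    """Map each suspicious line to the list of reasons it was flagged."""
    reasons = defaultdict(list)
    by_target = defaultdict(list)  # lowercased exe path -> O4 lines launching it
    for line in (raw.strip() for raw in log_lines):
        m = R_LINE.match(line)
        if m:
            dom = _domain(m.group("url"))
            if dom and dom not in ALLOWED_DOMAINS:
                reasons[line].append("browser setting points at %s" % dom)
            continue
        m = O4_LINE.match(line)
        if not m:
            continue
        path = (m.group("quoted") or m.group("bare")).lower()
        by_target[path].append(line)
        parent = path.rsplit("\\", 1)[0] if "\\" in path else ""
        if parent in ("c:\\windows", "c:\\winnt"):
            reasons[line].append("Run entry launches a file directly in the Windows directory")
    for path, lines in by_target.items():
        if len(lines) > 1:
            for line in lines:
                reasons[line].append("%d different Run names launch %s" % (len(lines), path))
    return dict(reasons)


if __name__ == "__main__":
    for line, why in triage(SAMPLE_LOG).items():
        print(line)
        for r in why:
            print("    ->", r)
```

Feed it a whole log (`triage(open("hijackthis.log").read().splitlines())`) and it returns only the lines worth a second look, each with the reason; legitimate entries such as ctfmon.exe and the QuickTime task are left alone because they live under System32 or Program Files and are registered once.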
#15 nijnijn (Member, Topic Starter, 25 posts)
We're on the way, but not there yet.

Logfile of HijackThis v1.99.1
Scan saved at 19:12:41, on 23/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\Documents and Settings\Stijn\Mijn documenten\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .ssc: C:\WINDOWS\Downloaded Program Files\Ubizen\SmartStart\NPSmartStart32.dll
O16 - DPF: FortisCzPc - https://www.fortisba.../FortisCzPC.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - http://www.telenet.b...pgweb/setup.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
