Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

HijackThis Binary Vanishes


  • Please log in to reply

#1
horizvert

horizvert

    New Member

  • Member
  • Pip
  • 8 posts
Thanks for reading this.

My computer was infected with malware a few days ago.

I have run Adaware, Spybot, Spyware Doctor, Cleanup40, CWShredder and trojan hunter. I have removed/fixed each line item that shows up.

I then sought to load Hijack This and get a log file. Because I am unable to get onto the internet without my machine becoming unusable (Processor Pegged 100%) , I am unable to load SP1a or any other applications.

I downloaded HijackThis on another computer and transferred it with a USB thumbdrive. When I open the thumbdrive contents, the HijackThis binary disappears.

I tried 6 or 7 times, I renamed the file and I also zipped it up. Regardless, as soon as I open the folder containing the HijackThis binary, it vanishes.

I started the PC in safemode and was able to run the application. The contents of the logfile are below.

I will appreciate any guidance on this topic.


Logfile of HijackThis v1.99.1
Scan saved at 9:59:04 PM, on 8/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\SYSTEM32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\Explorer.EXE
C:\WINXP\System32\rundll32.exe
C:\ashley\hijack\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intraweb.bcbsnc.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} - C:\WINXP\System32\rnsnxwrv.dll
O2 - BHO: (no name) - {7ED11B12-A6F5-B554-D71D-D21855F090BD} - C:\WINXP\System32\lwakteiq.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINXP\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [hclean32.exe] C:\WINXP\System32\hclean32.exe
O4 - HKLM\..\Run: [ttupt] C:\WINXP\ttupt.exe
O4 - HKLM\..\Run: [lanbrup] C:\WINXP\System32\lanbrup.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [dmgao.exe] C:\WINXP\System32\dmgao.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\Compaq\Compaq 11 Mbps Wireless PC Card\Config.exe
O4 - Global Startup: GroupWise Notify.lnk = C:\Novell\GroupWise\Notify.exe
O4 - Global Startup: RaConfig2500.lnk = C:\WINXP\system32\RaConfig2500.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O14 - IERESET.INF: START_PAGE_URL=http://intraweb.bcbsnc.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bcbsnc.com
O17 - HKLM\Software\..\Telephony: DomainName = bcbsnc.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B0A072E-9DD4-4789-B9BA-03B35F49A6D3}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{759E8A6B-6575-417D-87B0-A9AC3996219B}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6038660-064D-4CF4-BBF1-B17896B756C0}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{D804FB5F-1BDC-4FF8-9916-7C10504D3BA6}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bcbsnc.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bcbsnc.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = bcbsnc.com
O20 - Winlogon Notify: MCD - C:\WINXP\system32\tJpisrv.dll
O23 - Service: ActionAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINXP\System32\Ati2evxx.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: CWShredder Service - InterMute, Inc. - E:\CWShredder.exe
O23 - Service: DellDmi - Dell Computer Corporation - C:\DMI\WIN32\bin\DellDmi.exe
O23 - Service: DEventAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
O23 - Service: DLT - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\DLT.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NetIQ Endpoint (NetIQEndpoint) - NetIQ Corporation - C:\PROGRA~1\NetIQ\Endpoint\endpoint.exe
O23 - Service: OracleOHOME1ClientCache - Unknown owner - c:\oracle\ora90\BIN\ONRSD.EXE
O23 - Service: PostgreSQL Database Server 8.0 (pgsql-8.0) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.0\bin\pg_ctl.exe
O23 - Service: Software Distribution Updater (SwdisRestart) - Unknown owner - C:\Program Files\Tivoli\lcf\..\swdis\WebUI\swdres.exe
O23 - Service: Tivoli Remote Control Service (TME10RC) - TIVOLI Systems - C:\WINXP\RCSERV.EXE
O23 - Service: Win32Sl - Intel - C:\dmi\win32\bin\Win32sl.exe
  • 0

Advertisements







Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP