hijack log
hi im new, and i recently ran symantec's scan thinggy,and i got 16 viruses, ran the adaware thing and it got rid of 1 so im now here posting the log, plz help
Logfile of HijackThis v1.98.1
Scan saved at 11:04:30 PM, on 8/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Grisoft\AVG6\avgcc32.exe
E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
E:\Program Files\ATI Technologies\ATI HydraVision\HydraDM.exe
E:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
E:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
E:\Program Files\Winamp\winampa.exe
E:\WINDOWS\System32\Rlstard\Anti.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Program Files\AIM\aim.exe
E:\WINDOWS\System32\Ati2evxx.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Winamp\winamp.exe
E:\Program Files\Azureus\Azureus.exe
E:\Program Files\Java\j2re1.4.2_03\bin\javaw.exe
E:\crap\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=E:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG_CC] E:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [ATIPTA] E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] E:\Program Files\ATI Technologies\ATI HydraVision\HydraDM.exe
O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "E:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [nVidia Chip4] nvchip4.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KAZAA] "E:\Program Files\Kazaa Lite K++\kpp.exe" "E:\Program Files\Kazaa Lite K++\KazaaLite.kpp" /SYSTRAY
O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Microsoft Update] Microsoftx.exe
O4 - HKLM\..\Run: [Systmesy] Systmesy.exe
O4 - HKLM\..\Run: [Win Updater] winupdater.exe
O4 - HKLM\..\Run: [sxe52.tmp] E:\WINDOWS\System32\sxe52.tmp
O4 - HKLM\..\Run: [Reg_SAVER] E:\WINDOWS\System32\Rlstard\Anti.exe
O4 - HKLM\..\Run: [sxe7.tmp] E:\WINDOWS\System32\sxe7.tmp
O4 - HKLM\..\RunServices: [nVidia Chip4] nvchip4.exe
O4 - HKLM\..\RunServices: [Microsoft Update] Microsoftx.exe
O4 - HKLM\..\RunServices: [Systmesy] Systmesy.exe
O4 - HKLM\..\RunServices: [Win Updater] winupdater.exe
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] E:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ares] "E:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Steam] "e:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Microsoft Update] Microsoftx.exe
O4 - HKCU\..\Run: [Win Updater] winupdater.exe
O4 - HKCU\..\Run: [Systmesy] Systmesy.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
Logfile of HijackThis v1.98.1
Scan saved at 11:04:30 PM, on 8/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Grisoft\AVG6\avgcc32.exe
E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
E:\Program Files\ATI Technologies\ATI HydraVision\HydraDM.exe
E:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
E:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
E:\Program Files\Winamp\winampa.exe
E:\WINDOWS\System32\Rlstard\Anti.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Program Files\AIM\aim.exe
E:\WINDOWS\System32\Ati2evxx.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Winamp\winamp.exe
E:\Program Files\Azureus\Azureus.exe
E:\Program Files\Java\j2re1.4.2_03\bin\javaw.exe
E:\crap\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=E:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG_CC] E:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [ATIPTA] E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] E:\Program Files\ATI Technologies\ATI HydraVision\HydraDM.exe
O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "E:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [nVidia Chip4] nvchip4.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KAZAA] "E:\Program Files\Kazaa Lite K++\kpp.exe" "E:\Program Files\Kazaa Lite K++\KazaaLite.kpp" /SYSTRAY
O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Microsoft Update] Microsoftx.exe
O4 - HKLM\..\Run: [Systmesy] Systmesy.exe
O4 - HKLM\..\Run: [Win Updater] winupdater.exe
O4 - HKLM\..\Run: [sxe52.tmp] E:\WINDOWS\System32\sxe52.tmp
O4 - HKLM\..\Run: [Reg_SAVER] E:\WINDOWS\System32\Rlstard\Anti.exe
O4 - HKLM\..\Run: [sxe7.tmp] E:\WINDOWS\System32\sxe7.tmp
O4 - HKLM\..\RunServices: [nVidia Chip4] nvchip4.exe
O4 - HKLM\..\RunServices: [Microsoft Update] Microsoftx.exe
O4 - HKLM\..\RunServices: [Systmesy] Systmesy.exe
O4 - HKLM\..\RunServices: [Win Updater] winupdater.exe
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] E:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ares] "E:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Steam] "e:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Microsoft Update] Microsoftx.exe
O4 - HKCU\..\Run: [Win Updater] winupdater.exe
O4 - HKCU\..\Run: [Systmesy] Systmesy.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
0
This discussion has been closed.
Comments
O4 - HKLM\..\Run: [Microsoft Update] Microsoftx.exe
O4 - HKLM\..\Run: [Systmesy] Systmesy.exe
O4 - HKLM\..\Run: [Win Updater] winupdater.exe
O4 - HKLM\..\Run: [sxe52.tmp] E:\WINDOWS\System32\sxe52.tmp
O4 - HKLM\..\Run: [Reg_SAVER] E:\WINDOWS\System32\Rlstard\Anti.exe
O4 - HKLM\..\Run: [sxe7.tmp] E:\WINDOWS\System32\sxe7.tmp
O4 - HKLM\..\RunServices: [nVidia Chip4] nvchip4.exe
O4 - HKLM\..\RunServices: [Microsoft Update] Microsoftx.exe
O4 - HKLM\..\RunServices: [Systmesy] Systmesy.exe
O4 - HKLM\..\RunServices: [Win Updater] winupdater.exe
O4 - HKCU\..\Run: [Microsoft Update] Microsoftx.exe
O4 - HKCU\..\Run: [Win Updater] winupdater.exe
O4 - HKCU\..\Run: [Systmesy] Systmesy.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
Reboot in SAFE MODE, run HJT, and fix all of them.
Then, manually locate each of those files named in the entries. You may need to set your system to show hidden files and folders: http://www.short-media.com/forum/showpost.php?p=172588&postcount=3
Move these files to a new folder called :C:\Quarantine. Rename the the .exe's to .xxx. and the tmp's to .ttt. That way you can always replace them if it somehow turns out that one or more of these are necessary files....which is not likely, but quarantining is safer than deleting them.
Reboot normally, check things out, post a fresh HJT log for further assistance.
Dexter...
E:\WINDOWS\system32\explorer.dll is infected with Hacktool.Rootkit
E:\WINDOWS\system32\sxe7.tmp is infected with Hacktool.Rootkit
E:\WINDOWS\system32\TFTP3248 is infected with W32.Spybot.Worm
E:\WINDOWS\system32\WQAFS\shell.exe is infected with Hacktool.LsassSba
E:\WINDOWS\system32\WQAFS\sxe175.tmp is infected with Hacktool.LsassSba
E:\WINDOWS\system32\WQAFS\plugin\090-ntpass.xpn is infected with Hacktool
E:\WINDOWS\system32\Rlstard\h4ck.ini is infected with IRC Trojan
E:\WINDOWS\system32\Rlstard\shell.exe is infected with Hacktool
E:\WINDOWS\system32\Rlstard\plugin\090-ntpass.xpn is infected with Hacktool
wondering if that could help, HJT log follows
Logfile of HijackThis v1.98.1
Scan saved at 3:31:32 PM, on 8/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Grisoft\AVG6\avgcc32.exe
E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
E:\Program Files\ATI Technologies\ATI HydraVision\HydraDM.exe
E:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
E:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
E:\Program Files\Winamp\winampa.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Program Files\AIM\aim.exe
E:\WINDOWS\System32\Ati2evxx.exe
E:\PROGRA~1\Grisoft\AVG6\avgserv.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Winamp\winamp.exe
E:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=E:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG_CC] E:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [ATIPTA] E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] E:\Program Files\ATI Technologies\ATI HydraVision\HydraDM.exe
O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "E:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [nVidia Chip4] nvchip4.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KAZAA] "E:\Program Files\Kazaa Lite K++\kpp.exe" "E:\Program Files\Kazaa Lite K++\KazaaLite.kpp" /SYSTRAY
O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] E:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ares] "E:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Steam] "e:\program files\steam\steam.exe" -silent
O4 - Global Startup: InterVideo WinCinema Manager.lnk = E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
thanx for the help
-Lotous
Dexter...