
HJT log for review please

This is the HiJackThis log on a computer at work. Please help. Thanks.



Logfile of HijackThis v1.99.1
Scan saved at 2:00:27 PM, on 4/4/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\pqkmb\doiw.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\etxkftu\ylqv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\windows\system\hpsysdrv.exe
C:\Windows\system32\HpSrvUI.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\exp.exe
C:\WINDOWS\System32\wintask.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\WINDOWS\System32\brgnsi\uclxdj.exe
C:\WINDOWS\System32\ktbjbi\cpthgfk.exe
C:\WINDOWS\System32\duslman.exe
C:\WINDOWS\WinTask.exe
C:\WINDOWS\system\ggpot.exe
C:\Program Files\Comdata\Shared\Applications\CDAtl.exe
C:\Program Files\MailAlert\MailAlert.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\6HOJUT25\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Fellowes Proxy] C:\WINDOWS\System32\r3proxy.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [PaciSoft] C:\WINDOWS\System32\pacis.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitepyk32.exe
O4 - HKLM\..\Run: [uclxdj] C:\WINDOWS\System32\brgnsi\uclxdj.exe
O4 - HKLM\..\Run: [doiw] C:\WINDOWS\System32\pqkmb\doiw.exe
O4 - HKLM\..\Run: [ylqv] C:\WINDOWS\System32\etxkftu\ylqv.exe
O4 - HKLM\..\Run: [cpthgfk] C:\WINDOWS\System32\ktbjbi\cpthgfk.exe
O4 - HKLM\..\Run: [C:\WINDOWS\WinTask.exe] C:\WINDOWS\WinTask.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
O4 - HKLM\..\Run: [rsFP36R] duslman.exe
O4 - HKLM\..\Run: [PopMark] C:\WINDOWS\WinTask.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AutomatedTaskLauncher] C:\Program Files\Comdata\Shared\Applications\CDAtl.exe
O4 - HKCU\..\Run: [aBwFRWdFS] bfcill.exe
O4 - Startup: MailAlert.lnk = C:\Program Files\MailAlert\MailAlert.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NEC Sheduler.lnk = C:\Program Files\NEC\Scheduler\Schedule.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy (file missing)
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Diskeeper - Unknown owner - C:\Program Files\Executive Software\Diskeeper\DkService.exe (file missing)
O23 - Service: doiwpqkmb - Unknown owner - C:\WINDOWS\System32\pqkmb\doiw.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ylqvetxkftu - Unknown owner - C:\WINDOWS\System32\etxkftu\ylqv.exe

Comments

  • jaredjared College Station, TX Icrontian
    edited April 2005
    Alrighty, Welcome to Short-Media! :)

    I will try to make this as easy, quick, and painless as possible :cool:

    I need you to get a couple of programs ready to use. Since you already have HJT (on a side note, next time you need to extract HJT before you run it), I just need you to download Ad-Aware. You can get this utility from the Short-Media download page or from Download.com. After you have installed it go ahead and update the defs so it will pick up all the recent threats. If you are not sure how to do this see the guide HERE.

    Once you have updated AdAware, don't worry about scanning yet. Now I want you to reboot into 'Safe Mode'. To do this reboot your PC. As it starts to power back up tap 'F8' on the keyboard until you are presented with a menu. If you get the Windows screen you were not fast enough. When the menu comes up just select 'Safe Mode'.

    Once you are in safe mode go ahead and fire up your copy of HiJackThis. Now I want you to select and delete the following entries:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
    O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
    O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
    O4 - HKLM\..\Run: [PaciSoft] C:\WINDOWS\System32\pacis.exe
    O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
    O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
    O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
    O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
    O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitepyk32.exe
    O4 - HKLM\..\Run: [uclxdj] C:\WINDOWS\System32\brgnsi\uclxdj.exe
    O4 - HKLM\..\Run: [doiw] C:\WINDOWS\System32\pqkmb\doiw.exe
    O4 - HKLM\..\Run: [ylqv] C:\WINDOWS\System32\etxkftu\ylqv.exe
    O4 - HKLM\..\Run: [cpthgfk] C:\WINDOWS\System32\ktbjbi\cpthgfk.exe
    O4 - HKLM\..\Run: [C:\WINDOWS\WinTask.exe] C:\WINDOWS\WinTask.exe
    O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
    O4 - HKLM\..\Run: [rsFP36R] duslman.exe
    O4 - HKLM\..\Run: [PopMark] C:\WINDOWS\WinTask.exe
    O4 - HKCU\..\Run: [AutomatedTaskLauncher] C:\Program Files\Comdata\Shared\Applications\CDAtl.exe
    O4 - HKCU\..\Run: [aBwFRWdFS] bfcill.exe
    O23 - Service: doiwpqkmb - Unknown owner - C:\WINDOWS\System32\pqkmb\doiw.exe
    O23 - Service: ylqvetxkftu - Unknown owner - C:\WINDOWS\System32\etxkftu\ylqv.exe


    Once you have removed these entries you can close HJT.

    Now I want you to open up that Ad-Aware program. Go ahead and run a FULL system scan. It should remove most of these files on your system.

    After the scan completes select and remove the questionable objects it finds.

    Go ahead and reboot. I would recommend making sure your Anti-Virus program is up to date and then running a full system scan to make sure you still don't have a trojan on there.

    You can read up on how to keep your system from getting reinfected HERE. Also I would recommend not using Internet Explorer and switching to Firefox. If you want more info on that just click 'Firefox' in my signature.

    Good luck!
    :cool:
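The structural cues behind the entries picked out above (Run values that are bare filenames with no path, executables in freshly made subfolders under System32, services with no known owner launched from such folders, and IE hook entries that point at no file) can be checked mechanically. The script below is an added example, not part of the thread or of HijackThis itself; its rules are my own heuristics for the HJT v1.99 line format, and the sample log is constructed from the shape of the posted log. It does not reproduce the parts of the review that rest on recognising known adware names.

```python
import re

# Constructed sample in HijackThis v1.99 format, shaped like the log in this thread
# (only the line types the rules below act on are included).
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [doiw] C:\WINDOWS\System32\pqkmb\doiw.exe
O4 - HKLM\..\Run: [rsFP36R] duslman.exe
O4 - HKCU\..\Run: [aBwFRWdFS] bfcill.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ylqvetxkftu - Unknown owner - C:\WINDOWS\System32\etxkftu\ylqv.exe
"""

# O4 - HKLM\..\Run: [name] command
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# O23 - Service: name - owner - path
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# An .exe sitting in a subfolder created directly under System32 (e.g. System32\pqkmb\doiw.exe);
# legitimate software almost never installs that way, so it is a strong triage cue.
SYS32_SUBDIR_RE = re.compile(r"\\system32\\[^\\]+\\[^\\]+\.exe", re.IGNORECASE)


def triage(log_text):
    """Return (line, reason) pairs for entries the structural rules consider suspicious."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        # R0/R1/R3 entries that reference a file which no longer exists are leftovers.
        if line.startswith(("R0", "R1", "R3")) and line.endswith("(no file)"):
            hits.append((line, "orphaned IE hook/URL entry pointing at no file"))
            continue
        m = RUN_RE.match(line)
        if m:
            cmd = m.group("cmd")
            # A lone filename is resolved through the search path, which is how
            # files dropped into System32 get started without revealing a path.
            if "\\" not in cmd and len(cmd.split()) == 1 and cmd.lower().endswith(".exe"):
                hits.append((line, "Run value is a bare filename resolved via the search path"))
            elif SYS32_SUBDIR_RE.search(cmd):
                hits.append((line, "executable in a subfolder dropped under System32"))
            continue
        m = SVC_RE.match(line)
        if m and m.group("owner") == "Unknown owner" and SYS32_SUBDIR_RE.search(m.group("path")):
            hits.append((line, "service with no known owner launched from a System32 subfolder"))
    return hits


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}:\n    {entry}")
```

Run against the full posted log it flags the doiw/ylqv/uclxdj/cpthgfk entries, the two bare-filename Run values, the R3 hook and the two unknown-owner services, while leaving the Symantec, NVIDIA and HP lines alone.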