Browser Hijack...Please Help with HJT Log
I think I see some lines there that I should fix, but anyway I thought I could use some expert help.
Here is my log:
Logfile of HijackThis v1.99.1
Scan saved at 2:49:51, on 14-07-2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Programas\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\wdfmngr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\HP\Digital Imaging\bin\hpqtra08.exe
c:\progra~1\intern~1\iexplore.exe
C:\Documents and Settings\Alves da Costa\Os meus documentos\FICH_INSTAL\hijackthis_199\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.sapo.pt
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.unzfguwszxgahu.com/eLUddF3EvXLkSfutu61oHjk8ls60Nb2a0BI0u_oZOH6NMBhsDxqQEd1JKDtNKbKD.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.htgnahxxtpjyxnyhuz.org/eLUddF3EvXJ_PgP4Snrk_xS6RgoVPVViFShhwU0RRoY.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.sapo.pt
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.sapo.pt
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
R3 - URLSearchHook: (no name) - {0357F5B2-4458-2F81-3C02-E692509F02D6} - cmon14.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKCU\..\Run: [softmix] C:\DOCUME~1\ANARIT~1\APPLIC~1\DRAWEG~1\Cdrom mapi style.exe
O4 - HKCU\..\Run: [DA597266] C:\WINDOWS\sys546.exe
O4 - HKCU\..\Run: [FF1279D3] C:\WINDOWS\sys5422.exe
O4 - HKCU\..\Run: [DFB119D3] C:\WINDOWS\sys5511.exe
O4 - HKCU\..\Run: [AFB109D6] C:\WINDOWS\sys5557.exe
O4 - HKCU\..\Run: [4E1279DE] C:\WINDOWS\sys5628.exe
O4 - HKCU\..\Run: [9C127DD3] C:\WINDOWS\sys5233.exe
O4 - HKCU\..\Run: [FA581266] C:\WINDOWS\sys577.exe
O4 - HKCU\..\Run: [8EB119D6] C:\WINDOWS\sys5716.exe
O4 - HKCU\..\Run: [DEB105DB] C:\WINDOWS\sys5749.exe
O4 - HKCU\..\Run: [8EB109D6] C:\WINDOWS\sys5756.exe
O4 - HKCU\..\Run: [E9127DD6] C:\WINDOWS\sys5835.exe
O4 - HKCU\..\Run: [D91309DB] C:\WINDOWS\sys5859.exe
O4 - HKCU\..\Run: [A9B079D6] C:\WINDOWS\sys5927.exe
O4 - HKCU\..\Run: [A9B109D6] C:\WINDOWS\sys5957.exe
O4 - HKCU\..\Run: [49B109D6] C:\WINDOWS\sys5950.exe
O4 - HKCU\..\Run: [F1497263] C:\WINDOWS\sys042.exe
O4 - HKCU\..\Run: [41597A66] C:\WINDOWS\sys120.exe
O4 - HKCU\..\Run: [40496666] C:\WINDOWS\sys230.exe
O4 - HKCU\..\Run: [90497263] C:\WINDOWS\sys243.exe
O4 - HKCU\..\Run: [E0596E66] C:\WINDOWS\sys315.exe
O4 - HKCU\..\Run: [BA497A66] C:\WINDOWS\sys425.exe
O4 - HKCU\..\Run: [CA496663] C:\WINDOWS\sys433.exe
O4 - HKCU\..\Run: [8A497E6B] C:\WINDOWS\sys459.exe
O4 - HKCU\..\Run: [97E25D06] C:\WINDOWS\sys51.exe
O4 - HKCU\..\Run: [1A59726E] C:\WINDOWS\sys548.exe
O4 - HKCU\..\Run: [19496E6E] C:\WINDOWS\sys618.exe
O4 - HKCU\..\Run: [19497E66] C:\WINDOWS\sys650.exe
O4 - HKCU\..\Run: [A9497E63] C:\WINDOWS\sys652.exe
O4 - HKCU\..\Run: [BA596666] C:\WINDOWS\sys535.exe
O4 - HKCU\..\Run: [99597E66] C:\WINDOWS\sys754.exe
O4 - HKCU\..\Run: [D9597E66] C:\WINDOWS\sys756.exe
O4 - HKCU\..\Run: [BC497266] C:\WINDOWS\sys845.exe
O4 - HKCU\..\Run: [DC497266] C:\WINDOWS\sys846.exe
O4 - HKCU\..\Run: [1C49726E] C:\WINDOWS\sys848.exe
O4 - HKCU\..\Run: [8C597A6B] C:\WINDOWS\sys929.exe
O4 - HKCU\..\Run: [CC597263] C:\WINDOWS\sys943.exe
O4 - HKCU\..\Run: [9D13D9D3] C:\WINDOWS\sys1013.exe
O4 - HKCU\..\Run: [DDB0B9D3] C:\WINDOWS\sys1121.exe
O4 - HKCU\..\Run: [9DB0BDD3] C:\WINDOWS\sys1133.exe
O4 - HKCU\..\Run: [DC13D9D3] C:\WINDOWS\sys1211.exe
O4 - HKCU\..\Run: [91597A63] C:\WINDOWS\sys123.exe
O4 - HKCU\..\Run: [8C13C9D6] C:\WINDOWS\sys1256.exe
O4 - HKCU\..\Run: [9CB1C5D3] C:\WINDOWS\sys1343.exe
O4 - HKCU\..\Run: [F1596663] C:\WINDOWS\sys132.exe
O4 - HKCU\..\Run: [4159726E] C:\WINDOWS\sys148.exe
O4 - HKCU\..\Run: [CFB1C9D6] C:\WINDOWS\sys1554.exe
O4 - HKCU\..\Run: [DF13C9DB] C:\WINDOWS\sys1459.exe
O4 - HKCU\..\Run: [AF12B9D6] C:\WINDOWS\sys1427.exe
O4 - HKCU\..\Run: [EFB1C9D6] C:\WINDOWS\sys1555.exe
O4 - HKCU\..\Run: [AEB1D9D6] C:\WINDOWS\sys1717.exe
O4 - HKCU\..\Run: [8913D9D6] C:\WINDOWS\sys1816.exe
O4 - HKCU\..\Run: [4912BDDE] C:\WINDOWS\sys1838.exe
O4 - HKCU\..\Run: [E9B0B9D6] C:\WINDOWS\sys1925.exe
O4 - HKCU\..\Run: [D913C5DB] C:\WINDOWS\sys1849.exe
O4 - HKCU\..\Run: [A0496266] C:\WINDOWS\sys207.exe
O4 - HKCU\..\Run: [D9B1D9DB] C:\WINDOWS\sys1919.exe
O4 - HKCU\..\Run: [4D13F356] C:\WINDOWS\sys2010.exe
O4 - HKCU\..\Run: [4D13EF56] C:\WINDOWS\sys2040.exe
O4 - HKCU\..\Run: [FD13EF53] C:\WINDOWS\sys2042.exe
O4 - HKCU\..\Run: [ACB079D6] C:\WINDOWS\sys5327.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programas\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programas\Ficheiros comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programas\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programas\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {AF5198F8-1145-49A4-8873-5D9C989BEE46} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {AF5198F8-1145-49A4-8873-5D9C989BEE46} - (no file) (HKCU)
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1114350603011
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programas\ewido\security suite\ewidoctrl.exe
O23 - Service: HttpsV2 - Unknown owner - C:\WINDOWS\System32\wdfmngr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
Just another question... how is it possible that on the same PC the HJT log of another user can be as different as this:
Logfile of HijackThis v1.99.1
Scan saved at 2:48:47, on 14-07-2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Programas\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\wdfmngr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Documents and Settings\Alves da Costa\Os meus documentos\FICH_INSTAL\hijackthis_199\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sapo.pt/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.sapo.pt
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - Startup: Webshots.lnk = C:\Programas\Webshots\Launcher.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programas\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programas\Ficheiros comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programas\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programas\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\MSMSGS.EXE
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1114350603011
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programas\ewido\security suite\ewidoctrl.exe
O23 - Service: HttpsV2 - Unknown owner - C:\WINDOWS\System32\wdfmngr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
thanks for all your help!
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.sapo.pt
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.unzfguwszxgahu.com/eLUdd...d1JKDtNKbKD.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.htgnahxxtpjyxnyhuz.org/e...ShhwU0RRoY.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.sapo.pt
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.sapo.pt
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
R3 - URLSearchHook: (no name) - {0357F5B2-4458-2F81-3C02-E692509F02D6} - cmon14.dll (file missing)
O4 - HKCU\..\Run: [softmix] C:\DOCUME~1\ANARIT~1\APPLIC~1\DRAWEG~1\Cdrom mapi style.exe
O4 - HKCU\..\Run: [DA597266] C:\WINDOWS\sys546.exe
O4 - HKCU\..\Run: [FF1279D3] C:\WINDOWS\sys5422.exe
O4 - HKCU\..\Run: [DFB119D3] C:\WINDOWS\sys5511.exe
O4 - HKCU\..\Run: [AFB109D6] C:\WINDOWS\sys5557.exe
O4 - HKCU\..\Run: [4E1279DE] C:\WINDOWS\sys5628.exe
O4 - HKCU\..\Run: [9C127DD3] C:\WINDOWS\sys5233.exe
O4 - HKCU\..\Run: [FA581266] C:\WINDOWS\sys577.exe
O4 - HKCU\..\Run: [8EB119D6] C:\WINDOWS\sys5716.exe
O4 - HKCU\..\Run: [DEB105DB] C:\WINDOWS\sys5749.exe
O4 - HKCU\..\Run: [8EB109D6] C:\WINDOWS\sys5756.exe
O4 - HKCU\..\Run: [E9127DD6] C:\WINDOWS\sys5835.exe
O4 - HKCU\..\Run: [D91309DB] C:\WINDOWS\sys5859.exe
O4 - HKCU\..\Run: [A9B079D6] C:\WINDOWS\sys5927.exe
O4 - HKCU\..\Run: [A9B109D6] C:\WINDOWS\sys5957.exe
O4 - HKCU\..\Run: [49B109D6] C:\WINDOWS\sys5950.exe
O4 - HKCU\..\Run: [F1497263] C:\WINDOWS\sys042.exe
O4 - HKCU\..\Run: [41597A66] C:\WINDOWS\sys120.exe
O4 - HKCU\..\Run: [40496666] C:\WINDOWS\sys230.exe
O4 - HKCU\..\Run: [90497263] C:\WINDOWS\sys243.exe
O4 - HKCU\..\Run: [E0596E66] C:\WINDOWS\sys315.exe
O4 - HKCU\..\Run: [BA497A66] C:\WINDOWS\sys425.exe
O4 - HKCU\..\Run: [CA496663] C:\WINDOWS\sys433.exe
O4 - HKCU\..\Run: [8A497E6B] C:\WINDOWS\sys459.exe
O4 - HKCU\..\Run: [97E25D06] C:\WINDOWS\sys51.exe
O4 - HKCU\..\Run: [1A59726E] C:\WINDOWS\sys548.exe
O4 - HKCU\..\Run: [19496E6E] C:\WINDOWS\sys618.exe
O4 - HKCU\..\Run: [19497E66] C:\WINDOWS\sys650.exe
O4 - HKCU\..\Run: [A9497E63] C:\WINDOWS\sys652.exe
O4 - HKCU\..\Run: [BA596666] C:\WINDOWS\sys535.exe
O4 - HKCU\..\Run: [99597E66] C:\WINDOWS\sys754.exe
O4 - HKCU\..\Run: [D9597E66] C:\WINDOWS\sys756.exe
O4 - HKCU\..\Run: [BC497266] C:\WINDOWS\sys845.exe
O4 - HKCU\..\Run: [DC497266] C:\WINDOWS\sys846.exe
O4 - HKCU\..\Run: [1C49726E] C:\WINDOWS\sys848.exe
O4 - HKCU\..\Run: [8C597A6B] C:\WINDOWS\sys929.exe
O4 - HKCU\..\Run: [CC597263] C:\WINDOWS\sys943.exe
O4 - HKCU\..\Run: [9D13D9D3] C:\WINDOWS\sys1013.exe
O4 - HKCU\..\Run: [DDB0B9D3] C:\WINDOWS\sys1121.exe
O4 - HKCU\..\Run: [9DB0BDD3] C:\WINDOWS\sys1133.exe
O4 - HKCU\..\Run: [DC13D9D3] C:\WINDOWS\sys1211.exe
O4 - HKCU\..\Run: [91597A63] C:\WINDOWS\sys123.exe
O4 - HKCU\..\Run: [8C13C9D6] C:\WINDOWS\sys1256.exe
O4 - HKCU\..\Run: [9CB1C5D3] C:\WINDOWS\sys1343.exe
O4 - HKCU\..\Run: [F1596663] C:\WINDOWS\sys132.exe
O4 - HKCU\..\Run: [4159726E] C:\WINDOWS\sys148.exe
O4 - HKCU\..\Run: [CFB1C9D6] C:\WINDOWS\sys1554.exe
O4 - HKCU\..\Run: [DF13C9DB] C:\WINDOWS\sys1459.exe
O4 - HKCU\..\Run: [AF12B9D6] C:\WINDOWS\sys1427.exe
O4 - HKCU\..\Run: [EFB1C9D6] C:\WINDOWS\sys1555.exe
O4 - HKCU\..\Run: [AEB1D9D6] C:\WINDOWS\sys1717.exe
O4 - HKCU\..\Run: [8913D9D6] C:\WINDOWS\sys1816.exe
O4 - HKCU\..\Run: [4912BDDE] C:\WINDOWS\sys1838.exe
O4 - HKCU\..\Run: [E9B0B9D6] C:\WINDOWS\sys1925.exe
O4 - HKCU\..\Run: [D913C5DB] C:\WINDOWS\sys1849.exe
O4 - HKCU\..\Run: [A0496266] C:\WINDOWS\sys207.exe
O4 - HKCU\..\Run: [D9B1D9DB] C:\WINDOWS\sys1919.exe
O4 - HKCU\..\Run: [4D13F356] C:\WINDOWS\sys2010.exe
O4 - HKCU\..\Run: [4D13EF56] C:\WINDOWS\sys2040.exe
O4 - HKCU\..\Run: [FD13EF53] C:\WINDOWS\sys2042.exe
O4 - HKCU\..\Run: [ACB079D6] C:\WINDOWS\sys5327.exe
Fix those entries, then find and delete the following files:
C:\WINDOWS\sys****.exe
C:\WINDOWS\sys***.exe
C:\WINDOWS\sys**.exe
C:\DOCUME~1\ANARIT~1\APPLIC~1\DRAWEG~1\Cdrom mapi style.exe
Where * represents a random digit.
Then reboot your computer and post a new log.
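The helper's post above picks the bad entries out by eye. As an added example, not part of the original thread and not code from HijackThis itself, the Python script below applies the same rules to lines in the HJT v1.99 log format: R0/R1 values whose host is not the user's real home domain, an R3 URLSearchHook whose DLL is missing, O4 Run entries with auto-generated 8-hex-digit names or `sys<digits>.exe` targets, and, as "review" rather than "fix", Run entries launching from Application Data and O23 services with no owner. The sample log is constructed from entries quoted in this thread (not the full log), and `sapo.pt` as the legitimate home domain is an assumption taken from the poster's own R0/R1 lines.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample in the HijackThis v1.99 log format, modelled on the
# entries quoted in this thread; it is not the complete log from the page.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.sapo.pt
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.unzfguwszxgahu.com/eLUddF3EvXLkSfutu61oHjk8ls60Nb2a0BI0u_oZOH6NMBhsDxqQEd1JKDtNKbKD.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.htgnahxxtpjyxnyhuz.org/eLUddF3EvXJ_PgP4Snrk_xS6RgoVPVViFShhwU0RRoY.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - URLSearchHook: (no name) - {0357F5B2-4458-2F81-3C02-E692509F02D6} - cmon14.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKCU\..\Run: [softmix] C:\DOCUME~1\ANARIT~1\APPLIC~1\DRAWEG~1\Cdrom mapi style.exe
O4 - HKCU\..\Run: [DA597266] C:\WINDOWS\sys546.exe
O4 - HKCU\..\Run: [FF1279D3] C:\WINDOWS\sys5422.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programas\HP\Digital Imaging\bin\hpqtra08.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: HttpsV2 - Unknown owner - C:\WINDOWS\System32\wdfmngr.exe
"""

# Line shapes used by HJT 1.99 for the sections we care about.
R_URL = re.compile(r"^(R[01]) - (HKCU|HKLM)\\.*?,(?P<key>[^=]+?) =\s*(?P<value>.*)$")
O4_RUN = re.compile(r"^O4 - (?P<hive>HKCU|HKLM)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<target>.+)$")
O23_SVC = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

HEX8 = re.compile(r"^[0-9A-F]{8}$")           # auto-generated value names like [DA597266]
SYS_EXE = re.compile(r"^sys\d+\.exe$", re.I)  # the C:\WINDOWS\sys<digits>.exe droppers
APPDATA = re.compile(r"\\(APPLIC~1|Application Data)\\", re.I)


@dataclass(frozen=True)
class Finding:
    action: str   # "fix" (tick it in HJT) or "review" (needs a human decision)
    reason: str
    line: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def triage(log: str, home_domain: str) -> list[Finding]:
    """Walk an HJT log and flag the entries a helper would ask the poster to fix.

    home_domain is the domain the user actually chose as a home page
    (sapo.pt in this thread); any other R0/R1 target is treated as a hijack.
    """
    findings: list[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue

        # R0/R1: start page, search page, search bar, local page.
        m = R_URL.match(line)
        if m:
            value = m.group("value")
            if not value:
                continue  # an empty HKLM start page is not a hijack
            host = (urlparse(value).hostname or "").lower()
            if not (host == home_domain or host.endswith("." + home_domain)):
                findings.append(Finding("fix", f"IE {m.group('key')} points at {host}", line))
            continue

        # R3: a URLSearchHook whose DLL is gone is a leftover of a hijacker.
        if line.startswith("R3 - ") and "(file missing)" in line:
            findings.append(Finding("fix", "URLSearchHook with missing DLL", line))
            continue

        # O4: Run keys. Random 8-hex names and sys<digits>.exe targets are the
        # pattern the helper told the poster to remove; Application Data
        # launchers get a second look instead of an automatic verdict.
        m = O4_RUN.match(line)
        if m:
            name, target = m.group("name"), m.group("target")
            if HEX8.match(name) or SYS_EXE.match(basename(target)):
                findings.append(Finding("fix", f"random-name Run entry [{name}] -> {basename(target)}", line))
            elif APPDATA.search(target):
                findings.append(Finding("review", f"Run entry launching from Application Data ({m.group('hive')})", line))
            continue

        # O23: a service with no recognisable owner deserves a second look.
        m = O23_SVC.match(line)
        if m and m.group("owner") == "Unknown owner":
            findings.append(Finding("review", f"service {m.group('display')} has no owner: {m.group('path')}", line))
    return findings


def fix_list(findings: list[Finding]) -> list[str]:
    """The log lines to tick in HijackThis, in log order."""
    return [f.line for f in findings if f.action == "fix"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, "sapo.pt"):
        print(f"{f.action:6} {f.reason}")
```

On the sample this yields five "fix" lines (the two hijacked R0/R1 URLs, the missing-DLL R3 hook and the two `sys<digits>.exe` Run entries) and two "review" lines (the `softmix` launcher under Application Data and the `HttpsV2` service). Note that every flagged R0/R1 and O4 entry in the poster's log lives under HKCU, which is per-user: HijackThis reads the hive of whoever is logged on, so a log taken from another account on the same machine will not show them.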
Fixed all those entries from the HJT log.
Deleted all the WINDOWS\sys****.exe files (there were lots of them!)
Deleted:
C:\DOCUME~1\ANARIT~1\APPLIC~1\DRAWEG~1\Cdrom mapi style.exe
Then I went to look inside «C:\DOCUME~1\ANARIT~1\APPLIC~1\» and found the folder «DrawEggsBalm»; it has 10 more exe files, one of them called «Acid Trust Joy» and the 9 others with suspicious names such as «ghkvkvtp» and similar.
Should I delete them as well?
(The user in question is 14-year-old Rita, who was allowed to have an administrator account for a few minutes to install a game.)
The new HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 11:03:21, on 14-07-2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\wdfmngr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\HP\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\Alves da Costa\Os meus documentos\FICH_INSTAL\hijackthis_199\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sapo.pt/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programas\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programas\Ficheiros comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programas\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programas\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {AF5198F8-1145-49A4-8873-5D9C989BEE46} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {AF5198F8-1145-49A4-8873-5D9C989BEE46} - (no file) (HKCU)
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1114350603011
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: HttpsV2 - Unknown owner - C:\WINDOWS\System32\wdfmngr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
Fix these two entries:
O9 - Extra button: Microsoft AntiSpyware helper - {AF5198F8-1145-49A4-8873-5D9C989BEE46} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {AF5198F8-1145-49A4-8873-5D9C989BEE46} - (no file) (HKCU)
Once you have removed them, run Panda's free online virus scan. There may be some items it cannot remove. Post a log of those items here.
http://www.pandasoftware.com/activescan/
Ran Panda ActiveScan and it found items it couldn't remove.
Here's the report:
Incident                        Status           Location
Adware:Adware/Tubby             No disinfected   C:\WINDOWS\System32\t.exe
Adware:Adware/CWS.Searchmeup    No disinfected   C:\new.exe
Adware:Adware/Msnagent          No disinfected   C:\WINDOWS\System32\dosxpd.exe
Adware:Adware/CWS.Searchmeup    No disinfected   C:\new.exe
Adware:Adware/Msnagent          No disinfected   C:\WINDOWS\system32\dosxpd.exe
Adware:Adware/Tubby             No disinfected   C:\WINDOWS\system32\t.exe
Adware:Adware/Lop               No disinfected   C:\Programas\axis wma camp\dart ante.exe
thanks for all your help
C:\WINDOWS\System32\t.exe
C:\new.exe
C:\WINDOWS\System32\dosxpd.exe
C:\Programas\axis wma camp\dart ante.exe
Then boot back into Normal Mode and post a new log.
C:\WINDOWS\System32\t.exe
C:\WINDOWS\System32\dosxpd.exe
C:\Programas\axis wma camp\dart ante.exe
But I could NOT find:
C:\new.exe
I looked for it in every user's account.
I booted back into Normal Mode and ran Panda Active Scan again.
It found 1 infected item. Here's the report:
Incident                        Status           Location
Adware:Adware/CWS.Searchmeup    No disinfected   C:\new.exe
And here's the new HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 21:15:14, on 14-07-2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Programas\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\wdfmngr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Alves da Costa\Os meus documentos\FICH_INSTAL\hijackthis_199\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sapo.pt/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programas\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programas\Ficheiros comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programas\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programas\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\MSMSGS.EXE
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1114350603011
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{69549A9C-122D-4E4E-9686-41FAEF5C200D}: NameServer = 69.50.188.180 85.255.112.5
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programas\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programas\ewido\security suite\ewidoguard.exe
O23 - Service: HttpsV2 - Unknown owner - C:\WINDOWS\System32\wdfmngr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
A question...
While looking for «new.exe» I found these 4 suspicious exe files in C:\ and they had the install dates of 4/July/2005, which is suspicious too.
Lax.exe
ygcs.exe
ymta.exe
yss.exe
Do you think I should remove these as well?
Thank you for the help!!
It still reports that new.exe is at C:\
Incident                        Status           Location
Adware:Adware/CWS.Searchmeup    No disinfected   C:\new.exe
And I still can't "see" it there
(and I do have it set to show hidden files)
I did search for "searchmeup" and I found an HTML file in Temporary Internet Files, which I deleted.
I must tell you that the browser is not being hijacked anymore - it goes to the chosen start page - but I sure would feel better if I could get rid of this pest.
Please, what else can I do now?
Thanks!!!