TopAntiSpyware infected computer hijack this log - Techist - Tech Forum

Old 04-05-2005, 08:00 PM   #1 (permalink)
Newb Techie
 
Join Date: Apr 2005
Posts: 10
Default TopAntiSpyware infected computer hijack this log

I scanned and found 29 spyware things, deleted them all, and it's still there. Someone please help!!! Here is my HijackThis log.


Logfile of HijackThis v1.99.1
Scan saved at 9:00:35 PM, on 05/04/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\mcafee.com\VSO\mcshield.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\mcafee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\mcafee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\Program Files\mcafee.com\Agent\mcupdate.exe /embedding
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers Hi-Speed Internet\RHSI SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMREMIND.EXE
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {038A0246-40AD-42E9-AB47-8CE0D5B6047A} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {038A0246-40AD-42E9-AB47-8CE0D5B6047A} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {298359D2-F12D-4594-A996-BC1F776F6E74} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {298359D2-F12D-4594-A996-BC1F776F6E74} - (no file) (HKCU)
O12 - Plugin for .bmp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hispeed.rogers.com
O15 - Trusted Zone: http://www.neopets.com
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary...t.cab30149.cab
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - C:\Program Files\mcafee.com\VSO\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Opaque is offline  
Old 04-08-2005, 08:46 PM   #2 (permalink)
Newb Techie
 
Join Date: Apr 2005
Posts: 10
Default

Someone .. Please!!!
Opaque is offline  
Old 04-11-2005, 10:01 PM   #3 (permalink)
Monster Techie
 
Join Date: Oct 2002
Posts: 1,134
Default

Hi:

Please consider updating both XP and IE6 with the latest service packs, as this is a big part of your problem!!


Before attacking an adware/spyware problem with hijackthis make sure you have already run ad-aware SE with VX2 add-on cleaner, Spybot Search & Destroy (with updated database) and CWShredder as these programs will clean a lot of the crap out first. All links to programs are in my signature. Ok..on to the log…..

If you have a high-speed connection, please run an online virus scan from TrendMicro. Please select the “autoclean” option when prompted to do so.

Download and install CleanUp http://cleanup.stevengould.org/

Download DelDomains.inf
Right-click and select..... Save Target As

To use: Right-click and select....... Install (no need to restart)
**Note** This will remove all entries in the "Trusted Zone"


Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also. Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Open add/remove programs and remove the following if listed.

WildTangent
Security iGuard


Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be but make sure)

C:\Program Files\WildTangent\Apps\GameChannel.exe

Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry)

O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Microsoft AntiSpyware helper - {038A0246-40AD-42E9-AB47-8CE0D5B6047A} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {038A0246-40AD-42E9-AB47-8CE0D5B6047A} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {298359D2-F12D-4594-A996-BC1F776F6E74} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {298359D2-F12D-4594-A996-BC1F776F6E74} - (no file) (HKCU)
O15 - Trusted Zone: http://www.neopets.com



Delete the following Files/Folders in RED (delete folders if no filename is specified or if they are highlighted in RED) according to their directory (If you can't find them, do a search for them; make sure you have search hidden files, folders, subdirectories, etc. enabled if it applies to your OS)

C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\Program Files\Security iGuard\Security iGuard.exe
C:\WINDOWS\System32\srvc32.exe
C:\WINDOWS\System32\spoolsrv32.exe


Now run the cleanup utility and reboot/logoff when prompted.

Once done reboot into Normal Mode and post a new HijackThis log file to confirm what was removed and if it's clean or not
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!


Spyware/Adware Remover Downloads
Hijackthis
Ad-aware SE
Spybot Search&Destroy
SpywareBlaster
CWShredder
MicroBell is offline  
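The log in post #1 and the "check and fix" list above are both worked by hand: read each O4 line, work out which executable it really launches (the WildTangent entry hides its payload behind RUNDLL32), notice the same System32 files registered under RunOnce in both HKLM and HKCU, and after cleaning, confirm in a fresh log that the listed lines are gone. The following Python is an added example that does those steps mechanically; it is not part of the thread and not HijackThis's own code. The parser, the function names and the sample log (O4 lines copied from the log posted above, constructed here as inline input) are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: O4 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers Hi-Speed Internet\RHSI SelfHealing\SHS.exe" /background
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
"""

# Two shapes of O4 line: registry Run/RunOnce values, and Startup-folder shortcuts.
REG_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] (.*)$")
STARTUP_RE = re.compile(r"^O4 - (Global Startup|Startup): (.*?) = (.*)$")


@dataclass
class O4Entry:
    location: str  # e.g. "HKLM\..\RunOnce" or "Startup"
    name: str      # registry value name or .lnk name
    command: str   # command line exactly as HijackThis printed it
    image: str     # executable or DLL that actually gets loaded


def launched_image(command: str) -> str:
    """Return the file a command line really loads (unwrapping rundll32)."""
    cmd = command.strip()
    quoted = re.match(r'^"([^"]+)"', cmd)
    if quoted:
        image, rest = quoted.group(1), cmd[quoted.end():]
    else:
        # Unquoted paths may contain spaces, so cut at the first ".exe" token.
        m = re.match(r"^(.+?\.exe)(?=\s|$)", cmd, re.IGNORECASE)
        if not m:
            return cmd.split()[0] if cmd else ""
        image, rest = m.group(1), cmd[m.end():]
    basename = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if basename == "rundll32.exe":
        # rundll32 is only a host process; the DLL it is handed is the payload.
        arg = re.match(r'^\s*(?:"([^"]+)"|([^,\s]+))', rest)
        if arg:
            return arg.group(1) or arg.group(2)
    return image


def parse_o4(log_text: str) -> List[O4Entry]:
    entries: List[O4Entry] = []
    for line in log_text.splitlines():
        line = line.strip()
        m = REG_RE.match(line)
        if m:
            hive, key, name, command = m.groups()
            entries.append(O4Entry(f"{hive}\\..\\{key}", name, command, launched_image(command)))
            continue
        m = STARTUP_RE.match(line)
        if m:
            where, name, command = m.groups()
            entries.append(O4Entry(where, name, command, launched_image(command)))
    return entries


def images_in_multiple_locations(entries: List[O4Entry]) -> Dict[str, List[str]]:
    """Images registered from more than one autostart location (lower-cased path -> locations)."""
    seen: Dict[str, List[str]] = {}
    for e in entries:
        seen.setdefault(e.image.lower(), []).append(e.location)
    return {img: locs for img, locs in seen.items() if len(locs) > 1}


def runonce_entries(entries: List[O4Entry]) -> List[O4Entry]:
    """RunOnce values are deleted by Windows after they run, so any that survive
    into a saved log are either pending or being re-created by something."""
    return [e for e in entries if e.location.endswith("RunOnce")]


def still_present(fix_lines: List[str], new_log: str) -> List[str]:
    """Lines from a 'check and fix' list that still appear in a fresh log
    (compared with whitespace and case normalised)."""
    def norm(s: str) -> str:
        return " ".join(s.split()).lower()
    present = {norm(line) for line in new_log.splitlines()}
    return [line for line in fix_lines if norm(line) in present]


if __name__ == "__main__":
    entries = parse_o4(SAMPLE_LOG)
    for e in entries:
        print(f"{e.location:<18} {e.name:<22} -> {e.image}")
    print("\nRegistered from several locations:")
    for img, locs in images_in_multiple_locations(entries).items():
        print(f"  {img}: {', '.join(locs)}")
    print(f"\nRunOnce entries in log: {len(runonce_entries(entries))}")
```

Feeding a second, post-cleanup log into `still_present` with the O4 lines from the fix list gives the "confirm what was removed" answer the helper asks for without eyeballing a hundred lines; the duplicate-location check is what makes the srvc32.exe / spoolsrv32.exe pair stand out from the vendor entries that appear once.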
Old 04-13-2005, 10:13 PM   #4 (permalink)
Newb Techie
 
Join Date: Apr 2005
Posts: 10
Default Oh No!

Ok, I did some of it until I recognized a huge problem!!

Ok. After I did CleanUp I opened Internet Explorer to see your next thoughts and I realized the top bar thing was missing. I mean the thing with File and such on it. If I scrolled over it the options would come up, but the words disappeared!!! Help me please!!

And if it helps, every once in a while my computer opens a file called Hi. I can't find out what it does.
Opaque is offline  
Old 04-13-2005, 10:18 PM   #5 (permalink)
Newb Techie
 
Join Date: Apr 2005
Posts: 10
Default

Also, it will not let me run my HijackThis logs. CleanUp messed up my comp!
Opaque is offline  
Old 04-13-2005, 10:42 PM   #6 (permalink)
Monster Techie
 
Join Date: Oct 2002
Posts: 1,134
Default

Did you delete ONLY the files I listed?? None of them were system critical files that could cause the issue you're describing.

Cleanup only deletes files in the TEMP directories, and there are no system critical files located in them.

Try downloading and installing TDS-3 http://tds.diamondcs.com.au/ ; update its database and do a FULL system scan. When it's finished, delete any positive trojans found in the bottom window.

Also click Start... Run... and type in sfc /scannow. This will scan for corrupt and/or missing Windows files. You will need your XP CD if any are found.

Did the online virus scan find anything??

The HI message sounds like one of the MSN worms out there. I also want to look deeper. Download the following tools and post the logs...


Download: StartDreck

Unzip to its own folder and start the program:
Press 'Config'
Press 'Mark All'

UN-Check the 'NT-Services & NT-Kernel...' boxes only:
Press 'Ok'

Press 'Save' and select the location to save the log file (default is the same folder as the application)

Post the log in this thread


Download Silent runners.Vbs http://www.silentrunners.org/
1. Make sure you have any script blocking software disabled
2. Run the program. It will take a few minutes to complete.
3. Once complete it will produce a log named “StartupPrograms” with your user and date in the filename. Open that txt file and post its contents in your next post.
MicroBell is offline  
Old 04-14-2005, 09:49 PM   #7 (permalink)
Newb Techie
 
Join Date: Apr 2005
Posts: 10
Default Im good

Because the day after the symptoms I described caused my screen to go black even in safe mode, I rebooted the comp / reinstalled Windows. No more virus now.
Opaque is offline  
Old 05-20-2005, 03:53 AM   #8 (permalink)
Techie Beyond Description
 
Join Date: Jan 2005
Location: Kentucky
Posts: 36,817
Default

Remove entries at your own risk


C:\HP\KBD\KBD.EXE This is an unknown process.

C:\Program Files\WildTangent\Apps\GameChannel.exe This is an unknown process.

C:\Program Files\hp center\137903\Program\BackWeb-137903.exe Based upon HP's own description from here - "With the My HP Center, consumers have access directly from the desktop to Internet sites featuring special offers for HP customers ranging from personal finance and shopping to digital imaging and music" I have classified this as adware. The number may change; if yours is different let me know. This is a nasty process! You should fix it and try to delete it manually!

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE Unknown application.

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe Unknown application.

O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe Unknown application.

O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe Found in the HPSelectFrontend directory on a HP machine. What is its purpose and is it required?


O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe Based upon HP's own description from here - "With the My HP Center, consumers have access directly from the desktop to Internet sites featuring special offers for HP customers ranging from personal finance and shopping to digital imaging and music" I have classified this as adware. The number may change; if yours is different let me know. Must be fixed!

O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe User interface for HP Center. Must be fixed!

O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE Complete utter waste of space! Part of MS Office; searches disk drives for Office file types and creates an index to make opening them easier. Must be fixed!

O4 - HKCU\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe Unknown application.

O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe Unknown application.
Osiris is offline  