Can someone have a look at this log?

Discussion in 'adware, spyware & hijack cleaning' started by agentgraves, May 2, 2004.

Thread Status:
Not open for further replies.
  1. agentgraves

    agentgraves Registered Member

    Joined:
    May 2, 2004
    Posts:
    1
    I'm having problems with popup ads coming from nowhere and
    I think I've been hijacked. Can someone have a look and help me out?

    Logfile of HijackThis v1.97.7
    Scan saved at 6:04:34 PM, on 5/2/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    C:\Program Files\Common files\updater\wupdater.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\soundman.exe
    C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
    C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
    C:\WINDOWS\System32\RunDll32.exe
    C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
    C:\Program Files\Lexmark 3100 Series\lxbrcmon.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Yahoo!\Messenger\ypager.exe
    C:\WINDOWS\System32\wnscpsv.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Documents and Settings\Pablo\Application Data\aasa.exe
    C:\WINDOWS\System32\SPOOL\DRIVERS\W32X86\3\LXBRPSWX.EXE
    C:\WINDOWS\System32\SPOOL\DRIVERS\W32X86\3\LXBRJSWX.EXE
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCMAIN.EXE
    C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE
    C:\WINDOWS\System32\netapi32.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\Pablo\LOCALS~1\Temp\Rar$EX00.322\HijackThis.exe

    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/"); (C:\Documents and Settings\Pablo\Application Data\Mozilla\Profiles\default\0g4fy0uo.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Pablo\Application Data\Mozilla\Profiles\default\0g4fy0uo.slt\prefs.js)
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SoundMan] soundman.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
    O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [<H] c:\WINDOWS\System32\<HEAD>
    O4 - HKLM\..\Run: [<B] c:\WINDOWS\System32\<BODY>
    O4 - HKLM\..\Run: [</H] c:\WINDOWS\System32\</HTML>
    O4 - HKLM\..\Run: [</B] c:\WINDOWS\System32\</BODY>
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
    O4 - HKLM\..\Run: [hdvowcj] "C:\WINDOWS\System32\hdvowcj.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [WNSI] C:\WINDOWS\System32\wnscpsv.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [netapi32] C:\WINDOWS\System32\netapi32.exe
    O4 - Startup: PowerReg SchedulerV2.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Sidesearch (HKLM)
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi agentgraves,

    Before you start, please unzip hijackthis to a separate folder. The program will make backups in the folder in the folder it's in.
    These easily get lost in a Temp folder.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:


    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll

    O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe

    O4 - HKLM\..\Run: [<H] c:\WINDOWS\System32\<HEAD>
    O4 - HKLM\..\Run: [<B] c:\WINDOWS\System32\<BODY>
    O4 - HKLM\..\Run: [</H] c:\WINDOWS\System32\</HTML>
    O4 - HKLM\..\Run: [</B] c:\WINDOWS\System32\</BODY>

    O4 - HKLM\..\Run: [hdvowcj] "C:\WINDOWS\System32\hdvowcj.exe"

    O4 - HKCU\..\Run: [WNSI] C:\WINDOWS\System32\wnscpsv.exe

    O4 - HKCU\..\Run: [netapi32] C:\WINDOWS\System32\netapi32.exe
    O4 - Startup: PowerReg SchedulerV2.exe

    O9 - Extra button: Sidesearch (HKLM)

    Reboot into safe mode and delete:
    C:\Program Files\Common files\updater <= entire folder
    C:\WINDOWS\System32\hdvowcj.exe
    C:\WINDOWS\System32\wnscpsv.exe
    C:\WINDOWS\System32\netapi32.exe

    Then reboot, run HijackThis again and post a new log.

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.