Can someone have a look at this log?

Discussion in 'adware, spyware & hijack cleaning' started by agentgraves, May 2, 2004.

Thread Status:
Not open for further replies.
  1. agentgraves

    agentgraves Registered Member

    Joined:
    May 2, 2004
    Posts:
    1
    I'm having problems with popup ads coming from nowhere and
    I think I've been hijacked. Can someone have a look and help me out?

    Logfile of HijackThis v1.97.7
    Scan saved at 6:04:34 PM, on 5/2/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    C:\Program Files\Common files\updater\wupdater.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\soundman.exe
    C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
    C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
    C:\WINDOWS\System32\RunDll32.exe
    C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
    C:\Program Files\Lexmark 3100 Series\lxbrcmon.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Yahoo!\Messenger\ypager.exe
    C:\WINDOWS\System32\wnscpsv.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Documents and Settings\Pablo\Application Data\aasa.exe
    C:\WINDOWS\System32\SPOOL\DRIVERS\W32X86\3\LXBRPSWX.EXE
    C:\WINDOWS\System32\SPOOL\DRIVERS\W32X86\3\LXBRJSWX.EXE
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCMAIN.EXE
    C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE
    C:\WINDOWS\System32\netapi32.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\Pablo\LOCALS~1\Temp\Rar$EX00.322\HijackThis.exe

    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/"); (C:\Documents and Settings\Pablo\Application Data\Mozilla\Profiles\default\0g4fy0uo.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Pablo\Application Data\Mozilla\Profiles\default\0g4fy0uo.slt\prefs.js)
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SoundMan] soundman.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
    O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [<H] c:\WINDOWS\System32\<HEAD>
    O4 - HKLM\..\Run: [<B] c:\WINDOWS\System32\<BODY>
    O4 - HKLM\..\Run: [</H] c:\WINDOWS\System32\</HTML>
    O4 - HKLM\..\Run: [</B] c:\WINDOWS\System32\</BODY>
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
    O4 - HKLM\..\Run: [hdvowcj] "C:\WINDOWS\System32\hdvowcj.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [WNSI] C:\WINDOWS\System32\wnscpsv.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [netapi32] C:\WINDOWS\System32\netapi32.exe
    O4 - Startup: PowerReg SchedulerV2.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Sidesearch (HKLM)
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,435
    Location:
    Netherlands
    Hi agentgraves,

    Before you start, please unzip HijackThis to a separate folder. The program will make backups in the folder it's in.
    These easily get lost in a Temp folder.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:


    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll

    O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe

    O4 - HKLM\..\Run: [<H] c:\WINDOWS\System32\<HEAD>
    O4 - HKLM\..\Run: [<B] c:\WINDOWS\System32\<BODY>
    O4 - HKLM\..\Run: [</H] c:\WINDOWS\System32\</HTML>
    O4 - HKLM\..\Run: [</B] c:\WINDOWS\System32\</BODY>

    O4 - HKLM\..\Run: [hdvowcj] "C:\WINDOWS\System32\hdvowcj.exe"

    O4 - HKCU\..\Run: [WNSI] C:\WINDOWS\System32\wnscpsv.exe

    O4 - HKCU\..\Run: [netapi32] C:\WINDOWS\System32\netapi32.exe
    O4 - Startup: PowerReg SchedulerV2.exe

    O9 - Extra button: Sidesearch (HKLM)

    Reboot into safe mode and delete:
    C:\Program Files\Common files\updater <= entire folder
    C:\WINDOWS\System32\hdvowcj.exe
    C:\WINDOWS\System32\wnscpsv.exe
    C:\WINDOWS\System32\netapi32.exe

    Then reboot, run HijackThis again and post a new log.

    Regards,

    Pieter
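Pieter reads the log by hand above; the Python below is an added example, not part of the thread and not HijackThis's own code. It parses a constructed sample in the same HijackThis 1.97 log format (a cut-down copy of the log posted here, not the full one), pulls the running-process list and the O2/O4 entries into records, and raises the structural points that make some of the entries above stand out: angle brackets where a path should be (the `<HEAD>`/`<BODY>` run values), an `.exe` named after a core Windows DLL (`netapi32.exe`), and executables sitting under a user profile's Application Data or Temp. It also lists which autorun executables are currently running, which is why the fix above sends the poster into safe mode before deleting them. The `SAMPLE_LOG`, the `CORE_DLL_STEMS` list and the `USER_WRITABLE_MARKERS` are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample in HijackThis 1.97 log format, modelled on the thread's
# log but cut down to a few lines; it is not the poster's full log.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\wnscpsv.exe
C:\Documents and Settings\Pablo\Application Data\aasa.exe

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [<H] c:\WINDOWS\System32\<HEAD>
O4 - HKLM\..\Run: [hdvowcj] "C:\WINDOWS\System32\hdvowcj.exe"
O4 - HKCU\..\Run: [WNSI] C:\WINDOWS\System32\wnscpsv.exe
O4 - HKCU\..\Run: [netapi32] C:\WINDOWS\System32\netapi32.exe
O4 - Startup: PowerReg SchedulerV2.exe
O9 - Extra button: Sidesearch (HKLM)
"""

# "O4 - <location>: [<value name>] <command>"; Startup entries have no [name].
ENTRY_RE = re.compile(r"^(?P<section>[NORF]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<location>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<command>.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
EXT_RE = re.compile(r"^(?P<exe>.*?\.(?:exe|com|scr|cpl|dll|lnk))(?=\s|$)", re.IGNORECASE)

# Heuristic lists, constructed for this example: stems of core Windows DLLs
# (an .exe reusing one is worth a look) and path fragments that mark
# user-writable locations a normal installer would not put an autorun in.
CORE_DLL_STEMS = {"netapi32", "kernel32", "user32", "advapi32", "ntdll", "ws2_32"}
USER_WRITABLE_MARKERS = ("\\application data\\", "\\temp\\", "\\local settings\\")


@dataclass
class Autorun:
    location: str   # e.g. HKLM\..\Run, HKCU\..\Run, Startup
    name: str       # value name shown in [], empty for Startup entries
    command: str    # raw command as HijackThis prints it


@dataclass
class HjtLog:
    processes: List[str] = field(default_factory=list)
    autoruns: List[Autorun] = field(default_factory=list)
    bhos: List[Dict[str, str]] = field(default_factory=list)
    other: List[str] = field(default_factory=list)


def executable_of(command: str) -> str:
    """Strip surrounding quotes and trailing arguments from an O4 command."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXT_RE.match(cmd)
    return m.group("exe") if m else cmd


def parse_log(text: str) -> HjtLog:
    """Split a HijackThis log into processes, O4 autoruns, O2 BHOs and the rest."""
    log = HjtLog()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False   # a blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            log.processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if not m:
            log.other.append(line)
            continue
        section, body = m.group("section"), m.group("body")
        if section == "O4" and O4_RE.match(body):
            o4 = O4_RE.match(body)
            log.autoruns.append(Autorun(o4.group("location"), o4.group("name") or "", o4.group("command")))
        elif section == "O2" and O2_RE.match(body):
            o2 = O2_RE.match(body)
            log.bhos.append({"name": o2.group("name"), "clsid": o2.group("clsid"), "path": o2.group("path")})
        else:
            log.other.append(line)
    return log


def running_autoruns(log: HjtLog) -> List[str]:
    """Value names of autoruns whose executable is in the running-process list.
    Those files are locked while Windows is up, hence the safe-mode reboot."""
    running = {p.lower() for p in log.processes}
    return [a.name for a in log.autoruns if executable_of(a.command).lower() in running]


def review(text: str) -> List[Dict[str, object]]:
    """Structural review points for a human to confirm; not a verdict."""
    log = parse_log(text)
    findings: List[Dict[str, object]] = []
    for a in log.autoruns:
        exe = executable_of(a.command)
        low = exe.lower()
        base = low.rsplit("\\", 1)[-1]
        reasons = []
        if any(ch in a.name + exe for ch in "<>"):
            reasons.append("angle brackets in value: not a valid Windows path, looks like injected HTML")
        if any(mk in low for mk in USER_WRITABLE_MARKERS):
            reasons.append("executable lives in a user-writable profile or temp directory")
        if base.endswith(".exe") and base[:-4] in CORE_DLL_STEMS:
            reasons.append("name mimics a core Windows DLL (" + base[:-4] + ".dll)")
        if reasons:
            findings.append({"kind": "autorun", "entry": a.name, "executable": exe, "reasons": reasons})
    for p in log.processes:
        if any(mk in p.lower() for mk in USER_WRITABLE_MARKERS):
            findings.append({"kind": "process", "entry": p.rsplit("\\", 1)[-1], "executable": p,
                             "reasons": ["running from a user-writable profile or temp directory"]})
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f["kind"], f["entry"], "->", "; ".join(f["reasons"]))
    print("locked until safe mode:", running_autoruns(parse_log(SAMPLE_LOG)))
```

The flags are review points, not verdicts: a legitimate program can run from a profile directory, and a random-named executable sitting in System32 (hdvowcj.exe in the log above) trips none of these checks and still needs a human, or a known-bad list, to call it, which is what the reply above supplies.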
     