Help from a pro?

Discussion in 'malware problems & news' started by Robert Andersson, Feb 5, 2005.

Thread Status:
Not open for further replies.
  1. Robert Andersson

    Robert Andersson Registered Member

    Joined:
    Feb 5, 2005
    Posts:
    1
    Hi all!

    I've been trying to solve all these problems for 4 days. I enclose the HijackThis log from before my action and after. I tried Spybot, good, but it didn't solve all problems.

    So if anyone can tell me:

    - What do i have in here?
    - What shall i do to solve this now?
    - How to protect better in future?

    Thanx in advance!

    /Robert Andersson

    --------------------------------------------------------------------------

    ***Before***

    Logfile of HijackThis v1.99.0
    Scan saved at 09:12:39, on 2005-02-05
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
    C:\WINDOWS\system32\cisvc.exe
    C:\Program\F-Secure Anti-Virus\Anti-Virus\fsgk32st.exe
    C:\Program\F-Secure Anti-Virus\backweb\4476822\Program\fspex.exe
    C:\Program\F-Secure Anti-Virus\backweb\4476822\program\fsbwsys.exe
    C:\Program\F-Secure Anti-Virus\Anti-Virus\FSGK32.EXE
    C:\Program\F-Secure Anti-Virus\Anti-Virus\fssm32.exe
    C:\Program\F-Secure Anti-Virus\Common\FSMA32.EXE
    C:\Program\F-Secure Anti-Virus\Common\FSMB32.EXE
    C:\Program\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program\F-Secure Anti-Virus\Common\FCH32.EXE
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program\F-Secure Anti-Virus\Common\FAMEH32.EXE
    C:\Program\F-Secure Anti-Virus\Anti-Virus\fsav32.exe
    C:\Program\F-Secure Anti-Virus\FWES\Program\fsdfwd.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program\Delade filer\Logitech\QCDriver3\LVCOMS.EXE
    C:\Program\Logitech\ImageStudio\LogiTray.exe
    C:\Program\Delade filer\Real\Update_OB\realsched.exe
    C:\Program\QuickTime\qttask.exe
    C:\Program\Delade filer\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program\D-Tools\daemon.exe
    C:\Program\F-Secure Anti-Virus\Common\FSM32.EXE
    C:\WINDOWS\isrvs\desktop.exe
    C:\Program\Spyware Doctor\swdoctor.exe
    C:\Program\F-Secure Anti-Virus\FSGUI\fsguiexe.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\SYSTEM32\cidaemon.exe
    C:\Program\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program\F-Secure Anti-Virus\Anti-Spyware\Anti-Spyware.exe
    C:\Program\WinRAR\WinRAR.exe
    C:\DOCUME~1\ROBERT~1.KAT\LOKALA~1\Temp\Rar$EX01.938\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login1.telia.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web-res.biz/homepage.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: BHO Class - {575A5AE9-B68E-4BEB-BACB-FE430448C654} - C:\WINDOWS\system32\WinSuck.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\Program\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\Program\SPYWAR~1\tools\iesdpb.dll
    O2 - BHO: (no name) - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\system32\wnim.dll
    O2 - BHO: (no name) - {E1732A5F-EB56-3C72-B2B2-173489E5DCB4} - C:\WINDOWS\crue.dll (file missing)
    O2 - BHO: BHO Class - {F6053709-5723-454E-AB9D-7FC7E681AFA5} - C:\WINDOWS\system32\WinTitle.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [LVCOMS] C:\Program\Delade filer\Logitech\QCDriver3\LVCOMS.EXE
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program\Logitech\ImageStudio\LogiTray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\Program\NORTON~2\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program\Delade filer\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program\F-Secure Anti-Virus\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program\F-Secure Anti-Virus\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program\F-Secure Anti-Virus\FSGUI\FSSW.EXE" /reboot
    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe wnim.dll, DllRegisterServer
    O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\Program\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Program\ladbrokesMPP\MPPoker.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
    O12 - Plugin for .pdf: C:\Program\Internet Explorer\PLUGINS\nppdf32.dll
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: (HKLM)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
    O16 - DPF: {2C4502A6-3240-11D4-AC49-00A024F149C0} (IAO5.Toolbar) - http://idefix.choicehotels.no/intranet/applications/APPLAUNCHER/iao5.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\system32\wnim.dll
    O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\system32\wnim.dll
    O23 - Service: F-Secure Anti-Virus 2005 - Unknown - C:\Program\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
    O23 - Service: F-Secure Gatekeeper Handler Starter - Unknown - C:\Program\F-Secure Anti-Virus\Anti-Virus\fsgk32st.exe
    O23 - Service: fsbwsys - Unknown - C:\Program\F-Secure Anti-Virus\backweb\4476822\program\fsbwsys.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon - F-Secure Corporation - C:\Program\F-Secure Anti-Virus\FWES\Program\fsdfwd.exe
    O23 - Service: FSMA - F-Secure Corporation - C:\Program\F-Secure Anti-Virus\Common\FSMA32.EXE
    O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program\Norton AntiVirus\AdvTools\NPROTECT.EXE

    -------------------------------------------------------------------

    **After**

    Logfile of HijackThis v1.99.0
    Scan saved at 19:35:23, on 2005-02-05
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program\Delade filer\Logitech\QCDriver3\LVCOMS.EXE
    C:\Program\Logitech\ImageStudio\LogiTray.exe
    C:\Program\Delade filer\Real\Update_OB\realsched.exe
    C:\Program\QuickTime\qttask.exe
    C:\Program\Delade filer\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program\D-Tools\daemon.exe
    C:\Program\PestPatrol\PPControl.exe
    C:\Program\PestPatrol\PPMemCheck.exe
    C:\Program\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
    C:\WINDOWS\system32\cisvc.exe
    C:\Program\PestPatrol\CookiePatrol.exe
    C:\Program\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program\F-Secure Anti-Virus\Anti-Virus\fsgk32st.exe
    C:\Program\Spyware Doctor\swdoctor.exe
    C:\Program\F-Secure Anti-Virus\Anti-Virus\FSGK32.EXE
    C:\Program\F-Secure Anti-Virus\backweb\4476822\Program\fspex.exe
    C:\Program\F-Secure Anti-Virus\backweb\4476822\program\fsbwsys.exe
    C:\Program\F-Secure Anti-Virus\Common\FSMA32.EXE
    C:\Program\F-Secure Anti-Virus\Anti-Virus\fssm32.exe
    C:\Program\F-Secure Anti-Virus\Common\FSMB32.EXE
    C:\Program\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\Program\F-Secure Anti-Virus\Common\FCH32.EXE
    C:\Program\F-Secure Anti-Virus\Common\FAMEH32.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program\F-Secure Anti-Virus\Anti-Virus\fsav32.exe
    C:\Program\F-Secure Anti-Virus\FWES\Program\fsdfwd.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program\F-Secure Anti-Virus\FSGUI\fsguiexe.exe
    C:\WINDOWS\SYSTEM32\cidaemon.exe
    C:\Program\PestPatrol\PestPatrol.exe
    C:\Program\WinRAR\WinRAR.exe
    C:\DOCUME~1\ROBERT~1.KAT\LOKALA~1\Temp\Rar$EX01.516\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login1.telia.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web-res.biz/homepage.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: BHO Class - {575A5AE9-B68E-4BEB-BACB-FE430448C654} - C:\WINDOWS\system32\WinSuck.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\Program\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\Program\SPYWAR~1\tools\iesdpb.dll
    O2 - BHO: (no name) - {E1732A5F-EB56-3C72-B2B2-173489E5DCB4} - C:\WINDOWS\crue.dll (file missing)
    O2 - BHO: BHO Class - {F6053709-5723-454E-AB9D-7FC7E681AFA5} - C:\WINDOWS\system32\WinTitle.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [LVCOMS] C:\Program\Delade filer\Logitech\QCDriver3\LVCOMS.EXE
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program\Logitech\ImageStudio\LogiTray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\Program\NORTON~2\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program\Delade filer\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program\F-Secure Anti-Virus\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program\F-Secure Anti-Virus\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program\F-Secure Anti-Virus\FSGUI\FSSW.EXE" /reboot
    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program\PestPatrol\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\Program\PestPatrol\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\Program\PestPatrol\CookiePatrol.exe
    O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program\Spyware Doctor\swdoctor.exe" /Q
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\Program\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Program\ladbrokesMPP\MPPoker.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
    O12 - Plugin for .pdf: C:\Program\Internet Explorer\PLUGINS\nppdf32.dll
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: (HKLM)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
    O16 - DPF: {2C4502A6-3240-11D4-AC49-00A024F149C0} (IAO5.Toolbar) - http://idefix.choicehotels.no/intranet/applications/APPLAUNCHER/iao5.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecret.com/inst/PPInstaller.exe
    O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)
    O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)
    O23 - Service: F-Secure Anti-Virus 2005 - Unknown - C:\Program\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
    O23 - Service: F-Secure Gatekeeper Handler Starter - Unknown - C:\Program\F-Secure Anti-Virus\Anti-Virus\fsgk32st.exe
    O23 - Service: fsbwsys - Unknown - C:\Program\F-Secure Anti-Virus\backweb\4476822\program\fsbwsys.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon - F-Secure Corporation - C:\Program\F-Secure Anti-Virus\FWES\Program\fsdfwd.exe
    O23 - Service: FSMA - F-Secure Corporation - C:\Program\F-Secure Anti-Virus\Common\FSMA32.EXE
    O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program\Norton AntiVirus\AdvTools\NPROTECT.EXE
     
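One way to compare the two logs above in a structured way, as an added example that is not part of the original post: it parses HijackThis item lines (section code, dash, body), reports which entries disappeared or appeared between the before and after scans, and separately lists entries in sections that commonly survive a cleanup (trusted zones, MIME filters, start page) because they are still present in both. The sample lines are a constructed excerpt of the logs in the post.

```python
import re

# Constructed excerpt of the "Before" and "After" logs posted above (not full logs).
BEFORE = r"""
O2 - BHO: (no name) - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\system32\wnim.dll
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe wnim.dll, DllRegisterServer
O15 - Trusted Zone: *.awmdabest.com
O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\system32\wnim.dll
"""
AFTER = r"""
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program\PestPatrol\PPControl.exe
O15 - Trusted Zone: *.awmdabest.com
O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecret.com/inst/PPInstaller.exe
O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)
"""

# A HijackThis item line is "<section> - <body>", e.g. "O18 - Filter: text/html - ...".
LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")

def parse(log):
    """Return {section: set(body)} for every item line; headers and process paths are ignored."""
    items = {}
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            items.setdefault(m["section"], set()).add(m["body"])
    return items

def diff(before, after):
    """Entries removed and added between two logs, grouped by section."""
    b, a = parse(before), parse(after)
    out = {}
    for sec in sorted(set(b) | set(a)):
        removed = sorted(b.get(sec, set()) - a.get(sec, set()))
        added = sorted(a.get(sec, set()) - b.get(sec, set()))
        if removed or added:
            out[sec] = {"removed": removed, "added": added}
    return out

# Sections whose entries often persist after a cleanup and deserve a second look.
PERSISTENT = ("R0", "R1", "O15", "O18")

def leftovers(before, after):
    """Entries in PERSISTENT sections that are present in both logs."""
    b, a = parse(before), parse(after)
    common = {s: sorted(b.get(s, set()) & a.get(s, set())) for s in PERSISTENT}
    return {s: v for s, v in common.items() if v}

if __name__ == "__main__":
    for sec, change in diff(BEFORE, AFTER).items():
        print(sec, "removed:", change["removed"], "added:", change["added"])
    print("still present:", leftovers(BEFORE, AFTER))
```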
  2. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    I'm afraid we have discontinued the HijackThis log analysis service here at Wilders. See the following announcement regarding this change:

    https://www.wilderssecurity.com/showthread.php?t=42148

    Within that post is an image linking over to a site that lists a number of other security forums, some of which still provide that service. If you want your log reviewed, you'll need to pick a site, read their spyware scanning and cleaning (HijackThis posting) guidelines, follow all their required steps carefully, and then post as directed.

    Two of the bigger forums for HijackThis log processing (meaning they process more log threads each day than many others) are SpywareInfo.com and CastleCops.com.
     