log analysis

Discussion in 'adware, spyware & hijack cleaning' started by jils, Feb 22, 2004.

Thread Status:
Not open for further replies.
  1. jils

    jils Registered Member

    Joined:
    Feb 22, 2004
    Posts:
    4
    This log is from a Win2k machine. Not mine, I'm trying to help a friend. We haven't run Ad-Aware or Spybot; I was helping over the phone and the friend has dial-up, so everything's pretty slow. Her computer has slowed dramatically, and she has no virus software (that's being rectified right now). I want to see if anything can be picked up in this log in the meantime. Thanks for any help. Now that I've posted the log I can see that 'teekids.exe' is there; I'm pretty sure that's a worm... grrr

    Logfile of HijackThis v1.97.7
    Scan saved at 5:14:38 PM, on 22-Feb-04
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\msnmsgr.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\teekids.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Documents and Settings\Strooth1\Local Settings\Temporary Internet Files\Content.IE5\0UPPW42C\HijackThis (1).exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com.au/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Windows Messenger] msnmsgr.exe
    O4 - HKLM\..\RunServices: [Windows Messenger] msnmsgr.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37995.0946527778
     
  2. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
  3. jils

    jils Registered Member

    Joined:
    Feb 22, 2004
    Posts:
    4
    Thanks Dan... the grass doesn't grow under your feet, does it!!
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    I think this looks awkward:
    C:\WINNT\system32\msnmsgr.exe

    O4 - HKLM\..\Run: [Windows Messenger] msnmsgr.exe
    O4 - HKLM\..\RunServices: [Windows Messenger] msnmsgr.exe

    In the wrong directory, starting as a service as well. :doubt:
    Could you send that file to the address in my profile please?

    Regards,

    Pieter
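Pieter's two tells, a familiar executable running from a directory it does not belong in, and the same program registered under both Run and RunServices, can be checked mechanically against the posted log. The following Python is an added example written for this page, not HijackThis code or anything supplied in the thread; the table of expected directories (including MSN Messenger's home under Program Files) and the system-directory list are assumptions of the example, and the sample log is abridged from the log posted above.

```python
"""Triage helper for the 'Running processes' and O4 lines of a HijackThis
1.97 log.  Written for this thread as an illustration; not HijackThis code."""
import re
from typing import Dict, List, Set, Tuple

# Reference data (an assumption of this example): where these programs
# normally live on a Windows 2000 box.  msnmsgr.exe is MSN Messenger,
# which installs under Program Files, never into system32.
EXPECTED_DIRS: Dict[str, str] = {
    "smss.exe": r"c:\winnt\system32",
    "winlogon.exe": r"c:\winnt\system32",
    "services.exe": r"c:\winnt\system32",
    "lsass.exe": r"c:\winnt\system32",
    "svchost.exe": r"c:\winnt\system32",
    "spoolsv.exe": r"c:\winnt\system32",
    "mstask.exe": r"c:\winnt\system32",
    "winmgmt.exe": r"c:\winnt\system32\wbem",
    "explorer.exe": r"c:\winnt",
    "msimn.exe": r"c:\program files\outlook express",
    "msnmsgr.exe": r"c:\program files\msn messenger",
}
# Anything not in the table but running out of these directories gets flagged.
SYSTEM_DIRS: Set[str] = {r"c:\winnt", r"c:\winnt\system32"}

PROCESS_RE = re.compile(r"^([a-z]:\\.*\\)([^\\]+\.exe)$", re.I)
O4_RE = re.compile(r"^O4 - HKLM\\\.\.\\(Run|RunServices): \[[^\]]*\] (\S+)", re.I)


def parse(lines: List[str]) -> Tuple[List[Tuple[str, str]], Dict[str, Set[str]]]:
    """Return (process list as (dir, exe), O4 map exe -> {'run', 'runservices'})."""
    processes: List[Tuple[str, str]] = []
    autostarts: Dict[str, Set[str]] = {}
    in_procs = False
    for raw in lines:
        line = raw.strip()
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            m = PROCESS_RE.match(line)
            if m:
                processes.append((m.group(1).rstrip("\\").lower(), m.group(2).lower()))
                continue
            in_procs = False  # a blank line (or the first R0/R1 entry) ends the block
        m = O4_RE.match(line)
        if m:
            key, command = m.groups()
            exe = command.split("\\")[-1].lower()  # drop any path, keep the file name
            autostarts.setdefault(exe, set()).add(key.lower())
    return processes, autostarts


def triage(lines: List[str]) -> List[str]:
    """Return one finding per suspicious process or autostart entry."""
    processes, autostarts = parse(lines)
    findings: List[str] = []
    for directory, exe in processes:
        expected = EXPECTED_DIRS.get(exe)
        if expected is not None and directory != expected:
            findings.append(f"{exe}: running from {directory}, expected {expected}")
        elif expected is None and directory in SYSTEM_DIRS:
            findings.append(f"{exe}: unrecognised binary in {directory}")
        elif expected is None and "temporary internet files" in directory:
            findings.append(f"{exe}: executed straight out of the browser cache")
    for exe, keys in autostarts.items():
        if {"run", "runservices"} <= keys:
            findings.append(f"{exe}: registered under both Run and RunServices")
    return findings


# Abridged from the log posted in this thread.
SAMPLE_LOG = """Running processes:
C:\\WINNT\\System32\\smss.exe
C:\\WINNT\\system32\\svchost.exe
C:\\WINNT\\system32\\msnmsgr.exe
C:\\WINNT\\System32\\WBEM\\WinMgmt.exe
C:\\WINNT\\Explorer.EXE
C:\\WINNT\\system32\\teekids.exe
C:\\Program Files\\Outlook Express\\msimn.exe
C:\\Documents and Settings\\Strooth1\\Local Settings\\Temporary Internet Files\\Content.IE5\\0UPPW42C\\HijackThis (1).exe

O4 - HKLM\\..\\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\\..\\Run: [Windows Messenger] msnmsgr.exe
O4 - HKLM\\..\\RunServices: [Windows Messenger] msnmsgr.exe
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG.splitlines()):
        print(finding)
```

Run against the abridged log it reports msnmsgr.exe in the wrong directory and under both autostart keys, teekids.exe as an unknown binary in system32, and HijackThis itself running from the IE cache; svchost.exe, WinMgmt.exe and the rest stay quiet because their paths match the table. The table is the weak point of any check like this: a process that is not listed and runs outside the system directories is simply not assessed, so treat an empty result as "nothing obvious", not "clean".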
     
  5. jils

    jils Registered Member

    Joined:
    Feb 22, 2004
    Posts:
    4
    You mean the msnmsgr.exe file, Pieter?

    It's a bit difficult... the friend I'm helping is hundreds of miles away and not computer-savvy. What do you think might be the problem with the file?

    She's cleaned up the virus infections, is now having a problem with disconnecting from the net, and gets this message:

    svchost.exe has generated errors and will be closed by windows
    You will need to restart the program.
    An error log is being created, OK

    Any ideas on this one?
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Never seen it before, but I think that would be a virus or trojan. Or one of the more aggressive spyware/hijackers.

    If he is not computer-savvy as you said, I can't imagine he moved the messenger file himself.

    Have him fix the two O4 entries and reboot into Safe Mode. Once in Safe Mode, rename msnmsgr.exe to msnmsgr.bak.
    Then attach a copy of that file to a mail to my address.

    Regards,

    Pieter
     