PDA

View Full Version : hijack this logfile help

Lathum
09-25-2006, 01:38 PM
can anyone make sense of this and make some recomendations.


Logfile of HijackThis v1.99.1
Scan saved at 2:31:05 PM, on 9/25/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\msjava.exe
C:\WINDOWS\Explorer.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe msjava.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,msjava.exe
O2 - BHO: Zelda - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\System32\pfumc37.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ViewMgr] "C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Alogserv] "C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe"
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1139782678\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [IPHSend] "C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe"
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_18.exe
O4 - HKLM\..\Run: [sys02059432375] C:\WINDOWS\sys02059432375.exe
O4 - HKLM\..\Run: [ovqwnmwA] C:\WINDOWS\ovqwnmwA.exe
O4 - HKLM\..\Run: [jjt4f72b] "RUNDLL32.EXE" w0c33709.dll,n 0044f727000000030c33709
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\nwinnpex.exe GEN001
O4 - HKLM\..\Run: [loaddr] C:\qlobvy.exe
O4 - HKLM\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Antivirus\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Antivirus\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" /run
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\wpkmmd.exe
O4 - HKLM\..\Run: [Upnp] c:\qdgkp.exe
O4 - HKLM\..\Run: [vepwvc] C:\WINDOWS\System32\wnlgve.exe reg_run
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [MSN Messanger] msnmsgsm.exe
O4 - HKLM\..\RunServices: [Ms Java for Windows NT] msjava.exe
O4 - HKLM\..\RunServices: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKLM\..\RunServices: [MSN Messanger] msnmsgsm.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunServices: [Ms Java for Windows NT] msjava.exe
O4 - Global Startup: D-Link AirPlus.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - [url]http://www.comcast.net/[/url] (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - [url]http://www.comcastsupport.com/[/url] (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - [url]http://online.comcast.net/help/[/url] (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [url]http://go.microsoft.com/fwlink/?linkid=39204[/url]
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - [url]http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab[/url]
O20 - Winlogon Notify: Zelda - C:\WINDOWS\System32\pfumc37.dll
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Mouse Cursor Monitor (mousecrm) - Unknown owner - C:\WINDOWS\System32\mousecrm.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Pumpy Tudors
09-25-2006, 01:40 PM
Just to note, I'm at work for the next 3 hours, but I'd be happy to look it over when I get home. I'm not an expert on this sort of thing, but maybe I can be of some help. I'll try to look at it before 7pm ET tonight.

Edit to add: You may want to try posting that log in the Malware Removal forum at forums.spywareinfo.com. The folks over there are very helpful, although it could take them 3 or 4 days to respond. If you're going to post the log over there, I recommend unzipping HijackThis into its own directory and then re-running the scan. The helpers over there will not look at your log until you do that.
Lathum
09-25-2006, 01:42 PM
thanks pumpy. I drove through greensburg yesterday.
Pumpy Tudors
09-25-2006, 01:43 PM
I drove through greensburg yesterday.
I'm sorry.
cartman
09-25-2006, 03:48 PM
can anyone make sense of this and make some recomendations.


Logfile of HijackThis v1.99.1
Scan saved at 2:31:05 PM, on 9/25/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\msjava.exe
C:\WINDOWS\Explorer.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe msjava.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,msjava.exe
O2 - BHO: Zelda - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\System32\pfumc37.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ViewMgr] "C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Alogserv] "C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe"
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1139782678\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [IPHSend] "C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe"
[B]O4 - HKLM\..\Run: [defender] C:\\dfndrff_e.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_18.exe[/B]
O4 - HKLM\..\Run: [sys02059432375] C:\WINDOWS\sys02059432375.exe
O4 - HKLM\..\Run: [ovqwnmwA] C:\WINDOWS\ovqwnmwA.exe
O4 - HKLM\..\Run: [jjt4f72b] "RUNDLL32.EXE" w0c33709.dll,n 0044f727000000030c33709
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\nwinnpex.exe GEN001
[B]O4 - HKLM\..\Run: [loaddr] C:\qlobvy.exe[/B]
O4 - HKLM\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Antivirus\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Antivirus\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" /run
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\wpkmmd.exe
[B]O4 - HKLM\..\Run: [Upnp] c:\qdgkp.exe[/B]
O4 - HKLM\..\Run: [vepwvc] C:\WINDOWS\System32\wnlgve.exe reg_run
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [MSN Messanger] msnmsgsm.exe
O4 - HKLM\..\RunServices: [Ms Java for Windows NT] msjava.exe
O4 - HKLM\..\RunServices: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKLM\..\RunServices: [MSN Messanger] msnmsgsm.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunServices: [Ms Java for Windows NT] msjava.exe
O4 - Global Startup: D-Link AirPlus.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - [url]http://www.comcast.net/[/url] (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - [url]http://www.comcastsupport.com/[/url] (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - [url]http://online.comcast.net/help/[/url] (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [url]http://go.microsoft.com/fwlink/?linkid=39204[/url]
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - [url]http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab[/url]
O20 - Winlogon Notify: Zelda - C:\WINDOWS\System32\pfumc37.dll
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Mouse Cursor Monitor (mousecrm) - Unknown owner - C:\WINDOWS\System32\mousecrm.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


The things I highlighted in bold are definitely tied to viruses/malware. If you Google just the file name (ie. qdgkp.exe) you can get more info on what they are and how to remove them.
saldana
09-25-2006, 11:20 PM
dude, just reformat the computer and reinstall windows at this point.
Pumpy Tudors
09-26-2006, 02:28 PM
Sorry, I completely forgot about this. I'll try to remember to look at this tonight.
Pumpy Tudors
09-26-2006, 09:24 PM
I'm looking this over right now.
Pumpy Tudors
09-26-2006, 09:37 PM
Agh. I'm afraid this is going to take me longer than I have tonight. Sorry. I do highly recommend posting a fresh log at forums.spywareinfo.com, though, because they could give you much more thorough help than I could anyway. cartman is right on with his assessment, though. You do need to get those items removed (the ones he bolded).
Lathum
09-26-2006, 09:38 PM
thanks pumpy. don't go to alot of trouble, i am getting it worked out.