Full Version: Log file for review
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
Houptee
Thanks for your help!!!!

Logfile of HijackThis v1.99.0
Scan saved at 8:37:00 PM, on 2/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\mssetup.exe
C:\WINDOWS\System32\dllman.exe
C:\WINDOWS\system32\mobsync.exe
C:\WINDOWS\System32\dnsserv.exe
C:\mcvsftsn.exe
C:\PROGRA~1\WIC465~1\WinStat.exe
C:\PROGRA~1\MICROS~3\gcasServ.exe
C:\PROGRA~1\MESSEN~1\msmsgs.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
C:\PROGRA~1\PayPal\PAYMEN~1\OUTLOO~1\OEHook.exe
C:\PROGRA~1\WIC465~1\WinStatKeep.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
c:\progra~1\180sol~1\sais.exe
C:\WINDOWS\System32\cidaemon.exe
C:\PROGRA~1\MICROS~3\GIANTA~1.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\YServer.exe
C:\DOCUME~1\willie\MYDOCU~1\MYPICT~1\HIJACK~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.ht...count_id=155214
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.ht...count_id=155214
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\PROGRA~1\ISTbar\istbar.dll
O4 - HKLM\..\Run: [Msi Setup] mssetup.exe
O4 - HKLM\..\Run: [Win32 USB2.0 Driver] 386.exe
O4 - HKLM\..\Run: [window2] homo.exe
O4 - HKLM\..\Run: [fij] C:\WINDOWS\fij.exe
O4 - HKLM\..\Run: [Microsoft Services] C:\WINDOWS\System32\bsc32.exe
O4 - HKLM\..\Run: [Spool Sc] spoolsc
O4 - HKLM\..\Run: [iJsoVOkUO] C:\WINDOWS\wrogcrhq.exe
O4 - HKLM\..\Run: [Windows Online Updater] dllman.exe
O4 - HKLM\..\Run: [Device] C:\sop.exe
O4 - HKLM\..\Run: [sais] c:\progra~1\180sol~1\sais.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [idQ88YA] C:\WINDOWS\uluxdys.exe
O4 - HKLM\..\Run: [x7mj37W] phqksie.exe
O4 - HKLM\..\Run: [NAV Auto Protect] dnsserv.exe
O4 - HKLM\..\Run: [update] adaware.exe
O4 - HKLM\..\Run: [Task Manager Settings] TASKMA~1.EXE
O4 - HKLM\..\Run: [Defragmenter] "C:\mcvsftsn.exe"
O4 - HKLM\..\Run: [Windows AdStatus] C:\PROGRA~1\WIC465~1\WinStat.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [rozszsn] C:\WINDOWS\rozszsn.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\RunServices: [Msi Setup] mssetup.exe
O4 - HKLM\..\RunServices: [update service] winu32.exe
O4 - HKLM\..\RunServices: [Win32 USB2.0 Driver] 386.exe
O4 - HKLM\..\RunServices: [window2] homo.exe
O4 - HKLM\..\RunServices: [starter] scvhosting.exe
O4 - HKLM\..\RunServices: [msdev] msdev.exe
O4 - HKLM\..\RunServices: [Auto updat] crsrs.exe
O4 - HKLM\..\RunServices: [Microsoft Services] C:\WINDOWS\System32\bsc32.exe
O4 - HKLM\..\RunServices: [Spool Sc] spoolsc
O4 - HKLM\..\RunServices: [Windows Online Updater] dllman.exe
O4 - HKLM\..\RunServices: [NAV Auto Protect] dnsserv.exe
O4 - HKLM\..\RunServices: [update] adaware.exe
O4 - HKLM\..\RunServices: [Task Manager Settings] TASKMA~1.EXE
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Msi Setup] mssetup.exe
O4 - HKCU\..\Run: [Win32 USB2.0 Driver] 386.exe
O4 - HKCU\..\Run: [window2] homo.exe
O4 - HKCU\..\Run: [starter] scvhosting.exe
O4 - HKCU\..\Run: [Auto updat] crsrs.exe
O4 - HKCU\..\Run: [msdev] msdev.exe
O4 - HKCU\..\Run: [Notepad] notepad.exe
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\PROGRA~1\3BSOFT~1\WINDOW~1\REGIST~1.EXE 4
O4 - HKCU\..\Run: [NAV Auto Protect] dnsserv.exe
O4 - HKCU\..\Run: [Task Manager Settings] TASKMA~1.EXE
O4 - HKCU\..\RunServices: [Msi Setup] mssetup.exe
O4 - Global Startup: PayPal Plug-In for Outlook Express.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-17.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1094604115862
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O21 - SSODL: mtkle - {D0C9C9AD-B61B-4346-4DBA-CE667D8C9080} - C:\WINDOWS\System32\mgix32.dll
O21 - SSODL: mtklef - {1E32E460-BD3B-4480-8291-3F44658513C2} - C:\WINDOWS\System32\qnyijz32.dll
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: starter - Unknown - C:\WINDOWS\System32\C:\WINDOWS\System32\C:\WINDOWS\System32\scvhosting.exe (file missing)
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: xadz - Unknown - C:\WINDOWS\cqhikb.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
LoPhatPhuud
Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. Please do not put HiJackThis in a temporary folder, or on the Desktop. I suggest using 'c:\program files\hijackthis\' or C:\HiJackThis\, but any name you choose is fine.

Reboot in Safe Mode* and run HiJackThis. <-- IMPORTANT

Check the following items in HijackThis.
(note: If any R* items do not appear in Safe Mode, re-run HiJackThis in Normal Mode and remove them after you finish removing these items.)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.ht...count_id=155214
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.ht...count_id=155214
R3 - Default URLSearchHook is missing

O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\PROGRA~1\ISTbar\istbar.dll

O4 - HKLM\..\Run: [Msi Setup] mssetup.exe
O4 - HKLM\..\Run: [Win32 USB2.0 Driver] 386.exe
O4 - HKLM\..\Run: [window2] homo.exe
O4 - HKLM\..\Run: [fij] C:\WINDOWS\fij.exe
O4 - HKLM\..\Run: [Microsoft Services] C:\WINDOWS\System32\bsc32.exe
O4 - HKLM\..\Run: [Spool Sc] spoolsc
O4 - HKLM\..\Run: [iJsoVOkUO] C:\WINDOWS\wrogcrhq.exe
O4 - HKLM\..\Run: [Windows Online Updater] dllman.exe
O4 - HKLM\..\Run: [Device] C:\sop.exe
O4 - HKLM\..\Run: [sais] c:\progra~1\180sol~1\sais.exe
O4 - HKLM\..\Run: [idQ88YA] C:\WINDOWS\uluxdys.exe
O4 - HKLM\..\Run: [x7mj37W] phqksie.exe
O4 - HKLM\..\Run: [NAV Auto Protect] dnsserv.exe
O4 - HKLM\..\Run: [update] adaware.exe
O4 - HKLM\..\Run: [Task Manager Settings] TASKMA~1.EXE
O4 - HKLM\..\Run: [Defragmenter] "C:\mcvsftsn.exe"
O4 - HKLM\..\Run: [Windows AdStatus] C:\PROGRA~1\WIC465~1\WinStat.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [rozszsn] C:\WINDOWS\rozszsn.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\RunServices: [Msi Setup] mssetup.exe
O4 - HKLM\..\RunServices: [update service] winu32.exe
O4 - HKLM\..\RunServices: [Win32 USB2.0 Driver] 386.exe
O4 - HKLM\..\RunServices: [window2] homo.exe
O4 - HKLM\..\RunServices: [starter] scvhosting.exe
O4 - HKLM\..\RunServices: [msdev] msdev.exe
O4 - HKLM\..\RunServices: [Auto updat] crsrs.exe
O4 - HKLM\..\RunServices: [Microsoft Services] C:\WINDOWS\System32\bsc32.exe
O4 - HKLM\..\RunServices: [Spool Sc] spoolsc
O4 - HKLM\..\RunServices: [Windows Online Updater] dllman.exe
O4 - HKLM\..\RunServices: [NAV Auto Protect] dnsserv.exe
O4 - HKLM\..\RunServices: [update] adaware.exe
O4 - HKLM\..\RunServices: [Task Manager Settings] TASKMA~1.EXE
O4 - HKCU\..\Run: [Msi Setup] mssetup.exe
O4 - HKCU\..\Run: [Win32 USB2.0 Driver] 386.exe
O4 - HKCU\..\Run: [window2] homo.exe
O4 - HKCU\..\Run: [starter] scvhosting.exe
O4 - HKCU\..\Run: [Auto updat] crsrs.exe
O4 - HKCU\..\Run: [msdev] msdev.exe
O4 - HKCU\..\Run: [Notepad] notepad.exe
O4 - HKCU\..\Run: [NAV Auto Protect] dnsserv.exe
O4 - HKCU\..\Run: [Task Manager Settings] TASKMA~1.EXE
O4 - HKCU\..\RunServices: [Msi Setup] mssetup.exe

O21 - SSODL: mtkle - {D0C9C9AD-B61B-4346-4DBA-CE667D8C9080} - C:\WINDOWS\System32\mgix32.dll
O21 - SSODL: mtklef - {1E32E460-BD3B-4480-8291-3F44658513C2} - C:\WINDOWS\System32\qnyijz32.dll

O23 - Service: starter - Unknown - C:\WINDOWS\System32\C:\WINDOWS\System32\C:\WINDOWS\System32\scvhosting.exe (file missing)
O23 - Service: xadz - Unknown - C:\WINDOWS\cqhikb.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)


Close all windows except HijackThis and click Fix checked.

While still in Safe Mode*, delete the following: (you may need to show hidden files**)
(File specified without a full path will be located in C:\Windows\ or C:\Windows\System32\)
mssetup.exe
386.exe
homo.exe
C:\WINDOWS\fij.exe
C:\WINDOWS\System32\bsc32.exe
spoolsc
C:\WINDOWS\wrogcrhq.exe
dllman.exe
C:\sop.exe
c:\program files\180solutions\ <-- delete entire folder
C:\WINDOWS\uluxdys.exe
phqksie.exe
C:\mcvsftsn.exe
C:\PROGRA~1\WIC465~1\ <-- delete entire folder
C:\Program Files\Internet Optimizer\ <-- delete entire folder
C:\WINDOWS\rozszsn.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
winu32.exe
msdev.exe
crsrs.exe
C:\WINDOWS\System32\mgix32.dll
C:\WINDOWS\System32\qnyijz32.dll
C:\WINDOWS\System32\scvhosting.exe
C:\WINDOWS\cqhikb.exe
C:\WINDOWS\zeta.exe

*How to Boot into Safe mode: http://service1.symantec.com/SUPPORT/tsgen...001052409420406
**Show Hidden and System files and folders: http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.

Reboot in normal mode.

HiJackThis version 1.99.0 is now available.
If you do not already have it installed, download it from here:
http://www.computercops.biz/downloads-file-328.html
http://tomcoyote.org/hjt/

Run HiJackThis again and post a new log in this thread.
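As an added example (not part of the thread, and not code from HijackThis or either poster), here is a small Python parser for the O4, O21 and O23 line shapes that appear in both posts above. It flags the patterns the helper's reply acts on from a defender's side: autorun commands given as a bare filename (which, as the reply notes, resolve from C:\Windows or C:\Windows\System32), the same executable registered under several Run/RunServices keys at once, services whose binary HijackThis reports as "(file missing)", and ShellServiceObjectDelayLoad (O21) DLLs. The sample log is constructed from the line formats in the thread; the regular expressions and the `analyze` report layout are my own assumptions, not HijackThis's.

```python
"""Triage helper for HijackThis-style log lines (added example, not HijackThis code)."""
import re
from collections import defaultdict

# Constructed sample in the HijackThis v1.99 line format; not a real scan.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Msi Setup] mssetup.exe
O4 - HKLM\..\RunServices: [Msi Setup] mssetup.exe
O4 - HKCU\..\Run: [Msi Setup] mssetup.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Notepad] notepad.exe
O23 - Service: starter - Unknown - C:\WINDOWS\System32\scvhosting.exe (file missing)
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O21 - SSODL: mtkle - {D0C9C9AD-B61B-4346-4DBA-CE667D8C9080} - C:\WINDOWS\System32\mgix32.dll
"""

# Line formats (assumed from the examples in the thread).
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")
O21_RE = re.compile(r"^O21 - SSODL: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")


def executable_of(command):
    """Return the program part of an autorun command, dropping quotes and arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def has_directory(exe):
    """True when the command names a directory (an env-var prefix counts, e.g. %SystemRoot%)."""
    return "\\" in exe or "/" in exe


def parse_log(text):
    """Turn recognised log lines into dicts; unrecognised lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.rstrip()
        m = O4_RE.match(line)
        if m:
            hive, key, name, cmd = m.groups()
            exe = executable_of(cmd)
            entries.append({"kind": "O4", "location": f"{hive}\\..\\{key}", "name": name,
                            "exe": exe, "pathed": has_directory(exe)})
            continue
        m = O23_RE.match(line)
        if m:
            svc, vendor, path = m.groups()
            missing = path.endswith("(file missing)")
            entries.append({"kind": "O23", "name": svc, "vendor": vendor,
                            "exe": path.replace("(file missing)", "").strip(), "missing": missing})
            continue
        m = O21_RE.match(line)
        if m:
            name, clsid, dll = m.groups()
            entries.append({"kind": "O21", "name": name, "clsid": clsid, "exe": dll})
    return entries


def analyze(text):
    """Summarise the signals a reviewer looks for before deciding what to fix."""
    entries = parse_log(text)
    locations_by_exe = defaultdict(set)
    bare = set()
    for e in entries:
        if e["kind"] == "O4":
            locations_by_exe[e["exe"].lower()].add(e["location"])
            if not e["pathed"]:
                bare.add(e["exe"])  # resolved from C:\Windows or System32, per the reply
    return {
        "bare_names": sorted(bare),
        "multi_key": {exe: sorted(locs) for exe, locs in locations_by_exe.items() if len(locs) > 1},
        "missing_services": [e["name"] for e in entries if e["kind"] == "O23" and e["missing"]],
        "unknown_vendor_services": [e["name"] for e in entries
                                    if e["kind"] == "O23" and e["vendor"] == "Unknown"],
        "ssodl": [(e["name"], e["exe"]) for e in entries if e["kind"] == "O21"],
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A bare filename is not proof of anything on its own (the sample keeps `notepad.exe` in the report for that reason); the value of the report is in combining signals, such as the same bare name sitting in HKLM Run, HKLM RunServices and HKCU Run together, which is the repetition visible throughout the posted log.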