Hijack logs

Status
Not open for further replies.

Gillian

Returning user
Joined
31 Dec 2000
Posts
1,215
A friend of mine is at his wits' end: he has a strange hijack and knew of this site,
so he asked me whether I would help him.
He has sent a few log files
and is asking for your advice (he doesn't speak Dutch).

Logfile 1
Logfile of HijackThis v1.97.7
Scan saved at 22:29:28, on 10/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\oodag.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\Documents and Settings\Administrator\Desktop\NewsLeecher\newsLeecher.exe
C:\Documents and Settings\Administrator\Desktop\NewsLeecher\newsLeecher.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\mIRC2\mirc.exe
C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe
C:\Program Files\FlashFXP\flashfxp.exe
C:\Program Files\DVD Decrypter\DVDDecrypter.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co.uk/ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.co.uk/keyword/%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8080
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.google.co.uk/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [taskopen.exe] taskopen.exe
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /M "Stylus Photo R300" /EF "HKCU"
O4 - HKLM\..\RunOnce: [qappsrvc32.exe] qappsrvc32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open Selected URL - C:\Program Files\RightClickGoogleSearchOpenSelectedURL\openselectedurl.htm
O8 - Extra context menu item: Search &Google - C:\Program Files\RightClickGoogleSearchOpenSelectedURL\google.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O15 - Trusted Zone: http://*.63.219.181.7
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093910907781
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab



OK, you see the IP above in the Trusted Zone - it isn't an IP I put in, and I keep going to Internet Settings and removing it, but no sooner have I done so than it comes back.
Also, I have removed 3 running processes, and one that came up as dangerous was called OPENCONF.EXE, but you won't see it above as it's removed until the next time I reboot; then it will appear, so my problem isn't solved, but stopping this process has stopped all those popup ads appearing when IE isn't even loaded.

Logfile 2

OK, just rebooted and guess what: using security system manager I got another process that turns up 100% dodgy.

Also, here is the new log.

Logfile of HijackThis v1.97.7
Scan saved at 23:05:28, on 10/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PHP Home Edition 2\Apache2\bin\Apache.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\PHP Home Edition 2\Apache2\bin\Apache.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\PROGRA~1\PHPHOM~1\mysql\bin\mysqld-nt.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\oodag.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Security Task Manager\TaskMan.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co.uk/ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.co.uk/keyword/%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8080
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.google.co.uk/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /M "Stylus Photo R300" /EF "HKCU"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open Selected URL - C:\Program Files\RightClickGoogleSearchOpenSelectedURL\openselectedurl.htm
O8 - Extra context menu item: Search &Google - C:\Program Files\RightClickGoogleSearchOpenSelectedURL\google.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O15 - Trusted Zone: http://*.63.219.181.7
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093910907781
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
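A HijackThis log is just text, and the items the poster was chasing (a Trusted Zone entry that is a bare IP, autostart entries that name an executable without a path, and, in the later logs of this thread, a hosts-file redirect and an unnamed BHO) can be picked out mechanically. The following is an added example, not code from the thread or from the HijackThis author; the triage rules, the severity labels and the sample lines (copied from the logs in this thread, including ones that appear further down) are my own construction. It deliberately rates the localhost proxy as "review" rather than "suspicious", because on this machine that setting belongs to Proxomitron.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: line kinds that occur in the HijackThis logs of this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8080
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {6ECA54A4-C07A-4174-A724-29D777460F78} - C:\WINDOWS\System32\mscd.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [taskopen.exe] taskopen.exe
O4 - HKLM\..\RunOnce: [qappsrvc32.exe] qappsrvc32.exe
O15 - Trusted Zone: http://*.63.219.181.7
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""


@dataclass(frozen=True)
class Finding:
    section: str    # HijackThis section prefix, e.g. "O15"
    severity: str   # "suspicious" (act on it) or "review" (confirm before acting)
    reason: str
    line: str


_LINE_RE = re.compile(r"^([RO]\d+) - (.*)$")
_IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
_O4_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\(Run\w*): \[[^\]]*\]\s*(.*)$")
_O1_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")


def check_line(line: str) -> Optional[Finding]:
    """Return a Finding for one HijackThis line, or None if it looks benign."""
    line = line.strip()
    m = _LINE_RE.match(line)
    if not m:
        return None
    section, body = m.groups()

    if section == "O15":
        # O15 = IE Trusted Zone. Real sites are named; an IP literal (here behind
        # a leading wildcard) is exactly the entry the poster kept seeing reappear.
        host = body.split("Trusted Zone:", 1)[-1].strip()
        host = re.sub(r"^[a-z]+://", "", host)
        if host.startswith("*."):
            host = host[2:]
        if _IPV4_RE.match(host):
            return Finding(section, "suspicious", "Trusted Zone entry is a bare IP address", line)

    elif section == "O1":
        # O1 = hosts-file mapping. Anything that is not loopback redirects a name.
        m1 = _O1_RE.match(body)
        if m1 and m1.group(1) not in ("127.0.0.1", "::1"):
            return Finding(section, "suspicious",
                           f"hosts file sends {m1.group(2)} to {m1.group(1)}", line)

    elif section == "O2" and "(no name)" in body:
        # O2 = Browser Helper Object. Legitimate ones register a display name.
        return Finding(section, "suspicious", "unnamed BHO", line)

    elif section == "O4":
        # O4 = autostart. A command with no path at all (no backslash) is found via
        # PATH lookup, which hides where the file actually lives on disk.
        m4 = _O4_RE.match(body)
        if m4 and "\\" not in m4.group(2):
            return Finding(section, "suspicious",
                           f"{m4.group(1)} launches an unqualified executable name", line)

    elif section == "R1" and "ProxyServer" in body:
        # A proxy on localhost is often a legitimate local filter (this machine runs
        # Proxomitron), but hijackers use the same trick, so confirm the listener.
        proxy = body.split("=", 1)[-1].strip()
        return Finding(section, "review",
                       f"IE proxies through {proxy}; confirm which program listens there", line)

    return None


def triage(log_text: str) -> List[Finding]:
    """Run check_line over a whole log and keep only the lines that were flagged."""
    return [f for f in (check_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:10} {f.section:4} {f.reason}")
```

The rules are deliberately narrow: they flag what the thread shows as indicators, and a benign O4 line with a full path (the AVG entry) passes untouched.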
 
Hello Gillian,

This is a nasty hijacker that needs special measures. Do the following, and be really careful:


1. Download rem.zip: http://users.pandora.be/bluepatchy/www/rem.zip

This zip file contains 2 files: rem.bat and zip.exe.
Unzip the files to the following folder: C:\Windows\System32

(NB: it is very important that you put rem.bat and zip.exe in System32; otherwise it will not work)

2. Start the PC in safe mode: http://www.virushelp.nl/veilige_modus.htm

Go to Start -> Run -> and type in the box:

C:\WINDOWS\System32\rem.bat

Click "OK" or press "Enter".

(This MUST be done in safe mode, otherwise it won't work.)

3. Restart the PC in 'normal mode'.

4. Use Windows Explorer to look for the file C:\log.txt.

Open that file, copy its entire contents and paste it here in your next post.

5. Make a new HijackThis log and post that in your next post as well. Do use the latest version of HijackThis, which is version 1.98.2: http://www.spywareinfo.com/~merijn/files/hijackthis.zip
 
Here, as requested, is the follow-up to this thread:
http://helpmij.nl/forum/showthread.php?s=&threadid=192196

Nothing found, and I am in safe mode - here is the output.

Microsoft Windows XP [Version 5.1.2600]
C:\WINDOWS\system32
"Files found"
---------------------------------------------------------------------

Zipping files............
---------------------------------------------------------

deleting files........
---------------------------------------------------------

"Files Not Deleted"
---------------------------------------------------------------------

Checking for version 2 files..........
Files Found
------------------------------------------------------------

Zipping files............
---------------------------------------------------------

deleting files........
---------------------------------------------------------

Files Not deleted
------------------------------------------------------------

Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------

-----------------------------------------------------------------

Done


Now when I go back to the normal computer and check my processes, I have 3 which are listed as 100%, and if I don't stop them I get ads etc. and popups related to spyware. If I remove them I don't get the popups, so I can use the computer freely.
Yet this way, in safe mode, it doesn't seem to be picking anything up.


HIJACK LOG

Logfile of HijackThis v1.97.7
Scan saved at 16:54:17, on 11/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PHP Home Edition 2\Apache2\bin\Apache.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\PHPHOM~1\mysql\bin\mysqld-nt.exe
C:\Program Files\PHP Home Edition 2\Apache2\bin\Apache.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\oodag.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\unlodctl.exe
C:\WINDOWS\System32\nlsfuncs.exe
C:\WINDOWS\System32\openconf.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co.uk/ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.co.uk/keyword/%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8080
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.google.co.uk/
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /M "Stylus Photo R300" /EF "HKCU"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open Selected URL - C:\Program Files\RightClickGoogleSearchOpenSelectedURL\openselectedurl.htm
O8 - Extra context menu item: Search &Google - C:\Program Files\RightClickGoogleSearchOpenSelectedURL\google.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093910907781
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 
This is really weird. Although rem.bat didn't find anything, the O15 items have disappeared from the HJT log. But the infection is still there. I notice these three running processes, but the HJT log unfortunately does not show what makes these processes run.

Let's try and figure it out.


Download this file and unzip it to a folder: http://www.thespykiller.co.uk/files/ms4hd.zip
You'll find three files inside. One of these is called runme.bat. Run runme.bat by double-clicking on it. Some log files will be produced. One of these is called look.log. Post the look.log file back here.
 
It's quite a lot that my mate sent; I hope you can make sense of it.

Bit late, Gillian, I had to quarantine the stuff, but here is what the file made.

Will post another one when I reset and unleash the little gits.

An Ms4Hd_look by IMM (v0.003)
Version Info: 5.1000 = Windows XP Pro SP1 (Build 2600)
The volume containing the system directory is C: (NTFS)

HKLM\SYSTEM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd
Error: Unable to open key (Return Code was 2)

HKLM\SYSTEM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\Files
Error: Unable to open key (Return Code was 2)

HKLM\SYSTEM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\Processes
Error: Unable to open key (Return Code was 2)

HKLM\SYSTEM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\RegKeys
Error: Unable to open key (Return Code was 2)

HKLM\SYSTEM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\RegValues
Error: Unable to open key (Return Code was 2)

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
(1 subkey(s) and 5 values) last modified 12:23 12/12/2004 (UTC)
[NvCplDaemon] "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" (SZ)
[AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP" (SZ)
[PinnacleDriverCheck] "C:\WINDOWS\System32\PSDrvCheck.exe" (SZ)
[SmcService] "C:\PROGRA~1\Sygate\SPF\smc.exe -startgui" (SZ)
[MSConfig] "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto" (SZ)

======================================
Right, just reset the computer and they're definitely running; I can see the processes in action.

Here is what that zip file created.

An Ms4Hd_look by IMM (v0.003)
Version Info: 5.1000 = Windows XP Pro SP1 (Build 2600)
The volume containing the system directory is C: (NTFS)

HKLM\SYSTEM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd
Error: Unable to open key (Return Code was 2)

HKLM\SYSTEM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\Files
Error: Unable to open key (Return Code was 2)

HKLM\SYSTEM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\Processes
Error: Unable to open key (Return Code was 2)

HKLM\SYSTEM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\RegKeys
Error: Unable to open key (Return Code was 2)

HKLM\SYSTEM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\RegValues
Error: Unable to open key (Return Code was 2)

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
(1 subkey(s) and 4 values) last modified 18:05 12/12/2004 (UTC)
[NvCplDaemon] "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" (SZ)
[AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP" (SZ)
[PinnacleDriverCheck] "C:\WINDOWS\System32\PSDrvCheck.exe" (SZ)
[SmcService] "C:\PROGRA~1\Sygate\SPF\smc.exe -startgui" (SZ)



Now the HijackThis logfile

Logfile of HijackThis v1.97.7
Scan saved at 18:08:13, on 12/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\unlodctl.exe
C:\WINDOWS\System32\nlsfuncs.exe
C:\WINDOWS\System32\openconf.exe
C:\Program Files\Security Task Manager\TaskMan.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8080
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.google.co.uk/
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {6ECA54A4-C07A-4174-A724-29D777460F78} - C:\WINDOWS\System32\mscd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /M "Stylus Photo R300" /EF "HKCU"
O4 - HKLM\..\RunOnce: [qappsrvc32.exe] qappsrvc32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open Selected URL - C:\Program Files\RightClickGoogleSearchOpenSelectedURL\openselectedurl.htm
O8 - Extra context menu item: Search &Google - C:\Program Files\RightClickGoogleSearchOpenSelectedURL\google.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093910907781
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

And in my bottom task tray a balloon is appearing which is telling me I'm under attack from spyware (in fact it's saying "Spyware Activity Detected. Click this balloon to fix the problem").
======================================
Here, finally got a log of the processes in action; make sure they see this.

Name Rating PID CPU Memory Active File Type Start Title, Description Manufacturer : product
AVG Alert Manager 42% 1912 6.3 MB C:\Program Files\Grisoft\AVG7\avgamsvr.exe Program 17:55:20 from Services and Controller app GRISOFT, s.r.o. : AVG Anti-Virus System
AVG Control Center 16% 1308 5.5 MB 0:01 C:\Program Files\Grisoft\AVG7\avgcc.exe Taskicon 18:05:51 when Windows starts - Registry: Machine\Run AVG 7.0 Professional - Control Center GRISOFT, s.r.o. : AVG Anti-Virus System
AVG Update Service 42% 1944 2.1 MB C:\Program Files\Grisoft\AVG7\avgupsvc.exe Program 17:55:20 from Services and Controller app GRISOFT, s.r.o. : AVG 7.0 Anti-Virus System
Client Server Runtime Process 3% 724 3.3 MB 0:01 C:\WINDOWS\system32\csrss.exe Program 17:55:10 from Windows NT Session Manager Microsoft Corporation : Microsoft® Windows® Operating System
CTF Loader 10% 1460 2.0 MB C:\WINDOWS\System32\ctfmon.exe Program 18:05:52 when Windows starts - Registry: User\Run Microsoft Corporation : Microsoft® Windows® Operating System
DevLdr32 4% 1576 2.7 MB C:\WINDOWS\System32\devldr32.exe Program 18:05:57 from Windows Explorer DEVLDR Creative Technology Ltd. : Creative Ring3 NT Inteface
EPSON Printer Status Agent 60% 1972 3.0 MB C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe Program 17:55:20 from Services and Controller app SEIKO EPSON CORPORATION : EPSON Bidirectional Printer
EPSON Status Monitor 3 21% 1476 2.3 MB C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE Taskicon 18:05:52 when Windows starts - Registry: User\Run STM3 TrayIcon, EPSON Stylus Photo R300 Series SEIKO EPSON CORPORATION : EPSON Status Monitor 3
Generic Host Process for Win32 Services 6% 952 3.4 MB C:\WINDOWS\system32\svchost.exe Program 17:55:14 from Services and Controller app Microsoft Corporation : Microsoft® Windows® Operating System
Generic Host Process for Win32 Services 6% 1072 13.1 MB C:\WINDOWS\System32\svchost.exe Program 17:55:15 from Services and Controller app Microsoft Corporation : Microsoft® Windows® Operating System
Generic Host Process for Win32 Services 6% 1292 2.2 MB C:\WINDOWS\System32\svchost.exe Program 17:55:18 from Services and Controller app Microsoft Corporation : Microsoft® Windows® Operating System
Generic Host Process for Win32 Services 3% 1312 3.0 MB C:\WINDOWS\System32\svchost.exe Program 17:55:18 from Services and Controller app Microsoft Corporation : Microsoft® Windows® Operating System
Internet Explorer 0% 1364 28.3 MB 0:06 C:\Program Files\Internet Explorer\IEXPLORE.EXE Program 18:06:26 from Windows Explorer Unity - Was hijacked this afternoon (IE) - Microsoft Internet Explorer Microsoft Corporation : Microsoft® Windows® Operating System
LSA Shell (Export Version) 6% 800 2.5 MB C:\WINDOWS\system32\lsass.exe Program 17:55:13 from Windows NT Logon Application Microsoft Corporation : Microsoft® Windows® Operating System
mIRC 29% 1864 9.9 MB 0:01 C:\Program Files\mIRC2\mirc.exe Program 18:09:45 from Windows Explorer mIRC 6.16 :: NN 3.81 :: 18:10:10 :: XentoniX, NoNameScript 3.81 mIRC Co. Ltd. : mIRC
mscd.dll 92% C:\WINDOWS\System32\mscd.dll Internet when Internet Explorer starts (Browser Extension) -
nlsfuncs.exe 72% 208 1.4 MB C:\WINDOWS\System32\nlsfuncs.exe Program 18:06:32 from Internet Explorer -
Norton Ghost Start 27% 2032 2.3 MB C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe Program 17:55:21 from Services and Controller app Symantec Corporation : Norton Ghost Start Service
NVIDIA Driver Helper Service, Version 61.77 52% 136 2.2 MB C:\WINDOWS\System32\nvsvc32.exe Program 17:55:21 from Services and Controller app NVSVCPMMWindowClass NVIDIA Corporation : NVIDIA Driver Helper Service, Version 61.77
openconf.exe 72% 504 1.7 MB C:\WINDOWS\System32\openconf.exe Program 18:06:33 from Internet Explorer -
ScsiAccess.exe 47% 172 1.0 MB C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe Program 17:55:21 from Services and Controller app : ProShow Gold
Security Task Manager 0% 1760 1% 10.9 MB 0:02 C:\Program Files\Security Task Manager\TaskMan.exe Program 18:06:43 from Windows Explorer Security Task Manager Alexander Neuber und Matthias Neuber : Security Task Manager
Services and Controller app 3% 788 2.7 MB 0:01 C:\WINDOWS\system32\services.exe Program 17:55:12 from Windows NT Logon Application Microsoft Corporation : Microsoft® Windows® Operating System
Spooler SubSystem App 3% 1432 4.2 MB C:\WINDOWS\system32\spoolsv.exe Program 17:55:19 from Services and Controller app Microsoft Corporation : Microsoft® Windows® Operating System
Sygate Agent Firewall 38% 1160 10.3 MB 0:01 C:\Program Files\Sygate\SPF\smc.exe Taskicon 17:55:15 when Windows starts - Registry: Machine\Run from Services and Controller app Log Viewer, Sygate Personal Firewall Pro - Normal Sygate Technologies, Inc. : Sygate® Security Agent and Personal Firewall
System 2% 4 0.2 MB 0:08 System Program Windows system process Microsoft : Windows
System idle 2% System idle Program Windows idle process Microsoft : Windows
The Proxomitron 11% 1236 3.8 MB C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe Taskicon 18:06:24 from Windows Explorer The Proxomitron - default, The Proxomitron Groom-A-Zebu (tm) : Proxomitron
unlodctl.exe 72% 1828 2.7 MB C:\WINDOWS\System32\unlodctl.exe Program 18:06:32 from Internet Explorer MCI command handling window -
Windows Explorer 0% 1052 19.0 MB 0:03 C:\WINDOWS\Explorer.EXE Program 18:05:48 Program Manager, Volume Microsoft Corporation : Microsoft® Windows® Operating System
Windows NT Logon Application 3% 744 2.6 MB 0:01 C:\WINDOWS\system32\winlogon.exe Program 17:55:11 from Windows NT Session Manager NetDDE Agent Microsoft Corporation : Microsoft® Windows® Operating System
Windows NT Session Manager 3% 644 0.5 MB C:\WINDOWS\System32\smss.exe Program 17:55:08 from System Microsoft Corporation : Microsoft® Windows® Operating System
Windows User Mode Driver Manager 16% 244 2.3 MB C:\WINDOWS\System32\wdfmgr.exe Program 17:55:22 from Services and Controller app Microsoft Corporation : Microsoft® Windows® Operating System
AVG 7.0 21% C:\Program Files\Grisoft\AVG7\avgw.exe Program when Windows starts - Registry: Def\Run AVG7_Run (not active) GRISOFT, s.r.o. : AVG Anti-Virus System
NVIDIA Display Properties Extension 21% C:\WINDOWS\System32\NvCpl.dll Program when Windows starts - Registry: Machine\Run NvCplDaemon (not active) NVIDIA Corporation : NVIDIA Compatible Windows 2000 Display driver, Version 61.77
PSDrvCheck.exe 22% C:\WINDOWS\System32\PSDrvCheck.exe Program when Windows starts - Registry: Machine\Run PinnacleDriverCheck (not active) Pinnacle Systems GmbH : InstantCopy
qappsrvc32.exe 36% C:\WINDOWS\System32\qappsrvc32.exe Program when Windows starts - Registry: Machine\RunOnce qappsrvc32.exe (not active) -
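What distinguishes the four items in the listing above from the rest is visible in the row text itself: they were started "from Internet Explorer" rather than by the service controller or Explorer, they sit in System32 yet carry no manufacturer or product string, and the tool rates them highly. The following is an added example, not code from the thread or from the Security Task Manager vendor, that parses rows of this free-text shape with those three heuristics. The column regexes, the 70% threshold and the sample rows (adapted from the listing above, with the ® marks dropped) are my own construction; because the listing has no fixed delimiters, the parser keys on the first "NN%" token, the first drive-letter path and a trailing " -" rather than on column positions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: two benign rows plus the items the poster was chasing.
SAMPLE_ROWS = r"""
AVG Alert Manager 42% 1912 6.3 MB C:\Program Files\Grisoft\AVG7\avgamsvr.exe Program 17:55:20 from Services and Controller app GRISOFT, s.r.o. : AVG Anti-Virus System
CTF Loader 10% 1460 2.0 MB C:\WINDOWS\System32\ctfmon.exe Program 18:05:52 when Windows starts - Registry: User\Run Microsoft Corporation : Microsoft Windows Operating System
mscd.dll 92% C:\WINDOWS\System32\mscd.dll Internet when Internet Explorer starts (Browser Extension) -
nlsfuncs.exe 72% 208 1.4 MB C:\WINDOWS\System32\nlsfuncs.exe Program 18:06:32 from Internet Explorer -
openconf.exe 72% 504 1.7 MB C:\WINDOWS\System32\openconf.exe Program 18:06:33 from Internet Explorer -
unlodctl.exe 72% 1828 2.7 MB C:\WINDOWS\System32\unlodctl.exe Program 18:06:32 from Internet Explorer MCI command handling window -
qappsrvc32.exe 36% C:\WINDOWS\System32\qappsrvc32.exe Program when Windows starts - Registry: Machine\RunOnce qappsrvc32.exe (not active) -
"""

# The rating is the first "NN%" token; the file is the first drive-letter path
# ending in .exe/.dll; the launcher is whatever follows "from" (values seen in
# the listing above).
_RATING_RE = re.compile(r"(\d{1,3})%")
_PATH_RE = re.compile(r"([A-Za-z]:\\.+?\.(?:exe|dll))", re.IGNORECASE)
_LAUNCHER_RE = re.compile(
    r"\bfrom (Internet Explorer|Windows Explorer|Services and Controller app|"
    r"Windows NT Session Manager|Windows NT Logon Application|System)\b")

NO_VENDOR_REASON = "file in System32 carries no manufacturer or product information"


@dataclass
class Row:
    name: str
    rating: int
    path: str
    launcher: Optional[str]
    has_vendor: bool               # False when the row ends in a bare "-"
    reasons: List[str] = field(default_factory=list)


def parse_row(line: str) -> Optional[Row]:
    """Pull name, rating, path, launcher and vendor presence out of one listing row."""
    rating_m = _RATING_RE.search(line)
    path_m = _PATH_RE.search(line)
    if not rating_m or not path_m:
        return None                # "System", "System idle" and header rows
    name = line[:rating_m.start()].strip()
    launcher_m = _LAUNCHER_RE.search(line)
    return Row(name=name,
               rating=int(rating_m.group(1)),
               path=path_m.group(1),
               launcher=launcher_m.group(1) if launcher_m else None,
               has_vendor=not line.rstrip().endswith(" -"))


def triage_listing(text: str, rating_threshold: int = 70) -> List[Row]:
    """Return the rows that trip at least one heuristic, each with its reasons."""
    flagged = []
    for line in text.splitlines():
        row = parse_row(line)
        if row is None:
            continue
        if row.launcher == "Internet Explorer":
            # A browser spawning an executable in System32 is how this infection ran.
            row.reasons.append("executable was spawned by Internet Explorer")
        if not row.has_vendor and row.path.lower().startswith(r"c:\windows\system32"):
            # Real OS components in System32 carry version info; these did not.
            row.reasons.append(NO_VENDOR_REASON)
        if row.rating >= rating_threshold:
            row.reasons.append(f"tool rating {row.rating}% is at or above {rating_threshold}%")
        if row.reasons:
            flagged.append(row)
    return flagged


if __name__ == "__main__":
    for row in triage_listing(SAMPLE_ROWS):
        print(f"{row.name:16} {row.path}")
        for reason in row.reasons:
            print(f"    - {reason}")
```

The launcher heuristic is the one that matters most for triage: a PID that was started by the browser rather than by the service controller tells you which process to look at next, which is what the HijackThis log in this thread could not show.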
 
Even though I told him not to delete anything, I think he did it anyway.
He sent me a second log
and this message:

(19:25:34) (@Yer69) last HARD one i got was the LOP fuker... and that was like almost 2 years ago...
(19:25:37) (firstpira) (19:24:04) (firstpira) openconf.exe
(19:25:37) (firstpira) (19:24:07) (firstpira) mscd.dll
(19:25:37) (firstpira) (19:24:22) (firstpira) nlsfuncs.exe
(19:25:37) (firstpira) (19:24:53) (firstpira) unlodctl.exe
(19:25:43) (firstpira) was a website that infected me
(19:25:47) (firstpira) even know how and when

The above files I deleted from the computer and reset, then did a search for them, and they have not turned back up.

Will let you know in a few hours if everything is OK, as I don't want to push my luck.

=======================================
OK, after messing about in regedit, here is the new spy log.

The files I have been complaining about all the time in this thread: we found them in one registry setting, but there were 6 in all, not 3.

Not sure if I've got rid of them just yet.
======================================
Security Task Manager
--------------------------------------------------------------------------------
Computer DEFAULT, Benutzer Administrator, 12/12/2004 19:10:36
Name Rating PID CPU Memory Active File Type Start Title, Description Manufacturer : product
AVG Alert Manager 42% 1924 6.2 MB C:\Program Files\Grisoft\AVG7\avgamsvr.exe Program 19:06:45 from Services and Controller app GRISOFT, s.r.o. : AVG Anti-Virus System
AVG Control Center 16% 1536 5.5 MB 0:01 C:\Program Files\Grisoft\AVG7\avgcc.exe Taskicon 19:08:05 when Windows starts - Registry: Machine\Run AVG 7.0 Professional - Control Center GRISOFT, s.r.o. : AVG Anti-Virus System
AVG Update Service 42% 1944 2.1 MB C:\Program Files\Grisoft\AVG7\avgupsvc.exe Program 19:06:45 from Services and Controller app GRISOFT, s.r.o. : AVG 7.0 Anti-Virus System
Client Server Runtime Process 4% 724 3.0 MB 0:01 C:\WINDOWS\system32\csrss.exe Program 19:06:36 from Windows NT Session Manager Microsoft Corporation : Microsoft® Windows® Operating System
CTF Loader 10% 1576 2.0 MB C:\WINDOWS\System32\ctfmon.exe Program 19:08:06 when Windows starts - Registry: User\Run Microsoft Corporation : Microsoft® Windows® Operating System
DevLdr32 4% 1892 2.7 MB C:\WINDOWS\System32\devldr32.exe Program 19:08:10 from Windows Explorer DEVLDR Creative Technology Ltd. : Creative Ring3 NT Inteface
EPSON Printer Status Agent 60% 1972 3.0 MB C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe Program 19:06:46 from Services and Controller app SEIKO EPSON CORPORATION : EPSON Bidirectional Printer
EPSON Status Monitor 3 21% 1584 2.3 MB C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE Taskicon 19:08:06 when Windows starts - Registry: User\Run STM3 TrayIcon, EPSON Stylus Photo R300 Series SEIKO EPSON CORPORATION : EPSON Status Monitor 3
Generic Host Process for Win32 Services 6% 944 4.1 MB C:\WINDOWS\system32\svchost.exe Program 19:06:40 from Services and Controller app Microsoft Corporation : Microsoft® Windows® Operating System
Generic Host Process for Win32 Services 6% 1060 13.8 MB 0:01 C:\WINDOWS\System32\svchost.exe Program 19:06:40 from Services and Controller app Microsoft Corporation : Microsoft® Windows® Operating System
Generic Host Process for Win32 Services 6% 1296 2.9 MB C:\WINDOWS\System32\svchost.exe Program 19:06:43 from Services and Controller app Microsoft Corporation : Microsoft® Windows® Operating System
Generic Host Process for Win32 Services 3% 1328 3.8 MB C:\WINDOWS\System32\svchost.exe Program 19:06:43 from Services and Controller app Microsoft Corporation : Microsoft® Windows® Operating System
Internet Explorer 0% 1292 25.8 MB 0:04 C:\Program Files\Internet Explorer\IEXPLORE.EXE Program 19:08:23 from Windows Explorer Unity - Was hijacked this afternoon (IE) - Microsoft Internet Explorer Microsoft Corporation : Microsoft® Windows® Operating System
LSA Shell (Export Version) 6% 800 6.2 MB C:\WINDOWS\system32\lsass.exe Program 19:06:38 from Windows NT Logon Application Microsoft Corporation : Microsoft® Windows® Operating System
mIRC 31% 1312 9.9 MB 0:01 C:\Program Files\mIRC2\mirc.exe Taskicon 19:08:31 from Windows Explorer {4F19F9EE-D526-4ffe-BEE2-C471C6B5A154}, mIRC 6.16 :: NN 3.81 :: 19:08:40 :: XentoniX mIRC Co. Ltd. : mIRC
Norton Ghost Start 27% 2036 2.2 MB C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe Program 19:06:46 from Services and Controller app Symantec Corporation : Norton Ghost Start Service
NVIDIA Driver Helper Service, Version 61.77 52% 140 2.3 MB C:\WINDOWS\System32\nvsvc32.exe Program 19:06:46 from Services and Controller app NVSVCPMMWindowClass NVIDIA Corporation : NVIDIA Driver Helper Service, Version 61.77
ScsiAccess.exe 47% 212 1.0 MB C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe Program 19:06:46 from Services and Controller app : ProShow Gold
Security Task Manager 0% 396 7.4 MB 0:02 C:\Program Files\Security Task Manager\TaskMan.exe Program 19:08:43 from Windows Explorer Security Task Manager Alexander Neuber und Matthias Neuber : Security Task Manager
Services and Controller app 3% 788 3.3 MB 0:01 C:\WINDOWS\system32\services.exe Program 19:06:38 from Windows NT Logon Application Microsoft Corporation : Microsoft® Windows® Operating System
Spooler SubSystem App 3% 1436 4.9 MB C:\WINDOWS\system32\spoolsv.exe Program 19:06:44 from Services and Controller app Microsoft Corporation : Microsoft® Windows® Operating System
Sygate Agent Firewall 38% 1148 9.9 MB 0:02 C:\Program Files\Sygate\SPF\smc.exe Taskicon 19:06:41 when Windows starts - Registry: Machine\Run from Services and Controller app Log Viewer, Sygate Personal Firewall Pro - Normal Sygate Technologies, Inc. : Sygate® Security Agent and Personal Firewall
System 2% 4 0.2 MB 0:08 System Program Windows system process Microsoft : Windows
System idle 2% System idle Program Windows idle process Microsoft : Windows
The Proxomitron 11% 124 3.8 MB C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe Taskicon 19:08:18 from Windows Explorer The Proxomitron - default, The Proxomitron Groom-A-Zebu (tm) : Proxomitron
Windows Explorer 0% 1248 16.7 MB 0:01 C:\WINDOWS\Explorer.EXE Program 19:08:02 Program Manager, Volume Microsoft Corporation : Microsoft® Windows® Operating System
Windows NT Logon Application 3% 744 4.3 MB 0:01 C:\WINDOWS\system32\winlogon.exe Program 19:06:37 from Windows NT Session Manager NetDDE Agent Microsoft Corporation : Microsoft® Windows® Operating System
Windows NT Session Manager 3% 644 0.5 MB C:\WINDOWS\System32\smss.exe Program 19:06:34 from System Microsoft Corporation : Microsoft® Windows® Operating System
Windows User Mode Driver Manager 16% 244 2.3 MB C:\WINDOWS\System32\wdfmgr.exe Program 19:06:47 from Services and Controller app Microsoft Corporation : Microsoft® Windows® Operating System
AVG 7.0 21% C:\Program Files\Grisoft\AVG7\avgw.exe Program when Windows starts - Registry: Def\Run AVG7_Run (not active) GRISOFT, s.r.o. : AVG Anti-Virus System
NVIDIA Display Properties Extension 22% C:\WINDOWS\System32\NvCpl.dll Program when Windows starts - Registry: Machine\Run NvCplDaemon (not active) NVIDIA Corporation : NVIDIA Compatible Windows 2000 Display driver, Version 61.77
PSDrvCheck.exe 22% C:\WINDOWS\System32\PSDrvCheck.exe Program when Windows starts - Registry: Machine\Run PinnacleDriverCheck (not active) Pinnacle Systems GmbH : InstantCopy
 
I did NOT ask for logs from Security Task Manager, which are by the way completely useless in this case. And I most certainly did NOT advise you to mess about in the Windows Registry.

We're dealing with a new and very complicated problem here. I cannot help you solve it, unless you do exactly what I advise you to do and nothing else.
 
Posted by buffy
I did NOT ask for logs from Security Task Manager, which are by the way completely useless in this case. And I most certainly did NOT advise you to mess about in the Windows Registry.

We're dealing with a new and very complicated problem here. I cannot help you solve it, unless you do exactly what I advise you to do and nothing else.

Sorry, I have told him several times to do what you said,
but some people are just stubborn.

I hope the help for him continues;
if not, he will just have to reinstall his PC.

In any case, thanks so far for all your effort.
 