Help with a virus (hijackthis log file)

its_me123 · 03-29-2006, 09:16 AM

Hey

This is a followup on my other post, I got told to run a Hijackthis and post the log file, I see in there that iexplorer.exe which is intenret explorer i think is opened as soon as i start my comp up whch is odd because I don't see it opened, and the xpupdate.exe looks suspicious because when I close that the popup you comp is in danger goes away...

logfile:

Logfile of HijackThis v1.99.1
Scan saved at 6:13:09 PM, on 29/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\savedump.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Ahead\InCD\InCDsrv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
D:\Program Files\Oleansoft\Hc\Hce.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\AIM95\aim.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\xpupdate.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
D:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
D:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
D:\WINDOWS\system32\sistray.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\Jamie\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [HCEmployee] D:\Program Files\Oleansoft\Hc\Hce.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [yaemu.exe] D:\WINDOWS\system32\yaemu.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [Piracy] "D:\DOCUME~1\Jamie\LOCALS~1\Temp\SysUtil.exe" /PIRACY
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus G+ Wireless Adapter Utility.lnk = D:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Utility Tray.lnk = D:\WINDOWS\system32\sistray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1136506377170
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{08E3B69C-95C7-41FC-A43A-CCA2D84A42BC}: NameServer = 85.255.116.148,85.255.112.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E5E52A6-1258-4B1A-91D0-C2AB27F8ABB4}: NameServer = 85.255.116.148,85.255.112.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{97163CA2-2409-4263-B98C-B6369BB91FFF}: NameServer = 85.255.116.148,85.255.112.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{B3ED65A6-7541-4380-B6E3-FDEFF60809AC}: NameServer = 85.255.116.148,85.255.112.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{D7F59573-AB64-4FFE-848E-42AC2FBE3D1E}: NameServer = 85.255.116.148,85.255.112.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{FE583EAF-8825-4FB6-BC4C-BCE034D451B4}: NameServer = 85.255.116.148,85.255.112.10
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{08E3B69C-95C7-41FC-A43A-CCA2D84A42BC}: NameServer = 85.255.116.148,85.255.112.10
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\..\{08E3B69C-95C7-41FC-A43A-CCA2D84A42BC}: NameServer = 85.255.116.148,85.255.112.10
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = nsw.bigpond.net.au
O17 - HKLM\System\CS3\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: RegCompact - D:\WINDOWS\SYSTEM32\RegCompact.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - D:\Program Files\Ahead\InCD\InCDsrv.exe

03-29-2006, 09:16 AM	#1 (permalink)
its_me123 Bronze Member Join Date: Mar 2006 Posts: 29	Help with a virus (hijackthis log file) Hey This is a followup on my other post, I got told to run a Hijackthis and post the log file, I see in there that iexplorer.exe which is intenret explorer i think is opened as soon as i start my comp up whch is odd because I don't see it opened, and the xpupdate.exe looks suspicious because when I close that the popup you comp is in danger goes away... logfile: Logfile of HijackThis v1.99.1 Scan saved at 6:13:09 PM, on 29/03/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: D:\WINDOWS\System32\smss.exe D:\WINDOWS\system32\winlogon.exe D:\WINDOWS\system32\services.exe D:\WINDOWS\system32\savedump.exe D:\WINDOWS\system32\lsass.exe D:\WINDOWS\system32\svchost.exe D:\WINDOWS\System32\svchost.exe D:\Program Files\Ahead\InCD\InCDsrv.exe D:\WINDOWS\Explorer.EXE D:\WINDOWS\system32\spoolsv.exe D:\Program Files\Common Files\Real\Update_OB\realsched.exe D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe D:\Program Files\Oleansoft\Hc\Hce.exe D:\WINDOWS\system32\ctfmon.exe D:\Program Files\AIM95\aim.exe D:\Program Files\MSN Messenger\MsnMsgr.Exe D:\Program Files\Internet Explorer\iexplore.exe C:\Windows\xpupdate.exe D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe D:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE D:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe D:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe D:\WINDOWS\system32\sistray.exe D:\WINDOWS\system32\wscntfy.exe D:\WINDOWS\System32\svchost.exe D:\WINDOWS\system32\wuauclt.exe D:\Program Files\Internet Explorer\iexplore.exe D:\Documents and Settings\Jamie\Desktop\HijackThis.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [ViewMgr] D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe O4 - HKLM\..\Run: [HCEmployee] D:\Program Files\Oleansoft\Hc\Hce.exe O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [yaemu.exe] D:\WINDOWS\system32\yaemu.exe O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM95\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe O4 - HKCU\..\Run: [Piracy] "D:\DOCUME~1\Jamie\LOCALS~1\Temp\SysUtil.exe" /PIRACY O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: D-Link AirPlus G+ Wireless Adapter Utility.lnk = D:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE O4 - Global Startup: Picture Package Menu.lnk = ? O4 - Global Startup: Picture Package VCD Maker.lnk = ? O4 - Global Startup: Utility Tray.lnk = D:\WINDOWS\system32\sistray.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1136506377170 O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} - O17 - HKLM\System\CCS\Services\Tcpip\..\{08E3B69C-95C7-41FC-A43A-CCA2D84A42BC}: NameServer = 85.255.116.148,85.255.112.10 O17 - HKLM\System\CCS\Services\Tcpip\..\{2E5E52A6-1258-4B1A-91D0-C2AB27F8ABB4}: NameServer = 85.255.116.148,85.255.112.10 O17 - HKLM\System\CCS\Services\Tcpip\..\{97163CA2-2409-4263-B98C-B6369BB91FFF}: NameServer = 85.255.116.148,85.255.112.10 O17 - HKLM\System\CCS\Services\Tcpip\..\{B3ED65A6-7541-4380-B6E3-FDEFF60809AC}: NameServer = 85.255.116.148,85.255.112.10 O17 - HKLM\System\CCS\Services\Tcpip\..\{D7F59573-AB64-4FFE-848E-42AC2FBE3D1E}: NameServer = 85.255.116.148,85.255.112.10 O17 - HKLM\System\CCS\Services\Tcpip\..\{FE583EAF-8825-4FB6-BC4C-BCE034D451B4}: NameServer = 85.255.116.148,85.255.112.10 O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au O17 - HKLM\System\CS1\Services\Tcpip\..\{08E3B69C-95C7-41FC-A43A-CCA2D84A42BC}: NameServer = 85.255.116.148,85.255.112.10 O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au O17 - HKLM\System\CS2\Services\Tcpip\..\{08E3B69C-95C7-41FC-A43A-CCA2D84A42BC}: NameServer = 85.255.116.148,85.255.112.10 O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = nsw.bigpond.net.au O17 - HKLM\System\CS3\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O20 - Winlogon Notify: RegCompact - D:\WINDOWS\SYSTEM32\RegCompact.dll O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - D:\Program Files\Ahead\InCD\InCDsrv.exe

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes
Switch to Linear Mode Switch to Hybrid Mode Threaded Mode