Can somebody analyze this Hijackthis log, please?

Discussion in 'Computer Support' started by Zeke129, Mar 14, 2007.

  1. Zeke129

    Zeke129 Guest

    Hello all. I understand this is a good place to get help, so I hope
    somebody here can help me.
    Recently, AVG Free indicated that a trojan had been found. The
    problematic files were quarantined, I ran Spybot and Adaware (in safe
    mode where applicable) and everything seems to have been cleared up.
    However, my computer is still running slow and I'm getting the
    occasional popup.

    I was wondering if somebody could analyze the following Hijackthis log
    and tell me if I missed something:

    --------------------

    Logfile of HijackThis v1.99.1
    Scan saved at 10:34:24 PM, on 13/03/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Documents and Settings\Gibney\Desktop\Utilities\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\system32\fiyptrda.dll",setvm
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
     
    Zeke129, Mar 14, 2007
    #1

  2. Zeke129

    Zeke129 Guest

    Okay, I realized I should be running HijackThis from the C drive, and
    did some of my own homework into the issue. I removed some more
    problematic files, and here is the updated log:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:01:26 AM, on 14/03/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {2129336E-5918-49FA-A43E-EE81DD6DDEE2} - C:\WINDOWS\system32\ddaya.dll (file missing)
    O2 - BHO: (no name) - {6D797CF1-3D5E-4436-B891-0F12DEFBACA9} - C:\WINDOWS\system32\khfdede.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
     
    Zeke129, Mar 14, 2007
    #2

  3. Evan Platt

    Evan Platt Guest

    You use IE, right?
    Go to http://www.hijackthis.de/ .
     
    Evan Platt, Mar 14, 2007
    #3
  4. pcbutts1

    pcbutts1 Guest

    Have HJT fix the following lines by placing a check in the box next to each
    line, then clicking on the "Fix checked" button at the bottom.

    O2 - BHO: (no name) - {2129336E-5918-49FA-A43E-EE81DD6DDEE2} - C:\WINDOWS\system32\ddaya.dll (file missing)
    O2 - BHO: (no name) - {6D797CF1-3D5E-4436-B891-0F12DEFBACA9} - C:\WINDOWS\system32\khfdede.dll (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

    Your log shows remnants of Winfixer/vundo trojan. Email me directly for the
    location of my free removal tool or use this
    http://www.pcbutts1.com/downloads then
    http://www.pcbutts1.com/downloads/spyerasesetup.zip



    --

    Newsgroup Trolls. Read about mine here http://www.pcbutts1.com/downloads
    The list grows. Leythos the stalker http://www.leythosthestalker.com, David
    H. Lipman, Max M Wachtell III aka What's in a Name?, Fitz,
    Rhonda Lea Kirk, Meat Plow, F Kwatu F, George Orwell






     
    pcbutts1, Mar 14, 2007
    #4
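Added example, not code from the thread or from any of the posters: a small Python triage script for the HijackThis log format posted above. It parses entries, flags the kinds pcbutts1 pointed at (orphaned "(file missing)" O2/O9 registrations and unnamed BHOs) plus the rundll32 Run-key entry that appeared only in the first log, and diffs the two logs to show what the poster's own cleanup removed. The log excerpts are constructed from entries in this thread, and the heuristics are assumptions for triage, not a verdict on any entry.

```python
import re

# One HijackThis entry per line: "<section> - <description>". O2 (BHO) and O9
# (IE button) entries end in "(file missing)" when the registered file is gone.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?\.dll)"?,(\w+)', re.I)
# Constructed excerpts of the two logs posted in this thread (entries unwrapped).
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\system32\fiyptrda.dll",setvm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
"""
LOG_AFTER = r"""Logfile of HijackThis v1.99.1
O2 - BHO: (no name) - {2129336E-5918-49FA-A43E-EE81DD6DDEE2} - C:\WINDOWS\system32\ddaya.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
"""

def parse_hjt(text):
    """Return (section, body) pairs; header and 'Running processes' lines are skipped."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group("section"), m.group("body")))
    return out

def flag_entries(entries):
    """Triage heuristics (assumed, not HJT's own); each hit still needs a human look."""
    flagged = []
    for section, body in entries:
        reasons = []
        if section in ("O2", "O9", "O20", "O23") and body.endswith("(file missing)"):
            reasons.append("orphaned registration: target file is gone")
        if section == "O2" and body.startswith("BHO: (no name)"):
            reasons.append("BHO registered without a name")
        m = RUNDLL_RE.search(body) if section == "O4" else None
        if m and "\\system32\\" in m.group(1).lower():
            # A Run-key autostart that loads a system32 DLL through rundll32 is a
            # common persistence pattern: check the DLL's name and publisher by hand.
            dll = m.group(1).rsplit("\\", 1)[-1]
            reasons.append(f"rundll32 autostart of {dll},{m.group(2)}")
        if reasons:
            flagged.append((section, body, reasons))
    return flagged

def removed_between(before, after):
    """Entries in the earlier log that no longer appear in the later one."""
    later = set(parse_hjt(after))
    return [e for e in parse_hjt(before) if e not in later]
```

Run `flag_entries(parse_hjt(LOG_AFTER))` to get the two entries pcbutts1 listed from this excerpt, and `removed_between(LOG_BEFORE, LOG_AFTER)` to see the 2chkdsk rundll32 entry that disappeared between the poster's two logs.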
  5. Leythos

    Leythos Guest

    Before you email him and before you use his pirated fix, check out what
    he's really like in HIS LINKS shown below:


    --
    Want to know what PCBUTTS1 is really about?
    *** WARNING - these links contain foul/pornographic content of an
    abusive nature created by PCBUTTS1 and still hosted on his public
    website ***
    http://www.pcbutts1.com/rlk/rlk.htm ,
    http://www.pcbutts1.com/license.htm ,
    http://leythosthestalker.com/downloads/license.htm ,
    http://www.pcbutts1.com/downloads/max.htm ,
    http://leythosthestalker.com/downloads/max.htm ,
    http://www.pcbutts1.com/downloads/mpv.htm ,
    http://www.pcbutts1.com/downloads/wtcpcb.htm ,
    http://leythosthestalker.com/downloads/wtcpcb.htm ,
    http://www.pcbutts1.com/cracks.htm ,
    http://www.pcbutts1.com/Loutheasshole.htm
    All while spamming his company website at: http://www.seedsv.com
     
    Leythos, Mar 15, 2007
    #5
  6. Zeke129

    Zeke129 Guest

    Interesting. I don't know who to believe anymore.

    I doubt I need his fix anyway; the files he told me to remove using
    HJT cleared up the problem. (I removed some registry keys pertaining
    to the trojan as well.)
     
    Zeke129, Mar 15, 2007
    #6
