
Re: HijackThisLog Analysis - John

Date: Friday, 15 October, 2004 7:05 AM

The presence of wintcp.exe in the registry may indicate that you have the Agobot virus.

Try downloading & running Stinger to clear the virus from your computer, then update your Anti-Virus and perform a complete scan of your disk.  Rerun hijackthis.exe and check that the following entry has been removed.

O4 - HKLM\..\RunServices: [Windows TCP/IP] wintcp.exe

Remember: DO NOT run hijackthis.exe from inside the zip file.  Unzip (extract) it to your desktop, then double-click the "HijackThis.exe" icon.  This way a backup of the removed keys will be created on your desktop (useful if you remove them wrongly).

Here is what you should do.

End the suspicious processes below:

C:\WINDOWS\System32\EXPLORERZ.EXE
C:\WINDOWS\kdx\KHost.exe

Remove these search keys:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing

Remove these additional browser plug-in keys (O2...O4):

O4 - HKLM\..\Run: [Windows Explorer] EXPLORERZ.EXE
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\RunServices: [Windows TCP/IP] wintcp.exe
O4 - HKCU\..\RunOnce: [Windows Explorer] EXPLORERZ.EXE

Remove these ActiveX Objects (aka Downloaded Program Files) if you are not using them (O16):

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - website: public.windupdates.com/get_file.php?bt=ie&p=07.. bb1c
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\Documents and Settings\John\Local Settings\Temp\EI40_\msxml4.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - website: gamespot.com/KDX22/download/kdx.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - website: cdn.digitalcity.com/_media/dalaillama/ampx.cab

Reboot the computer into Safe Mode, then delete these files from your C: drive.

C:\WINDOWS\System32\EXPLORERZ.EXE
C:\WINDOWS\kdx\KHost.exe

Original log but with private information removed.


Logfile of HijackThis v1.98.2
Scan saved at 6:56:33 PM, on 10/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\msdtc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\EXPLORERZ.EXE
C:\WINDOWS\kdx\KHost.exe
C:\WINDOWS\System32\ctfmon.exe
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HJT\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Windows TCP/IP] wintcp.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Explorer] EXPLORERZ.EXE
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKLM\..\RunServices: [Windows TCP/IP] wintcp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\RunOnce: [Windows Explorer] EXPLORERZ.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - website: public.windupdates.com/get_file.php?bt=ie&p=07.. bb1c
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - website: security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - website: security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - website: a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\Documents and Settings\John\Local Settings\Temp\EI40_\msxml4.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - website: pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - website: ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - website: zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - website: 66.242.36.106/view22/View22RTE.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - website: fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - website: download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4394/mcfscan.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - website: gamespot.com/KDX22/download/kdx.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - website: cdn.digitalcity.com/_media/dalaillama/ampx.cab
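A small triage script, added here as an example (it is not part of the original post and not HijackThis code), that parses the O4 registry autostart lines of a log like the one above and flags the three traits that make the wintcp.exe and EXPLORERZ.EXE entries stand out: a bare file name with no directory (so the log alone cannot say where the binary lives), a RunServices key (which Windows XP never executes; it only exists on Windows 9x/ME), and a display name that borrows a Windows component name while pointing outside the Windows directory. The heuristics, the small allowlist of system tools that are legitimately launched by bare name (regsvr32 appears that way in the log), and the sample lines copied from the log are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Matches HijackThis O4 registry autostart lines, for example
#   O4 - HKLM\..\Run: [Windows TCP/IP] wintcp.exe
# Startup-folder variants ("O4 - Global Startup: ...") are deliberately not matched.
O4_REGISTRY_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\"
    r"(?P<key>Run|RunOnce|RunServices|RunServicesOnce): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

# System tools that are legitimately started by bare name from Run keys.
# Allowlist assumed by this example; extend it for your own environment.
PATH_RESOLVED_SYSTEM_TOOLS = {"regsvr32.exe", "rundll32.exe"}


@dataclass(frozen=True)
class O4Entry:
    hive: str
    key: str
    name: str
    command: str

    @property
    def executable(self) -> str:
        """First token of the command: the quoted path if quoted, else up to the first space."""
        cmd = self.command.strip()
        if cmd.startswith('"'):
            end = cmd.find('"', 1)
            return cmd[1:end] if end > 0 else cmd[1:]
        return cmd.split(" ", 1)[0]

    @property
    def image_name(self) -> str:
        """Bare file name, lower-cased, with .exe appended when no extension is given."""
        base = self.executable.rsplit("\\", 1)[-1].lower()
        return base if "." in base else base + ".exe"


def parse_o4(line: str) -> Optional[O4Entry]:
    """Parse one O4 registry line; returns None for any other log line."""
    m = O4_REGISTRY_RE.match(line.strip())
    if not m:
        return None
    return O4Entry(m["hive"], m["key"], m["name"], m["cmd"])


def triage_o4(entry: O4Entry) -> List[str]:
    """Return the reasons an autostart entry deserves a closer look (empty list = nothing odd)."""
    reasons = []
    exe = entry.executable
    if "\\" not in exe and entry.image_name not in PATH_RESOLVED_SYSTEM_TOOLS:
        # No directory: Windows resolves the name through the PATH search order,
        # so the analyst cannot tell from the log where the binary actually lives.
        reasons.append("bare filename, location unknown")
    if entry.key.startswith("RunServices"):
        # Windows NT/2000/XP never process RunServices*; the key is only honoured
        # on Windows 9x/ME. Malware writes it blindly to cover both families.
        reasons.append("RunServices key is dead on Windows XP")
    if entry.name.lower().startswith("windows ") and not exe.lower().startswith("c:\\windows\\"):
        # Display name borrows a Windows component name, but the target is not
        # under the Windows directory.
        reasons.append("Windows-lookalike display name")
    return reasons


def triage_log(lines: List[str]) -> Dict[str, List[str]]:
    """Map each O4 registry line that raised at least one flag to its reasons."""
    findings: Dict[str, List[str]] = {}
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = triage_o4(entry)
        if reasons:
            findings[line] = reasons
    return findings


# Constructed sample: O4 lines copied from the HijackThis log in the post above.
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray',
    r"O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll",
    r"O4 - HKLM\..\Run: [Windows TCP/IP] wintcp.exe",
    r"O4 - HKLM\..\Run: [Windows Explorer] EXPLORERZ.EXE",
    r"O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe",
    r"O4 - HKLM\..\RunServices: [Windows TCP/IP] wintcp.exe",
    r"O4 - HKCU\..\RunOnce: [Windows Explorer] EXPLORERZ.EXE",
    r"O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE",
]

if __name__ == "__main__":
    for flagged_line, flag_reasons in triage_log(SAMPLE_O4_LINES).items():
        print(flagged_line)
        for reason in flag_reasons:
            print("    ->", reason)
```

Run against the sample, the script flags the four wintcp.exe and EXPLORERZ.EXE lines and leaves SoundMAX, the regsvr32 entry and the Global Startup shortcut alone. Note that the KHost.exe entry passes all three checks: it has a full path and an unremarkable name, and the post only ties it to the "Secure Delivery" kdx.cab ActiveX object in the O16 section. Heuristics like these narrow the list; they do not replace reading the whole log.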


