Re: HijackThisLog Analysis - Rod
Tuesday, 06 July, 2004 10:42 AM
Looks like there is a lot of third-party software on the system. Also, the HTML.MHTMLRedir.exploit trojan was found - ms-its:mhtml:file: c:\MAIN.MHT. You should try to update your anti-virus software. If that is not possible, try downloading one of these "Cleaners" and run it. See the links at the bottom of this page for a detailed description of each of the adware/spyware/malware items found.
End the suspicious processes below:
C:\documents and settings\user.machine1\local settings\temp\1LQ2Gdot.exe
C:\WINNT\msreg.exe
C:\WINNT\hrtcm.exe
C:\Documents and Settings\user.MACHINE1\Application Data\erct.exe
C:\WINNT\system32\NDrv.exe
Remove these unauthorized search keys (using the HijackThis tool):
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http:??69.31.79.100/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http:??oldsuki.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file:??C:\DOCUME~1\USER~1.MAC\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file:??C:\DOCUME~1\USER~1.MAC\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http:??oldsuki.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file:??C:\DOCUME~1\USER~1.MAC\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http:??69.31.79.100/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http:??oldsuki.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file:??C:\DOCUME~1\USER~1.MAC\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file:??C:\DOCUME~1\USER~1.MAC\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http:??oldsuki.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http:??69.31.79.100/search.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file:??C:\DOCUME~1\USER~1.MAC\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http:??www.comcast.net/comcast.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http:??69.31.79.100/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http:??69.31.79.100/search.php
R3 - Default URLSearchHook is missing
Remove these Browser Objects (O2, O3, O8, O10) and Autoloading Programs (O4):
O2 - BHO: (no name) - {DA6E41BD-8B4D-4A7D-82A7-F52239FB361F} - C:\WINNT\system32\iecj.dll
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [1LQ2Gdot] C:\documents and settings\user.machine1\local settings\temp\1LQ2Gdot.exe
O4 - HKLM\..\Run: [cxqxyqcris] C:\WINNT\system32\qvoxjm.exe
O4 - HKLM\..\Run: [Online Service] C:\WINNT\msreg.exe
O4 - HKLM\..\Run: [hrtcm] C:\WINNT\hrtcm.exe
O4 - HKLM\..\Run: [3F9N4W95GAPEP7] C:\WINNT\system32\Juv0Y69j.exe
O4 - HKCU\..\Run: [Taai] C:\Documents and Settings\user.MACHINE1\Application Data\erct.exe
O4 - HKCU\..\Run: [NDrv] C:\WINNT\system32\NDrv.exe
Remove these ActiveX Components:
O16 - DPF: ConferenceRoom Java Client - http:??chat.strictlyhosting.com:8080/java/cr.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file:??C:\Program Files\Internet Explorer\Iesearch.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file:??c:\MAIN.MHT!http:??213.159.117.235/buka.chm::/x.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http:??www.mt-download.com/MediaTicketsInstaller.cab
Reboot the computer into safe mode, then delete these files from your C: drive:
C:\Program Files\Xupiter\XupiterStartup2003.exe
C:\Program Files\E2G\IeBHOs.dll
Original log but with private information removed.
Logfile of HijackThis v1.97.7
Scan saved at 11:22:21 AM, on 7/5/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Promon.exe
C:\WINNT\System32\PDesk.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\documents and settings\user.machine1\local settings\temp\1LQ2Gdot.exe
C:\WINNT\msreg.exe
C:\WINNT\hrtcm.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
C:\WINNT\system32\ctfmon.exe
C:\Documents and Settings\user.MACHINE1\Application Data\erct.exe
C:\WINNT\wt\updater\wcmdmgr.exe
C:\WINNT\system32\NDrv.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\My Downloads\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http:??69.31.79.100/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http:??oldsuki.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file:??C:\DOCUME~1\USER~1.MAC\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file:??C:\DOCUME~1\USER~1.MAC\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http:??oldsuki.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file:??C:\DOCUME~1\USER~1.MAC\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http:??69.31.79.100/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http:??oldsuki.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file:??C:\DOCUME~1\USER~1.MAC\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file:??C:\DOCUME~1\USER~1.MAC\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http:??oldsuki.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http:??69.31.79.100/search.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file:??C:\DOCUME~1\USER~1.MAC\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http:??www.comcast.net/comcast.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http:??69.31.79.100/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http:??69.31.79.100/search.php
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {DA6E41BD-8B4D-4A7D-82A7-F52239FB361F} - C:\WINNT\system32\iecj.dll
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [1LQ2Gdot] C:\documents and settings\user.machine1\local settings\temp\1LQ2Gdot.exe
O4 - HKLM\..\Run: [cxqxyqcris] C:\WINNT\system32\qvoxjm.exe
O4 - HKLM\..\Run: [Online Service] C:\WINNT\msreg.exe
O4 - HKLM\..\Run: [hrtcm] C:\WINNT\hrtcm.exe
O4 - HKLM\..\Run: [3F9N4W95GAPEP7] C:\WINNT\system32\Juv0Y69j.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINNT\wt\updater\wcmdmgrl.exe -launch
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Taai] C:\Documents and Settings\user.MACHINE1\Application Data\erct.exe
O4 - HKCU\..\Run: [NDrv] C:\WINNT\system32\NDrv.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\QUICKENW\bagent.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res:??C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O16 - DPF: ConferenceRoom Java Client - http:??chat.strictlyhosting.com:8080/java/cr.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file:??C:\Program Files\Internet Explorer\Iesearch.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file:??c:\MAIN.MHT!http:??213.159.117.235/buka.chm::/x.exe
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http:??download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http:??www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http:??v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38002.8311111111
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http:??security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http:??download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http:??ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
Malware Detected:
IESEARCH.EXE
NDrv.exe
HTML.MHTMLRedir.exploit trojan
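The reply above reads the log by eye: search settings (R0/R1) that point at a bare IP address or at a local file under Temp, a missing URLSearchHook (R3), an unnamed BHO (O2), autorun entries (O4) that launch from Temp or Application Data, and O16 ActiveX entries that use the ms-its:/mhtml: chain or load a local executable. The script below is an added example that mechanises those same checks over HijackThis-style lines; it is not Rod's tool, not part of HijackThis, and the heuristics, regexes and reason strings are my own. The sample lines are constructed from the log in the post, with the forum's `http:??` defanging kept so they parse unchanged.

```python
"""Heuristic triage of HijackThis-style log lines (added example, not HijackThis code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Finding:
    kind: str    # HijackThis section, e.g. "R1", "O4", "O16"
    reason: str  # why the entry was flagged
    line: str    # the raw log line


# Every entry looks like "<section> - <body>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
# http/https URL whose host is a dotted quad; accepts "//" and the forum's
# "??" defanging so the sample lines below parse as written.
IP_URL_RE = re.compile(r"https?:(?://|\?\?)\d{1,3}(?:\.\d{1,3}){3}(?=[/:]|$)", re.I)
# Temp and per-user data folders, in long and 8.3 short forms (assumed heuristic).
USER_WRITABLE_RE = re.compile(
    r"\\(?:local settings\\temp|locals~1\\temp|application data)\\", re.I)


def parse_entry(line: str) -> Optional[Tuple[str, str]]:
    m = ENTRY_RE.match(line.strip())
    return (m.group("kind"), m.group("body")) if m else None


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious entry, or None for a benign/unknown one."""
    parsed = parse_entry(line)
    if parsed is None:
        return None
    kind, body = parsed
    low = body.lower()
    if kind in ("R0", "R1"):
        if IP_URL_RE.search(body):
            return Finding(kind, "search/start setting points at a bare IP address", line)
        if "file:" in low and USER_WRITABLE_RE.search(body):
            return Finding(kind, "search setting points at a local file in a temp folder", line)
    elif kind == "R3" and "missing" in low:
        return Finding(kind, "default URLSearchHook is missing", line)
    elif kind == "O2" and low.startswith("bho: (no name)"):
        return Finding(kind, "BHO registered without a name", line)
    elif kind == "O4" and USER_WRITABLE_RE.search(body):
        return Finding(kind, "autorun launches from a temp or per-user data folder", line)
    elif kind == "O16":
        if "ms-its:" in low or "mhtml:" in low:
            return Finding(kind, "ActiveX download uses the ms-its:/mhtml: protocol chain", line)
        if IP_URL_RE.search(body):
            return Finding(kind, "ActiveX download from a bare IP address", line)
        if "file:" in low:
            return Finding(kind, "ActiveX entry loads a local file instead of a remote cab", line)
    return None


def triage(lines: List[str]) -> List[Finding]:
    return [f for f in map(triage_line, lines) if f is not None]


# Constructed sample: a subset of the log in the post, defanging left as-is.
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http:??69.31.79.100/search.php",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file:??C:\DOCUME~1\USER~1.MAC\LOCALS~1\Temp\sp.html",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http:??www.comcast.net/comcast.html",
    r"R3 - Default URLSearchHook is missing",
    r"O2 - BHO: (no name) - {DA6E41BD-8B4D-4A7D-82A7-F52239FB361F} - C:\WINNT\system32\iecj.dll",
    r"O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk.exe /Autolaunch",
    r"O4 - HKLM\..\Run: [1LQ2Gdot] C:\documents and settings\user.machine1\local settings\temp\1LQ2Gdot.exe",
    r"O4 - HKCU\..\Run: [Taai] C:\Documents and Settings\user.MACHINE1\Application Data\erct.exe",
    r"O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file:??c:\MAIN.MHT!http:??213.159.117.235/buka.chm::/x.exe",
    r"O16 - DPF: {10000000-1000-0000-1000-000000000000} - file:??C:\Program Files\Internet Explorer\Iesearch.exe",
    r"O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http:??download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```

On the sample, the Matrox autorun, the comcast start-page backup and the Flash cab pass through unflagged, while the eight entries Rod singles out are reported with the reason that applies. The folder and IP checks are deliberately coarse: a Run entry under Application Data is not malicious by itself, so treat the output as a worklist for the kind of manual review the post does, not as a verdict.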