Re: HijackThisLog Analysis - Pinkcookie
Date: Thursday, 07 October, 2004 2:15 AM
Here is what you should do.

End the suspicious process below:
C:\Program Files\Ares\Ares.exe

Remove this search key:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mupekvhjfqbldanngiuaipip.biz/1Zf..XL1.html

Remove these additional browser plug-in keys (O2...O4):
O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-DBFC-ED1CA787AD2D} - C:\PROGRA~1\POWERS~1\Toolbar\pwrs0rbi.dll (file missing)
O4 - HKLM\..\Run: [websx] C:\Program Files\websx\int339890.exe -auto
O4 - HKLM\..\Run: [mail dale] C:\PROGRA~1\CDROMU~1\ReadmeBags.exe
O4 - HKLM\..\Run: [winactive] C:\Program Files\Window Active\winactive.exe
O4 - HKLM\..\Run: [SecondBindDefaultMeet] C:\Documents and Settings\All Users\Application Data\FreeBlehSecondBind\Browse Dog.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h

Remove these ActiveX Objects (aka Downloaded Program Files) if you are not using them (O16):
O16 - DPF: {A1CD9B9F-6FCF-4A4A-B5B2-E6949340C57C} - http://myfreecursors.com/cursors/dog_pant.cab
O16 - DPF: {02607DF4-D40B-4FFB-B054-1CAC03468E28} (DNLCertificate Control) - http://fmn-media.com/campaigns/winpl/sites/pops/A001/DNLCertificate.ocx

Reboot the computer into Safe Mode. Then delete these files from your C: drive:
C:\Program Files\Ares\Ares.exe
Original log but with private information removed.
Logfile of HijackThis v1.98.2
Scan saved at 2:15:01 AM, on 10/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
C:\Program Files\National University of Singapore\NUS-VPN Client\cvpnd.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\RoamMgr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\System32\urtclsvc.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\TFNF5.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Efficient Networks\SpeedStream DSL\SPDSTRM.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Hello\Hello.exe
C:\Program Files\McAfee\QuickClean\Plguni.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Documents and Settings\Administrator\My Documents\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mupekvhjfqbldanngiuaipip.biz/1Zf..XL1.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {B4D64C16-738E-93FA-86F1-CFF013C80896} - C:\PROGRA~1\ABOUTB~1\savefast.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-DBFC-ED1CA787AD2D} - C:\PROGRA~1\POWERS~1\Toolbar\pwrs0rbi.dll (file missing)
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\zh-sg\msntb.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TMEEJME.EXE] C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [DSL Monitor] C:\Program Files\Efficient Networks\SpeedStream DSL\SPDSTRM.EXE
O4 - HKLM\..\Run: [websx] C:\Program Files\websx\int339890.exe -auto
O4 - HKLM\..\Run: [mail dale] C:\PROGRA~1\CDROMU~1\ReadmeBags.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winactive] C:\Program Files\Window Active\winactive.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\Plguni.exe" /START
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SecondBindDefaultMeet] C:\Documents and Settings\All Users\Application Data\FreeBlehSecondBind\Browse Dog.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: National University of Singapore NUS-VPN Client.lnk = C:\Program Files\National University of Singapore\NUS-VPN Client\ipsecdialer.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt0_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02607DF4-D40B-4FFB-B054-1CAC03468E28} (DNLCertificate Control) - http://fmn-media.com/campaigns/winpl/sites/pops/A001/DNLCertificate.ocx
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://musicnotes.com/download/mnviewer.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {A1CD9B9F-6FCF-4A4A-B5B2-E6949340C57C} - http://myfreecursors.com/cursors/dog_pant.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = stu.nus.edu.sg
O17 - HKLM\Software\..\Telephony: DomainName = stu.nus.edu.sg
O17 - HKLM\System\CCS\Services\Tcpip\..\{9148D4AC-7A3E-465B-B0FE-E91D3E6B0B8A}: NameServer = 192.169.34.181 203.120.90.40
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = stu.nus.edu.sg
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = stu.nus.edu.sg
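Added example, not part of the original post or of HijackThis itself: a small Python triage pass over the R0/O3/O4/O16 entry formats shown in the log above, applying the kinds of checks the reply applies by hand (search page on an unexpected host, toolbar with its DLL missing, run keys on the removal list or launching from a user-writable data directory, downloaded ActiveX controls with no friendly name). The sample log is a constructed subset of the entries above; the expected-host allowlist and the data-directory markers are my assumptions, while the run-key denylist is the reply's own removal list.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a subset of entries taken from the log above, not the whole log.
SAMPLE_LOG = r"""R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mupekvhjfqbldanngiuaipip.biz/1Zf..XL1.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-DBFC-ED1CA787AD2D} - C:\PROGRA~1\POWERS~1\Toolbar\pwrs0rbi.dll (file missing)
O4 - HKLM\..\Run: [websx] C:\Program Files\websx\int339890.exe -auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SecondBindDefaultMeet] C:\Documents and Settings\All Users\Application Data\FreeBlehSecondBind\Browse Dog.exe
O16 - DPF: {A1CD9B9F-6FCF-4A4A-B5B2-E6949340C57C} - http://myfreecursors.com/cursors/dog_pant.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab"""

# Assumption: hosts the analyst expects to see as this machine's search/start pages.
EXPECTED_HOSTS = {"yahoo.com", "red.clientapps.yahoo.com", "msn.com"}
# Run-key names the reply above tells the user to remove, used as an explicit denylist.
DENYLISTED_RUN_NAMES = {"websx", "mail dale", "winactive", "SecondBindDefaultMeet", "ares"}
# Assumption: autoruns launched from user-writable data directories deserve a second look.
DATA_DIR_MARKERS = ("\\application data\\", "\\local settings\\", "\\temp\\")
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


def triage(log_text):
    """Return (section, reason, raw_line) tuples for entries worth an analyst's attention."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, process list and blank lines are not Rn/On entries
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1") and " = " in body:
            host = urlparse(body.split(" = ", 1)[1].strip()).hostname or ""
            if host not in EXPECTED_HOSTS:
                findings.append((sec, f"search/start page points at unexpected host {host}", raw))
        elif sec == "O3" and body.endswith("(file missing)"):
            findings.append((sec, "toolbar still registered but its DLL is gone", raw))
        elif sec == "O4" and (r := RUN_RE.search(body)):
            name, cmd = r.group("name"), r.group("cmd").lower()
            if name in DENYLISTED_RUN_NAMES:
                findings.append((sec, f"run key [{name}] is on the removal list", raw))
            elif any(marker in cmd for marker in DATA_DIR_MARKERS):
                findings.append((sec, f"run key [{name}] launches from a user-writable data directory", raw))
        elif sec == "O16" and re.search(r"\{[0-9A-F-]+\} - http", body, re.I):
            findings.append((sec, "downloaded ActiveX control registered without a friendly name", raw))
    return findings

if __name__ == "__main__":
    for sec, reason, raw in triage(SAMPLE_LOG):
        print(f"{sec}: {reason}\n    {raw}")
```

Run against the full log, the heuristics flag a superset of what the reply lists (the MSN Toolbar entry also has its DLL missing); the denylist is what turns a triage hint into the reply's actual removal list.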