
Thread: help - hijacks

  1. #1
    Junior Member (Join Date: Feb 2007; Posts: 13)

    help - hijacks

    Here is my logfile.
    Thanks for helping.

    Logfile of HijackThis v1.99.1
    Scan saved at 9:03:17, on 19-02-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    c:\Programas\Ficheiros comuns\Symantec Shared\ccSetMgr.exe
    c:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
    c:\Programas\Ficheiros comuns\Symantec Shared\ccProxy.exe
    c:\Programas\Ficheiros comuns\Symantec Shared\SNDSrvc.exe
    c:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Programas\Ficheiros comuns\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programas\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Programas\Ficheiros comuns\LightScribe\LSSrvc.exe
    c:\Programas\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Programas\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Programas\Apoint2K\Apoint.exe
    C:\Programas\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    C:\Programas\Hp\HP Software Update\HPWuSchd2.exe
    C:\Programas\Ficheiros comuns\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe
    C:\Programas\HP\QuickPlay\QPService.exe
    C:\Programas\HPQ\Quick Launch Buttons\EabServr.exe
    C:\Programas\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Programas\HP\hpcoretech\hpcmpmgr.exe
    C:\Programas\DU Meter\DUMeter.exe
    C:\WINDOWS\system32\v6.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programas\Analog Devices\SoundMAX\SMAgent.exe
    C:\DOCUME~1\MIGUEL~1\APPLIC~1\YSTEM3~1\rundll32.exe
    C:\Programas\F?nts\u?erinit.exe
    C:\Programas\Microsoft ActiveSync\wcescomm.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\MICROS~4\rapimgr.exe
    C:\Programas\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Programas\Apoint2K\Apntex.exe
    C:\Programas\HP\Digital Imaging\bin\hpqimzone.exe
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    C:\Programas\Internet Explorer\iexplore.exe
    C:\Programas\Messenger\msmsgs.exe
    C:\Programas\WinRAR\WinRAR.exe
    C:\DOCUME~1\MIGUEL~1\DEFINI~1\Temp\Rar$EX00.797\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.metacrawl.ws
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.metacrawl.ws
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 212.138.64.143:80
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Programas\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programas\google\googletoolbar4.dll
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programas\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] C:\Programas\Analog Devices\SoundMAX\Smax4.exe /tray
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [Apoint] C:\Programas\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Programas\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Programas\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [ccApp] "c:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [QPService] "C:\Programas\HP\QuickPlay\QPService.exe"
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programas\HPQ\Quick Launch Buttons\EabServr.exe /Start
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programas\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [Cpqset] C:\Programas\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Programas\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [hpcmd] C:\WINDOWS\system32\spool\cmd.exe
    O4 - HKLM\..\Run: [DU Meter] C:\Programas\DU Meter\DUMeter.exe
    O4 - HKLM\..\Run: [syswin] C:\WINDOWS\system32\v6.exe
    O4 - HKLM\..\Run: [fhxovnj.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Miguel Rodrigues\Definições locais\Application Data\fhxovnj.dll",klwrakd
    O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvjig.dll,startup
    O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\ccqnkahy.dll",setvm
    O4 - HKLM\..\Run: [KIT3] C:\WINDOWS\system32\spool\hpprintqueue.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Eadr] "C:\DOCUME~1\MIGUEL~1\APPLIC~1\YSTEM3~1\rundll32.exe" -vt yazb
    O4 - HKCU\..\Run: [Qdjeiehm] C:\Programas\F?nts\u?erinit.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programas\Microsoft ActiveSync\wcescomm.exe"
    O4 - Startup: .protected
    O4 - Startup: XFX Game Controller.lnk = ?
    O4 - Global Startup: .protected
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programas\Hp\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Inicialização rápida do HP Photosmart Premier.lnk = C:\Programas\Hp\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Netcall Phone.lnk = ?
    O4 - Global Startup: Software Kodak EasyShare.lnk = C:\Programas\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O8 - Extra context menu item: Mail to a Friend... - http://client.alexa.com/holiday/scri...ons/mailto.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Criar Favorito Móvel... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O23 - Service: Agendador do LiveUpdate automático - Symantec Corporation - C:\Programas\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Programas\Norton Internet Security\ccPwdSvc.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Programas\Ficheiros comuns\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Programas\Ficheiros comuns\Symantec Shared\ccSetMgr.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Programas\Norton Internet Security\comHost.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Programas\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Programas\HPQ\Shared\hpqwmi.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Programas\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programas\Ficheiros comuns\LightScribe\LSSrvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Serviço do Auto-Protect do Norton AntiVirus (navapsvc) - Symantec Corporation - c:\Programas\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: Serviço do Norton Protection Center (NSCService) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Programas\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Programas\Ficheiros comuns\Symantec Shared\SNDSrvc.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programas\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\CCPD-LC\symlcsvc.exe

  2. #2
    pskelley (In Memoriam - Always in our heart; Join Date: Oct 2005; Location: Clearwater, Florida; Posts: 20,247)

    Welcome back to the forum, this MIGUEL? You have a mess here at least partially caused by these folks: http://www.outerinfo.com/ and http://research.sunbelt-software.com...threatid=10115
    The bad thing is backdoor trojans came along with the infection, here is one:
    O4 - HKLM\..\Run: [hpcmd] C:\WINDOWS\system32\spool\cmd.exe
    http://www.castlecops.com/s13849-hpcmd.html
    O4 - HKLM\..\Run: [syswin] C:\WINDOWS\system32\v6.exe
    and one I can't even identify:
    O4 - HKLM\..\Run: [fhxovnj.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Miguel Rodrigues\Definições locais\Application Data\fhxovnj.dll",klwrakd
    some information you should read to help you make your decisions:
    http://www.symantec.com/security_res...062614-1754-99
    http://www.geocities.com/siliconvall...52/trojan.html

    Some of them we know more about than others, but they are all dangerous in that they severely compromise your security, which is why I must post this information for you.
    You're infected; one or more of the identified infections steal information. If this system is used for online banking or has credit card information on it, all passwords should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breach. I suggest that you read this article too.
    http://www.dslreports.com/faq/10451
    Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
    http://www.dslreports.com/faq/10063
    I may be able to help you clean the computer but you will never be able to be sure it is secure, please post to let me know what you would like to do.

    Thanks
    Last edited by pskelley; 2007-02-21 at 14:48. Reason: add information
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006
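    Added example (not part of this thread, and not HijackThis's own logic): a small Python triage script that encodes the indicators pskelley picks out of the log above (the hijacked IE proxy setting, autostart entries launching from the spool directory or the user's Application Data, copies of Windows binaries outside system32, and the "?" characters in paths that mark unprintable lookalike names) and runs them over lines copied from the log. The line regexes, directory list and heuristics are my assumptions about the v1.99.1 log format, not anything the tool or the posters defined.

```python
import re
import ntpath
# Lines copied from the HijackThis log posted above (a constructed subset for this demo).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 212.138.64.143:80
O4 - HKLM\..\Run: [hpcmd] C:\WINDOWS\system32\spool\cmd.exe
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\system32\v6.exe
O4 - HKLM\..\Run: [fhxovnj.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Miguel Rodrigues\Definições locais\Application Data\fhxovnj.dll",klwrakd
O4 - HKCU\..\Run: [Eadr] "C:\DOCUME~1\MIGUEL~1\APPLIC~1\YSTEM3~1\rundll32.exe" -vt yazb
O4 - HKCU\..\Run: [Qdjeiehm] C:\Programas\F?nts\u?erinit.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programas\Microsoft ActiveSync\wcescomm.exe"
"""
# Line shapes as they appear in the v1.99.1 log (the regexes are my assumption about the format).
RUN_RE = re.compile(r'^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
REG_RE = re.compile(r'^R[01] - (?P<key>[^,]+),(?P<value>[^=]+?)\s*=\s*(?P<data>.*)$')
FIRST_EXE_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\[^"]*?\.exe)"?', re.IGNORECASE)
# Dirs an autostart entry should not point into (8.3 forms too) and system binaries malware copies elsewhere.
USER_DIRS = ('\\spool\\', '\\temp\\', '\\application data\\', '\\applic~1\\', '\\definições locais\\')
SYSTEM_BINS = {'cmd.exe', 'rundll32.exe', 'svchost.exe'}

def check_line(line):
    """Return the reasons one log line looks suspicious; an empty list means nothing matched."""
    reasons, line = [], line.strip()
    reg = REG_RE.match(line)
    if reg and reg.group('value') == 'ProxyServer' and reg.group('data'):
        if reg.group('data').split(':')[0] not in ('127.0.0.1', 'localhost'):
            reasons.append('IE proxy points at ' + reg.group('data'))
    run = RUN_RE.match(line)
    if not run:
        return reasons
    cmd, low = run.group('cmd'), run.group('cmd').lower()
    if '?' in cmd:
        reasons.append('unprintable character in path (lookalike of a real name)')
    if any(d in low for d in USER_DIRS):
        reasons.append('autostart from a user-writable or non-program directory')
    exe = FIRST_EXE_RE.match(cmd)
    if exe:
        head, tail = ntpath.split(exe.group('path'))
        if tail.lower() in SYSTEM_BINS and not head.lower().endswith('\\windows\\system32'):
            reasons.append('copy of ' + tail.lower() + ' outside system32')
    return reasons

def triage(log_text):
    """Map the [name] (or registry value name) of every flagged line to its reasons."""
    hits = {}
    for line in log_text.splitlines():
        m = RUN_RE.match(line.strip()) or REG_RE.match(line.strip())
        if m and check_line(line):
            hits[m.groupdict().get('name') or m.group('value')] = check_line(line)
    return hits
```

    Note that a generically named file in system32 such as v6.exe passes all of these heuristics; that is exactly the kind of entry that still needs the manual lookup pskelley did against the CastleCops and Symantec pages.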

  3. #3
    tashi (Member of Team Spybot; Join Date: Oct 2005; Location: USA; Posts: 30,955)

    This topic has been archived.

    If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
