PDA

View Full Version : help - hijacks



amobilepp
2007-02-19, 11:16
is here my logfile
thanks for helping

Logfile of HijackThis v1.99.1
Scan saved at 9:03:17, on 19-02-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Programas\Ficheiros comuns\Symantec Shared\ccSetMgr.exe
c:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
c:\Programas\Ficheiros comuns\Symantec Shared\ccProxy.exe
c:\Programas\Ficheiros comuns\Symantec Shared\SNDSrvc.exe
c:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programas\Ficheiros comuns\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Programas\Ficheiros comuns\LightScribe\LSSrvc.exe
c:\Programas\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programas\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programas\Apoint2K\Apoint.exe
C:\Programas\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Programas\Hp\HP Software Update\HPWuSchd2.exe
C:\Programas\Ficheiros comuns\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe
C:\Programas\HP\QuickPlay\QPService.exe
C:\Programas\HPQ\Quick Launch Buttons\EabServr.exe
C:\Programas\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programas\HP\hpcoretech\hpcmpmgr.exe
C:\Programas\DU Meter\DUMeter.exe
C:\WINDOWS\system32\v6.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Analog Devices\SoundMAX\SMAgent.exe
C:\DOCUME~1\MIGUEL~1\APPLIC~1\YSTEM3~1\rundll32.exe
C:\Programas\F?nts\u?erinit.exe
C:\Programas\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Programas\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Programas\Apoint2K\Apntex.exe
C:\Programas\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programas\Internet Explorer\iexplore.exe
C:\Programas\Messenger\msmsgs.exe
C:\Programas\WinRAR\WinRAR.exe
C:\DOCUME~1\MIGUEL~1\DEFINI~1\Temp\Rar$EX00.797\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.metacrawl.ws
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.metacrawl.ws
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 212.138.64.143:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Programas\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programas\google\googletoolbar4.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programas\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Programas\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Programas\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Programas\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programas\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "c:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QPService] "C:\Programas\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programas\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programas\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Cpqset] C:\Programas\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programas\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [hpcmd] C:\WINDOWS\system32\spool\cmd.exe
O4 - HKLM\..\Run: [DU Meter] C:\Programas\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\system32\v6.exe
O4 - HKLM\..\Run: [fhxovnj.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Miguel Rodrigues\Definições locais\Application Data\fhxovnj.dll",klwrakd
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvjig.dll,startup
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\ccqnkahy.dll",setvm
O4 - HKLM\..\Run: [KIT3] C:\WINDOWS\system32\spool\hpprintqueue.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Eadr] "C:\DOCUME~1\MIGUEL~1\APPLIC~1\YSTEM3~1\rundll32.exe" -vt yazb
O4 - HKCU\..\Run: [Qdjeiehm] C:\Programas\F?nts\u?erinit.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programas\Microsoft ActiveSync\wcescomm.exe"
O4 - Startup: .protected
O4 - Startup: XFX Game Controller.lnk = ?
O4 - Global Startup: .protected
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programas\Hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Inicialização rápida do HP Photosmart Premier.lnk = C:\Programas\Hp\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Netcall Phone.lnk = ?
O4 - Global Startup: Software Kodak EasyShare.lnk = C:\Programas\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: Mail to a Friend... - http://client.alexa.com/holiday/script/actions/mailto.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Criar Favorito Móvel... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Agendador do LiveUpdate automático - Symantec Corporation - C:\Programas\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Programas\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Programas\Ficheiros comuns\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Programas\Ficheiros comuns\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Programas\Norton Internet Security\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Programas\HPQ\Shared\hpqwmi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Programas\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programas\Ficheiros comuns\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Serviço do Auto-Protect do Norton AntiVirus (navapsvc) - Symantec Corporation - c:\Programas\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Serviço do Norton Protection Center (NSCService) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Programas\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Programas\Ficheiros comuns\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programas\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\CCPD-LC\symlcsvc.exe

pskelley
2007-02-21, 14:31
Welcome back to the forum, this MIGUEL? You have a mess here at least partially caused by these folks: http://www.outerinfo.com/ and http://research.sunbelt-software.com/threatdisplay.aspx?name=ClickSpring.PuritySCAN&threatid=10115
The bad thing is backdoor trojans came along with the infection, here is one:
O4 - HKLM\..\Run: [hpcmd] C:\WINDOWS\system32\spool\cmd.exe
http://www.castlecops.com/s13849-hpcmd.html
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\system32\v6.exe
and one I can't even identify:
O4 - HKLM\..\Run: [fhxovnj.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Miguel Rodrigues\Definições locais\Application Data\fhxovnj.dll",klwrakd
some information you should read to help you make your decisions:
http://www.symantec.com/security_response/writeup.jsp?docid=2001-062614-1754-99
http://www.geocities.com/siliconvalley/heights/3652/trojan.html

Some of them we know more about than others, but they are all dangerous in that they severely compromise your security, which is why I must post this information for you.
You're infected, one or more of the identified infections steal information. If this system is used for online banking or has credit card information on it, all passwords should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breech. I suggest that you read this article too.
http://www.dslreports.com/faq/10451
Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
http://www.dslreports.com/faq/10063
I may be able to help you clean the computer but you will never be able to be sure it is secure, please post to let me know what you would like to do.

Thanks

tashi
2007-02-28, 08:46
This topic has been archived.

If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.