newblar
2008-04-11, 15:55
howdy. recently reinstalled windows 2000, updated it, etc. started noticing excessive popups where there shouldn't be any (practically every page) and processes that change filename, randomly on boot (the most recent being D:\DOCUME~1\ADMINI~1.SEB\LOCALS~1\Temp\6WMK5FAe.exe- I killed it already). If I type in keywords or visit various websites (eg the keywork 'hijackthis', 'bebo' or 'trojan') occasionally Internet Explorer will close without reason. I can't see anything out of the ordinary here (though I am rather suspicious of internat.exe, as I am unable to locate it at this point)... it would help if upx could unpack scrambled files :/ here is my HJT Log. Thankyou in advance for your time and consideration, I look forward to hearing from you.
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:07:43 AM, on 12/04/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
Boot mode: Normal
Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\SYSTEM32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\system32\msdtc.exe
D:\Program Files\Deerfield.com\VisNetic Firewall\DFW.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\System32\llssrv.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINNT\system32\nvsvc32.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\system32\Tablet.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\mspmspsv.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\inetsrv\inetinfo.exe
D:\WINNT\system32\Dfssvc.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\Explorer.EXE
D:\Program Files\FarStone\VirtualDrive\VDTask.exe
D:\Program Files\FarStone\VirtualDrive\VHD\RDTask.exe
D:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
D:\WINNT\system32\RUNDLL32.EXE
D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\WINNT\system32\WTablet\TabUserW.exe
D:\WINNT\system32\wuauclt.exe
D:\PROGRA~1\WinZip\winzip32.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\WINNT\regedit.exe
D:\WINNT\system32\taskmgr.exe
D:\WINNT\system32\NOTEPAD.EXE
D:\Documents and Settings\Administrator.SEB-9E13E89D98C\Desktop\HiJackThis_v2.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [VirtualDrive] "D:\Program Files\FarStone\VirtualDrive\VDTask.exe" /AutoRestore
O4 - HKLM\..\Run: [RAMDrive] "D:\Program Files\FarStone\VirtualDrive\VHD\RDTask.exe"
O4 - HKLM\..\Run: [NVMixerTray] "D:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] D:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: TabUserW.exe.lnk = D:\WINNT\system32\WTablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O12 - Plugin for .pdf: D:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1207315504843
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=19588
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINNT\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINNT\system32\browseui.dll
O23 - Service: VisNetic Firewall (DeerfieldFirewall) - 8Signs Ltd. - D:\Program Files\Deerfield.com\VisNetic Firewall\DFW.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: NBService - Unknown owner - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe (file missing)
O23 - Service: NMIndexingService - Unknown owner - D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINNT\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - D:\WINNT\system32\Tablet.exe
--
End of file - 5572 bytes
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:07:43 AM, on 12/04/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
Boot mode: Normal
Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\SYSTEM32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\system32\msdtc.exe
D:\Program Files\Deerfield.com\VisNetic Firewall\DFW.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\System32\llssrv.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINNT\system32\nvsvc32.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\system32\Tablet.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\mspmspsv.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\inetsrv\inetinfo.exe
D:\WINNT\system32\Dfssvc.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\Explorer.EXE
D:\Program Files\FarStone\VirtualDrive\VDTask.exe
D:\Program Files\FarStone\VirtualDrive\VHD\RDTask.exe
D:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
D:\WINNT\system32\RUNDLL32.EXE
D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\WINNT\system32\WTablet\TabUserW.exe
D:\WINNT\system32\wuauclt.exe
D:\PROGRA~1\WinZip\winzip32.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\WINNT\regedit.exe
D:\WINNT\system32\taskmgr.exe
D:\WINNT\system32\NOTEPAD.EXE
D:\Documents and Settings\Administrator.SEB-9E13E89D98C\Desktop\HiJackThis_v2.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [VirtualDrive] "D:\Program Files\FarStone\VirtualDrive\VDTask.exe" /AutoRestore
O4 - HKLM\..\Run: [RAMDrive] "D:\Program Files\FarStone\VirtualDrive\VHD\RDTask.exe"
O4 - HKLM\..\Run: [NVMixerTray] "D:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] D:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: TabUserW.exe.lnk = D:\WINNT\system32\WTablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O12 - Plugin for .pdf: D:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1207315504843
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=19588
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINNT\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINNT\system32\browseui.dll
O23 - Service: VisNetic Firewall (DeerfieldFirewall) - 8Signs Ltd. - D:\Program Files\Deerfield.com\VisNetic Firewall\DFW.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: NBService - Unknown owner - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe (file missing)
O23 - Service: NMIndexingService - Unknown owner - D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINNT\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - D:\WINNT\system32\Tablet.exe
--
End of file - 5572 bytes