PDA

View Full Version : Possible problems


Joshen
2008-04-11, 16:33
Hello there.

My little friend is not working as usual and seams a little too occupied when unused. Could some one of you please take a look and see if I have received some crap.
:banghead:

Thanks
//Johan
Joshen
2008-04-11, 16:34
Logfile of HijackThis v1.99.1
Scan saved at 16:33:25, on 2008-04-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\AntiVir PersonalEdition Classic\sched.exe
C:\Program\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
c:\egna program\UGS180\plot\ugiipqd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\ATI-CPanel\atiptaxx.exe
C:\Program\Microsoft IntelliType Pro\type32.exe
C:\Program\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\Program\Windows Defender\MSASCui.exe
C:\Program\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Skype\Phone\Skype.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Egna Program\Miranda\miranda32.exe
C:\Program\Skype\Plugin Manager\skypePM.exe
C:\Documents and Settings\Johan\Application Data\U3\0000185E2575C03F\LaunchPad.exe
C:\PROGRAM\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Johan\Skrivbord\hijackthis\HJT.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\EGNAPR~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [type32] "C:\Program\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Genväg till egenskapssida för High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avgnt] "C:\Program\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Startup: Miranda IM.lnk = C:\Egna Program\Miranda\miranda32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Miranda IM (2).lnk = C:\Egna Program\Miranda\miranda32.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_05\bin\ssv.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://zone.msn.com/bingame/trix/default/TriJinx.1.0.0.87.cab
O16 - DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} (TGOnlineCtrl Class) - http://zone.msn.com/bingame/pacz/default/pandaonline.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/default/ReflexiveWebGameLoader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/amun/default/mjolauncher.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game11.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/gold/UnSkin/gf.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/bingame/hsol/default/SCEWebLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://www.gesab.se/dwa7W.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program\DELADE~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\PROGRAM\NORMAN\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Unigraphics Plot Server (ugiipqd) (ugiipqd) - Unigraphics Solutions Inc. - c:\egna program\UGS180\plot\ugiipqd.exe
Joshen
2008-04-11, 16:34
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, April 11, 2008 5:43:30 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 10/04/2008
Kaspersky Anti-Virus database records: 696209
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
L:\

Scan Statistics:
Total number of scanned objects: 270725
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 02:49:56

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\DSS\MachineKeys\b38eac7d694663aece965879438866fe_a261229b-df16-441b-8d54-57fda7aa023f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-01192007-171226.log Object is locked skipped
C:\Documents and Settings\Johan\Application Data\Miranda\profile.dat Object is locked skipped
C:\Documents and Settings\Johan\Application Data\Skype\johanlundberg1974\call256.dbb Object is locked skipped
C:\Documents and Settings\Johan\Application Data\Skype\johanlundberg1974\callmember256.dbb Object is locked skipped
C:\Documents and Settings\Johan\Application Data\Skype\johanlundberg1974\chat512.dbb Object is locked skipped
C:\Documents and Settings\Johan\Application Data\Skype\johanlundberg1974\chatmember256.dbb Object is locked skipped
C:\Documents and Settings\Johan\Application Data\Skype\johanlundberg1974\chatmsg1024.dbb Object is locked skipped
C:\Documents and Settings\Johan\Application Data\Skype\johanlundberg1974\chatmsg256.dbb Object is locked skipped
C:\Documents and Settings\Johan\Application Data\Skype\johanlundberg1974\chatmsg512.dbb Object is locked skipped
C:\Documents and Settings\Johan\Application Data\Skype\johanlundberg1974\contactgroup256.dbb Object is locked skipped
C:\Documents and Settings\Johan\Application Data\Skype\johanlundberg1974\dyncontent\bundle.dat Object is locked skipped
C:\Documents and Settings\Johan\Application Data\Skype\johanlundberg1974\index2.dat Object is locked skipped
C:\Documents and Settings\Johan\Application Data\Skype\johanlundberg1974\message256.dbb Object is locked skipped
C:\Documents and Settings\Johan\Application Data\Skype\johanlundberg1974\profile16384.dbb Object is locked skipped
C:\Documents and Settings\Johan\Application Data\Skype\johanlundberg1974\transfer256.dbb Object is locked skipped
C:\Documents and Settings\Johan\Application Data\Skype\johanlundberg1974\transfer512.dbb Object is locked skipped
C:\Documents and Settings\Johan\Application Data\Skype\johanlundberg1974\user1024.dbb Object is locked skipped
C:\Documents and Settings\Johan\Application Data\Skype\johanlundberg1974\user16384.dbb Object is locked skipped
C:\Documents and Settings\Johan\Application Data\Skype\johanlundberg1974\voicemail256.dbb Object is locked skipped
C:\Documents and Settings\Johan\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Johan\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Johan\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Johan\Lokala inställningar\Application Data\Microsoft\Windows Defender\FileTracker\{44BC2BF2-3165-4E47-B17F-10E6E519C530} Object is locked skipped
C:\Documents and Settings\Johan\Lokala inställningar\Temp\~DF743C.tmp Object is locked skipped
C:\Documents and Settings\Johan\Lokala inställningar\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Johan\Lokala inställningar\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Johan\Lokala inställningar\Tidigare\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Johan\ntuser.dat Object is locked skipped
C:\Documents and Settings\Johan\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Lokala inställningar\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Lokala inställningar\Tidigare\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Lokala inställningar\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Lokala inställningar\Tidigare\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Egna Program\AutoIt3\SciTE\AutoItMacroGenerator\TheHook.dll Infected: not-a-virus:Monitor.Win32.Hooker.s skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{41C00CB4-0AD5-4B19-A97E-1FD8FD63F58E}\RP1230\change.log Object is locked skipped
C:\Temp\ugs32.tmp Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{6BD0D9F3-77EC-43C1-8ADD-777EBE1FCEC0}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ugiipqd.exe1622d100.syslog Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
L:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
L:\System Volume Information\_restore{41C00CB4-0AD5-4B19-A97E-1FD8FD63F58E}\RP1230\change.log Object is locked skipped

Scan process completed.
pskelley
2008-04-21, 15:48
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

I apologize that you have been overlooked, you should read the directions pinned to the top of this forum, you would see this also:
The Waiting Room
http://forums.spybot.info/forumdisplay.php?f=37

Your KOS is showing this is a problem?
C:\Egna Program\AutoIt3\SciTE\AutoItMacroGenerator\TheHook.dll ------> Monitor.Win32.Hooker.s skipped
http://www.google.com/search?hl=en&q=Monitor.Win32.Hooker.s&btnG=Google+Search

HJT is not showing a lot, I can not comment on it because the version is so out of date. You have not provided us with much information, "possible problems" means nothing to me. If you still believe you have issues, describe them in some detail and post the correct HJT log, and I will take another look.

Download Trend Micro Hijack This™
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log.
Copy and paste the contents of the log in your next reply.

Thanks
pskelley
2008-04-29, 13:46
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.