
June 22nd, 2010 13:00

Possible Malware Infection?

My Yahoo contacts apparently were hacked into over the weekend. I'm trying to make sure my comp. is clean. Please review this and let me know if you notice anything suspicious. Thanks.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:00:06 PM, on 6/22/2010
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\system32\mgabg.exe
C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINNT\stickies.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Bellsouth\HelpCenter\bin\sprtcmd.exe
C:\WINNT\system32\PDesk\PDesk.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Atomic Clock Sync\Atomic.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe
C:\Users\Dan\Programs\HeyJoe\HeyJoe.exe
C:\Program Files\Second Copy 97\sc97.exe
C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe
C:\Users\Dan\Programs\Ditto\Ditto.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Rainlendar\Rainlendar.exe
C:\Users\Dan\Programs\KeePass\KeePass.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\MailWasher\MailWasher.exe
P:\PMAIL\Programs\winpm-32.exe
C:\Users\Dan\Programs\2xExplorer\2xExplorer.exe
C:\Users\Dan\Programs\HiJackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.bing.com/?pc=AVBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/?pc=AVBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:81
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Hpppta] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppta.exe /ICON
O4 - HKLM\..\Run: [stickies] C:\WINNT\stickies.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [HelpCenter] C:\Program Files\Bellsouth\HelpCenter\bin\sprtcmd.exe /P HelpCenter
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\system32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Atomic.exe] C:\Program Files\Atomic Clock Sync\Atomic.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe -r
O4 - HKCU\..\Run: [Hey, Joe!] C:\Users\Dan\Programs\HeyJoe\HeyJoe.exe
O4 - HKCU\..\Run: [Second Copy 97] C:\Program Files\Second Copy 97\sc97.exe /InitialWait=5
O4 - HKCU\..\Run: [RamBooster] C:\Program Files\RamBooster 2.0\Rambooster.exe
O4 - HKCU\..\Run: [Mail Box Dispatcher] C:\Program Files\Mail Box Dispatcher 2\mboxd2.exe
O4 - HKCU\..\Run: [PowerPanel Personal Edition User Interaction] "C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe"
O4 - HKCU\..\Run: [Ditto] C:\Users\Dan\Programs\Ditto\Ditto.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINNT\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O8 - Extra context menu item: Download using Download &Express - C:\Documents and Settings\A-Z\Desktop\Add_Url.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: pdaConverter - C:\Program Files\pdaConverter 1.3\convert_url.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O15 - Trusted Zone: admin.1and1.com
O15 - Trusted Zone: http://cafemail.aeccafe.com
O15 - Trusted Zone: http://www.aecvizpro.biz
O15 - Trusted Zone: http://*.aecvizpro.biz
O15 - Trusted Zone: *.aecvizpro.com
O15 - Trusted Zone: http://www.amazon.com
O15 - Trusted Zone: http://www.amsouth.com
O15 - Trusted Zone: *.amsouth.com
O15 - Trusted Zone: http://www.atmosenergy.com
O15 - Trusted Zone: *.atmosenergy.com
O15 - Trusted Zone: http://webmail.att.net
O15 - Trusted Zone: *.bellsouth.com
O15 - Trusted Zone: *.capitolone.com
O15 - Trusted Zone: resources.cardmemberservices.com
O15 - Trusted Zone: *.cardmemberservices.com
O15 - Trusted Zone: resources.chase.com
O15 - Trusted Zone: *.comast.com
O15 - Trusted Zone: http://www.comcast.com
O15 - Trusted Zone: http://www.corel.com
O15 - Trusted Zone: http://www.cudrc.com
O15 - Trusted Zone: *.discovercard.com
O15 - Trusted Zone: customersupport.dishnetwork.com
O15 - Trusted Zone: http://www.dishnetwork.com
O15 - Trusted Zone: http://www.dougurquhartmusic.com
O15 - Trusted Zone: http://www.e-thepeople.org
O15 - Trusted Zone: *.ebay.com
O15 - Trusted Zone: *.equifax.com
O15 - Trusted Zone: http://www.francey.org
O15 - Trusted Zone: service.geico.com
O15 - Trusted Zone: http://www.geico.com
O15 - Trusted Zone: ssl1.gmti.com
O15 - Trusted Zone: *.guru.com
O15 - Trusted Zone: http://www.hotbuy4u.com
O15 - Trusted Zone: http://www.kall8.com
O15 - Trusted Zone: http://www.linkedin.com
O15 - Trusted Zone: http://www.linkshare.com
O15 - Trusted Zone: *.mail.com
O15 - Trusted Zone: *.mtemc.com
O15 - Trusted Zone: *.mycheckfree.com
O15 - Trusted Zone: http://www.mydomain.com
O15 - Trusted Zone: onnet.ohionational.com
O15 - Trusted Zone: www.paypal.com
O15 - Trusted Zone: securebank.regions.com
O15 - Trusted Zone: http://www.regions.com
O15 - Trusted Zone: *.secure.registerapi.com
O15 - Trusted Zone: *.samsclub.com
O15 - Trusted Zone: http://www.sourceforge.net
O15 - Trusted Zone: *.sourceforge.net
O15 - Trusted Zone: www.spiritofamericacard.com
O15 - Trusted Zone: *.suntrust.com
O15 - Trusted Zone: my.t-mobile.com
O15 - Trusted Zone: http://www.t-mobile.com
O15 - Trusted Zone: www.*.t-mobile.com
O15 - Trusted Zone: http://forums.techguy.org
O15 - Trusted Zone: http://www.usbank.com
O15 - Trusted Zone: http://www.webmd.com
O15 - Trusted Zone: http://www.wochurch.org
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://help.bellsouth.net/sdccommon/download/tgctlcm.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\System32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\system32\mgabg.exe
O23 - Service: PowerPanel Personal Edition Service (ppped) - Unknown owner - C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe

--
End of file - 9406 bytes
============================

This is the HJT log from a second computer, if you would look at it also.
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:14:13 PM, on 6/22/2010
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Atomic Clock Sync\Atomic.exe
C:\users\Cathy\ProgramFiles\HeyJoe\HeyJoe.exe
C:\Program Files\Second Copy 97\sc97.exe
C:\users\Dan\ProgramFiles\Ditto\Ditto.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Rainlendar\Rainlendar.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\system32\svchost.exe
C:\users\Dan\ProgramFiles\2xExplorer\2xExplorer.exe
C:\users\Dan\ProgramFiles\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Atomic.exe] C:\Program Files\Atomic Clock Sync\Atomic.exe
O4 - HKCU\..\Run: [Hey, Joe!] C:\users\Cathy\ProgramFiles\HeyJoe\HeyJoe.exe
O4 - HKCU\..\Run: [Second Copy 97] C:\Program Files\Second Copy 97\sc97.exe /InitialWait=5
O4 - HKCU\..\Run: [RamBooster] C:\Program Files\RamBooster 2.0\Rambooster.exe
O4 - HKCU\..\Run: [Ditto] C:\users\Dan\ProgramFiles\Ditto\Ditto.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINNT\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1184049104031
O17 - HKLM\System\CCS\Services\Tcpip\..\{E8E02B57-81A8-4CF0-A3F5-776EBC0CAB15}: NameServer = 4.2.2.2,4.2.2.3
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\system32\browseui.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 5687 bytes

June 22nd, 2010 14:00

You are severely infected on the first log and the second log is not nearly as bad, but download MBAM and install it from this link.

http://www.malwarebytes.org/mbam.php

Install it on both machines, make sure it is updated and run in full scan mode, make sure all hard drives are added when it asks, and post the results of the scan log.

June 22nd, 2010 15:00

aecvizspro:

Gmanson is not on the list of trained analysts on the Malware Removal forum and it cannot be determined that he is qualified to help you solve your problem. In fact, his suggestions could cause real harm to your computer. He has been interjecting himself into several threads here, which goes against the established protocols. If need be, start this as a new thread with the scans again.

June 22nd, 2010 16:00

Thanks, I will re-post.