Solved

Hijackthis logfile analysis

Posted on 2007-10-20
Last Modified: 2016-08-29
Please suggest what needs to be fixed here.

Logfile of HijackThis v1.99.1
Scan saved at 09:19:25, on 20/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\STDSB.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\khooker.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICDE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Angela\Desktop\HijackThis 1.99.0001.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.tiscali.co.uk/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tiscali
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\System32\wswjssey.dll
O2 - BHO: (no name) - {90E7082F-C27C-48DE-A707-D72DF8E51DC8} - C:\WINDOWS\System32\mljij.dll (file missing)
O2 - BHO: (no name) - {BACEB7AF-8D88-456E-82D0-7BEB9A4410FE} - C:\WINDOWS\System32\gebcaaa.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [STDSB] C:\WINDOWS\System32\STDSB.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [EPSON Stylus D68 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE /P23 "EPSON Stylus D68 Series" /O6 "USB003" /M "Stylus D68"
O4 - HKLM\..\Run: [MS Task Manager 32] C:\WINDOWS\System32\mstskmgr.exe
O4 - HKLM\..\Run: [Microsoft Windows Firewall] firewall.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\System32\clelwqui.dll",sitypnow
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\RunServices: [Microsoft Windows Firewall] firewall.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [EPSON Stylus DX7400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICDE.EXE /FU "C:\WINDOWS\TEMP\E_SA8.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [Microsoft Windows Firewall] firewall.exe
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123181172314
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O20 - Winlogon Notify: awtuvst - awtuvst.dll (file missing)
O20 - Winlogon Notify: byxxwts - byxxwts.dll (file missing)
O20 - Winlogon Notify: ddcdcyv - ddcdcyv.dll (file missing)
O20 - Winlogon Notify: efcdeed - efcdeed.dll (file missing)
O20 - Winlogon Notify: fccccyw - fccccyw.dll (file missing)
O20 - Winlogon Notify: gebcaaa - C:\WINDOWS\SYSTEM32\gebcaaa.dll
O20 - Winlogon Notify: gebcyvw - gebcyvw.dll (file missing)
O20 - Winlogon Notify: iifecca - iifecca.dll (file missing)
O20 - Winlogon Notify: jkkiheb - jkkiheb.dll (file missing)
O20 - Winlogon Notify: khfgfec - khfgfec.dll (file missing)
O20 - Winlogon Notify: mljjjjj - mljjjjj.dll (file missing)
O20 - Winlogon Notify: opnopmn - opnopmn.dll (file missing)
O20 - Winlogon Notify: pmnopno - pmnopno.dll (file missing)
O20 - Winlogon Notify: qommjge - qommjge.dll (file missing)
O20 - Winlogon Notify: urqrool - urqrool.dll (file missing)
O20 - Winlogon Notify: urqrpml - urqrpml.dll (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\kaowfmic.exe (file missing)
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: sysmgr64 - Unknown owner - C:\WINDOWS\sysmgr64.exe (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe" /service (file missing)

Question by: EugeneGardner

Accepted Solution

by: souseran (earned 800 total points)
ID: 20115936
From the look of these, I'd say you got yourself a bit of malware.

O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\System32\wswjssey.dll
O2 - BHO: (no name) - {90E7082F-C27C-48DE-A707-D72DF8E51DC8} - C:\WINDOWS\System32\mljij.dll (file missing)
O2 - BHO: (no name) - {BACEB7AF-8D88-456E-82D0-7BEB9A4410FE} - C:\WINDOWS\System32\gebcaaa.dll
O4 - HKLM\..\Run: [MS Task Manager 32] C:\WINDOWS\System32\mstskmgr.exe
O20 - Winlogon Notify: awtuvst - awtuvst.dll (file missing)
O20 - Winlogon Notify: byxxwts - byxxwts.dll (file missing)
O20 - Winlogon Notify: ddcdcyv - ddcdcyv.dll (file missing)
O20 - Winlogon Notify: efcdeed - efcdeed.dll (file missing)
O20 - Winlogon Notify: fccccyw - fccccyw.dll (file missing)
O20 - Winlogon Notify: gebcaaa - C:\WINDOWS\SYSTEM32\gebcaaa.dll
O20 - Winlogon Notify: gebcyvw - gebcyvw.dll (file missing)
O20 - Winlogon Notify: iifecca - iifecca.dll (file missing)
O20 - Winlogon Notify: jkkiheb - jkkiheb.dll (file missing)
O20 - Winlogon Notify: khfgfec - khfgfec.dll (file missing)
O20 - Winlogon Notify: mljjjjj - mljjjjj.dll (file missing)
O20 - Winlogon Notify: opnopmn - opnopmn.dll (file missing)
O20 - Winlogon Notify: pmnopno - pmnopno.dll (file missing)
O20 - Winlogon Notify: qommjge - qommjge.dll (file missing)
O20 - Winlogon Notify: urqrool - urqrool.dll (file missing)
O20 - Winlogon Notify: urqrpml - urqrpml.dll (file missing)
O23 - Service: sysmgr64 - Unknown owner - C:\WINDOWS\sysmgr64.exe (file missing)

One or two of these files look like the SDBot backdoor trojan. This miscreant steals credit card, username, and password information and can open your computer up to Denial-of-Service attacks.

I'd recommend SUPERAntiSpyware from http://www.superantispyware.com as a start. Will do a bit of research and be back to you.


Expert Comment

by: souseran
ID: 20115950
It also looks like your Bit Defender got thrashed. Can you do an online scan with IE at

http://usa.kaspersky.com/products_services/free-virus-scanner.php

Assisted Solution

by: IndiGenus (earned 200 total points)
ID: 20116303
I would throw Combofix into this also...it will clean up quite a bit of that in one shot. And may expose other vulnerabilities.

http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe

Disconnect from the Internet, then disable your Anti-virus and any real-time Anti-spyware monitors that are running.
Then double click Combofix.exe & follow the prompts.
When finished, it will produce a log for you. Please upload the log to the following link and let us know once it's there, providing a link to it. Also post a new HJT log.

http://www.ee-stuff.com

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note 2: Remember to re-enable your Anti-virus and Anti-spyware before reconnecting to the Internet.

Author Comment

by: EugeneGardner
ID: 20117782
Thanks for the comments.

I have run multiple online virus cleaners, Spyware Dr., SUPERAntiSpyware and run BitDefender off the C: drive.  I then ran ComboFix then HijackThis and put the log files at
https://filedb.experts-exchange.com/incoming/ee-stuff/5114-hijackthis-2-log.txt
https://filedb.experts-exchange.com/incoming/ee-stuff/5115-ComboFix-log.txt
https://filedb.experts-exchange.com/incoming/ee-stuff/5119-hijackthis-3-log.txt


I think there may still be a problem but I'm not sure.

Assisted Solution

by: souseran (earned 800 total points)
ID: 20118175
Better. Still have these:

O4 - HKLM\..\Run: [MS Task Manager 32] C:\WINDOWS\System32\mstskmgr.exe
O4 - HKLM\..\Run: [Microsoft Windows Firewall] firewall.exe

To remove these, download Autoruns from http://download.sysinternals.com/Files/Autoruns.zip

Boot into Safe Mode. Run the Autoruns program. Go into the Options menu and enable these:

   1. Include empty locations
   2. Verify Code Signatures
   3. Hide Signed Microsoft Entries

Refresh the listing by pressing F5. Check the Image Path column on each tab for the two programs listed above. Delete the entries for them. Close Autoruns.

Double-click on My Computer. Select the Tools menu and click Folder Options. Go to the View tab. Select Display the contents of system folders. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders. Uncheck Hide file extensions for known file types. Uncheck Hide protected operating system files. Accept the warning and save your changes.

Go to C:\WINDOWS\System32\ and delete the file mstskmgr.exe

Do a search for the file firewall.exe, and when you find it, delete it. Reboot your computer into normal mode, and run another scan. If everything comes up clean you can undo the changes made above that allowed you to see hidden files and folders.


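The checks souseran applied by eye in the accepted solution and in the follow-up above (unnamed BHOs, non-default Winlogon Notify DLLs, Run entries that name a bare file such as firewall.exe, rundll32 loaders, and unknown-owner services whose binary is missing) can be applied mechanically to a HijackThis log. The helper below is an added example, not part of the thread or of HijackThis itself; its Winlogon Notify allowlist of Windows XP defaults is an assumption, and the sample log is constructed from the kinds of lines shown on this page.

```python
import re

# Windows XP default Winlogon Notify subkeys, used as an allowlist (an assumption; extend it per build).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

# Constructed sample in HijackThis 1.99.1 format, mixing legitimate lines with the suspect ones.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\System32\wswjssey.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Microsoft Windows Firewall] firewall.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\System32\clelwqui.dll",sitypnow
O20 - Winlogon Notify: awtuvst - awtuvst.dll (file missing)
O20 - Winlogon Notify: gebcaaa - C:\WINDOWS\SYSTEM32\gebcaaa.dll
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: sysmgr64 - Unknown owner - C:\WINDOWS\sysmgr64.exe (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe" /service (file missing)
"""

def triage_hjt(log_text):
    """Return (section, reason, line) for each HijackThis line matching the thread's triage patterns."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        m = re.match(r"^(O\d+) - (.*)$", line)
        if not m:
            continue                      # R0/R1 and header lines are not covered by these checks
        section, body = m.groups()
        missing = body.endswith("(file missing)")
        if section == "O2" and body.startswith("BHO: (no name)"):
            findings.append((section, "BHO with no name", line))
        elif section == "O4" and "] " in body:
            exe = body.split("] ", 1)[1].split()[0].strip('"')
            if exe.lower() == "rundll32.exe":
                findings.append((section, "rundll32 loading a DLL at logon", line))
            elif "\\" not in exe:         # bare filename found via PATH search; expect some false positives
                findings.append((section, "bare filename, resolved via PATH search", line))
        elif section == "O20":
            name = body.split(":", 1)[1].split(" - ", 1)[0].strip().lower()
            if name not in KNOWN_NOTIFY:
                suffix = " (file missing)" if missing else ""
                findings.append((section, "non-default Winlogon Notify DLL" + suffix, line))
        elif section == "O23" and missing and "Unknown owner" in body:
            # a stray quote in the path means HijackThis misread a quoted ImagePath; check it by hand
            reason = ("quoted ImagePath reported missing; verify manually" if '"' in body
                      else "service with unknown owner and missing binary")
            findings.append((section, reason, line))
    return findings
```

Run against the sample, SOUNDMAN.EXE is flagged alongside firewall.exe, which is the point of the bare-filename rule: it surfaces candidates for a human to verify, exactly as the Autoruns walk-through asks you to do.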

Author Comment

by: EugeneGardner
ID: 20118417
I have done the above and I think I am clean now.  What would HijackThis do if I had tried to 'fix' the problem items?  Just academically curious.
Latest HijackThis log file is at https://filedb.experts-exchange.com/incoming/ee-stuff/5119-hijackthis-3-log.txt
Thanks.

Expert Comment

by: souseran
ID: 20118455
For any item in a HJT log, you can click on the "Info on selected item..." button to find out what is involved with the item. HJT will also indicate what action was taken. With the two you had here, I believe HJT would have deleted the registry entries. However, the files would still have been present on your computer and would have needed to be removed manually. Even a good tool can only do so much. :-)

An excellent tutorial on HJT can be found here:

HijackThis Tutorial & Guide: http://www.bleepingcomputer.com/tutorials/tutorial42.html

From the latest log, I'd say the system looks good.

Author Comment

by: EugeneGardner
ID: 20118664
Many thanks