Hijackthis logfile analysis

Please suggest what needs to be fixed here.

Logfile of HijackThis v1.99.1
Scan saved at 09:19:25, on 20/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\STDSB.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\khooker.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICDE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Angela\Desktop\HijackThis 1.99.0001.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.tiscali.co.uk/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tiscali
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\System32\wswjssey.dll
O2 - BHO: (no name) - {90E7082F-C27C-48DE-A707-D72DF8E51DC8} - C:\WINDOWS\System32\mljij.dll (file missing)
O2 - BHO: (no name) - {BACEB7AF-8D88-456E-82D0-7BEB9A4410FE} - C:\WINDOWS\System32\gebcaaa.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [STDSB] C:\WINDOWS\System32\STDSB.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [EPSON Stylus D68 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE /P23 "EPSON Stylus D68 Series" /O6 "USB003" /M "Stylus D68"
O4 - HKLM\..\Run: [MS Task Manager 32] C:\WINDOWS\System32\mstskmgr.exe
O4 - HKLM\..\Run: [Microsoft Windows Firewall] firewall.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\System32\clelwqui.dll",sitypnow
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\RunServices: [Microsoft Windows Firewall] firewall.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [EPSON Stylus DX7400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICDE.EXE /FU "C:\WINDOWS\TEMP\E_SA8.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [Microsoft Windows Firewall] firewall.exe
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123181172314
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O20 - Winlogon Notify: awtuvst - awtuvst.dll (file missing)
O20 - Winlogon Notify: byxxwts - byxxwts.dll (file missing)
O20 - Winlogon Notify: ddcdcyv - ddcdcyv.dll (file missing)
O20 - Winlogon Notify: efcdeed - efcdeed.dll (file missing)
O20 - Winlogon Notify: fccccyw - fccccyw.dll (file missing)
O20 - Winlogon Notify: gebcaaa - C:\WINDOWS\SYSTEM32\gebcaaa.dll
O20 - Winlogon Notify: gebcyvw - gebcyvw.dll (file missing)
O20 - Winlogon Notify: iifecca - iifecca.dll (file missing)
O20 - Winlogon Notify: jkkiheb - jkkiheb.dll (file missing)
O20 - Winlogon Notify: khfgfec - khfgfec.dll (file missing)
O20 - Winlogon Notify: mljjjjj - mljjjjj.dll (file missing)
O20 - Winlogon Notify: opnopmn - opnopmn.dll (file missing)
O20 - Winlogon Notify: pmnopno - pmnopno.dll (file missing)
O20 - Winlogon Notify: qommjge - qommjge.dll (file missing)
O20 - Winlogon Notify: urqrool - urqrool.dll (file missing)
O20 - Winlogon Notify: urqrpml - urqrpml.dll (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\kaowfmic.exe (file missing)
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: sysmgr64 - Unknown owner - C:\WINDOWS\sysmgr64.exe (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe" /service (file missing)

EugeneGardner asked:
souseran commented:
From the look of these, I'd say you got yourself a bit of malware.

O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\System32\wswjssey.dll
O2 - BHO: (no name) - {90E7082F-C27C-48DE-A707-D72DF8E51DC8} - C:\WINDOWS\System32\mljij.dll (file missing)
O2 - BHO: (no name) - {BACEB7AF-8D88-456E-82D0-7BEB9A4410FE} - C:\WINDOWS\System32\gebcaaa.dll
O4 - HKLM\..\Run: [MS Task Manager 32] C:\WINDOWS\System32\mstskmgr.exe
O20 - Winlogon Notify: awtuvst - awtuvst.dll (file missing)
O20 - Winlogon Notify: byxxwts - byxxwts.dll (file missing)
O20 - Winlogon Notify: ddcdcyv - ddcdcyv.dll (file missing)
O20 - Winlogon Notify: efcdeed - efcdeed.dll (file missing)
O20 - Winlogon Notify: fccccyw - fccccyw.dll (file missing)
O20 - Winlogon Notify: gebcaaa - C:\WINDOWS\SYSTEM32\gebcaaa.dll
O20 - Winlogon Notify: gebcyvw - gebcyvw.dll (file missing)
O20 - Winlogon Notify: iifecca - iifecca.dll (file missing)
O20 - Winlogon Notify: jkkiheb - jkkiheb.dll (file missing)
O20 - Winlogon Notify: khfgfec - khfgfec.dll (file missing)
O20 - Winlogon Notify: mljjjjj - mljjjjj.dll (file missing)
O20 - Winlogon Notify: opnopmn - opnopmn.dll (file missing)
O20 - Winlogon Notify: pmnopno - pmnopno.dll (file missing)
O20 - Winlogon Notify: qommjge - qommjge.dll (file missing)
O20 - Winlogon Notify: urqrool - urqrool.dll (file missing)
O20 - Winlogon Notify: urqrpml - urqrpml.dll (file missing)
O23 - Service: sysmgr64 - Unknown owner - C:\WINDOWS\sysmgr64.exe (file missing)

One or two of these files look like the SDBot backdoor trojan. This miscreant steals credit card, username, and password information and can open your computer up to Denial-of-Service attacks.

I'd recommend SUPERAntiSpyware from http://www.superantispyware.com as a start. Will do a bit of research and be back to you.

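The signals souseran is reading off the log above (nameless BHOs, Winlogon Notify hooks whose DLL is missing, services with no owner, Run entries that name a bare executable or push a gibberish DLL through rundll32) can be turned into a first-pass triage script. This is an added example, not HijackThis code or anything from the thread; the rules are heuristics that flag lines for a human to look at, not a verdict, and the sample lines are copied from the log in this question.

```python
import re

# Constructed sample: a few lines from the HijackThis log in this thread,
# mixed legitimate and suspicious, so the triage rules below have something to chew on.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\System32\wswjssey.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Microsoft Windows Firewall] firewall.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\System32\clelwqui.dll",sitypnow
O20 - Winlogon Notify: awtuvst - awtuvst.dll (file missing)
O20 - Winlogon Notify: gebcaaa - C:\WINDOWS\SYSTEM32\gebcaaa.dll
O23 - Service: sysmgr64 - Unknown owner - C:\WINDOWS\sysmgr64.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# Lowercase-only stems of 5-8 letters, the shape of the generated names in this log (wswjssey, awtuvst).
RANDOM_STEM_RE = re.compile(r"^[a-z]{5,8}$")


def triage_line(line: str) -> list[str]:
    """Return the reasons one HijackThis line deserves a closer look (empty list = nothing noticed)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    sec, body = m.group("sec"), m.group("body")
    reasons = []
    if "(file missing)" in body:
        reasons.append("points at a file that no longer exists (orphaned hook or half-removed component)")
    if sec == "O2" and "(no name)" in body:
        reasons.append("BHO registered without a name")
    if sec == "O23" and "Unknown owner" in body:
        reasons.append("service with no recorded owner or vendor")
    if sec == "O4":
        target = body.split("] ", 1)[1] if "] " in body else body
        if target.lower().startswith("rundll32.exe"):
            dll = re.search(r'"?([^"]+\.dll)"?', target, re.I)
            if dll and RANDOM_STEM_RE.match(dll.group(1).rsplit("\\", 1)[-1][:-4]):
                reasons.append("rundll32 loads a DLL with a random-looking name")
        elif "\\" not in target.split(" ", 1)[0]:
            reasons.append("bare executable name, resolved via the search path rather than a fixed path")
    if sec in ("O2", "O20"):
        dll = re.search(r"([A-Za-z0-9]+)\.dll", body, re.I)
        if dll and RANDOM_STEM_RE.match(dll.group(1)):
            reasons.append("DLL with a random-looking name")
    return reasons


def triage_log(text: str) -> dict[str, list[str]]:
    """Map every flagged log line to its reasons; lines with nothing noticed are omitted."""
    return {ln: r for ln in text.splitlines() if (r := triage_line(ln))}


if __name__ == "__main__":
    for ln, reasons in triage_log(SAMPLE_LOG).items():
        print(ln)
        for r in reasons:
            print("   ->", r)
```

Run against the full log from the question, the script surfaces the same O2, O4, O20 and O23 lines souseran picked out, while the Synaptics, Adobe and EPSON entries stay quiet.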
 
souseran commented:
It also looks like your Bit Defender got thrashed. Can you do an online scan with IE at

http://usa.kaspersky.com/products_services/free-virus-scanner.php
 
IndiGenus commented:
I would throw Combofix into this also...it will clean up quite a bit of that in one shot. And may expose other vulnerabilities.

http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe

Disconnect from the Internet, then disable your Anti-virus and any real-time Anti-spyware monitors that are running.
Then double click Combofix.exe & follow the prompts.
When finished, it will produce a log for you. Please upload the log to the following link and let us know once it's there, providing a link to it. Also post a new HJT log.

http://www.ee-stuff.com

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note 2: Remember to re-enable your Anti-virus and Anti-spyware before reconnecting to the Internet.
 
EugeneGardner (author) commented:
Thanks for the comments.

I have run multiple online virus cleaners, Spyware Dr., SUPERAntiSpyware and run BitDefender off the C: drive.  I then ran ComboFix then HijackThis and put the log files at
https://filedb.experts-exchange.com/incoming/ee-stuff/5114-hijackthis-2-log.txt
https://filedb.experts-exchange.com/incoming/ee-stuff/5115-ComboFix-log.txt
https://filedb.experts-exchange.com/incoming/ee-stuff/5119-hijackthis-3-log.txt


I think there may still be a problem but I'm not sure.
 
souseran commented:
Better. Still have these:

O4 - HKLM\..\Run: [MS Task Manager 32] C:\WINDOWS\System32\mstskmgr.exe
O4 - HKLM\..\Run: [Microsoft Windows Firewall] firewall.exe

To remove these, download Autoruns from http://download.sysinternals.com/Files/Autoruns.zip

Boot into Safe Mode. Run the Autoruns program. Go into the Options menu and enable these:

   1. Include empty locations

   2. Verify Code Signatures

   3. Hide Signed Microsoft Entries

Refresh the listing by pressing F5. Check the Image Path column on each tab for the two programs listed above. Delete the entries for them. Close Autoruns.

Double-click on My Computer. Select the Tools menu and click Folder Options. Go to the View tab. Select Display the contents of system folders. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders. Uncheck Hide file extensions for known file types. Uncheck Hide protected operating system files. Accept the warning and save your changes.

Go to C:\WINDOWS\System32\ and delete the file mstskmgr.exe

Do a search for the file firewall.exe, and when you find it, delete it. Reboot your computer into normal mode, and run another scan. If everything comes up clean you can undo the changes made above that allowed you to see hidden files and folders.


 
EugeneGardner (author) commented:
I have done the above and I think I am clean now.  What would HijackThis do if I had tried to 'fix' the problem items ?  Just academically curious.
Latest HijackThis log file is at https://filedb.experts-exchange.com/incoming/ee-stuff/5119-hijackthis-3-log.txt
Thanks.
 
souseran commented:
For any item in a HJT log, you can click on the "Info on selected item..." button to find out what is involved with the item. HJT will also indicate what action was taken. With the two you had here, I believe HJT would have deleted the registry entries. However, the files would still have been present on your computer and would have needed to be removed manually. Even a good tool can only do so much. :-)

An excellent tutorial on HJT can be found here:

HijackThis Tutorial & Guide: http://www.bleepingcomputer.com/tutorials/tutorial42.html

From the latest log, I'd say the system looks good.
 
EugeneGardner (author) commented:
Many thanks