567082836
asked on
Need Hijack Help Log
Have a machine that has been scanned
1) Trendmicro online scanner
2) malewarebytes found some stuff
3) Scheduler had batch files (virus)
4) host file redirects.. cleaned
etc..
Once the machine was relatively cleaned - got windows updates to the latest pack.
Can someone look at this log file to see if they see anything else.. it seems once the machine is on for 1-2 hours somethings pops up... 8n5lfhk5.exe ... like random filenames and starts to fill task manager...
Here is the Hijack log for this morning:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:57:26 AM, on 2/24/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\WINDOWS\system32\spools
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\WINDOWS\system32\svchos
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\WINDOWS\system32\Search
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Client Server Security Agent\TmProxy.exe
C:\Program Files\Trend Micro\Client Server Security Agent\TmPfw.exe
C:\Program Files\Trend Micro\Client Server Security Agent\CNTAoSMgr.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.ex
C:\WINDOWS\system32\dllhos
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Search
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\WINDOWS\system32\ctfmon
C:\Program Files\Trend Micro\HiJackThis\HiJackThi
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\vssvc.
C:\WINDOWS\system32\dllhos
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\Search
R1 - HKCU\Software\Microsoft\In
R0 - HKCU\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
F2 - REG:system.ini: UserInit=Userinit.exe,
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f
O16 - DPF: {00134F72-5284-44F7-95A8-5
O16 - DPF: {0067DBFC-A752-458C-AE6E-B
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0
O16 - DPF: {6414512B-B978-451D-A0D8-F
O17 - HKLM\System\CCS\Services\T
O17 - HKLM\Software\..\Telephony
O17 - HKLM\System\CCS\Services\T
O17 - HKLM\System\CS1\Services\T
O17 - HKLM\System\CS1\Services\T
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-0
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3
O23 - Service: CarboniteService - Carbonite, Inc. (www.carbonite.com) - C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.ex
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\l
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\TmPfw.exe
O23 - Service: Trend Micro Client/Server Security Agent Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\TmProxy.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)
--
End of file - 6134 bytes
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I did clean the host file, ran various scanners, and was able to clean out the machine before I posted.. but wanted to make sure the hijack log was clean.
ASKER
I did run malwarebytes & TDSkiller before I posted this. Yesterday and today the machine has been running clean per user.. I will follow the above if there is an issue. There were 2 entries I manually deleted before I posted this..