shagz1181: Hijackthis log

#1 shagz1181 (Newbie Poster), Oct 30th, 2004

Re: Help me get spyware!
Originally Posted by L7JJB:
Have you all solved your computer problems?

If not, please post a fresh log in here and I will tell you what you have been infected with and what to remove and do to solve ALL your problems.

I am not sure if there is a HijackThis log specialist here, but there is now.

Hello, in response to your post I wanted to post my log. I recently cleaned out a seriously infected system; somehow my cousin managed to do tons of damage to it before he left: dialers, BHOs, hijackers, spyware, adware, you name it. I cleaned out just about everything using a combo of tools: Adaware 6.0, Spybot S&D, SpySweeper, Giant AntiSpyware (a new one I found, it seems to be very thorough and effective) and CWShredder. The only problem is I can't seem to get rid of some parasite that creates foreign hidden .exe files in my system32 folder and runs processes that, when I stop them, recreate themselves under a different name:
C:\WINDOWS\system32\Xyd74.exe
C:\WINDOWS\system32\Ovu2.exe
That's what they are now. Please tell me, how do I get rid of this pest? Your help is greatly appreciated.

Logfile of HijackThis v1.97.7
Scan saved at 4:35:30 PM, on 10/30/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
E:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Spy Sweeper\SpySweeper.exe
E:\America Online 9.0\aoltray.exe
C:\Program Files\BHODemon 2\BHODemon.exe
e:\Program Files\AVPersonal\AVGUARD.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
e:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Xyd74.exe
C:\WINDOWS\system32\Ovu2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Shagz\Desktop\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Shagz
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [AVGCtrl] "e:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [2CY9M3P4Z@@27M] C:\WINDOWS\SYSTEM32\XKWA.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "e:\Program Files\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = E:\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
#2 deonnanicole (Posting Whiz in Training), Oct 30th, 2004
While you are waiting to hear from one of the security experts, update HijackThis to version 1.98.2. Be sure to save it in its own permanent folder, not in a temp one or on your desktop; that way it can make backups in case you need them. Then, with all other browser windows closed, scan with the updated version and post your new log here.
#3 shagz1181 (Newbie Poster), Oct 31st, 2004
Here's my updated HijackThis log with v1.98.2.
Everything is good except for these polymorphic processes and .exes that keep loading in my system32 folder.

Logfile of HijackThis v1.98.2
Scan saved at 2:45:07 PM, on 10/31/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
e:\Program Files\AVPersonal\AVGUARD.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
e:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
E:\Program Files\AVPersonal\AVGNT.EXE
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Spy Sweeper\SpySweeper.exe
E:\America Online 9.0\aoltray.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\WINDOWS\system32\Xyd74.exe
C:\WINDOWS\system32\Icb2cRVe.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\giant antispyware\gcasDtServ.exe
E:\Program Files\giant antispyware\gcasServ.exe
C:\Documents and Settings\Shagz\Desktop\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Shagz
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [AVGCtrl] "e:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [2CY9M3P4Z@@27M] C:\WINDOWS\system32\Yfwz.exe
O4 - HKLM\..\Run: [gcasDtServ] gcasDtServ.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "e:\Program Files\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = E:\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
#4 caperjack (Posting Prodigy, Team Colleague), Oct 31st, 2004
I am a little rusty reading logs, but I do believe this is a reference to the peper trojan: O4 - HKLM\..\Run: [2CY9M3P4Z@@27M] C:\WINDOWS\system32\Yfwz.exe
There is a peper fix tool in the link, Removal Tools, in my signature. I think you need to be connected to the internet when you run the tool, if my memory serves me right!
Fallen Heroes Song ,
http://www.youtube.com/watch?v=-RfXBB0BRHY
Going with the Flow ,but the water is low and the rocks are big
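Working from the O4 line caperjack singles out, here is an added example (not from the thread, HijackThis, or any of the tools named in it) that parses O4 Run entries from a log in this format and flags the pattern seen in both posted logs: a Run key whose name looks machine-generated, or a target living in system32 that is not on an allowlist. The allowlist and the sample lines are constructed from this thread's logs and are an assumption, not a real Windows baseline.

```python
import re

# Allowlist of system32 binaries, assumed here from the "Running processes"
# sections of the logs in this thread; a real baseline would be far larger.
SYSTEM32_BASELINE = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "ctfmon.exe", "taskmgr.exe", "alg.exe",
}
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<rest>.*)$")
TARGET_RE = re.compile(r'^"?(?P<target>.+?\.exe)', re.IGNORECASE)
# Constructed sample in the shape of the O4 lines posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVGCtrl] "e:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [2CY9M3P4Z@@27M] C:\WINDOWS\system32\Yfwz.exe
O4 - HKLM\..\Run: [gcasDtServ] gcasDtServ.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

def suspicious_key_name(name):
    """Symbols such as '@' or several letter/digit alternations suggest a generated name."""
    if re.search(r"[^A-Za-z0-9 ._-]", name):
        return True
    kinds = [("d" if c.isdigit() else "a") for c in name if c.isalnum()]
    return sum(a != b for a, b in zip(kinds, kinds[1:])) >= 3

def parse_o4(line):
    """Return {hive, name, target} for an O4 Run line, or None for any other line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    t = TARGET_RE.match(m.group("rest"))  # strip quotes and trailing arguments
    target = t.group("target") if t else m.group("rest")
    return {"hive": m.group("hive"), "name": m.group("name"), "target": target}

def flag_o4_entries(log_text):
    """Return (name, target, reason) for each O4 Run entry worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        path = entry["target"].lower()
        basename = path.rsplit("\\", 1)[-1]
        reasons = []
        if "\\system32\\" in path and basename not in SYSTEM32_BASELINE:
            reasons.append("unknown executable in system32")
        if suspicious_key_name(entry["name"]):
            reasons.append("machine-looking Run key name")
        if reasons:
            findings.append((entry["name"], entry["target"], "; ".join(reasons)))
    return findings
```

Run against the sample, only the [2CY9M3P4Z@@27M] entry is reported, on both counts; the same check over a fresh log is a quick way to confirm the respawning entry is gone after the fix tool has run.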
#5 shagz1181 (Newbie Poster), Nov 2nd, 2004
Originally Posted by caperjack:
I am a little rusty reading logs, but I do believe this is a reference to the peper trojan: O4 - HKLM\..\Run: [2CY9M3P4Z@@27M] C:\WINDOWS\system32\Yfwz.exe
There is a peper fix tool in the link, Removal Tools, in my signature. I think you need to be connected to the internet when you run the tool, if my memory serves me right!

Hey, thanks for your assistance, I really appreciate it. Everything worked out and I got the pesky peper trojan off the PC. The final clean up...
#6 caperjack (Posting Prodigy, Team Colleague), Nov 2nd, 2004
You should run HijackThis again and post a fresh log.
Viruses, Spyware and other Nasties forum, DaniWeb. ©2003 - 2009 DaniWeb® LLC