0

Have you all solved your computer problems?

If not please post a fresh log in here and i will tell you what you have been infected with and what to remove and do to solve ALL your problems

I am not sure if there is a Hyjackthis log specialist here? but there is now .

:rolleyes: :rolleyes:

Hello in response to your post i wanted to post my log i recently cleaned out a seriously infected system somehow my cousin managed to do tons of damage to before he left - dialers, BHO'S, Hijackers, Spyware, Adware u name it. i cleaned out just about everything using a combo of tools: Adaware 6.0, Spybot S&D, SpySweeper, and Giant AntiSpyware (a new one i found seems to be very thorough and effective) and CWShredder only problem is i cant seem to get rid of some parasite that creates foreign hidden exe files in my system32 folder and runs processes that when i stop they recreate as a different name -C:\WINDOWS\system32\Xyd74.exe
C:\WINDOWS\system32\Ovu2.exe thats what they are now...Please tell me how do i get rid of this pest? Your help is greatly appreciated :confused:

Logfile of HijackThis v1.97.7
Scan saved at 4:35:30 PM, on 10/30/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
E:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Spy Sweeper\SpySweeper.exe
E:\America Online 9.0\aoltray.exe
C:\Program Files\BHODemon 2\BHODemon.exe
e:\Program Files\AVPersonal\AVGUARD.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
e:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Xyd74.exe
C:\WINDOWS\system32\Ovu2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Shagz\Desktop\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Shagz
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [AVGCtrl] "e:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [2CY9M3P4Z@@27M] C:\WINDOWS\SYSTEM32\XKWA.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "e:\Program Files\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = E:\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

3
Contributors
5
Replies
6
Views
12 Years
Discussion Span
Last Post by caperjack
0

While you are waiting to hear from one of the security experts, update hijackthis to version 1.98.2. Be sure to save it in its own permanent folder, not in a temp one or on your desktop, that way it can make backups in case you need them. Then with all other browser windows closed, scan with the updated version and post your new log here. :)

0

heres my updated hijack this log w/ v1.98.2
everything is good except for these polymorphic processes and .exes that keep loading in my system32 folder :confused:

Logfile of HijackThis v1.98.2
Scan saved at 2:45:07 PM, on 10/31/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
e:\Program Files\AVPersonal\AVGUARD.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
e:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
E:\Program Files\AVPersonal\AVGNT.EXE
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Spy Sweeper\SpySweeper.exe
E:\America Online 9.0\aoltray.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\WINDOWS\system32\Xyd74.exe
C:\WINDOWS\system32\Icb2cRVe.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\giant antispyware\gcasDtServ.exe
E:\Program Files\giant antispyware\gcasServ.exe
C:\Documents and Settings\Shagz\Desktop\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Shagz
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [AVGCtrl] "e:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [2CY9M3P4Z@@27M] C:\WINDOWS\system32\Yfwz.exe
O4 - HKLM\..\Run: [gcasDtServ] gcasDtServ.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "e:\Program Files\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = E:\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

0

I am a little rusty reading logs but i do believe this is reference to the peper trojan .O4 - HKLM\..\Run: [2CY9M3P4Z@@27M] C:\WINDOWS\system32\Yfwz.exe
There is a perper fix tool in the link ,Removal Tools Removal Tools .in my signatue ,I think you need to be connecte to the internet when you run the tool if my memory serves me right !

0

I am a little rusty reading logs but i do believe this is reference to the peper trojan .O4 - HKLM\..\Run: [2CY9M3P4Z@@27M] C:\WINDOWS\system32\Yfwz.exe
There is a perper fix tool in the link ,Removal Tools Removal Tools .in my signatue ,I think you need to be connecte to the internet when you run the tool if my memory serves me right !

Hey thanks for your assistance i really appreciate it. Everything worked out and i got the pesky peper trojan off the pc..the final clean up...

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.