Forum Home
Press F1
Thread ID: 135539	2013-11-15 06:52:00	HJT ... if someone could be so kind ..	SP8's (9836)	Press F1

Post ID	Timestamp	Content	User
1359948	2013-11-15 06:52:00	Hi All I'd appreciate it if someone could have a look at this for me ... some strange things happening with comp, but nothing too serious as yet. TIA SP8's Logfile of Trend Micro HijackThis v2.0.4 Scan saved at 7:49:22 p.m., on 15/11/2013 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe c:\Program Files\Microsoft Security Client\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\SUPERAntiSpyware\SASCORE.EXE C:\Program Files\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlServi ce.exe C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\CyberGhost 5\Service.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Motorola\MotoHelper\MotoHelperAgent.exe C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe C:\WINDOWS\RTHDCPL.EXE C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Microsoft Security Client\msseces.exe C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\HP\HP Deskjet 3520 series\Bin\ScanToPCActivationApp.exe C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE C:\WINDOWS\System32\svchost.exe C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE C:\Documents and Settings\David\Local Settings\Application Data\Google\Chrome\Application\chrome.exe C:\Documents and Settings\David\Local Settings\Application Data\Google\Chrome\Application\chrome.exe C:\Documents and Settings\David\Local Settings\Application Data\Google\Chrome\Application\chrome.exe C:\Documents and Settings\David\Local Settings\Application Data\Google\Chrome\Application\chrome.exe C:\Documents and Settings\David\My Documents\Downloads\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MI1933~1\Office14\URLREDIR.DLL O3 - Toolbar: (no name) - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - (no file) O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe" O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\David\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [HP Deskjet 3520 series (NET)] "C:\Program Files\HP\HP Deskjet 3520 series\Bin\ScanToPCActivationApp.exe" -deviceID "CN26J1G89905SY:NW" -scfn "HP Deskjet 3520 series (NET)" -AutoStart 1 O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user') O4 - Startup: OneNote 2010 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office14\EXCEL.EXE/3000 O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MI1933~1\Office14\ONBttnIE.dll/105 O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL O20 - Winlogon Notify: SDWinLogon - SDWinLogon.dll (file missing) O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpda teService.exe O23 - Service: ASUS System Control Service (AsSysCtrlService) - ASUSTeK Computer Inc. - C:\Program Files\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlServi ce.exe O23 - Service: CyberGhost VPN 5 Client Service (CGVPNCliService) - CyberGhost S.R.L - C:\Program Files\CyberGhost 5\Service.exe O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: MotoHelper Service (MotoHelper) - Unknown owner - C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe O23 - Service: Spybot-S&D 2 Scanner Service (SDScannerService) - Safer-Networking Ltd. - C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe O23 - Service: Spybot-S&D 2 Updating Service (SDUpdateService) - Safer-Networking Ltd. - C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe O23 - Service: Spybot-S&D 2 Security Center Service (SDWSCService) - Safer-Networking Ltd. - C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe -- End of file - 8706 bytes	SP8's (9836)
1359949	2013-11-15 07:14:00	O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\David\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c That shouldn't be there. There shouldn't be anything running on startup from the C:\Documents and Settings Download and run Roguekiller (www.bleepingcomputer.com) - Click on the link "Download Link @ Authors site". When first opened, it will do a self scan, Then click Scan top right, once finished work through the list under scan and remove anything it finds. Last few computers I've seen with that Googleupdate in the Doc's and settings was actually Malware. "IF" its what the others had all the antimalware you have wont detect it, neither will MSSE --- Then again it could be harmless. Note: you'll end up with several reports.	wainuitech (129)
1359950	2013-11-15 10:16:00	Thanks Wainui ... found a couple of things in the registry and a long list of rubbish under the "Hosts" and "Driver" tab ... I've copied a piece of the report below ¤¤¤ Driver : [LOADED] ¤¤¤ [Inline] EAT @explorer.exe (@Classes@TFiler@) : rtl150.bpl -> HOOKED (Unknown @ 0x3059296C) [Inline] EAT @explorer.exe (@Classes@TReader@) : rtl150.bpl -> HOOKED (Unknown @ 0xB45933BC) [Inline] EAT @explorer.exe (@Classes@TStreamWriter@) : rtl150.bpl -> HOOKED (Unknown @ 0x54599FB5) [Inline] EAT @explorer.exe (@Comobj@TAutoObjectEvent@) : rtl150.bpl -> HOOKED (Unknown @ 0xDC5BB8A4) [Inline] EAT @explorer.exe (@Ioutils@TPath@FInvalidFileNameChars) : rtl150.bpl -> HOOKED (Unknown @ 0xE01E73B3) [Inline] EAT @explorer.exe (@Msxml@IID_ISAXEntityResolver) : rtl150.bpl -> HOOKED (Unknown @ 0x1FB8BAB5) [Inline] EAT @explorer.exe (@Oledb@DBOBJECT_DOMAIN) : rtl150.bpl -> HOOKED (Unknown @ 0x43E12FD7) [Inline] EAT @explorer.exe (@Oledb@DBOBJECT_SCHEMA) : rtl150.bpl -> HOOKED (Unknown @ 0x43E12FC7) [Inline] EAT @explorer.exe (@System@ExceptionClass) : rtl150.bpl -> HOOKED (Unknown @ 0xDD6A1039) [Inline] EAT @explorer.exe (@Wincodec@CATID_WICFormatConverters) : rtl150.bpl -> HOOKED (Unknown @ 0x6490FC7F) [Inline] EAT @explorer.exe (@Controls@TCustomTouchManager@) : vcl150.bpl -> HOOKED (Unknown @ 0x34772A44) [Inline] EAT @explorer.exe (@Controls@TDockTree@) : vcl150.bpl -> HOOKED (Unknown @ 0xC0779121) 127.0.0.1 localhost 127.0.0.1 www.007guard.com 127.0.0.1 007guard.com 127.0.0.1 008i.com 127.0.0.1 www.008k.com 127.0.0.1 008k.com 127.0.0.1 www.00hq.com 127.0.0.1 00hq.com 127.0.0.1 010402.com 127.0.0.1 www.032439.com 127.0.0.1 032439.com 127.0.0.1 www.0scan.com 127.0.0.1 0scan.com 127.0.0.1 1000gratisproben.com 127.0.0.1 www.1000gratisproben.com 127.0.0.1 1001namen.com 127.0.0.1 www.1001namen.com There are a lot more and by some of the names, they're porn sites and have no idea how they got there ... really ! the HD this system is on seems to be working overtime but don't see anything unusual in task manager and CPU usage is minimal when browsing. Any further info you can give me would be appreciated .... especially the 'host' column because that has got me a little concerned. Can send the complete list by PM if needed, just don't want to post them in the public forum.	SP8's (9836)
1359951	2013-11-15 15:49:00	Have you run the usual scans with Malewarebytes,Hitman Pro,. AdwCleaner, Junkware Removal Tool and more here www.bleepingcomputer.com Another clean up Tool to run is PrivaZer malwaretips.com for more in depth cleaning compared with C-Cleaner ,been using a month and seems okay with good reviews	Lawrence (2987)
1