| Thread ID: 101270 | 2009-07-07 11:34:00 | Help Please | Wardog (6821) | Press F1 |
| Post ID | Timestamp | Content | User |
| 789884 | 2009-07-07 11:34:00 | Hi, I've got a lot of viruses so I downloaded HijackThis and got the log. Can somebody please tell me what to do next? | Wardog (6821) |

```text
Logfile of HijackThis v1.99.1
Scan saved at 10:19:23 PM, on 7/07/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\NetScreen\NetScreen-Remote\IreIKE.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\Program Files\NetScreen\NetScreen-Remote\IPSecMon.exe
C:\Program Files\Manson\liser.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\PDF Complete\pdfsvc.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe
C:\Program Files\PDF Complete\pdfsty.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\games\steam.exe
C:\program Files\Manson\liser.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\HPLiteSaver.exe
C:\Program Files\NetScreen\NetScreen-Remote\SafeCfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\MSSQL7\Binn\sqlmangr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
K:\LEES STUFF!!\Random\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_NZ&c=64&bd=PRESARIO&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_NZ&c=64&bd=PRESARIO&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_NZ&c=64&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_NZ&c=64&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_NZ&c=64&bd=PRESARIO&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_NZ&c=64&bd=PRESARIO&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0BA68980-48D6-471C-887F-B0D4BB77EDD9} - C:\WINDOWS\system32\qoMgdDSk.dll
O2 - BHO: {a68d17e7-a9f3-d8da-22f4-92b1bcbd5c72} - {27c5dbcb-1b29-4f22-ad8d-3f9a7e71d86a} - C:\WINDOWS\system32\cwkmfc.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\fccaYpNG.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {a2a05a15-053b-40f5-9d25-9df35b558ed1} - C:\WINDOWS\system32\dutuhabe.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [PDF Complete] "C:\Program Files\PDF Complete\pdfsty.exe"
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [UpdatePDRShortCut] "K:\CPoDiu.KnowN.KarmaLizma\PowerDirector\MUITransfer\MUIStartMenu.exe" "K:\CPoDiu.KnowN.KarmaLizma\PowerDirector" UpdateWithCreateOnce "Software\CyberLink\PowerDirector\7.0"
O4 - HKLM\..\Run: [13742504] C:\Documents and Settings\All Users\Application Data\13742504\13742504.exe
O4 - HKLM\..\Run: [fujidutano] Rundll32.exe "C:\WINDOWS\system32\veseyusi.dll",s
O4 - HKLM\..\Run: [CPM4bf7cf62] Rundll32.exe "c:\windows\system32\domemaha.dll",a
O4 - HKLM\..\Run: [48c4fcfe] rundll32.exe "C:\WINDOWS\system32\zewobihu.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Steam] "c:\games\steam.exe" -silent
O4 - HKCU\..\Run: [nvd32_r] rundll32.exe "C:\Documents and Settings\Compaq_Owner\Application Data\unobi.dll" s
O4 - HKCU\..\Run: [kell] C:\program Files\Manson\liser.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HP Display LiteSaver Startup.lnk = C:\WINDOWS\HPLiteSaver.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NetScreen-Remote.lnk = C:\Program Files\NetScreen\NetScreen-Remote\SafeCfg.exe
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070711/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1169717301187
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{527D7583-6356-475C-85F6-16AA661602E5}: NameServer = 192.168.1.254,0.0.0.0
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C c:\progra~1\Manson\liser.dll C:\WINDOWS\system32\jefiyuna.dll c:\windows\system32\domemaha.dll c:\windows\system32\pajohebu.dll
O20 - Winlogon Notify: fccaYpNG - C:\WINDOWS\SYSTEM32\fccaYpNG.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\pajohebu.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\NetScreen\NetScreen-Remote\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IREIKE) - SafeNet - C:\Program Files\NetScreen\NetScreen-Remote\IreIKE.exe
O23 - Service: jryjdrtjj6sjjyh4rthgdf80 - Unknown owner - C:\WINDOWS\jryjdrtjj6sjjyh4rthgdf81.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos Agent - Unknown owner - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe" -service -name Agent (file missing)
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sophos Message Router - Unknown owner - C:\Program Files\Sophos\Remote Management System\RouterNT.exe" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194 (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
```
| 789885 | 2009-07-07 16:18:00 | Automated analysis: hjt.networktechs.com. Wait till the next morning for a proper analysis :) | Renmoo (66) |
| 789886 | 2009-07-07 20:48:00 | Disable system restore. Tick these, then tick "Fix checked". Close browsers. Uninstall this, it's rogue software: C:\Program Files\Manson\liser.exe. Uninstall all versions of Java, it's out of date, then update it. | Speedy Gonzales (78) |

```text
O2 - BHO: (no name) - {0BA68980-48D6-471C-887F-B0D4BB77EDD9} - C:\WINDOWS\system32\qoMgdDSk.dll
O2 - BHO: {a68d17e7-a9f3-d8da-22f4-92b1bcbd5c72} - {27c5dbcb-1b29-4f22-ad8d-3f9a7e71d86a} - C:\WINDOWS\system32\cwkmfc.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\fccaYpNG.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {a2a05a15-053b-40f5-9d25-9df35b558ed1} - C:\WINDOWS\system32\dutuhabe.dll
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [13742504] C:\Documents and Settings\All Users\Application Data\13742504\13742504.exe
O4 - HKLM\..\Run: [fujidutano] Rundll32.exe "C:\WINDOWS\system32\veseyusi.dll",s
O4 - HKLM\..\Run: [CPM4bf7cf62] Rundll32.exe "c:\windows\system32\domemaha.dll",a
O4 - HKLM\..\Run: [48c4fcfe] rundll32.exe "C:\WINDOWS\system32\zewobihu.dll",b
O4 - HKCU\..\Run: [kell] C:\program Files\Manson\liser.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O20 - AppInit_DLLs: C c:\progra~1\Manson\liser.dll C:\WINDOWS\system32\jefiyuna.dll c:\windows\system32\domemaha.dll c:\windows\system32\pajohebu.dll
O20 - Winlogon Notify: fccaYpNG - C:\WINDOWS\SYSTEM32\fccaYpNG.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\pajohebu.dll
O23 - Service: jryjdrtjj6sjjyh4rthgdf80 - Unknown owner - C:\WINDOWS\jryjdrtjj6sjjyh4rthgdf81.exe
```

Reboot, then uninstall Symantec and Sophos, then install something like Avast, update it, then scan the system. Get Malwarebytes below, update it, then scan. Then get an updated version of HijackThis (yours is out of date). Do another scan, then post another log.
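As an added example, not part of the thread, here is a small Python triage script that parses HijackThis entry lines and flags the kinds of load points the reply above singles out (unnamed BHOs, rundll32 autoruns from system32, numeric Run value names, AppInit_DLLs, Winlogon Notify, SSODL, unknown-owner services sitting directly in C:\WINDOWS). The sample log is constructed from entry shapes in this thread and the heuristics are my own review triggers, not rules HijackThis itself applies.

```python
import re
# Constructed sample in HijackThis format: entries shaped like the thread's, benign ones mixed in.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {0BA68980-48D6-471C-887F-B0D4BB77EDD9} - C:\WINDOWS\system32\qoMgdDSk.dll
O2 - BHO: {a68d17e7-a9f3-d8da-22f4-92b1bcbd5c72} - {27c5dbcb-1b29-4f22-ad8d-3f9a7e71d86a} - C:\WINDOWS\system32\cwkmfc.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [fujidutano] Rundll32.exe "C:\WINDOWS\system32\veseyusi.dll",s
O4 - HKLM\..\Run: [13742504] C:\Documents and Settings\All Users\Application Data\13742504\13742504.exe
O20 - AppInit_DLLs: C c:\progra~1\Manson\liser.dll C:\WINDOWS\system32\jefiyuna.dll
O20 - Winlogon Notify: fccaYpNG - C:\WINDOWS\SYSTEM32\fccaYpNG.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\pajohebu.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: jryjdrtjj6sjjyh4rthgdf80 - Unknown owner - C:\WINDOWS\jryjdrtjj6sjjyh4rthgdf81.exe
"""
ENTRY = re.compile(r"^(O\d+|R[01]) - (.*)$")           # "O4 - HKLM\..\Run: ..." style lines
GUID = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)

def parse(log):
    """Yield (section, body) for each HijackThis entry line; header and process lines are skipped."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def review_reasons(section, body):
    """Heuristic triggers for a second look (assumed rules, not verdicts); empty list = nothing stood out."""
    low, reasons = body.lower(), []
    if section == "O2":                                   # BHO: <name> - {CLSID} - <dll>
        name = body[len("BHO: "):].split(" - ")[0]
        if name == "(no name)" or GUID.match(name):
            reasons.append("browser helper object with no product name")
    elif section == "O4" and (m := re.search(r"\[(.+?)\]\s*(.*)", body)):
        value, cmd = m.group(1), m.group(2).lower()       # Run value name and its command line
        if value.isdigit():
            reasons.append("numeric-only Run value name")
        if "rundll32" in cmd and "\\system32\\" in cmd:
            reasons.append("rundll32 loading a DLL from system32")
        if "\\all users\\application data\\" in cmd:
            reasons.append("autorun binary under All Users\\Application Data")
    elif section == "O20" and low.startswith("appinit_dlls:"):
        reasons.append("AppInit_DLLs are injected into every process that loads user32")
    elif section in ("O20", "O21"):                       # Winlogon Notify / ShellServiceObjectDelayLoad
        reasons.append("logon or shell load point used for persistence")
    elif section == "O23" and "unknown owner" in low:
        path = body.rsplit(" - ", 1)[-1].lower()
        if re.match(r"^c:\\windows\\[^\\]+$", path):      # binary sits directly in C:\WINDOWS
            reasons.append("unknown-owner service binary directly in C:\\WINDOWS")
    return reasons

def triage(log):
    """Return [(section, body, reasons)] for every entry with at least one review reason."""
    return [(s, b, r) for s, b in parse(log) if (r := review_reasons(s, b))]
```

Running `triage(SAMPLE_LOG)` returns the eight constructed entries that match the reply's fix list and leaves the Java, HP, Bonjour and ATI entries alone.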
| 789887 | 2009-07-08 05:23:00 | Umm... bit of a mess. | Pancake (6359) |
| 789888 | 2009-07-08 06:48:00 | God, hope you didn't connect to your work VPN with viruses... it's always an issue for admins... give staff the ability to connect to work, and they are unable to stop/monitor viruses on their systems...!! | SolMiester (139) |