Jump to content
Sign in to follow this  
annelore

annelore hijackthis log

Recommended Posts

hi! thanks for the usefull support. I cleaned my computer with your antimalware package, but i still have some problems. When i connect to the internet, (i use firefox) an internet explorer window opens automatically and goes to this site (which doesn't open): "http://www.funbangladesh.com/blehx.html". Also there is a tool/searchbar that i don't want with buttons like 'online casino' 'ringtones', etc. If i try to click the 'uninstall' thing, i come to this site: "http://yupsearch.com/uninstall.php?ver=75&acc=r1chj4pqr" and i get pop-ups of this site.

Can you help me?

thanks,

annelore from Belgium.

here's my hijack this log:

Logfile of HijackThis v1.99.1

Scan saved at 16:12:53, on 7/10/2005

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:

C:WINDOWSSystem32smss.exe

C:WINDOWSsystem32csrss.exe

C:WINDOWSsystem32winlogon.exe

C:WINDOWSsystem32services.exe

C:WINDOWSsystem32lsass.exe

C:WINDOWSsystem32svchost.exe

C:WINDOWSSystem32svchost.exe

C:WINDOWSSystem32svchost.exe

C:WINDOWSSystem32svchost.exe

C:WINDOWSsystem32spoolsv.exe

C:WINDOWSSystem32alg.exe

C:PROGRA~1GrisoftAVG7avgamsvr.exe

C:PROGRA~1GrisoftAVG7avgupsvc.exe

C:Program FilesCommon FilesMicrosoft SharedVS7Debugmdm.exe

C:WINDOWSSystem32svchost.exe

C:WINDOWSExplorer.EXE

C:Program FilesCommon FilesRealUpdate_OBrealsched.exe

C:WINDOWSSystem32wuauclt.exe

C:Program FilesHewlett-PackardDigital ImagingUnloadhpqcmon.exe

C:Program FilesHewlett-PackardHP Share-to-Webhpgs2wnd.exe

C:Program FilesJavajre1.5.0_01binjusched.exe

C:Program FilesQuickTimeqttask.exe

C:Program FilesiTunesiTunesHelper.exe

C:Program FilesThomsonSpeedTouch USBDragdiag.exe

C:Program FilesSupport.combintgcmd.exe

C:pichx.exe

C:PROGRA~1GrisoftAVG7avgcc.exe

C:PROGRA~1GrisoftAVG7avgemc.exe

C:WINDOWSetbpokapoka75.exe

C:WINDOWSSystem32ctfmon.exe

C:Program FilesSkypePhoneSkype.exe

C:Program Filesipttotsr.exe

C:WINDOWSSystem32d?xplore.exe

C:Program FilesSpyware Doctorswdoctor.exe

C:Program FilesMicrosoft AntiSpywaregcasDtServ.exe

C:Program FilesiPodbiniPodService.exe

C:Program FilesHewlett-PackardHP Share-to-Webhpgs2wnf.exe

C:Program FilesMozilla Firefoxfirefox.exe

C:Documents and SettingsanneloreBureaubladHijackThis.exe

R1 - HKCUSoftwareMicrosoftInternet Explorer,SearchURL = http://www.easysearch4you.com/sp2.php

R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Bar = http://www.easysearch4you.com/sp2.php

R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = http://www.easysearch4you.com/sp2.php

R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.radio1.be/

R1 - HKCUSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant = http://www.easysearch4you.com/sp2.php

R0 - HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName = Koppelingen

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:WINDOWSSystem32msdxm.ocx

O4 - HKLM..Run: [NeroCheck] C:WINDOWSSystem32NeroCheck.exe

O4 - HKLM..Run: [TkBellExe] "C:Program FilesCommon FilesRealUpdate_OBrealsched.exe" -osboot

O4 - HKLM..Run: [CamMonitor] C:Program FilesHewlett-PackardDigital ImagingUnloadhpqcmon.exe

O4 - HKLM..Run: [share-to-Web Namespace Daemon] C:Program FilesHewlett-PackardHP Share-to-Webhpgs2wnd.exe

O4 - HKLM..Run: [sunJavaUpdateSched] C:Program FilesJavajre1.5.0_01binjusched.exe

O4 - HKLM..Run: [QuickTime Task] "C:Program FilesQuickTimeqttask.exe" -atboottime

O4 - HKLM..Run: [iTunesHelper] C:Program FilesiTunesiTunesHelper.exe

O4 - HKLM..Run: [speedTouch USB Diagnostics] "C:Program FilesThomsonSpeedTouch USBDragdiag.exe" /icon

O4 - HKLM..Run: [tgcmd] "C:Program FilesSupport.combintgcmd.exe" /server /startmonitor

O4 - HKLM..Run: [FireWire Service] nvscv32.exe

O4 - HKLM..Run: [Windows Process Manager] winproc.exe

O4 - HKLM..Run: [REGWIN32] C:pichx.exe

O4 - HKLM..Run: [dGTJw] C:WINDOWSjtplkt.exe

O4 - HKLM..Run: [bO²ùð×y-¯Œ] C:WINDOWSjtplkt.exe

O4 - HKLM..Run: [AVG7_CC] C:PROGRA~1GrisoftAVG7avgcc.exe /STARTUP

O4 - HKLM..Run: [AVG7_EMC] C:PROGRA~1GrisoftAVG7avgemc.exe

O4 - HKLM..Run: [gcasServ] "C:Program FilesMicrosoft AntiSpywaregcasServ.exe"

O4 - HKLM..Run: [system service75] C:WINDOWSetbpokapoka75.exe

O4 - HKLM..RunServices: [FireWire Service] nvscv32.exe

O4 - HKLM..RunServices: [Windows Process Manager] winproc.exe

O4 - HKCU..Run: [CTFMON.EXE] C:WINDOWSSystem32ctfmon.exe

O4 - HKCU..Run: [skype] "C:Program FilesSkypePhoneSkype.exe" /nosplash /minimized

O4 - HKCU..Run: [Toat] "C:Program Filesipttotsr.exe" -vt mt

O4 - HKCU..Run: [Otj] C:WINDOWSSystem32d?xplore.exe

O4 - HKCU..Run: [spyware Doctor] "C:Program FilesSpyware Doctorswdoctor.exe" /Q

O4 - Global Startup: Microsoft Office.lnk = C:Program FilesMicrosoft OfficeOffice10OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:PROGRA~1MICROS~4Office10EXCEL.EXE/3000

O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:PROGRA~1SPYWAR~1toolsiesdpb.dll

O9 - Extra button: Onderzoekscentrum - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:Program FilesCommon FilesMicrosoft SharedReference 2001EROProj.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengerMSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengerMSMSGS.EXE

O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int12.exe

O16 - DPF: {0D62A517-E7C6-4E1F-A577-07D4AC549A48} (Progetto1.int_ver32) - http://advnt01.com/dialer/bel_ver32b.CAB

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1128610703608

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1128610598167

O17 - HKLMSystemCCSServicesTcpip..{4E21BD91-2422-4EA6-9EDC-9441DE74406C}: NameServer = 195.238.2.22 195.238.2.21

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:PROGRA~1GrisoftAVG7avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:PROGRA~1GrisoftAVG7avgupsvc.exe

O23 - Service: iPod-service (iPodService) - Apple Computer, Inc. - C:Program FilesiPodbiniPodService.exe

O23 - Service: sdktemp - Unknown owner - C:WINDOWSsdktemp.exe (file missing)

Share this post


Link to post
Share on other sites

You still have several infections. But we'll get them all cleaned up. :D

Generated by Tarun's HijackThis Converter v0.43 Beta.

Created registry value. Safe to remove:

R1 - HKCUSoftwareMicrosoftInternet Explorer,SearchURL = http://www.easysearch4you.com/sp2.php

R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Bar = http://www.easysearch4you.com/sp2.php

R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = http://www.easysearch4you.com/sp2.php

Changed registry value. Safe to remove:

R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.radio1.be/

Created registry value. Safe to remove:

R1 - HKCUSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant = http://www.easysearch4you.com/sp2.php

Changed registry value. Safe to remove:

R0 - HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName = Koppelingen

Enumeration of suspicious auto-loading registry entries. Safe to remove:

O4 - HKLM..Run: [NeroCheck] C:WINDOWSSystem32NeroCheck.exe

O4 - HKLM..Run: [TkBellExe] "C:Program FilesCommon FilesRealUpdate_OBrealsched.exe" -osboot

O4 - HKLM..Run: [share-to-Web Namespace Daemon] C:Program FilesHewlett-PackardHP Share-to-Webhpgs2wnd.exe

O4 - HKLM..Run: [sunJavaUpdateSched] C:Program FilesJavajre1.5.0_01binjusched.exe

O4 - HKLM..Run: [QuickTime Task] "C:Program FilesQuickTimeqttask.exe" -atboottime

O4 - HKLM..Run: [iTunesHelper] C:Program FilesiTunesiTunesHelper.exe

O4 - HKLM..Run: [tgcmd] "C:Program FilesSupport.combintgcmd.exe" /server /startmonitor

O4 - HKLM..Run: [FireWire Service] nvscv32.exe

O4 - HKLM..Run: [Windows Process Manager] winproc.exe

O4 - HKLM..Run: [REGWIN32] C:pichx.exe

O4 - HKLM..Run: [dGTJw] C:WINDOWSjtplkt.exe

O4 - HKLM..Run: [bO²ùð×y-¯Œ] C:WINDOWSjtplkt.exe

O4 - HKLM..Run: [system service75] C:WINDOWSetbpokapoka75.exe

O4 - HKLM..RunServices: [FireWire Service] nvscv32.exe

O4 - HKLM..RunServices: [Windows Process Manager] winproc.exe

O4 - HKCU..Run: [Toat] "C:Program Filesipttotsr.exe" -vt mt

O4 - HKCU..Run: [Otj] C:WINDOWSSystem32d?xplore.exe

O4 - Global Startup: Microsoft Office.lnk = C:Program FilesMicrosoft OfficeOffice10OSA.EXE

Extra IE context menu items. Safe to remove:

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:PROGRA~1MICROS~4Office10EXCEL.EXE/3000

Downloaded Program Files item. Safe to remove:

O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int12.exe

O16 - DPF: {0D62A517-E7C6-4E1F-A577-07D4AC549A48} (Progetto1.int_ver32) - http://advnt01.com/dialer/bel_ver32b.CAB

Enumeration of NT Services. Safe to remove:

O23 - Service: sdktemp - Unknown owner - C:WINDOWSsdktemp.exe (file missing)

Use HijackThis to do the following:

Config...

Delete a file on reboot.

C:Windowsetbnt_hide32.dll

C:Windowsetbpokapoka75.exe

You also have several viruses starting on bootup. I recommend getting ewido to clean out and remove some more malware and trojans. After that, please repost a log here.

Share this post


Link to post
Share on other sites

Use HijackThis to do the following:

Config...

Delete a file on reboot.

C:Windowsetbnt_hide32.dll

C:Windowsetbpokapoka75.exe

ok, I only find the C:Windowsetbpokapoka75.exe in the log (the other one i can't find) and when i tried to check the box of the C:Windowsetbpokapoka75.exe and i want to do config and delete a file on reboot, i get an hourglass and the program freezes.

In the mean time i'll have a look at te ewido.com

...

Share this post


Link to post
Share on other sites

Ok this is what i did:

- i scanned with ewido

- i tried to find C:Windowsetbnt_hide32.dll and C:Windowsetbpokapoka75.exe, but didn't find them so i couldn't delete after reboot...

still, here's my log after the ewido scan

Logfile of HijackThis v1.99.1

Scan saved at 19:53:22, on 7/10/2005

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:

C:WINDOWSSystem32smss.exe

C:WINDOWSsystem32csrss.exe

C:WINDOWSsystem32winlogon.exe

C:WINDOWSsystem32services.exe

C:WINDOWSsystem32lsass.exe

C:WINDOWSsystem32svchost.exe

C:WINDOWSSystem32svchost.exe

C:WINDOWSSystem32svchost.exe

C:WINDOWSSystem32svchost.exe

C:WINDOWSsystem32spoolsv.exe

C:WINDOWSSystem32alg.exe

C:PROGRA~1GrisoftAVG7avgamsvr.exe

C:PROGRA~1GrisoftAVG7avgupsvc.exe

C:Program FilesCommon FilesMicrosoft SharedVS7Debugmdm.exe

C:WINDOWSSystem32svchost.exe

C:WINDOWSExplorer.EXE

C:Program FilesCommon FilesRealUpdate_OBrealsched.exe

C:Program FilesHewlett-PackardDigital ImagingUnloadhpqcmon.exe

C:Program FilesHewlett-PackardHP Share-to-Webhpgs2wnd.exe

C:Program FilesJavajre1.5.0_01binjusched.exe

C:Program FilesQuickTimeqttask.exe

C:Program FilesiTunesiTunesHelper.exe

C:Program FilesThomsonSpeedTouch USBDragdiag.exe

C:Program FilesSupport.combintgcmd.exe

C:PROGRA~1GrisoftAVG7avgcc.exe

C:PROGRA~1GrisoftAVG7avgemc.exe

C:WINDOWSetbpokapoka75.exe

C:WINDOWSSystem32ctfmon.exe

C:Program FilesSkypePhoneSkype.exe

C:Program Filesipttotsr.exe

C:WINDOWSSystem32d?xplore.exe

C:Program FilesSpyware Doctorswdoctor.exe

C:WINDOWSSystem32wuauclt.exe

C:Program FilesMicrosoft AntiSpywaregcasDtServ.exe

C:Program FilesiPodbiniPodService.exe

C:Program FilesHewlett-PackardHP Share-to-Webhpgs2wnf.exe

C:Program Filesewidosecurity suiteewidoguard.exe

C:Program Filesewidosecurity suiteewidoctrl.exe

C:Documents and SettingsanneloreBureaubladHijackThis.exe

R1 - HKCUSoftwareMicrosoftInternet Explorer,SearchURL = http://www.easysearch4you.com/sp2.php

R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Bar = http://www.easysearch4you.com/sp2.php

R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = http://www.easysearch4you.com/sp2.php

R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.radio1.be/

R1 - HKCUSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant = http://www.easysearch4you.com/sp2.php

R0 - HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName = Koppelingen

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:PROGRA~1SPYWAR~1toolsiesdsg.dll

O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:PROGRA~1SPYWAR~1toolsiesdpb.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:WINDOWSSystem32msdxm.ocx

O4 - HKLM..Run: [NeroCheck] C:WINDOWSSystem32NeroCheck.exe

O4 - HKLM..Run: [TkBellExe] "C:Program FilesCommon FilesRealUpdate_OBrealsched.exe" -osboot

O4 - HKLM..Run: [CamMonitor] C:Program FilesHewlett-PackardDigital ImagingUnloadhpqcmon.exe

O4 - HKLM..Run: [share-to-Web Namespace Daemon] C:Program FilesHewlett-PackardHP Share-to-Webhpgs2wnd.exe

O4 - HKLM..Run: [sunJavaUpdateSched] C:Program FilesJavajre1.5.0_01binjusched.exe

O4 - HKLM..Run: [QuickTime Task] "C:Program FilesQuickTimeqttask.exe" -atboottime

O4 - HKLM..Run: [iTunesHelper] C:Program FilesiTunesiTunesHelper.exe

O4 - HKLM..Run: [speedTouch USB Diagnostics] "C:Program FilesThomsonSpeedTouch USBDragdiag.exe" /icon

O4 - HKLM..Run: [tgcmd] "C:Program FilesSupport.combintgcmd.exe" /server /startmonitor

O4 - HKLM..Run: [FireWire Service] nvscv32.exe

O4 - HKLM..Run: [Windows Process Manager] winproc.exe

O4 - HKLM..Run: [dGTJw] C:WINDOWSjtplkt.exe

O4 - HKLM..Run: [bO²ùð×y-¯Œ] C:WINDOWSjtplkt.exe

O4 - HKLM..Run: [AVG7_CC] C:PROGRA~1GrisoftAVG7avgcc.exe /STARTUP

O4 - HKLM..Run: [AVG7_EMC] C:PROGRA~1GrisoftAVG7avgemc.exe

O4 - HKLM..Run: [gcasServ] "C:Program FilesMicrosoft AntiSpywaregcasServ.exe"

O4 - HKLM..Run: [system service75] C:WINDOWSetbpokapoka75.exe

O4 - HKLM..RunServices: [FireWire Service] nvscv32.exe

O4 - HKLM..RunServices: [Windows Process Manager] winproc.exe

O4 - HKCU..Run: [CTFMON.EXE] C:WINDOWSSystem32ctfmon.exe

O4 - HKCU..Run: [skype] "C:Program FilesSkypePhoneSkype.exe" /nosplash /minimized

O4 - HKCU..Run: [Toat] "C:Program Filesipttotsr.exe" -vt mt

O4 - HKCU..Run: [Otj] C:WINDOWSSystem32d?xplore.exe

O4 - HKCU..Run: [spyware Doctor] "C:Program FilesSpyware Doctorswdoctor.exe" /Q

O4 - Global Startup: Microsoft Office.lnk = C:Program FilesMicrosoft OfficeOffice10OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:PROGRA~1MICROS~4Office10EXCEL.EXE/3000

O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:PROGRA~1SPYWAR~1toolsiesdpb.dll

O9 - Extra button: Onderzoekscentrum - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:Program FilesCommon FilesMicrosoft SharedReference 2001EROProj.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengerMSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengerMSMSGS.EXE

O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int12.exe

O16 - DPF: {0D62A517-E7C6-4E1F-A577-07D4AC549A48} (Progetto1.int_ver32) - http://advnt01.com/dialer/bel_ver32b.CAB

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1128610703608

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1128610598167

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:PROGRA~1GrisoftAVG7avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:PROGRA~1GrisoftAVG7avgupsvc.exe

O23 - Service: ewido security suite control - ewido networks - C:Program Filesewidosecurity suiteewidoctrl.exe

O23 - Service: ewido security suite guard - ewido networks - C:Program Filesewidosecurity suiteewidoguard.exe

O23 - Service: iPod-service (iPodService) - Apple Computer, Inc. - C:Program FilesiPodbiniPodService.exe

O23 - Service: sdktemp - Unknown owner - C:WINDOWSsdktemp.exe (file missing)

THANKS!!

Share this post


Link to post
Share on other sites

Use HijackThis to do the following:

Press the Config... button.

Delete a file on reboot.

In the box that pops up enter these two:

C:Windowsetbnt_hide32.dll

C:Windowsetbpokapoka75.exe

Share this post


Link to post
Share on other sites

Does that happen for both, or just the one?

Cause your HijackThis log even says C:WINDOWSetbpokapoka75.exe and the nthide dll is in that folder.

Share this post


Link to post
Share on other sites

It's due to the nthide.dll.

If you go to Start, Run, cmd

cd C:Windowsetb

dir /w

You'll see there are even folders inside of it. Deleting nthide.dll and pokapoka75.exe can then happen.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  

×