gpratt1 Posted July 27, 2009

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:52:18 PM, on 7/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Panasonic\pcinfo\PCInfoPi.exe
C:\Program Files\Panasonic\pcinfo\PCInfoSV.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Colonial Life\Time Zone Settings\TimeZoneTool.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.coloniallife.com/Services/Applications/MemberServices/Login.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.coloniallife.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (disabled by BHODemon)
O4 - HKLM\..\Run: [unum Time Zone Settings] "c:\Program Files\Colonial Life\Time Zone Settings\TimeZoneTool.exe" /StartMinimized
O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://producermail2.coloniallife.com/iNotes6W.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189529448875
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: qvp - {4BA78E3D-CA25-4BFF-B8F0-8A3359E4B520} - C:\PROGRA~1\QlikView\QVPROT~1\Qvp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Afaria Client Service - iAnywhere Solutions, Inc. - C:\Apps\Afaria\Bin\XeService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: B's Recorder GOLD Service (bgsvc) - B.H.A Corporation - C:\Program Files\B's Recorder GOLD8\bgsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DPAgent - BeCrypt Ltd - C:\Program Files\Afaria\Disk Protect\DPAgent.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ERRJ - Unknown owner - C:\DOCUME~1\Colonial\LOCALS~1\Temp\ERRJ.exe (file missing)
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FGDQBT - Unknown owner - C:\DOCUME~1\Colonial\LOCALS~1\Temp\FGDQBT.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KC - Unknown owner - C:\DOCUME~1\Colonial\LOCALS~1\Temp\KC.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - McAfee, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: SQL Server (HARMONYV7) (MSSQL$HARMONYV7) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\secservr.exe
O23 - Service: NP - Unknown owner - C:\DOCUME~1\Colonial\LOCALS~1\Temp\NP.exe (file missing)
O23 - Service: Panasonic PC Information Viewer Service 2 (PcInfoPi) - Matsushita Electric Industrial Co., Ltd. - C:\Program Files\Panasonic\pcinfo\PCInfoPi.exe
O23 - Service: Panasonic PC Information Viewer (PcInfoSV) - Matsushita Electric Industrial Co., Ltd. - C:\Program Files\Panasonic\pcinfo\PCInfoSV.exe
O23 - Service: PGGNU - Unknown owner - C:\DOCUME~1\Colonial\LOCALS~1\Temp\PGGNU.exe (file missing)
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SKR - Unknown owner - C:\DOCUME~1\Colonial\LOCALS~1\Temp\SKR.exe (file missing)
O23 - Service: TILANHP - Unknown owner - C:\DOCUME~1\Colonial\LOCALS~1\Temp\TILANHP.exe (file missing)

--
End of file - 7764 bytes
Tarun (Administrator) Posted July 27, 2009

Welcome to Lunarsoft, gpratt1. Are you still experiencing symptoms?

Windows has built-in time updating, so you may want to uninstall the following:
[unum Time Zone Settings] "c:\Program Files\Colonial Life\Time Zone Settings\TimeZoneTool.exe" /StartMinimized

Generated by Tarun of Lunarsoft's HijackThis Converter v0.53 Beta. Default-color items are optional, red are known to be malicious.

Created registry value
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896

Changed registry value
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.colonial...ices/Login.aspx

Created registry value
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896

Changed registry value
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

Created registry value
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.coloniallife.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

Enumeration of existing IE's BHO's
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (disabled by BHODemon)

Enumeration of suspicious auto-loading registry entries
O4 - HKLM\..\Run: [unum Time Zone Settings] "c:\Program Files\Colonial Life\Time Zone Settings\TimeZoneTool.exe" /StartMinimized
O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

Extra "Tools" menu items and buttons
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)

Downloaded Program Files item
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://producermail...om/iNotes6W.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.s...abs/tgctlsr.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.co...ic/SimCityX.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.m...ash/swflash.cab

Enumeration of NT Services
O23 - Service: ERRJ - Unknown owner - C:\DOCUME~1\Colonial\LOCALS~1\Temp\ERRJ.exe (file missing)
O23 - Service: FGDQBT - Unknown owner - C:\DOCUME~1\Colonial\LOCALS~1\Temp\FGDQBT.exe (file missing)
O23 - Service: KC - Unknown owner - C:\DOCUME~1\Colonial\LOCALS~1\Temp\KC.exe (file missing)
O23 - Service: NP - Unknown owner - C:\DOCUME~1\Colonial\LOCALS~1\Temp\NP.exe (file missing)
O23 - Service: PGGNU - Unknown owner - C:\DOCUME~1\Colonial\LOCALS~1\Temp\PGGNU.exe (file missing)
O23 - Service: SKR - Unknown owner - C:\DOCUME~1\Colonial\LOCALS~1\Temp\SKR.exe (file missing)
O23 - Service: TILANHP - Unknown owner - C:\DOCUME~1\Colonial\LOCALS~1\Temp\TILANHP.exe (file missing)