Glenn log 01


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:52:18 PM, on 7/27/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec\pcAnywhere\awhost32.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\mcshield.exe

C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

C:\Program Files\Panasonic\pcinfo\PCInfoPi.exe

C:\Program Files\Panasonic\pcinfo\PCInfoSV.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\Program Files\UPHClean\uphclean.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Colonial Life\Time Zone Settings\TimeZoneTool.exe

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.coloniallife.com/Services/Applications/MemberServices/Login.aspx

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.coloniallife.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (disabled by BHODemon)

O4 - HKLM\..\Run: [unum Time Zone Settings] "c:\Program Files\Colonial Life\Time Zone Settings\TimeZoneTool.exe" /StartMinimized

O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://producermail2.coloniallife.com/iNotes6W.cab

O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189529448875

O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

O18 - Protocol: qvp - {4BA78E3D-CA25-4BFF-B8F0-8A3359E4B520} - C:\PROGRA~1\QlikView\QVPROT~1\Qvp.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Afaria Client Service - iAnywhere Solutions, Inc. - C:\Apps\Afaria\Bin\XeService.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe

O23 - Service: B's Recorder GOLD Service (bgsvc) - B.H.A Corporation - C:\Program Files\B's Recorder GOLD8\bgsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: DPAgent - BeCrypt Ltd - C:\Program Files\Afaria\Disk Protect\DPAgent.exe

O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe

O23 - Service: ERRJ - Unknown owner - C:\DOCUME~1\Colonial\LOCALS~1\Temp\ERRJ.exe (file missing)

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: FGDQBT - Unknown owner - C:\DOCUME~1\Colonial\LOCALS~1\Temp\FGDQBT.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: KC - Unknown owner - C:\DOCUME~1\Colonial\LOCALS~1\Temp\KC.exe (file missing)

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - McAfee, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

O23 - Service: SQL Server (HARMONYV7) (MSSQL$HARMONYV7) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\secservr.exe

O23 - Service: NP - Unknown owner - C:\DOCUME~1\Colonial\LOCALS~1\Temp\NP.exe (file missing)

O23 - Service: Panasonic PC Information Viewer Service 2 (PcInfoPi) - Matsushita Electric Industrial Co., Ltd. - C:\Program Files\Panasonic\pcinfo\PCInfoPi.exe

O23 - Service: Panasonic PC Information Viewer (PcInfoSV) - Matsushita Electric Industrial Co., Ltd. - C:\Program Files\Panasonic\pcinfo\PCInfoSV.exe

O23 - Service: PGGNU - Unknown owner - C:\DOCUME~1\Colonial\LOCALS~1\Temp\PGGNU.exe (file missing)

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: SKR - Unknown owner - C:\DOCUME~1\Colonial\LOCALS~1\Temp\SKR.exe (file missing)

O23 - Service: TILANHP - Unknown owner - C:\DOCUME~1\Colonial\LOCALS~1\Temp\TILANHP.exe (file missing)

--

End of file - 7764 bytes

Administrator

Welcome to Lunarsoft, gpratt1. Are you still experiencing symptoms?

Windows has built-in time updating, so you may want to uninstall the following:

[unum Time Zone Settings] "c:\Program Files\Colonial Life\Time Zone Settings\TimeZoneTool.exe" /StartMinimized

Generated by Tarun of Lunarsoft's HijackThis Converter v0.53 Beta.

Default-color items are optional, red are known to be malicious.

Created registry value

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896

Changed registry value

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.colonial...ices/Login.aspx

Created registry value

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896

Changed registry value

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

Created registry value

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.coloniallife.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

Enumeration of existing IE's BHO's

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (disabled by BHODemon)

Enumeration of suspicious auto-loading registry entries

O4 - HKLM\..\Run: [unum Time Zone Settings] "c:\Program Files\Colonial Life\Time Zone Settings\TimeZoneTool.exe" /StartMinimized

O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

Extra "Tools" menu items and buttons

O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)

Downloaded Program Files item

O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://producermail...om/iNotes6W.cab

O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.s...abs/tgctlsr.cab

O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.co...ic/SimCityX.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.m...ash/swflash.cab

Enumeration of NT Services

O23 - Service: ERRJ - Unknown owner - C:\DOCUME~1\Colonial\LOCALS~1\Temp\ERRJ.exe (file missing)

O23 - Service: FGDQBT - Unknown owner - C:\DOCUME~1\Colonial\LOCALS~1\Temp\FGDQBT.exe (file missing)

O23 - Service: KC - Unknown owner - C:\DOCUME~1\Colonial\LOCALS~1\Temp\KC.exe (file missing)

O23 - Service: NP - Unknown owner - C:\DOCUME~1\Colonial\LOCALS~1\Temp\NP.exe (file missing)

O23 - Service: PGGNU - Unknown owner - C:\DOCUME~1\Colonial\LOCALS~1\Temp\PGGNU.exe (file missing)

O23 - Service: SKR - Unknown owner - C:\DOCUME~1\Colonial\LOCALS~1\Temp\SKR.exe (file missing)

O23 - Service: TILANHP - Unknown owner - C:\DOCUME~1\Colonial\LOCALS~1\Temp\TILANHP.exe (file missing)
