Hello,
In essential steps, what I did:
1) Ran Bit Defender from:
http://www.bitdefender.com/scan/licence.php
It reported the following:
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS
Infected with: Generic.Qhost
Disinfection failed
Deleted
C:\WINDOWS\SYSTEM32\explorer.exe
Infected with: Backdoor.RBot.3B340EF4
Disinfection failed
Delete failed
C:\WINDOWS\SYSTEM32\tt
Infected with: Backdoor.BotGet.FtpB.Gen
Deleted
Found and removed bad stuff in
C:\System Volume Information\_restore...
2) In Windows Explorer, renamed C:\WINDOWS\SYSTEM32\explorer.exe and
deleted it.
3) Ran HijackThis and tried to get rid of the four "O4 - HKLM\..\Run..."
references to explorer.exe. But it could only get rid of two of
the four references.
4) Rebooted (two Windows Explorers opened up); ran msconfig;
unchecked two boxes that wanted explorer.exe to run.
5) Rebooted. Ran HijackThis and removed the remaining
two "O4 - HKLM\..\Run..." references to explorer.exe.
While in HijackThis, also removed a few other benign entries.
6) I deleted C:\WINDOWS\System32\wuauclt.exe
and C:\WINDOWS\System32\wuauclt1.exe.
After rebooting, there was a C:\WINDOWS\System32\wuauclt.exe of
size roughly 122 KBytes and with creation date Friday,
March 19, 2004, 3:45:14 PM and modified date Thursday,
May 26, 2005, 5:16:30 AM.
Attached below is the latest HijackThis log.
I can now run cmd, msconfig, regedit, and Alt-Ctrl-Del->Task Manager.
Thanks,
--SGU
Logfile of HijackThis v1.99.1
Scan saved at 8:25:09 PM, on 4/15/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\basfipm.exe
C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe
C:\MSSQL7\binn\sqlservr.exe
C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Jconfig\hjavaw.exe
C:\opt\Java\j2re1.4.2_06\bin\javaw.exe
C:\OfficeScan NT\ntrtscan.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\wuauclt.exe
C:\OfficeScan NT\ofcdog.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\OfficeScan NT\tmlisten.exe
C:\Program Files\Tally Systems Corp\TSCensus\bin\CClientSvc.exe
C:\Program Files\Tally Systems Corp\TSCensus\bin\CClient.exe
C:\WINDOWS\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\OfficeScan NT\pccntmon.exe
C:\opt\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\MSSQL7\Binn\sqlmangr.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Tally Systems Corp\TSCensus\bin\TSUsage32.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
c:\admin\tools\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.dell.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = www-blv-proxy.boeing.com:31060
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [iTunesHelper] C:\opt\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "c:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\opt\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) -
https://qp.mc.com/qp2.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) -
https://btconferencing.webex.com/cli...ex/ieatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) -
https://anywhere.mc.com/dana-cached/...niperSetup.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.mc.com
O17 - HKLM\Software\..\Telephony: DomainName = ad.mc.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.mc.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ad.mc.com
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = ad.mc.com
O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\OfficeScan NT\ntrtscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Desk Manager (rdm) - AT&T Research Labs Cambridge - C:\WINDOWS\WinVNC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\OfficeScan NT\tmlisten.exe
O23 - Service: TSCensus Collection Client - Tally Systems Corp. - C:\Program Files\Tally Systems Corp\TSCensus\bin\CClientSvc.exe
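The telling detail in the steps above is a second explorer.exe living in System32 while the real one is C:\WINDOWS\Explorer.EXE. As an added example (not the poster's code or HijackThis's), here is a small checker that reads O4 Run entries from a HijackThis log and flags well-known Windows binaries launched from an unexpected directory, plus entries that name a bare file with no path. The expected-location table and the sample log lines are constructed for this example.

```python
import re
from typing import List, Optional

# Expected home of well-known XP binaries, as a subdirectory of %SystemRoot%
# ("" = the Windows directory itself). explorer.exe belongs in C:\WINDOWS, so
# a copy in System32, as in the Backdoor.RBot find above, is a masquerade.
EXPECTED_DIR = {
    "explorer.exe": "",
    "svchost.exe": "system32",
    "winlogon.exe": "system32",
    "wuauclt.exe": "system32",
}
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

def command_path(cmd: str) -> str:
    """Extract the executable from a Run-key command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]

def check_o4(line: str, sysroot: str = r"C:\WINDOWS") -> Optional[str]:
    """Return a finding for one HijackThis O4 line, or None if it looks normal."""
    m = O4_RE.match(line)
    if not m:
        return None
    exe = command_path(m.group("cmd"))
    exe_l = exe.lower().replace("%systemroot%", sysroot.lower())
    if "\\" not in exe_l:  # bare name: resolved by PATH search at logon
        return f"[{m.group('name')}] runs unqualified '{exe}'; verify where it resolves"
    base = exe_l.rsplit("\\", 1)[-1]
    sub = EXPECTED_DIR.get(base)
    if sub is None:
        return None
    want = "\\".join(p for p in (sysroot.lower(), sub, base) if p)
    return None if exe_l == want else f"[{m.group('name')}] runs {base} from {exe}, expected {want}"

def scan_log(text: str) -> List[str]:
    return [f for f in (check_o4(l) for l in text.splitlines()) if f]

# Constructed sample (not the poster's log); the explorer.exe line mimics
# the Run references the poster describes removing.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [Windows Explorer] C:\WINDOWS\System32\explorer.exe
O4 - HKCU\..\Run: [svc] "C:\WINDOWS\System32\svchost.exe" -k netsvcs
"""
```

Run `scan_log` over a full log; only the fake explorer.exe entry and the unqualified BascsTray.exe entry come back from the sample, while the legitimate svchost.exe and mobsync.exe lines pass.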