What is this?



[P][RO][CE][SS][OR]
02-07-2006, 08:22 PM
I turned on my computer today in college, and I found this http://img137.imageshack.us/img137/7974/idunno0gd.jpg (http://imageshack.us)

I've changed my background a few times, plus I've changed my theme through WindowBlinds.
Here is my HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 2:03:14 PM, on 2/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\VPN MSCTC\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\GWHotKey.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\WINDOWS\zHotkey.exe
D:\Program Files\WinLock\winlock.exe
C:\WINDOWS\system32\LVCOMSX.EXE
D:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\hpsw.exe
C:\windows\winsysban4.exe
D:\Program Files\ZoneAlarm\zlclient.exe
D:\Program Files\MessengerPlus! 3\MsgPlus.exe
D:\Program Files\D-Tools\daemon.exe
D:\Program Files\WallMaster\wallmast.exe
D:\Program Files\Logitech\Video\FxSvr2.exe
D:\Program Files\PeerGuardian2\pg2.exe
D:\Program Files\Tweak-XP Pro 4\Tweak-XP.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
D:\PROGRA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\VPN MSCTC\VPN Client\vpngui.exe
D:\Program Files\Trend Micro\Antivirus\tmproxy.exe
D:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
D:\Program Files\Trend Micro\Antivirus\PCClient.EXE
D:\Program Files\Trend Micro\Antivirus\PCCGUIDE.EXE
D:\Program Files\Trend Micro\Antivirus\TMOAgent.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Audacity\audacity.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\taskmgr.exe
D:\Backups\Rar$EX00.343\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Trecker Class - {39C78B50-7E98-4aa0-B007-D83114EA6E0F} - C:\PROGRA~1\Jalmp\jalmp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {C085ED38-10E7-C670-D0A3-A30D8464F5D9} - C:\DOCUME~1\Zachary\APPLIC~1\CORNSE~1\ViewBin.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [XpDis0Conf] D:\PROGRA~1\Belkin\BELKIN~1\Tool\WinXPDisableZeroConfigation.exe 979899a48a75987f6b9d86a9aa798c73837198ae83a6a498b878837b768a788c84 /d
O4 - HKLM\..\Run: [XpOpenAuto] "D:\Program Files\Belkin\Belkin 54Mbps Wireless Utility\TOOL\OpenXpAuto.exe" 979899a48a75987f6b9d86a9aa798c73837198ae83a6a498b878837b768a788c84
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [pccguide.exe] "D:\Program Files\Trend Micro\Antivirus\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "D:\Program Files\Trend Micro\Antivirus\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "D:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" /run
O4 - HKLM\..\Run: [appload] C:\cabs\gtwupd\gwmeinst\brcdset.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "D:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [0wl] D:\Program Files\WinLock\winlock.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] D:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] D:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd4.exe
O4 - HKLM\..\Run: [susse] "C:\WINDOWS\system32\hpsw.exe"
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban4.exe
O4 - HKLM\..\Run: [myupdates] c:\windows\myupdates.exe
O4 - HKLM\..\Run: [Zone Labs Client] D:\Program Files\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "D:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [Msn Plus] D:\Program Files\MessengerPlus! 3\MsgPlus.exe
O4 - HKCU\..\Run: [Daemon Tools] D:\Program Files\D-Tools\daemon.exe
O4 - HKCU\..\Run: [Wall Master] D:\Program Files\WallMaster\wallmast.exe
O4 - HKCU\..\Run: [Tweak-XP Pro] "D:\Program Files\Tweak-XP Pro 4\autostart.exe"
O4 - HKCU\..\Run: [PeerGuardian] D:\Program Files\PeerGuardian2\pg2.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = D:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: &NeoTrace It! - D:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - D:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136663414167
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9D1988D-8171-4104-85BD-898B618F4DE2}: NameServer = 199.17.241.241,204.77.58.16
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = minnesota.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = minnesota.edu
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll
O20 - AppInit_DLLs: wbsys.dll MsgPlusLoader.dll
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\VPN MSCTC\VPN Client\cvpnd.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: ScsiAccess - Unknown owner - D:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - D:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - D:\Program Files\Trend Micro\Antivirus\tmproxy.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Help please, and thank you.
Regards,
Zach

tesco
02-07-2006, 08:34 PM
Wow you expect us to be able to tell from a 320*200 pic? :blink:

Skiz
02-07-2006, 08:35 PM
*2 inches from screen squinting* :pinch:

Try this (http://www.hijackthis.de/index.php?langselect=english).

[P][RO][CE][SS][OR]
02-07-2006, 09:04 PM
Sorry, ImageShack did that :P. I'll get a better hoster. Found one: http://img.photobucket.com/albums/v219/l.I.l.I.l/idunno.jpg

Virtualbody1234
02-07-2006, 09:35 PM
ImageShack didn't do that. When using ImageShack copy and paste the last link at the bottom. It's marked: "Direct link to image".

See this one is hosted at ImageShack:
http://img202.imageshack.us/img202/9632/idunno1li.jpg

{I}{K}{E}
02-08-2006, 07:48 AM
trojan downloader:

O4 - HKLM\..\Run: [myupdates] c:\windows\myupdates.exe
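
As an added illustration (not part of the original thread, and not a HijackThis feature), here is a small Python triage script that applies the kind of location heuristics a helper applies by eye when reading a log like the one above: a Run entry whose binary sits directly in the Windows root rather than in system32 or Program Files, a BHO registered with no name or pointing at an .exe instead of a COM DLL, a binary living under the user profile, an unqualified filename resolved through the search path, and a text/html MIME filter. The sample lines are copied from the posted log; the rule names, the Finding structure, and the assumption that %SystemRoot% is C:\WINDOWS are my own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Sample entries copied verbatim from the HijackThis log posted in this thread
# (a constructed subset of the full log, used here as test input).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {C085ED38-10E7-C670-D0A3-A30D8464F5D9} - C:\DOCUME~1\Zachary\APPLIC~1\CORNSE~1\ViewBin.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd4.exe
O4 - HKLM\..\Run: [susse] "C:\WINDOWS\system32\hpsw.exe"
O4 - HKLM\..\Run: [myupdates] c:\windows\myupdates.exe
O4 - HKLM\..\Run: [Zone Labs Client] D:\Program Files\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O18_RE = re.compile(r"^O18 - Filter: (?P<mime>\S+) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
# First token ending in an executable extension, quoted or not; whatever follows
# (e.g. "/run") is treated as command-line arguments.
IMAGE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|com|scr|pif|bat|cmd))"?', re.I)

# Assumption: %SystemRoot% is C:\WINDOWS, as the posted log shows.
WINDIR_ROOTS = {r"C:\WINDOWS"}


@dataclass
class Finding:
    section: str            # HijackThis section the line came from (O2, O4, O18)
    name: str               # Run value name, BHO name, or MIME type
    path: str               # image path extracted from the line
    reasons: list[str] = field(default_factory=list)


def image_path(command: str) -> str:
    """Strip quotes and arguments from a Run-key command, leaving the binary path."""
    m = IMAGE_RE.match(command.strip())
    return m.group("path") if m else command.strip()


def location_reasons(path: str) -> list[str]:
    """Heuristics about where the binary lives; each reason means 'look closer', not 'malware'."""
    up = path.upper()
    folder = up.rsplit("\\", 1)[0] if "\\" in up else ""
    reasons: list[str] = []
    if "\\" not in up:
        reasons.append("unqualified-filename")   # resolved via the search path; which file ran is unknown
    elif folder in WINDIR_ROOTS:
        reasons.append("windows-root")           # legitimate installers rarely drop binaries directly there
    if "\\DOCUME~1\\" in up or "\\DOCUMENTS AND SETTINGS\\" in up:
        reasons.append("user-profile")           # user-writable; no admin rights needed to plant it
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Return the O2/O4/O18 entries that trip at least one heuristic, in log order."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            path = image_path(m["cmd"])
            f = Finding("O4", m["name"], path, location_reasons(path))
        elif m := O2_RE.match(line):
            path = m["path"].strip()
            f = Finding("O2", m["name"], path, location_reasons(path))
            if m["name"] == "(no name)":
                f.reasons.append("anonymous-bho")
            if path.upper().endswith(".EXE"):
                f.reasons.append("exe-as-bho")   # a BHO is an in-process COM DLL; an .exe here is abnormal
        elif m := O18_RE.match(line):
            path = m["path"].strip()
            f = Finding("O18", m["mime"], path, location_reasons(path))
            if m["mime"].lower() == "text/html":
                f.reasons.append("html-filter")  # a text/html MIME filter sees every page IE renders
        else:
            continue
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}[{f.name}] {f.path}  <- {', '.join(f.reasons)}")
```

These rules are a reading aid, not a verdict: an entry that trips none of them (the [susse] hpsw.exe line, for instance, lives in system32 and passes clean) still has to be checked against a file-reputation source such as the analyzer linked earlier, and a hit only means the entry deserves a closer look before it is fixed or removed.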

[P][RO][CE][SS][OR]
02-08-2006, 04:23 PM
ImageShack didn't do that. When using ImageShack copy and paste the last link at the bottom. It's marked: "Direct link to image".

See this one is hosted at ImageShack:
http://img202.imageshack.us/img202/9632/idunno1li.jpg

I guess 3 hours of sleep leaves me vulnerable to mistakes :D. I got 14 hours today, hopefully I won't malfunction.

And thank you everyone for the help! I've truncated all the unnecessary running processes and booted the ol' laptop up, and surprise, surprise, the spot is only in history now. I will also keep the link to the HijackThis log analyzer; that's a really nifty site ;).

Regards,
Zach