Virus help please?

I believe I have a trojan virus. I was told to run “HijackThis” and post the log in hopes of finding a solution.

TIA
b
Logfile of HijackThis v1.99.0
Scan saved at 11:07:42 AM, on 1/25/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
C:\WINNT\System32\QCONSVC.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\RioMSC.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\system32\tp4serv.exe
C:\WINNT\system32\ltmsg.exe
C:\WINNT\system32\S3Tray2.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINNT\system32\PRPCUI.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\WINNT\system32\RunDll32.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINNT\System32\hphmon05.exe
C:\Program Files\InFocus\Projector Manager\pmusbdet.exe
C:\WINNT\System32\wsxsvc\wsxsvc.exe
C:\WINNT\System32\vmss\vmss.exe
C:\WINNT\system32\Rppfaj.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\System32\RunDLL32.exe
C:\Documents and Settings\Administrator\Application Data\mroh.exe
C:\WINNT\system32\winupdt.exe
C:\WINNT\System32??anregw.exe
C:\WINNT\SYSfit.exe
C:\WINNT\DvzCommon\DvzMsgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\winupdt.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\WPC54Cfg.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINNT\BTGrab.dll
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINNT\Helper101.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SDWin32 Class - {41AC083A-7B1A-41A6-992C-D8B38CFB4E78} - C:\WINNT\System32\ruhlr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SDWin32 Class - {992E222A-9580-4D15-8DE8-81212898D154} - C:\WINNT\System32\muoml.dll
O2 - BHO: (no name) - {A50AC631-2FD5-7F08-87E9-07A2DAA66FE7} - C:\WINNT\System32\byimpglk.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: My Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM..\Run: [tourpath] regedit /s c:\winnt\tour.reg
O4 - HKLM..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM..\Run: [TP4EX] tp4ex.exe
O4 - HKLM..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM..\Run: [QCTRAY] C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
O4 - HKLM..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.EXE
O4 - HKLM..\Run: [CSScheduleCheck] C:\CFGSAFE\SCHWIZEX.EXE -CHECK
O4 - HKLM..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM..\Run: [HP Component Manager] “C:\Program Files\HP\hpcoretech\hpcmpmgr.exe”
O4 - HKLM..\Run: [HP Software Update] “C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe”
O4 - HKLM..\Run: [HPHmon05] C:\WINNT\System32\hphmon05.exe
O4 - HKLM..\Run: [InFocusUSBdetector] C:\Program Files\InFocus\Projector Manager\pmusbdet.exe
O4 - HKLM..\Run: [QBCD Autorun] D:\autorun.exe restart TIMER_SEQUENCE first
O4 - HKLM..\Run: [ruhlrc] C:\WINNT\System32\ruhlrc.exe
O4 - HKLM..\Run: [muomlc] C:\WINNT\System32\muomlc.exe
O4 - HKLM..\Run: [version] C:\WINNT\system32\Kqkqti.exe
O4 - HKLM..\Run: [Dvx] C:\WINNT\System32\wsxsvc\wsxsvc.exe
O4 - HKLM..\Run: [vmss] C:\WINNT\System32\vmss\vmss.exe
O4 - HKLM..\Run: [secure] C:\WINNT\system32\Rppfaj.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [stcloader] C:\WINNT\system32\stcloader.exe
O4 - HKLM..\Run: [winupdtl] C:\WINNT\system32\winupdtl.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKCU..\Run: [OfotoNow USB Detection] C:\WINNT\System32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - HKCU..\Run: [Awoa] C:\Documents and Settings\Administrator\Application Data\mroh.exe
O4 - HKCU..\Run: [Fcv] C:\WINNT\System32??anregw.exe
O4 - HKCU..\Run: [DR_S] C:\Program Files\DR_S\DR_S.exe
O4 - HKCU..\Run: [SYSfit] C:\WINNT\SYSfit.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: DataViz Messenger.lnk = C:\WINNT\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless-G Notebook Adapter with SpeedBooster Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\Startup.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IBM PM Service - Unknown - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: NICSer_WPC54GS - Unknown - C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
O23 - Service: QCONSVC - Unknown - C:\WINNT\System32\QCONSVC.EXE
O23 - Service: Rio MSC Manager - Digital Networks North America, Inc. - C:\WINNT\System32\RioMSC.exe

Check out the URL below for an analysis of your log.
http://hijackthis.de/logfiles/89a9754040b5bc3c4b60df47820c2087.html

You might want to bookmark this page for future reference: http://hijackthis.de/. Here you can paste the contents of the log and get an online analysis.

Also, these are the results from Eddy's HijackThis Analyser.


THESE ITEMS ARE EITHER HARMFULL OR A SECURITY RISK
WE STRONGLY RECOMMEND TO FIX THEM :

r1 - hkcu\software\microsoft\internet explorer\searchurl
r1 - hkcu\software\microsoft\windows\currentversion\internet settings
proxyoverride = 127.0.0.1
r3 - default urlsearchhook is missing
o9 - extra button: related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\winnt\web\related.htm
o9 - extra ‘tools’ menuitem: show &related links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\winnt\web\related.htm
o16 - dpf: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (yinststarter class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab


HARMFULL ITEMS IN THE DOCUMENTS AND SETTINGS FOLDER(S) :

Nothing found.


THE FOLLOWING ITEMS ARE NOT NEEDED TO LOAD
AT BOOTTIME FOR THE SYSTEM TO WORK PROPERLY :

o4 - hklm..\run: [s3tray2] s3tray2.exe
o4 - hklm..\run: [hp software update] “c:\program files\hewlett-packard\hp software update\hpwuschd.exe”
o4 - global startup: microsoft office.lnk = c:\program files\microsoft office\office\osa9.exe
o4 - global startup: winzip quick pick.lnk = c:\program files\winzip\wzqkpick.exe


WE HAVE NO INFO ON THE FOLLOWING ITEMS. THEY CAN BE BAD OR GOOD.
YOU HAVE TO VERIFY THEM MANUALLY. PLEASE TELL US IF YOU HAVE INFO ON THEM :

Nothing found.

Also, please follow the link DavidR gave you, as it's always good to double check.

EDIT: Also, please use Windows Update (www.windowsupdate.com) to update your OS, as it seems out of date.
And if you're not already using a firewall, I suggest you install one (unless you already have a hardware (router) one).

–lee