Please Help! Hijackthis Log Included

My computer has been taken over by some annoying virus or spyware or something!

I keep getting a balloon pop up that says "A Critical error could occur" and there are Windows Update and Help and Support Center shortcuts on my desktop that will not go away. Please Help!!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:37:32 PM, on 1/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRAM FILES\TREND MICRO\OFFICESCAN CLIENT\pccntmon.exe
C:\PROGRA~1\INTERA~1\I3ACA.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?.home=ytie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://tsg1/ConnectComputer/
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [HP Mobile Printing] C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://tsg1/connectcomputer/nshelp.dll
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = TSG.local
O17 - HKLM\Software\..\Telephony: DomainName = TSG.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = TSG.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = TSG.local
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Remote Diagnostics Enabling Agent (DfwWebAgent) - Hewlett-Packard - C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
O23 - Service: dlcx_device - - C:\WINDOWS\system32\dlcxcoms.exe
O23 - Service: I3 Update Service (I3UpdateSvc) - Interactive Intelligence, Inc. - C:\Program Files\Interactive Intelligence\I3UpdateSvcU.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5712 bytes

Comments

  • Hi Georgia,

    Sorry for the very late response.

    With HijackThis, fix the following line:

    O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139

    Also, if you don't recognize the address below, fix the line:

    O14 - IERESET.INF: START_PAGE_URL=http://companyweb

    After you fix these, reboot your computer and post a new log.

    Cris.

  • You should also place the file C:\WINDOWS\mrofinu572.exe in an archive with the password infected, and attach it to a new post. We'll take a look at it.
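The replies above single out the `[runner1]` autorun by eye. As an added example (not code from the original post or from HijackThis), the script below parses the O4 lines quoted from the log, expands HijackThis's abbreviated `HKLM\..\Run` notation into the full registry key you would open in regedit, and applies two heuristics of my own (they are assumptions, not HijackThis rules): an image sitting directly in the Windows root rather than in system32 or a vendor folder, and a single long hex blob as the only argument. On this log only the `mrofinu572.exe` entry trips both.

```python
import re

# O4 (autostart) lines copied from the HijackThis log posted above.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: BTTray.lnk = ?
""".strip().splitlines()

# HijackThis abbreviates the key path; expand it so the value can be found in regedit.
_RUN_KEY_PREFIX = r"Software\Microsoft\Windows\CurrentVersion"

_O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] (.*)$")
_HEX_BLOB_RE = re.compile(r"^[0-9A-Fa-f]{32,}$")


def split_command(command):
    """Split an autorun command into (image path, argument string)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end != -1:
            return command[1:end], command[end + 1:].strip()
    # HijackThis prints unquoted paths that contain spaces, so split after the
    # first ".exe" token instead of at the first space.
    m = re.search(r"\.exe\b", command, re.IGNORECASE)
    if m:
        return command[:m.end()], command[m.end():].strip()
    parts = command.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def parse_o4(line):
    """Return a dict for a registry-backed O4 line, or None for other O4 forms."""
    m = _O4_RE.match(line)
    if not m:
        return None
    hive, subkey, value_name, command = m.groups()
    image, args = split_command(command)
    return {
        "hive": hive,
        "key": f"{hive}\\{_RUN_KEY_PREFIX}\\{subkey}",
        "value_name": value_name,
        "image": image,
        "args": args,
    }


def suspicion_reasons(entry):
    """Heuristics (assumptions for this example, not HijackThis rules)."""
    reasons = []
    image = entry["image"].lower()
    # An executable dropped straight into the Windows root, outside system32
    # and any vendor folder, is a classic malware drop location.
    if re.fullmatch(r"[a-z]:\\windows\\[^\\]+", image):
        reasons.append("image directly in Windows root")
    # A lone long hex blob as the argument looks like an install/campaign ID,
    # not a normal command-line switch such as -HideWindow.
    if entry["args"] and _HEX_BLOB_RE.match(entry["args"]):
        reasons.append("long hex argument")
    return reasons


def flag_autoruns(lines):
    """Parse every registry O4 line and return those that trip a heuristic."""
    flagged = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = suspicion_reasons(entry)
        if reasons:
            entry["reasons"] = reasons
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in flag_autoruns(SAMPLE_O4_LINES):
        print(f'{e["key"]} -> [{e["value_name"]}] {e["image"]}: {", ".join(e["reasons"])}')
```

The expanded key is what "fixing" the O4 line actually does: HijackThis deletes the `runner1` value under `HKLM\Software\Microsoft\Windows\CurrentVersion\Run`. Deleting the value only stops the launch; the file itself is still on disk, which is why the second reply asks for it to be archived and uploaded rather than just removed.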