Hijackthis log

McK1987

Hi Guys,

Would like to pick your brains!

Can anybody see anything that should not be running on this machine? My links in IE are constantly being taken off the toolbars, when I like to have them expanded across the top of my IE window. Also I am receiving a lot of trojan alerts through McAfee and I receive a RUNDLL message on startup.

Thanks in advance guys!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:41:04, on 07/09/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17080)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\SetPoint\LBTWiz.exe
C:\Program Files\Realtek\Diagnostics Utility\8169Diag.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\SetPoint\SetPoint.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.uk.msn.com/USSMB/2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://toolbar.inbox.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=%tb_id%language
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.live.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.iblogin.com/hobsinternet/en/internet/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://toolbar.inbox.com/search/ie.aspx?tbid=80140
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://toolbar.inbox.com/help/sa_customize.aspx?tbid=80140
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://toolbar.inbox.com/search/ie.aspx?tbid=80140
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://toolbar.inbox.com/help/sa_customize.aspx?tbid=80140
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.uk.msn.com/USSMB/2
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20100513185723.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [Logitech BT Wizard] LBTWiz.exe -silent
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [8169Diag] C:\Program Files\Realtek\Diagnostics Utility\8169Diag.exe /hw
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [{BBCE312A-9C50-5DD2-A639-8DACBBBC6D3A}] "C:\Documents and Settings\Gran Sheila\Application Data\Viyvuk\nepuk.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 11194 bytes
 
Just at a glance:
O4 - HKCU\..\Run: [{BBCE312A-9C50-5DD2-A639-8DACBBBC6D3A}] "C:\Documents and Settings\Gran Sheila\Application Data\Viyvuk\nepuk.exe"

There aren't many programs that have a good reason for running in the App Data folder. 99._% of the time, it's malware.*

Incidentally, I'd recommend Autoruns over HijackThis. With the former, you can turn things off/on and can undo a change. HijackThis is a one-way street if you delete something by accident.

Does HijackThis look anywhere that Autoruns doesn't?


edit: * Google Chrome is one of the only programs I can think of that runs there:
Its folder on my machine: C:\Users\{username}\AppData\Local\Google\Chrome\Application
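Turning the rule above into a check over the log's O4 lines, as an added example that is not HijackThis or Autoruns code: it parses each autorun entry, extracts the launched executable, and flags anything under Application Data (XP) or AppData (Vista and later) unless it is on an allow-list, which here holds only the Chrome path mentioned and is an assumption to extend for your own environment. The sample lines are copied from the log in this thread plus one constructed Chrome entry.

```python
"""Triage the O4 (autorun) lines of a HijackThis log with the rule from the post above:
an executable launched from a user's Application Data folder deserves a close look.
Added example, not HijackThis/Autoruns code; the allow-list is an assumption."""
from __future__ import annotations
import re
from collections import namedtuple

# Constructed sample: five lines copied from the log in this thread plus one Vista+-style line.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [{BBCE312A-9C50-5DD2-A639-8DACBBBC6D3A}] "C:\Documents and Settings\Gran Sheila\Application Data\Viyvuk\nepuk.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKCU\..\Run: [ChromeAutoLaunch] "C:\Users\jane\AppData\Local\Google\Chrome\Application\chrome.exe" --no-startup-window
"""

Entry = namedtuple("Entry", "hive name path")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)$")   # HijackThis appends "(User 'SYSTEM')" for HKUS hives
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
APPDATA_MARKERS = ("\\application data\\", "\\appdata\\")   # XP and Vista+ profile layouts
ALLOWED_APPDATA = ("\\appdata\\local\\google\\chrome\\application\\",)  # assumed allow-list (Chrome, per the post)

def exe_path(cmd: str) -> str:
    """Pull the launched file out of a Run value, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)(?=\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]

def parse_o4(line: str) -> Entry | None:
    m = O4_RE.match(line.strip())
    if not m:
        return None
    return Entry(m.group("hive"), m.group("name"), exe_path(USER_SUFFIX_RE.sub("", m.group("cmd"))))

def classify(entry: Entry) -> list[str]:
    """Reason codes that warrant a closer look; an empty list means nothing stood out."""
    low, reasons = entry.path.lower(), []
    if "\\" not in low:
        reasons.append("bare-filename")   # no directory given: locate the file on disk first
    elif any(mk in low for mk in APPDATA_MARKERS) and not any(ok in low for ok in ALLOWED_APPDATA):
        reasons.append("appdata")         # the rule from the post above
    if GUID_RE.match(entry.name):
        reasons.append("guid-name")       # extra heuristic, prompted by the nepuk.exe entry in this log
    return reasons

def triage(log_text: str) -> list[tuple[Entry, list[str]]]:
    entries = (parse_o4(line) for line in log_text.splitlines())
    return [(e, classify(e)) for e in entries if e is not None]

if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(f"{entry.name:42} {', '.join(reasons) or 'ok':25} {entry.path}")
```

A bare file name such as RTHDCPL.EXE is reported rather than judged, because the log does not say which directory Windows will resolve it from.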
 
The reason I uploaded this log was because McAfee was detecting Trojans. However, it seemed as though McAfee was detecting them and quarantining them as it should do.


A worrying incident occurred on the user's PC last night when she went on to the Bank of Scotland website to make a payment. After logging in to the website as per usual, the user then clicked to go into her account to make the payment. It was at this point that she was prompted with a message saying there was going to be a security check. Her house phone number was on screen and she was asked to confirm this number, so she did by clicking 'Continue'. On the next page, it then said that the bank was going to call her to carry out this security check and confirm that this was in fact the owner of the account. So she clicked 'Call me Now'. True enough, the house phone rang and she answered. It then appeared on the computer screen to press the # key on the phone and then type 0088 on the phone, so she did. At this point there was a bit of activity on the screen and the PC looked as though it was loading up the next page... at this point she noticed that the heading of the next page read 'Payment Completed'. When the next page was loaded, it was her accounts and roughly £1000 had been taken from her account by a L R Shaw!!

She was not expecting this payment nor did she want to make this payment! She did not access bank through a search engine or a link. The URL was typed in the address bar and the padlock and the https was all there. She never gave out any details or submitted any details.

She has called the bank and the bank will cover her for the money, but it got me thinking: was there something I could have removed to stop this happening? A virus, trojan?? The bank did ask her to run a full system scan but I would have thought this would have been the bank's fault for allowing somebody to compromise their site.

I understand this may be slightly confusing!!

Any thoughts guys???

Thanks in advance!!
 
Let me get this straight in my head..

Your client went onto the RBS website, to make a payment, and was then alerted to this strange security message?

Questions.. Was it the true RBS website, and not a cloned one?

Did the website have the https, and the padlock on it, when she logged in?

From then on, everything was as mentioned in your post?

I personally find this VERY strange, and worrying to say the least. I think the bank should have a look at this immediately, and if needed pass the details onto their fraud department.

Which browser was your client running?

Did the browser come up with 'this site may be fraud' etc., and your client simply bypassed it?

Have you tried a manual removal of any virus(es), or run Hitman Pro, via cloud, to check the system more thoroughly? Run an online scanner etc.?

Other than that, I am completely clueless..

EDIT, just re-read your post, and saw the part re the https, and the padlock. Apologies.
 
Hi Guys,

Would like to pick your brains!

Can anybody see anything that should not be running on this machine? My links in IE are constantly being taken off the toolbars, when I like to have them expanded across the top of my IE window. Also I am receiving a lot of trojan alerts through McAfee and I receive a RUNDLL message on startup.

Thanks in advance guys!!

Forum Rules

No End Users
These forums are for either current computer technicians, or soon-to-be computer technicians. We do not provide computer help to any non-technicians.

Do not ask for technical help without having done basic diagnosis first.

Try this
http://forums.majorgeeks.com/
 
Let me get this straight in my head..

Your client went onto the RBS website, to make a payment, and was then alerted to this strange security message?

Questions.. Was it the true RBS website, and not a cloned one?

Did the website have the https, and the padlock on it, when she logged in?

From then on, everything was as mentioned in your post?

I personally find this VERY strange, and worrying to say the least. I think the bank should have a look at this immediately, and if needed pass the details onto their fraud department.

Which browser was your client running?

Did the browser come up with 'this site may be fraud' etc., and your client simply bypassed it?

Have you tried a manual removal of any virus(es), or run Hitman Pro, via cloud, to check the system more thoroughly? Run an online scanner etc.?

Other than that, I am completely clueless..

EDIT, just re-read your post, and saw the part re the https, and the padlock. Apologies.

Thanks for your quick response!

The client was running IE7 if I remember correctly. The client has McAfee Internet Security running and also has the McAfee Site Advisor tool but nothing came up telling the client that this site may be fraud.

It certainly seemed to the client to be the correct site, and I had a look after and it seemed legit to me, something that may have actually caught me out!

She has contacted the bank and they are looking into it. I just wondered if there is anything on the PC that may have caused this, or do you think it is more at the bank's end?

I ran a Virus scan but it didn't find anything.

Thanks Again guys!!
 
Forum Rules

No End Users
These forums are for either current computer technicians, or soon-to-be computer technicians. We do not provide computer help to any non-technicians.

Do not ask for technical help without having done basic diagnosis first.

Try this
http://forums.majorgeeks.com/

I apologise! It was actually on a client's PC, but the way I wrote this made it sound like it was my own, just because I thought it was easier to explain! I do actually work as a Service Desk Analyst and as a mobile Computer Technician!
 
She has contacted the bank and they are looking into it. I just wondered if there is anything on the PC that may have caused this, or do you think it is more at the bank's end?

I ran a Virus scan but it didn't find anything.

Thanks Again guys!!

Besides Mcafee, have you tried any other scans, or manual removal?

Even an online scanner, i.e. Trend Micro, Panda etc. Hitman Pro would be a good bet in my mind.
 
Also it may be worthwhile running Autoruns and Process Explorer, and having a look manually for anything which shouldn't be there.
 
If you have some virus-like symptoms but not obvious infection then check for rootkits. First thing I'd do is run TDSSKiller.
 
Right, wee update on this one...

I went back round and ran Hitman Pro and it came back with a trojan, which it quarantined.

The same process was found in autoruns.

The process was running in C:\Documents and Settings\**User**\Application Data\viyvuk\nepuk.exe

I did notice this program in the registry, but every time I deleted it and refreshed, it would re-appear.

After running Hitman Pro, Superantispyware and restarting, the file is no longer there. Now I think I have removed the file. Hitman pro no longer finds anything, just hope it's removed and not recreated as a different name.

I feel confident now to say to the user it's removed and PC is clean.

I don't know exactly how it got there? Was it due to the user maybe clicking something or what? A trojan?

Cheers for all your assistance guys.
 
You're welcome.

Take a look at the links in this post to Mark Russinovich's videos. Get to know Process Explorer.
Between (mostly) it, and Autoruns, they can be your two best friends for getting rid of the majority of malware.

There's a dozen different ways this stuff can get on a system, from an independent scripted hijack to a user giving popups permission to install things.
 