What is this?? (Hijack log)

Discussion in 'Windows Desktop Systems' started by Noxious, Feb 7, 2004.

  1. Noxious

    Noxious OSNN One Post Wonder

    Messages:
    4
    Logfile of HijackThis v1.97.7
    Scan saved at 8:54:31 AM, on 2/7/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Logitech\iTouch\iTouch.exe
    E:\Program Files\PopUp Killer\popupkiller.EXE
    C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\System32\tbctray.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
    C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
    C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
    C:\Program Files\Panda Software\Panda Antivirus Platinum\pavProxy.exe
    E:\Downloads\Software\Windows Utilities\Spyware Removal\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pre.sympatico.ca/index.jsp?lang=en
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://windowsupdate.microsoft.com/
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\System32\IETie.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [PopUpKiller] E:\Program Files\PopUp Killer\popupkiller.EXE
    O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
    O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe
    O4 - HKLM\..\RunServices: [Windows Scrub] wudgra.exe <-------------------------------------------------***************
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37987.5201273148
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab

    wudgra.exe
    For some reason this file was generated at startup.
    After denying it service to the internet, I removed it from my system32 folder and placed it on my desktop.
    I then restarted, and upon boot I was prompted to download a file (presumably from the internet), the only option being to OPEN, with no name of the file visible. I then disabled the registry key in Windows Run and am still prompted to save this file at boot.
     
  2. Enyo

    Enyo Moderator

    Messages:
    1,338
    Remove:

    O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\System32\IETie.dll

    Sounds like wudgra.exe is a trojan.

    You can ZIP it up and e-mail it to me and I'll see if I can identify it.

    Mail it to foobar@ntfs.org
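The two things the replies act on, an autostart entry that is just a bare filename under a RunServices key and a BHO DLL nobody recognises, can be checked mechanically instead of by eye. The Python below is an added example, not the poster's code, not Enyo's, and not part of HijackThis: it parses the O2 and O4 lines of a constructed excerpt in the log format above, splits each autostart command into program and arguments, and reports why a line deserves a second look. The BHO allowlist, the argument-splitting heuristic and the sample excerpt are assumptions made for the example.

```python
"""Triage the autostart (O4) and BHO (O2) lines of a HijackThis log.

Added example for this thread; not code from the forum post or from HijackThis.
"""
import re
from typing import Dict, List

# Constructed excerpt in HijackThis v1.97 format, trimmed from the kind of
# log posted above. Only a few lines are kept so the example stays readable.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\System32\ctfmon.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\System32\IETie.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [Windows Scrub] wudgra.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

# Hypothetical allowlist of BHO DLL basenames the analyst already recognises
# (assumption: Spybot's SDHelper.dll is known good; everything else is not yet).
KNOWN_GOOD_BHO = {"sdhelper.dll"}

EXE_EXTS = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".dll")

# O4 - HKLM\..\RunServices: [Windows Scrub] wudgra.exe
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
# O2 - BHO: (no name) - {CLSID} - C:\path\to.dll
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")


def executable_of(cmd: str) -> str:
    """Split an autostart command into its program part, dropping arguments.

    Heuristic (an assumption of this example): honour quotes, otherwise grow
    the prefix until it ends in an executable extension, and failing that stop
    at the first switch-like or numeric token.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split()
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(EXE_EXTS):
            return prefix
    for i, tok in enumerate(tokens):
        if i > 0 and (tok[0] in "/-" or tok.isdigit()):
            return " ".join(tokens[:i])
    return cmd


def basename(path: str) -> str:
    """Lowercase final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def running_processes(log: str) -> set:
    """Collect lowercase basenames from the 'Running processes:' block."""
    names, collecting = set(), False
    for line in log.splitlines():
        if line.startswith("Running processes:"):
            collecting = True
            continue
        if collecting:
            if not line.strip():
                break
            names.add(basename(line.strip()))
    return names


def triage(log: str) -> List[Dict[str, object]]:
    """Return one finding per O2/O4 line that has at least one reason to look."""
    running = running_processes(log)
    findings = []
    for line in log.splitlines():
        reasons, target = [], ""
        m = O4_RE.match(line)
        if m:
            _hive, key, _name, cmd = m.groups()
            target = executable_of(cmd)
            if "\\" not in target and not target.startswith("%"):
                reasons.append("bare filename: found via search order, location not verifiable")
            if key.lower().startswith("runservices"):
                reasons.append("RunServices is a Windows 9x-era key; anything new here deserves a look")
        m = O2_RE.match(line)
        if m:
            _name, _clsid, target = m.groups()
            if basename(target) not in KNOWN_GOOD_BHO:
                reasons.append("BHO DLL not on the allowlist: identify the CLSID/DLL before trusting it")
        if reasons:
            findings.append({"line": line, "target": target,
                             "running": basename(target) in running,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["target"], "(running)" if f["running"] else "(not running)")
        for r in f["reasons"]:
            print("   -", r)
```

A bare filename is not proof of anything (the Logitech entry is legitimate), which is why each reason is reported rather than a verdict: the point is that an entry with no path cannot be tied to a file on disk from the log alone, and a brand-new RunServices entry on an NT-based system has no honest reason to exist. The "running" flag shows whether the program was alive at scan time; in this thread the firewall had already blocked wudgra.exe, which is consistent with it not appearing in the process list.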
     
  3. Noxious

    Noxious OSNN One Post Wonder

    Messages:
    4
    I have already fixed the problem and isolated the file. I would send it to you, but unfortunately I have already removed it.
    I am quite sure it is a trojan now. It also added another exe called s3serv.exe,
    which I have also fixed. I just wanted to know if anyone else had come across this so I could figure out how I got it, as I can find NOTHING about these files anywhere.
     
  4. Enyo

    Enyo Moderator

    Messages:
    1,338
    Yeah, neither of the file names is known, which would suggest it's not a worm but rather a Trojan with modified names.

    What you're seeing with IE is done using a flaw in the browser, which I believe was fixed, so make sure you're fully patched.

    What anti-virus do you use? Did it alert you to anything at all? I assume your firewall stepped in and stopped them getting out to the internet?
     
  5. Noxious

    Noxious OSNN One Post Wonder

    Messages:
    4
    I am using Panda AV, and no, I didn't get an alert until the firewall asked me what to do.
    I am checking for updates as I write this.
     
  6. Mainframeguy

    Mainframeguy Debiant by way of Ubuntu Folding Team

    Messages:
    3,763
    Location:
    London, UK
    OT - does your email addie mean you wrote foobar? If so, respect to you! I love that player for its elegant simplicity!
     
  7. sboulema

    sboulema Moderator

    Messages:
    2,846
    Location:
    Amstelveen, The Netherlands
    Enyo didn't write it. foobar is just an internet slang word for 'weird stuff' AFAIK.
     
  8. Enyo

    Enyo Moderator

    Messages:
    1,338
    Noxious, it sounds like your firewall saved you then. Providing the prompts to download 'something' at boot have gone and the files have been removed, it sounds like you're safe.

    Mainframeguy, I edited my e-mail address out and replaced it with foobar.
     
  9. Noxious

    Noxious OSNN One Post Wonder

    Messages:
    4
    Thanks for the help, Enyo. I didn't notice the IE entry in the hijack log; I would have left it in.
    :S
    And I had a 15 meg update for windoze.
     
  10. dreamliner77

    dreamliner77 The Analog Kid

    Messages:
    4,702
    Location:
    Red Sox Nation

    Peter Pawlowski is the author of fb2k. He had previously worked on Winamp. He can often be found over at hydrogenaudio.org in the fb2k forum as zZzZzZz, or in the IRC channel #foobar2000 on freenode.