What is this?? (Hijack log)

Noxious

OSNN Newbie
Joined
Feb 7, 2004
Messages
4
#1
Logfile of HijackThis v1.97.7
Scan saved at 8:54:31 AM, on 2/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
E:\Program Files\PopUp Killer\popupkiller.EXE
C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\tbctray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavProxy.exe
E:\Downloads\Software\Windows Utilities\Spyware Removal\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pre.sympatico.ca/index.jsp?lang=en
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://windowsupdate.microsoft.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\System32\IETie.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [PopUpKiller] E:\Program Files\PopUp Killer\popupkiller.EXE
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe
O4 - HKLM\..\RunServices: [Windows Scrub] wudgra.exe <-------------------------------------------------***************
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37987.5201273148
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
wudgra.exe
For some reason this file was generated at startup.
After denying it access to the internet I removed it from my system32 folder and placed it on my desktop.
I then restarted and upon boot was prompted to download a file (presumably from the internet), the only option being to OPEN, with no name of the file visible. I then disabled the registry key in Windows Run and am still prompted to save this file at boot.
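The entry the poster marked in the log is an O4 RunServices value whose command is a bare filename with no path. As an added example (not from the thread and not part of HijackThis), here is a small Python triage that parses O4 and O2 lines in this log format and flags the patterns a defender would verify first; the sample lines are copied from the log above, and the flags are hints to check on disk, not verdicts.

```python
import re

# Constructed sample: a subset of lines copied from the HijackThis log in post #1.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [Windows Scrub] wudgra.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\System32\IETie.dll
"""

O4_RE = re.compile(r"^O4 - (HK[A-Z]+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")

def _executable(command):
    """Return the program part of a Run value, dropping quotes and arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""

def triage(log_text):
    """Parse O4/O2 lines; return (line, [reasons]) for entries worth a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        reasons = []
        m = O4_RE.match(line)
        if m:
            hive, key, name, command = m.groups()
            # A bare filename is resolved through the PATH at logon, so the log alone
            # does not say where the file lives; it may be legitimate (Logi_MwX.Exe)
            # or not (wudgra.exe) and must be located and checked on disk.
            if "\\" not in _executable(command):
                reasons.append("bare filename, no path")
            # RunServices is a legacy Windows 9x autostart key that current software
            # has little reason to use; the poster's own arrow marks this line.
            if key == "RunServices":
                reasons.append("RunServices autostart")
        m = O2_RE.match(line)
        if m:
            name, clsid, path = m.groups()
            # A nameless BHO is not malicious by itself (SDHelper.dll is Spybot's);
            # it simply cannot be identified without checking the DLL and CLSID.
            if name == "(no name)":
                reasons.append("unnamed BHO: verify %s" % path)
        if reasons:
            findings.append((line, reasons))
    return findings

if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(entry, "->", "; ".join(why))
```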
 

Enyo

OSNN Veteran Addict
Joined
Feb 2, 2003
Messages
1,338
#2
Remove:

O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\System32\IETie.dll

Sounds like wudgra.exe is a trojan.

You can ZIP it up and e-mail it to me and I'll see if I can identify it.

Mail it to foobar@ntfs.org
 

Noxious

OSNN Newbie
Joined
Feb 7, 2004
Messages
4
#3
I have already fixed the problem and isolated the file. I would send it to you but unfortunately I have already removed it.
I am quite sure it is a trojan now. It also added another exe called s3serv.exe,
which I have also fixed. I just wanted to know if anyone else had come across this so I could figure out how I got it, as I can find NOTHING about these files anywhere.
 

Enyo

OSNN Veteran Addict
Joined
Feb 2, 2003
Messages
1,338
#4
Yeah, neither of the file names is known, which would suggest it's not a worm but rather a Trojan with modified names.

What you're seeing with IE is done using a flaw in the browser, which I believe was fixed, so make sure you're fully patched.

What anti-virus do you use? Did it alert you to anything at all? I assume your firewall stepped in and stopped them getting out to the internet?
 

Noxious

OSNN Newbie
Joined
Feb 7, 2004
Messages
4
#5
I am using Panda AV and no, I didn't get an alert until the firewall asked me what to do.
I am checking for updates as I write this.
 

sboulema

OSNN Veteran Addict
Joined
Jun 19, 2002
Messages
2,846
#7
Enyo didn't write it. foobar is just an internet slang word for 'weird stuff' AFAIK.
 

Enyo

OSNN Veteran Addict
Joined
Feb 2, 2003
Messages
1,338
#8
Noxious, it sounds like your firewall saved you then. Providing the prompts to download 'something' at boot have gone and the files have been removed, it sounds like you're safe.

Mainframeguy, I edited my e-mail address out and replaced it with foobar.
 

Noxious

OSNN Newbie
Joined
Feb 7, 2004
Messages
4
#9
Thanx for the help Enyo, I didn't notice the IE entry in the hijack log, would have left it in
:S
and I had a 15 meg update for windoze
 

dreamliner77

The Analog Kid
Joined
Mar 16, 2002
Messages
4,707
#10
Mainframeguy said:
OT - does your email addie mean you wrote foobar? If so, respect to you! I love that player for its elegant simplicity!

Peter Pawloski is the author of fb2k. He had previously worked on winamp. He can often be found over at hydrogenaudio.org in the fb2k forum as zZzZzZz. Or in the irc channel #foobar2000 on freenode.
 
