My Log.... Having problems.

Hello, my log here:

Logfile of HijackThis v1.99.0
Scan saved at 23:35:06, on 14.01.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\Java\j2re1.4.2_06\bin\jusched.exe
C:\Programme\SED\SED.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\msupd5.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Pulse\Pulse.exe
C:\Dokumente und Einstellungen\Scotty69\Eigene Dateien\pr0gz\mIRC\mirc.exe
C:\Dokumente und Einstellungen\Scotty69\Eigene Dateien\pr0gz\_ ZFDown203\mirc32.exe
C:\WINDOWS\System32\rsguqrzr.exe
C:\Dokumente und Einstellungen\Scotty69\Eigene Dateien\pr0gz\FlashFXPv21924.dLs\FlashFXP.exe
C:\Dokumente und Einstellungen\Scotty69\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://arcor.de/login
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {029629AD-283E-CBBE-BC89-9D4666ADC3C5} - C:\WINDOWS\System32\hkaxsbel.dll
O2 - BHO: (no name) - {DF6E4D57-260F-491F-219D-B344911C9251} - C:\WINDOWS\System32\vpgezlny.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [SESync] "C:\Programme\SED\SED.exe"
O4 - HKLM\..\Run: [rsguqrzr] C:\WINDOWS\System32\rsguqrzr.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Pulse] C:\Programme\Pulse\Pulse.exe -splash
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: klamm.de - {EB52F380-B8AE-11d5-AE8E-52544025AABB} - http://www.klamm.de/?id=150826 (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: klamm.de - {EB52F380-B8AE-11d5-AE8E-52544025AABB} - http://www.klamm.de/?id=150826 (file missing) (HKCU)
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-17.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1104787459484
O17 - HKLM\System\CCS\Services\Tcpip\..\{C71697A1-AB9B-4B69-B26C-6F3C1544F465}: NameServer = 217.237.150.141 217.237.150.97
O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: Miscrosoft Updates Service 5 - Unknown - C:\WINDOWS\System32\msupd5.exe

The problems are advertising from... I don't know... Mediabuy or so. I'm a noob, sorry, please help me.

/edit: For a few seconds, this page ran: http://www.northernarizonamls.com/sc...757910,-AS,-N1
Nobody here who could help?
Hi, you should update your system to Service Pack 2. Get E-Scan: http://www.trojaner-board.de/42731-escan-anleitung.html. Create the directory c:\bases and unzip (!) the mwav.exe into that directory. Use kavupd.exe to get the latest signatures. Start a full scan (all files) in safe mode (!). Search the logfile and post everything E-Scan flagged as "infected". You're definitely infected with a hijacker, but I'm afraid there's a real backdoor too. That's why you should check everything before we proceed.
Thank you for your answer, here's the result:

Sun Jan 16 15:51:30 2005 => File C:\WINDOWS\system32\guard.tmp infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
Sun Jan 16 15:51:58 2005 => File C:\WINDOWS\mm15201518.Stub.exe infected by "not-a-virus:AdWare.EZula.ah" Virus. Action Taken: No Action Taken.
Sun Jan 16 15:52:01 2005 => File C:\WINDOWS\sahagent-1002.exe infected by "not-a-virus:AdWare.Sahat.h" Virus. Action Taken: No Action Taken.
Sun Jan 16 15:52:03 2005 => File C:\WINDOWS\unstall.exe infected by "not-a-virus:AdWare.MediaMotor.a" Virus. Action Taken: No Action Taken.
Sun Jan 16 15:52:06 2005 => File C:\WINDOWS\system32\akcore.dll infected by "not-a-virus:AdWare.Coreak" Virus. Action Taken: No Action Taken.
Sun Jan 16 15:52:34 2005 => File C:\WINDOWS\system32\guard.tmp infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
Sun Jan 16 15:52:42 2005 => File C:\WINDOWS\system32\jtpm0771e.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
Sun Jan 16 15:53:48 2005 => File C:\DOKUME~1\Scotty69\LOKALE~1\Temp\Del6.tmp infected by "not-a-virus:AdWare.180Solutions" Virus. Action Taken: No Action Taken.
Sun Jan 16 15:53:48 2005 => File C:\DOKUME~1\Scotty69\LOKALE~1\Temp\SskUpdater.exe infected by "not-a-virus:AdWare.SurfSide.c" Virus. Action Taken: No Action Taken.
Sun Jan 16 15:54:02 2005 => File C:\DOKUME~1\Scotty69\LOKALE~1\Temp\uninstall.exe infected by "not-a-virus:AdWare.ToolBar.EliteBar.q" Virus. Action Taken: No Action Taken.
Sun Jan 16 15:58:17 2005 => File C:\Dokumente und Einstellungen\Scotty69\Lokale Einstellungen\Temp\Del6.tmp infected by "not-a-virus:AdWare.180Solutions" Virus. Action Taken: No Action Taken.
Sun Jan 16 15:58:18 2005 => File C:\Dokumente und Einstellungen\Scotty69\Lokale Einstellungen\Temp\SskUpdater.exe infected by "not-a-virus:AdWare.SurfSide.c" Virus. Action Taken: No Action Taken.
Sun Jan 16 15:58:34 2005 => File C:\Dokumente und Einstellungen\Scotty69\Lokale Einstellungen\Temp\uninstall.exe infected by "not-a-virus:AdWare.ToolBar.EliteBar.q" Virus. Action Taken: No Action Taken.
Sun Jan 16 16:14:22 2005 => File C:\WINDOWS\mm15201518.Stub.exe infected by "not-a-virus:AdWare.EZula.ah" Virus. Action Taken: No Action Taken.
Sun Jan 16 16:14:54 2005 => File C:\WINDOWS\sahagent-1002.exe infected by "not-a-virus:AdWare.Sahat.h" Virus. Action Taken: No Action Taken.
Sun Jan 16 16:19:15 2005 => File C:\WINDOWS\system32\akcore.dll infected by "not-a-virus:AdWare.Coreak" Virus. Action Taken: No Action Taken.
Sun Jan 16 16:20:11 2005 => File C:\WINDOWS\system32\guard.tmp infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
Sun Jan 16 16:20:17 2005 => File C:\WINDOWS\system32\jtpm0771e.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
Sun Jan 16 16:21:15 2005 => File C:\WINDOWS\Temp\akcore.dll infected by "not-a-virus:AdWare.Coreak" Virus. Action Taken: No Action Taken.
Sun Jan 16 16:21:15 2005 => File C:\WINDOWS\Temp\nsdtmp09.dll infected by "not-a-virus:AdWare.MetaDirect.a" Virus. Action Taken: No Action Taken.
Sun Jan 16 16:21:16 2005 => File C:\WINDOWS\Temp\suicidetb.exe infected by "not-a-virus:AdWare.ToolBat.EliteBar.z" Virus. Action Taken: No Action Taken.
Sun Jan 16 16:21:23 2005 => File C:\WINDOWS\unstall.exe infected by "not-a-virus:AdWare.MediaMotor.a" Virus. Action Taken: No Action Taken.

I haven't done anything yet, because I'm waiting for your help.
Did you check to scan all files? The reason I wanted the test is:

O23 - Service: Miscrosoft Updates Service 5 - Unknown - C:\WINDOWS\System32\msupd5.exe

That's definitely malware (it says Miscrosoft instead of Microsoft), and it's running as a service, and I need to know what it is. If it's not a backdoor and only belongs to some hijacker/adware, we can avoid a new install and fix it. But I need to know exactly what it is before that. Get http://www.clearprog.de/index.php?lang=en

You can already deactivate system recovery, boot into safe mode and fix with HJT:

O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {029629AD-283E-CBBE-BC89-9D4666ADC3C5} - C:\WINDOWS\System32\hkaxsbel.dll
O2 - BHO: (no name) - {DF6E4D57-260F-491F-219D-B344911C9251} - C:\WINDOWS\System32\vpgezlny.dll
O4 - HKLM\..\Run: [SESync] "C:\Programme\SED\SED.exe"
O4 - HKLM\..\Run: [rsguqrzr] C:\WINDOWS\System32\rsguqrzr.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

Clean your temporary files with ClearProg. Delete the files in those entries as well as the other things E-Scan has found. Start into normal mode and activate the system recovery. Post a new logfile of HJT. We might need this program later if we can't fix it that way: http://forums.subratam.org/index.php?showtopic=1725
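The triage the helper does by eye above (hosts entries that redirect search domains to one IP, unnamed BHOs, and a service whose vendor is unknown and whose name almost spells "Microsoft") can be expressed as a small HijackThis log parser. This is an added example, not code from the thread or from HijackThis; the line regex, the fuzzy-match threshold and the sample lines (copied from the log in this thread) are my assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed sample: a handful of HijackThis lines copied from the log in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O2 - BHO: (no name) - {029629AD-283E-CBBE-BC89-9D4666ADC3C5} - C:\WINDOWS\System32\hkaxsbel.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min
O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: Miscrosoft Updates Service 5 - Unknown - C:\WINDOWS\System32\msupd5.exe
"""

# HJT entry lines start with a section tag (R0..R3, O1..O23), " - ", then the entry body (assumed format).
LINE_RE = re.compile(r"^([RO]\d+)\s+-\s+(.*)$")

def parse_hjt(text):
    """Split a HijackThis log into (section, body) tuples, skipping non-entry lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def looks_like_brand_typo(name, brand="microsoft", threshold=0.85):
    """True if some word almost spells the trusted vendor but not quite ('Miscrosoft')."""
    words = re.findall(r"[A-Za-z]+", name.lower())
    return any(w != brand and SequenceMatcher(None, w, brand).ratio() >= threshold
               for w in words)

def triage(entries):
    """Return (section, reason, body) for the entry patterns the helper singled out."""
    findings = []
    for section, body in entries:
        if section == "O1" and re.search(r"Hosts:\s+\d+\.\d+\.\d+\.\d+\s+\S*search", body):
            findings.append((section, "hosts file redirects a search domain to one IP", body))
        elif section == "O2" and body.startswith("BHO: (no name)"):
            findings.append((section, "browser helper object without a name", body))
        elif section == "O23" and " - Unknown - " in body and looks_like_brand_typo(body):
            findings.append((section, "service with unknown vendor and a misspelled brand", body))
    return findings

if __name__ == "__main__":
    for section, reason, body in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{section}: {reason}\n    {body}")
```

Run against the full log, the same three checks pick out exactly the O1, O2 and O23 lines the helper asks to fix, while the legitimate AntiVir and ATI entries pass.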
Copyright ©2000-2025, Trojaner-Board