Re: Please Help - HijackThis Logfile!
From: Spoonman (neil_at__mypiercings_namnoops1.demon.co.uk)
Date: 02/22/05
- Previous message: kevin_at_ppic.com: "Ensuring that a sever and website are secure"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 22 Feb 2005 16:24:27 -0000
Things to tick to remove in HijackThis:
O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} -
C:\WINDOWS\Downloaded Program Files\SbCIe02a.dll
O2 - BHO: (no name) - {DECCC11D-54AA-0D5D-DD4E-08C53C7910C2} -
C:\WINDOWS\System32\wgfynlhj.dll
O4 - HKCU\..\Run: [Aepzvofv] C:\WINDOWS\System32\m?iexec.exe
Things I'm not sure about:
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
Hopefully that should sort you out
Spoony
remove _mypiercings_ to email me
"Hachabarata" <hachabarata@yahoo.com> wrote in message
news:1102915723.922714.258600@z14g2000cwz.googlegroups.com...
> Bashar wrote:
>> "Hachabarata" <hachabarata@yahoo.com> wrote in message
>> news:1102788010.558300.223700@c13g2000cwb.googlegroups.com...
>>
>> I can pick out Backweb as spyware. Not really the worst of the web
> though.
>> Sidestep is a low level threat as well. Also check this out:
>> http://www.neuber.com/taskmanager/process/msmsgs.exe.html - This the
>> messenger service that is usually on by default but if you have
> turned it
>> off before, this process should make you suspicious. The process can
> been
>> associated with the alcarys worm. This is all I can readily see for
> now.
>> I am sure others may pick out some more baddies. Some pointers:
>>
>> Explain your problem a bit more and include all the steps you have
> taken so
>> far to remove the spyware/malware/virus problems. Further to this,
> stop
>> using IE and switch to Firefox. Yah yah yah, you can still use it on
>> occasion (banking, updates) but do most of your surfing with another
>> browser. Nuff said. I see you installed a number of other spyware
> tools
>> and guards. So much for them eh? I also shy away from all that
> yahoo
>> crap...never trusted it.
>>
>> Okeedokee:
>>
>> 1) Update your virus definitions (I hope you got this..)
>> 2) Update Spybot and Adaware
>> 3) Download Stinger from here: http://vil.nai.com/vil/stinger/
>> 4) Download Bazooka from here:
>> http://www.kephyr.com/spywarescanner/index.html
>> 5) Go here for a second opinion on virus scanning:
>> http://housecall.trendmicro.com/housecall/start_corp.asp
>> 6) Now boot to safe mode using F8 when restarting your comp
>> 7) Run the antivirus, adaware, spybot, stinger. Reboot and scan
> again in
>> safe mode.
>> 8) Now reboot and run normally. Scan using your antivirus or
> trendmicro,
>> adaware, and bazooka(for a 3rd opinion).
>>
>> If you still have problems, reply to the group. This will all take a
> bit of
>> time so I hope you don't have a cake in the oven...
>>
>
> Thanks for the input. I did most of what you've recommended, but
> nothing helps with the IE spyware problem. I've tried Adaware, Spybot,
> Spyware Doctor, Spysubtract, SpywareBlaster, and a bunch of other
> programs, and I'm kinda desperate now :)
>
> I did see the word "WildTangent" once while using Spybot, which I heard
> was evil Spyware, but Spybot removed it, so that shouldn't be the
> problem anymore. I'm the only user that is affected by this spyware in
> my PC, as my wife hasn't got the same problem.
>
> I downloaded the "stinger" program and ran it, but it came up with
> nothing. But I haven't got any other virus programs to run except
> McAfee that came with the computer a year ago.
>
> I've downloaded Mozilla, but unlike IE, I'm unable to delete individual
> form entries. e.g. if I type "computer virus" in google one time and do
> a search, the second time I type the letter "c", the word "computer
> virus" shows up below the form entry. In IE, the easy way to delete
> this entry would be to simply scroll down and hit the "delete" key, but
> this doesn't work in Mozilla.
>
> FWIW, here's the latest HijackThis logfile from my computer:
>
> Logfile of HijackThis v1.98.2
> Scan saved at 9:27:56 PM, on 12/12/2004
> Platform: Windows XP SP1 (WinNT 5.01.2600)
> MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
>
> Running processes:
> C:\WINDOWS\System32\smss.exe
> C:\WINDOWS\system32\csrss.exe
> C:\WINDOWS\system32\winlogon.exe
> C:\WINDOWS\system32\services.exe
> C:\WINDOWS\system32\lsass.exe
> C:\WINDOWS\system32\svchost.exe
> C:\WINDOWS\System32\svchost.exe
> C:\WINDOWS\System32\svchost.exe
> C:\WINDOWS\System32\svchost.exe
> c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
> c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
> C:\WINDOWS\system32\spoolsv.exe
> C:\WINDOWS\System32\alg.exe
> C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
> c:\Program Files\Norton AntiVirus\navapsvc.exe
> C:\WINDOWS\System32\svchost.exe
> C:\Program Files\Network Associates\VirusScan\VsStat.exe
> C:\Program Files\Network Associates\VirusScan\Avconsol.exe
> C:\WINDOWS\system32\csrss.exe
> C:\WINDOWS\system32\winlogon.exe
> C:\WINDOWS\Explorer.EXE
> C:\WINDOWS\System32\hphmon05.exe
> C:\HP\KBD\KBD.EXE
> C:\WINDOWS\System32\VTTimer.exe
> C:\Program Files\Common Files\Symantec Shared\ccApp.exe
> C:\WINDOWS\LTMSG.exe
> C:\Program Files\Multimedia Card Reader\shwicon2k.exe
> C:\WINDOWS\ALCXMNTR.EXE
> C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
> C:\Program Files\Yahoo!\browser\ybrwicon.exe
> C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
> C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
> C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
> C:\WINDOWS\system\hpsysdrv.exe
> C:\Program Files\Messenger\msmsgs.exe
> C:\PROGRA~1\Yahoo!\browser\ycommon.exe
> C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
> C:\Program Files\Microsoft Office\Office\OSA.EXE
> C:\Program Files\interMute\SpySubtract\SpySub.exe
> C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
> C:\WINDOWS\system32\csrss.exe
> C:\WINDOWS\system32\winlogon.exe
> C:\WINDOWS\Explorer.EXE
> C:\WINDOWS\System32\hphmon05.exe
> C:\HP\KBD\KBD.EXE
> C:\WINDOWS\System32\VTTimer.exe
> C:\Program Files\Common Files\Symantec Shared\ccApp.exe
> C:\WINDOWS\LTMSG.exe
> C:\Program Files\Multimedia Card Reader\shwicon2k.exe
> C:\WINDOWS\ALCXMNTR.EXE
> C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
> C:\Program Files\Yahoo!\browser\ybrwicon.exe
> C:\Program Files\BroadJump\Client Foundation\CFD.exe
> C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
> C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
> C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
> C:\PROGRA~1\Yahoo!\browser\ycommon.exe
> C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
> C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
> C:\WINDOWS\system\hpsysdrv.exe
> C:\Program Files\Messenger\msmsgs.exe
> C:\Program Files\Spyware Doctor\spydoctor.exe
> C:\WINDOWS\System32\m?iexec.exe
> C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
> C:\Program Files\Microsoft Office\Office\OSA.EXE
> C:\Program Files\interMute\SpySubtract\SpySub.exe
> C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
> C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
> C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
> C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
> C:\Program Files\Internet Explorer\iexplore.exe
> C:\Program Files\Internet Explorer\IEXPLORE.EXE
> C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory
> 1 for hijackthis.zip\HijackThis.exe
>
> R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
> C:\WINDOWS\about.htm
> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak =
> about:blank
> R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
> https://reg.knowledgeadventure.com/prodreg.php?sku=71946
> R3 - Default URLSearchHook is missing
> O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
> - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
> O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
> C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
> O2 - BHO: Google Toolbar Helper -
> {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program
> files\google\googletoolbar1.dll
> O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} -
> c:\Program Files\Norton AntiVirus\NavShExt.dll
> O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} -
> C:\WINDOWS\Downloaded Program Files\SbCIe02a.dll
> O2 - BHO: (no name) - {DECCC11D-54AA-0D5D-DD4E-08C53C7910C2} -
> C:\WINDOWS\System32\wgfynlhj.dll
> O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
> C:\WINDOWS\System32\msdxm.ocx
> O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}
> - c:\Program Files\Norton AntiVirus\NavShExt.dll
> O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
> c:\program files\google\googletoolbar1.dll
> O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
> O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
> O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common
> Files\Sonic\Update Manager\sgtray.exe" /r
> O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
> O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
> O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec
> Shared\ccApp.exe"
> O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec
> Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
> O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
> O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
> O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card
> Reader\shwicon2k.exe
> O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
> O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH
> Jukebox\mmtask.exe
> O4 - HKLM\..\Run: [YBrowser] C:\Program
> Files\Yahoo!\browser\ybrwicon.exe
> O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client
> Foundation\CFD.exe
> O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual
> Networks\Visual IP InSight\SBC\IPClient.exe" -l
> O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual
> Networks\Visual IP InSight\SBC\IPMon32.exe"
> O4 - HKLM\..\Run: [Motive SmartBridge]
> C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
> O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP
> Studios\WinPatrol\winpatrol.exe
> O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
> Files\Java\j2re1.4.2_03\bin\jusched.exe
> O4 - HKLM\..\Run: [hpsysdrv] c:\WINDOWS\system\hpsysdrv.exe
> O4 - HKCU\..\Run: [Yahoo! Pager] 1
> O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
> /background
> O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware
> Doctor\spydoctor.exe" /Q
> O4 - HKCU\..\Run: [Aepzvofv] C:\WINDOWS\System32\m?iexec.exe
> O4 - HKCU\..\Run: [Spyware Assassin v.4.0] "C:\Program Files\Spyware
> Assassin 4.0\Spyware Assassin.exe"
> O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy
> Sweeper\SpySweeper.exe" /0
> O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq
> Connections\1940576\Program\BackWeb-1940576.exe
> O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program
> Files\HP\Digital Imaging\bin\hpqtra08.exe
> O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program
> Files\Microsoft Office\Office\FINDFAST.EXE
> O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft
> Office\Office\OSA.EXE
> O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program
> Files\Quicken\bagent.exe
> O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC
> Self Support Tool\bin\matcli.exe
> O4 - Global Startup: SpySubtract.lnk = C:\Program
> Files\interMute\SpySubtract\SpySub.exe
> O8 - Extra context menu item: &Google Search - res://C:\Program
> Files\Google\GoogleToolbar1.dll/cmsearch.html
> O8 - Extra context menu item: Backward Links - res://C:\Program
> Files\Google\GoogleToolbar1.dll/cmbacklinks.html
> O8 - Extra context menu item: Cached Snapshot of Page -
> res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
> O8 - Extra context menu item: E&xport to Microsoft Excel -
> res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
> O8 - Extra context menu item: Similar Pages - res://C:\Program
> Files\Google\GoogleToolbar1.dll/cmsimilar.html
> O8 - Extra context menu item: Translate into English - res://C:\Program
> Files\Google\GoogleToolbar1.dll/cmtrans.html
> O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
> C:\WINDOWS\System32\msjava.dll
> O9 - Extra 'Tools' menuitem: Sun Java Console -
> {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
> O9 - Extra button: Yahoo! Login -
> {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program
> Files\Yahoo!\Common\ylogin.dll
> O9 - Extra 'Tools' menuitem: Yahoo! Login -
> {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program
> Files\Yahoo!\Common\ylogin.dll
> O9 - Extra button: (no name) - {3E230861-5C87-11D3-A1C6-00105A1B41B8} -
> C:\WINDOWS\Downloaded Program Files\SbCIe02a.dll
> O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} -
> C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
> O9 - Extra 'Tools' menuitem: Yahoo! Messenger -
> {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program
> Files\Yahoo!\Messenger\yhexbmes0521.dll
> O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
> C:\Program Files\Messenger\MSMSGS.EXE
> O9 - Extra 'Tools' menuitem: Windows Messenger -
> {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
> Files\Messenger\MSMSGS.EXE
> O12 - Plugin for .mp3: C:\Program Files\Internet
> Explorer\PLUGINS\npqtplugin3.dll
> O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) -
> http://www.kumudam.com/wfplayer/tdserver.cab
> O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) -
> http://www.otxresearch.com/OTXMedia/OTXMedia.dll
> O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} -
> http://www.sidestep.com/get/k42037/sb02a.cab
> O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) -
> http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
> O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} -
> http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab
> O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) -
> http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
> O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) -
> http://activex.microsoft.com/activex/controls/sdkupdate/sdkinst.cab
>> Toodles...
>>
>> Bashar
>
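The triage above follows a few recurring tells: a BHO registered with "(no name)", a DLL in System32 with a random-looking name, and a Run entry whose filename is one character off a real system binary (a "?" cannot appear in a Windows filename, so the "?" in m?iexec.exe is a character the newsreader could not render, sitting where the "s" of msiexec.exe belongs). The script below is an added example, not part of this thread or of HijackThis: it parses O2 and O4 lines and scores them with those heuristics. The sample log is constructed from a handful of lines in the posted log, the list of system binaries to compare against is my own assumption, and the vowel-ratio test for random names is a rough heuristic, not a rule the thread states.

```python
"""Heuristic triage of HijackThis O2 (BHO) and O4 (Run key) lines.

Added example; the heuristics and the KNOWN_SYSTEM_BINARIES list are the
author's assumptions, not part of HijackThis or of the thread above.
"""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample: a subset of the O2/O4 lines from the posted log.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINDOWS\Downloaded Program Files\SbCIe02a.dll
O2 - BHO: (no name) - {DECCC11D-54AA-0D5D-DD4E-08C53C7910C2} - C:\WINDOWS\System32\wgfynlhj.dll
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKCU\..\Run: [Aepzvofv] C:\WINDOWS\System32\m?iexec.exe
"""

# Assumed list of core Windows binaries that malware likes to imitate.
KNOWN_SYSTEM_BINARIES = (
    "msiexec.exe", "svchost.exe", "lsass.exe", "explorer.exe", "winlogon.exe",
    "services.exe", "csrss.exe", "smss.exe", "spoolsv.exe", "rundll32.exe",
)

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First executable/DLL path in a command line, quoted or not.
CMD_PATH_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|dll|com|scr))\b', re.IGNORECASE)


@dataclass
class Entry:
    kind: str   # HijackThis section: "O2" or "O4"
    name: str   # BHO display name or Run value name
    path: str   # file the entry loads or runs
    raw: str    # the original log line


def parse_line(line):
    """Return an Entry for an O2 or O4 line, or None for anything else."""
    line = line.strip()
    m = O2_RE.match(line)
    if m:
        return Entry("O2", m["name"], m["path"].strip(), line)
    m = O4_RE.match(line)
    if m:
        pm = CMD_PATH_RE.match(m["cmd"])
        return Entry("O4", m["name"], pm["path"] if pm else m["cmd"], line)
    return None


def looks_random(name):
    """True when a name of six or more letters has almost no vowels (heuristic)."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 6:
        return False
    return sum(c in "aeiouy" for c in letters) / len(letters) < 0.2


def lookalike_of(basename):
    """Return the system binary that basename imitates by exactly one
    substituted character, or None."""
    b = basename.lower()
    for known in KNOWN_SYSTEM_BINARIES:
        if len(b) != len(known):
            continue
        diffs = [i for i, (x, y) in enumerate(zip(b, known)) if x != y]
        if len(diffs) == 1:
            return known
    return None


def triage(entry):
    """List the reasons an entry deserves a closer look (empty if none)."""
    reasons = []
    base = ntpath.basename(entry.path)
    if entry.kind == "O2" and entry.name == "(no name)":
        reasons.append("BHO registered without a display name")
    if looks_random(ntpath.splitext(base)[0]) or looks_random(entry.name):
        reasons.append(f"random-looking name ({base!r} / {entry.name!r})")
    known = lookalike_of(base)
    if known:
        reasons.append(f"filename {base!r} is one character off {known!r}")
    if any(c == "?" or ord(c) > 127 for c in base):
        reasons.append("filename contains a character the log could not render")
    if "Downloaded Program Files" in entry.path:
        reasons.append("loaded from Downloaded Program Files (an ActiveX install)")
    return reasons


def triage_log(text):
    """Parse every O2/O4 line and return (raw_line, reasons) for flagged ones."""
    flagged = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            reasons = triage(entry)
            if reasons:
                flagged.append((entry.raw, reasons))
    return flagged


if __name__ == "__main__":
    for raw, reasons in triage_log(SAMPLE_LOG):
        print(raw)
        for r in reasons:
            print("   -", r)
```

Run against the sample, it flags exactly the three lines Spoonman ticked (the two unnamed BHOs and the m?iexec.exe Run entry) and leaves Acrobat, ccApp and LTMSG alone. The heuristics are deliberately cheap; a hit means "look this file up", not "delete it".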