RE: Need Help with Hijackthis File
From: castles_and_dreams (castlesanddreams_at_discussions.microsoft.com)
Date: 01/27/05
- Next message: Jupiter Jones [MVP]: "Re: hotfix files and auto updates"
- Previous message: bonehead: "User Permission?"
- Next in thread: oldmountainman: "RE: Need Help with Hijackthis File"
- Reply: oldmountainman: "RE: Need Help with Hijackthis File"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 27 Jan 2005 13:17:02 -0800
Dear "oldmountainman", did you see anything like this in your computer files:
http://h30043.www3.hp.com/aio/en/check=ch1
?
A keyword search brought me to your post, so I thought I would comment and
request assistance as well; I have concerns for my personal security.
I located this file in my user temp files, GTEK, and when trying to identify
it I keep coming up with the HiJack, so I still want to know if I have been
hacked or something. Also, in my internet temp files (not my regular temp
files) on 01/13/05 I found and DELETED copies of Yahoo email pages I had
visited and stuff like that; would that be a sign of being hacked? I
installed spyware and Norton Internet Security 2005, so backup is run on
adware; however, this is not a backup file. Any information is appreciated. XP.
Thanks, castles_and_dreams@hotmail.com
"oldmountainman" wrote:
> My research, so far, indicates that the "04 Global Startup: Microsoft
> Office.hta" item is trying to run a malicious script every time I restart my
> PC (or is the malicious script?). Symantec's antivirus catches it, so I can
> stop it. But I have a suspicion that some of the other items in 09, 12, 16
> and 17 might be bad, also. See log file, below.
>
> Can anyone help me?
>
> Thanks, oldmountainman
>
> Logfile of HijackThis v1.98.2
> Scan saved at 1:48:45 PM, on 12/30/2004
> Platform: Windows XP SP2 (WinNT 5.01.2600)
> MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
>
> Running processes:
> C:\WINDOWS\System32\smss.exe
> C:\WINDOWS\system32\winlogon.exe
> C:\WINDOWS\system32\services.exe
> C:\WINDOWS\system32\lsass.exe
> C:\WINDOWS\system32\svchost.exe
> C:\WINDOWS\System32\svchost.exe
> C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
> C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
> C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
> C:\WINDOWS\Explorer.EXE
> C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
> C:\WINDOWS\system32\spoolsv.exe
> C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
> C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
> C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
> C:\WINDOWS\System32\nvsvc32.exe
> C:\WINDOWS\System32\sgd.exe
> C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
> C:\WINDOWS\System32\svchost.exe
> C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
> C:\WINDOWS\system32\ZONELABS\vsmon.exe
> C:\Program Files\Raxco\PerfectDisk\PDSched.exe
> C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
> C:\PROGRA~1\LAVASOFT\AD-AWA~1\Ad-Watch.exe
> C:\Program Files\Common Files\Symantec Shared\ccApp.exe
> C:\WINDOWS\StartupMonitor.exe
> C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
> C:\Program Files\Firetrust\Benign\B9.exe
> C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
> C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
> C:\WINDOWS\System32\HPZipm12.exe
> C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
> C:\Program Files\Internet Explorer\iexplore.exe
> C:\unzipped\HiJackThis\HijackThis.exe
>
> O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
> C:\WINDOWS\system32\NvCpl.dll,NvStartup
> O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
> O4 - HKCU\..\Run: [b9] "C:\Program Files\Firetrust\Benign\B9.exe" /minimize
> O4 - Global Startup: Microsoft Office.hta
> O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no
> file)
> O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
> C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
> O12 - Plugin for .spop: C:\Program Files\Internet
> Explorer\Plugins\NPDocBox.dll
> O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) -
> http://www.drivershq.com/DD_v4.CAB
> O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus
> scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
> O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) -
> https://www.support.microsoft.com/OAS/ActiveX/odc.cab
> O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control)
> -
> http://download.akamaitools.com.edgesuite.net/dlmanager/live/code/IE_1070/DownloadManager.cab
> O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility
> Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
> O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) -
> http://h30043.www3.hp.com/aio/eng/check/qdiagh.cab?319
> O17 -
> HKLM\System\CCS\Services\Tcpip\..\{47607765-7A06-4A5C-A9F9-FB76942BE247}:
> NameServer = 151.164.1.8,206.13.28.12
>
>
> --
> oldmountainman
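As an added illustration (not code from either poster), here is a small Python triage script for the HijackThis sections the thread is asking about: it flags O4 Global Startup entries that launch script files such as the `.hta` above, O9 buttons whose target is "(no file)", O16 ActiveX controls downloaded over plain HTTP, and O17 NameServer entries that differ from an expected set. The sample log lines are constructed from the shape of the log quoted above, and `EXPECTED_DNS` plus the flagging heuristics are assumptions for the example, not HijackThis rules.

```python
import re
from typing import List, Tuple

# Constructed sample in the layout of a HijackThis 1.98 log (each entry on one line).
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup
O4 - Global Startup: Microsoft Office.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://www.support.microsoft.com/OAS/ActiveX/odc.cab
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{47607765-7A06-4A5C-A9F9-FB76942BE247}: NameServer = 151.164.1.8,206.13.28.12
"""

# Windows script host / HTML application extensions that have no business in Startup.
SCRIPT_EXT = (".hta", ".vbs", ".vbe", ".js", ".jse", ".wsf")
# Hypothetical allow-list: the resolvers this machine is expected to use (assumption).
EXPECTED_DNS = {"151.164.1.8", "206.13.28.12"}

LINE_RE = re.compile(r"^(O\d+) - (.*)$")


def triage(log: str, expected_dns=EXPECTED_DNS) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs for entries a reviewer should look at first."""
    findings = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # process list, headers, blank lines
        section, body = m.groups()
        if section == "O4" and body.startswith("Global Startup:") \
                and body.lower().endswith(SCRIPT_EXT):
            findings.append(("script in all-users Startup folder", raw))
        elif section == "O9" and body.endswith("(no file)"):
            findings.append(("orphaned IE button (target file missing)", raw))
        elif section == "O16":
            url = body.rsplit(" - ", 1)[-1]          # last field is the CAB URL
            if not url.lower().startswith("https://"):
                findings.append(("ActiveX control fetched over plain HTTP", raw))
        elif section == "O17" and "NameServer" in body:
            servers = set(body.split("=", 1)[1].replace(" ", "").split(","))
            extra = servers - expected_dns
            if extra:
                findings.append(("unexpected DNS servers: " + ", ".join(sorted(extra)), raw))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```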