Hijack This Log Thread

bohemianfey
Jedi Master
Posts: 1016
Joined: 2004-08-22 10:54am
Location: Love wench in SDnet's polygonal - sex based relationship

Post by bohemianfey »

Thank you!
| GALE | Society of Sisters: No Boys Allowed | Keepers of the Lore | Mecha Maniacs | The Rat Pack: Frank "Blue Eyes" Sinatra | Minister of Sexy | ACPATHNTDWATGODW FOREVER!! |
"I give into sin because I like to practice what I preach."
2000AD
Emperor's Hand
Posts: 6666
Joined: 2002-07-03 06:32pm
Location: Leeds, wishing i was still in Newcastle

Post by 2000AD »

Let's see what crap my brother's got on the home PC while I've been away:

Logfile of HijackThis v1.98.0
Scan saved at 19:46:46, on 21/12/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\INTERNET DOWNLOAD MANAGER\IDMAN.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SLRUNDLL.EXE
C:\UNZIPPED\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.zpecialoffer.com/results.asp?keyword=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {0C628C08-51F2-4C4E-9D53-C96D1FCD8BC6} - C:\WINDOWS\SYSTEM\BEOND.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [IDMan] C:\PROGRAM FILES\INTERNET DOWNLOAD MANAGER\IDMAN.EXE /onboot
O4 - HKCU\..\RunServices: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\RunServices: [IDMan] C:\PROGRAM FILES\INTERNET DOWNLOAD MANAGER\IDMAN.EXE /onboot
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O8 - Extra context menu item: Download with IDM - C:\PROGRAM FILES\INTERNET DOWNLOAD MANAGER\IEExt.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O18 - Filter: text/html - {1CAC9AF5-75FC-4AAF-A46B-7D510C76E1E4} - C:\WINDOWS\SYSTEM\BEOND.DLL
O18 - Filter: text/plain - {1CAC9AF5-75FC-4AAF-A46B-7D510C76E1E4} - C:\WINDOWS\SYSTEM\BEOND.DLL
Ph34r teh eyebrow!!11!Writers Guild Sluggite Pawn of Chaos WYGIWYGAINGW so now i have to put ACPATHNTDWATGODW in my sig EBC-Honorary Geordie
Hammerman! Hammer!
2000AD
Emperor's Hand
Posts: 6666
Joined: 2002-07-03 06:32pm
Location: Leeds, wishing i was still in Newcastle

Post by 2000AD »

Note: I'm using Firefox, not IE. If my brother's been using IE I will be pissed!
Crayz9000
Sith Apprentice
Posts: 7329
Joined: 2002-07-03 06:39pm
Location: Improbably superpositioned

Post by Crayz9000 »

He has. Also, you're using an old version of HijackThis!, the current version is 1.98.2. Please clean the following and repost your log from the newer version.

Delete the following ASAP:

C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.zpecialoffer.com/results.asp?keyword=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {0C628C08-51F2-4C4E-9D53-C96D1FCD8BC6} - C:\WINDOWS\SYSTEM\BEOND.DLL
O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
O18 - Filter: text/html - {1CAC9AF5-75FC-4AAF-A46B-7D510C76E1E4} - C:\WINDOWS\SYSTEM\BEOND.DLL
O18 - Filter: text/plain - {1CAC9AF5-75FC-4AAF-A46B-7D510C76E1E4} - C:\WINDOWS\SYSTEM\BEOND.DLL

Since you use Firefox, you shouldn't need Internet Download Manager, and I'm not sure if it bundles advertisements:

C:\PROGRAM FILES\INTERNET DOWNLOAD MANAGER\IDMAN.EXE
O4 - HKCU\..\Run: [IDMan] C:\PROGRAM FILES\INTERNET DOWNLOAD MANAGER\IDMAN.EXE /onboot
O4 - HKCU\..\RunServices: [IDMan] C:\PROGRAM FILES\INTERNET DOWNLOAD MANAGER\IDMAN.EXE /onboot
O8 - Extra context menu item: Download with IDM - C:\PROGRAM FILES\INTERNET DOWNLOAD MANAGER\IEExt.htm

The following are legitimate but not really needed:

C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\STARTER.EXE
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
A Tribute to Stupidity: The Robert Scott Anderson Archive (currently offline)
John Hansen - Slightly Insane Bounty Hunter - ASVS Vets' Assoc. Class of 2000
HAB Cryptanalyst | WG - Intergalactic Alliance and Spoof Author | BotM | Cybertron | SCEF
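A triage script for the log format posted above, written as an added example for this thread (it is not HijackThis code and not any poster's): it parses the R/O entries and applies the same heuristics the replies use, then cross-references a DLL that shows up as both an unnamed BHO and an O18 filter, as BEOND.DLL does. The watchlist of autostart names, the trusted-host list and the sample log are constructed assumptions drawn from the verdicts in this thread.

```python
"""Triage helper for HijackThis logs, added for this thread (not part of HijackThis)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# Autostart names the posters told the owners to remove (taken from the thread's verdicts).
KNOWN_BAD_RUN = ("p2p networking", "wintools", "zsearch", "webrebates", "tv media",
                 "msmc", "wildtangent", "viewmgr", "powerreg scheduler")
TRUSTED_DPF_HOSTS = ("microsoft.com", "macromedia.com")   # assumption: O16 vendor hosts

@dataclass
class Finding:
    section: str
    verdict: str   # "remove", "review" or "ok"
    reason: str
    line: str

def _host(url):
    return urlparse(url.strip()).hostname or ""

def _last_field(body):
    return body.rsplit(" - ", 1)[-1].strip()

def classify_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None                      # header, process list or blank line
    sec, body = m.group("sec"), m.group("body")
    low = body.lower()
    if sec.startswith("R"):              # IE search pages and URLSearchHooks
        value = body.split("=", 1)[1].strip().lower() if "=" in body else ""
        if "(no file)" in low:
            return Finding(sec, "remove", "orphaned URLSearchHook", line)
        if value.startswith("file://") and "\\temp\\" in value:
            return Finding(sec, "remove", "search page redirected to a file in TEMP", line)
        if value.startswith("http"):
            return Finding(sec, "review", f"search URL points at {_host(value)}", line)
        return Finding(sec, "ok", "default or blank value", line)
    if sec == "O2" and "(no file)" in low:
        return Finding(sec, "remove", "BHO registered but DLL missing", line)
    if sec == "O2" and "(no name)" in low:   # SDHELPER.DLL is unnamed yet legitimate
        return Finding(sec, "review", "unnamed BHO; identify the DLL first", line)
    if sec == "O4":
        for bad in KNOWN_BAD_RUN:
            if bad in low:
                return Finding(sec, "remove", f"autostart matches known adware '{bad}'", line)
        return Finding(sec, "ok", "autostart not on watchlist", line)
    if sec == "O16":
        h = _host(_last_field(body))
        trusted = any(h == d or h.endswith("." + d) for d in TRUSTED_DPF_HOSTS)
        return Finding(sec, "ok" if trusted else "review", f"ActiveX download from {h}", line)
    if sec == "O17":
        ips = re.findall(r"\d+\.\d+\.\d+\.\d+", body)
        return Finding(sec, "review", "DNS servers set to " + " ".join(ips), line)
    if sec == "O18":
        return Finding(sec, "review", "MIME filter intercepts every page", line)
    if sec == "O23" and "(file missing)" in low:
        return Finding(sec, "remove", "service points at a missing file", line)
    return Finding(sec, "ok", "no rule matched", line)

def classify_log(text):
    findings = [f for f in map(classify_line, text.splitlines()) if f]
    # The same DLL registered as an unnamed BHO (O2) and as an O18 MIME filter is the
    # BEOND.DLL pattern from the thread: upgrade both entries to "remove".
    roles = {}
    for f in findings:
        if f.section in ("O2", "O18"):
            roles.setdefault(_last_field(f.line).lower(), set()).add(f.section)
    for f in findings:
        if f.section in ("O2", "O18") and roles[_last_field(f.line).lower()] == {"O2", "O18"}:
            f.verdict, f.reason = "remove", "same DLL is both a BHO and a MIME filter"
    return findings

def summarize(findings):
    out = {"remove": [], "review": [], "ok": []}
    for f in findings:
        out[f.verdict].append(f.section)
    return out

# Constructed sample in the shape of the logs posted above (not a real machine's log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.zpecialoffer.com/results.asp?keyword=%s
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: (no name) - {0C628C08-51F2-4C4E-9D53-C96D1FCD8BC6} - C:\WINDOWS\SYSTEM\BEOND.DLL
O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/fu ... .0.0.8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 3242102312
O17 - HKLM\System\CCS\Services\Tcpip\..\{0428D766-2777-477A-AB05-45F063054C25}: NameServer = 209.210.176.9 209.210.176.8
O18 - Filter: text/html - {1CAC9AF5-75FC-4AAF-A46B-7D510C76E1E4} - C:\WINDOWS\SYSTEM\BEOND.DLL
O23 - Service: WinTools for IE service - Unknown - C:\Program Files\Common files\WinTools\WToolsS.exe (file missing)
"""
```

Run `summarize(classify_log(SAMPLE_LOG))` to get the section codes grouped by verdict; "review" entries still need a human to identify the file before anything is deleted.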
2000AD
Emperor's Hand
Posts: 6666
Joined: 2002-07-03 06:32pm
Location: Leeds, wishing i was still in Newcastle

Post by 2000AD »

Thanks, I'll get the new edition of HJT when I can.
Dillon
Rabid Monkey
Posts: 1017
Joined: 2002-07-03 09:00am
Location: Toronto, Canada

Post by Dillon »

I'm cleaning up the computer at my mom's house, and this seems like an essential step, so here's the log...
Logfile of HijackThis v1.99.0
Scan saved at 10:43:24 PM, on 23/12/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\3WEB ACCESS MANAGER\ACCESS MANAGER\APP\ENTERNET.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
Datana
Jedi Master
Posts: 1011
Joined: 2002-07-04 03:16am

Post by Datana »

observer_20000: Nothing too serious -- just the leftovers of the automated cleaning and a fragment of Ibis toolbar. You know the drill.
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
Member of the Anti-PETA Anti-Fascist League
Dillon
Rabid Monkey
Posts: 1017
Joined: 2002-07-03 09:00am
Location: Toronto, Canada

Post by Dillon »

Thanks! :)
Stormbringer
King of Democracy
Posts: 22678
Joined: 2002-07-15 11:22pm

Post by Stormbringer »

Where the heck do I download Hijack This?
Datana
Jedi Master
Posts: 1011
Joined: 2002-07-04 03:16am

Post by Datana »

Stormbringer wrote:Where the heck do I download Hijack This?
This site (also listed in the C&G FAQ) has a list of all HijackThis! mirrors. Spyware sometimes blocks it, though, so here is a direct link to one of the mirrors. By the way, 1.99, a new version, is out -- everyone be sure to snag it. Keep a copy of 1.98.2, though, as 1.99 is known to trigger crashes in certain r00ted systems.
General Zod
Never Shuts Up
Posts: 29211
Joined: 2003-11-18 03:08pm
Location: The Clearance Rack

Post by General Zod »

I'm cleaning up a bunch of spyware crap on someone else's PC, so if somebody more versed in HJT logs than me can give this one a quick rundown and let me know what to zap, it'd be appreciated.

Logfile of HijackThis v1.99.0
Scan saved at 01:10:20, on 12/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\wanmpsvc.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\TrayBar\Traybar.exe
D:\Program Files\Real\RealPlayer\RealPlay.exe
D:\WINDOWS\StartupMonitor.exe
D:\WINDOWS\System32\RunDll32.exe
D:\Program Files\Restore Desktop\RestoreDesktop.exe
D:\Program Files\Calculadora Printing Calculator\calc246.exe
D:\Program Files\Hidden Menu\HiddenMenu.exe
D:\PROGRA~1\FOLDER~3\folders.exe
D:\Program Files\Unforgiven Organizer\unage.exe
D:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
D:\Program Files\TurboNote\tbnote.exe
D:\Program Files\Birthday\Birthday.exe
D:\Program Files\Rainlendar\Rainlendar.exe
D:\Program Files\SaverStarter\SaverStarter.exe
D:\Program Files\TrayBar\Traybar.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\CompuServe 7.0\wcs2000.exe
D:\WINDOWS\Explorer.EXE
G:\FireFox\firefox.exe
D:\PROGRA~1\ULTIMA~1.7\uzip.exe
D:\DOCUME~1\DANICO~1\LOCALS~1\TEMP\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Traybar] D:\Program Files\TrayBar\Traybar.exe
O4 - HKLM\..\Run: [RealTray] D:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKCU\..\Run: [RestoreDesktop] D:\Program Files\Restore Desktop\RestoreDesktop.exe
O4 - HKCU\..\Run: [CalcIntel] D:\Program Files\Calculadora Printing Calculator\calc246.exe systray
O4 - HKCU\..\Run: [Hidden Menu] D:\Program Files\Hidden Menu\HiddenMenu.exe
O4 - HKCU\..\Run: [Folders (1.00)] "D:\PROGRA~1\FOLDER~3\folders.exe" t
O4 - HKCU\..\Run: [U32 Agent] "D:\Program Files\Unforgiven Organizer\unage.exe"
O4 - HKCU\..\Run: [EMA] D:\Program Files\EMA\EMA.exe start
O4 - Startup: Birthday.lnk = D:\Program Files\Birthday\Birthday.exe
O4 - Startup: FreeShade.lnk = D:\WINDOWS\FreeShade.exe
O4 - Startup: MiniReminder.lnk = D:\Program Files\MiniReminder\MiniReminder.exe
O4 - Startup: Rainlendar.lnk = D:\Program Files\Rainlendar\Rainlendar.exe
O4 - Startup: ScreenSaverStarter.exe.lnk = D:\Program Files\SaverStarter\SaverStarter.exe
O4 - Startup: Traybar.lnk = D:\Program Files\TrayBar\Traybar.exe
O4 - Global Startup: CompuServe 7.0 Tray Icon.lnk = D:\Program Files\CompuServe 7.0\cstray.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: TurboNote.lnk = D:\Program Files\TurboNote\tbnote.exe
O8 - Extra context menu item: Save Image - res://D:\Program Files\Picture Ace Lite\PictureAceLite.exe/130
O8 - Extra context menu item: Send Link to TrekTrak - D:\WINDOWS\Web\TrekTrakLink.htm
O8 - Extra context menu item: Send Page to TrekTrak - D:\WINDOWS\Web\TrekTrak.htm
O8 - Extra context menu item: Sothink SWF Catcher - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Insert signature - {5E35CA41-3800-4ce7-843A-967B4D761700} - D:\Program Files\Quotes\ieplugin\ieplugin.exe
O9 - Extra button: (no name) - {5E35CA41-3800-4ce7-843A-967B4D761701} - D:\Program Files\Quotes\ieplugin\launch.htm
O9 - Extra 'Tools' menuitem: Quotes plugin - QLiner.com - {5E35CA41-3800-4ce7-843A-967B4D761701} - D:\Program Files\Quotes\ieplugin\launch.htm
O9 - Extra button: CachePal - {5F4A4622-8370-440e-88CC-CA2256D1A08A} - D:\WINDOWS\System32\cachepal.exe
O9 - Extra 'Tools' menuitem: CachePal - {5F4A4622-8370-440e-88CC-CA2256D1A08A} - D:\WINDOWS\System32\cachepal.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - D:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Flash Movie Extractor Scout LITE - {D5FA3931-9170-4C51-9053-4C64B11CE531} - D:\Program Files\Flash Movie Extractor Scout LITE\flashextract.exe
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {BC8FABCD-8649-4eef-89DB-C012144ADFB1} - D:\Program Files\Picture Ace Lite\PictureAceLite.exe (HKCU)
O9 - Extra 'Tools' menuitem: Picture Ace Lite - {BC8FABCD-8649-4eef-89DB-C012144ADFB1} - D:\Program Files\Picture Ace Lite\PictureAceLite.exe (HKCU)
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/fu ... .0.0.8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 3242102312
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/sho ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{94EA6AE5-744C-4E80-AE58-A7F52BA81AFB}: NameServer = 205.188.146.145
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - D:\WINDOWS\wanmpsvc.exe
"It's you Americans. There's something about nipples you hate. If this were Germany, we'd be romping around naked on the stage here."
Datana
Jedi Master
Posts: 1011
Joined: 2002-07-04 03:16am

Post by Datana »

Darth_Zod: There's only one piece of overt spyware in this log (listed below), so I assume that you've run automated removal already. The rest of this stuff is comprised of such uncommon software that I'm not sure exactly what to trust. The entries I could find data on are all benign, if obscure widgets. I don't think I've ever seen anyone front-load so many pieces of software on startup before, either -- does this person actually need all of these things popping up on startup? With so many programs running at once, I'm loath to list anything as a waste of memory if the person is picky about his/her configuration.

The one killable piece is:
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/fu ... .0.0.8.cab
CursorMania is a program that tries to load up CoolWebSearch at every opportunity, but I see no trace of CWS in this log (presumably killed by whatever automated programs you've used). Best to kill the entry and do another sweep with CWShredder to be on the safe side.
General Zod
Never Shuts Up
Posts: 29211
Joined: 2003-11-18 03:08pm
Location: The Clearance Rack

Post by General Zod »

cool. thanks for the help.
Anarchist Bunny
Foul, Cruel, and Bad-Tempered Rodent
Posts: 5458
Joined: 2002-07-12 02:08am

Post by Anarchist Bunny »

Logfile of HijackThis v1.99.0
Scan saved at 11:15:53 AM, on 1/3/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\WINDOWS\system32\hidserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\WINDOWS\System32\mspmspsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\GE\GE 97990 RF Optical Mouse\Ver5.3\MOUSE32A.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Microsoft Office\Office\Osa.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\WINDOWS\explorer.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\Documents and Settings\Ian\Desktop\Stuff\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\GE\GE 97990 RF Optical Mouse\Ver5.3\MOUSE32A.EXE
O4 - HKLM\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components \Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\system32\msmc.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{0428D766-2777-477A-AB05-45F063054C25}: NameServer = 209.210.176.9 209.210.176.8
O17 - HKLM\System\CS1\Services\Tcpip\..\{0428D766-2777-477A-AB05-45F063054C25}: NameServer = 209.210.176.9 209.210.176.8
O23 - Service: AVSync Manager - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Gear Security Service - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WinTools for IE service - Unknown - C:\Program Files\Common files\WinTools\WToolsS.exe (file missing)

Been a while since I did a good cleaning
//This Line Blank as of 7/15/07\\
Ornithology Subdirector: SD.net Dept. of Biological Sciences
Wiilite
Datana
Jedi Master
Posts: 1011
Joined: 2002-07-04 03:16am

Post by Datana »

Anarchist Bunny: Terminate ViewMgr.exe first, then kill the following entries.
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)
O4 - HKLM\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\system32\msmc.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Startup: PowerReg Scheduler.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
The following are optional:
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
Faram
Bastard Operator from Hell
Posts: 5271
Joined: 2002-07-04 07:39am
Location: Fighting Polarbears

Post by Faram »

Microsoft is releasing its own anti-spyware application:

Long linky to a review.

They bought Giant Software, which made a spyware remover that is unknown and untested to me. IMHO they should have bought Ad-Aware or Spybot instead, but I guess they didn't like the free part.

"Either God wants to abolish evil, and cannot; or he can, but does not want to. ... If he wants to, but cannot, he is impotent. If he can, but does not want to, he is wicked. ... If, as they say, God can abolish evil, and God really wants to do it, why is there evil in the world?" -Epicurus


Fear is the mother of all gods.

Nature does all things spontaneously, by herself, without the meddling of the gods. -Lucretius
jcow79
Padawan Learner
Posts: 442
Joined: 2004-07-21 02:39am
Location: Spokane, WA

Post by jcow79 »

resolved
Last edited by jcow79 on 2005-01-17 11:13am, edited 1 time in total.
Crayz9000
Sith Apprentice
Posts: 7329
Joined: 2002-07-03 06:39pm
Location: Improbably superpositioned

Post by Crayz9000 »

Make *sure* you have the latest CWS Shredder. Older versions will be noticed by CWS and won't run.
jcow79
Padawan Learner
Posts: 442
Joined: 2004-07-21 02:39am
Location: Spokane, WA

Post by jcow79 »

Crayz9000 wrote:Make *sure* you have the latest CWS Shredder. Older versions will be noticed by CWS and won't run.
I have the latest version because when I ran the update it said i had the most up-to-date version.
Datana
Jedi Master
Posts: 1011
Joined: 2002-07-04 03:16am

Post by Datana »

jcow79: Have you killed infected background processes before starting the HJT! purge? From what I can see, C:\WINNT\system32\vqugor.exe is likely what's restoring the deleted entries, and if it's doing something while HJT! is running, it won't get removed. Apart from that, I can't see anything else suspicious in that log. Try Kill2Me as well -- you appear to have Look2Me, judging by the presence of links to 69.20.16.183.
jcow79
Padawan Learner
Posts: 442
Joined: 2004-07-21 02:39am
Location: Spokane, WA

Post by jcow79 »

Datana wrote:jcow79: Have you killed infected background processes before starting the HJT! purge? From what I can see, C:\WINNT\system32\vqugor.exe is likely what's restoring the deleted entries, and if it's doing something while HJT! is running, it won't get removed. Apart from that, I can't see anything else suspicious in that log. Try Kill2Me as well -- you appear to have Look2Me, judging by the presence of links to 69.20.16.183.
Yeah, I have been running it in safe mode and it clears everything out just fine. But when I get back into Windows normally... everything comes back. However, the exe changes names every time.
Something else is generating random exes.

I will try the kill2me though. Thanks for the suggestion.
jcow79
Padawan Learner
Posts: 442
Joined: 2004-07-21 02:39am
Location: Spokane, WA

Post by jcow79 »

I ran the kill2me.exe and said there was no sign of infection. Any other suggestions?
Datana
Jedi Master
Posts: 1011
Joined: 2002-07-04 03:16am

Post by Datana »

This is much more difficult than other cases; I've never seen an infection that comes back despite getting squashed in HJT!. Try VX2Finder to locate any hidden spyware DLL files and delete those from Safe Mode (or better yet, the Recovery Console). Also, when dealing with Look2Me, you can't have any open Explorer windows -- it hooks into Explorer tightly enough that if you have an Explorer window open, even in Safe Mode, it'll restart. Use the Task Manager to kill every instance of Explorer.exe and try to delete files VX2Finder points out via command prompt.
jcow79
Padawan Learner
Posts: 442
Joined: 2004-07-21 02:39am
Location: Spokane, WA

Post by jcow79 »

Ok, I ran the VX2 tool with no success. We are getting an error message on start up that perhaps will provide clues as to what has infected this computer. The message is: An exception occured while trying to run ""C:\winnt\system32\moc40.dll", UMonitor"

Now the DLL listed in this message changes every time, but the path and the UMonitor portion remain the same. Any clues?
Datana
Jedi Master
Posts: 1011
Joined: 2002-07-04 03:16am

Post by Datana »

I've been doing a bit of research on the subject -- looks like this is a new version of VX2 that's much harder to remove than previous ones. Others report the "UMonitor" issue you have, and it all seems to tie back to that.

There's an updated version of VX2Finder as part of this package (the most recent version is a bit down the page rather than the first post). Run the batchfile and it should handle the task itself.

Oh, and is System Restore active? Disable it if it is -- it'll actually restore any removed spyware.