Please help me with this HJT log

Discussion in 'adware, spyware & hijack cleaning' started by helon, Nov 24, 2003.

Thread Status:
Not open for further replies.
  1. helon

    helon Registered Member

    Joined:
    Nov 24, 2003
    Posts:
    2
    Hello to all,
    I'm suffering continuous spyware and adware infections. I'm running both Spybot and Ad-aware, updated, but some registry entries and some files were not recognized at all...
    Last time (today) a file named IPU.EXE was trying many times to load ad popups, but there was nothing I could find by searching on Google or with the previous tools. :doubt:
    I'm posting my HJT log:


    Logfile of HijackThis v1.97.7
    Scan saved at 1:06:49 AM, on 11/25/2003
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~2\Iomega\System32\AppServices.exe
    C:\WINDOWS\System32\mgabg.exe
    C:\OfficeScan NT\ntrtscan.exe
    C:\WINDOWS\system32\regsvc.exe
    C:\OfficeScan NT\tmlisten.exe
    C:\WINDOWS\System32\WBEM\WinMgmt.exe
    C:\WINDOWS\system32\mspmspsv.exe
    C:\OfficeScan NT\ofcdog.exe
    C:\WINDOWS\Explorer.EXE
    C:\OfficeScan NT\pccntmon.exe
    C:\WINDOWS\System32\PDesk\PDesk.exe
    C:\OfficeScan NT\Pop3Trap.exe
    C:\Program Files\Kazaa Lite K++\KazaaLite.kpp
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\DOCUME~1\OPERAT~1\LOCALS~1\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:1080
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.it/
    O2 - BHO: (no name) - {024DE5EB-3649-445E-8D57-C09A9A33D479} - C:\WINDOWS\system32\PHelper.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMI\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: (no name) - {65B346E0-0A23-11D7-B2F7-00C0F04D8274} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk\PDesk.exe /Autolaunch
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O15 - Trusted Zone: *.bansel.it
    O15 - Trusted Zone: http://www.dexara.net
    O15 - Trusted Zone: http://www.egostat.com
    O16 - DPF: ismco - https://nms.mci.com/ismco.cab
    O16 - DPF: ismcomu - https://nms.mci.com/ismcomu.cab
    O16 - DPF: ismin - https://nms.mci.com/ismin.cab
    O16 - DPF: ismoe - https://nms.mci.com/ismoe.cab
    O16 - DPF: ismrpt - https://nms.mci.com/ismrpt.cab
    O16 - DPF: ismsi - https://nms.mci.com/si/ismsi.cab
    O16 - DPF: ismtb - https://nms.mci.com/ismtb.cab
    O16 - DPF: ismtlskl - https://nms.mci.com/ismtlskl.cab
    O16 - DPF: ismtlssw - https://nms.mci.com/ismtlssw.cab
    O16 - DPF: ismxml - https://nms.mci.com/ismxml.cab
    O16 - DPF: {23B7A816-3647-49D2-9756-6F41CE8F9201} (ddm_download.ddm_control) - http://download.rfwnad.com/cab/crack.CAB
    O16 - DPF: {2C1651EF-8827-11D6-91A2-00E02964E8E3} (IntRuboskizo Class) - http://www.adultoweb.com/dialershtml/dialerweb.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {532217E3-860C-4EEE-8BBD-3F342DCD9AE9} (InPop.InControl) - http://adlogix.com/pop/InPop.CAB
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/15dc4fbaa4a7de581c22/netzip/RdxIE601_it.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37874.0790393519
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    Finally, I don't have any IOMEGA installed, but the entry still persists...

    Sorry for my English... I'm Italian, but please help me all the same :rolleyes:
     
  2. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi Helon,

    Welcome to Wilders!

    Please close out of all programs and windows and select and fix the following:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
    O2 - BHO: (no name) - {024DE5EB-3649-445E-8D57-C09A9A33D479} - C:\WINDOWS\system32\PHelper.dll
    O3 - Toolbar: (no name) - {65B346E0-0A23-11D7-B2F7-00C0F04D8274} - (no file)
    O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
    O16 - DPF: {23B7A816-3647-49D2-9756-6F41CE8F9201} (ddm_download.ddm_control) - http://download.rfwnad.com/cab/crack.CAB
    O16 - DPF: {2C1651EF-8827-11D6-91A2-00E02964E8E3} (IntRuboskizo Class) - http://www.adultoweb.com/dialershtml/dialerweb.cab
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab

    Then reboot and let us know how things are afterward.

    Also, if you haven't already, I strongly recommend that you install Javacool's "Spyware Blaster", which can be obtained here:

    http://www.javacoolsoftware.com/spywareblaster.html

    Hope this helps!

    Regards,

    Dan
     
  3. helon

    helon Registered Member

    Joined:
    Nov 24, 2003
    Posts:
    2
    OK man! I installed Spyware Blaster before doing all of that, and now the situation seems to be clear, as you can read in the following:

    Logfile of HijackThis v1.97.7
    Scan saved at 1:54:12 AM, on 11/25/2003
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~2\Iomega\System32\AppServices.exe
    C:\WINDOWS\System32\mgabg.exe
    C:\WINDOWS\system32\regsvc.exe
    C:\WINDOWS\System32\WBEM\WinMgmt.exe
    C:\WINDOWS\system32\mspmspsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\PDesk\PDesk.exe
    C:\OfficeScan NT\pccntupd.exe
    C:\DOCUME~1\OPERAT~1\LOCALS~1\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:1080
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.it/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMI\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\Spyware_Protect\SpywareGuard\dlprotect.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk\PDesk.exe /Autolaunch
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\Spyware_Protect\SpywareGuard\sgmain.exe
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O15 - Trusted Zone: *.bansel.it
    O15 - Trusted Zone: http://www.dexara.net
    O15 - Trusted Zone: http://www.egostat.com
    O16 - DPF: ismco - https://nms.mci.com/ismco.cab
    O16 - DPF: ismcomu - https://nms.mci.com/ismcomu.cab
    O16 - DPF: ismin - https://nms.mci.com/ismin.cab
    O16 - DPF: ismoe - https://nms.mci.com/ismoe.cab
    O16 - DPF: ismrpt - https://nms.mci.com/ismrpt.cab
    O16 - DPF: ismsi - https://nms.mci.com/si/ismsi.cab
    O16 - DPF: ismtb - https://nms.mci.com/ismtb.cab
    O16 - DPF: ismtlskl - https://nms.mci.com/ismtlskl.cab
    O16 - DPF: ismtlssw - https://nms.mci.com/ismtlssw.cab
    O16 - DPF: ismxml - https://nms.mci.com/ismxml.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {532217E3-860C-4EEE-8BBD-3F342DCD9AE9} (InPop.InControl) - http://adlogix.com/pop/InPop.CAB
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/15dc4fbaa4a7de581c22/netzip/RdxIE601_it.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37874.0790393519
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    Only one other question: where can I find something to clean my registry? It seems that some entries are wrong or spyware-modified...

    Thanks for all your support
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi helon,

    Excellent job so far.
    Two more entries need fixing:
    O16 - DPF: {532217E3-860C-4EEE-8BBD-3F342DCD9AE9} (InPop.InControl) - http://adlogix.com/pop/InPop.CAB
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/15dc4fbaa4a7de581c22/netzip/RdxIE601_it.cab

    A recent thread about registry cleaners can be found here:
    http://www.wilderssecurity.com/showthread.php?t=16473

    Regards,

    Pieter
     