Friends Hijackthis Log

Discussion in 'adware, spyware & hijack cleaning' started by mattyl, Mar 30, 2004.

Thread Status:
Not open for further replies.
  1. mattyl

    mattyl Registered Member

    Joined:
    Feb 29, 2004
    Posts:
    83
    Logfile of HijackThis v1.97.7
    Scan saved at 9:36:48 PM, on 3/30/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\ibmpmsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\WINDOWS\System32\RegSrvc.exe
    C:\Program Files\Network Associates\VirusScan\VsStat.exe
    C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
    C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
    C:\Program Files\Network Associates\VirusScan\Webscanx.exe
    C:\Program Files\Network Associates\VirusScan\Avconsol.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\WINDOWS\System32\RunDll32.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\WMABAR~1\Free Mp3.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\Program Files\AIM\aim.exe
    C:\Program Files\AWS\WeatherBug\Weather.exe
    C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    C:\Program Files\Ares\Ares.exe
    C:\Program Files\Samsung\Digimax Viewer 1.0\DigimaxViewer.exe
    C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Union T40\Desktop\spyware\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.union.edu/Campus/OnCampus/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
    about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
    Settings,ProxyOverride = 127.0.0.1
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext =
    http://windowsupdate.microsoft.com/
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} -
    C:\Program
    Files\MyWay\myBar\1.bin\MYBAR.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
    C:\Program
    Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
    C:\PROGRA~1
    \SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} -
    C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {7D7FCCC5-3BF1-4897-9968-E135B0C90E03} -
    C:\PROGRA~1
    \WAITDR~1\BIB GRID.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
    c:\program
    files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
    C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} -
    C:\Program
    Files\MyWay\myBar\1.bin\MYBAR.DLL
    O3 - Toolbar: Bone one dumb - {821DB888-1846-5275-923B-31ED9303BBE7} -
    C:\PROGRA~1\WAITDR~1\BIB GRID.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
    c:\program
    files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program
    Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program
    Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe
    irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [TPHOTKEY]
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [BMMLREF] C:\Program
    Files\ThinkPad\Utilities\BMMLREF.EXE
    O4 - HKLM\..\Run: [QCWLICON] C:\Program
    Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    O4 - HKLM\..\Run: [TPKMAPMN] C:\Program
    Files\ThinkPad\Utilities\TpKmapMn.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI
    Control
    Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By
    IBM\ibmmessages.exe
    O4 - HKLM\..\Run: [StorageGuard] "c:\Program Files\VERITAS
    Software\Update
    Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32
    \spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1
    \pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [Blubster] C:\Program Files\Blubster\Blubster.exe
    SILENT
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
    Files\QuickTime\qttask.exe" -
    atboottime
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [slowmedia] C:\PROGRA~1\WMABAR~1\Free Mp3.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program
    Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE"
    /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe
    1
    O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By
    IBM\ibmmessages.exe
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O4 - HKLM\..\RunOnce: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware
    6\Ad-
    aware.exe" "+b1"
    O4 - Global Startup: Digimax Viewer 1.0.lnk = C:\Program
    Files\Samsung\Digimax
    Viewer 1.0\DigimaxViewer.exe
    O4 - Global Startup: Image Transfer.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
    Office\Office10\OSA.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel
    present
    O8 - Extra context menu item: &Google Search - res://C:\Program
    Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program
    Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page -
    res://C:\Program
    Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel -
    res://C:\PROGRA~1
    \MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program
    Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://C:\Program
    Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet
    Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
    http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX
    Control) -
    http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
    http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us
    /win/QuickTimeInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
    http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall
    /xscan53.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
    Object) -
    http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object)
    -
    http://anu.popcap.com/games/popcaploader_v5.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{AFEBDFE1-942D-48CB-9C2A-
    E519A5EA428A}: NameServer = 149.106.160.3,149.106.160.14

    Sorry for the broken log - it was sent to me in an email. We have done some work already, using spybot and adaware, deleting all that was found with the latest updates. From looking at many logs it seems like there is still some evils lurking just don't know exactly which to delete. Thanks for taking a look!

    mattyl
     
  2. mattyl

    mattyl Registered Member

    Joined:
    Feb 29, 2004
    Posts:
    83
    Re-ran adware with the newest update. Found a few items which were cleared from the hijackthis log. Then went through and tried to pick out what I knew was bad.

    Here's the newest and better looking log:

    Logfile of HijackThis v1.97.7
    Scan saved at 10:41:34 PM, on 3/30/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\ibmpmsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\WINDOWS\System32\RegSrvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\WINDOWS\System32\RunDll32.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    C:\Program Files\Samsung\Digimax Viewer 1.0\DigimaxViewer.exe
    C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
    C:\Program Files\Network Associates\VirusScan\VsStat.exe
    C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
    C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
    C:\Program Files\Network Associates\VirusScan\Webscanx.exe
    C:\Program Files\Network Associates\VirusScan\Avconsol.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Common Files\Network Associates\On Demand Scanner\Scan32\SCAN32.EXE
    C:\Documents and Settings\Union T40\Desktop\spyware\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.union.edu/Campus/OnCampus/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://windowsupdate.microsoft.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
    O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    O4 - HKLM\..\Run: [StorageGuard] "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O4 - Global Startup: Digimax Viewer 1.0.lnk = C:\Program Files\Samsung\Digimax Viewer 1.0\DigimaxViewer.exe
    O4 - Global Startup: Image Transfer.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{AFEBDFE1-942D-48CB-9C2A-E519A5EA428A}: NameServer = 149.106.160.3,149.106.160.14

    Anything I missed? Thanks again.

    mattyl
     
  3. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Hi mattyl..

    I noticed you did do scan via AdAware and it found things and you did a new log, but in your second post, you said:

    I hope that the second log is the complete entries and not just selected, if not could you please post your *complete* new log.

    If it is, then simply ignore my post. :D

    Someone should help out shortly. ;)

    Cheers, TAS
     
  4. mattyl

    mattyl Registered Member

    Joined:
    Feb 29, 2004
    Posts:
    83
    thanks tas

    Even though you said ignore the post I'd like to clarify so as not to confuse the experts with the two posts. The first log was created after I had told my friend to run the both adaware and spybot with the latest updates. I then posted and checked to make sure he had updated the programs. Spybot was up to date but adaware was not. So, the second log is the complete log after what Ad-aware the second time around deleted as well as a few entries I had hijackthis fix (ex: blubster, autoupdate - which im pretty sure aren't needed and are bad - I also made sure the .exe and folders were gone) I also deleted all the toolbars found in the control panel b/c they were not needed. This also cleared a few entries. The second log shows ALL after this was done. Hope that clears things up and sorry for any confusion. Thanks again for taking a look.

    mattyl
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    In that case, I can't find anything either. :D

    Regards,

    Pieter
     
  6. mattyl

    mattyl Registered Member

    Joined:
    Feb 29, 2004
    Posts:
    83
    thanks for taking the time to give it a look Pieter
     
Thread Status:
Not open for further replies.