HiJackthis log help request

Discussion in 'adware, spyware & hijack cleaning' started by Ahamay17, May 14, 2004.

Thread Status:
Not open for further replies.
  1. Ahamay17

    Ahamay17 Registered Member

    Joined:
    May 13, 2004
    Posts:
    21
    Location:
    Broken Arrow, Oklahoma
    I have been using Ad-aware, Spybot Search and Destroy, and Google Toolbar popup blocker for probably a year now (+ or -). I have had little to no problems until recently. Several things have occurred in the last 4 or 5 weeks that have me concerned. 1st, my winsock was corrupted while I was doing my weekly security run, which consists of updating and running the above mentioned programs along with CoolWebShredder. After completing the scans and cleans, and not seeing anything out of the ordinary (mostly tracking cookies), my winsock was corrupted, leaving me without internet access. Since having fixed the winsock issue, there have been several things that seem suspect to me, but I'm not sure if they are related, I could just be a bit paranoid.

    1. There has not been an update available for Spybot S & D in over 4 weeks. I just noticed there is a new version out, which I downloaded, maybe that is the reason for no recent update? Anyway that seemed like a long time.
    2. I always use a blank start page with IE, now about every 3rd or 4th time I open IE it switches the start page to an MSN page. I never even surf MSN nor do I want to.
    3. When I click a link there is always a few second pause before anything occurs, then it takes off like normal and loads at my typical DSL speeds.
    4. Despite having the Google Toolbar popup blocker on, and having great success with it in the past, I have begun getting popups, usually a few per website, and more often than not they seem to be related to that site rather than the self generated ones from my hard drive, but still annoying as ever.
    5. I get a lot of images that don't load while surfing with IE. I can always right click on them, and then they will load. It is usually images that are repeated many times on the same web page.

    At about the time I started to notice these problems I just happened to look at my Nod32 scan logs, and saw I was infected by 6 different trojans. Nod32 was set up to scan every night, but what I didn't know was it wasn't cleaning, simply scanning and logging. I then had to go back and manually run the scan in clean mode. (If it can be set up to clean automatically, I can't figure it out. . .) Also, according to the Nod32 scan log, at one point I had 6 trojans, but I can only see where 3 were cleaned, but none are being detected after those 3 were cleaned, to the present.


    Here is my log:

    Logfile of HijackThis v1.97.7
    Scan saved at 10:12:19 AM, on 5/14/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Eset\nod32kui.exe
    C:\WINDOWS\System32\taskswitch.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\System32\msdtc.exe
    C:\WINDOWS\system32\drivers\KodakCCS.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\System32\ScsiAccess.EXE
    C:\WINDOWS\System32\mqsvc.exe
    C:\WINDOWS\System32\mqtgsvc.exe
    C:\Program Files\Security\HiJack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    O2 - BHO: Bugnosis - {3A6514CD-A457-11D4-8AF3-000102686B79} - C:\Program Files\Bugnosis\WebBug.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Bugnosis - {930E4DE1-973D-42D6-BF6E-6788E06BD003} - C:\Program Files\Bugnosis\WebBug.dll
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38106.6730671296
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.roings.com/cabs/roing.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab

    It's great to see the service you guys provide here, it really outweighs the dis-service that the scums of the internet attempt to provide. . !

    P.S. Me and the family are about to head off to Oklahoma City to see Metallica, so I probably won't be checking back for a few days, and I didn't want anyone who might respond quickly to think I'm unappreciative.

    TIA

    Ray
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Ahamay17,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com

    O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.roings.com/cabs/roing.cab

    Then reboot.
    Did you try installing Sun's java?
    http://www.java.com:80/en/download/manual.jsp

    And how was the Metallica concert?

    Regards,

    Pieter
     
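As an added illustration of the kind of triage done on the log above (this is example code written for this page; it is not part of HijackThis and is nothing either poster ran), here is a small Python parser for the `Xn - ...` entry lines of a v1.9x log. It flags R0/R1 entries whose value differs from the start page the user says he uses (assumed here to be `about:blank`), flags an O10 broken-LSP line, and flags O16 ActiveX downloads from hosts outside an allowlist. The allowlist is this example's own assumption; a host missing from it only means "look it up", not "malicious". The sample log is a constructed subset of the one posted above.

```python
"""Triage of a HijackThis v1.9x log.

Example code written for this thread; it is not part of HijackThis and is
not something either poster ran."""
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the log Ahamay17 posted above, including
# some of the R0/R1 lines and the O16 line Pieter_Arntz listed for "Fix checked".
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38106.6730671296
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.roings.com/cabs/roing.cab
"""

# HijackThis entry lines look like "R1 - ..." or "O16 - ..."; the header and
# the "Running processes" list do not match this pattern and are skipped.
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Assumption made for this example: hosts the reviewer treats as known-good
# sources of ActiveX (O16) packages. A host absent from this set only means
# "look it up", not "malicious".
TRUSTED_O16_HOSTS = {
    "fpdownload.macromedia.com",
    "download.macromedia.com",
    "v4.windowsupdate.microsoft.com",
    "download.microsoft.com",
    "office.microsoft.com",
}


def parse_entries(log_text):
    """Return (kind, body, original_line) for every HijackThis entry line."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("kind"), m.group("body"), line))
    return entries


def triage(log_text, expected_start_page="about:blank", trusted_hosts=TRUSTED_O16_HOSTS):
    """Return (kind, reason, original_line) for entries that deserve a look.

    expected_start_page defaults to about:blank because the poster says he uses
    a blank start page; that mapping is this example's assumption.
    """
    findings = []
    for kind, body, line in parse_entries(log_text):
        if kind in ("R0", "R1"):
            # R0/R1: IE start page / search page / search bar registry values.
            _key, _sep, value = body.partition(" = ")
            if value and value.lower() != expected_start_page.lower():
                findings.append((kind, "IE start/search setting differs from the expected value", line))
        elif kind == "O10":
            # O10: Winsock LSP chain problem; HijackThis itself reports it as broken access.
            findings.append((kind, "Winsock LSP chain reported broken", line))
        elif kind == "O16":
            # O16: ActiveX package downloaded from a URL (Downloaded Program Files).
            url = body.rsplit(" - ", 1)[-1]
            host = (urlparse(url).hostname or "").lower()
            if host not in trusted_hosts:
                findings.append((kind, f"ActiveX package from unlisted host {host}", line))
    return findings


def fix_list(findings):
    """Lines to tick in HijackThis before clicking 'Fix checked'.

    O10 is left out on purpose: a broken LSP chain is repaired with a dedicated
    Winsock/LSP repair tool, not by ticking the O10 line here.
    """
    return [line for kind, _reason, line in findings if kind != "O10"]


if __name__ == "__main__":
    for kind, reason, line in triage(SAMPLE_LOG):
        print(f"{kind:<4} {reason}\n     {line}")
    print("\nCheck these in HijackThis and click Fix checked:")
    for line in fix_list(triage(SAMPLE_LOG)):
        print(line)
```

Run on the sample, it flags the three R lines, the O10 line and the roings.com O16 line, and the fix list contains the four lines a helper would quote back (the O10 line is deliberately excluded). O2, O3 and O4 entries are left alone: judging a BHO, toolbar or Run key needs a lookup of its CLSID or file path, and this example does not make up such a list.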
  3. Ahamay17

    Ahamay17 Registered Member

    Joined:
    May 13, 2004
    Posts:
    21
    Location:
    Broken Arrow, Oklahoma
    Done, and thanks. . !

    I do have Sun's java installed, I even went to the test page they have to make sure. Is there something in my log that suggests it's not installed?

    Metallica was awesome, so was Godsmack. . . It's hard to imagine them being as good as they are after all these years. . .

    Thanks again,

    Ray
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Sometimes you can see the version of Java in use under O16 in the logs, but the absence is not conclusive.

    You can try to update the Google toolbar. You should find there is a newer version available.

    Spybot S&D was not updated in a while due to the work that was done on the new version. Hopefully their old pace will be picked up again.

    I never found anything that works for everyone to get all the images loaded.
    When I use IE I have the same problem.

    Regards,

    Pieter
     