Hijackthis log posted - just checking for clean

Discussion in 'adware, spyware & hijack cleaning' started by kbosch, Jun 15, 2004.

Thread Status:
Not open for further replies.
  1. kbosch

    kbosch Registered Member

    Joined:
    Jun 11, 2004
    Posts:
    7
    Hey everyone!

    I wanted to check my laptop at home to make sure it is clean.

    I have run CW Shredder
    I have run and updated SpyBot S&D
    Here is my log file from Hijackthis.

    Thanks in advance for looking

    Kbosch

    Logfile of HijackThis v1.97.7
    Scan saved at 11:19:36 PM, on 6/14/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\netdc.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\HPQ\One-Touch\OneTouch.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Documents and Settings\Keith & Melissa\Start Menu\Programs\Startup\svchost.exe
    C:\WINDOWS\system32\HPConfig.exe
    C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Utilities\Hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.hp.com/
    F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System32\svohost.exe
    F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\svohost.exe
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\swchost.exe
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
    O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
    O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - Startup: netdb.exe
    O4 - Startup: svchost.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
     
  2. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    Use Process Explorer to kill the following tasks.
    You will need Process Explorer rather than Task Manager to distinguish which of the svchost processes is running from the unusual folder.
    C:\WINDOWS\System32\netdc.exe
    C:\Documents and Settings\Keith & Melissa\Start Menu\Programs\Startup\svchost.exe


    Run HijackThis again, push Scan and place a check mark next to the following items using your mouse.
    Next, close all browser Windows, and push the 'Fix checked' button in HijackThis

    F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System32\svohost.exe
    F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\svohost.exe
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\swchost.exe
    O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - Startup: netdb.exe
    O4 - Startup: svchost.exe


    Empty the TIF (Temporary Internet Files)
    To do so use Control Panel > Internet Options (or right click the IE icon on the desktop and choose Properties)
    Click Delete Files on the General Tab - place a check in the Delete all offline content box and then press OK

    Delete all the files in (and any subfolders of) the C:\Windows\Temp\ folder

    Set your Explorer up using the info in this link so that hidden and System files are visible
    Also Uncheck the "Hide extensions for known file types" box

    Reboot to SAFE mode
    How to start the computer in Safe mode

    Delete the following files:
    C:\WINDOWS\System32\svohost.exe (careful of the spelling!)
    C:\WINDOWS\System32\swchost.exe (careful of the spelling!)
    C:\Documents and Settings\Keith & Melissa\Start Menu\Programs\Startup\svchost.exe
    C:\WINDOWS\System32\netdc.exe
    netdb.exe


    Also delete the files mentioned in the links at the bottom

    Reboot to normal mode

    Get a good online virus scan at HouseCall

    ------ some partial info (for further cleanup)
    NETDC -- http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=TROJ_DUMARIN.G&VSect=T
    or http://sarc.com/avcenter/venc/data/backdoor.nibu.e.html
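    Added example, not part of this thread or of HijackThis itself: a small Python script that applies the same reasoning IMM used above to a HijackThis log, flagging a core binary name running from the wrong folder (the Startup-folder svchost.exe), one-character lookalikes of a core binary name (svohost.exe, swchost.exe), and a system.ini Shell= value that launches anything besides explorer.exe. The log excerpt is constructed to mirror this thread, and the expected-folder table assumes the Windows XP layout.

```python
import re

# Constructed HijackThis log excerpt mirroring the entries discussed in this thread.
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\System32\\svchost.exe
C:\\Documents and Settings\\Keith & Melissa\\Start Menu\\Programs\\Startup\\svchost.exe
C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe

F0 - system.ini: Shell=explorer.exe C:\\WINDOWS\\System32\\svohost.exe
O4 - HKLM\\..\\Run: [load32] C:\\WINDOWS\\System32\\swchost.exe
O4 - HKLM\\..\\Run: [HP Software Update] "C:\\Program Files\\HP\\HP Software Update\\HPWuSchd.exe"
"""

# Assumed XP layout: core Windows binaries and the only folder each should run from.
EXPECTED_DIR = {name: "c:\\windows\\system32" for name in
                ("svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "smss.exe", "csrss.exe")}
EXPECTED_DIR["explorer.exe"] = "c:\\windows"

PATH_RE = re.compile(r'[a-z]:\\[^"\n]*?\.exe\b', re.IGNORECASE)


def edit_distance(a, b):
    """Levenshtein distance; one edit covers lookalikes such as svohost/swchost."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_log(text):
    """Return (line, reason) pairs for entries a defender should look at first."""
    findings = []
    for line in text.splitlines():
        # F0/F2: Shell= should be exactly explorer.exe; extra tokens are a persistence hook.
        if "shell=" in line.lower():
            tokens = line.lower().split("shell=", 1)[1].split()
            if tokens[:1] != ["explorer.exe"] or len(tokens) > 1:
                findings.append((line, "Shell= launches something besides explorer.exe"))
        for path in PATH_RE.findall(line):
            folder, _, name = path.lower().rpartition("\\")
            if name in EXPECTED_DIR:
                if folder != EXPECTED_DIR[name]:
                    findings.append((line, f"{name} running outside {EXPECTED_DIR[name]}"))
            elif any(edit_distance(name, s) == 1 for s in EXPECTED_DIR):
                findings.append((line, f"{name} is one character off a core system binary"))
    return findings
```

    Run `audit_log(SAMPLE_LOG)` to see the four entries from the constructed excerpt that match what IMM told kbosch to kill and delete; legitimate entries such as the System32 svchost.exe and the HP updater produce nothing.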
     