HijackThis Log

Discussion in 'adware, spyware & hijack cleaning' started by Paul_, Jun 8, 2004.

Thread Status:
Not open for further replies.
  1. Paul_

    Paul_ Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    7
    Hi all

    I tried to find a similar log on this forum, but unfortunately...
    Can anyone help clean my PC?
    The log I have is:

    Logfile of HijackThis v1.97.7
    Scan saved at 21:16:47, on 2004.06.08
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\DU Meter\DUMeter.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\MAILWA~1\MAILWA~1.EXE
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    C:\Program Files\Softwin\BitDefender Professional Edition\vsserv.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Opera75\opera.exe
    C:\Downloads\software\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\Program Files\Copernic Agent\Web\SearchBar.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.lt/
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
    O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MailWasher] C:\PROGRA~1\MAILWA~1\MAILWA~1.EXE
    O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\Name\Local Settings\Temp\FreeRAM XP Pro 1.40.exe" -win
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
    O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Copernic Agent (HKLM)
    O9 - Extra button: ICQ Lite (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38035.4486226852
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6F24A9C5-2C62-4BE6-8233-67F45EA45583}: NameServer = 192.168.1.1

    :rolleyes:

    Thanks
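A HijackThis log is just a list of tagged lines (R0/R1 for IE settings, O1 for hosts-file entries, O4 for autoruns, O10 for LSP problems, O17 for DNS servers), so a reviewer's first pass can be scripted. The following is an added example, not part of the thread or of HijackThis itself: it parses a few lines copied from the log above (marked as constructed input) and flags the entries a helper would look at first. The triage rules (hosts overrides, autoruns launched from a Temp folder, any broken LSP, DNS servers outside private address space) are my own assumptions about what deserves a second look.

```python
import ipaddress
import re

# Constructed sample: six lines copied from the HijackThis v1.97.7 log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.lt/
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\Name\Local Settings\Temp\FreeRAM XP Pro 1.40.exe" -win
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F24A9C5-2C62-4BE6-8233-67F45EA45583}: NameServer = 192.168.1.1
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+) (?P<host>\S+)")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
DNS_RE = re.compile(r"NameServer = (?P<servers>.+)$")

def parse(log_text):
    """Yield (section, body) for every R/O line; the process list and banner are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("section"), m.group("body")

def triage(log_text):
    """Return [(section, reason)] for the entries a reviewer should look at first (assumed rules)."""
    findings = []
    for section, body in parse(log_text):
        if section == "O1":
            m = HOSTS_RE.match(body)
            if m:  # any hosts-file override changes name resolution for that host
                findings.append((section, f"hosts override: {m['host']} -> {m['ip']}"))
        elif section == "O4":
            m = RUN_RE.match(body)
            # an autorun whose executable lives in a Temp folder is worth a look
            if m and re.search(r"\\temp\\", m["cmd"], re.IGNORECASE):
                findings.append((section, f"autorun from Temp: [{m['name']}]"))
        elif section == "O10":
            findings.append((section, "Winsock LSP chain references a provider that cannot be loaded"))
        elif section == "O17":
            m = DNS_RE.search(body)
            for server in (m["servers"].split(",") if m else []):
                try:
                    if not ipaddress.ip_address(server.strip()).is_private:
                        findings.append((section, f"public DNS server configured: {server.strip()}"))
                except ValueError:
                    findings.append((section, f"unparseable NameServer: {server.strip()}"))
    return findings
```

On the sample above this flags the O1 hosts entry, the FreeRAM XP autorun in Local Settings\Temp and the O10 line, while the private 192.168.1.1 name server and the NOD32 autorun pass.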
     
  2. Paul_

    Paul_ Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    7
    Also, when I tried to fix these files (below) with Spybot S&D, nothing was changed after rebooting. Are these files dangerous? And what are the next steps for fixing them?
    -------------------------------------------------------------------------
    Possible extension hijack: Default executable handler (Registry change, nothing done)
    HKEY_CLASSES_ROOT\exefile\shell\open\command\!="%1" %*

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-1060284298-436374069-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3


    --- Spybot - Search && Destroy version: 1.3 ---
    2004-05-25 Includes\Cookies.sbi
    2004-05-29 Includes\Dialer.sbi
    2004-05-28 Includes\Hijackers.sbi
    2004-05-28 Includes\Keyloggers.sbi
    2004-05-12 Includes\LSP.sbi
    2004-05-28 Includes\Malware.sbi
    2004-05-04 Includes\Revision.sbi
    2004-04-12 Includes\Security.sbi
    2004-05-28 Includes\Spybots.sbi
    2004-05-24 Includes\Tracks.uti
    2004-05-28 Includes\Trojans.sbi
    ----------------------------------------------------------------------

    Any ideas?
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
  4. Paul_

    Paul_ Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    7
    Hi Pieter,

    Thanks for helping me. :)
    Like I understand, everything is ok. Or is there anything suspicious in my Logfile of HijackThis v1.97.7?
    o_O
    Because in the evenings I have some troubles (PC restarts without any notice, work with Word files is very slow (CPU running 100%, HDD is busy too)). When I try to look at the running processes with Task Manager (the percentage use for current programs and the CPU load histogram) the load normalizes. If I minimize Task Manager the CPU load increases again.
    NOD32 (antivirus program) can't open 4 files.
    Ad-aware 6 can't finish the scan process (it scans too long in my opinion).
    I don't think that it is a hardware problem. More possibly software problems (spyware, worms and viruses).

    Please Help
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Have you tried using all the possible scan methods: the Smart system-scan and the select drives option in Ad-aware?

    I see nothing suspicious in your log. You stated the CPU load normalized when you opened Task Manager. Have you tried keeping that minimized in the systray and seeing what happens then?
    It could be that it happens just because you stop doing something else.

    Regards,

    Pieter
     
  6. Paul_

    Paul_ Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    7
    Hi Pieter,

    > Have you tried using all the possible scan methods: the Smart system-scan and the select drives option in AdAware?

    Yes. Today it found something (see log):

    ArchiveData(auto-quarantine- 10-06-2004 12-20-47.bckp)
    ======================================================

    WINDOWS
    ======================================================
    obj[0]=RegData : exefile\shell\open\command

    o_O AND I blocked:

    Ad-watch Logfile, exported on 2004.06.10
    Total number of events:1
    ===============================================
    2004.06.10 11:08:11 - Registry modification detected
    Root:HKEY_LOCAL_MACHINE
    Key:SOFTWARE\Classes\exefile\shell\open\command
    Value:
    Data:%1 %*
    New Data:"%1" %*

    Possible browser hijack attempt (Blocked)

    ===============================================

    > You stated the CPU load normalized when you open TaskManager. Have you tried keeping that minimized in the systray and see what happens then?

    Yes, the CPU load normalized when I opened TaskManager => Processes, but when I tried keeping that minimized in the systray suddenly the CPU load increased to 100%. It was like a game: when I maximize TaskManager => Processes the CPU load normalizes, when I minimize it the CPU load increases to 100%. ("DU meter" didn't show any internet traffic.) If I leave TaskManager => Processes minimized, the CPU load stays at the same 100% for ~5min (but I wasn't working with any program).
    I thought that it could be a smart spyware or something like that, which uses my PC resources and reboots or increases the CPU load. I have never seen such things in all my life before. It's very strange.

    > It could be that happens just because you stop doing something else.

    You mean normalizes the CPU load when I stop doing something else?
    No.
    That's why I'm interested in my log.
    More info (hardware):
    I am using a 1.1GHz Coppermine (Celeron), MB A-trend, 192MB, Barracuda 40GB 7200rpm, GF3 Ti 200 64MB, SB Creative AWE 64.

    I am coming to the opinion that finally I will need to format C:\ .

    Thank you Pieter for the help
    :)
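The Spybot entry from post 2 and the Ad-watch event above refer to the same registry value: HKEY_CLASSES_ROOT is a merged view of HKLM\SOFTWARE\Classes, and a Spybot path ending in a backslash before "!=" denotes the (Default) value. The following is an added example (not from the thread, Spybot or Ad-aware) that parses both log formats as posted, checks whether the write Ad-watch blocked was exactly the change Spybot wanted to make, and classifies the exefile open-command data. The alias table and the three status labels are my own assumptions.

```python
# Constructed from the two logs posted above: Spybot's "nothing done" entry and the
# Ad-watch event that blocked a write to the same key.
SPYBOT_LINE = r'HKEY_CLASSES_ROOT\exefile\shell\open\command\!="%1" %*'
ADWATCH_EVENT = """\
2004.06.10 11:08:11 - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:SOFTWARE\\Classes\\exefile\\shell\\open\\command
Value:
Data:%1 %*
New Data:"%1" %*
"""

# HKEY_CLASSES_ROOT is a merged view; the machine-wide exefile handler lives under this HKLM path.
HIVE_ALIASES = {"HKEY_LOCAL_MACHINE\\SOFTWARE\\CLASSES": "HKEY_CLASSES_ROOT"}

def parse_spybot(line):
    """Spybot S&D writes '<key>\\<value>!=<expected>'; a trailing backslash means the (Default) value."""
    path, expected = line.split("!=", 1)
    return {"key": path.rstrip("\\").upper(), "expected": expected}

def parse_adwatch(text):
    """Turn one Ad-watch 'Field:value' block into a dict; the timestamp line carries ' - ' and is skipped."""
    fields = dict(l.split(":", 1) for l in text.splitlines() if ":" in l and " - " not in l)
    key = f"{fields['Root']}\\{fields['Key']}".upper()
    for prefix, alias in HIVE_ALIASES.items():
        if key.startswith(prefix):
            key = alias + key[len(prefix):]
    return {"key": key, "value": fields["Value"], "old": fields["Data"], "new": fields["New Data"]}

def blocked_fix(spybot, adwatch):
    """True when the write Ad-watch blocked is exactly the change Spybot wanted to apply."""
    return spybot["key"] == adwatch["key"] and adwatch["new"] == spybot["expected"]

def exefile_handler_status(data):
    """Classify the (Default) data of exefile\\shell\\open\\command (labels assumed)."""
    if data == '"%1" %*':
        return "ok"          # Windows default: quoted program path, arguments passed through
    if data == "%1 %*":
        return "unquoted"    # the state Spybot flagged on this machine
    return "hijacked?"       # some other program is wrapping every .exe launch: investigate
```

With these inputs `blocked_fix` returns True, i.e. the "nothing was changed after rebooting" from post 2 is consistent with Ad-watch's real-time protection blocking Spybot's own repair; pausing Ad-watch while Spybot applies the fix resolves that.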
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
  8. Paul_

    Paul_ Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    7
    Hi Pieter,

    I used your suggestion and with Rootkit Detector v0.6.2 found 1 suspicious file: sockspy.dll
    After deleting it in safe mode, everything seems normal. (at least now)
    :)

    Thanks Pieter, you are a real expert. :D
     