Please help me with this HJT log

Discussion in 'adware, spyware & hijack cleaning' started by helon, Nov 24, 2003.

Thread Status:
Not open for further replies.
  1. helon

    helon Registered Member

    Joined:
    Nov 24, 2003
    Posts:
    2
    Hello to all,
    i'm suffering continuous spyware and adware infections. I'm running both Spybot and Ad-aware updated but some registry entries and some files were not recognized at all...
    Last time (today) a file named IPU.EXE was trying many time to load ad popups, but nothing i can find searching on google and with the previous tools. :doubt:
    I post my hjt log:


    Logfile of HijackThis v1.97.7
    Scan saved at 1:06:49 AM, on 11/25/2003
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~2\Iomega\System32\AppServices.exe
    C:\WINDOWS\System32\mgabg.exe
    C:\OfficeScan NT\ntrtscan.exe
    C:\WINDOWS\system32\regsvc.exe
    C:\OfficeScan NT\tmlisten.exe
    C:\WINDOWS\System32\WBEM\WinMgmt.exe
    C:\WINDOWS\system32\mspmspsv.exe
    C:\OfficeScan NT\ofcdog.exe
    C:\WINDOWS\Explorer.EXE
    C:\OfficeScan NT\pccntmon.exe
    C:\WINDOWS\System32\PDesk\PDesk.exe
    C:\OfficeScan NT\Pop3Trap.exe
    C:\Program Files\Kazaa Lite K++\KazaaLite.kpp
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\DOCUME~1\OPERAT~1\LOCALS~1\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:1080
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.it/
    O2 - BHO: (no name) - {024DE5EB-3649-445E-8D57-C09A9A33D479} - C:\WINDOWS\system32\PHelper.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMI\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: (no name) - {65B346E0-0A23-11D7-B2F7-00C0F04D8274} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk\PDesk.exe /Autolaunch
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O15 - Trusted Zone: *.bansel.it
    O15 - Trusted Zone: http://www.dexara.net
    O15 - Trusted Zone: http://www.egostat.com
    O16 - DPF: ismco - https://nms.mci.com/ismco.cab
    O16 - DPF: ismcomu - https://nms.mci.com/ismcomu.cab
    O16 - DPF: ismin - https://nms.mci.com/ismin.cab
    O16 - DPF: ismoe - https://nms.mci.com/ismoe.cab
    O16 - DPF: ismrpt - https://nms.mci.com/ismrpt.cab
    O16 - DPF: ismsi - https://nms.mci.com/si/ismsi.cab
    O16 - DPF: ismtb - https://nms.mci.com/ismtb.cab
    O16 - DPF: ismtlskl - https://nms.mci.com/ismtlskl.cab
    O16 - DPF: ismtlssw - https://nms.mci.com/ismtlssw.cab
    O16 - DPF: ismxml - https://nms.mci.com/ismxml.cab
    O16 - DPF: {23B7A816-3647-49D2-9756-6F41CE8F9201} (ddm_download.ddm_control) - http://download.rfwnad.com/cab/crack.CAB
    O16 - DPF: {2C1651EF-8827-11D6-91A2-00E02964E8E3} (IntRuboskizo Class) - http://www.adultoweb.com/dialershtml/dialerweb.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {532217E3-860C-4EEE-8BBD-3F342DCD9AE9} (InPop.InControl) - http://adlogix.com/pop/InPop.CAB
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/15dc4fbaa4a7de581c22/netzip/RdxIE601_it.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37874.0790393519
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab




    Finally, i don't have any IOMEGA installed but the entry still persist..

    Sorry for my english..i'm italian, but help me the same :rolleyes:
     
  2. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi Helon,

    Welcome to Wilders!

    please close out of all programs and windows and select and fix the following;

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
    O2 - BHO: (no name) - {024DE5EB-3649-445E-8D57-C09A9A33D479} - C:\WINDOWS\system32\PHelper.dll
    O3 - Toolbar: (no name) - {65B346E0-0A23-11D7-B2F7-00C0F04D8274} - (no file)
    O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
    O16 - DPF: {23B7A816-3647-49D2-9756-6F41CE8F9201} (ddm_download.ddm_control) - http://download.rfwnad.com/cab/crack.CAB
    O16 - DPF: {2C1651EF-8827-11D6-91A2-00E02964E8E3}
    (IntRuboskizo Class) - http://www.adultoweb.com/dialershtml/dialerweb.cab
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab

    Then reboot and let us know how things are afterward

    Also, if you haven't already, I strongly recommend that you install Javacool's "Spyware Blaster" which can be obtained here

    http://www.javacoolsoftware.com/spywareblaster.html

    Hope this helps!

    Regards,

    Dan
     
  3. helon

    helon Registered Member

    Joined:
    Nov 24, 2003
    Posts:
    2
    Ok man! I've installed spyware blaster before to do all, and now the situation seems to be clear as you can read in the follow:

    Logfile of HijackThis v1.97.7
    Scan saved at 1:54:12 AM, on 11/25/2003
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~2\Iomega\System32\AppServices.exe
    C:\WINDOWS\System32\mgabg.exe
    C:\WINDOWS\system32\regsvc.exe
    C:\WINDOWS\System32\WBEM\WinMgmt.exe
    C:\WINDOWS\system32\mspmspsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\PDesk\PDesk.exe
    C:\OfficeScan NT\pccntupd.exe
    C:\DOCUME~1\OPERAT~1\LOCALS~1\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:1080
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.it/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMI\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\Spyware_Protect\SpywareGuard\dlprotect.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk\PDesk.exe /Autolaunch
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\Spyware_Protect\SpywareGuard\sgmain.exe
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O15 - Trusted Zone: *.bansel.it
    O15 - Trusted Zone: http://www.dexara.net
    O15 - Trusted Zone: http://www.egostat.com
    O16 - DPF: ismco - https://nms.mci.com/ismco.cab
    O16 - DPF: ismcomu - https://nms.mci.com/ismcomu.cab
    O16 - DPF: ismin - https://nms.mci.com/ismin.cab
    O16 - DPF: ismoe - https://nms.mci.com/ismoe.cab
    O16 - DPF: ismrpt - https://nms.mci.com/ismrpt.cab
    O16 - DPF: ismsi - https://nms.mci.com/si/ismsi.cab
    O16 - DPF: ismtb - https://nms.mci.com/ismtb.cab
    O16 - DPF: ismtlskl - https://nms.mci.com/ismtlskl.cab
    O16 - DPF: ismtlssw - https://nms.mci.com/ismtlssw.cab
    O16 - DPF: ismxml - https://nms.mci.com/ismxml.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {532217E3-860C-4EEE-8BBD-3F342DCD9AE9} (InPop.InControl) - http://adlogix.com/pop/InPop.CAB
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/15dc4fbaa4a7de581c22/netzip/RdxIE601_it.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37874.0790393519
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab



    Only one other question, where i can find something to clear my registry? It seems that some entries are wrong or spyw modified...

    Thanks for all your support
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi helon,

    Excellent job sofar.
    Two more entries need fixing:
    O16 - DPF: {532217E3-860C-4EEE-8BBD-3F342DCD9AE9} (InPop.InControl) - http://adlogix.com/pop/InPop.CAB
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/15dc4fbaa4a7de581c22/netzip/RdxIE601_it.cab

    A recent thread about registry cleaners can be found here:
    http://www.wilderssecurity.com/showthread.php?t=16473

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.