-
November 19th, 2004, 12:50 PM
#1
Registered User
Another Hijack this log to decipher
I Ran spybot search and destroy and A2 removed gobs of spy/malware and restored functionality to IE mostly however there is one last piece that is serving up a popup that I cannot find Here is the log from that computer after 2 hrs of working on this one I need fresh eyes.
Thanks
Thorian
Logfile of HijackThis v1.97.7
Scan saved at 11:42:59 AM, on 11/19/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
c:\program files\ciscovpn\client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\mnmsrvc.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv50.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\GWHotKey.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04. exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE
C:\Program Files\DIGStream\digstream.exe
C:\WINNT\system32\dmifmsp.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\DOCUME~1\ssmith\LOCALS~1\Temp\ICD1.tmp\svcmm32. exe
C:\WINNT\system32\filmext.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavProxy.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\winupdt.exe
C:\Program Files\NetMeeting\conf.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\ssmith\Desktop\HijackThis.exe
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\Program Files\SurfSideKick 2\SskBho.dll
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINNT\bxxs5.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {42CD89B0-BC04-4306-A290-1EA14357AA1B} - C:\WINNT\system32\wlghp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04. exe
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINNT\system32\winupdtl.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINNT\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [u7EX36i] dmifmsp.exe
O4 - HKLM\..\Run: [wlghpc] C:\WINNT\system32\wlghpc.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [USB controller] "C:\DOCUME~1\ssmith\LOCALS~1\Temp\ICD1.tmp\svcmm32 .exe" /startup
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKCU\..\Run: [fwx7RWGtS] filmext.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\ciscovpn\client\ipsecdialer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...771.5611689815
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = colinsgrp.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{B6E12D37-410C-43E9-9F77-5DC51470DCB9}: NameServer = 64.91.3.46 209.142.136.85
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = colinsgrp.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = colinsgrp.com
WOTPP Recruit.
http://www.lp.org/ http://www.badnarik.org/
-
November 19th, 2004, 12:54 PM
#2
Registered User
Before you do anything else, put hijack this in it's own folder, instead of leaving it on your desktop..otherwise you will have all sorts of backups scattered all over the desktop.
-
November 19th, 2004, 02:12 PM
#3
Registered User
Did you run spybot and a-squared in safe mode? All these are bad:
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\Program Files\SurfSideKick 2\SskBho.dll
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINNT\bxxs5.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: (no name) - {42CD89B0-BC04-4306-A290-1EA14357AA1B} - C:\WINNT\system32\wlghp.dll
O4 - HKLM\..\Run: [winupdtl] C:\WINNT\system32\winupdtl.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINNT\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [u7EX36i] dmifmsp.exe
O4 - HKLM\..\Run: [wlghpc] C:\WINNT\system32\wlghpc.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [USB controller] "C:\DOCUME~1\ssmith\LOCALS~1\Temp\ICD1.tmp\svcmm32 .exe" /startup
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKCU\..\Run: [fwx7RWGtS] filmext.exe
O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
You need to run hijack in safe mode, kill the entries, then find the files and delete them as well.
Unless you know Columbia Insurance Group or CenturyTel Internet Holdings, these can go too:
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = colinsgrp.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{B6E12D37-410C-43E9-9F77-5DC51470DCB9}: NameServer = 64.91.3.46 209.142.136.85
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = colinsgrp.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = colinsgrp.com
Probability factor of one to one...we have normality, I repeat we have normality. Anything you still can't cope with is therefore your own problem.
-
November 19th, 2004, 05:09 PM
#4
Registered User
Unless you know Columbia Insurance Group or CenturyTel Internet Holdings, these can go too:
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = colinsgrp.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{B6E12D37-410C-43E9-9F77-5DC51470DCB9}: NameServer = 64.91.3.46 209.142.136.85
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = colinsgrp.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = colinsgrp.com[/QUOTE]
Actually we are columbia Insurance Group
Intertel is our phone system provider
WOTPP Recruit.
http://www.lp.org/ http://www.badnarik.org/
Similar Threads
-
By viewfinder in forum Spyware & Antivirus - Security
Replies: 3
Last Post: September 27th, 2004, 02:41 AM
-
By hiram in forum Spyware & Antivirus - Security
Replies: 4
Last Post: September 6th, 2004, 04:17 AM
-
By dfritz in forum Tech-To-Tech
Replies: 3
Last Post: August 19th, 2004, 10:52 AM
-
By BornOnFire in forum Tech-To-Tech
Replies: 10
Last Post: June 13th, 2004, 11:12 AM
-
By sabu724 in forum Windows XP
Replies: 1
Last Post: June 2nd, 2004, 12:39 PM
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|
Bookmarks