Another Hijack this log to decipher

  1. #1 thorian (Registered User, joined Aug 2004, 280 posts)

    I ran Spybot Search & Destroy and A2, which removed gobs of spy/malware and mostly restored functionality to IE; however, there is one last piece that is serving up a popup that I cannot find. Here is the log from that computer. After 2 hrs of working on this one I need fresh eyes.

    Thanks

    Thorian

    Logfile of HijackThis v1.97.7
    Scan saved at 11:42:59 AM, on 11/19/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\SYSTEM32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\Ati2evxx.exe
    c:\program files\ciscovpn\client\cvpnd.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\mnmsrvc.exe
    C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
    C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv50.exe
    C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\GWMDMMSG.exe
    C:\WINNT\GWHotKey.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04. exe
    C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE
    C:\Program Files\DIGStream\digstream.exe
    C:\WINNT\system32\dmifmsp.exe
    C:\Program Files\AutoUpdate\AutoUpdate.exe
    C:\DOCUME~1\ssmith\LOCALS~1\Temp\ICD1.tmp\svcmm32. exe
    C:\WINNT\system32\filmext.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Panda Software\Panda Antivirus Platinum\pavProxy.exe
    C:\WINNT\system32\wuauclt.exe
    C:\WINNT\system32\winupdt.exe
    C:\Program Files\NetMeeting\conf.exe
    C:\Program Files\CxtPls\CxtPls.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\ssmith\Desktop\HijackThis.exe

    R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\Program Files\SurfSideKick 2\SskBho.dll
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINNT\bxxs5.dll
    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {42CD89B0-BC04-4306-A290-1EA14357AA1B} - C:\WINNT\system32\wlghp.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
    O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
    O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04. exe
    O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
    O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [winupdtl] C:\WINNT\system32\winupdtl.exe
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINNT\bxxs5.dll,DllRun
    O4 - HKLM\..\Run: [u7EX36i] dmifmsp.exe
    O4 - HKLM\..\Run: [wlghpc] C:\WINNT\system32\wlghpc.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [USB controller] "C:\DOCUME~1\ssmith\LOCALS~1\Temp\ICD1.tmp\svcmm32 .exe" /startup
    O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
    O4 - HKCU\..\Run: [fwx7RWGtS] filmext.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\ciscovpn\client\ipsecdialer.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...771.5611689815
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = colinsgrp.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B6E12D37-410C-43E9-9F77-5DC51470DCB9}: NameServer = 64.91.3.46 209.142.136.85
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = colinsgrp.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = colinsgrp.com

  2. #2 geoscomp (Registered User, joined Apr 2002, Minnesota, 2,340 posts)
    Before you do anything else, put HijackThis in its own folder instead of leaving it on your desktop. Otherwise you will have all sorts of backups scattered all over the desktop.

  3. #3 hudsonsmith (Registered User, joined Feb 2003, New York, 2,276 posts)
    Did you run Spybot and a-squared in safe mode? All these are bad:
    R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\Program Files\SurfSideKick 2\SskBho.dll
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINNT\bxxs5.dll
    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
    O2 - BHO: (no name) - {42CD89B0-BC04-4306-A290-1EA14357AA1B} - C:\WINNT\system32\wlghp.dll
    O4 - HKLM\..\Run: [winupdtl] C:\WINNT\system32\winupdtl.exe
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINNT\bxxs5.dll,DllRun
    O4 - HKLM\..\Run: [u7EX36i] dmifmsp.exe
    O4 - HKLM\..\Run: [wlghpc] C:\WINNT\system32\wlghpc.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [USB controller] "C:\DOCUME~1\ssmith\LOCALS~1\Temp\ICD1.tmp\svcmm32 .exe" /startup
    O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
    O4 - HKCU\..\Run: [fwx7RWGtS] filmext.exe
    O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
    You need to run HijackThis in safe mode, kill the entries, then find the files and delete them as well.

    Unless you know Columbia Insurance Group or CenturyTel Internet Holdings, these can go too:
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = colinsgrp.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B6E12D37-410C-43E9-9F77-5DC51470DCB9}: NameServer = 64.91.3.46 209.142.136.85
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = colinsgrp.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = colinsgrp.com

  4. #4 thorian (Registered User, joined Aug 2004, 280 posts)
    > Unless you know Columbia Insurance Group or CenturyTel Internet Holdings, these can go too:
    > O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = colinsgrp.com
    > O17 - HKLM\System\CCS\Services\Tcpip\..\{B6E12D37-410C-43E9-9F77-5DC51470DCB9}: NameServer = 64.91.3.46 209.142.136.85
    > O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = colinsgrp.com
    > O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = colinsgrp.com

    Actually, we are Columbia Insurance Group.
    Intertel is our phone system provider.
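As an added example (not code from anyone in this thread, nor from HijackThis itself), a small Python triage helper for log lines in the HijackThis v1.97 format shown above: it parses R3/O2/O4/O17 entries into records and lists the ones a reviewer should look at first, in the spirit of hudsonsmith's "all these are bad" list. The sample lines are constructed from the log above, and the heuristics (Temp-directory autoruns, bare filenames resolved via PATH, unnamed browser helpers, registry-set DNS servers) are assumptions for triage, not proof that an entry is malicious.

```python
import re
from collections import namedtuple
# Constructed sample in HijackThis v1.97 format, modelled on entry types in the log above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {42CD89B0-BC04-4306-A290-1EA14357AA1B} - C:\WINNT\system32\wlghp.dll
O4 - HKLM\..\Run: [USB controller] "C:\DOCUME~1\ssmith\LOCALS~1\Temp\ICD1.tmp\svcmm32.exe" /startup
O4 - HKLM\..\Run: [u7EX36i] dmifmsp.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B6E12D37-410C-43E9-9F77-5DC51470DCB9}: NameServer = 64.91.3.46 209.142.136.85
"""

LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
BHO_RE = re.compile(r"^(?:BHO|URLSearchHook): \((?P<name>[^)]*)\) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
RUN_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
DNS_RE = re.compile(r"NameServer = (?P<servers>.+)$")

# code = section (O2/O4/...), label = Run value name or BHO name, target = path/command/servers
Entry = namedtuple("Entry", "code label target raw")

def parse_log(text):
    """Turn O2/R3/O4/O17 lines into Entry records; other sections are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code in ("O2", "R3") and (b := BHO_RE.match(body)):
            entries.append(Entry(code, b.group("name"), b.group("path"), raw))
        elif code == "O4" and (r := RUN_RE.match(body)):
            entries.append(Entry(code, r.group("label"), r.group("cmd"), raw))
        elif code == "O17" and (d := DNS_RE.search(body)):
            entries.append(Entry(code, "NameServer", d.group("servers"), raw))
    return entries

def triage(entries):
    """Return (entry, reason) pairs worth a reviewer's attention; heuristics, not proof of malice."""
    findings = []
    for e in entries:
        exe = e.target.strip('"').split()[0]          # first token of the command line / path
        if e.code == "O4" and re.search(r"\\temp\\", e.target, re.I):
            findings.append((e, "autorun launched from a Temp directory"))
        elif e.code == "O4" and "\\" not in exe:
            findings.append((e, "bare filename resolved via PATH; confirm which file actually runs"))
        elif e.code in ("O2", "R3") and e.label == "no name":
            findings.append((e, "unnamed browser helper; verify the DLL's publisher before trusting it"))
        elif e.code == "O17":
            findings.append((e, "DNS servers set in the registry; confirm they belong to the ISP"))
    return findings
```

Point `parse_log` at a saved HijackThis log to get the same triage over a real scan; the legitimate TeaTimer entry in the sample is left alone, which is the expected outcome for well-formed Program Files paths.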
