Need Help with Hijack This log...


  1. #1
    AFLAAACKKK!!
    Join Date
    Apr 2004
    Posts
    1,066

    Need Help with Hijack This log...

    I have recently been hit with a huge spyware/adware attack. I accidentally clicked yes to a pop-up, and boy, will I never make that mistake again lol. Anyway, I was hit with well over 200 pieces of malware. I spent hours cleaning up after it with Spybot, Adaware, and CWShredder. But I still notice things, like my connection dropping, which was already discussed, and also pop-ups and this weird box that pops up, and the only way to get rid of it is to restart my comp. I did a HijackThis scan, check it out... Now I'm no HijackThis genius, but I don't think the "hosts" entries are a good sign that my fully updated Spybot, Adaware, and CWShredder, not to mention Avast!, did their job very well...

    Logfile of HijackThis v1.97.7
    Scan saved at 12:22:32 AM, on 8/6/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
    C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
    C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\Program Files\2Wire\Gateway\2PortalMon.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\Program Files\AIM\aim.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\Program Files\2Wire Wireless\Client Manager\CMTWO.EXE
    C:\WINDOWS\system32\RAMASST.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NTS\ENTERN~1\app\pppoeservice.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
    C:\Documents and Settings\Devin Taylor\Desktop\Devin computer defenses\hijackthis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcyds.../www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8100
    O1 - Hosts: 64.200.25.145 gator.com #cooklop
    O1 - Hosts: 64.200.25.145 www.gator.com #cooklop
    O1 - Hosts: 64.200.25.145 doubleclick.net #cooklop
    O1 - Hosts: 64.200.25.145 www.doubleclick.net #cooklop
    O1 - Hosts: 64.200.25.145 tripod.com #cooklop
    O1 - Hosts: 64.200.25.145 www.tripod.com #cooklop
    O1 - Hosts: 64.200.25.145 adultfriendfinder.com #cooklop
    O1 - Hosts: 64.200.25.145 www.adultfriendfinder.com #cooklop
    O1 - Hosts: 64.200.25.145 cj.com #cooklop
    O1 - Hosts: 64.200.25.145 www.cj.com #cooklop
    O1 - Hosts: 64.200.25.145 paypopup.com #cooklop
    O1 - Hosts: 64.200.25.145 www.paypopup.com #cooklop
    O1 - Hosts: 64.200.25.145 trafficmp.com #cooklop
    O1 - Hosts: 64.200.25.145 www.trafficmp.com #cooklop
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 28
    O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
    O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
    O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
    O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2PortalMon.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - Global Startup: 2Wire Wireless Client Manager.lnk = ?
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O9 - Extra button: Joyo (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: PowerWord (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://surechat.com:9000/Java/cfs31229.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_41.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
    O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://www.ea.com/downloads/rtpatch/EARTPX.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
    O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab


    Thanks in advance for any help
    I am the uber duck!!1
    Proxy Tools

  2. #2
    BANNED
    Join Date
    Nov 2003
    Location
    San Diego
    Posts
    724
    I'm not that great at reading HijackThis logs, but I did a search on lspak.dll and came up with some things. It seems you can't just delete it or it will screw up your connection. You need to run LSP-Fix from here first: http://www.cexx.org/lspfix.htm. Then it will be safe for removal. Hope this helps.
    When death sleeps it dreams of you...

  3. #3
    AFLAAACKKK!!
    Join Date
    Apr 2004
    Posts
    1,066
    Well, I would try that out, but the link doesn't work...
    I am the uber duck!!1
    Proxy Tools

  4. #4
    Before we go any further-

    Confirm for us that you ran updated spybot, adaware, and AV scans in both safe and normal mode?

    Also run housecall.trendmicro.com's virus scanner.

  5. #5
    AFLAAACKKK!!
    Join Date
    Apr 2004
    Posts
    1,066
    Yes I have, I also ran other things like BitDefender's online scan and a couple of others...
    I am the uber duck!!1
    Proxy Tools

  6. #6
    BANNED
    Join Date
    Nov 2003
    Location
    San Diego
    Posts
    724
    Blah, the link doesn't work because it has a period at the end of it http://www.cexx.org/lspfix.htm
    When death sleeps it dreams of you...

  7. #7
    I'm going to recommend to you, what everyone reading this log is going to be doing anyways:

    http://www.google.com


    I'm not flaming you, just being honest. That's how HijackThis logs are responded to: people google the information for you.

  8. #8
    AntiOnline n00b
    Join Date
    Feb 2004
    Posts
    666
    hi

    Or wait for the HijackThis Team to arrive... Tsk tsk, Groove and meeeeee.

    Personally I am not good at reading these logs, so I don't even try to... so the best thing is to ask someone who knows what to look for... apart from Google.

    What I would suggest is: don't take random advice on these CWS Trojan issues... these things are interlinked and there is a set procedure to get rid of them... deleting random files will generally not help... Take advice from one person, and make sure that person knows what to look for... So wait for someone like those two gentlemen to arrive... they might be able to help you appropriately... both are generally quick to respond to these kinds of threads these days...


    --Good Luck--

  9. #9
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,019
    Quote: "I'm going to recommend to you, what everyone reading this log is going to be doing anyways:"

    Muerto, good catch. Removing O10's with HJT will break your internet connection by destroying your Winsock, which in most cases requires a reinstall of the OS. You won't find that on Google.

    ***************

    Create a new restore point first. Most times this next step works flawlessly, but I want you to be prepared in case you are the 1% where it goes wrong.

    Please download LSPFix from http://www.cexx.org/lspfix.htm and run the program. Disconnect from the Internet and close all Internet Explorer windows. Check the "I know what I'm doing" button and remove all traces of lspak.dll and cdlsp.dll, and nothing else. Reboot.

    Download the VX2 plug-in for Adaware from here:
    http://updates.ls-servers.com/plvx2cleaner.exe
    Install it, but don't run it yet.

    Also, verify that Adaware is fully up to date. New definitions came out yesterday.

    Update your version of HJT to 1.98 from here:
    http://www.downloads.subratam.org/hijackthis.zip

    Put a checkmark next to the following entries in HijackThis. Make sure all
    other windows and browsers are closed before clicking on "Fix Checked".

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcyd...//www.yahoo.com
    O1 - Hosts: 64.200.25.145 gator.com #cooklop
    O1 - Hosts: 64.200.25.145 www.gator.com #cooklop
    O1 - Hosts: 64.200.25.145 doubleclick.net #cooklop
    O1 - Hosts: 64.200.25.145 www.doubleclick.net #cooklop
    O1 - Hosts: 64.200.25.145 tripod.com #cooklop
    O1 - Hosts: 64.200.25.145 www.tripod.com #cooklop
    O1 - Hosts: 64.200.25.145 adultfriendfinder.com #cooklop
    O1 - Hosts: 64.200.25.145 www.adultfriendfinder.com #cooklop
    O1 - Hosts: 64.200.25.145 cj.com #cooklop
    O1 - Hosts: 64.200.25.145 www.cj.com #cooklop
    O1 - Hosts: 64.200.25.145 paypopup.com #cooklop
    O1 - Hosts: 64.200.25.145 www.paypopup.com #cooklop
    O1 - Hosts: 64.200.25.145 trafficmp.com #cooklop
    O1 - Hosts: 64.200.25.145 www.trafficmp.com #cooklop
    O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab

    ***********************************************************************

    Open notepad and paste in the following lines:

    del c:\*.tmp
    del %temp%\*.tmp /f
    del %windir%\prefetch\*.*
    del %windir%\temp\*.* /f

    Save to desktop as 'clean.bat' , file types-‘all files’

    ***********************************************************************

    Reboot into safe mode.

    Run Adaware with the following options:

    • Configure Ad-aware
      • Click on the Gear-shaped icon at the top to open the Settings window.
      • All of the following settings I mention should be enabled (green checkmark). Some settings cannot be enabled in certain versions of Windows. If a setting I mention is grey and can't be enabled, skip it.
      • General Settings - Automatically save log-file, Automatically quarantine objects prior to removal, and Safe Mode (always request confirmation)
      • Scanning Settings
        • Scan Within Archives
        • Click on 'Click here to select drives + folders' and check next to each hard drive then hit ok.
        • Scan Active Processes
        • Scan Registry
        • Deep Scan Registry
        • Scan my IE favorites for banned URL’s
        • Scan my Hosts file
      • Advanced Settings - Enable all four options under 'Log-file Detail level'
      • Tweak Settings
        • Under 'Scanning Engine' - Enable 'Unload recognized processes during scanning', 'Include basic Ad-aware settings in logfile', and 'Include additional Ad-aware settings in logfile'
        • Under ‘Cleaning Engine’ - Enable 'Let Windows remove files in use at next reboot'
      • Click Proceed
    • Click on the 'Start' button in the lower right.
    • Select 'Use custom scanning options', enable 'Activate in-depth scanning', and click Next. The scan will take several minutes to complete. When the scan is complete click Next.
    • Right click on the list of items and click 'Select all items' then click Next. Press Yes to confirm. The detected items are now quarantined.
    • Close Ad-aware
    Next, open Adaware again, and run the VX2 finder Plugin that you installed.

    Then run adaware again to clean up what the plug in found.

    Run the clean.bat that you created before.

    Then reboot and post a new log.
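    As an added example (not code from this thread, from the poster, or from HijackThis itself), here is a small Python triage script for the log format posted at the top of the thread. It applies the same two rules this post's fix list does: O1 hosts entries that point anywhere other than a loopback/sinkhole address are redirects and are listed as safe to fix in HJT, while O10 Winsock LSP entries are only counted and reported, because they are to be handed to LSPFix rather than fixed in HJT. The sample log is a constructed excerpt modelled on the one above.

```python
"""Triage a HijackThis v1.9x log: flag hosts-file redirects (O1) and Winsock LSP entries (O10)."""
import re
from collections import Counter

# Constructed excerpt in the HijackThis log format (not a real captured log).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8100
O1 - Hosts: 64.200.25.145 gator.com #cooklop
O1 - Hosts: 64.200.25.145 www.doubleclick.net #cooklop
O1 - Hosts: 127.0.0.1 ads.example.invalid
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
"""

# Every HJT entry is "<section> - <body>", sections are R0-R3, F0-F3, N1-N4, O1-O23.
ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
LSP_RE = re.compile(r"^Unknown file in Winsock LSP:\s+(?P<path>.+)$")
# A hosts entry pointing at one of these is an ad blocklist, not a redirect.
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

def parse_entries(text):
    """Yield (section, body) for every HijackThis entry line; other lines are ignored."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("sec"), m.group("body")

def triage(text):
    """Return {'hosts_redirects': [(host, ip), ...], 'lsp_files': {path: count}}."""
    redirects, lsp = [], Counter()
    for sec, body in parse_entries(text):
        if sec == "O1":
            h = HOSTS_RE.match(body)
            if h and h.group("ip") not in SINKHOLE_IPS:
                redirects.append((h.group("host"), h.group("ip")))
        elif sec == "O10":
            l = LSP_RE.match(body)
            if l:
                lsp[l.group("path").lower()] += 1  # LSP chains list the same DLL several times
    return {"hosts_redirects": redirects, "lsp_files": dict(lsp)}

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for host, ip in result["hosts_redirects"]:
        print(f"O1 redirect: {host} -> {ip} (hosts-file hijack; can be fixed in HJT)")
    for path, n in result["lsp_files"].items():
        print(f"O10 LSP: {path} x{n} (remove with LSPFix, not HJT: HJT breaks Winsock)")
```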

  10. #10
    They call me the Hunted foxyloxley's Avatar
    Join Date
    Nov 2003
    Location
    3rd Rock from Sun
    Posts
    2,528
    I'm sure that Soda hasn't forgotten that he is the author of the following thread on HJT log reading...

    So I'll post it anyway.

    http://www.antionline.com/showthread...hreadid=255989

    [edit] belay that, pull up a chair and listen real close, let Uncle Groove tell you a story. [/edit]
    55 - I'm fiftyfeckinfive and STILL no wiser,
    OLDER yes
    Beware of Geeks bearing GIF's
    come and waste the day :P at The Taz Zone
