Thread: Hijackthis Log

  1. #1

    Hijackthis Log

    I'm working on a friend's machine that has been royally infested with spyware. I was wondering if any of you would look at my log file and tell me what I need to get rid of.

    Logfile of HijackThis v1.98.1
    Scan saved at 3:18:02 PM, on 10/27/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\ACS.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    c:\Toshiba\IVP\swupdate\swupdtmr.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\smsc.exe
    C:\WINDOWS\System32\syshelper.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
    C:\WINDOWS\System32\TPSMain.exe
    C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\WINDOWS\System32\TPSBattM.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Verizon Online\Dial 4.0\VisualIPInsight\IPMon32.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\avicap47.exe
    C:\WINDOWS\System32\ccfgnt33.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\svhost.exe
    C:\WINDOWS\TEMP\gr33k.exe
    C:\WINDOWS\dipset.exe
    C:\Program Files\Win Comm\WinComm.exe
    C:\Program Files\Win Comm\WinLock.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\kbdir.exe
    C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\toshiba\ivp\ism\ivpsvmgr.exe
    C:\Program Files\BullsEye Network\bin\bargains.exe
    C:\Program Files\Internet Optimizer\actalert.exe
    c:\temp\msbb.exe
    C:\Program Files\Web_Rebates\WebRebates1.exe
    C:\Program Files\Web_Rebates\WebRebates0.exe
    C:\Documents and Settings\Renee Fultz\Desktop\Anti Spyware\HijackThis 1.98.1.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://toshibadirect.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer customized for Verizon Online
    R3 - Default URLSearchHook is missing
    O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
    O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
    O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
    O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
    O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Verizon Online\Dial 4.0\VisualIPInsight\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Verizon Online\Dial 4.0\VisualIPInsight\IPMon32.exe"
    O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\acsnofpv.exe
    O4 - HKLM\..\Run: [7D55C40D] C:\WINDOWS\System32\myzgtqukwtlo.exe
    O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe
    O4 - HKLM\..\Run: [s1lk] C:\documents and settings\renee fultz\local settings\temp\s1lk.exe
    O4 - HKLM\..\Run: [2ZQLKP#2WLSCTL] C:\WINDOWS\System32\WditARpr.exe
    O4 - HKLM\..\Run: [c285cdd2b8c5] C:\WINDOWS\System32\avicap47.exe
    O4 - HKLM\..\Run: [MicrosoftUpdate] syshelper.exe
    O4 - HKLM\..\Run: [75ddd7f6ad1b] C:\WINDOWS\System32\ccfgnt33.exe
    O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Microsoft AutoUpdater] svhost.exe
    O4 - HKLM\..\Run: [Printer] C:\WINDOWS\dipset.exe
    O4 - HKLM\..\Run: [4F7k3pR] ddebrowser.exe
    O4 - HKLM\..\Run: [Microsoft Update Machines] servize.exe
    O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe
    O4 - HKLM\..\RunServices: [C5738423] C:\WINDOWS\System32\myzgtqukwtlo.exe
    O4 - HKLM\..\RunServices: [MicrosoftUpdate] syshelper.exe
    O4 - HKLM\..\RunServices: [Microsoft AutoUpdater] svhost.exe
    O4 - HKLM\..\RunServices: [Microsoft Update Machines] servize.exe
    O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] smsc.exe
    O4 - HKLM\..\RunOnce: [MicrosoftUpdate] syshelper.exe
    O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\RENEEF~1\LOCALS~1\Temp\djtopr1150.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe
    O4 - HKCU\..\Run: [LooqRfd4i] dfrpsetu.exe
    O4 - HKCU\..\Run: [kbdir] C:\WINDOWS\System32\kbdir.exe
    O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
    O4 - HKCU\..\Run: [MicrosoftUpdate] syshelper.exe
    O4 - HKCU\..\Run: [Microsoft AutoUpdater] svhost.exe
    O4 - HKCU\..\RunOnce: [MicrosoftUpdate] syshelper.exe
    O4 - HKCU\..\RunOnce: [Win32 USB2 Driver] smsc.exe
    O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe
    O9 - Extra button: Control Pad - {28D44DAC-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Dial 4.0\ControlPad\Misc\a_menu.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O15 - Trusted Zone: http://*.windowsupdate.com
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1098310179953
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
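Added example, not part of this thread and not HijackThis's own code: a small Python triage script that parses the O4 (autostart) lines of a log like the one above and scores each autostart image with a few defender heuristics (runs from a temp folder, name one edit away from a real Windows binary such as svchost.exe, random hex label, label that claims to be Microsoft/Windows, bare filename resolved through PATH search, same image registered under several Run/RunServices/RunOnce keys). The sample lines are copied from the log above except the temp-folder entry, which is constructed with the placeholder USERNAME; the heuristics, point values and threshold are this example's own assumptions.

```python
"""Triage helper for the O4 (autostart) lines of a HijackThis log.

Added example: heuristics, points and threshold are this script's own
assumptions, not part of HijackThis. SAMPLE_LOG mixes lines copied from the
log in the post with one constructed line (user name replaced by USERNAME).
"""
import re

# O4 - <hive>\..\<key>: [<label>] <command line>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunOnce|RunServices): "
    r"\[(?P<label>[^\]]*)\] (?P<cmd>.*)$"
)
# Genuine Windows binaries that malware likes to imitate (assumption: short list).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe",
                   "winlogon.exe", "ctfmon.exe", "explorer.exe"}
IMPERSONATION = re.compile(r"(?i)microsoft|windows|win32|cryptographic")
HEX_LABEL = re.compile(r"^[0-9A-Fa-f]{8,}$")


def parse_o4(line):
    """Return hive/key/label/cmd for an O4 line, None for any other line."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def command_image(cmd):
    """Extract the executable path: honour quotes, and for unquoted paths cut
    after the first '.exe' so that spaces inside the path survive."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(?i)(.*?\.exe)(\s|$)", cmd)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def levenshtein(a, b):
    """Edit distance, used to catch look-alikes such as svhost vs svchost."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def entry_reasons(label, image):
    """Per-entry heuristics, each yielding (points, reason)."""
    name = image.rsplit("\\", 1)[-1].lower()
    reasons = []
    if "\\temp\\" in image.lower():
        reasons.append((3, "runs from a temp folder"))
    for known in sorted(SYSTEM_BINARIES):
        if name != known and levenshtein(name, known) == 1:
            reasons.append((3, f"name imitates {known}"))
    if HEX_LABEL.match(label):
        reasons.append((2, "random hex label"))
    if IMPERSONATION.search(label) and name not in SYSTEM_BINARIES:
        reasons.append((2, "label impersonates Windows/Microsoft"))
    if "\\" not in image:
        reasons.append((1, "bare filename resolved through PATH search"))
    return reasons


def triage(lines, threshold=2):
    """Score each autostart image across all O4 lines; return
    {image name: {"score", "reasons", "keys"}} for images at/above threshold."""
    seen = {}
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        image = command_image(entry["cmd"])
        name = image.rsplit("\\", 1)[-1].lower()
        rec = seen.setdefault(name, {"points": {}, "keys": set()})
        rec["keys"].add(f"{entry['hive']}\\{entry['key']}")
        for pts, why in entry_reasons(entry["label"], image):
            rec["points"][why] = pts  # the same reason counts once per image
    out = {}
    for name, rec in seen.items():
        extra = len(rec["keys"]) - 1  # +1 for every additional autostart key
        if extra:
            rec["points"][f"registered under {len(rec['keys'])} autostart keys"] = extra
        score = sum(rec["points"].values())
        if score >= threshold:
            out[name] = {"score": score, "reasons": set(rec["points"]), "keys": rec["keys"]}
    return out


SAMPLE_LOG = [
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r'O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe',
    r'O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\acsnofpv.exe',
    r'O4 - HKLM\..\Run: [7D55C40D] C:\WINDOWS\System32\myzgtqukwtlo.exe',
    r'O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe',
    # constructed line: real user name replaced by the placeholder USERNAME
    r'O4 - HKLM\..\Run: [s1lk] C:\documents and settings\USERNAME\local settings\temp\s1lk.exe',
    r'O4 - HKLM\..\Run: [MicrosoftUpdate] syshelper.exe',
    r'O4 - HKLM\..\Run: [Microsoft AutoUpdater] svhost.exe',
    r'O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe',
    r'O4 - HKLM\..\RunServices: [C5738423] C:\WINDOWS\System32\myzgtqukwtlo.exe',
    r'O4 - HKLM\..\RunServices: [Microsoft AutoUpdater] svhost.exe',
    r'O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] smsc.exe',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe',
    r'O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe',
    r'O4 - HKCU\..\Run: [MicrosoftUpdate] syshelper.exe',
    r'O4 - HKCU\..\Run: [Microsoft AutoUpdater] svhost.exe',
]

if __name__ == "__main__":
    for name, rec in sorted(triage(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["score"]):
        print(f"{rec['score']:2d}  {name:20s} {', '.join(sorted(rec['reasons']))}")
```

The scores are a prioritisation aid, not a verdict: a bare filename alone is a weak signal (the OEM entries ATIModeChange or AGRSMMSG in the log above are legitimate and score only 1), so each flagged image still has to be confirmed on disk and against a known-good list, such as the online analysis the reply below points to, before anything is removed.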

  2. #2
    AO Ancient: Team Leader. Join Date: Oct 2002. Posts: 5,197
    Go here and follow the instructions. Remove the obvious ones and then post the new logs so we can work from there.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3
    Well, you are right about the fact that your friend's computer is royally infested with malware. Anyway, here is an analysis of your HijackThis log:
    http://hijackthis.de/logfiles/c71d91...908db5fb2.html
    See the results yourself: about 36 nasty entries there.

    Simple rules to get rid of these infections:
    1. Use a spyware cleaner like Spybot: security.kolla.de or www.lavasoft.de
    2. Run these scanners in safe mode also.
    3. Switch to the Firefox web browser.
    4. Use an anti-virus.
    5. Use a good firewall; monitor its logs, and create rules with care!
    6. Update, update, update and update.
    Also use the Immunize feature in Spybot.
    Anyway, running the above-mentioned anti-spyware software should do the job for you.
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.
