
Can anyone help with this Hijackthis log file please?

Discussion in 'Virus & Other Malware Removal' started by pileyrei, Dec 16, 2003.

  1. pileyrei

    pileyrei Thread Starter

    Joined:
    Sep 16, 2003
    Messages:
    594
    Hi

    This is my work PC, and so some things may look "alien" when in fact they are internal programs.

    Basically I seem to have loads of spyware. Each day spybot finds different things.

    Any ideas on what I can definitely delete?

    Logfile of HijackThis v1.97.7
    Scan saved at 3:52:48 PM, on 12/16/2003
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\ibmpmsvc.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\msdtc.exe
    C:\WINNT\MS\SMS\CORE\BIN\CLISVCL.EXE
    C:\PROGRA~1\NavNT\DefWatch.exe
    C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
    C:\PROGRA~1\NavNT\rtvscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    c:\winnt\system32\wscript.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\mqsvc.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\MS\SMS\clicomp\apa\Bin\smsapm32.exe
    C:\WINNT\system32\tp4serv.exe
    C:\WINNT\system32\RunDll32.exe
    C:\WINNT\system32\PRPCUI.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
    C:\PROGRA~1\NavNT\vptray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINNT\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe
    C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    C:\Program Files\AproposClient\Apropos.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\WINNT\regedit.exe
    C:\Documents and Settings\All Users\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myfunstart.com/index.cfm?pc=bwhp5
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://aponline.apci.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
    R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\AproposClient\AproposPlugin.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {146F1A76-A982-43BE-B533-526AB70E8A9C} - C:\WINNT\system32\ddheml.dll
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: (no name) - {94927A13-4AAA-476A-989D-392456427688} - C:\WINNT\system32\mseclk.dll
    O2 - BHO: (no name) - {96BE1D9A-9E54-4344-A27A-37C088D64FB4} - C:\WINNT\system32\mseffm.dll
    O2 - BHO: (no name) - {CC916B4B-BE44-4026-A19D-8C74BBD23361} - C:\WINNT\system32\mscdka.dll
    O2 - BHO: (no name) - {D319662B-D5BF-4538-ADF3-8D3E36362608} - C:\Documents and Settings\All Users\Application Data\X0ff\X0ff.dll
    O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINNT\system32\msobfl.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
    O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
    O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
    O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
    O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WinMsg50RegSet] C:\winnt\regedit.exe /s "C:\Program Files\AirProducts\WinMsgr50\HKCUSettings.reg"
    O4 - HKLM\..\Run: [WinMsg50IMSet] C:\WINNT\System32\wscript.exe "C:\Program Files\AirProducts\WinMsgr50\IMSetting.vbs"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [msmc] C:\WINNT\system32\msgdmf.exe
    O4 - Startup: Fix GAD Apps.lnk = C:\Program Files\Executive Software\DiskeeperWorkstation\Icon.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://aponline.apci.com
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/abarth/us/win/QuickTimeInstaller.exe
    O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} (IEAnimBehaviorFactory Class) - http://download.microsoft.com/download/vizact2000/Install/10/WIN98Me/EN-US/msorun.cab
    O16 - DPF: {ABD45F35-2E4C-44C0-A075-6EF1DE75398E} (accel Class) - http://www.riversoftware.net/x0ff.cab
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = america.apci.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = america.apci.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = america.apci.com,apci.com,europe.apci.com,ape.apci.com,asiapac.apci.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = america.apci.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = america.apci.com,apci.com,europe.apci.com,ape.apci.com,asiapac.apci.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = america.apci.com,apci.com,europe.apci.com,ape.apci.com,asiapac.apci.com

    Thanks

    Pileyrei
     
  2. Sephiroth11

    Sephiroth11

    Joined:
    Sep 24, 2003
    Messages:
    298
    I don't see anything out of the ordinary... But, to make sure... run spybot again, then download SpyWareGuard from http://www.wilderssecurity.net/spywareguard.html and install it. Use the "LiveUpdate" feature of it and get the latest updates for it. This program is a real-time application and filters out most spyware.
     
  3. pileyrei

    pileyrei Thread Starter

    Joined:
    Sep 16, 2003
    Messages:
    594
    I've been Hijacked!

    heheh.

    Thanks Cybertech.

    Regards

    Pileyrei
     
  4. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    55,790
    First Name:
    Derek
    Hi Pileyrei

    Fix all these in HJT as you have done before:


    R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
    R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\AproposClient\AproposPlugin.dll
    O2 - BHO: (no name) - {146F1A76-A982-43BE-B533-526AB70E8A9C} - C:\WINNT\system32\ddheml.dll
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: (no name) - {94927A13-4AAA-476A-989D-392456427688} - C:\WINNT\system32\mseclk.dll
    O2 - BHO: (no name) - {96BE1D9A-9E54-4344-A27A-37C088D64FB4} - C:\WINNT\system32\mseffm.dll
    O2 - BHO: (no name) - {CC916B4B-BE44-4026-A19D-8C74BBD23361} - C:\WINNT\system32\mscdka.dll
    O2 - BHO: (no name) - {D319662B-D5BF-4538-ADF3-8D3E36362608} - C:\Documents and Settings\All Users\Application Data\X0ff\X0ff.dll
    O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINNT\system32\msobfl.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [msmc] C:\WINNT\system32\msgdmf.exe
    O16 - DPF: {ABD45F35-2E4C-44C0-A075-6EF1DE75398E} (accel Class) - http://www.riversoftware.net/x0ff.cab
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab

    reboot & delete all these files
    C:\WINNT\system32\ddheml.dll
    C:\WINNT\system32\mseclk.dll
    C:\WINNT\system32\mseffm.dll
    C:\WINNT\system32\mscdka.dll
    C:\WINNT\system32\msobfl.dll
    C:\WINNT\system32\msgdmf.exe

    and these folders
    C:\PROGRAM FILES\INCREDIFIND\
    C:\Documents and Settings\All Users\Application Data\X0ff\

    Download & Run CWshredder from
    http://www.merijn.org/cwschronicles.html

    and make sure you follow the advice about the security updates listed at the bottom of the page, in order to prevent re-infection, otherwise you will be continually reinfected

    then reboot &
    Download Spybot - Search & Destroy from http://security.kolla.de

    After installing, first press Online, press search for updates, then tick the updates it finds, then press download updates. Beside the download button is a little down pointed arrow, select one of the servers listed. If it doesn't work or you get an error message then try a different server

    Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

    then reboot &
    download AdAware 6
    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".

    Then ........

    Make sure the following settings are made and on -------"ON=GREEN"
    From main window :Click "Start" then " Activate in-depth scan"

    then......

    click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

    then.........

    go to settings(the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning" ...........then........"Cleaning engine" and "Let windows remove files in use at next reboot"

    then...... click "proceed" to save your settings.

    Now to scan, it's just a matter of clicking the "Scan" button.

    When scan is finished, mark everything for removal and get rid of it.

    THEN TO STOP THIS CONSTANTLY HAPPENING READ HERE
    go here http://forums.net-integration.net/index.php?showtopic=3051 for info on how to tighten your security settings and how to help prevent future attacks.
    On this page you will find links to Javacool's SpywareBlaster and SpywareGuard. Get them both and check for updates frequently.
    The Immunize feature in Spybot, used in conjunction with SpywareBlaster, SpywareGuard and weekly scans with Spybot and AdAware, will go a long way toward keeping your PC free of these pests.

    Important!: ALWAYS check for updated detections and referencefiles before scanning with Spybot and Adaware. And be sure to check for updates to SpywareBlaster and SpywareGuard on a weekly basis.

    And have a happy Xmas and a scumware free new year
     
  6. Sephiroth11

    Sephiroth11

    Joined:
    Sep 24, 2003
    Messages:
    298
    Alright, am I doing something wrong? It seems whenever I post tech for someone, there is usually another more qualified person that acts like my post was invisible and tells the person more steps. Was I right to recommend SpywareGuard?
     
  7. bandit429

    bandit429

    Joined:
    Feb 11, 2002
    Messages:
    4,962
    Absolutely not, Sephiroth11. There are 3 things about posting tech. Number one: always be prepared for the worst. OK, what is the worst? Causing someone to lose all they have in their computer because a mistake was made. Number 2: never ever take it personally because you missed something; realise it's an opportunity to learn and seize that opportunity. Number 3: we here are ALL your friends who are here to back you up, the same as you should us if you see we missed something. It's a team play.


    :) :D ;)

    I'm sorry, I cannot comment about SpywareGuard; you know more about that than I.
     
  8. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    55,790
    First Name:
    Derek
    Hi Sephiroth. No, you are doing nothing wrong; as bandit says, it's all team play and a matter of learning and recognising the baddies.

    SpywareGuard is very good at stopping new baddies getting on. It does not, and isn't designed to, remove them.

    Much of dealing with these parasites just takes a bit of recognizing what doesn't look right.

    I just noticed that certain files looked wrong, and then, when you suspect something, you start to do a few investigations.

    Basically, if a BHO comes up in Google with no entries, it is almost guaranteed to be one of the baddies using random names or ID numbers.

    Then check out the BHO lists and startup lists at http://www.sysinfo.org/index.php

    They carry the most up-to-date known lists of BHOs and startup entries, and tell you if they are good or bad.

    After a while you start to get the feel of a baddie even if it looks like a genuine file.

    The standard routine should always be to recommend running CWShredder, Spybot and AdAware, even if you can't see any obvious baddies. They will pick up lots that don't appear in a HJT log.

    Then, after it's clean, recommend applications to prevent the baddies getting on in the first place, like SpywareGuard etc.
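The rules of thumb Derek gives above (a BHO whose CLSID turns up nothing, a random-looking DLL name in system32, a registry entry pointing at a file that is gone, an ActiveX download from a host nobody recognises, a start page that no longer matches the machine's default) can be written down as a small triage script. The following is an added example written for this page, not a tool from the thread or from HijackThis itself. The sample log lines are copied from pileyrei's log earlier in the thread, and the three allow-lists are assumptions that stand in for a lookup against the sysinfo.org lists or a web search for the CLSID.

```python
"""Triage a HijackThis (HJT) log with the rules of thumb from the post above.

Added example, not code from the thread or from HijackThis. The allow-lists
are assumptions standing in for a lookup against the sysinfo.org BHO/startup
lists (or a web search for the CLSID); they hold only entries that this
thread's own log shows to be legitimate.
"""
import re
from urllib.parse import urlparse

# Assumption: allow-lists seeded from entries the thread treats as legitimate.
KNOWN_GOOD_CLSIDS = {
    "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}",  # Adobe Acrobat Reader AcroIEHelper
    "{D27CDB6E-AE6D-11CF-96B8-444553540000}",  # Shockwave Flash Object
    "{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}",  # QuickTime Object
}
KNOWN_GOOD_HOSTS = {"download.macromedia.com", "www.apple.com", "download.microsoft.com"}
KNOWN_GOOD_RUN_NAMES = {"trackpointsrv", "prpcmonitor", "tptray", "vptray", "msmsgs"}

LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")   # "O2 - BHO: ..."
CLSID_RE = re.compile(r"\{[0-9A-F-]{36}\}", re.I)
SYSTEM32_RE = re.compile(r"\\system32\\([^\\]+)$", re.I)      # file launched from system32

# Constructed sample: a subset of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
C:\WINNT\system32\svchost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myfunstart.com/index.cfm?pc=bwhp5
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://aponline.apci.com
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {146F1A76-A982-43BE-B533-526AB70E8A9C} - C:\WINNT\system32\ddheml.dll
O2 - BHO: (no name) - {94927A13-4AAA-476A-989D-392456427688} - C:\WINNT\system32\mseclk.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKCU\..\Run: [msmc] C:\WINNT\system32\msgdmf.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {ABD45F35-2E4C-44C0-A075-6EF1DE75398E} (accel Class) - http://www.riversoftware.net/x0ff.cab
"""


def parse(log_text):
    """Yield (code, body) for each HJT entry line; the process list and headers are skipped."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("code"), m.group("body")


def _host_after_equals(body):
    """Hostname of the URL on the right-hand side of an 'R0'/'R1' entry."""
    return urlparse(body.split("=", 1)[1].strip()).hostname


def triage(log_text):
    """Return [(code, verdict, reason)] for every entry worth a second look.

    'orphan'  = the registry still points at a file that is gone (safe to fix);
    'suspect' = unknown CLSID, unknown DLL in system32, unknown ActiveX host,
                or a start page that differs from the machine's default page.
    """
    entries = list(parse(log_text))
    # R1 Default_Page_URL is the baseline the R0 Start Page should match.
    default_host = next((_host_after_equals(b) for c, b in entries
                         if c == "R1" and "Default_Page_URL" in b), None)
    findings = []
    for code, body in entries:
        if code == "R0" and "Start Page" in body:
            host = _host_after_equals(body)
            if default_host and host != default_host:
                findings.append((code, "suspect", f"start page {host} differs from default {default_host}"))
        elif code in ("R3", "O2"):
            m = CLSID_RE.search(body)
            clsid = m.group(0).upper() if m else "(no CLSID)"
            if body.endswith("(no file)"):
                findings.append((code, "orphan", f"{clsid} points at a missing file"))
            elif clsid not in KNOWN_GOOD_CLSIDS:
                s = SYSTEM32_RE.search(body)
                why = f"unknown DLL {s.group(1)} in system32" if s else "CLSID not in allow-list"
                findings.append((code, "suspect", f"{clsid}: {why}"))
        elif code == "O4":
            m = re.search(r"\[(.+?)\]", body)
            name = m.group(1).lower() if m else ""
            s = SYSTEM32_RE.search(body)
            if s and name not in KNOWN_GOOD_RUN_NAMES:
                findings.append((code, "suspect", f"Run value [{name}] launches {s.group(1)} from system32"))
        elif code == "O16":
            host = urlparse(body.rsplit(" - ", 1)[-1]).hostname
            if host not in KNOWN_GOOD_HOSTS:
                findings.append((code, "suspect", f"ActiveX download from unknown host {host}"))
    return findings


if __name__ == "__main__":
    for code, verdict, reason in triage(SAMPLE_LOG):
        print(f"{code:<4}{verdict:<8}{reason}")
```

On the sample above the script flags the myfunstart start page, the orphaned URLSearchHook, ddheml.dll and mseclk.dll, the msgdmf.exe Run value and the x0ff.cab download, and leaves the Acrobat helper, vptray and the Flash CAB alone, which is the same set Derek picked out by hand. The allow-lists are the weak point: a legitimate program whose CLSID is not in them will show as "suspect", which is exactly why the post sends you to the sysinfo.org lists before you fix anything in HJT.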
     
  9. pileyrei

    pileyrei Thread Starter

    Joined:
    Sep 16, 2003
    Messages:
    594
    My goodness what a great reply Derek!

    Thank you very much for your efforts, greatly appreciated!

    Merry Christmas to you!

    Regards

    Pileyrei
     
Short URL to this thread: https://techguy.org/188021

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice