
Could someone please check out this hijackthis log?

Discussion in 'Virus & Other Malware Removal' started by The Echidna, Jul 14, 2003.

Thread Status:
Not open for further replies.
  1. The Echidna

    The Echidna Thread Starter

    Joined:
    Jul 13, 2003
    Messages:
    5
    I'm having a bunch of comp issues and I don't understand most of what's in here.

    Also, the HijackThis log is saving as a file instead of a text document. It saved as a text document the first time but not the last time I scanned.

    BTW, HijackThis is a great program I'd never have known about if I didn't see this board. Thanks!

    Logfile of HijackThis v1.95.0
    Scan saved at 1:52:31 PM, on 7/14/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\PackethSvc.exe
    C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe
    C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\WINDOWS\System32\hphmon04.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\Compaq\EAKDRV\EAUSBKBD.EXE
    C:\PROGRA~1\AIM\aim.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\SBC\Connection Manager\CManager.exe
    C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
    C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    c:\Program Files\Microsoft Money\System\urlmap.exe
    C:\Documents and Settings\Platypus\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Microsoft Internet Explorer provided by Compaq
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
    O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
    O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
    O4 - HKLM\..\Run: [NAV CfgWiz] c:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
    O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
    O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [tgcmdprovidersbc] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
    O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
    O9 - Extra button: Yahoo! Login (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
     
  2. brendandonhu

    brendandonhu

    Joined:
    Jul 8, 2002
    Messages:
    14,681
    These two can be removed
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [tgcmdprovidersbc] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
    but that's about it. Any specific problems you're having?
     
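A worked example added here, not code from the thread, from HijackThis or from Tech Support Guy: a small Python parser for the v1.95 log lines posted above. It maps each R/O entry to the registry key or folder the entry lives in and emits the reg.exe deletions equivalent to "fixing" the two O4 entries brendandonhu flagged. The sample log is a constructed subset of lines copied from the first post; the registry-key mapping is the standard Windows autostart locations for those sections, and sections the parser does not handle (O9, O12, O14) are returned with location "?".

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of lines copied from the HijackThis v1.95.0 log in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.95.0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
"""

# Standard Windows locations behind each HijackThis section (HKLM\..\Run is shorthand
# for HKLM\Software\Microsoft\Windows\CurrentVersion\Run, and so on).
CURRENT_VERSION = r"Software\Microsoft\Windows\CurrentVersion"
BHO_KEY = CURRENT_VERSION + r"\Explorer\Browser Helper Objects"
TOOLBAR_KEY = r"HKLM\Software\Microsoft\Internet Explorer\Toolbar"
DPF_KEY = r"HKLM\Software\Microsoft\Code Store Database\Distribution Units"


@dataclass
class Entry:
    kind: str      # HijackThis section tag: R0, R1, O2, O3, O4, O16, ...
    name: str      # registry value name, CLSID or .lnk name, as applicable
    target: str    # command line, DLL path or URL the entry points at
    location: str  # registry key or folder the entry lives in ("?" if unmapped)
    raw: str       # the original log line


_LINE = re.compile(r"^\s*([RO]\d+)\s+-\s+(.*?)\s*$")
_O4_REG = re.compile(r"^(HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]+)\]\s*(.*)$")
_O4_STARTUP = re.compile(r"^(Global Startup|Startup): (.+?) = (.*)$")
_CLSID_ITEM = re.compile(r"^(BHO|Toolbar): (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
_DPF = re.compile(r"^DPF: (\{[0-9A-Fa-f-]+\}) \((.*?)\) - (.*)$")


def parse_entry(line):
    """Return an Entry for one HijackThis line, or None for header/process lines."""
    m = _LINE.match(line)
    if not m:
        return None
    kind, detail = m.groups()

    if kind in ("R0", "R1"):
        # R0/R1 look like "<key>,<value name>=<data>"; split on the first comma only,
        # since URLs and paths in the data may themselves contain commas.
        key, _, rest = detail.partition(",")
        value, _, data = rest.partition("=")
        return Entry(kind, value, data, key, line)

    if kind == "O4":
        r = _O4_REG.match(detail)
        if r:
            hive, subkey, name, cmd = r.groups()
            return Entry(kind, name, cmd, f"{hive}\\{CURRENT_VERSION}\\{subkey}", line)
        s = _O4_STARTUP.match(detail)
        if s:
            scope, lnk, cmd = s.groups()
            folder = "All Users Startup folder" if scope.startswith("Global") else "current user's Startup folder"
            return Entry(kind, lnk, cmd, folder, line)

    if kind in ("O2", "O3"):
        c = _CLSID_ITEM.match(detail)
        if c:
            _, _friendly, clsid, path = c.groups()
            loc = f"HKLM\\{BHO_KEY}\\{clsid}" if kind == "O2" else f"{TOOLBAR_KEY} (value {clsid})"
            return Entry(kind, clsid, path, loc, line)

    if kind == "O16":
        d = _DPF.match(detail)
        if d:
            clsid, _friendly, url = d.groups()
            return Entry(kind, clsid, url, f"{DPF_KEY}\\{clsid}", line)

    return Entry(kind, "", detail, "?", line)


def parse_log(text):
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]


def removal_commands(entries, value_names):
    """reg.exe commands that delete the registry-backed O4 Run values in value_names.
    Like HijackThis's "Fix checked", this removes only the autostart value; the
    executable it pointed at stays on disk."""
    return [
        f'reg delete "{e.location}" /v "{e.name}" /f'
        for e in entries
        if e.kind == "O4" and e.name in value_names and e.location.startswith("HK")
    ]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in entries:
        print(f"{e.kind:<3} {e.location}  ->  {e.name!r} = {e.target}")
    print("\n".join(removal_commands(entries, {"BJCFD", "tgcmdprovidersbc"})))
```

Running the block prints one line per entry with the resolved key, then the two `reg delete` lines for the BJCFD and tgcmdprovidersbc values. Note that the `O4 - Startup:` entry is a shortcut in the user's Startup folder, not a registry value, so `removal_commands` deliberately skips it.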
  3. The Echidna

    The Echidna Thread Starter

    Joined:
    Jul 13, 2003
    Messages:
    5
    For the record, the computer infected is a Compaq Presario 6000 running Windows XP Home Edition.

    Date: 6/9/2003 Time 0:09:58, Guest on Yazaki2003
    The file
    C:\compaq\broadband\cconman.eml
    is infected with the w32 Nimda.enc virus
    Access to the File was denied.

    That's what it said on June 9th, after running Norton AntiVirus.

    After that my brother did a bunch of things to the computer and then we ran the virus checker again and it didn't show up ever again.

    We knew it was still there because Ad-Aware CONSTANTLY informed us that something was trying to change our registry (something like HKEY_LOCAL_MACHINE and a bunch of other things). When we clicked Block it wouldn't do anything, so we had to restart the computer because we didn't want to see what happened when we clicked Accept. When clicking Block did work, another window with the same message would pop up again immediately, several times.

    We downloaded the Removal Tool from Symantec and it had an error every time we ran it and it had to close.

    We also had those messenger popups.

    After a while everything slowed down and things weren't working properly. When you right-clicked, the window that has the options was transparent and you had to scroll over it to make things appear.

    Then we formatted with the recovery disks (full format). Nimda doesn't get caught by the virus scanner, but Alexa is trying to change the registry, and something is still there that we never saw before things started acting up: DDCMAN.EXE.

    It still acts up a lot. For example, when we log online and I click the sound control, it says there's no mixer device or something.

    When we get online, AIM and YIM start up automatically AND when we close them they open back up again in a few minutes (only with the ones with saved passwords).

    Pages freeze a lot and don't let me log into certain websites, GameFAQs for example. When I log in it says I'm logged in and to click somewhere to get to the topic page. I click there and it's as if I never logged in. It says I can't view webpages when I'm offline and wants me to put my password into the DSL window that briefly pops up sometimes when you first click on the DSL shortcut to log in. The thing is, it says I can't view them when I AM VIEWING THEM AND I'M LOGGED IN! Grrrrr.

    When Windows shuts down there is a DDC.EXE error.

    After a while, even if nothing is running (but still online), the hourglass will be beside the mouse arrow and flash for a split second then go away. It will do it every few seconds and do it CONSTANTLY! Even if the browser isn't open or AIM or YIM isn't open.

    Some programs don't work: the shortcut to AIM doesn't work on my desktop, and the one on the Internet Explorer bar does work.

    Computer Associates says: CAUTION: Nimda makes irreversible changes to the system. Thus some of the utilities cannot restore settings to their original state (as before the infection) but will make brute force changes to the system that may cause unexpected system behavior after running the utilities. It is therefore imperative that users first carefully review the readme file included with the Nimda System Recovery Utilities.

    Does that mean that Nimda can NEVER be removed from a hard drive, no matter if you format or not? Does it write itself to the motherboard/BIOS/boot sector (I don't know what that last one is) or whatever? How does a virus stay around even after formatting? Is it possible to OBLITERATE Nimda from the system without a trace? I read somewhere that it can put incriminating stuff on your hard drive. If it did that, how would I find the bad stuff it put on here? If it did do that, and we were to take the computer in somewhere to get serviced, would we get into trouble? Even if we format to get rid of what they put on the computer, will they still see it and have us get into trouble?

    When I try to log into SBC Global DSL, I get errors like the phone line is busy (WTF?)

    IP problems or something.
     
  4. The Echidna

    The Echidna Thread Starter

    Joined:
    Jul 13, 2003
    Messages:
    5
    Also, at shutdown, there's always a problem with tfswctrl.exe or something.
     
  5. TEG Reborn

    TEG Reborn

    Joined:
    Jul 27, 2003
    Messages:
    38
    Seeing as the first poster is my sister, I have the same problems as she does. Only now deadAIM doesn't seem to allow clone IM, and the icon on the desktop for AIM doesn't work; we have to open IE and use the icon in there. After formatting the hard drive with the system restore disks and downloading AIM again, we still have the same problem.

    If we were to get a new OS and harddrive, would we still be having these problems?
     
  6. TEG Reborn

    TEG Reborn

    Joined:
    Jul 27, 2003
    Messages:
    38
    ALSO! There is a problem with Norton AntiVirus: after we register it, it seems to go back to being unregistered, and we can't get Norton working. And when we start the computer and go into one of our screen names, it says email protection cannot work or something due to the fact that the options file is corrupted or missing.

    The computer acts up RIGHT AFTER we format it... -_-
     

Short URL to this thread: https://techguy.org/146857
