1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

hijack this log

Discussion in 'Virus & Other Malware Removal' started by ciscogal, Oct 5, 2003.

Thread Status:
Not open for further replies.
Advertisement
  1. ciscogal

    ciscogal Thread Starter

    Joined:
    Oct 5, 2003
    Messages:
    9
    Posting Hijack this log for you much appreciated assistance.
    Running XP Home on Dell Dimension 8100 Pent 4 1.3 GHZ

    Trying to help friend with slow performance and constant popups.

    It looks as though she has numerous spyware etc.

    During my research was able to find most of her startup items except a few.

    wad.exe
    NBPWDKR
    Xpsrve
    syscm
    BIPW
    KLI
    GJMQT.exe

    Ran adaware and Spybot
    After which I scanned with Hijack this and received following:
    Logfile of HijackThis v1.97.2
    Scan saved at 7:25:20 PM, on 10/5/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\WINDOWS\System32\hphmon04.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.yahoo.com/config/login?.partner=sbc&.done=http://sbc.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;www.prodigy.net;enroll.prodigy.net;enroll-isp.prodigy.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
    O1 - Hosts: 207.44.240.65 rad.msn.com
    O1 - Hosts: 216.93.174.28 view.atdmt.com
    O2 - BHO: (no name) - {000000DA-0786-4633-87C6-1AA7A4429EF1} - C:\WINDOWS\System32\emesx.dlltmp
    O2 - BHO: (no name) - {000000F1-34E3-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\FOne.dll
    O2 - BHO: (no name) - {00000273-8230-4DD4-BE4F-6889D1E74167} - (no file)
    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
    O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\aess2.dll
    O2 - BHO: (no name) - {00A0A40C-F432-4C59-BA11-B25D142C7AB7} - c:\PROGRA~1\CLIENT~1\run\2IN188~1.DLL
    O2 - BHO: (no name) - {02478D28-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_0_2_6.dll
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {0A5CF411-F0BF-4AF8-A2A4-8233F3109BED} - C:\PROGRA~1\SEARCH~1\stoolbar.dll
    O2 - BHO: (no name) - {0DDBB570-0396-44C9-986A-8F6F61A51C2F} - C:\WINDOWS\System32\msiefr40.dll
    O2 - BHO: (no name) - {166348F1-2C41-4C9F-86BB-EB2B8ADE030C} - c:\program files\clientman\run\msvrfy856c4943.dll
    O2 - BHO: (no name) - {1D870C86-AA3C-4451-81E4-71D480A1A652} - C:\WINDOWS\System32\SbSrch_V22.dll
    O2 - BHO: (no name) - {25F7FA20-3FC3-11D7-B487-00D05990014C} - c:\PROGRA~1\CLIENT~1\run\TRACKU~1.DLL
    O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C2-5297EF71F44A} - C:\WINDOWS\System32\stlbupdt.DLL
    O2 - BHO: (no name) - {31995C64-CB4D-483E-82C2-CCFFE2F66CAB} - C:\WINDOWS\System32\msvcn.dll
    O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\System32\btiein.dll
    O2 - BHO: (no name) - {7DD896A9-7AEB-430F-955B-CD125604FDCB} - (no file)
    O2 - BHO: (no name) - {80672997-D58C-4190-9843-C6C61AF8FE97} - C:\WINDOWS\rundll16.dll
    O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
    O2 - BHO: (no name) - {96BE1D9A-9E54-4344-A27A-37C088D64FB4} - c:\program files\clientman\run\dnsrepadad2562.dll
    O2 - BHO: (no name) - {A097840A-61F8-4B89-8693-F68F641CC838} - c:\program files\clientman\run\urlclif752de31.dll
    O2 - BHO: (no name) - {CC916B4B-BE44-4026-A19D-8C74BBD23361} - c:\PROGRA~1\CLIENT~1\run\METAHE~1.DLL
    O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
    O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - c:\PROGRA~1\CLIENT~1\run\TAGGER~1.DLL
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_0_2_6.dll
    O3 - Toolbar: &Search Toolbar - {6A85D97D-665D-4825-8341-9501AD9F56A3} - C:\PROGRA~1\SEARCH~1\stoolbar.dll
    O3 - Toolbar: Updated.Toolbar - {9F6A22E6-1682-4F82-9B72-6314794CB253} - C:\Program Files\Pop Blocker\Updated.dll (file missing)
    O3 - Toolbar: AskCosmo! - {38D2A281-0444-433C-9ED6-A2851795F32A} - C:\Program Files\Cosmo Popup Blocker\TRReaderBar_.dll (file missing)
    O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C2-5297EF71F44B} - C:\WINDOWS\System32\stlbupdt.DLL
    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
    O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    O4 - HKLM\..\Run: [syscm] C:\WINDOWS\System32\Syscm.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe C:\WINDOWS\System32\msiefr40.dll,DllRunServer
    O4 - HKLM\..\Run: [tdos412n] C:\WINDOWS\System32\tdos412n.exe
    O4 - HKLM\..\Run: [rvsvcs] C:\WINDOWS\System32\rvsvcs.exe
    O4 - HKLM\..\Run: [llhostd] C:\WINDOWS\System32\llhostd.exe
    O4 - HKLM\..\Run: [svers32dm] C:\WINDOWS\System32\svers32dm.exe
    O4 - HKLM\..\Run: [hrLk21S] C:\WINDOWS\System32\hrLk21S.exe
    O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
    O4 - HKCU\..\Run: [ClientMan1] C:\Program Files\ClientMan\mscman.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O9 - Extra button: Browser Pal Toolbar (HKLM)
    O9 - Extra button: Yahoo! Login (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AskCosmo! (HKLM)
    O9 - Extra 'Tools' menuitem: AskCosmo! (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: RealGuide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} (F1 Organizer Class) - http://www.netpaloffers.net/NetpalOffers/DMO1/aess2.cab
    O16 - DPF: {10000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/TURB8108/turbo.cab
    O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install.exe
    O16 - DPF: {1D870C86-AA3C-4451-81E4-71D480A1A652} (SubSrch_V2_2.clsIeEnhcdSrch) - http://216.93.172.116/sub2bc.exe
    O16 - DPF: {20000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/TURB8108/payload2.cab
    O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50003/btiein.cab
    O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/FON19108/flash.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {645D793B-33E2-4175-A7E1-BA490839358A} (DNL Control) - http://www.huntfly.com/media/MyFIDNL.ocx
    O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} (nCaseInstaller Class) - http://bis.180solutions.com/ActiveXInstallers/306/nCaseInstaller.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0) -
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37626.8092476852
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
    O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D9EC0A76-03BF-11D4-A509-0090270F86E3} - http://www.spywarelabs.com/ads/1402030731/VBouncerOuter1402030731.exe
    O16 - DPF: {E2F2B9D0-96B9-4B25-B90C-636ECB207D18} - http://www.getweathercast.com/WUInstCAST.cab
    O16 - DPF: {E6D5237D-A6C7-4C83-A67F-F9F15586FA62} (SBFullInst Control) - http://www.spyblast.com/download/SBFull.cab

    Also in registry under HKEY\localmachine\......windows\currentversion\run there are questionable entries:

    etupapis
    opupp
    P2Pnetworking
    rundll32
    ship6w
    slookupn
    Syscm
    ysmons

    She has quite a mess - and if you haven't already guessed a 17 yr old who downloads all kinds of things.

    Also are some of the gambling sites adware?

    Thanks
     
  2. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    You said it. There is an immense amount of spy/advertising wares worms and trojans there.

    For starters, check all these entries in the HijackThis scanlog, close all browser windows and click fix checked.

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx

    R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll

    O1 - Hosts: 207.44.240.65 rad.msn.com
    O1 - Hosts: 216.93.174.28 view.atdmt.com

    O2 - BHO: (no name) - {000000DA-0786-4633-87C6-1AA7A4429EF1} - C:\WINDOWS\System32\emesx.dlltmp
    O2 - BHO: (no name) - {000000F1-34E3-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\FOne.dll
    O2 - BHO: (no name) - {00000273-8230-4DD4-BE4F-6889D1E74167} - (no file)
    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
    O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\aess2.dll
    O2 - BHO: (no name) - {00A0A40C-F432-4C59-BA11-B25D142C7AB7} - c:\PROGRA~1\CLIENT~1\run\2IN188~1.DLL

    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

    O2 - BHO: (no name) - {0A5CF411-F0BF-4AF8-A2A4-8233F3109BED} - C:\PROGRA~1\SEARCH~1\stoolbar.dll
    O2 - BHO: (no name) - {0DDBB570-0396-44C9-986A-8F6F61A51C2F} - C:\WINDOWS\System32\msiefr40.dll
    O2 - BHO: (no name) - {166348F1-2C41-4C9F-86BB-EB2B8ADE030C} - c:\program files\clientman\run\msvrfy856c4943.dll
    O2 - BHO: (no name) - {1D870C86-AA3C-4451-81E4-71D480A1A652} - C:\WINDOWS\System32\SbSrch_V22.dll
    O2 - BHO: (no name) - {25F7FA20-3FC3-11D7-B487-00D05990014C} - c:\PROGRA~1\CLIENT~1\run\TRACKU~1.DLL
    O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C2-5297EF71F44A} - C:\WINDOWS\System32\stlbupdt.DLL
    O2 - BHO: (no name) - {31995C64-CB4D-483E-82C2-CCFFE2F66CAB} - C:\WINDOWS\System32\msvcn.dll
    O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\System32\btiein.dll
    O2 - BHO: (no name) - {7DD896A9-7AEB-430F-955B-CD125604FDCB} - (no file)
    O2 - BHO: (no name) - {80672997-D58C-4190-9843-C6C61AF8FE97} - C:\WINDOWS\rundll16.dll
    O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
    O2 - BHO: (no name) - {96BE1D9A-9E54-4344-A27A-37C088D64FB4} - c:\program files\clientman\run\dnsrepadad2562.dll
    O2 - BHO: (no name) - {A097840A-61F8-4B89-8693-F68F641CC838} - c:\program files\clientman\run\urlclif752de31.dll
    O2 - BHO: (no name) - {CC916B4B-BE44-4026-A19D-8C74BBD23361} - c:\PROGRA~1\CLIENT~1\run\METAHE~1.DLL
    O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
    O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - c:\PROGRA~1\CLIENT~1\run\TAGGER~1.DLL

    O3 - Toolbar: &Search Toolbar - {6A85D97D-665D-4825-8341-9501AD9F56A3} - C:\PROGRA~1\SEARCH~1\stoolbar.dll
    O3 - Toolbar: Updated.Toolbar - {9F6A22E6-1682-4F82-9B72-6314794CB253} - C:\Program Files\Pop Blocker\Updated.dll (file missing)
    O3 - Toolbar: AskCosmo! - {38D2A281-0444-433C-9ED6-A2851795F32A} - C:\Program Files\Cosmo Popup Blocker\TRReaderBar_.dll (file missing)
    O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C2-5297EF71F44B} - C:\WINDOWS\System32\stlbupdt.DLL
    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

    O4 - HKLM\..\Run: [syscm] C:\WINDOWS\System32\Syscm.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

    O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe C:\WINDOWS\System32\msiefr40.dll,DllRunServer
    O4 - HKLM\..\Run: [tdos412n] C:\WINDOWS\System32\tdos412n.exe
    O4 - HKLM\..\Run: [rvsvcs] C:\WINDOWS\System32\rvsvcs.exe
    O4 - HKLM\..\Run: [llhostd] C:\WINDOWS\System32\llhostd.exe
    O4 - HKLM\..\Run: [svers32dm] C:\WINDOWS\System32\svers32dm.exe
    O4 - HKLM\..\Run: [hrLk21S] C:\WINDOWS\System32\hrLk21S.exe
    O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
    O4 - HKCU\..\Run: [ClientMan1] C:\Program Files\ClientMan\mscman.exe

    O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} (F1 Organizer Class) - http://www.netpaloffers.net/NetpalOffers/DMO1/aess2.cab
    O16 - DPF: {10000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com...B8108/turbo.cab
    O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install.exe
    O16 - DPF: {1D870C86-AA3C-4451-81E4-71D480A1A652} (SubSrch_V2_2.clsIeEnhcdSrch) - http://216.93.172.116/sub2bc.exe
    O16 - DPF: {20000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com...08/payload2.cab
    O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50003/btiein.cab
    O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com...19108/flash.cab

    O16 - DPF: {645D793B-33E2-4175-A7E1-BA490839358A} (DNL Control) - http://www.huntfly.com/media/MyFIDNL.ocx
    O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} (nCaseInstaller Class) - http://bis.180solutions.com/ActiveX...seInstaller.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0) -

    Reboot afterwards.

    You will also need to install, UPDATE, and run at least one and preferably both of these applications:

    Spybot Instructions and Download
    Ad-Aware Home Page and Ad-Aware 6: Reference Guide by Winchester73


    If you have to choose just one, I would install and run Ad-aware following Winchester's recommendations. It is probably the more thorough of the two.

    Post another Scanlog when ready. There will probably be some things that remain and may need deleting in Safe Mode.
     
  3. ciscogal

    ciscogal Thread Starter

    Joined:
    Oct 5, 2003
    Messages:
    9
    thanks so much, will follow your suggestions and get back to you.
    I intended to ask you about running adaware or spybot in safe mode. Glad you mentioned it.
    BTW what did the Dormouse say?
    Great Forum!!
     
  4. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    You can run them in Safe Mode. In fact it would be a good idea to get an antivirus program installed and updated and run that in Safe Mode as well.

    AVG is a decent freebee... Grisoft AVG Free Download

    What did the Dormouse say? You can click on that link to see... :)
     
  5. ciscogal

    ciscogal Thread Starter

    Joined:
    Oct 5, 2003
    Messages:
    9
    Thanks so much for your previous directions. Followed your suggestions and am now posting Hjt scanlog.

    Logfile of HijackThis v1.97.2
    Scan saved at 9:51:30 PM, on 10/7/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\WINDOWS\System32\hphmon04.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\WINDOWS\System32\ttriba.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\idimapm.exe
    C:\WINDOWS\System32\soundd.exe
    C:\WINDOWS\System32\DBC32O.exe
    C:\unzipped\hijackthis\HijackThis.exe

    O4 - HKLM\..\Run: [ttriba] C:\WINDOWS\System32\ttriba.exe
    O4 - HKLM\..\Run: [soundd] C:\WINDOWS\System32\soundd.exe
    O4 - HKLM\..\Run: [idimapm] C:\WINDOWS\System32\idimapm.exe
    O4 - HKLM\..\Run: [DBC32O] C:\WINDOWS\System32\DBC32O.exe

    Not sure of the last few items.
    Added items to the ignore list to shorten. Researched thoroughly first, so should be ok.

    Thanks

    I thought that was probably what the Dormouse said. I remember J Airplane from the 70's

    again thanks
     
  6. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    These look like they are going to be trojan files and possibly difficult to remove. Strange they weren't in running processes on the first post.

    First try this. Open Task Manager, identify the processes, and terminate all as quickly as you can (once one is stopped the others can recreate themselves within seconds):

    ttriba.exe
    idimapm.exe
    soundd.exe
    DBC32O.exe

    Have a Command Shell open (start, run cmd ) and type and enter each line:

    del C:\WINDOWS\System32\ttriba.exe
    del C:\WINDOWS\System32\soundd.exe
    del C:\WINDOWS\System32\idimapm.exe
    del C:\WINDOWS\System32\DBC32O.exe

    Run Hijack This and check and "fix":

    O4 - HKLM\..\Run: [ttriba] C:\WINDOWS\System32\ttriba.exe
    O4 - HKLM\..\Run: [soundd] C:\WINDOWS\System32\soundd.exe
    O4 - HKLM\..\Run: [idimapm] C:\WINDOWS\System32\idimapm.exe
    O4 - HKLM\..\Run: [DBC32O] C:\WINDOWS\System32\DBC32O.exe

    Reboot and see if they have remained deleted or mutated into different file names.

    If the latter we will have to try removing them from a Safe Mode Command prompt or you can try a specialized trojan scanner which has been successful with this type of mutating trojan:

    http://forums.techguy.org/showthread.php?postid=1166572#post1166572
     
  7. ciscogal

    ciscogal Thread Starter

    Joined:
    Oct 5, 2003
    Messages:
    9
    One more time.
    What do you think of this log. The previous 4 items did not appear when I logged on as main user. Those may have been when logged on as different user.
    The system runs at least 75% faster and no pop up junk. Thanks so much for your assistance.
    The following log is the current HJT log

    Logfile of HijackThis v1.97.2
    Scan saved at 1:43:14 PM, on 10/8/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\HPHipm11.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\WINDOWS\System32\hphmon04.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\WINDOWS\System32\mdskresd.exe
    C:\WINDOWS\System32\scont.exe
    C:\WINDOWS\System32\magr5i.exe
    C:\WINDOWS\System32\eginir.exe
    C:\unzipped\hijackthis\HijackThis.exe

    O4 - HKLM\..\Run: [mdskresd] C:\WINDOWS\System32\mdskresd.exe
    O4 - HKLM\..\Run: [scont] C:\WINDOWS\System32\scont.exe
    O4 - HKLM\..\Run: [magr5i] C:\WINDOWS\System32\magr5i.exe
    O4 - HKLM\..\Run: [eginir] C:\WINDOWS\System32\eginir.exe

    She is using SBC DSL with a wireless router. Recommended she add security to the wireless and believe it or not she was not running any AV.

    Thanks again
     
  8. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    C:\WINDOWS\System32\mdskresd.exe
    C:\WINDOWS\System32\scont.exe
    C:\WINDOWS\System32\magr5i.exe
    C:\WINDOWS\System32\eginir.exe

    It looks like they are just mutating. Is this happening with every boot, or just when you log on as a different user?

    Did you try terminating and deleting them from a command prompt before rebooting? You may need to run HijackThis after every boot to determine what their current names are.

    You can try booting in Safe Mode, running HijackThis and see if the 04 entries have the same names. You shouldn't see any of them in running processes.

    Whatever the names are delete each one from the system32 folder and check and "fix" the 04 entries in HijackThis
     
  9. socks

    socks

    Joined:
    Oct 9, 2003
    Messages:
    10
    am i where im supose to be?
     
  10. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,192
    First Name:
    Derek
  11. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Hello Socks.........no your not.
    At the very bottom of this page.....hit the "go" tab and you will be in the main lobby of the security forum.
    Hit the "new thread" button[top right]and post your problem in a shiny new thread.

    ;)
     
  12. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/169785

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice