hijack this log

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

ciscogal

Thread Starter
Joined
Oct 5, 2003
Messages
9
Posting Hijack this log for you much appreciated assistance.
Running XP Home on Dell Dimension 8100 Pent 4 1.3 GHZ

Trying to help friend with slow performance and constant popups.

It looks as though she has numerous spyware etc.

During my research was able to find most of her startup items except a few.

wad.exe
NBPWDKR
Xpsrve
syscm
BIPW
KLI
GJMQT.exe

Ran adaware and Spybot
After which I scanned with Hijack this and received following:
Logfile of HijackThis v1.97.2
Scan saved at 7:25:20 PM, on 10/5/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.yahoo.com/config/login?.partner=sbc&.done=http://sbc.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;www.prodigy.net;enroll.prodigy.net;enroll-isp.prodigy.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
O1 - Hosts: 207.44.240.65 rad.msn.com
O1 - Hosts: 216.93.174.28 view.atdmt.com
O2 - BHO: (no name) - {000000DA-0786-4633-87C6-1AA7A4429EF1} - C:\WINDOWS\System32\emesx.dlltmp
O2 - BHO: (no name) - {000000F1-34E3-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\FOne.dll
O2 - BHO: (no name) - {00000273-8230-4DD4-BE4F-6889D1E74167} - (no file)
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\aess2.dll
O2 - BHO: (no name) - {00A0A40C-F432-4C59-BA11-B25D142C7AB7} - c:\PROGRA~1\CLIENT~1\run\2IN188~1.DLL
O2 - BHO: (no name) - {02478D28-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_0_2_6.dll
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {0A5CF411-F0BF-4AF8-A2A4-8233F3109BED} - C:\PROGRA~1\SEARCH~1\stoolbar.dll
O2 - BHO: (no name) - {0DDBB570-0396-44C9-986A-8F6F61A51C2F} - C:\WINDOWS\System32\msiefr40.dll
O2 - BHO: (no name) - {166348F1-2C41-4C9F-86BB-EB2B8ADE030C} - c:\program files\clientman\run\msvrfy856c4943.dll
O2 - BHO: (no name) - {1D870C86-AA3C-4451-81E4-71D480A1A652} - C:\WINDOWS\System32\SbSrch_V22.dll
O2 - BHO: (no name) - {25F7FA20-3FC3-11D7-B487-00D05990014C} - c:\PROGRA~1\CLIENT~1\run\TRACKU~1.DLL
O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C2-5297EF71F44A} - C:\WINDOWS\System32\stlbupdt.DLL
O2 - BHO: (no name) - {31995C64-CB4D-483E-82C2-CCFFE2F66CAB} - C:\WINDOWS\System32\msvcn.dll
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\System32\btiein.dll
O2 - BHO: (no name) - {7DD896A9-7AEB-430F-955B-CD125604FDCB} - (no file)
O2 - BHO: (no name) - {80672997-D58C-4190-9843-C6C61AF8FE97} - C:\WINDOWS\rundll16.dll
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
O2 - BHO: (no name) - {96BE1D9A-9E54-4344-A27A-37C088D64FB4} - c:\program files\clientman\run\dnsrepadad2562.dll
O2 - BHO: (no name) - {A097840A-61F8-4B89-8693-F68F641CC838} - c:\program files\clientman\run\urlclif752de31.dll
O2 - BHO: (no name) - {CC916B4B-BE44-4026-A19D-8C74BBD23361} - c:\PROGRA~1\CLIENT~1\run\METAHE~1.DLL
O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - c:\PROGRA~1\CLIENT~1\run\TAGGER~1.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_0_2_6.dll
O3 - Toolbar: &Search Toolbar - {6A85D97D-665D-4825-8341-9501AD9F56A3} - C:\PROGRA~1\SEARCH~1\stoolbar.dll
O3 - Toolbar: Updated.Toolbar - {9F6A22E6-1682-4F82-9B72-6314794CB253} - C:\Program Files\Pop Blocker\Updated.dll (file missing)
O3 - Toolbar: AskCosmo! - {38D2A281-0444-433C-9ED6-A2851795F32A} - C:\Program Files\Cosmo Popup Blocker\TRReaderBar_.dll (file missing)
O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C2-5297EF71F44B} - C:\WINDOWS\System32\stlbupdt.DLL
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [syscm] C:\WINDOWS\System32\Syscm.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe C:\WINDOWS\System32\msiefr40.dll,DllRunServer
O4 - HKLM\..\Run: [tdos412n] C:\WINDOWS\System32\tdos412n.exe
O4 - HKLM\..\Run: [rvsvcs] C:\WINDOWS\System32\rvsvcs.exe
O4 - HKLM\..\Run: [llhostd] C:\WINDOWS\System32\llhostd.exe
O4 - HKLM\..\Run: [svers32dm] C:\WINDOWS\System32\svers32dm.exe
O4 - HKLM\..\Run: [hrLk21S] C:\WINDOWS\System32\hrLk21S.exe
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
O4 - HKCU\..\Run: [ClientMan1] C:\Program Files\ClientMan\mscman.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Browser Pal Toolbar (HKLM)
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AskCosmo! (HKLM)
O9 - Extra 'Tools' menuitem: AskCosmo! (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: RealGuide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} (F1 Organizer Class) - http://www.netpaloffers.net/NetpalOffers/DMO1/aess2.cab
O16 - DPF: {10000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/TURB8108/turbo.cab
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install.exe
O16 - DPF: {1D870C86-AA3C-4451-81E4-71D480A1A652} (SubSrch_V2_2.clsIeEnhcdSrch) - http://216.93.172.116/sub2bc.exe
O16 - DPF: {20000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/TURB8108/payload2.cab
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50003/btiein.cab
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/FON19108/flash.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {645D793B-33E2-4175-A7E1-BA490839358A} (DNL Control) - http://www.huntfly.com/media/MyFIDNL.ocx
O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} (nCaseInstaller Class) - http://bis.180solutions.com/ActiveXInstallers/306/nCaseInstaller.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37626.8092476852
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D9EC0A76-03BF-11D4-A509-0090270F86E3} - http://www.spywarelabs.com/ads/1402030731/VBouncerOuter1402030731.exe
O16 - DPF: {E2F2B9D0-96B9-4B25-B90C-636ECB207D18} - http://www.getweathercast.com/WUInstCAST.cab
O16 - DPF: {E6D5237D-A6C7-4C83-A67F-F9F15586FA62} (SBFullInst Control) - http://www.spyblast.com/download/SBFull.cab

Also in registry under HKEY\localmachine\......windows\currentversion\run there are questionable entries:

etupapis
opupp
P2Pnetworking
rundll32
ship6w
slookupn
Syscm
ysmons

She has quite a mess - and if you haven't already guessed a 17 yr old who downloads all kinds of things.

Also are some of the gambling sites adware?

Thanks
 
Joined
Dec 9, 2000
Messages
45,855
You said it. There is an immense amount of spy/advertising wares worms and trojans there.

For starters, check all these entries in the HijackThis scanlog, close all browser windows and click fix checked.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx

R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll

O1 - Hosts: 207.44.240.65 rad.msn.com
O1 - Hosts: 216.93.174.28 view.atdmt.com

O2 - BHO: (no name) - {000000DA-0786-4633-87C6-1AA7A4429EF1} - C:\WINDOWS\System32\emesx.dlltmp
O2 - BHO: (no name) - {000000F1-34E3-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\FOne.dll
O2 - BHO: (no name) - {00000273-8230-4DD4-BE4F-6889D1E74167} - (no file)
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\aess2.dll
O2 - BHO: (no name) - {00A0A40C-F432-4C59-BA11-B25D142C7AB7} - c:\PROGRA~1\CLIENT~1\run\2IN188~1.DLL

O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

O2 - BHO: (no name) - {0A5CF411-F0BF-4AF8-A2A4-8233F3109BED} - C:\PROGRA~1\SEARCH~1\stoolbar.dll
O2 - BHO: (no name) - {0DDBB570-0396-44C9-986A-8F6F61A51C2F} - C:\WINDOWS\System32\msiefr40.dll
O2 - BHO: (no name) - {166348F1-2C41-4C9F-86BB-EB2B8ADE030C} - c:\program files\clientman\run\msvrfy856c4943.dll
O2 - BHO: (no name) - {1D870C86-AA3C-4451-81E4-71D480A1A652} - C:\WINDOWS\System32\SbSrch_V22.dll
O2 - BHO: (no name) - {25F7FA20-3FC3-11D7-B487-00D05990014C} - c:\PROGRA~1\CLIENT~1\run\TRACKU~1.DLL
O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C2-5297EF71F44A} - C:\WINDOWS\System32\stlbupdt.DLL
O2 - BHO: (no name) - {31995C64-CB4D-483E-82C2-CCFFE2F66CAB} - C:\WINDOWS\System32\msvcn.dll
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\System32\btiein.dll
O2 - BHO: (no name) - {7DD896A9-7AEB-430F-955B-CD125604FDCB} - (no file)
O2 - BHO: (no name) - {80672997-D58C-4190-9843-C6C61AF8FE97} - C:\WINDOWS\rundll16.dll
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
O2 - BHO: (no name) - {96BE1D9A-9E54-4344-A27A-37C088D64FB4} - c:\program files\clientman\run\dnsrepadad2562.dll
O2 - BHO: (no name) - {A097840A-61F8-4B89-8693-F68F641CC838} - c:\program files\clientman\run\urlclif752de31.dll
O2 - BHO: (no name) - {CC916B4B-BE44-4026-A19D-8C74BBD23361} - c:\PROGRA~1\CLIENT~1\run\METAHE~1.DLL
O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - c:\PROGRA~1\CLIENT~1\run\TAGGER~1.DLL

O3 - Toolbar: &Search Toolbar - {6A85D97D-665D-4825-8341-9501AD9F56A3} - C:\PROGRA~1\SEARCH~1\stoolbar.dll
O3 - Toolbar: Updated.Toolbar - {9F6A22E6-1682-4F82-9B72-6314794CB253} - C:\Program Files\Pop Blocker\Updated.dll (file missing)
O3 - Toolbar: AskCosmo! - {38D2A281-0444-433C-9ED6-A2851795F32A} - C:\Program Files\Cosmo Popup Blocker\TRReaderBar_.dll (file missing)
O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C2-5297EF71F44B} - C:\WINDOWS\System32\stlbupdt.DLL
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

O4 - HKLM\..\Run: [syscm] C:\WINDOWS\System32\Syscm.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe C:\WINDOWS\System32\msiefr40.dll,DllRunServer
O4 - HKLM\..\Run: [tdos412n] C:\WINDOWS\System32\tdos412n.exe
O4 - HKLM\..\Run: [rvsvcs] C:\WINDOWS\System32\rvsvcs.exe
O4 - HKLM\..\Run: [llhostd] C:\WINDOWS\System32\llhostd.exe
O4 - HKLM\..\Run: [svers32dm] C:\WINDOWS\System32\svers32dm.exe
O4 - HKLM\..\Run: [hrLk21S] C:\WINDOWS\System32\hrLk21S.exe
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
O4 - HKCU\..\Run: [ClientMan1] C:\Program Files\ClientMan\mscman.exe

O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} (F1 Organizer Class) - http://www.netpaloffers.net/NetpalOffers/DMO1/aess2.cab
O16 - DPF: {10000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com...B8108/turbo.cab
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install.exe
O16 - DPF: {1D870C86-AA3C-4451-81E4-71D480A1A652} (SubSrch_V2_2.clsIeEnhcdSrch) - http://216.93.172.116/sub2bc.exe
O16 - DPF: {20000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com...08/payload2.cab
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50003/btiein.cab
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com...19108/flash.cab

O16 - DPF: {645D793B-33E2-4175-A7E1-BA490839358A} (DNL Control) - http://www.huntfly.com/media/MyFIDNL.ocx
O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} (nCaseInstaller Class) - http://bis.180solutions.com/ActiveX...seInstaller.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0) -

Reboot afterwards.

You will also need to install, UPDATE, and run at least one and preferably both of these applications:

Spybot Instructions and Download
Ad-Aware Home Page and Ad-Aware 6: Reference Guide by Winchester73


If you have to choose just one, I would install and run Ad-aware following Winchester's recommendations. It is probably the more thorough of the two.

Post another Scanlog when ready. There will probably be some things that remain and may need deleting in Safe Mode.
 

ciscogal

Thread Starter
Joined
Oct 5, 2003
Messages
9
thanks so much, will follow your suggestions and get back to you.
I intended to ask you about running adaware or spybot in safe mode. Glad you mentioned it.
BTW what did the Dormouse say?
Great Forum!!
 
Joined
Dec 9, 2000
Messages
45,855
You can run them in Safe Mode. In fact it would be a good idea to get an antivirus program installed and updated and run that in Safe Mode as well.

AVG is a decent freebee... Grisoft AVG Free Download

What did the Dormouse say? You can click on that link to see... :)
 

ciscogal

Thread Starter
Joined
Oct 5, 2003
Messages
9
Thanks so much for your previous directions. Followed your suggestions and am now posting Hjt scanlog.

Logfile of HijackThis v1.97.2
Scan saved at 9:51:30 PM, on 10/7/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\ttriba.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\idimapm.exe
C:\WINDOWS\System32\soundd.exe
C:\WINDOWS\System32\DBC32O.exe
C:\unzipped\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [ttriba] C:\WINDOWS\System32\ttriba.exe
O4 - HKLM\..\Run: [soundd] C:\WINDOWS\System32\soundd.exe
O4 - HKLM\..\Run: [idimapm] C:\WINDOWS\System32\idimapm.exe
O4 - HKLM\..\Run: [DBC32O] C:\WINDOWS\System32\DBC32O.exe

Not sure of the last few items.
Added items to the ignore list to shorten. Researched thoroughly first, so should be ok.

Thanks

I thought that was probably what the Dormouse said. I remember J Airplane from the 70's

again thanks
 
Joined
Dec 9, 2000
Messages
45,855
These look like they are going to be trojan files and possibly difficult to remove. Strange they weren't in running processes on the first post.

First try this. Open Task Manager, identify the processes, and terminate all as quickly as you can (once one is stopped the others can recreate themselves within seconds):

ttriba.exe
idimapm.exe
soundd.exe
DBC32O.exe

Have a Command Shell open (start, run cmd ) and type and enter each line:

del C:\WINDOWS\System32\ttriba.exe
del C:\WINDOWS\System32\soundd.exe
del C:\WINDOWS\System32\idimapm.exe
del C:\WINDOWS\System32\DBC32O.exe

Run Hijack This and check and "fix":

O4 - HKLM\..\Run: [ttriba] C:\WINDOWS\System32\ttriba.exe
O4 - HKLM\..\Run: [soundd] C:\WINDOWS\System32\soundd.exe
O4 - HKLM\..\Run: [idimapm] C:\WINDOWS\System32\idimapm.exe
O4 - HKLM\..\Run: [DBC32O] C:\WINDOWS\System32\DBC32O.exe

Reboot and see if they have remained deleted or mutated into different file names.

If the latter we will have to try removing them from a Safe Mode Command prompt or you can try a specialized trojan scanner which has been successful with this type of mutating trojan:

http://forums.techguy.org/showthread.php?postid=1166572#post1166572
 

ciscogal

Thread Starter
Joined
Oct 5, 2003
Messages
9
One more time.
What do you think of this log. The previous 4 items did not appear when I logged on as main user. Those may have been when logged on as different user.
The system runs at least 75% faster and no pop up junk. Thanks so much for your assistance.
The following log is the current HJT log

Logfile of HijackThis v1.97.2
Scan saved at 1:43:14 PM, on 10/8/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\mdskresd.exe
C:\WINDOWS\System32\scont.exe
C:\WINDOWS\System32\magr5i.exe
C:\WINDOWS\System32\eginir.exe
C:\unzipped\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [mdskresd] C:\WINDOWS\System32\mdskresd.exe
O4 - HKLM\..\Run: [scont] C:\WINDOWS\System32\scont.exe
O4 - HKLM\..\Run: [magr5i] C:\WINDOWS\System32\magr5i.exe
O4 - HKLM\..\Run: [eginir] C:\WINDOWS\System32\eginir.exe

She is using SBC DSL with a wireless router. Recommended she add security to the wireless and believe it or not she was not running any AV.

Thanks again
 
Joined
Dec 9, 2000
Messages
45,855
C:\WINDOWS\System32\mdskresd.exe
C:\WINDOWS\System32\scont.exe
C:\WINDOWS\System32\magr5i.exe
C:\WINDOWS\System32\eginir.exe

It looks like they are just mutating. Is this happening with every boot, or just when you log on as a different user?

Did you try terminating and deleting them from a command prompt before rebooting? You may need to run HijackThis after every boot to determine what their current names are.

You can try booting in Safe Mode, running HijackThis and see if the 04 entries have the same names. You shouldn't see any of them in running processes.

Whatever the names are delete each one from the system32 folder and check and "fix" the 04 entries in HijackThis
 
Joined
Oct 9, 2001
Messages
9,396
Originally posted by socks:
am i where im supose to be?
Hello Socks.........no your not.
At the very bottom of this page.....hit the "go" tab and you will be in the main lobby of the security forum.
Hit the "new thread" button[top right]and post your problem in a shiny new thread.

;)
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Top