1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

HijackThis Log

Discussion in 'Virus & Other Malware Removal' started by Damonc, Sep 20, 2003.

Thread Status:
Not open for further replies.
Advertisement
  1. Damonc

    Damonc Thread Starter

    Joined:
    May 9, 2001
    Messages:
    644
    Hi, Can someone tell me what needs to be removed from this log if anything..


    Logfile of HijackThis v1.97.2
    Scan saved at 9:01:51 AM, on 21/09/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    C:\program files\primesoft\aswnk\aswnk.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\Program Files\BackWeb\BackWeb\Program\backweb.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\Ulead Systems\Ulead PhotoImpact\Abmtsr.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\PhotoImpact SE\PI3LOAD.EXE
    c:\Program Files\Microsoft Office\Office\1033\msoffice.exe
    C:\PROGRAM FILES\BACKWEB\BACKWEB\PROGRAM\FREXT.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Paul Zielinski\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.findwhatevernow.com/searchband2/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/p/hp/au/?http://search.yahoo.com.au/search/aunz/options
    O1 - Hosts: 216.177.73.139 auto.search.msn.com
    O1 - Hosts: 216.177.73.139 search.netscape.com
    O1 - Hosts: 216.177.73.139 ieautosearch
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - __C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (file missing)
    O2 - BHO: (no name) - {44A23DAB-8D31-43AE-9F68-5AC24CF7CE8C} - C:\WINDOWS\System32\msinfosys.dll
    O2 - BHO: Natural Language Navigation - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - __C:\WINDOWS\SYSTEM32\BHO001.DLL (file missing)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - __C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
    O3 - Toolbar: PrimeSoft - {44A23DAB-8D31-43AE-9F68-5AC24CF7CE8C} - C:\WINDOWS\System32\msinfosys.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
    O4 - HKLM\..\Run: [ASWnk] c:\program files\primesoft\aswnk\aswnk.exe /noconnect
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - Startup: Ulead Quick Access.lnk = C:\Program Files\PhotoImpact SE\PI3LOAD.EXE
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\BackWeb\BackWeb\Program\backweb.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Ulead Quick Access.lnk = C:\Program Files\PhotoImpact SE\PI3LOAD.EXE
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Album Fast Start.lnk = C:\Program Files\Ulead Systems\Ulead PhotoImpact\ABMTSR.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .mdx: C:\Program Files\Internet Explorer\PLUGINS\NPMDXJF.DLL
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {11818680-FCF6-11D0-9808-0800092A4865} (FormFlow Form Control) - http://www.ato.gov.au/formflow/codebase/FormCtl.cab
    O16 - DPF: {224F7DEA-B7C1-11D3-AB40-00902712A5C9} (PLSAddin Class) - http://www.ato.gov.au/formflow/codebase/plsspeller.cab
    O16 - DPF: {2646205B-878C-11D1-B07C-0000C040BCDB} (NSIEMisc Class) - file://M:\HD\nskey.dll
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {5A3C6507-730A-43B2-8EAC-4C430F2EF35E} (PortfolioManager Class) - https://portfoliomanager.westpac.com.au/portfoliomanager/portfoliomanager.cab
    O16 - DPF: {85D6F6C3-97FE-11D1-86CC-080009B6ACE6} (JetForm Image Filter (TIF)) - http://www.ato.gov.au/formflow/codebase/imagetif.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37735.6986342593
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} (loader Class) - http://dload.ipbill.com/del/loader.exe
    O16 - DPF: {CDDCFBB3-4D93-11D2-B1A9-00A0C9B742BE} (FormFlowScriptObject Class) - http://www.ato.gov.au/formflow/codebase/scriptobject.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DA9A0B1E-9B7B-11D3-B8A4-00C04F79641C} (NSUpdateLiteCtrl Class) - http://204.177.92.201/quickdl/proclaim/NSupd9x.cab
    O16 - DPF: {E8EDB60C-951E-4130-93DC-FAF1AD25F8E7} (MoneyTree Dialer) - http://cdn.mtree.com/mt/dialers/fc/UniDist.CAB
    O16 - DPF: {EF2FB80F-0975-408E-A871-B00CC863478A} (FormFlow Soft Font Installer) - http://www.ato.gov.au/formflow/codebase/fontinstaller.cab
     
  2. Topkat

    Topkat

    Joined:
    Aug 10, 2003
    Messages:
    401
    Hi Damon, there are plenty of baddies that I can see. You can use the following programs to clear them yourself and help keep them away. First I would recommend that you goto http://www.lavasoftusa.com/software/adaware/ and download Adaware 6

    Install the program and launch it.

    I strongly recommend that you read the help file to familiarize yourself with the program.

    Before running the scan look at the top of the main window and you will see a Gear Icon. This is where you configure the settings. Click on that and then in the next window that pops up click on the "Scanning" tab on the left side. Under "Drives and Folders" put a check by "Scan within archives" and below that under "Memory and Registry" put a check by all the options there.
    The click on the "Tweak" tab and under "Scanning engine" put a check by "Unload recognized processes during scanning" ...........then......under "Cleaning engine" put a ckeck by "Automatically try to unregister objects prior to deletion" and "Let windows remove files in use at next reboot" then click "Proceed"

    Next in the main window look in the bottom right corner and click on "Check for updates now" and get the latest referencefiles.
    After getting the latest referencefiles you are ready to scan.

    Click "Start" and in the next window make sure "Active in depth scanning" is checked then click "Next" and the scan will begin.

    When it is finished let it fix everything it finds.

    Restart your computer.

    Then go here http://spybot.eon.net.au/index.php?...p;page=download and download Spybot.

    Install the program and launch it.

    Before scanning press "Online" and "Search for Updates" .

    Put a check mark at and install all updates.

    Click "Check for Problems" and when the scan is finished let Spybot fix/remove all it finds.

    Restart your computer.

    Be sure and take advantage of the "Immunize" feature in Spybot.

    Finally go here http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051 for info on how this happens and how to prevent future attacks.
    On this page you will find a link to Javacool's SpywareBlaster. Get it and check for updates frequently.
    The Immunize feature in Spybot used in conjunction with SpywareBlaster and weekly scans with Spybot and Adaware will go a long way toward keeping you spyware free.

    IMPORTANT!: Alwayds check for updated detections and referencefiles before scanning with Spybot and Adaware.

    When you have finished doing all that post another log up here, and if there's anything left we'll be happy to help you remove it.
     
  3. Topkat

    Topkat

    Joined:
    Aug 10, 2003
    Messages:
    401
    Run Hijack This again and put a check by these. Close all browser windows and "Fix checked"

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.findwhatevernow.com/searchband2/
    O1 - Hosts: 216.177.73.139 auto.search.msn.com
    O1 - Hosts: 216.177.73.139 search.netscape.com
    O1 - Hosts: 216.177.73.139 ieautosearch

    O2 - BHO: (no name) - {44A23DAB-8D31-43AE-9F68-5AC24CF7CE8C} - C:\WINDOWS\System32\msinfosys.dll

    O2 - BHO: Natural Language Navigation - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - __C:\WINDOWS\SYSTEM32\BHO001.DLL (file missing)

    O3 - Toolbar: PrimeSoft - {44A23DAB-8D31-43AE-9F68-5AC24CF7CE8C} - C:\WINDOWS\System32\msinfosys.dll

    O4 - HKLM\..\Run: [ASWnk] c:\program files\primesoft\aswnk\aswnk.exe /noconnect

    O16 - DPF: {E8EDB60C-951E-4130-93DC-FAF1AD25F8E7} (MoneyTree Dialer) - http://cdn.mtree.com/mt/dialers/fc/UniDist.CAB
    O16 - DPF: {DA9A0B1E-9B7B-11D3-B8A4-00C04F79641C} (NSUpdateLiteCtrl Class) - http://204.177.92.201/quickdl/proclaim/NSupd9x.cab
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} (loader Class) - http://dload.ipbill.com/del/loader.exe

    Then reboot in safe mode (press F8 repeatedly on start-up) and delete (in bold):

    c:\program files\primesoft\aswnk\aswnk.exe

    C:\WINDOWS\SYSTEM32\BHO001.DLL

    C:\WINDOWS\System32\msinfosys.dll
     
  4. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    A few remarks on that:

    As for the first item, it's quite OK to delete the entire Primesoft folder in Program Files, not just the file itself.

    Also, Hijack This will effectively unregister AND delete the dll when you have it fix a BHO, so the second two will probably not be there any more.
     
As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/166259

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice