[Solved] Questionnable HijackThis Log

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

4freebird

Thread Starter
Joined
Aug 4, 2002
Messages
67
I'm not certain if this is the appropriate area, but my computer has been acting up lately - sometime's refusing to shut a program down, sometimes not responding to the keyboard until I reboot, slow surfing speed, etc. Although there may be other causes for these problems, can someone review my HijackThis log and tell me if there any extraneous or questionnable lines? For any help, thanks in advance.

Logfile of HijackThis v1.97.7
Scan saved at 7:18:46 PM, on 4/4/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\htpatch.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\PROPEL~1\PropelAC.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Aladdin Systems\iClean\iClean.exe
C:\Program Files\Insight Development\Net Knowledge Tools\Common\iSchedule-it.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\3web\system\launcher.exe
C:\Program Files\3web\system\cydial95.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hkcu
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.opt-in-pays.com/click-home.php?id=78042
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HTpatch] C:\WINNT\htpatch.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Propel Accelerator] C:\PROGRA~1\PROPEL~1\PropelAC.exe
O4 - HKLM\..\Run: [NewsletterReader] C:\Program Files\Newsletter Reader\newstray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [iClean] "C:\Program Files\Aladdin Systems\iClean\iClean.exe" /I
O4 - Global Startup: iSchedule-it.lnk = C:\Program Files\Insight Development\Net Knowledge Tools\Common\iSchedule-it.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Capture Links - C:\Program Files\Insight Development\Net Knowledge Tools\common\MenuExtCaptureLinks.js
O8 - Extra context menu item: Capture Page - C:\Program Files\Insight Development\Net Knowledge Tools\common\MenuExtCapturePage.js
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\Propel Accelerator\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\Propel Accelerator\pac-image.html
O9 - Extra button: Insight NetKnowledge Tools (HKLM)
O9 - Extra button: All (HKLM)
O9 - Extra 'Tools' menuitem: Close ALL IEx's (HKLM)
O9 - Extra button: Others (HKLM)
O9 - Extra 'Tools' menuitem: Close OTHER IEx's (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - http://activex.microsoft.com/activex/controls/WindowsMedia/downloadcontrol.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{108BEB03-2066-4297-B63E-7C8B8AB0C7BD}: NameServer = 209.197.128.2 209.197.128.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{108BEB03-2066-4297-B63E-7C8B8AB0C7BD}: NameServer = 209.197.128.2 209.197.128.5
 
Joined
Mar 28, 2004
Messages
26
This is all i saw...I Donno what it is , i dont use 2000 so dont uncheck it till someone else confirms it

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
119,646
Here is a description of mdm.exe, so it looks legit

mdm - mdm.exe - Process Information
Process File: mdm or mdm.exe
Process Name: Machine Debug Manager
Description: Machine Debug Manager is used for debugging applications by technically advanced users and developers and is installed by the Microsoft Script Editor that is included in Microsoft Office.
Company: Microsoft Corp.
System Process: Yes
Security Risk ( Virus/Trojan/Worm/Adware/Spyware ): No
Common Errors: N/A

You do have spyware in there though, launcher.exe is spyware, so I will request that this thread be moved over to Security for better assistance.

Cookie
 
Joined
Feb 23, 2003
Messages
16,274
Rescan and put a check next to each of these then close all browser windows and click "fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hkcu

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.opt-in-pays.com/click-home.php?id=78042

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm

O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)

O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
 

4freebird

Thread Starter
Joined
Aug 4, 2002
Messages
67
Thanks Mobo - below is my revised log.

Cookiegal, you noted that launcher.exe is spyware. I run Spybot each time I boot up and it has never been identified. How can I get rid of it?

Logfile of HijackThis v1.97.7
Scan saved at 10:49:45 PM, on 4/4/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\htpatch.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\PROPEL~1\PropelAC.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Aladdin Systems\iClean\iClean.exe
C:\Program Files\Insight Development\Net Knowledge Tools\Common\iSchedule-it.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Downloads\HijackThis.exe
C:\Program Files\3web\system\launcher.exe
C:\Program Files\3web\system\cydial95.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HTpatch] C:\WINNT\htpatch.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Propel Accelerator] C:\PROGRA~1\PROPEL~1\PropelAC.exe
O4 - HKLM\..\Run: [NewsletterReader] C:\Program Files\Newsletter Reader\newstray.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [iClean] "C:\Program Files\Aladdin Systems\iClean\iClean.exe" /I
O4 - Global Startup: iSchedule-it.lnk = C:\Program Files\Insight Development\Net Knowledge Tools\Common\iSchedule-it.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Capture Links - C:\Program Files\Insight Development\Net Knowledge Tools\common\MenuExtCaptureLinks.js
O8 - Extra context menu item: Capture Page - C:\Program Files\Insight Development\Net Knowledge Tools\common\MenuExtCapturePage.js
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\Propel Accelerator\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\Propel Accelerator\pac-image.html
O9 - Extra button: Insight NetKnowledge Tools (HKLM)
O9 - Extra button: All (HKLM)
O9 - Extra 'Tools' menuitem: Close ALL IEx's (HKLM)
O9 - Extra button: Others (HKLM)
O9 - Extra 'Tools' menuitem: Close OTHER IEx's (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - http://activex.microsoft.com/activex/controls/WindowsMedia/downloadcontrol.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
 
Joined
Jul 26, 2002
Messages
46,349
You've still got this one:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm

This is a known CWS hijacker.

Click here to download CWShredder. Close all browser windows,UnZip the file, click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do it's thing.

When it is finished restart your computer.

IMPORTANT!: To help prevent this from happening again, I strongly recommend you install the patches for the vulnerabilities that this hijacker exploits.

The simplest way to make sure you have all the security patches is to go to Windows update and install all "Critical Updates and Service Packs"
 
Joined
Oct 9, 2001
Messages
9,396
And the Launcher.exe looks like its part of your 3web mail service.
;)
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
119,646
Hi again,

I just wanted to post what I found on that launcher.exe

WinTasks Process Library

launcher - launcher.exe - Process Information
Process File: launcher or launcher.exe
Process Name: Launcher
Description: Spyware application associated with DownloadWare.
Company: Intercort Systems (DownloadWare)
System Process: No
Security Risk ( Virus/Trojan/Worm/Adware/Spyware ): Yes
Common Errors: N/A

Thanks $teve for pointing out that it's part of 3web mail. I supposed it's a tracking thingy or something so it gets classified as spyware. Same as that backweb thing I got with my Logitech mouse and keyboard, which I deleted.

Cookie
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Members online

Top