re: Worst case of spyware ive seen yet (hijack this log)
Tuesday, April 13, 2004 at 5:54 am
Windows XP Annoyances Discussion Forum
Posted by Kevin
(2497 messages posted)
Get rid of Kazaa, then download, update and run Spybot and Ad-Aware.
On Tuesday, April 13, 2004 at 3:04 am, Binary01 wrote:
>I had a young friend tell me of a problem with popups and homepage resets etc, and
>i recommended Hijack This after having success myself. She really doesnt know a
lot
>about computers, and had no idea that hers was loaded with spamware.
>
>I know the common reg keys and files, but honestly ive never seen so many foreign
>files in a registry.
>Another person running winxp that i know has the same problem, same files etc.
>It seems that ive avoided some hassles by not updating to xp.
>
>If someone could take the time to look over this log and get back to me with what
>to remove, I can relay it to her, and have her scan again, then repost.
>
>Thank you in advance,
>Chris.
>
>
>Logfile of HijackThis v1.97.7
>Scan saved at 7:38:26 PM, on 13/04/2004
>Platform: Windows XP SP1 (WinNT 5.01.2600)
>MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
>
>Running processes:
>C:\WINDOWS\System32\smss.exe
>C:\WINDOWS\system32\winlogon.exe
>C:\WINDOWS\system32\services.exe
>C:\WINDOWS\system32\lsass.exe
>C:\WINDOWS\system32\svchost.exe
>C:\WINDOWS\System32\svchost.exe
>C:\WINDOWS\system32\LEXBCES.EXE
>C:\WINDOWS\system32\LEXPPS.EXE
>C:\WINDOWS\system32\spoolsv.exe
>C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
>C:\WINDOWS\System32\nvsvc32.exe
>C:\WINDOWS\Explorer.EXE
>C:\WINDOWS\System32\RunDll32.exe
>C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
>C:\Program Files\Excite\PrvtMsgr\bin\x8IMPipe.exe
>C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
>C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe
>C:\Program Files\Common Files\CMEII\CMESys.exe
>C:\Program Files\ISTsvc\istsvc.exe
>C:\msbb.exe
>C:\docume~1\sarah\locals~1\temp\ZAQ9.exe
>C:\docume~1\sarah\locals~1\temp\iMM.exe
>C:\Program Files\Common files\updater\wupdater.exe
>C:\Program Files\Common Files\GMT\GMT.exe
>C:\Program Files\Messenger\msmsgs.exe
>C:\WINDOWS\System32\rundll32.exe
>C:\Documents and Settings\Sarah\Application Data\mbhc.exe
>C:\WINDOWS\System32\wintsvit.exe
>C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
>C:\Program Files\PrecisionTime\PrecisionTime.exe
>C:\WINDOWS\System32\Oei49.exe
>C:\WINDOWS\System32\NkzAH.exe
>C:\WINDOWS\System32\svchost.exe
>C:\Documents and Settings\Sarah\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe
>
>R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.blazefind.com
>R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blazefind.com/
>R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
>R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
>R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.cometsystems.com/search.php?tmpl=3A
>R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.blazefind.com
>R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
>R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
>R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310}
>- C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
>O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
>O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
>O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat
>6.0\Reader\ActiveX\AcroIEHelper.dll
>O2 - BHO: (no name) - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
>O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
>O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\PROGRA~1\COMMON~1\WinTools\btiein.dll
>O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - (no file)
>O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
>O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\Downloaded
>Program Files\bridge.dll
>O2 - BHO: (no name) - {D14D6793-9B65-11D3-80B6-00500487BDBA} - C:\PROGRA~1\COMETS~1\Platform\Bin\csbho.dll
>O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
>O3 - Toolbar: Starware - {FE6BC4EF-5676-484B-88AE-883323913256} - C:\PROGRA~1\COMETS~1\Platform\Bin\csietb.dll
>O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
>O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
>O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
>O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
>O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
>O4 - HKLM\..\Run: [Excite Private Messenger Pipe] C:\Program Files\Excite\PrvtMsgr\bin\x8IMPipe.exe
>O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
>/AUTOSTART
>O4 - HKLM\..\Run: [KAZAA] "C:\Program Files\Kazaa Lite K++\kpp.exe" "C:\Program
Files\Kazaa
>Lite K++\Kazaa.kpp" /SYSTRAY
>O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
>O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot
>O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
>O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
>O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
>O4 - HKLM\..\Run: [msbb] c:\msbb.exe
>O4 - HKLM\..\Run: [LVCJQ] C:\WINDOWS\LVCJQ.exe
>O4 - HKLM\..\Run: [WZADGJ] C:\WINDOWS\WZADGJ.exe
>O4 - HKLM\..\Run: [BEHKORUX] C:\WINDOWS\BEHKORUX.exe
>O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
>O4 - HKLM\..\Run: [ZAQ9] C:\docume~1\sarah\locals~1\temp\ZAQ9.exe
>O4 - HKLM\..\Run: [iMM] C:\docume~1\sarah\locals~1\temp\iMM.exe
>O4 - HKLM\..\Run: [52P8G@T2HRJ8@L] C:\WINDOWS\System32\Cjo9g.exe
>O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
>O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
>O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
>O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
>O4 - HKCU\..\Run: [Asis] C:\Documents and Settings\Sarah\Application Data\mbhc.exe
>O4 - HKCU\..\Run: [WCPI] C:\WINDOWS\System32\wintsvit.exe
>O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
>O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
>O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
>O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
>O9 - Extra button: Related (HKLM)
>O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
>O9 - Extra button: Messenger (HKLM)
>O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
>O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt1_x.cab
>O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
>O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
>O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Moniker32 Class) - http://63.217.29.115/cax.cab
>O16 - DPF: {086A694F-91FB-4068-B44C-124FB69BF05D} - http://www.searchwww.com/search.cab
>O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
>O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
>O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
>O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
>O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
>O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) -
>http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
>O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://www2.flingstone.com/cab/2000XP/new/bridge.cab
>O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
>O16 - DPF: {E9041F85-3C18-4A7E-A29D-E24F84B79BF1} - http://64.7.220.98/downloads/UGO20.exe
>O16 - DPF: {EF86873F-04C2-4A95-A373-5703C08EFC7B} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
>O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
>O17 - HKLM\System\CCS\Services\Tcpip\..\{08BB1645-9B33-4EA5-A7BF-CAAB29D930BD}:
NameServer
>= 203.173.250.4 203.173.250.2
>O17 - HKLM\System\CS1\Services\Tcpip\..\{08BB1645-9B33-4EA5-A7BF-CAAB29D930BD}:
NameServer
>= 203.173.250.4 203.173.250.2
|
All messages in this thread [show all]
 |  | re: Worst case of spyware ive seen yet (hijack this log) (Kevin: Tue, Apr 13, 2004, 5:54 am) |
| |
| |
| |
Return to the Windows XP Discussion Forum
|
|
