Annoyances.org
re: Worst case of spyware I've seen yet (hijack this log)
Tuesday, April 13, 2004 at 12:34 pm
Windows XP Annoyances Discussion Forum
Posted by Cole (12 messages posted)


Go here: http://www.greatis.com/regrun3appdatabase.htm This is a list of services and processes that should be and should not be running in XP. By the way, XP is much better than earlier versions. These problems are possible across all versions. I work on PCs and have seen this stuff in everything from 95 to XP. You just haven't gone to those sites which download the hijackers. Some of those free download sites are culprits. They do what is called a "drive-by download". Inexperienced users will click on "OK" to windows that pop up and tell them to. Xupiter and Gator are good examples of this. I recommend Spybot S&D. The real one. Not the fake one. The fake one is spyware. The real one is found at http://www.safer-networking.org/index.php?page=download The author is a guy named Kolla.


On Tuesday, April 13, 2004 at 3:04 am, Binary01 wrote:
>I had a young friend tell me of a problem with popups and homepage resets etc, and
>I recommended Hijack This after having success myself. She really doesn't know a lot
>about computers, and had no idea that hers was loaded with spamware.
>
>I know the common reg keys and files, but honestly I've never seen so many foreign
>files in a registry.
>Another person running winxp that I know has the same problem, same files etc.
>It seems that I've avoided some hassles by not updating to xp.
>
>If someone could take the time to look over this log and get back to me with what
>to remove, I can relay it to her, and have her scan again, then repost.
>
>Thank you in advance,
>Chris.
>
>
>Logfile of HijackThis v1.97.7
>Scan saved at 7:38:26 PM, on 13/04/2004
>Platform: Windows XP SP1 (WinNT 5.01.2600)
>MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
>
>Running processes:
>C:\WINDOWS\System32\smss.exe
>C:\WINDOWS\system32\winlogon.exe
>C:\WINDOWS\system32\services.exe
>C:\WINDOWS\system32\lsass.exe
>C:\WINDOWS\system32\svchost.exe
>C:\WINDOWS\System32\svchost.exe
>C:\WINDOWS\system32\LEXBCES.EXE
>C:\WINDOWS\system32\LEXPPS.EXE
>C:\WINDOWS\system32\spoolsv.exe
>C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
>C:\WINDOWS\System32\nvsvc32.exe
>C:\WINDOWS\Explorer.EXE
>C:\WINDOWS\System32\RunDll32.exe
>C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
>C:\Program Files\Excite\PrvtMsgr\bin\x8IMPipe.exe
>C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
>C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe
>C:\Program Files\Common Files\CMEII\CMESys.exe
>C:\Program Files\ISTsvc\istsvc.exe
>C:\msbb.exe
>C:\docume~1\sarah\locals~1\temp\ZAQ9.exe
>C:\docume~1\sarah\locals~1\temp\iMM.exe
>C:\Program Files\Common files\updater\wupdater.exe
>C:\Program Files\Common Files\GMT\GMT.exe
>C:\Program Files\Messenger\msmsgs.exe
>C:\WINDOWS\System32\rundll32.exe
>C:\Documents and Settings\Sarah\Application Data\mbhc.exe
>C:\WINDOWS\System32\wintsvit.exe
>C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
>C:\Program Files\PrecisionTime\PrecisionTime.exe
>C:\WINDOWS\System32\Oei49.exe
>C:\WINDOWS\System32\NkzAH.exe
>C:\WINDOWS\System32\svchost.exe
>C:\Documents and Settings\Sarah\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe
>
>R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.blazefind.com
>R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blazefind.com/
>R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
>R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
>R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.cometsystems.com/search.php?tmpl=3A
>R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.blazefind.com
>R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
>R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
>R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
>O1 - Hosts: 12.129.205.209 search.netscape.com
>O1 - Hosts: 12.129.205.209 sitefinder.verisign.com
>O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
>O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
>O2 - BHO: (no name) - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
>O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
>O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\PROGRA~1\COMMON~1\WinTools\btiein.dll
>O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - (no file)
>O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
>O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\Downloaded Program Files\bridge.dll
>O2 - BHO: (no name) - {D14D6793-9B65-11D3-80B6-00500487BDBA} - C:\PROGRA~1\COMETS~1\Platform\Bin\csbho.dll
>O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
>O3 - Toolbar: Starware - {FE6BC4EF-5676-484B-88AE-883323913256} - C:\PROGRA~1\COMETS~1\Platform\Bin\csietb.dll
>O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
>O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
>O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
>O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
>O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
>O4 - HKLM\..\Run: [Excite Private Messenger Pipe] C:\Program Files\Excite\PrvtMsgr\bin\x8IMPipe.exe
>O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
>O4 - HKLM\..\Run: [KAZAA] "C:\Program Files\Kazaa Lite K++\kpp.exe" "C:\Program Files\Kazaa Lite K++\Kazaa.kpp" /SYSTRAY
>O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
>O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot
>O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
>O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
>O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
>O4 - HKLM\..\Run: [msbb] c:\msbb.exe
>O4 - HKLM\..\Run: [LVCJQ] C:\WINDOWS\LVCJQ.exe
>O4 - HKLM\..\Run: [WZADGJ] C:\WINDOWS\WZADGJ.exe
>O4 - HKLM\..\Run: [BEHKORUX] C:\WINDOWS\BEHKORUX.exe
>O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
>O4 - HKLM\..\Run: [ZAQ9] C:\docume~1\sarah\locals~1\temp\ZAQ9.exe
>O4 - HKLM\..\Run: [iMM] C:\docume~1\sarah\locals~1\temp\iMM.exe
>O4 - HKLM\..\Run: [52P8G@T2HRJ8@L] C:\WINDOWS\System32\Cjo9g.exe
>O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
>O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
>O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
>O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
>O4 - HKCU\..\Run: [Asis] C:\Documents and Settings\Sarah\Application Data\mbhc.exe
>O4 - HKCU\..\Run: [WCPI] C:\WINDOWS\System32\wintsvit.exe
>O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
>O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
>O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
>O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
>O9 - Extra button: Related (HKLM)
>O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
>O9 - Extra button: Messenger (HKLM)
>O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
>O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt1_x.cab
>O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
>O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
>O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Moniker32 Class) - http://63.217.29.115/cax.cab
>O16 - DPF: {086A694F-91FB-4068-B44C-124FB69BF05D} - http://www.searchwww.com/search.cab
>O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
>O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
>O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
>O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
>O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
>O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
>O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://www2.flingstone.com/cab/2000XP/new/bridge.cab
>O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
>O16 - DPF: {E9041F85-3C18-4A7E-A29D-E24F84B79BF1} - http://64.7.220.98/downloads/UGO20.exe
>O16 - DPF: {EF86873F-04C2-4A95-A373-5703C08EFC7B} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
>O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
>O17 - HKLM\System\CCS\Services\Tcpip\..\{08BB1645-9B33-4EA5-A7BF-CAAB29D930BD}: NameServer = 203.173.250.4 203.173.250.2
>O17 - HKLM\System\CS1\Services\Tcpip\..\{08BB1645-9B33-4EA5-A7BF-CAAB29D930BD}: NameServer = 203.173.250.4 203.173.250.2
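The HijackThis log quoted above is a fixed-format text file, so a first pass over it can be scripted before anyone reads it line by line. The script below is an added example written for this thread; it is not code from the thread, from HijackThis, or from any tool Cole mentions. It parses the `Running processes` section and the `R0/R1`, `O1`, `O2`, `O4`, `O16` and `O17` entry types and flags the patterns that stand out in the quoted log: executables launched from a user's temp or Application Data folder or from the drive root, unnamed BHOs loaded from a DLL dropped directly in the Windows folder, hosts-file entries pointing somewhere other than loopback, ActiveX CABs fetched from a bare IP address, a start or search page on a host outside a small list of vendor defaults, and any override of the TCP/IP name servers. The rule thresholds, the allowlist of default hosts, and the sample log (a constructed subset of the lines quoted above, plus two benign Adobe and Nero entries) are my assumptions; a real triage would check the O17 servers against the ISP's and the allowlist against the user's own browser defaults.

```python
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.97 log format: a subset of the log quoted
# in this thread plus two benign entries (NeroCheck, AcroIEHelper), so the script
# runs offline and the rules can be seen discriminating.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe
C:\docume~1\sarah\locals~1\temp\ZAQ9.exe
C:\Documents and Settings\Sarah\Application Data\mbhc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blazefind.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
O1 - Hosts: 12.129.205.209 search.netscape.com
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [msbb] c:\msbb.exe
O4 - HKLM\..\Run: [ZAQ9] C:\docume~1\sarah\locals~1\temp\ZAQ9.exe
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Moniker32 Class) - http://63.217.29.115/cax.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{08BB1645-9B33-4EA5-A7BF-CAAB29D930BD}: NameServer = 203.173.250.4 203.173.250.2
"""

# Every scan entry looks like "<section> - <body>", e.g. "O4 - HKLM\..\Run: [x] path".
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")

# Locations a legitimately installed program almost never runs from (assumed rules).
SUSPICIOUS_PATH_RE = re.compile(
    r"\\locals~1\\temp\\"              # 8.3 form of Local Settings\Temp
    r"|\\local settings\\temp\\"
    r"|\\application data\\[^\\]+\.exe$"  # bare .exe dropped in Application Data
    r"|^c:\\[^\\]+\.exe$",              # .exe dropped in the drive root
    re.I,
)
# A DLL placed directly in the Windows folder (not System32 or a vendor folder).
WINDOWS_ROOT_DLL_RE = re.compile(r"^c:\\windows\\[^\\]+\.dll$", re.I)
# An ActiveX package served from a bare IPv4 address instead of a hostname.
RAW_IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}[/:]", re.I)
# Constructed allowlist of hosts that ship as IE defaults on OEM/Yahoo builds.
KNOWN_DEFAULT_HOSTS = ("microsoft.com", "msn.com", "yahoo.com")


@dataclass
class Finding:
    rule: str
    line: str


def suspicious_path(path: str) -> bool:
    return bool(SUSPICIOUS_PATH_RE.search(path))


def host_is_known_default(url: str) -> bool:
    host = urlparse(url).hostname or ""
    return any(host == d or host.endswith("." + d) for d in KNOWN_DEFAULT_HOSTS)


def triage(log_text: str) -> list:
    """Return the list of log lines that match one of the triage rules above."""
    findings, in_procs = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        if in_procs:
            if suspicious_path(line):
                findings.append(Finding("process-from-temp", line))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1"):
            url = re.search(r"=\s*(\S+)", body)
            if url and not host_is_known_default(url.group(1)):
                findings.append(Finding("browser-default-unknown-host", line))
        elif sec == "O1":
            ip = body.split()[1] if len(body.split()) > 1 else ""
            if ip not in ("127.0.0.1", "::1"):
                findings.append(Finding("hosts-redirect", line))
        elif sec == "O2":
            dll = body.rsplit(" - ", 1)[-1]
            if dll == "(no file)" or WINDOWS_ROOT_DLL_RE.match(dll):
                findings.append(Finding("bho-in-windows-root", line))
        elif sec == "O4":
            path = body.split("] ", 1)[-1]
            if suspicious_path(path):
                findings.append(Finding("run-key-from-temp", line))
        elif sec == "O16":
            if RAW_IP_URL_RE.search(body):
                findings.append(Finding("activex-from-raw-ip", line))
            elif body.lower().endswith(".exe"):
                findings.append(Finding("activex-exe-download", line))
        elif sec == "O17":
            findings.append(Finding("dns-override", line))  # always verify against the ISP
    return findings


def summarize(findings: list) -> dict:
    """Count findings per rule, for a quick overview before reading each line."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against the constructed sample this flags nine lines and leaves the Nero, Adobe, Yahoo and Macromedia entries alone; run against the full quoted log it would also pick up the second `O1` entry, the `(no file)` BHO, and the `.exe` served from `64.7.220.98`. The rules are deliberately conservative (location and source, not file names), so a hit is a prompt to look, not a verdict; the greatis.com process database Cole links to is the kind of reference you would consult for each flagged line.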


Written in response to:
Worst case of spyware I've seen yet (hijack this log) (Binary01: Tuesday, April 13, 2004 at 3:04 am)
