Annoyances.org

re: Worst case of spyware ive seen yet (hijack this log)
Tuesday, April 13, 2004 at 1:08 pm
Windows XP Annoyances Discussion Forum
Posted by jcw (5124 messages posted)


This post is to illustrate the replies of prior posters. A difficulty in working with Hijack This is that it can require interpretation and investigation on what to delete (or not), which can be time-consuming. Running other anti-malware programs first can help weed out some of the malware and thus reduce the time spent on analyzing the Hijack This log and determining what to delete.

Looking at the posted Hijack This log, a user could reasonably have HJT fix-delete the items listed below. But how many of them would have been removed by other anti-malware tools if run first?

First, does the user really want P2P Networking and Kazaa?  If not, delete these 
items:
(in addition to removal of the folder:  C:\Program Files\Kazaa Lite K++ )

C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [KAZAA] "C:\Program Files\Kazaa Lite K++\kpp.exe" "C:\Program Files\Kazaa Lite K++\Kazaa.kpp" /SYSTRAY
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) - 

Delete these items:

C:\Program Files\Common Files\CMEII\CMESys.exe
C:\Program Files\Common files\updater\wupdater.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\WINDOWS\System32\wintsvit.exe
C:\Program Files\PrecisionTime\PrecisionTime.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.blazefind.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blazefind.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.blazefind.com
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
O2 - BHO: (no name) - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\PROGRA~1\COMMON~1\WinTools\btiein.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\Downloaded Program Files\bridge.dll
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKCU\..\Run: [WCPI] C:\WINDOWS\System32\wintsvit.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O16 - DPF: {086A694F-91FB-4068-B44C-124FB69BF05D} - http://www.searchwww.com/search.cab
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://www2.flingstone.com/cab/2000XP/new/bridge.cab
O16 - DPF: {E9041F85-3C18-4A7E-A29D-E24F84B79BF1} - http://64.7.220.98/downloads/UGO20.exe
O16 - DPF: {EF86873F-04C2-4A95-A373-5703C08EFC7B} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab

Unless the user really wants "180Solutions" or "nCASE", delete these items:

C:\msbb.exe
O4 - HKLM\..\Run: [msbb] c:\msbb.exe

Unless the user really wants the comet toolbar etc., delete these items:

C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.cometsystems.com/search.php?tmpl=3A
O2 - BHO: (no name) - {D14D6793-9B65-11D3-80B6-00500487BDBA} - C:\PROGRA~1\COMETS~1\Platform\Bin\csbho.dll
O3 - Toolbar: Starware - {FE6BC4EF-5676-484B-88AE-883323913256} - C:\PROGRA~1\COMETS~1\Platform\Bin\csietb.dll
O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot

The following items look suspicious and would warrant further investigation:

C:\WINDOWS\System32\Oei49.exe
C:\WINDOWS\System32\NkzAH.exe
O4 - HKLM\..\Run: [LVCJQ] C:\WINDOWS\LVCJQ.exe
O4 - HKLM\..\Run: [WZADGJ] C:\WINDOWS\WZADGJ.exe
O4 - HKLM\..\Run: [BEHKORUX] C:\WINDOWS\BEHKORUX.exe
O4 - HKLM\..\Run: [ZAQ9] C:\docume~1\sarah\locals~1\temp\ZAQ9.exe
O4 - HKLM\..\Run: [iMM] C:\docume~1\sarah\locals~1\temp\iMM.exe
O4 - HKLM\..\Run: [52P8G@T2HRJ8@L] C:\WINDOWS\System32\Cjo9g.exe
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Moniker32 Class) - http://63.217.29.115/cax.cab
C:\docume~1\sarah\locals~1\temp\ZAQ9.exe



On Tuesday, April 13, 2004 at 3:04 am, Binary01 wrote:
>I had a young friend tell me of a problem with popups and homepage resets etc, and
>I recommended Hijack This after having success myself. She really doesn't know a lot
>about computers, and had no idea that hers was loaded with spamware.
>
>I know the common reg keys and files, but honestly I've never seen so many foreign
>files in a registry.
>Another person running WinXP that I know has the same problem, same files etc.
>It seems that I've avoided some hassles by not updating to XP.
>
>If someone could take the time to look over this log and get back to me with what
>to remove, I can relay it to her, and have her scan again, then repost.
>
>Thank you in advance,
>Chris.
>
>
>Logfile of HijackThis v1.97.7
>Scan saved at 7:38:26 PM, on 13/04/2004
>Platform: Windows XP SP1 (WinNT 5.01.2600)
>MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
>
>Running processes:
>C:\WINDOWS\System32\smss.exe
>C:\WINDOWS\system32\winlogon.exe
>C:\WINDOWS\system32\services.exe
>C:\WINDOWS\system32\lsass.exe
>C:\WINDOWS\system32\svchost.exe
>C:\WINDOWS\System32\svchost.exe
>C:\WINDOWS\system32\LEXBCES.EXE
>C:\WINDOWS\system32\LEXPPS.EXE
>C:\WINDOWS\system32\spoolsv.exe
>C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
>C:\WINDOWS\System32\nvsvc32.exe
>C:\WINDOWS\Explorer.EXE
>C:\WINDOWS\System32\RunDll32.exe
>C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
>C:\Program Files\Excite\PrvtMsgr\bin\x8IMPipe.exe
>C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
>C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe
>C:\Program Files\Common Files\CMEII\CMESys.exe
>C:\Program Files\ISTsvc\istsvc.exe
>C:\msbb.exe
>C:\docume~1\sarah\locals~1\temp\ZAQ9.exe
>C:\docume~1\sarah\locals~1\temp\iMM.exe
>C:\Program Files\Common files\updater\wupdater.exe
>C:\Program Files\Common Files\GMT\GMT.exe
>C:\Program Files\Messenger\msmsgs.exe
>C:\WINDOWS\System32\rundll32.exe
>C:\Documents and Settings\Sarah\Application Data\mbhc.exe
>C:\WINDOWS\System32\wintsvit.exe
>C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
>C:\Program Files\PrecisionTime\PrecisionTime.exe
>C:\WINDOWS\System32\Oei49.exe
>C:\WINDOWS\System32\NkzAH.exe
>C:\WINDOWS\System32\svchost.exe
>C:\Documents and Settings\Sarah\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe
>
>R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.blazefind.com
>R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blazefind.com/
>R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
>R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
>R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.cometsystems.com/search.php?tmpl=3A
>R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.blazefind.com
>R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
>R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
>R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
>O1 - Hosts: 12.129.205.209 search.netscape.com
>O1 - Hosts: 12.129.205.209 sitefinder.verisign.com
>O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
>O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
>O2 - BHO: (no name) - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
>O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
>O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\PROGRA~1\COMMON~1\WinTools\btiein.dll
>O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - (no file)
>O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
>O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\Downloaded Program Files\bridge.dll
>O2 - BHO: (no name) - {D14D6793-9B65-11D3-80B6-00500487BDBA} - C:\PROGRA~1\COMETS~1\Platform\Bin\csbho.dll
>O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
>O3 - Toolbar: Starware - {FE6BC4EF-5676-484B-88AE-883323913256} - C:\PROGRA~1\COMETS~1\Platform\Bin\csietb.dll
>O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
>O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
>O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
>O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
>O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
>O4 - HKLM\..\Run: [Excite Private Messenger Pipe] C:\Program Files\Excite\PrvtMsgr\bin\x8IMPipe.exe
>O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
>O4 - HKLM\..\Run: [KAZAA] "C:\Program Files\Kazaa Lite K++\kpp.exe" "C:\Program Files\Kazaa Lite K++\Kazaa.kpp" /SYSTRAY
>O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
>O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot
>O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
>O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
>O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
>O4 - HKLM\..\Run: [msbb] c:\msbb.exe
>O4 - HKLM\..\Run: [LVCJQ] C:\WINDOWS\LVCJQ.exe
>O4 - HKLM\..\Run: [WZADGJ] C:\WINDOWS\WZADGJ.exe
>O4 - HKLM\..\Run: [BEHKORUX] C:\WINDOWS\BEHKORUX.exe
>O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
>O4 - HKLM\..\Run: [ZAQ9] C:\docume~1\sarah\locals~1\temp\ZAQ9.exe
>O4 - HKLM\..\Run: [iMM] C:\docume~1\sarah\locals~1\temp\iMM.exe
>O4 - HKLM\..\Run: [52P8G@T2HRJ8@L] C:\WINDOWS\System32\Cjo9g.exe
>O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
>O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
>O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
>O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
>O4 - HKCU\..\Run: [Asis] C:\Documents and Settings\Sarah\Application Data\mbhc.exe
>O4 - HKCU\..\Run: [WCPI] C:\WINDOWS\System32\wintsvit.exe
>O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
>O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
>O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
>O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
>O9 - Extra button: Related (HKLM)
>O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
>O9 - Extra button: Messenger (HKLM)
>O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
>O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt1_x.cab
>O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
>O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
>O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Moniker32 Class) - http://63.217.29.115/cax.cab
>O16 - DPF: {086A694F-91FB-4068-B44C-124FB69BF05D} - http://www.searchwww.com/search.cab
>O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
>O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
>O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
>O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
>O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
>O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
>O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://www2.flingstone.com/cab/2000XP/new/bridge.cab
>O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
>O16 - DPF: {E9041F85-3C18-4A7E-A29D-E24F84B79BF1} - http://64.7.220.98/downloads/UGO20.exe
>O16 - DPF: {EF86873F-04C2-4A95-A373-5703C08EFC7B} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
>O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
>O17 - HKLM\System\CCS\Services\Tcpip\..\{08BB1645-9B33-4EA5-A7BF-CAAB29D930BD}: NameServer = 203.173.250.4 203.173.250.2
>O17 - HKLM\System\CS1\Services\Tcpip\..\{08BB1645-9B33-4EA5-A7BF-CAAB29D930BD}: NameServer = 203.173.250.4 203.173.250.2
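Added example (an editor's addition, not code from this thread, from jcw, or from HijackThis): a small Python triage script that parses the entry lines of a HijackThis log and flags the patterns jcw's reply singles out, namely components this thread identifies as adware, programs auto-started from temp folders, a drive root, the \WINDOWS root or Application Data, orphaned or unnamed browser helpers, ActiveX (O16) downloads from raw IP addresses or of .exe files, hosts-file overrides, and DNS server settings that should be confirmed with the ISP. The KNOWN_UNWANTED substrings, the ALLOWED_HOSTS list and the location/name heuristics are assumptions drawn only from this thread, and SAMPLE_LOG is a constructed excerpt of the log quoted above. The script does not replace the interpretation step jcw describes: every "investigate" and "review" finding still needs a person to check the file's publisher before HJT is told to fix it.

```python
"""HijackThis log triage (added example, not code from the forum post).

Flags the patterns jcw's reply singles out.  KNOWN_UNWANTED, ALLOWED_HOSTS and
the location/name heuristics are assumptions drawn from this thread only.
"""
import re
from urllib.parse import urlparse

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
O4_RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
CLSID_RE = re.compile(r"^(?P<label>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
DPF_RE = re.compile(r"\{[0-9A-Fa-f-]+\}(?: \([^)]*\))? -\s*(?P<url>\S*)$")
# Substrings of components this thread identifies as adware/spyware (assumed list).
KNOWN_UNWANTED = ("p2p networking", "kazaa", "cmesys", "\\gmt\\", "wupdater", "wintsvit",
                  "precisiontime", "blazefind", "incred", "bridge.dll", "msbb", "istsvc",
                  "comets~1", "cometsystems", "xxxtoolbar", "flingstone", "searchwww",
                  "wintools", "\\e2g\\", "browserhelper")
ALLOWED_HOSTS = (".yahoo.com", ".microsoft.com", ".msn.com")   # assumed allow-list
# Launch locations that legitimate auto-start programs rarely use.
ODD_DIRS = (re.compile(r"\\temp\\", re.I),
            re.compile(r"\\application data\\", re.I),
            re.compile(r"^[a-z]:\\[^\\]+\.(?:exe|dll)$", re.I),           # drive root
            re.compile(r"^[a-z]:\\windows\\[^\\]+\.(?:exe|dll)$", re.I))  # \WINDOWS root
ODD_NAME_RE = re.compile(r"[^\w .&!-]")   # e.g. the '@' in a Run value name

def exe_path(cmd):
    """Return the program (or the DLL handed to rundll32) an O4 command line launches."""
    cmd = cmd.strip()
    if cmd.lower().startswith(("rundll32.exe ", "rundll32 ")):
        cmd = cmd.split(" ", 1)[1].strip().split(",", 1)[0]   # drop ",EntryPoint"
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.*?\.(?:exe|dll|cpl))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else (cmd.split() or [""])[0]

def triage(lines):
    """Return (severity, reason, entry) tuples for log entries worth attention."""
    out = []
    for raw in lines:
        line = raw.strip().lstrip(">").strip()          # tolerate forum-quoted copies
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if any(tag in line.lower() for tag in KNOWN_UNWANTED):
            out.append(("delete", "known adware/spyware component", line))
        elif kind == "O4":
            run = O4_RUN_RE.search(body)
            name = run.group("name") if run else ""
            exe = exe_path(run.group("cmd") if run else body.split("=", 1)[-1])
            if any(p.search(exe) for p in ODD_DIRS):
                out.append(("investigate", f"auto-start from unusual location: {exe}", line))
            elif ODD_NAME_RE.search(name):
                out.append(("investigate", f"machine-generated Run value name: {name}", line))
        elif kind in ("O2", "O3", "R3") and (c := CLSID_RE.match(body)):
            path = c.group("path").strip()
            if path == "(no file)":
                out.append(("cleanup", "orphaned entry, module file is missing", line))
            elif any(p.search(path) for p in ODD_DIRS):
                out.append(("investigate", f"browser module in unusual location: {path}", line))
            elif "(no name)" in c.group("label"):
                out.append(("review", f"unnamed browser module, verify the publisher of {path}", line))
        elif kind == "O16" and (d := DPF_RE.search(body)):
            url = d.group("url")
            host = urlparse(url).hostname or ""
            if not url:
                out.append(("review", "ActiveX object with no download URL recorded", line))
            elif host.replace(".", "").isdigit():               # raw IPv4 literal
                out.append(("investigate", f"ActiveX download from raw IP address {host}", line))
            elif url.lower().endswith(".exe"):
                out.append(("investigate", f"ActiveX entry downloads an executable from {host}", line))
        elif kind == "O1":
            out.append(("investigate", "hosts-file override: " + body.split(":", 1)[-1].strip(), line))
        elif kind == "O17" and "NameServer" in body:
            servers = body.split("NameServer", 1)[1].strip(" =")
            out.append(("review", f"DNS servers {servers}; confirm they belong to the ISP", line))
        elif kind in ("R0", "R1") and "=" in body:
            url = body.split("=", 1)[1].strip()
            host = urlparse(url).hostname or ""
            if url and not host.endswith(ALLOWED_HOSTS):
                out.append(("review", f"start/search page points at {host}", line))
    return out

# Constructed excerpt of the log quoted in this thread (not the full log).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [msbb] c:\msbb.exe
O4 - HKLM\..\Run: [LVCJQ] C:\WINDOWS\LVCJQ.exe
O4 - HKLM\..\Run: [ZAQ9] C:\docume~1\sarah\locals~1\temp\ZAQ9.exe
O4 - HKLM\..\Run: [52P8G@T2HRJ8@L] C:\WINDOWS\System32\Cjo9g.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Moniker32 Class) - http://63.217.29.115/cax.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O1 - Hosts: 12.129.205.209 search.netscape.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{08BB1645-9B33-4EA5-A7BF-CAAB29D930BD}: NameServer = 203.173.250.4 203.173.250.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blazefind.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
"""

if __name__ == "__main__":
    for severity, reason, entry in triage(SAMPLE_LOG.splitlines()):
        print(f"{severity:12} {reason}\n             {entry}")
```

On the sample excerpt this yields three "delete", six "investigate", one "cleanup" and one "review" finding, while the legitimate NvCpl.dll, Macromedia Shockwave and Yahoo search-bar entries produce nothing. Lines pasted from a forum post with leading ">" quote marks are accepted as they are, so the quoted log above can be fed in directly. Treat the output as a worklist for the interpretation jcw describes, not as a fix list.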


Written in response to:
Worst case of spyware ive seen yet (hijack this log) (Binary01: Tuesday, April 13, 2004 at 3:04 am)
