Is someone able to read a Hijack This! log?

LostAngeles

Somehow my boyfriend's been suffering from an abundance of spyware, pop-ups, and god knows what else. Ad-aware isn't doing a thing and SpySweeper will pick up Ad-aware's slack, but it keeps having to remove the same things.

If I posted a log tonight, is there anyone who could help us out with this please?
 
LA. I can read the bits about porn site cookies. Go ahead and post it. :D
 
bignickel said:
This site should help with understanding the logs

http://hjt.wizardsofwebsites.com/

Installing the same thing over and over again? What's it installing? Software? Or changing your browser's start page?

He keeps getting the start page changed and this search.exe toolbar crap. Every time we run Spy Sweeper that and LopDotCom crap comes up. I'm giving it another run now, before I do the Hijack This.

(We got kittens tonight so we've been kind of distracted.)
 
It crashed once I posted this... *sigh*

OK, what I've taken out will be bolded.

-------------------------------------------------
Logfile of HijackThis v1.97.7
Scan saved at 11:49:58 PM, on 6/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\CTHELPER.EXE
C:\WINNT\System32\SK9910DM.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\WINNT\System32\mscmgr.exe
C:\Valve\Steam\Steam.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\staA4.exe
C:\PROGRA~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Desktop\HT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search200.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search200.com/searchbar.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: 207.36.196.189 auto.search.msn.com
O1 - Hosts: 207.36.196.189 search.netscape.com
O1 - Hosts: 207.36.196.189 ieautosearch

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O3 - Toolbar: nameeqeggs - {FBA0AC94-F470-BF74-A801-6ABC5261707D} - C:\PROGRA~1\Drvview\FILE OPEN.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [kdx] C:\WINNT\kdx\KHost.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [aim peak] C:\PROGRA~1\PlusBash\Five Keep.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
O4 - HKLM\..\RunOnce: [OOBEDDDemise] cmd /x /c erase C:\WINNT\System32\oobe\msoobe.exe
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {9E6C7461-FE4A-41A9-9D35-7468796CF9E7} (AVXControl Class) - http://threatlevel.pcsecurityshield.com/control/avxnew.dll
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/installs/yab_af.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
 
I just removed the spykiller entry too. A bit of google showed that to be spyware.

Talk about low.
 
Some general points:

Make sure you visit windows update regularly and download all critical patches.

Turn off system restore in XP. Some people like this but I consider it to be a virus safe-haven.

Use something other than Outlook (or Outlook Express) for email. Use an alternative browser to Internet Explorer.
I suggest Eudora, Pocomail, Pegasus for email. I suggest Opera or Firefox for browsing.

Use Spybot Search and Destroy for sweeping.

You have Zonealarm installed, which is good, but I would uninstall ZA and replace it with Agnitum Outpost. Not because it is a better product but because it will examine your traffic "fresh" and force you to review all the rules you have set.

Update your virus scanner and run a full system scan.
 
"Yahweh has requested the information in this post be disregarded"
(there you go Yahweh! tim)
This is what I can make of the Hijack This! log...


The following are spyware:

C:\WINNT\System32\smss.exe (See here for definition.)

C:\WINNT\system32\services.exe (See here for definition.)

C:\WINNT\system32\spoolsv.exe (See here for definition.)

C:\WINNT\system32\rundll32.exe (See here for definition.)


Be aware of files:

C:\WINNT\system32\winlogon.exe (If you find a file called winlogon.exe located anywhere but the System32 directory, then it is spyware. See here for definitions.)

C:\WINNT\system32\lsass.exe (If you see this file figure into msconfig/startup, submit the file to submit@misec.net and ask them if it is spyware.)


I don't know what to make of these files:

C:\WINNT\system32\svchost.exe


Make sure you open Regedit and see your startup programs under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. It'll take a bit of time, but search Google for "wintime startup repository [somestartupfile.exe]"; if you find any files which are spyware, delete the particular registry entry, and 9 out of 10 times the problem will be solved.
 
PLEASE disregard what Yahweh posted (I don't mean that rudely, but it's incorrect and I don't want anyone to go recycle-bin happy with their files).

The linked pages are not very informative. They seem to list every filename a virus could possibly have, but the ones here are almost certainly legit.

The following are spyware:

C:\WINNT\System32\smss.exe (See here for definition.)

Please check your own link - in that case it's informative enough to tell you that smss.exe is supposed to reside in system32, anywhere else and it's a virus.

C:\WINNT\system32\services.exe (See here for definition.)

Supposed to be there.

C:\WINNT\system32\spoolsv.exe (See here for definition.)

Again, it is supposed to be in system32. The viral version is sp00lsv.exe

C:\WINNT\system32\rundll32.exe (See here for definition.)

Also supposed to be there.

Be aware of files:

C:\WINNT\system32\winlogon.exe (If you find a file called winlogon.exe located anywhere but the System32 directory, then it is spyware. See here for definitions.)

C:\WINNT\system32\lsass.exe (If you see this file figure into msconfig/startup, submit the file to submit@misec.net and ask them if it is spyware.)

Since both are in system32 there's probably nothing to worry about.

I don't know what to make of these files:

C:\WINNT\system32\svchost.exe

"Application that works as a host process for services that run from dynamic link libraries."

David
 
Yahweh said:
This is what I can make of the Hijack This! log...


The following are spyware:

C:\WINNT\System32\smss.exe (See here for definition.)

C:\WINNT\system32\services.exe (See here for definition.)

C:\WINNT\system32\spoolsv.exe (See here for definition.)

C:\WINNT\system32\rundll32.exe (See here for definition.)



Sorry Yahweh but the first 3 you have identified are genuine system processes.
The last one "rundll32.exe" is suspect, you are right I think on this one.

c:\winnt\system32\spoolsv.exe is the print spooler.
c:\winnt\system32\smss.exe is legit.
c:\winnt\system32\services.exe is the windows service controller.

Just didn't want LA to delete these processes - no offence meant.
 
Sorry, DH beat me to it!
(And said it better!)

DH is also right about rundll32. My mistake.
 
What about the cool web search virus/trojan/spyware/hijacker?

I haven't had the opportunity to get infested with CWS but it's supposed to change startup page and search page.
 
Also be advised that if you are using XP and running adaware or spy sweeper they will not necessarily be able to delete/repair registry entries made by system users. Each, I think, reports that it cannot repair and asks to restart at your next startup. Do that. Then log on as another user and re-run both scans. Do this for all users.

Additionally, both spy sweeper and adaware have update features. Use them.
 
A search for "search200.com" brought me to one page, with this advice:

http://www.easywindows.com/messages/4830.html
"Posted by JIM on June 03, 2004 at 20:46:35:

In Reply to: allaboutsearch/searchexe/search200.com posted by Thom on June 03, 2004 at 04:26:37:

: Please please please; if anyone know of a definitive way to get rid of this parasite!
: it's taking over my start page, adding some favorites to mine, which i have to supress all the time...
: it's really driving me crazy!

Go to www.search200.com and then go to help and at the bottom there are instructions to uninstall. Took me a long time to figure it out. "


Will this work? I dunno, because I'm not willing to go into the 'belly of the beast', as it were, to find out. I don't want my box infected too.

Since you're already infected, it shouldn't hurt ;)
 
Note that while rundll32.exe is a valid process (for example, it's what shuts off or restarts a Windows system. If you hit ctrl-alt-delete after you initiate a shutdown, and you kill that process, you abort the shutdown), there are several bits of spyware that use rundll32.exe to load. On LostAngeles' system, though, it's being used to run some nVidia software.

This is something bad that should be removed:
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
(Here for more info)


I'd also remove these:
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
(These are stay-resident programs for things that don't need to stay resident. You don't need HP or Java constantly looking for updates)

O4 - HKLM\..\Run: [kdx] C:\WINNT\kdx\KHost.exe
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
(This is something with Kontiki, which is part of cnet's useless security delivery/spyware software).

I'd also remove:
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9E6C7461-FE4A-41A9-9D35-7468796CF9E7} (AVXControl Class) - http://threatlevel.pcsecurityshield...trol/avxnew.dll
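The points made in this thread (a System32-only binary such as smss.exe or winlogon.exe is only suspect when it runs from somewhere else, an O1 hosts entry that sends search domains to a foreign IP, an O4 Run entry under Temp or WinTools, an R1 search page pointing at a host nobody chose) can be turned into a small triage pass over a HijackThis log. This is an added example, not code from any poster or from HijackThis; the log excerpt is constructed in the v1.97 format, the Temp winlogon.exe line is invented to exercise the location rule, and the rule names and `trusted_hosts` allowlist are this example's own.

```python
import re
from pathlib import PureWindowsPath
from urllib.parse import urlparse
# Core Windows binaries that belong only in System32; a copy running from any
# other directory is the warning sign the thread discusses.
SYSTEM32_ONLY = {"smss.exe", "services.exe", "winlogon.exe", "lsass.exe",
                 "spoolsv.exe", "svchost.exe", "rundll32.exe"}
# Constructed excerpt in HijackThis 1.97 format; the Temp winlogon.exe line
# is invented to exercise the location rule and is not in the log above.
SAMPLE_LOG = r"""Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\staA4.exe
C:\WINNT\Temp\winlogon.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search200.com/searchbar.html
O1 - Hosts: 207.36.196.189 auto.search.msn.com
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
"""

def misplaced_system_binary(path):
    p = PureWindowsPath(path)
    in_system32 = (p.parent.name.lower() == "system32"
                   and p.parent.parent.name.lower() in ("winnt", "windows"))
    return p.name.lower() in SYSTEM32_ONLY and not in_system32

def triage(log, trusted_hosts=frozenset()):
    """Return (rule, line) pairs for log entries that deserve a closer look."""
    findings, in_processes = [], False
    for line in (ln.strip() for ln in log.splitlines() if ln.strip()):
        if line == "Running processes:":
            in_processes = True
            continue
        m = re.match(r"^(R\d|O\d+) - (.*)$", line)
        if m:
            in_processes = False
            code, rest = m.groups()
            if code in ("R0", "R1") and " = http" in rest:
                host = urlparse(rest.split(" = ", 1)[1]).hostname
                if host not in trusted_hosts:  # start/search page nobody chose
                    findings.append(("untrusted-browser-default", line))
            elif code == "O1" and not rest.split()[1].startswith("127."):
                findings.append(("hosts-redirect", line))  # search domain rerouted
            elif code == "O4" and re.search(r"\\(Temp|WinTools)\\", rest, re.I):
                findings.append(("run-key-suspicious-path", line))
        elif in_processes:
            if misplaced_system_binary(line):
                findings.append(("system-binary-outside-system32", line))
            elif re.search(r"\\Temp\\", line, re.I):
                findings.append(("process-from-temp", line))
    return findings
```

Legitimate entries such as the System32 copies of smss.exe and winlogon.exe, or an R1 whose host is passed in `trusted_hosts`, produce no finding; everything flagged still needs the kind of per-entry lookup the posters describe before anything is removed.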
 
Oleron, DavidHorman,

Thanks for catching my mistakes. I had a very recent bug infection on my machine and the particular website I used helped clean all the nasty bits out.

I hope it's not too late to add: I'm not an expert. Find a qualified specialist before deleting anything from your hard drive.


Thanks! :)
 