Jump to content

[SOLVED]Do I Need Help?


faith_michele
 Share

Recommended Posts

This is the second one that I have posted.

I conducted an adaware scan prior to the HJT scan.

Do I need help?

 

Thank You,

Faith

 

Logfile of HijackThis v1.98.2

Scan saved at 4:44:02 AM, on 10/22/2004

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\System32\hphmon05.exe

C:\HP\KBD\KBD.EXE

C:\WINDOWS\LTMSG.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

C:\WINDOWS\System32\igfxtray.exe

C:\WINDOWS\ALCXMNTR.EXE

C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Documents and Settings\Owner\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus10.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7

O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"

O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1097618636218

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} (Util Class) - https://isupport4.hp.com/motivedocs/linklauncher/MotUtil.cab

O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://wwemail.support.hp.com/fd2/objects/SysQuery.cab

Link to comment
Share on other sites

Hello faith_martlock

 

I'll be having a look at your Hijack This log and will reply with some suggestions as soon as possible.

 

In the mean time there is something you could do in preperation.

Lets move Hijack This into a folder of Its own.

Click My Computer, then C:\

In the menu bar, File->New->Folder.

That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it.

Failure to do so may mean needed backups will not be available.

 

If the Ad-Aware you used is not the newest version, please do the following.

 

Download the new Ad-Aware SE version, and follow the instructions on how to do a full scan: http://forums.spywareinfo.com/index.php?showtopic=11150

-reboot after using Ad-Aware SE. Also while there get the VX2 plugin and run it too.

 

Get Spybot - Search & Destroy from http://security.kolla.de (This is the NEW Version 1.3)

 

These are programs you should run weekly. Be sure to update both before using and to Reboot each after using, to allow them to finish their work.

Link to comment
Share on other sites

Hello Faith;

 

Please print out these instructions so you can read them while you clean your system. A printout also makes a good check list for Hijack This, to avoid making errors.

 

 

Please run Hijack This again and place check marks next to the following entries.

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus10.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

 

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

 

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

Realtek AC97 Audio - Event Monitor. "Sypware" file used surreptitiously monitor one's actions. It is not a sinister one, like remote control programs, but it is being used by Realtek to gather data about customers

 

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

 

The following entries are optional, or known resource hogs. If you have noticed an overall slowdown in your computer, consider shutting down some of these. Please read the description following each and check mark for "fixing" (or follow instructions for disabling) according to your needs.

 

BackWeb is installed by a number of programs to update their software automatically, but it is considered to be spyware because of the way that it does this.

Check the link just below for more information about "backweb" to help you make an informed decision.

http://www.pestpatrol.com/PestInfo/B/Backweb.asp

 

O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe

 

Resource hog that launches common MS Office components to help speed up the launch of Office programs. Some users claim there's no difference with or without it but it isn't required anyway. Different filenames used for different variants.

 

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

 

Close all other windows and browsers, then click on "Fix Checked.

 

 

Please Reboot, run Hijack this again and copy the log to paste here, in this string, using the New Reply function, so I will be advised of your post.

Link to comment
Share on other sites

Okay, I did everything that you told me to do.

 

Here's my latest scan.

 

Faith

 

Logfile of HijackThis v1.98.2

Scan saved at 1:50:14 PM, on 10/24/2004

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\System32\hphmon05.exe

C:\HP\KBD\KBD.EXE

C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

C:\WINDOWS\LTMSG.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

C:\WINDOWS\System32\igfxtray.exe

C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\WINDOWS\system32\wuauclt.exe

C:\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7

O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"

O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1097618636218

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} (Util Class) - https://isupport4.hp.com/motivedocs/linklauncher/MotUtil.cab

O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://wwemail.support.hp.com/fd2/objects/SysQuery.cab

Link to comment
Share on other sites

Hi faith_martlock

I found something unusually suspicious and would like you to do the following, please.

 

Please use the following link to get an online Trojan Scan.

http://scan.sygatetech.com/pretrojanscan.html

 

Then,

Choose one of these, they are online virus scanners,

run one of them and have them fix anything they find.

 

Panda

http://www.pandasoftware.com/activescan/co...n_principal.htm

 

Trend Micro

http://housecall.trendmicro.com/housecall/start_corp.asp

 

And, here's the link to McAfee AVERT Stinger and instructions for use.

 

Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location, so you can delete it yourself.

 

Please let us know what the results are.

 

Then,

Use the following link to download a Free Trial Version of Trojan Hunter. Update it if possible and let it scan your PC. Then please post a fresh Hijack This log here.

 

Trial Version of Trojan Hunter.

http://www.misec.net/trojanhunter/

Link to comment
Share on other sites

Piatan,

 

All results came back negative except for Sygate.

 

Sygate results- Trojan- Tiny Telnet Server (= TTS)

 

Port 23 (Open)- Telnet is used to remotely create a shell (dos prompt), this can allow an attacker to control your system as if he was sitting in front of it.

 

I finally got Ad-Aware to have a clean scan by restarting and not opening any applications during the scan. MRUs were appearing as negligeable risks if I used even Word.

 

Spybot comes back with the DSO Exploit on every scan.

 

I have all the newest updates and security patches now.

 

Here is my new HJT log.

 

Thanks,

 

Faith

 

 

Logfile of HijackThis v1.98.2

Scan saved at 5:34:57 AM, on 10/26/2004

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\System32\hphmon05.exe

C:\HP\KBD\KBD.EXE

C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

C:\WINDOWS\LTMSG.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

C:\WINDOWS\System32\igfxtray.exe

C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wuauclt.exe

C:\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7

O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"

O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1097618636218

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/:f...red:/asinst.cab

O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} (Util Class) - https://isupport4.hp.com/motivedocs/linklauncher/MotUtil.cab

O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://wwemail.support.hp.com/fd2/objects/SysQuery.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{58BD298F-E8CD-490F-9557-F75CD34F8923}: NameServer = 216.166.216.20,64.40.72.20

Link to comment
Share on other sites

Hi faith_martlock

 

No need to worry about that DSO Exploit in Spybot. It is only a "glitch" in the Program, that should have been fixed before now. Try updating and see if it stops.

 

So far as the Sygate report goes,

 

run Trojan Hunter and see if it agrees with Sygate.

 

Then, lets do this:

Check the Properties on the two following 09 files.

 

To check a files properties, Right click on the file and select "Properties". This will sometimes give you information such as the size, attributes,version number and often the maker.

From this you can often determine if it is good. With these, if they check to be from Microsoft, they are okay. I'm possibly being overly cautious.

 

 

Do the following , only if the two 09 files are not from Microsoft.

 

Please run Hijack This again and place check marks next to the following entries.

 

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

 

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

 

Close all other windows and browsers, then click on "Fix Checked.

Then please REBOOT.

 

Please reboot into safe mode - How do I boot into "Safe" mode?

 

You may need to show hidden files to delete the following File(s) and Folder(s).How to show all hidden and system files

 

Delete the following File,while in Safe Mode.

 

C:\Program Files\Messenger\msmsgs.exe

 

Reboot into normal mode,enable hidden files and post a fresh Hijack This log in this thread. Otherwise, your log is clean.

 

For your Protection - It is suggested that you download and install:

 

SpywareBlaster will block bad ActiveX and malevolent cookies. http://www.javacoolsoftware.com/spywareblaster.html

 

IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

http://www.staff.uiuc.edu/~ehowes/resource.htm#IESPYAD

 

Both are very small free programs that you run once, and then just occasionally to check for updates.

 

And also see

So how did I get infected in the first place?

Link to comment
Share on other sites

The Trojan Hunter reports no suspicious ports.

 

The only msnsgs file that I found was for MSN Messenger. I could not find the actual numbers referenced.

 

Here's my new scan.

 

Logfile of HijackThis v1.98.2

Scan saved at 2:46:41 AM, on 10/27/2004

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\System32\hphmon05.exe

C:\HP\KBD\KBD.EXE

C:\WINDOWS\LTMSG.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

C:\WINDOWS\System32\igfxtray.exe

C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7

O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"

O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1097618636218

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/:f...red:/asinst.cab

O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} (Util Class) - https://isupport4.hp.com/motivedocs/linklauncher/MotUtil.cab

O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://wwemail.support.hp.com/fd2/objects/SysQuery.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{58BD298F-E8CD-490F-9557-F75CD34F8923}: NameServer = 216.166.216.20,64.40.72.20

 

Thanks,

Faith

Link to comment
Share on other sites

Hello Faith

 

Lets do this a bit differantly this time.

 

Please reboot into safe mode - How do I boot into "Safe" mode?

 

You will need to show hidden files to delete the following File(s) and Folder(s).How to show all hidden and system files

 

Now, lets see if that file is reachable.

 

C:\Program Files\Messenger\msmsgs.exe <---This file.

 

And if so, check the Properties to see if it is a legitimate Microsoft file.

 

To check a files properties, Right click on the file and select "Properties". This will sometimes give you information such as the size, attributes,version number and often the maker.

From this you can often determine if it is good.

 

If the file is Microsoft, then do nothing.

 

 

 

 

If it is not Microsoft, do the following.

 

While still in SAFE MODE and all other Programs and Windows closed,

Run Hijack this and place a check on the following and click on Fix Checked.

 

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

 

DO NOT REBOOT AT THIS POINT.

 

Remaining in SAFE MODE,Delete the following File.

 

C:\Program Files\Messenger\msmsgs.exe <------This file only.

 

Then disable your system restore ( Instructions to do so, if needed for XP ).

 

1. Turn off System Restore.

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

Check Turn off System Restore.

Click Apply, and then click OK.

 

2. Reboot.

 

3. Turn ON System Restore.

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

UN-Check *Turn off System Restore*.

Click Apply, and then click OK.

 

 

Reboot into normal mode,enable hidden files and post a fresh Hijack This log in this thread to receive additional suggestions.

Link to comment
Share on other sites

Piatan,

 

I apologize for taking so long to do this. The msmsgs.exe file that is in the MSN Messenger program file. I have not reinstalled that or windows messenger since my full system recovery. I'm hesitant to do so. I went to remove the MSN messenser, but it was not listed in my ADD/REMOVE programs tab. I have added the SpywareGuard and SpywareBlaster to my machine. I really think that the Adware is the biggest problem because my son does play many games. I did solve my network problem with my ISP and Windows Update is working properly now.

 

Thank You Very Much!

 

Faith

 

This is my latest scan-

 

Logfile of HijackThis v1.98.2

Scan saved at 2:53:37 AM, on 11/2/2004

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\System32\hphmon05.exe

C:\HP\KBD\KBD.EXE

C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

C:\WINDOWS\LTMSG.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

C:\WINDOWS\System32\igfxtray.exe

C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\System32\wbem\wmiprvse.exe

C:\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7

O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"

O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1097618636218

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/:f...red:/asinst.cab

O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} (Util Class) - https://isupport4.hp.com/motivedocs/linklauncher/MotUtil.cab

O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://wwemail.support.hp.com/fd2/objects/SysQuery.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{58BD298F-E8CD-490F-9557-F75CD34F8923}: NameServer = 216.166.216.20,64.40.72.20

Link to comment
Share on other sites

 Share

×
×
  • Create New...