Hijack This Log


  • This topic is locked
2 replies to this topic

#1 bjhere68

bjhere68

  • Members
  • 1 posts
  • OFFLINE
  • Local time:03:41 AM

Posted 22 June 2008 - 07:00 AM

Hi,

Sorry, I'm new here. I have noticed my Explorer and Firefox settings sometimes change and I get pop-ups, so I'm not sure if I have adware or something on my system that's not supposed to be there. Sometimes my system is working slow, etc. ... Thanks for any help or assurance!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:43:21 AM, on 6/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\Owner\My Documents\RCA EasyRip\EZDock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Owner\My Documents\RCA EasyRip\EZPlayerbase.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\spider.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_BAND_SEARCHBAR_HTML
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=192.168.0.1:87;https=69.19.14.10:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.0.1;localhost
O1 - Hosts: 172.29.12.82 mse20fe1.mse20.exchange.ms
O1 - Hosts: 172.29.12.82 mse20fe1
O1 - Hosts: 172.29.12.84 mse20fe2.mse20.exchange.ms
O1 - Hosts: 172.29.12.84 mse20fe2
O1 - Hosts: 172.29.12.86 mse20be1.mse20.exchange.ms
O1 - Hosts: 172.29.12.86 mse20be1
O1 - Hosts: 172.29.12.87 mse20be2.mse20.exchange.ms
O1 - Hosts: 172.29.12.87 mse20be2
O1 - Hosts: 172.29.12.97 mse20be3.mse20.exchange.ms
O1 - Hosts: 172.29.12.97 mse20be3
O1 - Hosts: 172.29.12.67 mse19fe1.mse19.exchange.ms
O1 - Hosts: 172.29.12.67 mse19fe1
O1 - Hosts: 172.29.12.68 mse19fe2.mse19.exchange.ms
O1 - Hosts: 172.29.12.68 mse19fe2
O1 - Hosts: 172.29.12.69 mse19be1.mse19.exchange.ms
O1 - Hosts: 172.29.12.69 mse19be1
O1 - Hosts: 172.29.12.70 mse19be2.mse19.exchange.ms
O1 - Hosts: 172.29.12.70 mse19be2
O1 - Hosts: 172.29.12.54 mse18fe1.mse18.exchange.ms
O1 - Hosts: 172.29.12.54 mse18fe1
O1 - Hosts: 172.29.12.55 mse18fe2.mse18.exchange.ms
O1 - Hosts: 172.29.12.55 mse18fe2
O1 - Hosts: 172.29.12.56 mse18be1.mse18.exchange.ms
O1 - Hosts: 172.29.12.56 mse18be1
O1 - Hosts: 172.29.12.57 mse18be2.mse18.exchange.ms
O1 - Hosts: 172.29.12.57 mse18be2
O1 - Hosts: 172.29.12.8 mse17fe1.mse17.exchange.ms
O1 - Hosts: 172.29.12.8 mse17fe1
O1 - Hosts: 172.29.12.11 mse17fe2.mse17.exchange.ms
O1 - Hosts: 172.29.12.11 mse17fe2
O1 - Hosts: 172.29.12.12 mse17be1.mse17.exchange.ms
O1 - Hosts: 172.29.12.12 mse17be1
O1 - Hosts: 172.29.12.14 mse17be2.mse17.exchange.ms
O1 - Hosts: 172.29.12.14 mse17be2
O1 - Hosts: 172.29.12.29 mse16fe1.mse16.exchange.ms
O1 - Hosts: 172.29.12.29 mse16fe1
O1 - Hosts: 172.29.12.30 mse16fe2.mse16.exchange.ms
O1 - Hosts: 172.29.12.30 mse16fe2
O1 - Hosts: 172.29.12.31 mse16be1.mse16.exchange.ms
O1 - Hosts: 172.29.12.31 mse16be1
O1 - Hosts: 172.29.12.32 mse16be2.mse16.exchange.ms
O1 - Hosts: 172.29.12.32 mse16be2
O1 - Hosts: 172.30.10.124 mse15fe1.mse15.exchange.ms
O1 - Hosts: 172.30.10.124 mse15fe1
O1 - Hosts: 172.30.10.127 mse15fe2.mse15.exchange.ms
O1 - Hosts: 172.30.10.127 mse15fe2
O1 - Hosts: 172.30.10.129 mse15be1.mse15.exchange.ms
O1 - Hosts: 172.30.10.129 mse15be1
O1 - Hosts: 172.30.10.130 mse15be2.mse15.exchange.ms
O1 - Hosts: 172.30.10.130 mse15be2
O1 - Hosts: 172.30.10.105 mse14fe1.mse14.exchange.ms
O1 - Hosts: 172.30.10.105 mse14fe1
O1 - Hosts: 172.30.10.106 mse14fe2.mse14.exchange.ms
O1 - Hosts: 172.30.10.106 mse14fe2
O1 - Hosts: 172.30.10.108 mse14be1.mse14.exchange.ms
O1 - Hosts: 172.30.10.108 mse14be1
O1 - Hosts: 172.30.10.109 mse14be2.mse14.exchange.ms
O1 - Hosts: 172.30.10.109 mse14be2
O1 - Hosts: 172.30.10.84 mse12fe1.mse12.exchange.ms
O1 - Hosts: 172.30.10.84 mse12fe1
O1 - Hosts: 172.30.10.85 mse12fe2.mse12.exchange.ms
O1 - Hosts: 172.30.10.85 mse12fe2
O1 - Hosts: 172.30.10.87 mse12be1.mse12.exchange.ms
O1 - Hosts: 172.30.10.87 mse12be1
O1 - Hosts: 172.30.10.88 mse12be2.mse12.exchange.ms
O1 - Hosts: 172.30.10.88 mse12be2
O1 - Hosts: 172.30.10.79 mse11fe1.mse11.exchange.ms
O1 - Hosts: 172.30.10.79 mse11fe1
O1 - Hosts: 172.30.10.80 mse11fe2.mse11.exchange.ms
O1 - Hosts: 172.30.10.80 mse11fe2
O1 - Hosts: 172.30.10.82 mse11be1.mse11.exchange.ms
O1 - Hosts: 172.30.10.82 mse11be1
O1 - Hosts: 172.30.10.83 mse11be2.mse11.exchange.ms
O1 - Hosts: 172.30.10.83 mse11be2
O1 - Hosts: 172.30.10.112 mse11be3.mse11.exchange.ms
O1 - Hosts: 172.30.10.112 mse11be3
O1 - Hosts: 172.30.10.61 mse10fe1.mse10.exchange.ms
O1 - Hosts: 172.30.10.61 mse10fe1
O1 - Hosts: 172.30.10.103 mse10fe3.mse10.exchange.ms
O1 - Hosts: 172.30.10.103 mse10fe3
O1 - Hosts: 172.30.10.64 mse10be1.mse10.exchange.ms
O1 - Hosts: 172.30.10.64 mse10be1
O1 - Hosts: 172.30.10.65 mse10be2.mse10.exchange.ms
O1 - Hosts: 172.30.10.65 mse10be2
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Easy Dock] C:\Documents and Settings\Owner\My Documents\RCA EasyRip\EZDock.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [PlayCenter2] "C:\Program Files\Creative\SBAudigy\PlayCenter2\MDEntry.EXE" "C:\Program Files\Creative\SBAudigy\PlayCenter2" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'Default user')
O4 - S-1-5-19 Startup: LivePerson.lnk = C:\Program Files\LivePerson\hc.exe (User 'LOCAL SERVICE')
O4 - S-1-5-18 Startup: LivePerson.lnk = C:\Program Files\LivePerson\hc.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: LivePerson.lnk = C:\Program Files\LivePerson\hc.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: LivePerson.lnk = C:\Program Files\LivePerson\hc.exe
O4 - Startup: RCA Detective.lnk = C:\Documents and Settings\Owner\My Documents\RCA Detective\RCADetective.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1187232793968
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4A9645D-8578-4AE0-ABD5-D05D39371A99}: NameServer = 206.174.129.2,206.174.129.5
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 13462 bytes

#2 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  • Local time:07:41 AM

Posted 25 June 2008 - 04:45 PM

Hi

Your log's clean.

All those entries in the HOSTS file don't look like malware; they look like a private network?

-

You are running an out-of-date version of Java.

Go to Add/Remove Programs and uninstall any earlier versions; in your case:

jre1.6.0_02

Then you can go here and install the latest version of Java.

http://java.sun.com/javase/downloads/index.jsp

Scroll down the page to 'Java Runtime Environment (JRE) 6 Update 6' and press the 'Download' button.


Running an out-of-date version of Java is an infection risk.

-
What are the pop-ups for?

-

Please download CCleaner from:

http://www.filehippo.com/download_ccleaner/ (click the download tab)

During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it.

Double-click the ccsetup.exe file and install the program...

After installing, go to Start > programs > CCleaner > Options > Advanced > UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

Make sure the "windows" tab is selected

Under "internet explorer" tick...

Temporary internet files
Cookies* > see Note below
History
Recently typed URLs
(leave this unticked if you DON'T want to clear the drop down list in the address window of IE)
Delete index.dat files
Last download location
Autocomplete form history


Under "Windows Explorer" these are optional, but you can safely tick them all if you wish; they are only "most recently used" lists.

Other explorer MRU's
(leave this unticked if you DON'T want to clear lists such as the start\run list)

under "System"

Tick ALL these ...


under "Advanced"

no need to tick any of these (but you can if you want, and realise what they do)


Applications tab...

These will mostly clean out old log files for these applications...

Clean:- (if you use them)

Firefox/Mozilla (optional - leave the cookies - see note)
Opera
Sun Java
ZoneAlarm

...
Personally I clean everything in the applications tab... but you tick what you want...

Note: *If there are any cookies you want to keep (if you remove the cookie for a site you require a password for, you will need to re-enter your password when you next visit that site) ... click options > cookies > then keep the cookies you want.

Click "Analyse" if you want to see a list of what is going to be removed, before it is removed.

Or

Click "Run Cleaner" to let it get on with its work... clicking this will result in the following pop-up:

"This process will permanently delete files from your system. Are you sure you wish to proceed?"

click OK.

cheers

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware.
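As an added example, not code from this thread or from the HijackThis project, the following Python script applies the two observations steamwiz makes above to a HijackThis log in a repeatable way: it splits the O1 hosts entries into private-range and public targets (the 172.29.x.x and 172.30.x.x addresses in the log fall inside RFC 1918 space, which is why they look like a private network rather than a hosts-file hijack), and it pulls every JRE version out of the file paths in the log and compares it with the current release named in the reply (1.6.0 Update 6). The sample lines are copied from the log posted in this thread; the regular expressions, the function names and the `latest` version tuple are assumptions of this example, not anything the HijackThis format or the thread defines.

```python
import ipaddress
import re

# Constructed sample input: a handful of lines copied from the HijackThis v2.0.2
# log posted in this thread (O1 hosts entries plus two lines carrying a JRE path).
SAMPLE_LOG = r"""
O1 - Hosts: 172.29.12.82 mse20fe1.mse20.exchange.ms
O1 - Hosts: 172.29.12.82 mse20fe1
O1 - Hosts: 172.30.10.124 mse15fe1.mse15.exchange.ms
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
"""

# Assumed patterns for the two line shapes this example cares about.
HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
JRE_RE = re.compile(r"jre(\d+)\.(\d+)\.(\d+)_(\d+)", re.IGNORECASE)


def parse_hosts_entries(log):
    """Return (ip_address, hostname) pairs from O1 lines.

    Lines whose address field does not parse as an IP are skipped rather than
    guessed at, so a malformed entry cannot mis-classify the whole log.
    """
    entries = []
    for line in log.splitlines():
        m = HOSTS_RE.match(line.strip())
        if not m:
            continue
        ip_text, hostname = m.groups()
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            continue
        entries.append((ip, hostname))
    return entries


def classify_hosts(entries):
    """Split hosts entries into private/loopback targets and public targets.

    Private targets (10/8, 172.16/12, 192.168/16, 127/8) are what a corporate or
    home network looks like, as in this thread. A name mapped to a public address
    the user did not add is the case an analyst wants to look at more closely.
    """
    result = {"private": [], "public": []}
    for ip, hostname in entries:
        bucket = "private" if (ip.is_private or ip.is_loopback) else "public"
        result[bucket].append((str(ip), hostname))
    return result


def find_java_versions(log):
    """Collect every JRE version that appears in a file path anywhere in the log,
    as (major, minor, patch, update) tuples so they compare numerically."""
    return {tuple(int(x) for x in m.groups()) for m in JRE_RE.finditer(log)}


def java_is_outdated(found, latest):
    """Return the subset of `found` versions older than `latest`.

    `latest` is supplied by the caller; this example uses the release named in
    the reply above, 1.6.0 Update 6, as (1, 6, 0, 6).
    """
    return {v for v in found if v < latest}


if __name__ == "__main__":
    hosts = classify_hosts(parse_hosts_entries(SAMPLE_LOG))
    print("hosts entries on private ranges:", len(hosts["private"]))
    print("hosts entries pointing at public addresses:", hosts["public"])
    found = find_java_versions(SAMPLE_LOG)
    print("JRE versions referenced in log:", sorted(found))
    print("older than 1.6.0_06:", sorted(java_is_outdated(found, (1, 6, 0, 6))))
```

Run against the full log from the thread, every one of the 84 O1 lines lands in the private bucket and the public bucket stays empty, which is the machine-checkable form of "they look like a private network"; the JRE check reports 1.6.0_02 as older than the Update 6 release the reply points to.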

#3 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  • Local time:07:41 AM

Posted 24 July 2008 - 04:45 PM

Due to lack of feedback this topic is now closed.

If the original poster would like it re-opened, please send me a PM with a link to this thread.

cheers

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware.
