Hijack.StartMenu found - since deleted

#1 ozeannie


Posted 12 February 2009 - 11:32 PM

I've posted this log after having a post redirected to the Misplaced logs forum. Before looking at the log or giving instructions, please refer back to the post in the misplaced forums:


This is a bit of a different case - there is a reason it is a Deckard scan and not the requested DSS - please read the post above. I can't get to this computer other than via VNC and Mum can't do tech fixes. I posted the DSS scan result because I happened to already have it (our AV company favours doing them - I did it for them thinking I would send it to them but after ringing there the guy insisted that if the AV was up-to-date and found nothing on the scan, the computer was clean.)

In brief...there were 2 infections (win32\FakeAlert.IJ and HijackThis.Startmenu) - that I know of. These have both been cleaned by AV and Malwarebytes respectively. The computer now seems OK but I'm concerned whether anything else is still lurking, particularly a keylogger - I did delete all temp files and temp internet files when I saw that the Win32 bug was in TIF.

My concern is if there was something like a rootkit on the computer previously and we have managed to clean it, what's to say someone hasn't already used it to obtain passwords etc? My concern re the rootkit/keylogger is for 2 reasons:

(1) I found a file called Telnettrace.log in "My Documents" - which had a log which included her username and password. I thought this might have constituted a hack, but the AV guy reckons it could have been a legitimate polling of the modem/router

(2) Concerned about Hijack.startmenu I did a Google and found the post of another user on this website (which I referenced in my original post in the Misplaced forum) - and this user had Hijack.StartMenu PLUS a rootkit - so I was concerned whether the two came in tandem, and, since the other user had the rootkit in the temp folders and I had already deleted these, I wouldn't be able to see if it had been there and neither would Malwarebytes. I also know that some rootkits make themselves "invisible" to regular malware scans.

However (3) I have seen elsewhere that the Deckard scan is now out of favour as there is a bug in it which, if it comes across this particular rootkit, can disable the computer. Since my Mum's computer isn't disabled and we ran Deckard on it, I'm hoping this means she didn't have the rootkit.

Please note as per post above in misplaced forums, I can't access this computer directly to run things like Combofix - I can only do any fixes which could be applied over VNC.

There are a few entries that concern me in the log - I'm not an expert, but if there is something in there that shouldn't be, I'd like to know - it might turn out to be something we already removed, but would like to be sure.

Sorry I'm unable to work on the computer directly, I'm just after a bit of advice as to whether this log looks clean or not and if there is anything that can be done about anything that needs fixing, which I can manage over VNC.


I have now performed the DDS scan as per the instructions "before you post a hijack this log" and attached them. These were performed without VNC or Skype connected (Skype was running, but not connected in a call).

Many thanks for your patience

Deckard's System Scanner v20071014.68
Run by Edna Petfield on 2009-02-12 19:41:05
Computer is in Normal Mode.

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
31: 2009-02-12 08:43:29 UTC - RP375 - Deckard's System Scanner Restore Point
30: 2009-02-11 21:53:55 UTC - RP374 - Software Distribution Service 3.0
29: 2009-02-10 05:25:59 UTC - RP373 - System Checkpoint
28: 2009-02-01 04:57:51 UTC - RP372 - System Checkpoint
27: 2009-01-26 08:44:28 UTC - RP371 - System Checkpoint

-- First Restore Point --
1: 2008-11-14 10:10:59 UTC - RP345 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 82% (more than 75%).
Total Physical Memory: 223 MiB (512 MiB recommended).

-- HijackThis (run as Edna Petfield.exe) ---------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2009-02-12 19:49:04
Platform: Windows XP Service Pack 3 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
C:\Program Files\HPQ\Quick Launch Buttons\eabservr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\cavrid.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\RealVNC\VNC4\winvnc4.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\caavguiscan.exe
C:\Documents and Settings\Edna Petfield\My Documents\Anne\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.optusnet.com.au/dsl/favorites/homepage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Customer...DataManager.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30A3CCA5-F34C-4E87-BB57-5A2F2C935E14} (AMI DicomDir TreeView Control 2.0) - file://D:\cdviewer\CdViewer.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...llMgr_v01_6.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1144734894500
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe

End of file - 7873 bytes

-- HijackThis Fixed Entries (C:\DOCUME~1\EDNAPE~1\MYDOCU~1\HIGHJA~1\backups\) --

backup-20090104-074209-786 O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
backup-20090104-074247-258 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20090104-074247-438 O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 CO_Mon - c:\windows\system32\drivers\co_mon.sys
S3 PCAMPR5 (PCAMPR5 NDIS Protocol Driver) - c:\windows\system32\pcampr5.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe"
S3 hpqwmi (HP WMI Interface) - c:\program files\hpq\shared\hpqwmi.exe

-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Broadcom 802.11b/g WLAN
Device ID: PCI\VEN_14E4&DEV_4320&SUBSYS_12FA103C&REV_03\4&16793A72&0&30F0
Manufacturer: Broadcom
Name: Broadcom 802.11b/g WLAN
PNP Device ID: PCI\VEN_14E4&DEV_4320&SUBSYS_12FA103C&REV_03\4&16793A72&0&30F0
Service: BCM43XX

Class GUID: {4D36E96D-E325-11CE-BFC1-08002BE10318}
Description: SoftV92 Data Fax Modem with SmartCP
Device ID: PCI\VEN_8086&DEV_24C6&SUBSYS_3080103C&REV_03\3&61AAA01&0&FE
Manufacturer: CXT
Name: SoftV92 Data Fax Modem with SmartCP
PNP Device ID: PCI\VEN_8086&DEV_24C6&SUBSYS_3080103C&REV_03\3&61AAA01&0&FE
Service: Modem

-- Scheduled Tasks -------------------------------------------------------------

2008-01-19 07:41:56 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

-- Files created between 2009-01-12 and 2009-02-12 -----------------------------

2009-02-12 17:17:53 0 d------c- C:\Documents and Settings\Edna Petfield\Application Data\Malwarebytes
2009-02-12 17:17:35 0 d------c- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-02-12 17:17:34 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2009-02-11 16:20:59 0 d-a----c- C:\Documents and Settings\All Users\Application Data\TEMP
2009-02-11 16:20:36 0 d-------- C:\Program Files\SpywareBlaster

-- Find3M Report ---------------------------------------------------------------

2009-02-12 19:38:55 0 d------c- C:\Documents and Settings\Edna Petfield\Application Data\Skype
2009-02-12 15:40:59 0 d------c- C:\Documents and Settings\Edna Petfield\Application Data\skypePM
2009-02-09 18:57:48 0 d------c- C:\Documents and Settings\Edna Petfield\Application Data\HPAppData
2009-01-03 16:52:19 0 d-------- C:\Program Files\Google
2009-01-03 13:12:09 0 d-------- C:\Program Files\Messenger
2009-01-03 13:01:15 0 d-------- C:\Program Files\Movie Maker
2009-01-03 12:58:04 0 d-------- C:\Program Files\Windows NT

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0347C33E-8762-4905-BF09-768834316C61}]
02/03/2007 05:52 PM 1298024 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{053F9267-DC04-4294-A72C-58F732D338C0}]
02/03/2007 05:52 PM 177768 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
05/12/2008 08:34 PM 34816 --a------ C:\Program Files\Java\jre6\bin\jp2ssv.dll

"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [17/09/2004 07:19 PM]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [13/10/2004 08:34 PM]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [04/11/2004 07:40 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [15/09/2007 02:27 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [05/12/2008 08:34 PM]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [13/01/2007 12:48 PM]
"VX1000"="C:\WINDOWS\vVX1000.exe" [06/12/2006 10:38 AM]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [24/01/2009 10:09 AM]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [09/09/2008 02:51 PM]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [15/09/2007 02:29 AM]

"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [07/11/2008 02:31 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [14/04/2008 11:12 AM]

"Malwarebytes' Anti-Malware"=C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]



@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WinVNC4"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt hpqcxs08 hpqddsvc
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

*Newly Created Service* - MBAMSWISSARMY

-- Hosts -----------------------------------------------------------------------

www.007guard.com
007guard.com
008i.com
www.008k.com
008k.com
www.00hq.com
00hq.com
010402.com
www.032439.com
032439.com

10075 more entries in hosts file.

-- End of Deckard's System Scanner: finished at 2009-02-12 19:58:34 ------------
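An added triage aid, not part of the original thread and not a tool the forum or the poster used: a small parser for the HijackThis-format O4 (autostart), O16 (downloaded ActiveX) and O23 (service) lines of a log like the one above. It pulls the executable path or download URL out of each line and flags the cases a reviewer looks for first: binaries living in user-writable profile or temp directories, loose executables in the %WINDIR% root, services with no recognised publisher or a missing file, and ActiveX controls sourced from local or removable media (file://). The sample input is constructed: most lines are copied from the log above, while the `updater` Run entry and the `Helper Service` entry are hypothetical and were added only to exercise the checks; the directory heuristics are my own assumptions about where autostart binaries belong on an XP box.

```python
import re
from typing import List, NamedTuple, Optional


class Finding(NamedTuple):
    kind: str    # HijackThis section: O4, O16 or O23
    name: str    # Run value name, service name or control name
    target: str  # executable path or download URL
    reason: str  # why the entry was flagged


# Assumption: on an XP box, autostart binaries normally live under one of these.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\windows\\system32\\")

# Directory fragments that indicate a user-writable location (droppers land here).
USER_WRITABLE_MARKERS = (
    "\\temp\\", "\\local settings\\", "\\application data\\",
    "\\my documents\\", "\\documents and settings\\",
)

_EXT = r"\.(?:exe|dll|cpl|scr|com|bat|cmd|vbs|js|pif)"
_QUOTED = re.compile(r'^"([^"]+)"')
_UNQUOTED = re.compile(r"^(.+?" + _EXT + r")(?=\s|$)", re.IGNORECASE)

# O4 - <hive>\..\Run: [<name>] <command>
_O4 = re.compile(r"^O4 - (.+?)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
# O23 - Service: <name> - <owner> - <command>
_O23 = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")
# O16 - DPF: {CLSID} (<name>) - <url>
_O16 = re.compile(r"^O16 - DPF: (\{[^}]+\}) \((.*?)\) - (\S+)$")


def extract_path(command: str) -> Optional[str]:
    """Return the executable path from a HijackThis command string.
    Quoted paths are taken verbatim; unquoted ones (which may contain spaces
    and trailing switches such as '/Start') are cut at the first known extension."""
    command = command.strip()
    m = _QUOTED.match(command)
    if m:
        return m.group(1)
    m = _UNQUOTED.match(command)
    return m.group(1) if m else None


def assess_path(path: str) -> Optional[str]:
    """Heuristic location check; returns a reason string or None if unremarkable."""
    p = path.lower()
    if "\\" not in p:
        return "bare filename, resolved through PATH (low severity)"
    if any(marker in p for marker in USER_WRITABLE_MARKERS):
        return "runs from a user-writable profile/temp directory"
    if p.startswith("c:\\windows\\") and p.count("\\") == 2:
        return "loose executable in %WINDIR% root (verify publisher/hash)"
    if not p.startswith(TRUSTED_PREFIXES):
        return "outside Program Files / system32"
    return None


def triage(log_text: str) -> List[Finding]:
    """Scan O4/O16/O23 lines and return the entries worth a second look."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        m = _O4.match(line)
        if m:
            _hive, _key, name, command = m.groups()
            path = extract_path(command)
            reason = assess_path(path) if path else "could not parse command"
            if reason:
                findings.append(Finding("O4", name, path or command, reason))
            continue
        m = _O23.match(line)
        if m:
            name, owner, command = m.groups()
            path = extract_path(command)
            reasons = []
            if owner.lower() == "unknown owner":
                reasons.append("service binary has no recognised publisher")
            if "(file missing)" in command.lower():
                reasons.append("service points at a missing file")
            loc = assess_path(path) if path else None
            if loc:
                reasons.append(loc)
            if reasons:
                findings.append(Finding("O23", name, path or command, "; ".join(reasons)))
            continue
        m = _O16.match(line)
        if m:
            clsid, name, url = m.groups()
            scheme = url.split(":", 1)[0].lower()
            if scheme == "file":
                findings.append(Finding("O16", name or clsid, url,
                                        "ActiveX control loaded from local/removable media"))
            elif scheme not in ("http", "https"):
                findings.append(Finding("O16", name or clsid, url,
                                        "unexpected download scheme " + scheme))
    return findings


# Constructed sample. Lines 1-4, 6-8 are copied from the posted log; the
# 'updater' Run entry and the 'Helper Service' entry are HYPOTHETICAL and
# exist only to exercise the user-writable-directory and unknown-owner checks.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\update.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30A3CCA5-F34C-4E87-BB57-5A2F2C935E14} (AMI DicomDir TreeView Control 2.0) - file://D:\cdviewer\CdViewer.cab
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
O23 - Service: Helper Service (helpersvc) - Unknown owner - C:\Documents and Settings\All Users\Application Data\TEMP\helper.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind} {f.name!r}: {f.reason}\n    -> {f.target}")
```

The flags are prompts for verification, not verdicts: a loose executable in C:\WINDOWS or a bare `Narrator.exe` RunOnce value is often a legitimate vendor or Windows default, and the right next step is to check the file's publisher signature and hash rather than delete it. Note too what a log like this cannot tell you: even a clean autostart list says nothing about credentials that may already have been captured, so where a keylogger was possible the only reliable response is to change the affected passwords from a machine you trust.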

#2 ozeannie

Posted 16 February 2009 - 07:05 AM

Couldn't see anywhere to mark solved, but I am closing this post, thanks. I respect the work of the volunteers however my mother wanted to just get it fixed, so we had someone look at it. It would have been difficult to apply the normal scans etc that are done on these forums without direct access to the machine.

#3 KoanYorel


Posted 18 February 2009 - 06:34 PM

Thanks for informing us.

This Topic is closed.

Should you need it reopened, please contact a Forum Moderator. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.

