
hijackthis help needed


  • This topic is locked
10 replies to this topic

#1 torpedo

torpedo

  • Members
  • 10 posts
  • OFFLINE
  • Local time:04:46 AM

Posted 18 August 2004 - 12:41 AM

Could an experienced member please help me review this log file. Thank you so much for your help.


Logfile of HijackThis v1.98.2
Scan saved at 2:36:03 PM, on 8/18/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\OFFICESCAN 95\PCCWIN97.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\OFFICESCAN 95\OFCDOG.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\S3MON.EXE
C:\PROGRAM FILES\BROWSER MOUSE\BROWSER MOUSE\1.0\LWBWHEEL.EXE
C:\WINDOWS\TPPALDR.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\NETSWITCHER FOR WINDOWS\NETSWTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\MY DOCUMENTS\JOHNNY'S STUFF\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\PBOGOAA.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\PBOGOAA.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\PBOGOAA.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\PBOGOAA.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\PBOGOAA.DLL/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\PBOGOAA.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O1 - Hosts: 156.147.188.197 gwkumi01/lgphilips gwkumi01
O1 - Hosts: 156.147.188.198 gwkumi02/lgphilips gwkumi02
O1 - Hosts: 156.147.188.199 gwkumi03/lgphilips gwkumi03
O1 - Hosts: 156.147.188.200 gwkumi04/lgphilips gwkumi04
O1 - Hosts: 150.150.12.12 gwanyang01/lgphilips gwanyang01
O1 - Hosts: 130.147.44.37 seo001m seo001m/m/server/philips
O1 - Hosts: 130.147.44.38 seo002m seo002m/m/server/philips
O2 - BHO: (no name) - {63B749C1-B8D9-11D8-9D8D-00094817F20F} - C:\WINDOWS\SYSTEM\PBOGOAA.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [OfficeScan95] "C:\PROGRAM FILES\OFFICESCAN 95\pccwin97.exe" -HideWindow
O4 - HKLM\..\Run: [S3Mon] S3Mon.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [Services] C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\WBF2U3NO\WEBCAM[1].EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [OfficeScan95] "C:\PROGRAM FILES\OFFICESCAN 95\Pccwin97.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKCU\..\Run: [NetSwitcher Tray Application] C:\PROGRA~1\NETSWI~1\NETSWT~1.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = lgphilips-lcd.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = diamond.philips.com
O18 - Filter: text/html - {3BA18324-BF27-11D8-9D8D-0009733DBE50} - C:\WINDOWS\SYSTEM\PBOGOAA.DLL
O18 - Filter: text/plain - {3BA18324-BF27-11D8-9D8D-0009733DBE50} - C:\WINDOWS\SYSTEM\PBOGOAA.DLL


#2 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  • Gender:Male
  • Location:Centerville, SD
  • Local time:03:46 AM

Posted 18 August 2004 - 09:18 AM

Hi torpedo,

Please do the following:

Download the program FindNFix from the following location:

http://www10.brinkster.com/expl0iter/freeatlast/FNF/

Once it is downloaded, double-click on the file to run it. Follow the prompts to install the program. Once it is installed a window will open up showing the installation directory and a bunch of files in the right section of the window.

On the right portion of the window look for the file called !LOG!.bat and double-click on it. It will scan through your computer for a while, so be patient. When it is completed it will automatically open a notepad window called Log.txt.

Copy the contents of that file into a reply to this post.

#3 torpedo

torpedo
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:04:46 AM

Posted 19 August 2004 - 01:15 AM

Hey Groovicus,

I followed the link to findnfix but my computer has windows 98. The website says that the program is only compatible with windows 2k and windows XP. I haven't run the program yet because I'm worried it might do more harm. Please tell me what I should do.

Thank you so much in advance

Edited by torpedo, 19 August 2004 - 01:55 AM.


#4 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  • Gender:Male
  • Location:Centerville, SD
  • Local time:03:46 AM

Posted 19 August 2004 - 02:06 AM

lol..there I go, being a dork again :thumbsup:

Let's try this instead:

Please follow these steps:

Step 1:

1. Click on Start, then Run and type msinfo32 and press the OK button.
2. Expand the Software Environment section.
3. Expand the System Hooks Section.
4. Look for the .dll, which may be listed as:

-Hook type: Window Procedure
-Hooked by: XXXXX.dll
-Application: RUNDLL32.EXE
-Dll path: C:\WINDOWS\SYSTEM\XXXXX.dll
-Application path: C:\WINDOWS\RUNDLL32.EXE

Where XXXXX.dll is the file name.

If you find that file, highlight it with your mouse and click on edit then copy to copy the filename.

Then post that filename with the information in the next step in a reply to this post.

5. Continue to Step 2.

Step 2:

1. Download: "StartDreck" from:

http://www.niksoft.at/download/startdreck.htm

2. Extract the file into c:\startdreck.

3. Navigate to c:\startdreck and double-click on Startdreck.exe

4. When the program opens click on the Config button.

5. Then click on the unmark all button.

6. Then put checkmarks in the following checkboxes:

Under Registry put a checkmark in the Run Keys checkbox.

Under System/Drivers put a check in the Running Process checkbox.

7. Press the OK button.

8. Press the Save button. Type in the location you want to save the log to, or use the defaults which will save the log into the directory you are running the program from. If you choose the defaults the filename for the log will be StartDreck.log.

9. Post a copy of the log as a reply to this post.



#5 torpedo

torpedo
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:04:46 AM

Posted 19 August 2004 - 10:00 AM

mousedll.dll

Herewith is the log file.

Thank you

Attached Files


Edited by torpedo, 19 August 2004 - 10:02 AM.


#6 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  • Gender:Male
  • Location:Centerville, SD
  • Local time:03:46 AM

Posted 19 August 2004 - 10:53 AM

Ok, you can delete those tools now. mousedll.dll is a valid file.


You have a CWS infection.

Please download the CWShredder.


**********************************************************************


Put a checkmark next to the following entries in HijackThis. Make sure all other windows and browsers are closed before clicking on “Fix Checked”.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\PBOGOAA.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\PBOGOAA.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\PBOGOAA.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\PBOGOAA.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\PBOGOAA.DLL/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\PBOGOAA.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O18 - Filter: text/html - {3BA18324-BF27-11D8-9D8D-0009733DBE50} - C:\WINDOWS\SYSTEM\PBOGOAA.DLL
O18 - Filter: text/plain - {3BA18324-BF27-11D8-9D8D-0009733DBE50} - C:\WINDOWS\SYSTEM\PBOGOAA.DLL

***********************************************************************

Boot into SAFE MODE by tapping the f8 key during boot up.

Run the shredder, and let it fix everything it finds.

Run Adaware again, while still in safe mode.

***********************************************************************

Reboot and post a new log, and let me know how things are working. :D
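The fix list above singles out every entry that points at the same DLL as the hijacked search settings (the res:// URLs, the O18 filters) plus the about:blank HomeOldSP entries. The following is an added example, not code from this thread or from HijackThis: a small Python parser for HJT-style log lines that applies that same correlation automatically. The sample log is constructed here, modelled on the first log in the thread, and the flagging rules (a file referenced from a res:// search setting is treated as a hijack DLL, every other entry referencing it is flagged, an R entry set to about:blank is flagged for review) are this example's own heuristics, not HijackThis features.

```python
"""Correlate HijackThis log entries by the file they reference.

Added example (not from the thread or from HijackThis itself): parses
HJT-style lines and flags every entry that points at a DLL which has
also been planted into an Internet Explorer search/start-page setting
via a res:// URL, plus R entries whose value is about:blank.
The rules below are this example's own heuristics.
"""
import re

# Matches "R1 - HKCU\...", "O2 - BHO: ...", "O18 - Filter: ..." and so on.
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# A res:// URL embeds a file path before the first '/' after the scheme.
RES_RE = re.compile(r"res://([^/]+)/", re.IGNORECASE)

# Constructed sample, modelled on the Windows 98 log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\PBOGOAA.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\PBOGOAA.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\PBOGOAA.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\PBOGOAA.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\PBOGOAA.DLL/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\PBOGOAA.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {63B749C1-B8D9-11D8-9D8D-00094817F20F} - C:\WINDOWS\SYSTEM\PBOGOAA.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O18 - Filter: text/html - {3BA18324-BF27-11D8-9D8D-0009733DBE50} - C:\WINDOWS\SYSTEM\PBOGOAA.DLL
O18 - Filter: text/plain - {3BA18324-BF27-11D8-9D8D-0009733DBE50} - C:\WINDOWS\SYSTEM\PBOGOAA.DLL
"""


def parse_line(line):
    """Return (section, body) for a HijackThis entry line, or None for any other line."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def referenced_file(section, body):
    """Extract the file an entry refers to, lower-cased for comparison; None if unknown."""
    if section.startswith("R"):
        m = RES_RE.search(body)
        return m.group(1).lower() if m else None
    if section in ("O2", "O3", "O9", "O18"):
        # These sections end in " - <path>", optionally followed by "(file missing)".
        path = body.rsplit(" - ", 1)[-1]
        return path.replace("(file missing)", "").strip().lower()
    return None


def flag_entries(log_text):
    """Return (hijack_files, flagged_lines).

    hijack_files: file paths that a res:// search/start-page setting points at.
    flagged_lines: every entry referencing one of those files, plus R entries
    whose value is about:blank (kept for review, as in the fix list above).
    """
    entries = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, body = parsed
        entries.append((section, body, referenced_file(section, body), raw.strip()))

    hijack_files = {f for s, _, f, _ in entries if s.startswith("R") and f}
    flagged = []
    for section, body, path, raw in entries:
        if path is not None and path in hijack_files:
            flagged.append(raw)
        elif section.startswith("R") and body.rstrip().endswith("= about:blank"):
            flagged.append(raw)
    return hijack_files, flagged


if __name__ == "__main__":
    files, lines = flag_entries(SAMPLE_LOG)
    print("hijack DLL(s):", ", ".join(sorted(files)))
    for entry in lines:
        print("FLAG", entry)
```

On the constructed sample the single hijack DLL is `c:\windows\system\pbogoaa.dll`, and the eleven flagged lines are the eight R entries, the unnamed O2 BHO and both O18 filters; the Google toolbar, the Radio toolbar and the ScanRegistry autostart are left alone. Correlating by referenced file is what lets a reviewer catch the BHO and filter lines that the browser-setting lines alone would not reveal.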

#7 torpedo

torpedo
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:04:46 AM

Posted 20 August 2004 - 12:41 AM

Hey Groovicus,

Everything works fine now. The home page of my browser doesn't get reset anymore.

Could you please review this log file? It's from my desktop pc. My browser home page doesn't get reset on this pc but I have had pop-ups come up every once in a while.

Thank you once again!


Logfile of HijackThis v1.97.7
Scan saved at 2:35:33 PM, on 8/20/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Ahnlab\Smart Update Utility\Ahnsdsv.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\OfficeScan NT\ntrtscan.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\System32\r_server.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\OfficeScan NT\tmlisten.exe
C:\Program Files\ViRobotXP\vrmonsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\wupdater.exe
C:\OfficeScan NT\ofcdog.exe
C:\Program Files\ViRobotXP\vrmonnt.exe
C:\WINNT\system32\devldr32.exe
C:\OfficeScan NT\pccntmon.exe
C:\OfficeScan NT\RAUAgent.exe
E:\Daemon Tools\daemon.exe
C:\Program files\koreandoumi1.0\netpia.exe
C:\Program Files\Ahnlab\Smart Update Utility\AhnSD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
E:\quicktime\qttask.exe
C:\program files\mngbcnt\mngbcnt.exe
C:\WINNT\system32\RUNDLL32.EXE
D:\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
E:\Johnny's stuff\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?id=2
F1 - win.ini: load=C:\WINNT\system32\com1\dragoon\ss.bat
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {09F93072-DE5E-4B5A-B347-F80FD7CB7309} - C:\WINNT\system32\webmailHook20040812.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [RemoteAgent] C:\OfficeScan NT\RAUAgent.exe
O4 - HKLM\..\Run: [WLNNPREEUE] C:\WINNT\System32\SMSCONFIG.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "E:\Daemon Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Tau Monitor] G:\TAUSCA~1.6\taumon.exe
O4 - HKLM\..\Run: [contime] C:\winnt\system32\contime.exe
O4 - HKLM\..\Run: [Norton Live Updater] sochost.exe
O4 - HKLM\..\Run: [NetpiaLite] c:\Program files\koreandoumi1.0\netpia.exe
O4 - HKLM\..\Run: [AHNSD] "C:\Program Files\Ahnlab\Smart Update Utility\AhnSD.exe"
O4 - HKLM\..\Run: [Vrmon] C:\Program Files\ViRobotXP\vrmonnt.exe Main
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [QuickTime Task] "E:\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dsi] C:\WINNT\system32\dp-him.exe
O4 - HKLM\..\Run: [AdvList] c:\program files\mngbcnt\mngbcnt.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] D:\iTunes\iTunesHelper.exe
O4 - HKLM\..\RunServices: [mssysint] IEXPLORE .EXE
O4 - HKLM\..\RunServices: [Norton Live Updater] sochost.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: KT ADSL.lnk = C:\Program Files\NTS\KT ADSL\app\EnterNetFolder.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab
O16 - DPF: {2B3CC8B1-EC8B-4BFE-B9ED-3460E383292E} (NetpiaPIOCX Control) - http://plugin.netpia.com/oneclick/webmail/NetpiaPIOCX1.ocx
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {3EFC2239-B769-469F-A5E6-38693AE0B9DE} (Sysinfo2 Control) - http://speed.nca.or.kr/login/sysinfo2.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/2003...iTunesSetup.exe
O16 - DPF: {43B464D9-7BAC-4110-81AF-90EA8502B97D} (NetpiaPIOCX Control) - http://plugin.netpia.com/oneclick/webmail/NetpiaPIOCX.ocx
O16 - DPF: {4BE7DD52-858D-46B4-84B9-345DFDB554F8} (GraphicCtrl Class) - http://speed.kornet.net/sw5/SpeedTest/KTSpeedCtrl.cab
O16 - DPF: {5AD4C70C-2F35-4263-9611-5654E2219861} (DinterApp Control) - http://ad.dinter.co.kr/adv/DinterApp.cab
O16 - DPF: {5CA5E00D-80A8-475A-BF08-816FD56DBC38} (KTCtrl Class) - http://speed.kornet.net/sw5/qtest/cab/KTSpeedNewCtrl.cab
O16 - DPF: {66B30EA0-C033-4D4B-9F90-EA0AF07363AF} (BugsMediaPlayer Control) - http://so.bugs.co.kr/BugsOggPlay_9.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {C193DE20-29F4-4B4F-963B-EB20CB3186C0} (SpeedTest Control) - http://speed.nca.or.kr/speedtest/SpeedTest.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CF362BDB-4EA2-11D5-AB47-000102913414} (SetGlb Control) - http://so.bugs.co.kr/SetGlb.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {D5FC2094-4B01-4F6C-A07C-E247C9442E5A} (AvatarWeb Control) - http://www.msnplus.co.kr/download/activex/AvatarWeb.cab

Edited by torpedo, 20 August 2004 - 12:46 AM.


#8 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  • Gender:Male
  • Location:Centerville, SD
  • Local time:03:46 AM

Posted 20 August 2004 - 11:57 AM

If you don't mind, let's see a final log from that first system.

I need you to use the updated version of HJT on that second system. :thumbsup:

#9 torpedo

torpedo
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:04:46 AM

Posted 21 August 2004 - 01:27 AM

first system:

Logfile of HijackThis v1.98.2
Scan saved at 3:24:56 PM, on 8/21/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\OFFICESCAN 95\PCCWIN97.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\OFFICESCAN 95\OFCDOG.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\S3MON.EXE
C:\PROGRAM FILES\BROWSER MOUSE\BROWSER MOUSE\1.0\LWBWHEEL.EXE
C:\WINDOWS\TPPALDR.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\NETSWITCHER FOR WINDOWS\NETSWTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\MY DOCUMENTS\JOHNNY'S STUFF\HIJACKTHIS\HIJACKTHIS.EXE

O1 - Hosts: 156.147.188.197 gwkumi01/lgphilips gwkumi01
O1 - Hosts: 156.147.188.198 gwkumi02/lgphilips gwkumi02
O1 - Hosts: 156.147.188.199 gwkumi03/lgphilips gwkumi03
O1 - Hosts: 156.147.188.200 gwkumi04/lgphilips gwkumi04
O1 - Hosts: 150.150.12.12 gwanyang01/lgphilips gwanyang01
O1 - Hosts: 130.147.44.37 seo001m seo001m/m/server/philips
O1 - Hosts: 130.147.44.38 seo002m seo002m/m/server/philips
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [OfficeScan95] "C:\PROGRAM FILES\OFFICESCAN 95\pccwin97.exe" -HideWindow
O4 - HKLM\..\Run: [S3Mon] S3Mon.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [Services] C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\WBF2U3NO\WEBCAM[1].EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [OfficeScan95] "C:\PROGRAM FILES\OFFICESCAN 95\Pccwin97.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKCU\..\Run: [NetSwitcher Tray Application] C:\PROGRA~1\NETSWI~1\NETSWT~1.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = lgphilips-lcd.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = diamond.philips.com



second system:

Logfile of HijackThis v1.98.2
Scan saved at 3:30:30 PM, on 8/21/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Ahnlab\Smart Update Utility\Ahnsdsv.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\OfficeScan NT\ntrtscan.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\System32\r_server.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\OfficeScan NT\tmlisten.exe
C:\Program Files\ViRobotXP\vrmonsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\wupdater.exe
C:\OfficeScan NT\ofcdog.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\devldr32.exe
C:\OfficeScan NT\pccntmon.exe
C:\OfficeScan NT\RAUAgent.exe
E:\Daemon Tools\daemon.exe
C:\Program files\koreandoumi1.0\netpia.exe
C:\Program Files\Ahnlab\Smart Update Utility\AhnSD.exe
C:\Program Files\ViRobotXP\vrmonnt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
E:\quicktime\qttask.exe
C:\program files\mngbcnt\mngbcnt.exe
C:\WINNT\system32\RUNDLL32.EXE
D:\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
E:\Johnny's stuff\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?id=2
F3 - REG:win.ini: load=C:\WINNT\system32\com1\dragoon\ss.bat
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BrowserHook Class - {09F93072-DE5E-4B5A-B347-F80FD7CB7309} - C:\WINNT\system32\webmailHook20040812.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [RemoteAgent] C:\OfficeScan NT\RAUAgent.exe
O4 - HKLM\..\Run: [WLNNPREEUE] C:\WINNT\System32\SMSCONFIG.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "E:\Daemon Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Tau Monitor] G:\TAUSCA~1.6\taumon.exe
O4 - HKLM\..\Run: [contime] C:\winnt\system32\contime.exe
O4 - HKLM\..\Run: [Norton Live Updater] sochost.exe
O4 - HKLM\..\Run: [NetpiaLite] c:\Program files\koreandoumi1.0\netpia.exe
O4 - HKLM\..\Run: [AHNSD] "C:\Program Files\Ahnlab\Smart Update Utility\AhnSD.exe"
O4 - HKLM\..\Run: [Vrmon] C:\Program Files\ViRobotXP\vrmonnt.exe Main
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [QuickTime Task] "E:\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dsi] C:\WINNT\system32\dp-him.exe
O4 - HKLM\..\Run: [AdvList] c:\program files\mngbcnt\mngbcnt.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] D:\iTunes\iTunesHelper.exe
O4 - HKLM\..\RunServices: [mssysint] IEXPLORE .EXE
O4 - HKLM\..\RunServices: [Norton Live Updater] sochost.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: KT ADSL.lnk = C:\Program Files\NTS\KT ADSL\app\EnterNetFolder.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab
O16 - DPF: {2B3CC8B1-EC8B-4BFE-B9ED-3460E383292E} (NetpiaPIOCX Control) - http://plugin.netpia.com/oneclick/webmail/NetpiaPIOCX1.ocx
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {3EFC2239-B769-469F-A5E6-38693AE0B9DE} (Sysinfo2 Control) - http://speed.nca.or.kr/login/sysinfo2.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/2003...iTunesSetup.exe
O16 - DPF: {43B464D9-7BAC-4110-81AF-90EA8502B97D} (NetpiaPIOCX Control) - http://plugin.netpia.com/oneclick/webmail/NetpiaPIOCX.ocx
O16 - DPF: {4BE7DD52-858D-46B4-84B9-345DFDB554F8} (GraphicCtrl Class) - http://speed.kornet.net/sw5/SpeedTest/KTSpeedCtrl.cab
O16 - DPF: {5AD4C70C-2F35-4263-9611-5654E2219861} (DinterApp Control) - http://ad.dinter.co.kr/adv/DinterApp.cab
O16 - DPF: {5CA5E00D-80A8-475A-BF08-816FD56DBC38} (KTCtrl Class) - http://speed.kornet.net/sw5/qtest/cab/KTSpeedNewCtrl.cab
O16 - DPF: {66B30EA0-C033-4D4B-9F90-EA0AF07363AF} (BugsMediaPlayer Control) - http://so.bugs.co.kr/BugsOggPlay_9.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {C193DE20-29F4-4B4F-963B-EB20CB3186C0} (SpeedTest Control) - http://speed.nca.or.kr/speedtest/SpeedTest.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CF362BDB-4EA2-11D5-AB47-000102913414} (SetGlb Control) - http://so.bugs.co.kr/SetGlb.cab
O16 - DPF: {D5FC2094-4B01-4F6C-A07C-E247C9442E5A} (AvatarWeb Control) - http://www.msnplus.co.kr/download/activex/AvatarWeb.cab

Edited by torpedo, 21 August 2004 - 01:30 AM.


#10 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  • Gender:Male
  • Location:Centerville, SD
  • Local time:03:46 AM

Posted 21 August 2004 - 10:09 AM

The first log looks fine, but it needs an AV.


Two things in that second log need to go:
O4 - HKLM\..\Run: [Dsi] C:\WINNT\system32\dp-him.exe
O4 - HKLM\..\Run: [AdvList] c:\program files\mngbcnt\mngbcnt.exe

Everything else looks fine.

#11 torpedo

torpedo
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:04:46 AM

Posted 22 August 2004 - 09:52 AM

Thanks a lot!
