
HJT - Richard Steele


  • This topic is locked
4 replies to this topic

#1 richard_01

richard_01

  • Members
  • 3 posts
  • OFFLINE
  • Local time:08:52 PM

Posted 02 September 2004 - 07:43 PM

Logfile of HijackThis v1.98.2
Scan saved at 01:32:41, on 03/09/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\mfsyncsv.exe
C:\Program Files\PS Tray Factory\PSTrayFactory.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\mrfshl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\Program Files\AlfaClock\AlfaClock.exe
C:\Utils\DESKMENU.EXE
C:\Program Files\FreeWheel\FreeWheel.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\ZoneLabs\isafe.exe
C:\WINDOWS\system32\fxsclnt.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\fxsclnt.exe
C:\TURNPIKE304\Connect.exe
C:\TURNPI~1\Turnctrl.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.squeaky.demon.co.uk/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Richard's web wanderer
O4 - HKLM\..\Run: [PinnacleDriverCheck] "C:\WINDOWS\System32\PSDrvCheck.exe"
O4 - HKLM\..\Run: [SoundMan] "SOUNDMAN.EXE"
O4 - HKLM\..\Run: [MirrorFolderShell] "C:\WINDOWS\System32\mrfshl.exe"
O4 - HKLM\..\Run: [TrayFactory] "C:\Program Files\PS Tray Factory\PSTrayFactory.EXE /silent"
O4 - HKLM\..\RunOnce: [TrayFactory] C:\Program Files\PS Tray Factory\PSTrayFactory.EXE /start
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [C:\Documents and Settings\Richard\Desktop\Comms\Ad-Watch SE Plus.lnk] "C:\Documents and Settings\Richard\Desktop\Comms\Ad-Watch SE Plus.lnk"
O4 - HKCU\..\Run: [C:\Documents and Settings\Richard\Desktop\Comms\Spyware Blaster.lnk] "C:\Documents and Settings\Richard\Desktop\Comms\Spyware Blaster.lnk"
O4 - HKCU\..\Run: [C:\Documents and Settings\Richard\Desktop\Comms\zonealarm.lnk] "C:\Documents and Settings\Richard\Desktop\Comms\zonealarm.lnk"
O4 - HKCU\..\Run: [C:\Documents and Settings\Richard\Desktop\Apps\AlfaClock.lnk] "C:\Documents and Settings\Richard\Desktop\Apps\AlfaClock.lnk"
O4 - Startup: DESKMENU.EXE.lnk = C:\Utils\DESKMENU.EXE
O4 - Startup: FreeWheel.lnk = C:\Program Files\FreeWheel\FreeWheel.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: MS-KB - {8b2d996f-b7d1-4961-a929-414d9cf5ba7b} - http://support.microsoft.com/default.aspx?...H;EN-US;KBHOWTO (file missing)
O9 - Extra 'Tools' menuitem: MS-KB - {8b2d996f-b7d1-4961-a929-414d9cf5ba7b} - http://support.microsoft.com/default.aspx?...H;EN-US;KBHOWTO (file missing)
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{96D8A85E-7F0F-42CE-BFAA-D56F91AEEA3B}: NameServer = 158.152.1.43 158.152.1.58



#2 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  • Gender:Male
  • Location:Centerville, SD
  • Local time:07:52 PM

Posted 02 September 2004 - 10:04 PM

Hello. Are you having any problems in particular?

#3 richard_01

richard_01
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:08:52 PM

Posted 06 September 2004 - 11:18 AM

No problems that I'm aware of, but HijackThis cites the (17) item. Clearing it doesn't work; it's back after the next boot. I finally found "whois" and ran the IP addresses through that.

These addresses show up as Demon Internet, which *is* my ISP.

So I've asked them to explain themselves, assuming, of course, that the whois is right.

Thanks.

#4 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  • Gender:Male
  • Location:Centerville, SD
  • Local time:07:52 PM

Posted 06 September 2004 - 07:34 PM

Your ISP often shows up as an 017 entry, and is perfectly normal. If you look through some of the other logs, you will see that in almost all of them, there will be an 017 entry that correlates to their respective ISP.

Grinler has put together a nice HJT tutorial that can be found here:
http://www.bleepingcomputer.com/forums/ind...showtutorial=42

#5 richard_01

richard_01
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:08:52 PM

Posted 07 September 2004 - 04:47 AM

Thanks, I'll go look right now.

Sorry to trouble you.


Rgds.


Richard



