
HJT--nancylouisehite


  • This topic is locked
10 replies to this topic

#1 noonytunes

  • Members
  • 660 posts
  • Gender:Female
  • Location:Alcalde, New Mexico

Posted 10 September 2004 - 07:57 PM

:flowers: My first post concerning IE hijack was 8-19-04 (IE has been hijacked). I posted in Internet Applications on 9-7-04 concerning a problem I've had since I got that problem rectified. Grinler said to post a new hijackthis log, so here it is:

Logfile of HijackThis v1.98.2
Scan saved at 6:45:38 PM, on 9/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\progra~1\scansoft\paperp~1\pptd40nt.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Real\RealOne Player\RealPlay.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie6.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/yie6/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/yie6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/yie6/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/yie6/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/yie6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/yie6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;;<local>
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll (file missing)
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealOne Player\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: PalNetaware.lnk = C:\Program Files\Paltalk\pnetaware.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

By the way, I ran McAfee virus scan last night. There were no infected files. I ran ad-aware today--it removed 4 things. I ran spybot search and destroy. The usual DSO exploit came up and was removed. (It always comes back though.)
I hope this isn't TOO MUCH INFORMATION.

Thanks muchly, nancylouisehite
:thumbsup:
noonytunes


#2 Grinler

    Lawrence Abrams

  • Admin
  • 43,614 posts
  • Gender:Male
  • Location:USA

Posted 11 September 2004 - 12:43 AM

Other than being a little hard to read, the log looks fine.

Try this:

Please run two online virus scans:

http://housecall.antivirus.com/
http://www.pandasoftware.com/activescan/

Then let us know if it's working better and what the scans found.
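A small triage script in the spirit of Grinler's read of the log, added here as an illustration and not part of the thread or of HijackThis itself: it parses lines in the format of the v1.98.2 log above, flags R0/R1 entries whose URL domain falls outside an allowlist the reviewer chooses (here yahoo.com and comcast.net, the two domains the posted log actually uses), lists every O2 BHO, and points out O3/O9 entries marked (file missing). The sample log is a constructed excerpt of the posted one plus one made-up R1 line (search.example.test) so that the domain check has something to fire on.

```python
import re
from collections import defaultdict

# Constructed excerpt in the format of the HijackThis v1.98.2 log above; the
# search.example.test line is made up to exercise the unexpected-domain check.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = http://www.yahoo.com/search/ie6.html
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://search.example.test/
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.comcast.net/
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/yie6/*http://www.yahoo.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\\Program Files\\MSN Toolbar\\01.01.1629.0\\en-us\\msntb.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\\Program Files\\Messenger\\msmsgs.exe
"""

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://([^/\s*]+)")
# Allowlist the reviewer chooses for this machine (the two domains its log
# uses); this is the reviewer's judgement, not a HijackThis feature.
EXPECTED_DOMAINS = {"yahoo.com", "comcast.net"}

def parse(log_text):
    """Map each HJT section code (R0, R1, O2, ...) to the list of its entry bodies."""
    entries = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries[m["section"]].append(m["body"])
    return entries

def base_domain(host):
    """Last two labels of a hostname; adequate for the .com/.net hosts in this log."""
    return ".".join(host.lower().split(".")[-2:])

def review(log_text):
    """Triage: R0/R1 URLs outside the allowlist, every O2 BHO, dangling O3/O9 items."""
    entries = parse(log_text)
    findings = []
    for section in ("R0", "R1"):
        for body in entries[section]:
            for host in URL_RE.findall(body):  # a '*' may join two URLs, as in the log
                if base_domain(host) not in EXPECTED_DOMAINS:
                    findings.append((section, "unexpected domain " + host))
    for body in entries["O2"]:
        findings.append(("O2", "BHO loaded: " + body.split(" - ")[-1]))
    for section in ("O3", "O9"):
        for body in entries[section]:
            if body.endswith("(file missing)"):
                findings.append((section, "dangling entry: " + body.split(" - ")[0]))
    return findings
```

Run against the constructed sample, review() reports only the made-up search page domain, the Spybot SDHelper BHO and the missing MSN Toolbar DLL, which matches the thread's verdict that the real log is clean apart from leftovers.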

#3 noonytunes
  • Topic Starter

  • Members
  • 660 posts
  • Gender:Female
  • Location:Alcalde, New Mexico

Posted 11 September 2004 - 09:47 AM

:flowers: I hate to appear stupid, but I am having difficulty with the housecall virus scan you recommended. It seems that I got it downloaded, but I don't know how to run it. Is it just McAfee? I am thoroughly confused. Any special internet options for this? I wanted to get this one taken care of before I run panda. Maybe I am not downloading into appropriate location...I've tried twice. Sorry, but I'm not real sharp this morning.
nancylouisehite :thumbsup:
noonytunes

#4 Grinler

    Lawrence Abrams

  • Admin
  • 43,614 posts
  • Gender:Male
  • Location:USA

Posted 11 September 2004 - 12:01 PM

You should have just clicked on the link at housecall that states "Scan now, it's free."

http://housecall.trendmicro.com/housecall/start_corp.asp

#5 noonytunes
  • Topic Starter

  • Members
  • 660 posts
  • Gender:Female
  • Location:Alcalde, New Mexico

Posted 11 September 2004 - 12:59 PM

:trumpet: Well, what happened was...I was trying to access that through Mozilla Firefox browser, and I couldn't. So, I went to it through IE and successfully scanned. No infected files were found. I did the panda too. No infected files were found. I didn't get a log from Housecall. No infected files were found by panda. It says "11 messages". I don't see any way to access them and don't know what that means. :flowers: Thanks for your help though. If I don't have any infected files, then what could be preventing me from getting logged onto .NET through IE. :thumbsup: nancylouisehite
noonytunes

#6 Grinler

    Lawrence Abrams

  • Admin
  • 43,614 posts
  • Gender:Male
  • Location:USA

Posted 11 September 2004 - 01:13 PM

I am not really sure...to be honest. Have you contacted Microsoft about this?

#7 noonytunes
  • Topic Starter

  • Members
  • 660 posts
  • Gender:Female
  • Location:Alcalde, New Mexico

Posted 11 September 2004 - 04:46 PM

:thumbsup: Yes! I contacted Microsoft, I contacted the .NET people. Nobody has been able to help me. The .NET people sent me instructions concerning internet options. Nothing changed. Microsoft sent me some instructions. It came to a grinding halt when they told me to insert the cd for svc pk 2--which I downloaded online. They told me to download IE over again, which I did--but it didn't change anything. Still can't get logged onto .NET. They stopped answering me after that. Oh! By the way--this problem existed before I downloaded svc pk 2. And, as I mentioned before, I didn't have it until I had help here dealing with the IE hijack. I don't blame you though, because it's more likely that I did something wrong. Thanks again. :flowers: nancylouisehite
noonytunes

#8 noonytunes
  • Topic Starter

  • Members
  • 660 posts
  • Gender:Female
  • Location:Alcalde, New Mexico

Posted 12 September 2004 - 01:23 AM

:thumbsup: This may be relevant--I have a Hewlett Packard computer and I downloaded svc pk 2 before checking HP for issues. They had issues with svc pk 1. I assumed that they would have resolved any before 2 came out. You know what they say about ass-u-me. I have more stuff to do on this matter--have my work cut out for me. No fun on the puter today. :trumpet: Perhaps this is TMI, but on the HP site it recommended Spy Subtract. I'm going to post an attachment of what I got from that scan. :cool: If anything comes to mind about all of this, please share. I'll be working on things. I hate to uninstall svc pk 2--it took soooo long to install. :inlove: Thanks again. I am grateful for people like you that donate your time to help. nancylouisehite :flowers:

noonytunes

#9 Grinler

    Lawrence Abrams

  • Admin
  • 43,614 posts
  • Gender:Male
  • Location:USA

Posted 12 September 2004 - 02:05 PM

Can you log onto the .NET stuff with firefox?

#10 noonytunes
  • Topic Starter

  • Members
  • 660 posts
  • Gender:Female
  • Location:Alcalde, New Mexico

Posted 12 September 2004 - 02:51 PM

Yes, I can access msn e-mail and groups through Mozilla Firefox. It is limited, however. If I post on an msn group message board, I don't have any choices with font and can't use emoticons. There are quite a few things that I feel I need Internet Explorer and the .NET access for. I'm real hooked on one of the games at zone.com (msn), and I can't access that through Mozilla Firefox. I haven't gone over all of the things on the Hewlett Packard website yet, today, concerning the svc pk 2. One thing about Mozilla Firefox, it is good if you are really doing some surfing. :thumbsup: nancylouisehite
noonytunes

#11 phawgg

    Learning Daily

  • Members
  • 4,543 posts
  • Location:Washington State, USA

Posted 12 September 2004 - 04:26 PM

Quoting noonytunes: "One thing about Mozilla Firefox, it is good if you are really doing some surfing. nancylouisehite"

That's a fact. Be sure and read Raw's post about pipelining:
pipelining Firefox

and if you like to tinker with those settings;
about config

I wish I could be of more help with the .Net questions, though. :thumbsup: It threw me a curve when I was able to update to .Net Frameworks 1.1 at Windows Updates when I didn't have .Net 1.0 installed at the time... requiring a second download of the update that WU detected later. Installing/uninstalling Windows components can be, ahh... unusually challenging at times. :flowers:
patiently patrolling, plenty of persistent pests n' problems ...



