
HJT Log - CO Girl


10 replies to this topic

#1 CO Girl

CO Girl

  • Members
  • 20 posts
  • Location:Chicago

Posted 04 November 2004 - 11:50 AM

My first posting (with a little more background info) is on the Windows ME forum here.

Here's my latest and greatest HJT log.

Logfile of HijackThis v1.98.2
Scan saved at 10:09:03 AM, on 11/4/2004
Platform: Windows ME (Win9x 4.90.3000A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\ADAPTEC\GOBACK\GBPOLL.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\BCMDMMSG.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\SK9910DM.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\AIO\HP OFFICEJET 7100 SERIES\BIN\HPOGRP07.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\AIO\SHARED\BIN\HPOEVM07.EXE
C:\WINDOWS\SYSTEM\HPOIPM07.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\AIO\SHARED\BIN\HPOSTS07.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\AIO\SHARED\BIN\HPOFXM07.EXE
C:\PROGRAM FILES\AT&T\WNCLIENT\PROGRAMS\WNCONNECT.EXE
C:\PROGRAM FILES\AT&T\WNCLIENT\PROGRAMS\WNCSMSERVER.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.att.net/ie4/search/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
F1 - win.ini: load=HPLJSW.EXE
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\CCHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\PSTOPPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [OEMRUNONCE] c:\windows\options\cabs\oemrun.exe
O4 - HKLM\..\Run: [BCMDMMSG] BCMDMMSG.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [GoBack Polling Service] C:\Program Files\Adaptec\GoBack\GBPoll.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net


One concern I've had for a long time (that maybe someone can help me with :thumbsup:), is the great number of processes I have running. But I've never been able to identify most of them so I just let them run.

Any help you can give me would be greatly appreciated! :flowers:
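The question in this post, how to make sense of the long list of running processes and autostart entries in the log, is exactly what an HJT log lends itself to when parsed rather than read top to bottom. The following script is an added example, not part of this thread and not HijackThis code: it parses a HijackThis 1.98.x log, counts entries by type, and cross-references each O4 autostart entry with the "Running processes" list so you can see which autostarts are actually alive and which running binaries have no autostart entry at all. The embedded log is a trimmed copy of the one posted above; the function names are my own.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample: a trimmed copy of the HijackThis 1.98.2 log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
Scan saved at 10:09:03 AM, on 11/4/2004
Platform: Windows ME (Win9x 4.90.3000A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.att.net/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [OEMRUNONCE] c:\windows\options\cabs\oemrun.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
"""

VERSION_RE = re.compile(r"^Logfile of HijackThis v([\d.]+)")
ENTRY_RE = re.compile(r"^(?P<type>[A-Z]\d+) - (?P<body>.*)$")
# "HKLM\..\Run: [Name] command" and "HKCU\..\RunServices: [Name] command"
RUN_RE = re.compile(r"^(?P<key>HK\w+\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# "Startup: foo.lnk = command" and "Global Startup: foo.lnk = command"
STARTUP_RE = re.compile(r"^(?P<key>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")
# First executable name in a command line, whether quoted, unquoted with spaces,
# or a rundll32 invocation (where rundll32.exe itself is the executable).
EXE_RE = re.compile(r'([^\\/"\s]+\.(?:exe|com|bat|scr|pif))', re.IGNORECASE)


def command_basename(cmd):
    """Lower-cased executable file name from an autostart command line."""
    m = EXE_RE.search(cmd)
    return m.group(1).lower() if m else cmd.strip().lower()


def parse_hjt_log(text):
    """Split an HJT log into header fields, the running-process list and typed entries."""
    parsed = {"version": None, "platform": None, "processes": [], "entries": []}
    in_processes = False
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        m = VERSION_RE.match(line)
        if m:
            parsed["version"] = m.group(1)
            continue
        if line.startswith("Platform:"):
            parsed["platform"] = line.split(":", 1)[1].strip()
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            parsed["processes"].append(line)
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        entry = {"type": m.group("type"), "raw": line}
        if entry["type"] == "O4":
            body = m.group("body")
            rm = RUN_RE.match(body) or STARTUP_RE.match(body)
            if rm:
                entry.update(key=rm.group("key"), name=rm.group("name"),
                             cmd=rm.group("cmd"), exe=command_basename(rm.group("cmd")))
        parsed["entries"].append(entry)
    return parsed


def count_by_type(parsed):
    return dict(Counter(e["type"] for e in parsed["entries"]))


def running_basenames(parsed):
    return {PureWindowsPath(p).name.lower() for p in parsed["processes"]}


def autostart_report(parsed):
    """For each O4 autostart entry, record whether its executable is currently running.
    Not running usually means disabled, a one-shot installer/task, or already exited."""
    running = running_basenames(parsed)
    return [{"name": e["name"], "exe": e["exe"], "key": e["key"], "running": e["exe"] in running}
            for e in parsed["entries"] if e["type"] == "O4" and "exe" in e]


def processes_without_autostart(parsed):
    """Running binaries with no O4 entry: started by the OS, a service, a driver or the user."""
    autostart_exes = {e["exe"] for e in parsed["entries"] if e.get("exe")}
    return sorted(p for p in parsed["processes"]
                  if PureWindowsPath(p).name.lower() not in autostart_exes)


if __name__ == "__main__":
    parsed = parse_hjt_log(SAMPLE_LOG)
    print("HijackThis", parsed["version"], "on", parsed["platform"])
    print("entries by type:", count_by_type(parsed))
    for row in autostart_report(parsed):
        state = "RUNNING " if row["running"] else "not seen"
        print(f"{state}  {row['exe']:<14} [{row['name']}] via {row['key']}")
    print("running with no O4 entry:", processes_without_autostart(parsed))
```

Run it as-is to see the report for the trimmed log, or replace SAMPLE_LOG with the full log above. Entries that show as "not seen" are the natural candidates for the msconfig pruning suggested later in the thread; binaries that run without any O4 entry are worth identifying by name before touching anything.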


#2 CO Girl

CO Girl
  • Topic Starter

  • Members
  • 20 posts
  • Location:Chicago

Posted 04 November 2004 - 12:28 PM

Found some great links to task definitions in another posting so will be checking those out while I wait for a reply.

#3 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,665 posts
  • Gender:Male
  • Location:USA

Posted 04 November 2004 - 10:44 PM

I do not see anything bad here. If you want to stop some nonessential processes from starting, you can fix these in msconfig:

O4 - HKLM\..\Run: [OEMRUNONCE] c:\windows\options\cabs\oemrun.exe
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

#4 CO Girl

CO Girl
  • Topic Starter

  • Members
  • 20 posts
  • Location:Chicago

Posted 04 November 2004 - 11:33 PM

Okay...thanks so much for looking at the log for me.

Do you happen to have any input on the EDT security scanner? Got all sorts of returns from it (CoolSavings, *.bat, Comet Cursor, bunches of registry entries, etc.). Is HJT considered the end-all scanner for finding malware?

Of course it could be possible that when I lost the EDT program through massive crashes and restores that I also lucked into losing some infections. When I log off I'll disable System Restore to clear the restore points.


I've turned off the processes you suggested, thanks so much for the input. Until today (through your discussion boards) I had no clue what my computer was doing behind my back! :flowers: I also found an entry at answersthatwork.com recommending taskmon be disabled. Any opinion on that?



Just as a reminder to my original posting (on the Win ME forum), I'm still getting a flag on a DSO Exploit from Spybot.

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3E

Even after I choose "fix it" and reboot, it comes up again (along with a ton of usage tracks I haven't tackled yet). Any suggestions? Now that I've got Tea Timer running, I can actually make registry changes without Win ME automatically "fixing" them at startup. Can I remove this DSO exploit manually in regedit?


Thanks so much for your help, Grinler! (I feel like I can't say thank you enough.) I really appreciate it. :thumbsup: You guys run a fantastic site here.

Edited by CO Girl, 05 November 2004 - 09:05 AM.


#5 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,665 posts
  • Gender:Male
  • Location:USA

Posted 05 November 2004 - 10:39 AM

I do not know much about the EDT security scanner unfortunately. It may be a good product, I just do not know :thumbsup:

Btw, download this program:

http://www.majorgeeks.com/download4392.html

to fix the DSO exploit.

#6 CO Girl

CO Girl
  • Topic Starter

  • Members
  • 20 posts
  • Location:Chicago

Posted 05 November 2004 - 12:50 PM

Aha - thanks for the fix! DSO Exploit is gone! :thumbsup:

I've fixed my IE settings as recommended in the tutorials and am installing SpywareBlaster as well.

Is there a way to block those sneaky cookies? I keep getting cookies from sites I don't visit, even with Tea Timer enabled. Can I do this via my IE options?

I'll keep track of this post and if anyone knows about EDT, maybe they'll provide info in the future. It's a little fishy...it returns entries like this (a sampling of the 89 hits I got):

File name: c:\windows\*.bat
CRC verified: no
Description: win32.Swen.A / n/a

Registry Key: HKEY_CLASSES_ROOT\interface\{410f42b7-a61b-4131-bf41-bf05a2635bfd}
CRC verified: n/a
Description: Comet Cursor (Adware) / Comet Cursor is a tool that changes your mouse cursor to match the website visited. Comet Cursor also tracks your visits to web sites that use its cursors…

Registry Key: HKEY_CURRENT_USER\software\netscape\netscape navigator\automation startup
CRC verified: n/a
Description: Hotbar (Adware) / Hotbar is a toolbar that monitors all URLs you visit and adds advertisers' link buttons to its toolbar...

Registry Key: HKEY_CURRENT_USER\software\netscape\netscape navigator\Automation Startup
CRC verified: n/a
Description: iWon (Adware) / n/a

Nothing that can easily be identified, and nothing that other software returns hits on. Also, I know Spybot looks for Comet Cursors. :flowers:

Anyway, thanks again. After spending a few days at this site I feel better educated and protected...couldn't have done it on my own.

Cathy

#7 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,665 posts
  • Gender:Male
  • Location:USA

Posted 05 November 2004 - 01:41 PM

Yeah it does look fishy. This alone does not make sense:

File name: c:\windows\*.bat
CRC verified: no
Description: win32.Swen.A / n/a

As for IE and cookies, in the IE Internet Options you can specify the sites you want to allow/block..just don't block ours or things won't work right :thumbsup:

#8 CO Girl

CO Girl
  • Topic Starter

  • Members
  • 20 posts
  • Location:Chicago

Posted 05 November 2004 - 01:43 PM

..just don't block ours or things won't work right

Never! :thumbsup:

Thanks. I'm still a little confused though on how to block a cookie. The way I understand your help is to go to Tools>Internet Options>Security>Restricted Sites. But, though I know the cookie names, I don't necessarily know the name of the site (without trying to go there).

example: default@ads.vnuemedia[1].txt

Edited by CO Girl, 05 November 2004 - 01:49 PM.


#9 CO Girl

CO Girl
  • Topic Starter

  • Members
  • 20 posts
  • Location:Chicago

Posted 08 November 2004 - 04:08 PM

Is my best bet just to manually delete these cookies?

#10 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,665 posts
  • Gender:Male
  • Location:USA

Posted 08 November 2004 - 04:41 PM

Yeah, there is no way of blocking them without the site.

The one that you mentioned can be blocked by adding this line to your hosts file:

127.0.0.1 ads.vnuemedia.com


Your hosts file is in c:\windows\system32\drivers\etc
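The two steps in this exchange, reading the site out of an IE cookie file name of the `user@host[n].txt` shape and adding a `127.0.0.1` line to the hosts file for it, are small enough to automate, and doing so makes two caveats visible. First, the cookie file name carries no top-level domain, so the suffix has to be supplied (the thread uses `.com`); second, a cookie host is not automatically a tracker, and blocking the host of a site you actually use breaks that site, which is the "don't block ours" point made earlier. The script below is an added example, not from this thread: the cookie file names, the hosts file contents and the `KEEP` allowlist are constructed, and the function names are my own. One further note for the Windows ME machine in this thread: on Windows 9x/ME the hosts file lives in the Windows directory itself (`C:\WINDOWS\HOSTS`, with a `HOSTS.SAM` sample beside it); the `system32\drivers\etc` path belongs to the NT family of Windows, which is why it could not be found there.

```python
import re

# Hosts file location on Windows 9x/ME; NT-family Windows uses system32\drivers\etc.
HOSTS_PATH_WIN9X = r"C:\WINDOWS\HOSTS"

# Constructed sample IE cookie file names (user@host[n].txt) plus one non-cookie file.
SAMPLE_COOKIE_FILES = ["default@ads.vnuemedia[1].txt", "cathy@www.att[2].txt", "index.dat"]

# Constructed allowlist: hosts of sites the user actually relies on.
# Blocking their cookie host would break the site itself.
KEEP = {"www.att.com"}

# Constructed sample hosts file; the tracker line stands in for an entry added earlier.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1 localhost
127.0.0.1 ads.tracker.example   # constructed earlier block entry
"""

COOKIE_NAME_RE = re.compile(r"^(?P<user>[^@]+)@(?P<host>[^\[]+)\[(?P<n>\d+)\]\.txt$", re.IGNORECASE)
HOSTNAME_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*$", re.IGNORECASE)


def cookie_host(filename):
    """Host label from an IE cookie file name, or None for files of another shape."""
    m = COOKIE_NAME_RE.match(filename)
    return m.group("host").lower() if m else None


def full_hostname(label, tld="com"):
    """Append the top-level domain the cookie file name omits (assumed .com by default)."""
    host = f"{label}.{tld}".lower()
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"not a valid hostname: {host!r}")
    return host


def select_block_candidates(cookie_files, keep=frozenset(), tld="com"):
    """Hostnames worth blocking: every cookie host except those on the allowlist."""
    hosts = {full_hostname(label, tld) for label in map(cookie_host, cookie_files) if label}
    return sorted(hosts - {k.lower() for k in keep})


def hosts_map(hosts_text):
    """Parse hosts file text into {hostname: ip}, ignoring comments and blank lines."""
    mapping = {}
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping[name.lower()] = ip
    return mapping


def add_block_entries(hosts_text, hostnames):
    """Return hosts text with a 127.0.0.1 line for each hostname not already mapped.
    Idempotent: existing lines are untouched and repeated inputs are collapsed."""
    present = hosts_map(hosts_text)
    out = hosts_text if (not hosts_text or hosts_text.endswith("\n")) else hosts_text + "\n"
    for name in hostnames:
        name = name.lower()
        if not HOSTNAME_RE.match(name):
            raise ValueError(f"not a valid hostname: {name!r}")
        if name in present:
            continue
        out += f"127.0.0.1 {name}\n"
        present[name] = "127.0.0.1"
    return out


def blocked_hosts(hosts_text):
    """Hostnames the file sends to loopback, excluding localhost itself."""
    return {h for h, ip in hosts_map(hosts_text).items() if ip == "127.0.0.1" and h != "localhost"}


if __name__ == "__main__":
    candidates = select_block_candidates(SAMPLE_COOKIE_FILES, KEEP)
    print("will block:", candidates)
    updated = add_block_entries(SAMPLE_HOSTS, candidates)
    print(updated)
    print("now blocked:", sorted(blocked_hosts(updated)))
    print("write the result to", HOSTS_PATH_WIN9X, "on a Windows 9x/ME machine")
```

The script only builds the new file contents; writing them back is left to you so the existing file can be reviewed first. Running it twice, or passing the same host twice, produces no duplicate lines, which matters for a file that is edited by hand over years.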

#11 CO Girl

CO Girl
  • Topic Starter

  • Members
  • 20 posts
  • Location:Chicago

Posted 10 November 2004 - 10:07 AM

Okay...

I don't see the hosts file, but that's okay...I don't feel comfortable messing with it, even if I could find it. I've got it locked via Spybot anyway.

I'll just clean out my cookies folder periodically, and remain diligent with my AdAware and Spybot updates.

Thanks again!



