
Read Hijack This Log


  • This topic is locked
3 replies to this topic

#1 ENFORCE123

  • Members
  • 1 posts
  • OFFLINE
  • Local time:06:34 AM

Posted 04 April 2006 - 01:20 PM

:thumbsup: Logfile of HijackThis v1.99.1
Scan saved at 9:41:53 AM, on 4/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Windows folder: F:\WINDOWS
System folder: F:\WINDOWS\SYSTEM32
Hosts file: F:\WINDOWS\System32\drivers\etc\hosts

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
F:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
F:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
F:\WINDOWS\system32\ctfmon.exe
F:\WINDOWS\system32\CTsvcCDA.EXE
F:\Program Files\iM Networks\iM Radio Tuner\iM_Tray.exe
F:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
F:\WINDOWS\system32\WTablet\TabUserW.exe
F:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
F:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
F:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
F:\Program Files\Spyware Doctor\sdhelp.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\Tablet.exe
F:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\WINDOWS\system32\MsPMSPSv.exe
F:\WINDOWS\system32\ZoneLabs\isafe.exe
F:\WINDOWS\System32\alg.exe
F:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
F:\Program Files\Onfolio\onfserv.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Spyware Doctor\swdoctor.exe
F:\Program Files\GPSoftware\Directory Opus\DOpus.exe
F:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe
H:\DATA BEGINNING\DOWNLOADS\COMPUTER\SECURITY\HIJACK THIS 4-4-06\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.lib.berkeley.edu:7777/proxy.pac
O2 - BHO: ^ - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - F:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (filesize 788664 bytes, MD5 E0882DEFE44ED8D7D5746BA737350B79)
O2 - BHO: ^ - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - F:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (filesize 833240 bytes, MD5 152C9B54970D32AC8678643AE677EDB2)
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (filesize 343112 bytes, MD5 5E2F2DB01F934243B74440F534880D19)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - F:\Program Files\Canon\Easy-WebPrint\Toolband.dll (filesize 405504 bytes, MD5 3D3A15D5F7C44868FF26C2A73377D7EE)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar2.dll (filesize 1191424 bytes, MD5 677C42CD9FE9C13B4B7B601A2E4065B0)
O4 - HKLM\..\Run: [OpwareSE2] "F:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" (filesize 49152 bytes, MD5 882539219B40107D5BC0557E0088DD79)
O4 - HKLM\..\Run: [MMReminderService] F:\Program Files\Mindjet\MindManager 6\MMReminderService.exe
O4 - HKLM\..\Run: [ISUSScheduler] "F:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start (filesize 81920 bytes, MD5 51F3C4FBEEF66CEBA7ABE43F4F5C1B69)
O4 - HKLM\..\Run: [ISUSPM Startup] F:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup (filesize 221184 bytes, MD5 B4B4EB2F8849E93FE5FECE11E52C5930)
O4 - HKLM\..\Run: [AttuneClientEngine] F:\PROGRA~1\Aveo\Attune\bin\attune_ce.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] F:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Zone Labs Client] F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [Spyware Doctor] "F:\Program Files\Spyware Doctor\swdoctor.exe" /Q (filesize 2013408 bytes, MD5 92376CCCBDB39B6843511848C8E1865A)
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = F:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE (filesize 59080 bytes, MD5 B2337403A5E582811F96DE88C03AC7A9)
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (filesize 98304 bytes, MD5 3B712DEC13C4D3CC69974F0F6A3F23A7)
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (filesize 98304 bytes, MD5 3B712DEC13C4D3CC69974F0F6A3F23A7)
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (filesize 29696 bytes, MD5 43362B96870CE8649F4F2EC893DA93F0)
O4 - Global Startup: iM StartCenter.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE (filesize 83360 bytes, MD5 5BC65464354A9FD3BEAA28E18839734A)
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: TabUserW.exe.lnk = F:\WINDOWS\system32\WTablet\TabUserW.exe (filesize 114688 bytes, MD5 EFDF96F16ACAE792D9966B7C9A0E6895)
O8 - Extra context menu item: &Capture Page to Onfolio... - res://F:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddLinkEntryFromDocument.html
O8 - Extra context menu item: &Google Search - res://f:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://f:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://f:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Capt&ure Target to Onfolio... - res://F:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddEntryFromDocumentElement.html
O8 - Extra context menu item: Capture &Snippet to Onfolio... - res://F:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddEntryFromDocumentSelection.html
O8 - Extra context menu item: Capture Ima&ge to Onfolio... - res://F:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddEntryFromDocumentElement.html
O8 - Extra context menu item: Capture Page and Selected &Links to Onfolio... - res://F:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddSiteSnippetFromDocumentSelection.html
O8 - Extra context menu item: Capture Selected Ite&ms to Onfolio... - res://F:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddMultipleEntriesFromDocumentSelection.html
O8 - Extra context menu item: Capture Site to &Onfolio... - res://F:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddSiteFromDocument.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Similar Pages - res://f:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://f:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - F:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (filesize 833240 bytes, MD5 152C9B54970D32AC8678643AE677EDB2)
O9 - Extra button: (no name) - {2fc2f9a4-c43e-42c0-9490-19d6be8b1726} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Onfolio Capture... - {2fc2f9a4-c43e-42c0-9490-19d6be8b1726} - mscoree.dll (file missing)
O9 - Extra button: Onfolio - {30e2a68b-20f5-419d-bbb9-dce92edc4e67} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Onfolio Sidebar - {30e2a68b-20f5-419d-bbb9-dce92edc4e67} - mscoree.dll (file missing)
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL (filesize 40512 bytes, MD5 0FA0BDAA2FF4ED7E5A2FA2EC1B536712)
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll (filesize 225280 bytes, MD5 0CBE3E4166A08FC379EABF532B4EFE18)
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - https://vapwdb.ops.placeware.com/etc/place/...quicksilver.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136146393772
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://thomsonscientific.webex.com/client/...bex/ieatgpc.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/35/install/gtdownde.cab
O20 - Winlogon Notify: System Safety Monitor - F:\WINDOWS\SYSTEM32\SSMWinlogonEx.dll
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - F:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - F:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - F:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - F:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TabletService - Wacom Technology, Corp. - F:\WINDOWS\system32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - F:\WINDOWS\system32\ZoneLabs\vsmon.exe


#2 Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,664 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:34 AM

Posted 10 April 2006 - 11:51 AM

Hi ENFORCE123,

Sorry for the delay. Could you please post a fresh HijackThis log so we can see if anything has changed? At first glance I see no malware in your log, so could you also tell me why you have posted it--do you have symptoms that make you think you are infected, have general slowness, or just want a checkup? This type of feedback is important.

I also see you have posted this same log at SWI:
http://forums.spywareinfo.com/index.php?sh...=0&#entry389204

If you want help here please let me know--we don't want to tie up more than one helper with all the malware that is out there and to avoid confusion cross-posting is discouraged. I'll be notifying the SWI staff about the other post.

We always did feel the same

We just started from a different point of view

Tangled up in blue--Bob Dylan


#3 amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  • Gender:Female
  • Local time:07:34 AM

Posted 10 April 2006 - 01:48 PM

Someone is already helping here:

http://spywarewarrior.com/viewtopic.php?t=...fdbf0dbc49aee91

#4 Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,664 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:34 AM

Posted 10 April 2006 - 02:11 PM

Thanks amateur,

This thread is now closed. ENFORCE123, you're in very good hands with Mosaic1. And just so you know, members of the malware removal community work together and look out for each other. We're all volunteers that put a lot of time into doing this. That's why it's considered rude to cross-post--we could be spending our time helping someone else if we know you are already getting help elsewhere. I would also urge you to reply to Mosaic1--if you don't need help anymore. It's also rude to let your thread go inactive like that.





