
HijackThis Log: Please help Diagnose



#1 ronikoren


Posted 10 December 2004 - 07:00 PM

Hi, my Internet Explorer as well as Windows Explorer seem to be hijacked. Please help me analyze this log.
Thanks in advance,
rk

Logfile of HijackThis v1.98.2
Scan saved at 12:16:19 AM, on 12/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
I:\software\tools and utilities\multi media\audio only\Winamp\Winampa.exe
D:\WINDOWS\System32\cmd64.exe
D:\WINDOWS\System32\msrexe.exe
D:\WINDOWS\System32\tibs3.exe
D:\WINDOWS\System32\tbctray.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Documents and Settings\roni\Application Data\dtor.exe
D:\progs\video\Common\Bin\WinCinemaMgr.exe
D:\progs\Palm\hotsync.exe
D:\progs\yahoo\Messenger\ymsgr_tray.exe
D:\WINDOWS\system32\altsvc.exe
D:\WINDOWS\system32\msnmsgr.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\cmd.exe
D:\progs\spyware\Spybot - Search & Destroy\SpybotSD.exe
D:\progs\spyware\HijackThis19802.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\DOCUME~1\roni\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://D:\DOCUME~1\roni\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\DOCUME~1\roni\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://D:\DOCUME~1\roni\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://D:\DOCUME~1\roni\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://D:\DOCUME~1\roni\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
R3 - URLSearchHook: (no name) - {C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70} - (no file)
O1 - Hosts file is located at: D:\WINDOWS\nsdb\hosts
O1 - Hosts: 82.179.166.164 lender-search.com
O1 - Hosts: 82.179.166.165 hot-searches.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BL Class - {28F65FCB-D130-11D8-BA48-8BE0C49AF370} - D:\WINDOWS\System32\popup_bl.dll
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - D:\WINDOWS\questmod.dll
O2 - BHO: (no name) - {90B5C6DC-13AC-4A61-975B-84252C29468A} - D:\WINDOWS\System32\hpfhijo.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Search Toolbar - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - D:\WINDOWS\System32\MTC.dll (file missing)
O4 - HKLM\..\Run: [WinampAgent] "I:\software\tools and utilities\multi media\audio only\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [ControlPanel] D:\WINDOWS\System32\cmd64.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [System Service] D:\WINDOWS\System32\msrexe.exe
O4 - HKLM\..\Run: [tibs3] D:\WINDOWS\System32\tibs3.exe
O4 - HKLM\..\Run: [TraySantaCruz] D:\WINDOWS\System32\tbctray.exe
O4 - HKLM\..\RunOnce: [tlc] D:\WINDOWS\update13.js
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] D:\progs\yahoo\Messenger\ypager.exe -quiet
O4 - Startup: HotSync Manager.lnk = D:\progs\Palm\hotsync.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\progs\video\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://d:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://d:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://d:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://d:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\progs\yahoo\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\progs\yahoo\Messenger\yhexbmes0521.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://209.8.20.130/dl/adv314/x.chm::/load.exe
O16 - DPF: {11111111-1111-1111-1111-111111114457} - file://c:\ied_s7m.cab
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.awmdabest.com/bltd/116.chm::/file.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsIns....cab?refid=2732
O18 - Filter: text/html - {B963F8EF-982A-4E6C-B55E-34BE55A00336} - D:\WINDOWS\System32\hpfhijo.dll
O18 - Filter: text/plain - {B963F8EF-982A-4E6C-B55E-34BE55A00336} - D:\WINDOWS\System32\hpfhijo.dll
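The log above can be triaged mechanically. The script below is an added example, not part of the original thread or of HijackThis itself: it parses the section tags and flags the patterns visible in this log (search page pointed at a file under Temp, a proxy bypass for wildcard domains, a relocated hosts file and non-localhost hosts entries, an unnamed BHO, Trusted Zone additions, an ms-its:/file:// DPF loader, and a text/html MIME filter). The sample input is a handful of lines copied from the posted log; the flag rules are this example's own heuristics, not HijackThis output.

```python
import re

# Every HijackThis entry starts with a section tag ("R1", "O4", ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")

def parse_hjt(log_text):
    entries = []  # (section, body) pairs; header and process-list lines are skipped
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries

def flag_entry(sec, body):
    """Return a reason if the entry matches a hijack pattern seen in this log, else None."""
    b = body.lower()
    if sec in ("R0", "R1") and "file://" in b and "\\temp\\" in b:
        return "IE search page redirected to a local file under Temp"
    if sec == "R1" and "proxyoverride" in b and "*" in b:
        return "proxy bypass added for wildcard domains"
    if sec == "O1" and "hosts file is located at" in b and "drivers\\etc\\hosts" not in b:
        return "hosts file relocated away from the default location"
    if sec == "O1" and "hosts:" in b and "127.0.0.1 localhost" not in b:
        return "hosts entry redirects a domain to an external address"
    if sec == "O2" and "(no name)" in b:
        return "unnamed BHO loaded into Internet Explorer"
    if sec == "O15" and "trusted zone" in b:
        return "domain added to the IE Trusted Zone"
    if sec == "O16" and ("ms-its:" in b or "file://" in b):
        return "Downloaded Program File uses an ms-its:/file:// loader"
    if sec == "O18" and "filter: text/html" in b:
        return "MIME filter hooked on text/html (can rewrite every page)"
    return None

def triage(log_text):
    """Return (section, reason, body) for every flagged entry, in log order."""
    return [(s, r, b) for s, b in parse_hjt(log_text) if (r := flag_entry(s, b))]

# Constructed sample: lines copied from the log posted above (one benign BHO included).
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\DOCUME~1\roni\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
O1 - Hosts file is located at: D:\WINDOWS\nsdb\hosts
O1 - Hosts: 82.179.166.164 lender-search.com
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - D:\WINDOWS\questmod.dll
O15 - Trusted Zone: *.mt-download.com
O16 - DPF: {11111111-1111-1111-1111-111111114457} - file://c:\ied_s7m.cab
O18 - Filter: text/html - {B963F8EF-982A-4E6C-B55E-34BE55A00336} - D:\WINDOWS\System32\hpfhijo.dll
"""
```

Running `triage(SAMPLE_LOG)` flags every sample line except the Google Toolbar BHO; the rules are deliberately narrow, so an entry that is not flagged still needs a human look.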


#2 raw


Posted 10 December 2004 - 09:02 PM

I don't see anti-virus running.
=====================
Go here to download the free version of Grisoft's AVG AntiVirus program.

Install the program, check for updates and scan your system allowing it to remove whatever it finds.
=====================
If you do not have Ad-Aware SE

Go Here.

Start Ad-Aware and click Check for updates now.

After you have updated the definitions, click the gear icon in the toolbar, click Tweak, expand the Scanning Engine section and uncheck Unload recognized processes & modules during scan. Click Proceed. (If you miss this step your computer will shut down during the scan.
Alternatively, you can prevent the shutdown by typing shutdown /a into Run when you get the message. You have 60 seconds.)

Then post a new log.

Edited by raw, 10 December 2004 - 09:03 PM.
