TheTechGuide Forum

General Category => Tech Clinic => Topic started by: savagemoron on August 19, 2005, 03:08:43 PM

Title: hijackthis log file
Post by: savagemoron on August 19, 2005, 03:08:43 PM
Mom bought some kind of software over the net and now gets a pop-up every 5-10 minutes while on IE.  Also says computer running really slow.

Logfile of HijackThis v1.95.1
Scan saved at 10:59:25 PM, on 8/17/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Jetico\BestCrypt\BCResident.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us6.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us6.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://srch-us6.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Program Files\Jetico\BestCrypt\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BestCrypt Auto Open.lnk = C:\Program Files\Jetico\BestCrypt\BestCrypt.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O9 - Extra button: Spyware Doctor (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab (http://\"http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab\")
O17 - HKLM\System\CCS\Services\Tcpip\..\{27A8144B-35A2-44E0-BD79-3CA538736E9B}: NameServer = 216.152.37.71 216.152.26.168
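For anyone triaging a log like the one above by hand, here is a small parser for the HijackThis line format (added example, not part of this thread or of HijackThis itself). It splits the Rn/On entries into fields and pulls out the three things a reviewer checks first: the hosts IE is pointed at, the DNS servers in the O17 line, and the Run-key autostarts. The sample lines are copied from the log in the first post.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Sample input: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us6.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us6.hpwis.com/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O17 - HKLM\System\CCS\Services\Tcpip\..\{27A8144B-35A2-44E0-BD79-3CA538736E9B}: NameServer = 216.152.37.71 216.152.26.168
"""

ENTRY_RE = re.compile(r"^\s*(R[0-3]|O\d{1,2}) - (.*)$")          # "R1 - ..." / "O4 - ..."
R_RE = re.compile(r"^(?P<key>[^=]+?)\s*=\s*(?P<value>.*)$")        # registry key = value
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
NS_RE = re.compile(r"NameServer = (?P<servers>.*)$")


def parse_hjt(text: str) -> List[Dict[str, object]]:
    """Turn each Rn/On line into a dict; header and process-list lines are skipped."""
    entries: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.group(1), m.group(2)
        entry: Dict[str, object] = {"type": kind, "raw": body}
        if kind.startswith("R") and (r := R_RE.match(body)):
            entry.update(key=r["key"].strip(), value=r["value"].strip())
        elif kind == "O2" and (b := BHO_RE.match(body)):
            entry.update(b.groupdict())
        elif kind == "O4" and (run := RUN_RE.match(body)):   # Startup .lnk lines stay raw
            entry.update(run.groupdict())
        elif kind == "O17" and (ns := NS_RE.search(body)):
            entry["servers"] = ns["servers"].split()
        entries.append(entry)
    return entries


def triage(entries: List[Dict[str, object]]) -> Dict[str, object]:
    """Summarise where IE is pointed, which DNS servers are set, and what autostarts."""
    hosts = {urlparse(str(e["value"])).hostname
             for e in entries if e["type"] in ("R0", "R1") and str(e.get("value", "")).startswith("http")}
    servers = [s for e in entries if e["type"] == "O17" for s in e.get("servers", [])]
    runs = [e["name"] for e in entries if e["type"] == "O4" and "name" in e]
    return {"ie_hosts": hosts, "name_servers": servers, "run_entries": runs}


if __name__ == "__main__":
    print(triage(parse_hjt(SAMPLE_LOG)))
```

The O17 name servers and R-line hosts are the values to compare against what the ISP and the OEM (here HP's hpwis.com defaults) should have set; anything else is what a reviewer would ask about first.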
Title: hijackthis log file
Post by: guestolo on August 21, 2005, 11:25:17 AM
What software did Mom buy?
If you still need a hand with your log can you do the following please
You're way behind on Windows updates
This is crucial you update to keep your system secure

Can you for now
Go to this link
http://www.microsoft.com/windowsxp/downloa...p1/default.mspx (http://\"http://www.microsoft.com/windowsxp/downloads/updates/sp1/default.mspx\")
Download and install Service Pack 1a
Don't install SP2 yet, we can install that once we know you're clear of any malware

Afterwards
Please redownload Hijackthis from my Signature below and save it to a permanent folder on your drive
From that new location
Run another scan with Hijackthis and post a fresh log
Title: hijackthis log file
Post by: savagemoron on August 22, 2005, 12:21:14 PM
ok, I'll have her update to SP1a.  She's on 56k so it could take some time.  As far as the software...I'll have to find out the name of it.  There is a certain pop-up you get using IE, which tells you that you may have a virus on your computer.  She clicked on this link and it goes to a site for buying software.  From what I know, all the problems happened after the software was installed.

Thanx for your input