Friend's HiJackThis log.


weezcake

This is my friend's hijackthis log that she sent me. She said she was having some problems, and maybe someone could find something?

Logfile of HijackThis v1.99.1
Scan saved at 10:51:27 AM, on 1/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss[Caution: ExecutableFile]
C:\WINDOWS\system32\winlogon[Caution: ExecutableFile]
C:\WINDOWS\system32\services[Caution: ExecutableFile]
C:\WINDOWS\system32\lsass[Caution: ExecutableFile]
C:\WINDOWS\system32\svchost[Caution: ExecutableFile]
C:\WINDOWS\System32\svchost[Caution: ExecutableFile]
C:\WINDOWS\Explorer[Caution: ExecutableFile]
C:\WINDOWS\system32\spoolsv[Caution: ExecutableFile]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched[Caution: ExecutableFile]
C:\windows\system\hpsysdrv[Caution: ExecutableFile]
C:\Program Files\HP\hpcoretech\hpcmpmgr[Caution: ExecutableFile]
C:\WINDOWS\System32\hphmon05[Caution: ExecutableFile]
C:\HP\KBD\KBD[Caution: ExecutableFile]
C:\Program Files\iTunes\iTunesHelper[Caution: ExecutableFile]
C:\WINDOWS\System32\VTTimer[Caution: ExecutableFile]
C:\WINDOWS\AGRSMMSG[Caution: ExecutableFile]
C:\WINDOWS\ALCXMNTR[Caution: ExecutableFile]
C:\Program Files\BroadJump\Client Foundation\CFD[Caution: ExecutableFile]
C:\Program Files\Yahoo!\browser\ybrwicon[Caution: ExecutableFile]
C:\Program Files\QuickTime\qttask[Caution: ExecutableFile]
C:\Program Files\Common Files\AOL\1136763830\ee\AOLSoftware[Caution: ExecutableFile]
C:\Program Files\Yahoo!\Antivirus\CAVTray[Caution: ExecutableFile]
C:\PROGRA~1\Yahoo!\browser\ycommon[Caution: ExecutableFile]
C:\Program Files\Yahoo!\Antivirus\CAVRID[Caution: ExecutableFile]
C:\PROGRA~1\Yahoo!\YOP\yop[Caution: ExecutableFile]
C:\Program Files\Yahoo!\Antivirus\ISafe[Caution: ExecutableFile]
C:\Program Files\HP\Digital Imaging\bin\hpqtra08[Caution: ExecutableFile]
C:\WINDOWS\System32\gearsec[Caution: ExecutableFile]
C:\Program Files\LimeWire\LimeWire 4.2.3\LimeWire[Caution: ExecutableFile]
c:\program files\common files\aol\1136763830\ee\aim6[Caution: ExecutableFile]
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903[Caution: ExecutableFile]
C:\Program Files\SBC Self Support Tool\bin\mpbtn[Caution: ExecutableFile]
C:\Program Files\iPod\bin\iPodService[Caution: ExecutableFile]
C:\WINDOWS\System32\wuauclt[Caution: ExecutableFile]
C:\Program Files\Yahoo!\Antivirus\VetMsg[Caution: ExecutableFile]
C:\WINDOWS\System32\svchost[Caution: ExecutableFile]
C:\PROGRA~1\Yahoo!\MESSEN~1\YPager[Caution: ExecutableFile]
C:\PROGRA~1\Yahoo!\browser\ybrowser[Caution: ExecutableFile]
C:\Documents and Settings\Owner\Desktop\HijackThis[Caution: ExecutableFile]

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched[Caution: ExecutableFile]
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv[Caution: ExecutableFile]
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr[Caution: ExecutableFile]"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05[Caution: ExecutableFile]
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05[Caution: ExecutableFile]
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD[Caution: ExecutableFile]
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched[Caution: ExecutableFile]" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper[Caution: ExecutableFile]
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD[Caution: ExecutableFile]
O4 - HKLM\..\Run: [VTTimer] VTTimer[Caution: ExecutableFile]
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG[Caution: ExecutableFile]
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2[Caution: ExecutableFile]
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR[Caution: ExecutableFile]
O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD[Caution: ExecutableFile]
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon[Caution: ExecutableFile]
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask[Caution: ExecutableFile]" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1136763830\ee\AOLSoftware[Caution: ExecutableFile]
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray[Caution: ExecutableFile]"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID[Caution: ExecutableFile]"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop[Caution: ExecutableFile] /autostart
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager[Caution: ExecutableFile]" -quiet
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch[Caution: ExecutableFile]" /d locale=en-US ee://aol/imApp
O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart[Caution: ExecutableFile]
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\pwinqsaw[Caution: ExecutableFile]
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\dwdsregt[Caution: ExecutableFile]
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08[Caution: ExecutableFile]
O4 - Global Startup: LimeWire 4.2.3.lnk = C:\Program Files\LimeWire\LimeWire 4.2.3\LimeWire[Caution: ExecutableFile]
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent[Caution: ExecutableFile]
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli[Caution: ExecutableFile]
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903[Caution: ExecutableFile]
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL[Caution: ExecutableFile]/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe[Caution: ExecutableFile]
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec[Caution: ExecutableFile]
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService[Caution: ExecutableFile]
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg[Caution: ExecutableFile]
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1[Caution: ExecutableFile]

==================================

Retired tip.it moderator.

Teaching and inspiring.

I was looking at the log last night and I saw this:

O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\pwinqsaw.e3e (CAUTION - executable file)
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\dwdsregt.e3e (CAUTION - executable file)

Any suggestions on what to do with this log? :?


It's got some basic adware which would be cleaned by Ad-Aware, Spybot or some other main anti-spyware program quite easily. The main issue here is that your friend is running a VERY outdated version of Windows and is vulnerable to a horde of different exploits.

Tell her to visit http://www.windowsupdate.com and upgrade immediately.

Mercifull <3 Suzi

"We don't want players to be able to buy their way to success in RuneScape. If we let players start doing this, it devalues RuneScape for others. We feel your status in real-life shouldn't affect your ability to be successful in RuneScape" Jagex 01/04/01 - 02/03/12

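As an added triage helper that is not part of this thread (the regexes and the triage() function are my own, not HijackThis code), the following Python walks HijackThis-format lines and flags the two things raised above: O4 Startup-folder shortcuts that launch an executable out of the Windows system directory (the Zeno.lnk and Z_Start.lnk entries) and O2 BHO registrations with "(no file)", plus a Platform line reporting Windows XP below SP2. The sample lines are constructed from the posted log, with ".exe" written out instead of the forum's "[Caution: ExecutableFile]" substitution.

```python
import re

# Constructed sample in HijackThis v1.99.1 format, modelled on the thread's log
# (not the full log); ".exe" is written out here instead of the forum's
# "[Caution: ExecutableFile]" substitution.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP1 (WinNT 5.01.2600)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\pwinqsaw.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
"""

ENTRY_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")  # "O4 - <body>"
STARTUP_RE = re.compile(r"^(?:Global )?Startup:\s*(?P<lnk>[^=]+?)\s*=\s*(?P<target>.+)$")
PLATFORM_RE = re.compile(r"^Platform:\s*Windows XP(?:\s+SP(?P<sp>\d))?", re.IGNORECASE)
SYSTEM_DIR_RE = re.compile(r"\\windows\\system(32)?\\", re.IGNORECASE)


def triage(log_text):
    """Return (section, line, reason) tuples for entries worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        pm = PLATFORM_RE.match(line)
        if pm:
            if int(pm.group("sp") or 0) < 2:
                findings.append(("platform", line,
                                 "Windows XP below SP2: fix the patch level first, then clean"))
            continue
        em = ENTRY_RE.match(line)
        if not em:
            continue
        section, body = em.groups()
        if section == "O2" and body.endswith("(no file)"):
            # A BHO CLSID is registered but its DLL is gone: dead entry, remove it.
            findings.append((section, line, "BHO with no backing file (orphaned entry)"))
        elif section == "O4":
            sm = STARTUP_RE.match(body)
            if sm and SYSTEM_DIR_RE.search(sm.group("target").strip('"')):
                # Windows components start via services or Run keys; a Startup-folder
                # shortcut into system32 is a common way dropped adware persists.
                findings.append((section, line,
                                 "Startup-folder shortcut launching a system32 executable"))
    return findings


if __name__ == "__main__":
    for section, line, reason in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Anything it flags still needs a look at the file itself (publisher, location, date) before deletion; the Run-key entries for hpsysdrv and the Acrobat BHO pass untouched because they match neither rule.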
I told her to scan with Ad-Aware and Spybot (though I think she already did, but I'm not sure how long ago) and to update her Windows. I told her to send me a new log after she does so.

I'll post the new one here and have you guys look over it.

Thanks! :)
