HijackThis Logs - Techist - Tech Forum

Go Back   Techist - Tech Forum > Computer Software > Microsoft Windows and Software
Click Here to Login
Closed Thread
 
Thread Tools Display Modes
 
Old 08-24-2006, 01:48 PM   #1 (permalink)
Banned
 
Join Date: Sep 2005
Posts: 5,191
Post HijackThis Logs

Okay I have two HijackThis logs I need help with (these are two different computers):

Logfile of HijackThis v1.99.1
Scan saved at 10:24:55 AM, on 8/24/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\zqskw.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Tom Roddy\Desktop\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINDOWS\System32\xeymi.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKLM\..\RunOnce: [{D7CC80D4-376C-4586-B023-4F35C2CEB28E} Deskbar UNINSTALL] regsvr32 /s /u "C:\Program Files\Deskbar\deskbar.dll"
O4 - HKLM\..\RunOnce: [wXsX56B0n] "C:\WINDOWS\System32\iqqr.exe" -SASg
O4 - HKLM\..\RunOnce: [ruYnm8] cmd /c IF EXIST "C:\WINDOWS\System32\bez6n4r21.exe" del /s /q "C:\WINDOWS\System32\bez6n4r21.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\webhdll.dll' missing
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\System32\xeymi.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe











And the second one is this:

Logfile of HijackThis v1.99.1
Scan saved at 10:30:48 AM, on 8/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\eFax Messenger 4.1\J2GTray.exe
C:\Program Files\Hp\digital imaging\bin\hpqtra08.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\Thomas Roddy\My Documents\Downloads\Firefox_Portable_1.5.0.6_en-us.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Thomas Roddy\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TY...lion&pf=laptop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B5F7FDF-0717-45BF-B49D-695F3168C7FE} - C:\WINDOWS\system32\admparsel.dll
O2 - BHO: (no name) - {1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{BA2D9411-DBB4-43e4-9421-780413650A67}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [eFax 4.1] "C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\HP\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: eFax 4.1.lnk = C:\Program Files\eFax Messenger 4.1\J2GTray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\digital imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hp\digital imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavili on&pf=laptop
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn...taller_gmn.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://public.mapping.floridadisaste...s/mgaxctrl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1141667096872
O17 - HKLM\System\CCS\Services\Tcpip\..\{035A45E7-58A0-4A48-92F7-E0E9C658D528}: NameServer = 192.168.1.133
O17 - HKLM\System\CS1\Services\Tcpip\..\{035A45E7-58A0-4A48-92F7-E0E9C658D528}: NameServer = 192.168.1.133
O17 - HKLM\System\CS2\Services\Tcpip\..\{035A45E7-58A0-4A48-92F7-E0E9C658D528}: NameServer = 192.168.1.133
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
__________________

The General is offline  
Old 08-24-2006, 01:52 PM   #2 (permalink)
Ultra Techie
 
Join Date: Feb 2006
Posts: 829
Send a message via ICQ to Jam3s-Zer0 Send a message via AIM to Jam3s-Zer0 Send a message via Yahoo to Jam3s-Zer0
Default

Maybes you should of posted it here :

http://techist.com/forumdisplay.php?forumid=126

Also, are you having problems? If yes, what?
__________________

Jam3s-Zer0 is offline  
Old 08-24-2006, 01:55 PM   #3 (permalink)
Banned
 
Join Date: Sep 2005
Posts: 5,191
Default

Okay, then move it there. But if this doesn't apply to Windows Operating System and Software, then I don't know what does.

And yes, I forgot to bring Firefox Portable with me today and used I.E. for 5 minutes and my computer was infected with some kind of malicious software that I'd never encountered before... Perhaps it's because I don't use Windows...

But yeah, I followed Warez Monster's usual "fix your infection" directions and it seems to be working fine now, I just don't know what to have fixed and what to not have fixed from these logs.

The second one is my boss's laptop, figured if I was downloading all this stuff for my computer, I'd run HijackThis on his computer to, and it was a really long log so I thought maybe there was stuff to fix.
The General is offline  
Old 08-24-2006, 01:56 PM   #4 (permalink)
Ultra Techie
 
Join Date: Feb 2006
Posts: 829
Send a message via ICQ to Jam3s-Zer0 Send a message via AIM to Jam3s-Zer0 Send a message via Yahoo to Jam3s-Zer0
Default

I think it applies to 'HijackThis Logs (analyze)' more tho.

While running through Warez guide, which program detected something and what did it say?
Jam3s-Zer0 is offline  
Old 08-24-2006, 01:58 PM   #5 (permalink)
Banned
 
Join Date: Sep 2005
Posts: 5,191
Default

My god, I have to stop editing my posts right after I post them.
The General is offline  
Old 08-24-2006, 02:01 PM   #6 (permalink)
Banned
 
Join Date: May 2005
Posts: 7,915
Send a message via Yahoo to talldude123
Default

M'kay General, looks like i'll analyze your HJT logs for you.

Computer 1:

1. Update the Service Pack, if possible.

2. Fix the following entries using HiJackthis:


C:\WINDOWS\System32\zqskw.exe

O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINDOWS\System32\xeymi.dll (file missing)

O4 - HKLM\..\RunOnce: [wXsX56B0n] "C:\WINDOWS\System32\iqqr.exe" -SASg

O4 - HKLM\..\RunOnce: [ruYnm8] cmd /c IF EXIST "C:\WINDOWS\System32\bez6n4r21.exe" del /s /q "C:\WINDOWS\System32\bez6n4r21.exe"

O10 - Broken Internet access because of LSP provider 'c:\windows\webhdll.dll' missing

O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\System32\xeymi.dll


[b]Computer #2:

Fix the following entries using HiJackThis:

O2 - BHO: (no name) - {0B5F7FDF-0717-45BF-B49D-695F3168C7FE} - C:\WINDOWS\system32\admparsel.dll

O2 - BHO: (no name) - {1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5} - (no file)


That's all General


P.S. = My signature has some HJT download and help links in it, feel free to browse.
talldude123 is offline  
Old 08-24-2006, 02:02 PM   #7 (permalink)
Ultra Techie
 
Join Date: Feb 2006
Posts: 829
Send a message via ICQ to Jam3s-Zer0 Send a message via AIM to Jam3s-Zer0 Send a message via Yahoo to Jam3s-Zer0
Default

Ok if your going to be like that I won't help.
I was only giving you the heads up of the forum and you tell me to 'STFU'
Jam3s-Zer0 is offline  
Old 08-24-2006, 02:04 PM   #8 (permalink)
Banned
 
Join Date: Sep 2005
Posts: 5,191
Default

Thanks, talldude123. :classic:
The General is offline  
Old 08-24-2006, 02:05 PM   #9 (permalink)
Banned
 
Join Date: May 2005
Posts: 7,915
Send a message via Yahoo to talldude123
Default

I don't really think it matters where this is posted. If you really think it offends you to have it posted here instead of the Virus section, tell a MOD
talldude123 is offline  
Old 08-24-2006, 02:06 PM   #10 (permalink)
Banned
 
Join Date: May 2005
Posts: 7,915
Send a message via Yahoo to talldude123
Default

Quote:
Originally posted by The General
Thanks, talldude123. :classic:

NP General

Did you get the two logs fixed?
__________________

talldude123 is offline  
Closed Thread

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off




Copyright 2002- Social Knowledge, LLC All Rights Reserved.

All times are GMT -5. The time now is 10:24 AM.


Powered by vBulletin® Version 3.8.8 Beta 1
Copyright ©2000 - 2017, vBulletin Solutions, Inc.