
HijackThis log


colinrharris

Technical User
Oct 24, 2002
Here is another HijackThis log. I have already removed some items that were suspicious but I have obviously missed some other entries.

Logfile of HijackThis v1.97.7
Scan saved at 09:07:52, on 02/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing Deluxe Version 11\MiniMavis.exe
C:\Program Files\Greetings Workshop\GWREMIND.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
E:\Spyware tools\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = syhg001:8080
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Global Startup: Mavis Beacon Teaches Typing Deluxe Version 11.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing Deluxe Version 11\MiniMavis.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{09AE4FA6-FCA4-4A4D-9C43-8B786B71DA49}: NameServer = 194.72.6.57
O17 - HKLM\System\CS1\Services\Tcpip\..\{09AE4FA6-FCA4-4A4D-9C43-8B786B71DA49}: NameServer = 194.72.6.57

Thanks
 
Likely list of HJT 'fix' candidates:

Code:
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

- Delete C:\WINDOWS\System32\P2P Networking\P2P Networking.exe

Code:
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer)

Code:
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.53/EPlugin_GB.cab

Make sure you understand the legitimacy (whois search) of the IP address 194.72.6.57, registered to RIPE Network Coordination Centre - Amsterdam. Sometimes your ISP will have entries like this, but most of the time it's a hijacker. This looks like a hijacker and it's important to remove, as it's running your DNS through a specified server (which could then point you wherever anyone wants when you type in addresses, e.g. take you to their own site instead of a bank and steal your passwords):

Code:
O17 - HKLM\System\CCS\Services\Tcpip\..\{09AE4FA6-FCA4-4A4D-9C43-8B786B71DA49}: NameServer = 194.72.6.57
O17 - HKLM\System\CS1\Services\Tcpip\..\{09AE4FA6-FCA4-4A4D-9C43-8B786B71DA49}: NameServer = 194.72.6.57


A BHO is generally an optional enhancement. In the case of a strange item, I would consider fixing the following:

Code:
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
 
Last item above is user optional:

O {5CA3D70E-1895-11CF-8E15-001234567890}: tfswshx.dll - Hewlett-Packard/Veritas DLA software

"I have obviously missed some other entries."

What leads to that statement? Are there still some symptoms which you are experiencing?



-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
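A defender-side triage helper for the entry types the reply above singles out, added here as an illustration (it is not the poster's code and not part of HijackThis). It parses HijackThis-style lines and flags an R1 ProxyServer value, the P2P Networking O4 autostart, and any O17 NameServer that is not in a list of resolvers the user trusts; the sample lines copy the format of the log above, and the trusted resolver 192.168.1.1 is a constructed stand-in for the ISP or router DNS.

```python
import ipaddress
import re

# Constructed sample in HijackThis log format (a handful of lines, not the full log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = syhg001:8080
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O17 - HKLM\System\CCS\Services\Tcpip\..\{09AE4FA6-FCA4-4A4D-9C43-8B786B71DA49}: NameServer = 194.72.6.57
O17 - HKLM\System\CS1\Services\Tcpip\..\{09AE4FA6-FCA4-4A4D-9C43-8B786B71DA49}: NameServer = 194.72.6.57
"""

# Every HijackThis item starts with a section code (R0, R1, O2, O4, O17, ...) and " - ".
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Return (section, body) pairs for item lines; header and process lines are skipped."""
    items = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            items.append((m.group("sec"), m.group("body")))
    return items


def triage(text, trusted_dns):
    """Flag a set proxy, the P2P Networking autostart, and O17 resolvers outside trusted_dns.

    trusted_dns is the list of resolver IPs the user knows to be legitimate (ISP/router).
    Returns a de-duplicated list of (kind, value) findings in log order.
    """
    trusted = {ipaddress.ip_address(ip) for ip in trusted_dns}
    findings = []
    for sec, body in parse_hjt(text):
        if sec == "R1" and "ProxyServer =" in body:
            proxy = body.split("=", 1)[1].strip()
            if proxy:                      # an empty value means no proxy is configured
                findings.append(("proxy", proxy))
        elif sec == "O4" and "p2p networking" in body.lower():
            findings.append(("autostart", body))
        elif sec == "O17" and "NameServer =" in body:
            # NameServer may hold several addresses separated by commas or spaces.
            for ip in body.split("=", 1)[1].replace(",", " ").split():
                try:
                    addr = ipaddress.ip_address(ip)
                except ValueError:
                    continue
                finding = ("dns", str(addr))
                # CCS and CS1 repeat the same resolver; report it once.
                if addr not in trusted and finding not in findings:
                    findings.append(finding)
    return findings
```

Feeding the real log to `triage` with the resolver your ISP actually hands out tells you whether 194.72.6.57 is expected or foreign on that machine.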
 
Get the latest version of HijackThis too, you are 2 versions behind at this point. Repost a new log.

----------
Computer TIPs - Columbus Computer Consultants
 
Thanks for the comments.

This computer user has gone on holiday and I can't get to the computer until next week. I will post another log if there are still problems.
 