Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

HJT Log

Status
Not open for further replies.
sdgman500

sdgman500

Technical User
Dec 8, 2003
41
US
Can somebody decipher this for me? Point me to the place were I can compare it and find out what is bad and needs to be deleleted?

Thanks for any help given!!!
Shane

Logfile of HijackThis v1.97.7
Scan saved at 4:53:56 PM, on 7/29/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Canon\iW DM\Program\Tsscdl.exe
C:\Program Files\Canon\iW DM\Program\IMSvr.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\MSSearch\Bin\mssearch.exe
C:\WINNT\Explorer.EXE
C:\exchsrvr\bin\exmgmt.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
K:\twmgr2002.exe
C:\WINNT\Mixer.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\eCopy\Desktop\PCLprint\mrmlnc32.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\docume~1\sgardner\locals~1\temp\a9nfa.exe
C:\documents and settings\sgardner\local settings\temp\ISAL.exe
C:\WINNT\system32\h32drv.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\system32\prirans.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\sgardner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\system32\SearchBar.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.10.0.105:8080
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: (no name) - {E48ED093-DB62-6948-FEC8-8002AA9CB782} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [scanfile2002 TIFFWriter] K:\twmgr2002.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eCopy Desktop Printer Service] C:\PROGRA~1\eCopy\Desktop\PCLprint\mrmlnc32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MSNSysRestore] C:\WINNT\system32\pc32.exe bg
O4 - HKLM\..\Run: [a9nfa.exe] C:\docume~1\sgardner\locals~1\temp\a9nfa.exe
O4 - HKLM\..\Run: [ISAL.exe] C:\documents and settings\sgardner\local settings\temp\ISAL.exe
O4 - HKLM\..\Run: [t7tg33Q] h32drv.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [cw2mRTc3e] prirans.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Shorten URL - O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - O16 - DPF: {12589FA1-C456-11CE-BF01-10AA1055595A} - O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - O16 - DPF: {E154E3CC-0C3A-4101-91D8-6B4876F0FD64} (PrintScreen Class) - O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bbpsd.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4FBA02E-CA4B-4A91-ADBE-7AFDF5C11A8D}: Domain = bbpsd.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4FBA02E-CA4B-4A91-ADBE-7AFDF5C11A8D}: NameServer = 10.10.0.150,10.10.0.105
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bbpsd.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = bbpsd.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bbpsd.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = bbpsd.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = bbpsd.com
 
Sort by date Sort by votes
EXEs running in a TEMP folder - these are almost always guaranteed to be bogus:

C:\docume~1\sgardner\locals~1\temp\a9nfa.exe
C:\documents and settings\sgardner\local settings\temp\ISAL.exe

The following two (2) items look suspect when you at the [corresponding registry name tags below]. Nothing in google on any of the four (4) EXEs:

C:\WINNT\system32\h32drv.exe
C:\WINNT\system32\prirans.exe

See if you can terminate each running process, one at a time, without consequence. Thereafter, fix each item below and subsequently (later) delete corresponding files. Registry entries in HJT would be recoverable:

O4 - HKLM\..\Run: [a9nfa.exe] C:\docume~1\sgardner\locals~1\temp\a9nfa.exe
O4 - HKLM\..\Run: [ISAL.exe] C:\documents and settings\sgardner\local settings\temp\ISAL.exe

O4 - HKLM\..\Run: [t7tg33Q] h32drv.exe
O4 - HKCU\..\Run: [cw2mRTc3e] prirans.exe
 
Upvote 0 Downvote
Also remove the following items:

O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: (no name) - {E48ED093-DB62-6948-FEC8-8002AA9CB782} - (no file)

John
 
Upvote 0 Downvote
The ones in my post are browser helper objects (BHOs) - you have to tick the items in HijackThis and have it fix them.

A browser helper object provides extra functionality to a browser, as the name suggests. While most are good (such as the Google toolbar or the MSN messenger button) some viruses/malware use this as a method of reloading themselves if they have not been reloaded properly.

Oh and I forgot, you should remove this one as well.

O4 - HKLM\..\Run: [MSNSysRestore] C:\WINNT\system32\pc32.exe bg

John
 
Upvote 0 Downvote
When you completed your due diligence, close all 'browser' windows. Check the 02 and 04 entries noted above and select the 'fix checked' button in HJT.

What are they? Who knows. There certainly is no Google discussion on them. They definitely appear to be very unfamiliar or odd. Yet caution is always advised. That is why test killing each running process (and/or controlling process) is always adviseable to ascertain any possible negative side effects.

Also, you should know how to recover any of the above 'fixed' entries. Check out the restore button trail 'Config'> 'Backups' > 'Restore' in HJT. Practice the recovery process on one of the TEMP entries to get the hang of it.
 
Upvote 0 Downvote
Here is my latest log, how does that look?

Logfile of HijackThis v1.97.7
Scan saved at 9:02:18 AM, on 7/30/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Canon\iW DM\Program\Tsscdl.exe
C:\Program Files\Canon\iW DM\Program\IMSvr.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\MSSearch\Bin\mssearch.exe
C:\exchsrvr\bin\exmgmt.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
K:\twmgr2002.exe
C:\WINNT\Mixer.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\eCopy\Desktop\PCLprint\mrmlnc32.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINNT\system32\mcavices.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\sgardner\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.10.0.105:8080
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [scanfile2002 TIFFWriter] K:\twmgr2002.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eCopy Desktop Printer Service] C:\PROGRA~1\eCopy\Desktop\PCLprint\mrmlnc32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MSNSysRestore] C:\WINNT\system32\pc32.exe bg
O4 - HKLM\..\Run: [t7tg33Q] mcavices.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Shorten URL - O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - O16 - DPF: {12589FA1-C456-11CE-BF01-10AA1055595A} - O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - O16 - DPF: {E154E3CC-0C3A-4101-91D8-6B4876F0FD64} (PrintScreen Class) - O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bbpsd.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4FBA02E-CA4B-4A91-ADBE-7AFDF5C11A8D}: Domain = bbpsd.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4FBA02E-CA4B-4A91-ADBE-7AFDF5C11A8D}: NameServer = 10.10.0.150,10.10.0.105
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bbpsd.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = bbpsd.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bbpsd.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = bbpsd.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = bbpsd.com
 
Upvote 0 Downvote
You have a completely new suspect EXE and entry:

C:\WINNT\system32\mcavices.exe


O4 - HKLM\..\Run: [t7tg33Q] mcavices.exe



I would suggest that you run Process Explorer. Sort on company name and look for any EXE that might be unfamiliar and hence a spawning source.

Also, any unfamiliar 016 CAB files might be the source for delivering hidden (compressed content) payloads. If in doubt delete any suspect CAB entries:

O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} -

See the following link for discussion on this one:

 
Upvote 0 Downvote
You definitely have some funny business going on:

O4 - HKLM\..\Run: [t7tg33Q] h32drv.exe



The tag {name] is the same but different EXE.
 
Upvote 0 Downvote
Terminate mcavices.exe and K:\twmgr2002.exe with task manager or Process Explorer from before going ahead with the removal, now remove the following:

O4 - HKLM\..\Run: [MSNSysRestore] C:\WINNT\system32\pc32.exe bg
O4 - HKLM\..\Run: [t7tg33Q] mcavices.exe
O4 - HKLM\..\Run: [MSNSysRestore] C:\WINNT\system32\pc32.exe bg
O4 - HKLM\..\Run: [t7tg33Q] mcavices.exe
O4 - HKLM\..\Run: [scanfile2002 TIFFWriter] K:\twmgr2002.exe

John
 
Upvote 0 Downvote
Holy crap....I'm feel like I'm fighting a losing battle. Should I just rebuild my PC? Is that a smarter/easier move?

Anyhow, until then, I'll keep "Fixing" with your suggestions. Thanks guys.
 
Upvote 0 Downvote
The PC unwellness battles are unending (estimated at 6-10 days a year). How many times do we really want to be faced with a rebuilding possibility? This is a learning opportunity less we make the same avoidable or recurring mistakes over and over again. We increasingly need to better prepare ourselves and PCs for the next battles to come. The bad guys are getting better at this. Maybe we need to get better and more diligent at this too.


Was it something you did or didn't do? Was it just bad luck? Do guests or childeren ever use your PC? Do you run (updated) anti-malware tools on a regular basis? Is there a need for some new preventative or alert tools (such as Teatimer and SpywareGuard)? Are you behind a router and/or firewall (using SPI or WAN Blocking)?

Once you have a stable system, try placing all the HJT entries on the Ignorlist. Next time you have a problem, you will find yourself looking at a very short list of likely possible suspects.
 
Upvote 0 Downvote
sdgman500,

There's an FAQ in this forum I wrote on how to understand HijackThis log entries, you may find it helpful to read.

John
 
Upvote 0 Downvote
Well I seem to have defeat the monster. I appreciate all your help. Between Adware and Sybot to clean and spywareblast to stop at the front end, seems to be staying clean right now.

Thanks guys and gals
Shane
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

TheAceMan1
  • Locked
  • Question
Another HJT Log 2
Replies
5
Views
108
BadBigBen
BadBigBen
electricpete
  • Locked
  • Question
ComboFix log 2
Replies
15
Views
273
electricpete
electricpete
electricpete
  • Locked
  • Question
Rootkit Reveal Log 1
Replies
2
Views
74
goombawaho
goombawaho
MarkZK
  • Locked
  • Question
Another HJT log 1
Replies
3
Views
71
BadBigBen
BadBigBen
lancekidd
  • Locked
  • Question
Hijack Log
Replies
7
Views
105
kjv1611
kjv1611

Part and Inventory Search

Sponsor

Back
Top