
New to HijackThis, any input on this log?


rdrysda (Technical User)
Jul 13, 2004
Logfile of HijackThis v1.98.0
Scan saved at 5:44:52 PM, on 7/13/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Oak Technology\Oak SimpliCD\OAKTASK.EXE
C:\documents and settings\rob\local settings\temp\2Xc01.exe
C:\WINDOWS\System32\loaon.exe
C:\WINDOWS\System32\sniycyk.exe
C:\Program Files\Microsoft Office\Office\Osa.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Rob\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\CMMON32.EXE
C:\Program Files\Messenger\msmsgs.exe

O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SDWin32 Class - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINDOWS\System32\SWin32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [OAKSTART] C:\PROGRA~1\OAKTEC~1\OAKSIM~1\OAKSTART.EXE
O4 - HKLM\..\Run: [OAKTASK] C:\Program Files\Oak Technology\Oak SimpliCD\OAKTASK.EXE NOPOP
O4 - HKLM\..\Run: [2Xc01] C:\documents and settings\rob\local settings\temp\2Xc01.exe
O4 - HKLM\..\Run: [4@RBHS73HK@JF3] C:\WINDOWS\System32\XlwA.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [q85U36i] loaon.exe
O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe
O4 - HKLM\..\Run: [bwontexfs] C:\WINDOWS\System32\sniycyk.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} -
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0) -
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{BF0D8318-69BB-43AA-8217-0DA2A6D8064B}: NameServer = 66.79.193.10 66.79.193.11
O18 - Protocol: msero - {B0D92A71-886B-453B-A649-1B91F93801E7} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\msero.dll

Something is generating annoying popups and I see a few suspicious processes. Any input would be appreciated.

Rob
 
Unfamiliar EXEs - know what they are or do or find out:

C:\documents and settings\rob\local settings\temp\2Xc01.exe
C:\WINDOWS\System32\loaon.exe
C:\WINDOWS\System32\sniycyk.exe
C:\WINDOWS\System32\CMMON32.EXE


O4 - HKLM\..\Run: [2Xc01] C:\documents and settings\rob\local settings\temp\2Xc01.exe


An EXE running from a 'TEMP' folder - NEVER!!!


O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll

- a known malware item.
 
Hi Rob.
You've got a number of issues there.

Get the peper fix tool here (#11):

Reboot in safe mode, run the tool twice.
Empty your temp folder (If there is anything in there you are saving, move it to its own folder first).
Empty your temporary internet files folder.

Install HijackThis in its own folder, such as c:\hjt, to preserve its backups.

Run it and fix these items:
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} -
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0) -
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0)

Run spybot and adaware:

Then post another log and we can work on what is left.

Regards.

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 
Guys, how about throwing in some thoughts on things to look for. I'm sure AdAware or Spybot will find most of this stuff; some food for thought.

First off, nothing legitimate should ever be running out of a profile temp folder. The rare exception might be one of those installs where a zip.exe file extracts to a temp folder during installation. That process should quit pretty soon.

(I know vop, you pretty much said that).

Be wary of any weird program names like:

2Xc01.exe
loaon.exe
sniycyk.exe
CMMON32.EXE

About the only company that has program names like they took alphabet soup characters and put them in a bag, shook them up then drew them out and named the program in that order is HP. HP programs usually start with XP.

Use the Google search engine, put in the whole program name and see what turns up.

2XC01.EXE - gets one hit on a Japanese website - some kind of converter.

loaon.exe doesn't get any hits at all!

SNIYCYK.EXE doesn't get any hits at all!

CMMON32.EXE gets lots of hits but no one seems to have any comments on it.


Point is: if Adaware or a virus scanner doesn't show up something on these, then I still wouldn't hesitate to at least halt the process and see what happens. After you reload the operating system a couple of times you'll have a real good idea of what's important and what's not.

I'm not trying to be a smart ass but I keep seeing hijack this logs all over the internet but what I don't see is anyone trying to explain to the newbies how to start analyzing things themselves.
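The three rules of thumb the replies above give a newbie (an EXE running out of a profile temp folder, alphabet-soup program names, and the BHO called out as a known malware item) can be turned into a small triage script. The following is an added example written for this thread, not code from the poster, the replies or HijackThis itself; it assumes the line shapes seen in the log above (running-process paths, `O2 - BHO:` and `O4 - HKLM\..\Run:` entries), the sample log is constructed from lines of that log plus a few clean controls, and the "value name unrelated to executable" check is an extra heuristic of mine that the thread does not mention, so it is marked low confidence.

```python
import re

# Watchlist of BHO CLSIDs. The one entry is the BHO the reply above calls a
# known malware item; a real watchlist would be far longer.
BAD_CLSIDS = {"{00000010-6F7D-442C-93E3-4A4827C2E4C8}": "BHObj Class / nem219.dll"}

# Line shapes assumed from the log in this thread (HijackThis has more sections).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<where>.+?): \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")
PROC_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.IGNORECASE)

# Constructed sample: lines taken from the log above plus a few clean controls.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\documents and settings\rob\local settings\temp\2Xc01.exe
C:\WINDOWS\System32\sniycyk.exe

O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [OAKTASK] C:\Program Files\Oak Technology\Oak SimpliCD\OAKTASK.EXE NOPOP
O4 - HKLM\..\Run: [2Xc01] C:\documents and settings\rob\local settings\temp\2Xc01.exe
O4 - HKLM\..\Run: [q85U36i] loaon.exe
O4 - HKLM\..\Run: [bwontexfs] C:\WINDOWS\System32\sniycyk.exe
"""


def stem(name: str) -> str:
    # Lower-case file name (or bare value name) without directory or extension.
    return name.strip('"').split("\\")[-1].rsplit(".", 1)[0].lower()


def in_temp_folder(path: str) -> bool:
    # True when any directory component of the path is a temp folder.
    parts = path.strip('"').lower().split("\\")
    return any(p in ("temp", "tmp") for p in parts[:-1])


def looks_random(name: str) -> bool:
    """Alphabet-soup heuristic: letters mixed with digits, or almost no vowels
    ('y' counts as a vowel so names like SysTray are not flagged)."""
    s = stem(name)
    letters = [c for c in s if c.isalpha()]
    if not letters:
        return False
    if any(c.isdigit() for c in s):
        return True
    return sum(c in "aeiouy" for c in letters) / len(letters) < 0.2


def names_unrelated(value: str, filename: str) -> bool:
    # Run-key value name shares neither a substring nor a 3-letter prefix with the file.
    v, f = value.lower().replace(" ", ""), stem(filename)
    return not (v in f or f in v or v[:3] == f[:3])


def exe_path(cmd: str) -> str:
    # Executable from a Run command: the quoted part, or everything up to '.exe'.
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:] if end < 0 else cmd[1:end]
    m = re.match(r"(?i)(.+?\.exe)", cmd)
    return m.group(1) if m else cmd.split(" ")[0]


def analyze(log_text: str) -> list:
    """Return (reason, line) tuples for suspicious process, BHO and autorun lines."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if PROC_RE.match(line):
            if in_temp_folder(line):
                findings.append(("process running from a temp folder", line))
            elif looks_random(line):
                findings.append(("process with random-looking name", line))
            continue
        m = O2_RE.match(line)
        if m:
            tag = BAD_CLSIDS.get(m["clsid"].upper())
            if tag:
                findings.append(("BHO on watchlist: " + tag, line))
            continue
        m = O4_RE.match(line)
        if m:
            exe = exe_path(m["cmd"])
            if in_temp_folder(exe):
                findings.append(("autorun from a temp folder", line))
            elif looks_random(m["value"]) or looks_random(exe):
                findings.append(("autorun with random-looking name", line))
            elif names_unrelated(m["value"], exe):
                findings.append(("autorun value name unrelated to executable (low confidence)", line))
    return findings


if __name__ == "__main__":
    for reason, line in analyze(SAMPLE_LOG):
        print(f"{reason:<62} {line}")
```

On the sample it flags the temp-folder EXE twice (as a process and as a Run entry), the watchlisted BHO, the `[q85U36i] loaon.exe` entry through its digit-soup value name, and `[bwontexfs] sniycyk.exe` only through the low-confidence name-mismatch rule; `sniycyk.exe` itself slips past the vowel test, which is exactly why a script like this is a prompt to go and look something up, not a verdict. Legitimate entries with odd names (the thread's HP example) will also trip the random-name rule, so treat every hit as a lead for a search, a hash lookup or a scan rather than something to delete on sight.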
 
Oops, I missed the link to the FAQ above, sorry about that.

 