Jump to content


Hijack this log file

  • This topic is locked This topic is locked
2 replies to this topic

#1 lynchjo


    Advanced Member

  • Full Member
  • PipPipPip
  • 138 posts

Posted 07 June 2007 - 02:05 PM

A friend of mine gave me his laptop stating he could no longer get into IE. Laptop has Windows XP Pro. I cleaned a number of malwares with Spybot but it did not clean all of them. Could someone take a look at this log file from hijack this and tell me what to delete? Thanks in advance:

Logfile of HijackThis v1.99.1
Scan saved at 12:36:52 PM, on 6/7/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\2Wire Wireless\Client Manager\CMTWO.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_1/home.html"); (C:\Documents and Settings\ESH\Application Data\Mozilla\Profiles\default\u0x3p9n4.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\ESH\Application Data\Mozilla\Profiles\default\u0x3p9n4.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_6_0.DLL
O2 - BHO: (no name) - {1E6CE4CD-161B-4847-B8BF-E2EF72299D69} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: winapi32.MyBHO - {7A533235-A128-434B-9F8A-9300A544D191} - C:\WINDOWS\System32\winapi32.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_6_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [links] links.exe
O4 - HKLM\..\Run: [WinHound] C:\Program Files\WinHound\WinHound.exe
O4 - HKLM\..\Run: [W.PornTrojan] C:\WINDOWS\System32\porntrojan.exe
O4 - HKLM\..\Run: [X.32 Keylogger] C:\WINDOWS\System32\keylogger32.exe
O4 - HKLM\..\Run: [Universal Porn Dialer] C:\WINDOWS\System32\xxxdialer.exe
O4 - HKLM\..\Run: [Popup Maker] C:\WINDOWS\System32\popups.exe
O4 - HKLM\..\Run: [GlobalWorm.Z.32] C:\WINDOWS\System32\worm32/exe
O4 - HKLM\..\Run: [keylogger32.exe] C:\WINDOWS\System32\keylogger32.exe
O4 - HKLM\..\Run: [Porn.Popup.666] C:\WINDOWS\System32\popup_666.exe
O4 - HKLM\..\Run: [0cc20223.exe] C:\WINDOWS\System32\0cc20223.exe
O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\WINDOWS\smss.exe
O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINDOWS\winlogon.exe
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\System32\spoolsvv.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [0cc20223.exe] C:\Documents and Settings\ESH\Local Settings\Application Data\0cc20223.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: 2Wire Wireless Client Manager.lnk = ?
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Dell Home - {6167DD60-721A-11D4-A6F5-D04B52C183C4} - http://education.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .com/itw/infomark/246/809/43307485w3/purl=rc13_RBW_0_BI8240864&dyn=3!yrn_BI8240864?sw_aep=emory_main: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgall..._1/axofupld.cab
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: directpt - C:\WINDOWS\SYSTEM32\directpt.dll
O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users\Documents\Settings\polymorph.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Windows Service Manager (WSCM) - Unknown owner - C:\WINDOWS\System32\service.exe

#2 miekiemoes


    Malware Expert

  • Global Moderator
  • PipPipPipPipPip
  • 20,026 posts

Posted 08 June 2007 - 02:47 AM


Your system is terribly infected. Problem with these infections nowadays is, it causes a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible since it will be searching for a needle in a haystack to find the right cause and solution.

You are dealing with some very nasty pieces of malware...

These allow hackers to remotely control your computer, steal critical system information and Download and Execute files

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojans may be identified and can be killed, because of it's backdoor functionality, your PC is compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS.
Also, in your case, the damage it already caused is huge - so it is already too late to clean this up. As we say - it's "game over" here.

Especially the fact that this is an unpatched Windows (no service packs present) and no Virusprotection and Firewall present makes it almost impossible to clean this up.
And because of the lack of security, the malware already damaged A LOT and cannot be repaired, because nothing was preventing it previously.
Actually, when I look at this log, there's more malware present than anything else - very nasty pieces of malware.

That's why a format and reinstall is the only solution for the moment... the fastest and especially the safest solution.

Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

I wish you good luck and when you reinstall Windows, first thing you should do is installing a firewall, antivirus and then update your windows. Because without these patches, Antivirus and firewall, you'll get reinfected in no time.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#3 miekiemoes


    Malware Expert

  • Global Moderator
  • PipPipPipPipPip
  • 20,026 posts

Posted 18 June 2007 - 05:11 PM

Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.

If you need this topic reopened for continuations of existing problems, please tell the moderating team by replying here
This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button