
Spyware victim? - First time Hijack This log post


4 replies to this topic

#1 baabaa (Full Member, 11 posts)

Posted 15 July 2004 - 06:19 AM

I am getting many pop-ups, and my browser defaults to unusual home pages. I have run CWShredder, Ad-Aware and Spybot, but they have not fixed my problem.

I am also getting the message that Windows Installer is configuring PowerPoint 2002 for the first program that is opened (only once per computer start-up). It can be an Office program, NAV, IE, etc.

I also am unable to view my NAV virus activity report. I keep getting the message that the Common Client log viewer has encountered a problem.

Can someone review my log and help please?


Logfile of HijackThis v1.98.0
Scan saved at 8:07:47 PM, on 15/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ipdu32.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\addpo32.exe
C:\WINDOWS\System32\00THotkey.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ftdhc.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.attbusiness.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ftdhc.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ftdhc.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ftdhc.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ftdhc.dll/index.html#96676
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {6818C993-D3C4-9CB8-5FF2-04EAC7FEB4D4} - C:\WINDOWS\syssh.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TosHKCW.exe] C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TMEEJME.EXE] C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [addpo32.exe] C:\WINDOWS\addpo32.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\RunOnce: [ipdw32.exe] C:\WINDOWS\ipdw32.exe
O4 - HKLM\..\RunOnce: [crzy32.exe] C:\WINDOWS\crzy32.exe
O4 - HKLM\..\RunOnce: [ipdu32.exe] C:\WINDOWS\ipdu32.exe
O4 - HKLM\..\RunOnce: [javaom.exe] C:\WINDOWS\javaom.exe
O4 - HKLM\..\RunOnce: [appbe.exe] C:\WINDOWS\system32\appbe.exe
O4 - HKLM\..\RunOnce: [atlxs.exe] C:\WINDOWS\system32\atlxs.exe
O4 - HKLM\..\RunOnce: [javaby32.exe] C:\WINDOWS\system32\javaby32.exe
O4 - HKLM\..\RunOnce: [mspe.exe] C:\WINDOWS\mspe.exe
O4 - HKLM\..\RunOnce: [crgp32.exe] C:\WINDOWS\crgp32.exe
O4 - HKLM\..\RunOnce: [msyx.exe] C:\WINDOWS\msyx.exe
O4 - HKLM\..\RunOnce: [atlip32.exe] C:\WINDOWS\atlip32.exe
O4 - HKLM\..\RunOnce: [crol32.exe] C:\WINDOWS\crol32.exe
O4 - HKLM\..\RunOnce: [d3sv.exe] C:\WINDOWS\system32\d3sv.exe
O4 - HKLM\..\RunOnce: [winve.exe] C:\WINDOWS\system32\winve.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.apcstart.com
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab

#2 expertec (Retired Staff, 690 posts)

Posted 15 July 2004 - 09:44 AM

Download About:buster from http://downloads.sub...AboutBuster.zip and unzip it to your desktop.

Click here for instructions on how to boot into safe mode.

Boot up in safe mode.

Run About:Buster, click OK, Start, and OK again to start the scan. Let it scan and fix everything it finds. It should give you a log; copy this to a text file and save it.

Run About:Buster again, and save the second log as well.

Reboot your computer in normal mode.

Put HijackThis in its own permanent folder, or it will scatter backups on your desktop.

Then post a new HJT log and the logs from About:Buster.

#3 baabaa (Full Member, 11 posts)

Posted 15 July 2004 - 06:58 PM

Thanks expertec for your reply.

I have followed all of your recommendations and posted the two logs from About:Buster and the new HJT log. I have also put HijackThis in its own folder.

Note: I was interested to know if the BHO starting with "(no name)" and ending in "syssh.dll" was supposed to be there. I looked in the list of BHOs but couldn't find it. As I am new at this, I didn't want to delete it if I wasn't supposed to.


AB First Scan

-- Scan 1 --------
About:Buster Version 1.30
Removed! : C:\WINDOWS\addpo32.exe
Removed! : C:\WINDOWS\aicsuu.dat
Removed! : C:\WINDOWS\arpqbl.dat
Removed! : C:\WINDOWS\atlip32.exe
Removed! : C:\WINDOWS\bcamwr.dat
Removed! : C:\WINDOWS\bmgjnd.dat
Removed! : C:\WINDOWS\bmjfdp.dat
Removed! : C:\WINDOWS\cnaou.dat
Removed! : C:\WINDOWS\cqrfak.dat
Removed! : C:\WINDOWS\crgp32.exe
Removed! : C:\WINDOWS\crol32.exe
Removed! : C:\WINDOWS\crzy32.exe
Removed! : C:\WINDOWS\cuuoga.dat
Removed! : C:\WINDOWS\dgvdqi.dat
Removed! : C:\WINDOWS\diuedc.dat
Removed! : C:\WINDOWS\dpcby.dat
Removed! : C:\WINDOWS\dpcbyw.dat
Removed! : C:\WINDOWS\eoflde.dat
Removed! : C:\WINDOWS\eormcs.dat
Removed! : C:\WINDOWS\fjgalp.dat
Removed! : C:\WINDOWS\fwyvix.dat
Removed! : C:\WINDOWS\fzpzpk.dat
Removed! : C:\WINDOWS\gzjapz.dat
Removed! : C:\WINDOWS\ipdu32.exe
Removed! : C:\WINDOWS\ipdw32.exe
Removed! : C:\WINDOWS\javaom.exe
Removed! : C:\WINDOWS\kaafko.dat
Removed! : C:\WINDOWS\lddwqv.dat
Removed! : C:\WINDOWS\mspe.exe
Removed! : C:\WINDOWS\mssb.exe
Removed! : C:\WINDOWS\msyx.exe
Removed! : C:\WINDOWS\n_derjsa.dat
Removed! : C:\WINDOWS\n_ggopgn.dat
Removed! : C:\WINDOWS\n_pyrfhf.dat
Removed! : C:\WINDOWS\n_vzwozd.dat
Removed! : C:\WINDOWS\n_yrgxgb.dat
Removed! : C:\WINDOWS\oweixw.dat
Removed! : C:\WINDOWS\ozlqeo.dat
Removed! : C:\WINDOWS\ptljci.dat
Removed! : C:\WINDOWS\qkvnrv.dat
Removed! : C:\WINDOWS\qzpfkd.dat
Removed! : C:\WINDOWS\rhfftl.dat
Removed! : C:\WINDOWS\rpjhzs.dat
Removed! : C:\WINDOWS\sdkiw.exe
Removed! : C:\WINDOWS\syssh.dll
Removed! : C:\WINDOWS\vvehhc.dat
Removed! : C:\WINDOWS\wcpsuq.dat
Removed! : C:\WINDOWS\xdsvam.dat
Removed! : C:\WINDOWS\xypduj.dat
Removed! : C:\WINDOWS\ygaphx.dat
Removed! : C:\WINDOWS\ywerth.dat
Removed! : C:\WINDOWS\zhxngn.dat
Removed! : C:\WINDOWS\zwkoi.dat
Removed! : C:\WINDOWS\System32\appbe.exe
Removed! : C:\WINDOWS\System32\atlxs.exe
Removed! : C:\WINDOWS\System32\d3sv.exe
Removed! : C:\WINDOWS\System32\ftdhc.dll
Removed! : C:\WINDOWS\System32\itgos.dat
Removed! : C:\WINDOWS\System32\javaby32.exe
Removed! : C:\WINDOWS\System32\jhhho.dat
Removed! : C:\WINDOWS\System32\winve.exe
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!


AB Second Scan

-- Scan 1 --------
About:Buster Version 1.30
Attempted Clean Of Temp folder.
Pages Reset... Done!


New HJT Scan
Logfile of HijackThis v1.98.0
Scan saved at 9:38:51 AM, on 16/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Documents and Settings\Administrator\My Documents\Hijackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {6818C993-D3C4-9CB8-5FF2-04EAC7FEB4D4} - C:\WINDOWS\syssh.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TosHKCW.exe] C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TMEEJME.EXE] C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.apcstart.com
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab

#4 expertec (Retired Staff, 690 posts)

Posted 16 July 2004 - 03:11 AM

Run HijackThis again, scan, and tick these two:

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {6818C993-D3C4-9CB8-5FF2-04EAC7FEB4D4} - C:\WINDOWS\syssh.dll (file missing)


And these as well if you want; they aren't necessary, but they do use up resources:

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE


Close all windows except HijackThis and click "Fix Checked".

Should be clean then, and you should check out this article http://www.spywarein...ked/prevent.php to prevent it happening again. :)
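The two HijackThis logs in this thread show the pattern the helper acted on: R0/R1 start and search pages pointed into a res:// resource inside a DLL dropped in System32, an unnamed BHO loaded from the Windows root, and more than a dozen HKLM RunOnce entries pointing at randomly named EXEs. After About:Buster removed the files, the second log still carried two registry-only leftovers (the "(file missing)" BHO and the missing URLSearchHook), which is exactly what the "Fix checked" step in this post cleans up. The script below is an added example, not code from the thread or from the HijackThis or About:Buster projects: it parses HJT entry lines with the heuristics above, flags the hijacker indicators in the first log, shows that only registry residue remains in the second, and cross-checks the flagged file names against an excerpt of the About:Buster removal list. The sample inputs are copied from the logs posted above and cut down to the relevant entries; the rule set and function names are this example's own.

```python
"""Triage a HijackThis 1.98-style log for about:blank / CWS hijacker indicators.

Added example for this thread (not HijackThis or About:Buster code). Rules are
heuristics matching what the helper fixed here, not a general malware signature.
"""
import re

# Constructed sample: relevant entries copied from the first (infected) log above.
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ftdhc.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.attbusiness.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ftdhc.dll/index.html#96676
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {6818C993-D3C4-9CB8-5FF2-04EAC7FEB4D4} - C:\WINDOWS\syssh.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [addpo32.exe] C:\WINDOWS\addpo32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunOnce: [ipdw32.exe] C:\WINDOWS\ipdw32.exe
O4 - HKLM\..\RunOnce: [appbe.exe] C:\WINDOWS\system32\appbe.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

# Constructed sample: the same sections from the post-About:Buster log above.
LOG_AFTER = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {6818C993-D3C4-9CB8-5FF2-04EAC7FEB4D4} - C:\WINDOWS\syssh.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

# Excerpt of the "Removed! :" file names from the About:Buster log above (constructed subset).
AB_REMOVED = {"addpo32.exe", "ipdw32.exe", "appbe.exe", "syssh.dll", "ftdhc.dll"}

ENTRY = re.compile(r"^(?P<sec>R[0-3]|O\d+) - (?P<body>.+)$")
# res:// URL whose "host" is a DLL: IE renders an HTML page embedded in that DLL.
RES_DLL = re.compile(r"res://[^\s]*?\.dll/", re.I)
# A file sitting directly in the Windows root, not in a subfolder such as System32.
WINROOT = re.compile(r"^C:\\WINDOWS\\[^\\\s]+\.(exe|dll)", re.I)


def parse(log):
    """Yield (section, body) for every HijackThis entry line in the log text."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group("sec"), m.group("body")


def triage(log):
    """Return [(reason, entry_body)] for entries matching the hijacker heuristics."""
    findings = []
    for sec, body in parse(log):
        if sec in ("R0", "R1") and RES_DLL.search(body):
            findings.append(("page redirected into a DLL resource", body))
        elif sec == "R3" and "URLSearchHook is missing" in body:
            findings.append(("default URLSearchHook removed", body))
        elif sec == "O2" and "(no name)" in body:
            if "(file missing)" in body:
                # Registry key survived the file removal: needs a HJT "Fix checked".
                findings.append(("orphaned BHO registration, DLL gone", body))
            elif WINROOT.match(body.rsplit(" - ", 1)[-1]):
                findings.append(("unnamed BHO loaded from Windows root", body))
            else:
                findings.append(("unnamed BHO", body))
        elif sec == "O4":
            target = body.split("] ", 1)[-1].strip('"')
            if "RunOnce:" in body:
                # Installers clear RunOnce after one boot; persistent entries are a red flag.
                findings.append(("persistent RunOnce entry", body))
            elif WINROOT.match(target):
                findings.append(("Run entry pointing at Windows root", body))
    return findings


def referenced_files(findings):
    """Lower-cased EXE/DLL basenames named in flagged entries (registry-only entries yield none)."""
    names = set()
    for _, body in findings:
        for m in re.finditer(r"([A-Za-z0-9_]+\.(?:exe|dll))", body):
            names.add(m.group(1).lower())
    return names


if __name__ == "__main__":
    for label, log in (("before cleanup", LOG_BEFORE), ("after cleanup", LOG_AFTER)):
        print(f"--- {label} ---")
        for reason, entry in triage(log):
            print(f"{reason:40s} {entry}")
    print("flagged files not in About:Buster removal list:",
          referenced_files(triage(LOG_BEFORE)) - AB_REMOVED or "none")
```

Running it flags seven entries in the first log and only the two registry leftovers in the second; every file named by a flagged entry in the first log appears in the About:Buster removal excerpt, which is the confirmation a helper wants before telling the poster to fix the remaining keys. The Windows-root rule is deliberately narrow: legitimate OEM utilities such as TPWRTRAY.EXE and TFNF5.exe live in System32, so only files dropped straight into C:\WINDOWS are flagged, and RunOnce entries are flagged regardless of path.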

#5 baabaa (Full Member, 11 posts)

Posted 18 July 2004 - 07:11 PM

It worked perfectly; everything is fixed and working in order!

Thanks expertec for all your help, it is greatly appreciated.
:D



