• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
baabaa

Spyware victim? - First time Hijack This log post

5 posts in this topic

I am getting many pop-ups, and defaults to unusual home pages. I have run, cwshredder, ad-aware & spy-bot but they have not fixed my problem.

 

I am also getting the message that windows installer is configuring powerpoint2002 for the first program (only once per computer start up) which is opened. It can be, an office program or NAV or IE etc.

 

I also am unable to view my NAV virus avtivity report. I keep getting the message that common client log viewer has encountered a problem.

 

Can someone review my log and help please?

 

 

Logfile of HijackThis v1.98.0

Scan saved at 8:07:47 PM, on 15/07/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\drivers\KodakCCS.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\ScsiAccess.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\ipdu32.exe

C:\WINDOWS\System32\TPWRTRAY.EXE

C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe

C:\WINDOWS\System32\TFNF5.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\WINDOWS\addpo32.exe

C:\WINDOWS\System32\00THotkey.exe

C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ftdhc.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.attbusiness.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ftdhc.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ftdhc.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ftdhc.dll/sp.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ftdhc.dll/index.html#96676

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {6818C993-D3C4-9CB8-5FF2-04EAC7FEB4D4} - C:\WINDOWS\syssh.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE

O4 - HKLM\..\Run: [TosHKCW.exe] C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe

O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon

O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client

O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service

O4 - HKLM\..\Run: [TMEEJME.EXE] C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE

O4 - HKLM\..\Run: [TFNF5] TFNF5.exe

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [addpo32.exe] C:\WINDOWS\addpo32.exe

O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe

O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\RunOnce: [ipdw32.exe] C:\WINDOWS\ipdw32.exe

O4 - HKLM\..\RunOnce: [crzy32.exe] C:\WINDOWS\crzy32.exe

O4 - HKLM\..\RunOnce: [ipdu32.exe] C:\WINDOWS\ipdu32.exe

O4 - HKLM\..\RunOnce: [javaom.exe] C:\WINDOWS\javaom.exe

O4 - HKLM\..\RunOnce: [appbe.exe] C:\WINDOWS\system32\appbe.exe

O4 - HKLM\..\RunOnce: [atlxs.exe] C:\WINDOWS\system32\atlxs.exe

O4 - HKLM\..\RunOnce: [javaby32.exe] C:\WINDOWS\system32\javaby32.exe

O4 - HKLM\..\RunOnce: [mspe.exe] C:\WINDOWS\mspe.exe

O4 - HKLM\..\RunOnce: [crgp32.exe] C:\WINDOWS\crgp32.exe

O4 - HKLM\..\RunOnce: [msyx.exe] C:\WINDOWS\msyx.exe

O4 - HKLM\..\RunOnce: [atlip32.exe] C:\WINDOWS\atlip32.exe

O4 - HKLM\..\RunOnce: [crol32.exe] C:\WINDOWS\crol32.exe

O4 - HKLM\..\RunOnce: [d3sv.exe] C:\WINDOWS\system32\d3sv.exe

O4 - HKLM\..\RunOnce: [winve.exe] C:\WINDOWS\system32\winve.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O14 - IERESET.INF: START_PAGE_URL=http://www.apcstart.com

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab

Share this post


Link to post
Share on other sites

Download About:buster from http://downloads.subratam.org/AboutBuster.zip and unzip it to your desktop.

 

Click here for instructions on how to boot into safe mode.

 

Boot up in safe mode.

 

Run About:buster, click OK, Start, and OK again to start the scan. Let it scan and fix everything it finds. It should give you a log, copy this to a text file and save it.

 

Run about:buster again, and save the second log as well.

 

Reboot your computer in normal mode.

 

Put Hijackthis in it's own permanent folder, or it will scatter backups on your desktop.

 

Then post a new HJT log and the logs from about:buster.

Share this post


Link to post
Share on other sites

Thanks expertec for your reply.

 

I have followed all of your recommendations and posted the 2 logs from About:buster and the new HJT log - also, have put it in its own folder.

 

Note: I was interested to know if the BHO starting with (no name) and ending in "syssh.dll" was supposed to be there. I looked in the list of BHO's but couldn't find it. As I am new at this, I didn't want to delete it if I wasn't supposed to.

 

 

AB First Scan

 

-- Scan 1 --------

About:Buster Version 1.30

Removed! : C:\WINDOWS\addpo32.exe

Removed! : C:\WINDOWS\aicsuu.dat

Removed! : C:\WINDOWS\arpqbl.dat

Removed! : C:\WINDOWS\atlip32.exe

Removed! : C:\WINDOWS\bcamwr.dat

Removed! : C:\WINDOWS\bmgjnd.dat

Removed! : C:\WINDOWS\bmjfdp.dat

Removed! : C:\WINDOWS\cnaou.dat

Removed! : C:\WINDOWS\cqrfak.dat

Removed! : C:\WINDOWS\crgp32.exe

Removed! : C:\WINDOWS\crol32.exe

Removed! : C:\WINDOWS\crzy32.exe

Removed! : C:\WINDOWS\cuuoga.dat

Removed! : C:\WINDOWS\dgvdqi.dat

Removed! : C:\WINDOWS\diuedc.dat

Removed! : C:\WINDOWS\dpcby.dat

Removed! : C:\WINDOWS\dpcbyw.dat

Removed! : C:\WINDOWS\eoflde.dat

Removed! : C:\WINDOWS\eormcs.dat

Removed! : C:\WINDOWS\fjgalp.dat

Removed! : C:\WINDOWS\fwyvix.dat

Removed! : C:\WINDOWS\fzpzpk.dat

Removed! : C:\WINDOWS\gzjapz.dat

Removed! : C:\WINDOWS\ipdu32.exe

Removed! : C:\WINDOWS\ipdw32.exe

Removed! : C:\WINDOWS\javaom.exe

Removed! : C:\WINDOWS\kaafko.dat

Removed! : C:\WINDOWS\lddwqv.dat

Removed! : C:\WINDOWS\mspe.exe

Removed! : C:\WINDOWS\mssb.exe

Removed! : C:\WINDOWS\msyx.exe

Removed! : C:\WINDOWS\n_derjsa.dat

Removed! : C:\WINDOWS\n_ggopgn.dat

Removed! : C:\WINDOWS\n_pyrfhf.dat

Removed! : C:\WINDOWS\n_vzwozd.dat

Removed! : C:\WINDOWS\n_yrgxgb.dat

Removed! : C:\WINDOWS\oweixw.dat

Removed! : C:\WINDOWS\ozlqeo.dat

Removed! : C:\WINDOWS\ptljci.dat

Removed! : C:\WINDOWS\qkvnrv.dat

Removed! : C:\WINDOWS\qzpfkd.dat

Removed! : C:\WINDOWS\rhfftl.dat

Removed! : C:\WINDOWS\rpjhzs.dat

Removed! : C:\WINDOWS\sdkiw.exe

Removed! : C:\WINDOWS\syssh.dll

Removed! : C:\WINDOWS\vvehhc.dat

Removed! : C:\WINDOWS\wcpsuq.dat

Removed! : C:\WINDOWS\xdsvam.dat

Removed! : C:\WINDOWS\xypduj.dat

Removed! : C:\WINDOWS\ygaphx.dat

Removed! : C:\WINDOWS\ywerth.dat

Removed! : C:\WINDOWS\zhxngn.dat

Removed! : C:\WINDOWS\zwkoi.dat

Removed! : C:\WINDOWS\System32\appbe.exe

Removed! : C:\WINDOWS\System32\atlxs.exe

Removed! : C:\WINDOWS\System32\d3sv.exe

Removed! : C:\WINDOWS\System32\ftdhc.dll

Removed! : C:\WINDOWS\System32\itgos.dat

Removed! : C:\WINDOWS\System32\javaby32.exe

Removed! : C:\WINDOWS\System32\jhhho.dat

Removed! : C:\WINDOWS\System32\winve.exe

Attempted Clean Of Temp folder.

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

 

AB Second scan

 

-- Scan 1 --------

About:Buster Version 1.30

Attempted Clean Of Temp folder.

Pages Reset... Done!

 

 

New HJT Scan

Logfile of HijackThis v1.98.0

Scan saved at 9:38:51 AM, on 16/07/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\drivers\KodakCCS.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\ScsiAccess.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\TPWRTRAY.EXE

C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe

C:\WINDOWS\System32\TFNF5.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\WINDOWS\System32\00THotkey.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe

C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe

C:\Documents and Settings\Administrator\My Documents\Hijackthis\HijackThis.exe

 

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {6818C993-D3C4-9CB8-5FF2-04EAC7FEB4D4} - C:\WINDOWS\syssh.dll (file missing)

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE

O4 - HKLM\..\Run: [TosHKCW.exe] C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe

O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon

O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client

O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service

O4 - HKLM\..\Run: [TMEEJME.EXE] C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE

O4 - HKLM\..\Run: [TFNF5] TFNF5.exe

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe

O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O14 - IERESET.INF: START_PAGE_URL=http://www.apcstart.com

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab

Share this post


Link to post
Share on other sites

Run Hijackthis again, scan and tick these two:

 

R3 - Default URLSearchHook is missing

 

O2 - BHO: (no name) - {6818C993-D3C4-9CB8-5FF2-04EAC7FEB4D4} - C:\WINDOWS\syssh.dll (file missing)

 

And these as well if you want, they aren't necessary but they do use up resources

 

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

 

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

 

Close all windows except Hijackthis and click "Fix Checked".

 

Should be clean then, and you should check out this article http://www.spywareinfo.com/articles/hijacked/prevent.php to prevent it happening again. :)

Share this post


Link to post
Share on other sites

It worked perfectly, everything is fixed and working in order!

 

Thanks expertec for all your help, it is greatly appreciated.

:D

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0