Jump to content


Photo

HiJackLog after fixing and running scans


  • This topic is locked This topic is locked
10 replies to this topic

#1 gtswhitt

gtswhitt

    Member

  • Full Member
  • Pip
  • 13 posts

Posted 15 May 2004 - 09:58 PM

http://www.spywarein...showtopic=46920

Budfred,
The link above is to the old forum discussion. I downloaded spybot and updated adware and used those and also Norton and cleaned up everything except this in spybot that I could not get out. Do you know a way to work around this since Microsoft doesn't have a patch? Another site spybot lead me to said to change 1004 to 3, but I don't know how to do this and it scared me looking at it.

(Below this image is my new log) Please let me know anything else I should do concerning this and the original top about my problem with the confidential information. Thanks.

EDITED: See third message about OTHER information that Budfred told me to get for him..............

Posted Image

Logfile of HijackThis v1.97.7
Scan saved at 10:19:40 PM, on 5/15/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISSERV.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\IAMAPP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\OPLIMIT\OCRAWARE.EXE
C:\OPLIMIT\OCRAWR32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\ATRACK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\SYSTEM\S3APPHK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\REGISTER\REMIND32.EXE
C:\PROGRAM FILES\SPYBOT\TEATIMER.EXE
C:\WINDOWS\TEMP\TD_0002.DIR\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F1 - win.ini: load=C:\OPLIMIT\ocraware.exe
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT\SDHELPER.DLL
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [USBMonit.exe] "C:\WINDOWS\SYSTEM\USBMonit.exe"
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IrMon] irmon.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [CamCheck] C:\Program Files\NuCam\CamCheck\CamCheck.exe
O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE"
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\Run: [Adaware Bootup] C:\PROGRAM FILES\LAVASOFT AD-AWARE\AD-AWARE.EXE /Auto /Log "C:\PROGRAM FILES\LAVASOFT AD-AWARE\"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot\TeaTimer.exe
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Startup: HP OfficeJet Series 500 StartUp.lnk = C:\Program Files\HP OfficeJet Series 500\bin\HPOstart.exe
O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Startup: Desktop Application Director 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
O4 - Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Net2Phone (HKLM)
O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {DC5DD24E-567B-11D5-8997-00104BD12D94} (pcdr Class) - http://www.pcpitstop...ess/pcdrCom.CAB
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos.msn.co....cab?4,0,1009,0
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7588.5539236111
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0309.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macrom...tor/cabs/sw.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.chart...oad/tgctlcm.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.dll
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots....SDownloader.ocx
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft...ols/DoomCln.CAB
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft...ols/SassCln.CAB

Edited by gtswhitt, 16 May 2004 - 07:38 AM.


#2 gtswhitt

gtswhitt

    Member

  • Full Member
  • Pip
  • 13 posts

Posted 16 May 2004 - 07:16 AM

Please could somebody look at this?

#3 gtswhitt

gtswhitt

    Member

  • Full Member
  • Pip
  • 13 posts

Posted 16 May 2004 - 07:46 AM

This is the right hand side of the SPYBOT screen. (picture below)

This is the greymagic website that talks about this and the registry change that I am unsure of if I should do or how to do it. This is the site that is listed on the right hand side of the SPYBOT screen. The DSO exploit will not delete/fix.

http://www.greymagic...ories/gm001-ie/

Solution: There is no configuration-tweaking workaround for this bug, it will work as long as the browser parses HTML. The only possible solution must come in the form of a patch from Microsoft.
Update - 3 Mar 2002
Since the injected <object> runs in the "My Computer" Zone changing the Internet Zone's settings didn't affect it, but changing the correct zone's settings will prevent this exploit from running.
Here is the registry information:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]Change the value of "1004" (DWORD) to 3.



Posted Image

Edited by gtswhitt, 16 May 2004 - 07:49 AM.


#4 Budfred

Budfred

    Malware Hound

  • Administrators
  • PipPipPipPipPip
  • 21,305 posts

Posted 16 May 2004 - 07:53 AM

Your log looks clean except for this. It is probably benign, but fix it anyway:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

Next, please have a little patience... we are volunteers here and do need to sleep at times....

Then, are you sure that Spybot didn't already do the registry edit is question. The green checkmark usually means the problem is fixed. Also, this is simply a vulnerability, not an actual bit of malware, so it is not something that you absolutely have to fix... MS will probably eventually have a patch....
Budfred

Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"

#5 gtswhitt

gtswhitt

    Member

  • Full Member
  • Pip
  • 13 posts

Posted 16 May 2004 - 09:13 AM

I was patient to begin with and then started seeing those posting their hijacklogs being helped that very day while mine ended up on page five. It's been 8 days and my first log hasn't even been looked at. Now that my system has changed and there's a new log, I didn't want to wait 8 more days so bumped it like this site told me to do. Sorry about the impatience but I didn't want to hang out on this site for another week while others were being helped that same day.

Thanks for the help. I still have the email issue. It's still stuck there.

#6 Budfred

Budfred

    Malware Hound

  • Administrators
  • PipPipPipPipPip
  • 21,305 posts

Posted 16 May 2004 - 10:36 AM

I am sorry for the long wait, I will send you a full refund of your fee immediately..... And BTW, the FAQ suggests bumping the thread after waiting for 12 hours with no response. If you had stayed to one thread, you would not even have needed to do that.

Now getting back to the problem at hand.... What email issue??
Budfred

Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"

#7 gtswhitt

gtswhitt

    Member

  • Full Member
  • Pip
  • 13 posts

Posted 16 May 2004 - 11:49 AM

I told you before I had different issues and have more than one thread. The email issue is on the other thread, but you should already know that since you're keeping track so closely of what I post and then telling me not to. I can't open another thread to talk about the email issue that was on the other server because you won't allow me to. As a matter of fact, I'm not even allowed to discuss it on this one, since I'm thinking you're allowing me to at least post here, but within the topic of discussion, but the email issue is a different topic, therefore on another thread. (on the old server). So we can go round and round about this, but I'll just assume you're a hostile host and will start over some other way.

Are we only allowed to post under one topic? Can we not all of a sudden think that something within one discussion really may be a whole new discussion and open that thought up elsewhere? Give me a break and go pick on someone else.

#8 Budfred

Budfred

    Malware Hound

  • Administrators
  • PipPipPipPipPip
  • 21,305 posts

Posted 16 May 2004 - 11:58 AM

I am not trying to pick on you... I have asked you to keep all the information together because it generally all relates to each other... There is absolutely no reason why you can't post the relevant information in this thread with links to whatever you are referring to in the old SWI forum... I am trying to help, but I need you to share the information in a manner that allows me to do so. If you don't want that help, that is certainly your choice....
Budfred

Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"

#9 gtswhitt

gtswhitt

    Member

  • Full Member
  • Pip
  • 13 posts

Posted 16 May 2004 - 02:44 PM

Yes, I would like help. I did not think it was sensible to post this into the same thread. But here's where I need the help.

http://www.spywarein...=ST&f=5&t=47069

#10 Budfred

Budfred

    Malware Hound

  • Administrators
  • PipPipPipPipPip
  • 21,305 posts

Posted 16 May 2004 - 03:20 PM

Are you still getting the warning from Norton occasionally about "Trois de something" or did that stop after the HJT fixes you did??

For the email that you can't delete, try turning off that function in Norton, deleting the emails and then turn it back on...

For the point about saving numbers in Nortons vault... this is only necessary if you keep those numbers somewhere else on your computer and you don't want any programs to access them. If the only place you have them stored is in Norton, you can empty that vault. If you have them elsewhere, I would urge you to consider purging them from there and from Norton. I don't keep any sensitive info like that on my computer because I don't trust the security programs to properly protect them anyway...

Norton 2004 Security suite is known to have even more bugs than usual, so it is quite possible that this is the main problem. You might want to check with Norton to see what they say about it...
Budfred

Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"

#11 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 04 October 2004 - 01:55 AM

Due to the time passed without a response in this thread - I am closing it.

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button