Jump to content


Photo

hijack this log


  • Please log in to reply
3 replies to this topic

#1 fool

fool

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 17 June 2004 - 08:48 AM

Logfile of HijackThis v1.97.7
Scan saved at 9:44:54 AM, on 6/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\Webroot\My Personal Favorites\pbmarks.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Gordoware\connectto.exe
C:\Bentley\Program\Microstation\ustation.exe
C:\PROGRA~1\FTPSOF~1\ONNETH~1\tnvt\TNVT.EXE
C:\apps\fldview\CODE\FVIEW\BIN\FLDVIEW.EXE
C:\WINDOWS\System32\RUNDLL32.exe
C:\Lotus\Notes\NLNOTES.EXE
C:\Lotus\Notes\nhldaemn.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\iexplore.exe
C:\temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nwramsweb.ftw....gte.com/eposs/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nwramsweb.ftw....gte.com/eposs/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy.ver...gi-bin/getproxy
O1 - Hosts: icgsfl1.tampfl.tel.gte.com 136.151.95.134
O1 - Hosts: icgsfl1.tampfl.tel.gte.com 136.151.93.5
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [Bookmarks] C:\Program Files\Webroot\My Personal Favorites\pbmarks.exe /S
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "v229125"
O4 - Global Startup: CheckMaps.lnk = C:\Program Files\Gordoware\CheckMaps.exe
O4 - Global Startup: connectto.lnk = ?
O14 - IERESET.INF: START_PAGE_URL=http://nwramsweb.ftwyin.tel.gte.com/eposs/
O15 - Trusted Zone: http://www.srdunderground.com
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...38028.600775463
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eposs1.verizon.com
O17 - HKLM\Software\..\Telephony: DomainName = eposs1.verizon.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E924730-4AAA-49AD-A35C-DF9C316081C7}: NameServer = 144.70.31.117,144.70.124.35
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eposs1.verizon.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = Verizon.com,Vznotes.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{4E924730-4AAA-49AD-A35C-DF9C316081C7}: NameServer = 144.70.31.117,144.70.124.35
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = eposs1.verizon.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = Verizon.com,Vznotes.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{4E924730-4AAA-49AD-A35C-DF9C316081C7}: NameServer = 144.70.31.117,144.70.124.35
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = Verizon.com,Vznotes.com

Edited by fool, 17 June 2004 - 09:54 AM.


#2 fool

fool

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 17 June 2004 - 08:49 AM

--==***@@@ FIND-ALL' VERSION MODIFIED -6/14 @@@***==--
--==***@@@ ORIGINAL BY FREEATLAST @@@***==--

Thu 06/17/2004
09:39 AM

System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "" (E839:D3B0) - FS:NTFS clusters:4k
Total: 119 957 479 424 [112G] - Free: 113 088 073 728 [105G]


*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
*Notepad version :
5.1.2600.0 C:\WINDOWS\system32\notepad.exe
5.1.2600.0 C:\WINDOWS\notepad.exe
*Media Player version :
8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q832894;Q330994;Q837009;Q831167;



Locked or 'Suspect' file(s) found...
These may be other files that Dllfix doesnt target.
If not file is listed than Dllfix may not Help.
in this case please post the contents of Windows.txt to the appinit
entry can be checked. You will find it in the dllfix folder after findall completes.


Scanning for main Hijacker:


Dllfix must have the Hijackerfiles in system32 to fix properly.
If there are no protocal keys text/html and text/plain
then dllfix may not work. This fix targets this type Hijack Entry.
that keeps reoccuring with different filenames.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page
= res://C:\WINDOWS\System32\xxxxxx.dll/sp.html (obfuscated)
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"


! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls REG_SZ

*Security settings for 'Windows' key:

If error than registry may need to be restored from option 4.

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM

#3 fool

fool

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 17 June 2004 - 09:56 AM

I cleaned a lil more in hijack this and updated my original post. The hosts are still there but most are used for work. I just removed them from the logfile. I'm still coming up with a cws jksearch remove in cwshredder. Anyone have any ideas what I can do to remove this problem?

#4 fool

fool

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 21 June 2004 - 12:48 PM

any ideas on this problem?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button