Re: HijackThisLog Analysis - Firecadman
Date: Sunday, 10 October, 2004 4:13 AM
Remember: DO NOT run hijackthis.exe from inside the zip file. Unzip (extract) it to your desktop, then double-click the "HijackThis.exe" icon. This way a backup of the removed keys will be created on your desktop (useful if you remove them wrongly).
Here is what you should do.
Remove these ActiveX Objects (aka Downloaded Program Files) if you are not using them (O16):
O16 - DPF: {0E4796D6-A990-4372-9069-72FBDB4AE868} - http://one2one.com/static/class/one2oneSvc.cab
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} - http://streamp.babenet.com/cabs/videox.cab
O16 - DPF: {861FDA2A-2B57-4BDA-8B8B-305C9D5D8604} (_Multimedia Player) - http://pussyharem.com/stream/mmp.cab
Original log but with private information removed.
Logfile of HijackThis v1.98.2
Scan saved at 3:07:17 PM, on 10/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Temp Install\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlallhtm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O16 - DPF: {0E4796D6-A990-4372-9069-72FBDB4AE868} - http://one2one.com/static/class/one2oneSvc.cab
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} - http://streamp.babenet.com/cabs/videox.cab
O16 - DPF: {22D6F312-B0F6-0000-0000-000000000000} - http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/18cdf38c64fa59794220/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093195731171
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {861FDA2A-2B57-4BDA-8B8B-305C9D5D8604} (_Multimedia Player) - http://pussyharem.com/stream/mmp.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
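As an added example (mine, not Firecadman's and not part of HijackThis itself): a small Python script that parses the O16 "Downloaded Program Files" section of a HijackThis 1.98 log and sorts each ActiveX control by where it was downloaded from, so the "remove if you are not using them" entries above can be picked out mechanically rather than by eye. The sample lines are the O16 entries from this thread with "http://" written out; the allowlist of vendor domains is an assumption chosen for illustration and should be adjusted to what you actually trust.

```python
import re

# Constructed sample: O16 (Downloaded Program Files) entries in HijackThis v1.98 log
# format, copied from the log in this thread, plus one O2 line to show that lines
# from other sections are ignored.
SAMPLE_LOG = r"""
O16 - DPF: {0E4796D6-A990-4372-9069-72FBDB4AE868} - http://one2one.com/static/class/one2oneSvc.cab
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} - http://streamp.babenet.com/cabs/videox.cab
O16 - DPF: {22D6F312-B0F6-0000-0000-000000000000} - http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093195731171
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
"""

# Assumed allowlist of vendor domains whose controls one would normally keep
# (Windows Update, Symantec support tools, ...). Illustrative only.
TRUSTED_DOMAINS = ("microsoft.com", "symantec.com", "yahoo.com", "apple.com", "real.com")

# O16 line layout: "O16 - DPF: {CLSID} (optional friendly name) - <download source>"
O16_RE = re.compile(
    r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]{36})\}"
    r"(?: \((?P<name>[^)]*)\))?"
    r" -\s*(?P<source>.*?)\s*$"
)
# Scheme must be at least two characters so a bare drive letter ("C:\...") is not a scheme.
URL_RE = re.compile(r"^(?P<scheme>[a-z][a-z0-9+.-]+):(?://)?(?P<host>[^/?#\\]*)", re.I)
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")


def host_of(source):
    """Return (scheme, host) for a download source, or (None, None) if it has no URL scheme."""
    m = URL_RE.match(source)
    if not m:
        return None, None
    return m.group("scheme").lower(), m.group("host").split(":")[0].lower()


def is_trusted(host, trusted=TRUSTED_DOMAINS):
    """True if host is one of the allowlisted domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def triage_o16(log_text, trusted=TRUSTED_DOMAINS):
    """Parse every O16 line and attach a verdict a reviewer can act on."""
    entries = []
    for line in log_text.splitlines():
        m = O16_RE.match(line.strip())
        if not m:
            continue  # R0/O2/O4 etc. belong to other HijackThis sections
        source = m.group("source")
        scheme, host = host_of(source)
        if not source:
            verdict = "no-source"       # CLSID registered but no download URL recorded
        elif scheme == "file" or DRIVE_RE.match(source):
            verdict = "local"           # installed from a local file, e.g. by a product installer
        elif scheme in ("http", "https") and is_trusted(host, trusted):
            verdict = "trusted-vendor"
        else:
            verdict = "review"          # unknown origin: remove unless knowingly in use
        entries.append({"clsid": m.group("clsid"), "name": m.group("name") or "",
                        "source": source, "host": host, "verdict": verdict})
    return entries


def review_clsids(log_text, trusted=TRUSTED_DOMAINS):
    """CLSIDs of controls downloaded from a host that is not on the allowlist."""
    return [e["clsid"] for e in triage_o16(log_text, trusted) if e["verdict"] == "review"]


if __name__ == "__main__":
    for e in triage_o16(SAMPLE_LOG):
        print(f"{e['verdict']:14} {e['clsid']}  {e['host'] or e['source'] or '(none)'}")
```

On the sample, the two entries flagged "review" are exactly the one2one.com and babenet.com controls Firecadman lists for removal; the entry with an empty source is reported separately, since HijackThis shows no download URL for it and it has to be checked by hand in the Downloaded Program Files folder.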