Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Hijack This Log


  • Please log in to reply

#1
Moggy

Moggy

    Member

  • Member
  • PipPip
  • 11 posts
My log is posted below, but first a little background. I installed SP 2 last night, and, aside form things being a bit slower, have experienced no major problems. However, when starting or restarting my computer, the Spybot S&D resident asks me to allow or deny two registry changes. Here are my most recent decisions about them (made after the HJT scan):

9/12/2004 12:00:39 PM Allowed value "{8E718888-423F-11D2-876E-00A0C9082467}" (new data: "") deleted in Global browser toolbar!

9/12/2004 12:01:26 PM Denied value "Local Page" (new data: "C:\WINDOWS\system32\blank.htm") changed in Browser page!

Should I allow or deny them permanently?

Here is the log. Ran Spybot S&D, Ad-Aware and CWS Shredder beforehand:

Logfile of HijackThis v1.98.2
Scan saved at 11:54:43 AM, on 9/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
C:\Program Files\Trend Micro\PC-cillin 2003\PccPfw.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adelphiapowerpage.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\QUICKEN\bagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.adelphia.com
O15 - Trusted Zone: *.adelphiapowerpage.com
O15 - Trusted Zone: *.adobe.com
O15 - Trusted Zone: *.antivirus.com
O15 - Trusted Zone: *.blackcode.com
O15 - Trusted Zone: *.coldwatercreek.com
O15 - Trusted Zone: *.doxdesk.com
O15 - Trusted Zone: *.dslreports.com
O15 - Trusted Zone: *.go.com
O15 - Trusted Zone: *.historychannel.com
O15 - Trusted Zone: *.ifilm.com
O15 - Trusted Zone: *.irs.gov
O15 - Trusted Zone: *.java.com
O15 - Trusted Zone: *.security.kolla.com
O15 - Trusted Zone: *.lavasoft.de
O15 - Trusted Zone: *.lavasoft.nu
O15 - Trusted Zone: *.lavasoftsupport.com
O15 - Trusted Zone: *.macromedia.com
O15 - Trusted Zone: *.markusjansson.net
O15 - Trusted Zone: *.michiganpreps.com
O15 - Trusted Zone: *.windowsupdate.microsoft.com
O15 - Trusted Zone: *.mlive.com
O15 - Trusted Zone: *.hotmail.msn.com
O15 - Trusted Zone: *.napster.com
O15 - Trusted Zone: *.netscape.com
O15 - Trusted Zone: *.pandasoftware.com
O15 - Trusted Zone: *.passport.com
O15 - Trusted Zone: *.passport.net
O15 - Trusted Zone: *.pcpitstop.com
O15 - Trusted Zone: *.real.com
O15 - Trusted Zone: *.richardthelionhearted.com
O15 - Trusted Zone: *.rivals.com
O15 - Trusted Zone: *.1.spywareinfo.com
O15 - Trusted Zone: *.stanford.edu
O15 - Trusted Zone: *.java.sun.com
O15 - Trusted Zone: *.thehistorychannel.com
O15 - Trusted Zone: *.theinsiders.com
O15 - Trusted Zone: *.library.toledo.oh.us
O15 - Trusted Zone: *.trendmicro.com
O15 - Trusted Zone: *.tucows.com
O15 - Trusted Zone: *.vanguard.com
O15 - Trusted Zone: *.vivisimo.com
O15 - Trusted Zone: *.windowsecurity.com
O15 - Trusted Zone: *.windowsmedia.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsec...an/TDECntrl.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.napster.c...lient/setup.exe
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.c...ient/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -

Thanks in advance for any assistance.
  • 0

Advertisements


#2
admin

admin

    Founder Geek

  • Administrator
  • 24,501 posts

9/12/2004 12:00:39 PM Allowed value "{8E718888-423F-11D2-876E-00A0C9082467}" (new data: "") deleted in Global browser toolbar!

9/12/2004 12:01:26 PM Denied value "Local Page" (new data: "C:\WINDOWS\system32\blank.htm") changed in Browser page!

Your log is clear, but those entries are very suspicious. I'd deny the changes permanently, but I'm also curious what's responsible for them. <_<
  • 0

#3
Moggy

Moggy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Thanks for your prompt reply, Admin.

Unless something piggybacked on the SP2 download, I'm not sure how anything bad got in. Despite the reference to IE in my log, I use Mozilla.

I did a search on 8E718888-423F-11D2-876E-00A0C9082467 and found conflicting info on it. I'll research it some more. If I get definitive information about it, I'll post it FYI. Interestingly, I tried to deny it several times last night, but the system wouldn't allow it. Perhaps it is important to allow. Again, I'll research further.
  • 0

#4
tempratlief

tempratlief

    New Member

  • Member
  • Pip
  • 4 posts
Couldn't find c:\windows\wupdt.exe. Everything is working great! <_<

Logfile of HijackThis v1.98.2
Scan saved at 8:33:02 AM, on 9/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
C:\WINDOWS\essspk.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\exec.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\NetZero\qsacc\x1exec.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\David\Desktop\Definitely Not Burned Yet\Spyware info\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.ne...ch?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.surfbest.net/home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.ne...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.ne...ch?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\toolbar.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe -cb
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\HydraVision\HydraDM.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKCU\..\RunOnce: [untd_recovery] C:\Program Files\NetZero\qsacc\x1exec.exe
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_4us.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{17229449-ED39-489B-9407-54E504F1BF62}: NameServer = 64.136.20.121 64.136.28.121
O17 - HKLM\System\CS1\Services\Tcpip\..\{17229449-ED39-489B-9407-54E504F1BF62}: NameServer = 64.136.20.121 64.136.28.121
  • 0

#5
Moggy

Moggy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Well, it appears that 8E718888-423F-11D2-876E-00A0C9082467 is this microsoft entity:

Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

It appeared on several HJT posts that I found, and only one person recommended zotting it and he was overrruled:

http://forums.techgu...threadid=191043
(4th post down)

This forum indicates that it would be wise not to do anything to it:

http://computercops....postp34269.html

I also searched on C:\WINDOWS\system32\blank.htm. It, too, appeared in HJT logs, but rarely drew comment from the person analyzing it. Although one or two did suggest getting rid of it after doing some more serious cleanup.

So, I guess I'll see what happens when I boot up tonight. Looks like I'll ask SB/SD to permamnently allow the toolbar change. Not sure what to do about the system32 issue, however.
  • 0

#6
admin

admin

    Founder Geek

  • Administrator
  • 24,501 posts

Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

That entry is certainly legitimate.

C:\WINDOWS\system32\blank.htm

Doesn't mean much on it's own, but often indicates a hijacked homepage.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP