HiJack This Log

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by kenny, May 19, 2004.

  1. kenny

    kenny Private E-2

    Below I have added a log after running Hijack on my Cousins computer. We ran Spybot & Adaware & found many items of spyware which have now been cleaned off Also have ran her Virus scan which is always kept updated. Her problem started last weekend when she was unable to shut down her computer & had to pull the plug from the wall. Also when she logged on to Yahoo with her username & password a welcome message came up but it wasn,t her name, but someone else She shut down then signed on again with Yahoo & another name came up different from the first This is what prompted me to think she had either spyware or worst A Hacker on her system I should add also that her computer started running very slow Her Email even stopped flowing but now is ok because I re done all the settings again She is running XP Home. After all this had been done I decided to run HiJack & post it here hoping that someone could look at it for us & tell iff it is OK or if something else is still there that shouldn,t be
    Thanks for any help someone can give,
    Kenny


    Logfile of HijackThis v1.97.7
    Scan saved at 3:17:57 PM, on 19/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    C:\WINDOWS\System32\nvsvc32.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\Windows\system32\HpSrvUI.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\system32\ps2.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\Washer\washer.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\RDSHOST.exe
    C:\WINDOWS\system32\sessmgr.exe
    C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpctr.exe
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpCtr.exe
    C:\Program Files\MRU-Blaster\scheduler.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpCtr.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for HIJACK THIS (anti hijacker tool).zip\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iprimus.com.au/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://au4.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://au4.hpwis.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.iprimus.com.au:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = www.iprimus.com.au
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: McAfee Privacy Service - {cc4b2ee5-4803-11d7-8a38-00b0d0c6b814} - C:\Program Files\McAfee\McAfee Privacy Service\GDIEHELP.DLL
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
    O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe
    O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [McAfee Guardian] C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe /SU
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
    O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\McRegWiz.exe /autorun
    O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
    O4 - HKLM\..\RunOnce: [MRUBlaster] C:\Program Files\MRU-Blaster\indexcleaner.exe -CACHE
    O4 - HKCU\..\RunOnce: [DelayShred] "C:\Program Files\McAfee\McAfee Shared Components\Shredder 5\SHRED32.EXE" /q C:\DOCUME~1\Owner\LOCALS~1\TEMPOR~1\Content.SH! C:\DOCUME~1\Owner\LOCALS~1\History\History.SH!
    O4 - Startup: MRU-Blaster Scheduler.lnk = C:\Program Files\MRU-Blaster\scheduler.exe
    O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O8 - Extra context menu item: &Define - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Look Up in &Encyclopedia - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O8 - Extra context menu item: Translate Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Encarta Encyclopedia (HKLM)
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
    O9 - Extra button: Define (HKLM)
    O9 - Extra 'Tools' menuitem: Define (HKLM)
    O9 - Extra button: Privacy Bar (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-au/4,0,0,76/mcinsctl.cab
    O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleon/1.1.54-deleon/GoogleNav.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/286/webolr/OCX/FlashAX.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7692FD42-00B6-4AA3-9B93-C18B45CC6736}: NameServer = 203.134.24.70 203.134.26.70
     
    kenny, May 19, 2004
    #1
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I did not have time to check through you complete log right now but have to wonder whether you enabled Remote Desktop Help for some reason. See this link: http://www.answersthatwork.com/Tasklist_pages/tasklist_s.htm

    and the Sessmgr task. It states:

    [font=Verdana, Arial]Remote Desktop Help Session Manager. This service manages and controls Remote Assistance, a “named‑for‑lay‑persons” subset of Microsoft’s Remote Desktop Sharing technology. Introduced in Windows XP and also present in Windows 2003 server, but not present, by design, in Windows XP 64-bit. As per Microsoft : “Remote Assistance is a technology in Windows XP which enables Windows XP users to help each other over an internal network or over the Internet. With this tool, one user, called the "Expert," can view the desktop of another user, the "Novice.". With the Novice's permission, the Expert can even share control of the Novice's computer to resolve issues remotely. With Remote Assistance, a Help Desk can assist users on the network, which is known as the Offer Remote Assistance feature.”.

    Recommendation :
    We do not see this feature ever taking off. The mechanics for an end-user to invite assistance from an Expert are too long-winded and involve too many steps and programs. In this day and age of speed, speed, and speed, it is faster to drop a quick email, or pick up the phone, to the Help Desk, so we really do not see Microsoft’s Remote Assistance feature getting anywhere fast ! Irrespective of our views, unless Remote Assistance has been set up on your PC by your network manager, or you set it up, then it is 99% certain that you do not need to have this service running. To disable this service go into “Control Panel \ Administrative Tools \ Services”, look for the Remote Desktop Help Session Manager service and set it to Disabled.    [/font]

    Also note you have quite a few applications running at startup which are going to require significant system resources. If you are still running slow, bring up Task Manager (by hitting CTRL-ALT-DEL) and look at the processes tab. See which applications are using all of your CPU's time.
     
    chaslang, May 19, 2004
    #2
  3. kenny

    kenny Private E-2

    Chaslang,

    Thanks for your response. When I ran Hijack my cousin & me were using remote because she is not computer smart & also very nervy about changing things so thats why you prob see that remote is enabled on the log. As far as running a number of programs at startup yes there are spyware, MRU blaster, McAfee etc, all that start running then. I thought it would be better doing it this way but would welcome any advice of another way she can be protected If I should stop them running at start up please advise me the best way to do this
    Thanks again,
    Kenny
     
    kenny, May 19, 2004
    #3
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Protection is a good idea! You just have to be careful you do not go overboard with it. That is why I said in my last message to:

    "bring up Task Manager (by hitting CTRL-ALT-DEL) and look at the processes tab. See which applications are using all of your CPU's time."

    You indicated that the PC was running slow. I wanted you to try to identify what could be causing it to be slow.
     
    chaslang, May 19, 2004
    #4

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds