Suspect Hijack this log.

#1 (permalink)
08-10-2004, 12:01 AM
peter the piper
Junior Member
D-A-L Newbie
Join Date: Aug 2004
Posts: 21

My daughter downloaded an mp3 player, slap wrist, and it brought the rest of its family with it. I've got rid of most of them but am unsure if I'm completely clear. Please could you look at this log and advise.

Logfile of HijackThis v1.98.2
Scan saved at 23:58:24, on 07/10/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton Internet Security Professional\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Wt32exe.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
D:\Program Files\Norton Internet Security Professional\NISSERV.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Norton Internet Security Professional\SymPxSvc.exe
C:\WINDOWS\TBPanel.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\System32\tblmouse.exe
D:\Program Files\Norton Internet Security Professional\IAMAPP.EXE
C:\PROGRA~1\VOB\INSTAN~1\IWCTRL.EXE
D:\Program Files\TotRecSched.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC 2.EXE
D:\program files\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
D:\Program Files\Desktop Calendar\Desktop Calendar.exe
C:\Program Files\Tweak-XP\popup.exe
C:\Program Files\Tweak-XP\blads.exe
C:\PROGRA~1\ashampoo\ASHAMP~1\PopUpKiller.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\twain_32\A4S2_32\WATCH.exe
D:\Program Files\OpenOffice.org1.1.0\program\soffice.exe
D:\Program Files\Norton Internet Security Professional\ATRACK.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\IEHost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\user\Desktop\cleanup tools\hijackthis-1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: IE PopUp-Killer ; Neikeisoft - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\ashampoo\ASHAMP~1\PopUp.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [tblfunc] tblmouse.exe
O4 - HKLM\..\Run: [iamapp] D:\Program Files\Norton Internet Security Professional\IAMAPP.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [IW Controlcenter] C:\PROGRA~1\VOB\INSTAN~1\IWCTRL.EXE
O4 - HKLM\..\Run: [TotalRecorderScheduler] "D:\Program Files\TotRecSched.exe"
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC 2.EXE /P23 "EPSON Stylus C84 Series" /O5 "LPT1:" /M "Stylus C84"
O4 - HKLM\..\Run: [QuickTime Task] "D:\program files\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasDtServ] gcasDtServ.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ILO_Office_Manager] IntEdReg.exe /OFFMAN
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [TaskTray] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
O4 - HKCU\..\Run: [Taskbar] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
O4 - HKCU\..\Run: [Desktop Calendar] D:\Program Files\Desktop Calendar\Desktop Calendar.exe
O4 - HKCU\..\Run: [Pop-Up-Blocker] C:\Program Files\Tweak-XP\popup.exe
O4 - HKCU\..\Run: [BlockAds] C:\Program Files\Tweak-XP\blads.exe
O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] C:\PROGRA~1\ashampoo\ASHAMP~1\PopUpKiller.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: OpenOffice.org 1.1.0.lnk = D:\Program Files\OpenOffice.org1.1.0\program\quickstart.exe
O4 - Startup: Watch.lnk = C:\WINDOWS\twain_32\A4S2_32\WATCH.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - (no file)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mu3: C:\Program Files\Internet Explorer\Plugins\NPMyrMus.dll
O12 - Plugin for .mus: C:\Program Files\Internet Explorer\Plugins\NPMyrMus.dll
O12 - Plugin for .myr: C:\Program Files\Internet Explorer\Plugins\NPMyrMus.dll
O12 - Plugin for .myt: C:\Program Files\Internet Explorer\Plugins\NPMyrMus.dll
O16 - DPF: symsupportutil - https://www-secure.symantec.com/regi...upportutil.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab30149.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.comp...bio5_1_6_0.cab

#2 (permalink)
08-10-2004, 05:08 PM
owen
D-A-L Team Member (UK)
Loyal Contributor
Join Date: Jun 2004
Posts: 5,272
Re: Suspect Hijack this log.

Close all browser windows, restart Hijack This and put a checkmark next to the following entries:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file)

Click Fix Checked

Nothing worrying in there. The only thing that is worrying is that you have a lack of protection and are extremely behind on Windows Updates. Have a read of this protection and info and pay close attention to the one about Windows Updates. Without Windows Updates, your system has many security holes which can be easily exploited.

Preventing it returning

After your problem has been resolved on the forum, it is an absolute MUST to do the following steps to prevent the problem returning. Click on the link to get access to the software or webpage that I'm referring to.

1. Visit Windows Update
Pay a visit to Windows Update and scan for and download ALL Critical Updates and Service Packs. New updates are usually released monthly so check back to Windows Update every month.

2. Download Antivirus Software-
If you haven't already got Antivirus software, you should download and install AVG Antivirus. It is freeware and is updated nearly every 2 days (sometimes more frequently if there are a lot of new viruses) and in my opinion, is better than some Antivirus software such as Norton. Antivirus software will prevent viruses infecting your system and it is important that you update it every two days or every week at the most.

3. Download a Firewall-
If you haven't already got a firewall, it is very important that you download one. Firewalls will prevent unauthorised access to your computer and stop data leaking out of your computer. You may think that it won't happen to you, but Hackers don't care who you are, what you do, where you live or what you had for tea last Sunday on your holiday in the Lake District, they want your data. Firewalls will keep these sneaks out and one of the best is Sygate Personal Firewall, which happens to be freeware.

4. Spyware Scanners-
It is important that as well as having real time spyware protection, you have a spyware scanning application. If you have not already been told to download one earlier in this thread, it is a good idea to download Spybot Search And Destroy and Ad-aware. They are both spyware scanners and will search for and remove spyware. It is recommended that you have both, because one will pick up entries that the other misses. It is even a good idea to download these if you have other programs such as ASE, Spysweeper, Pest Patrol, etc, because one spyware scanner will not pick up everything. Please remember to update your spyware scanners weekly/fortnightly.

5. Prevent Spyware slipping through Internet Explorer-
Quite a lot of spyware slips through Internet Explorer if your settings are not tight enough. Spyware Blaster will help you prevent spyware slipping through and installing tracking cookies. Simply run it via Start> Programs> Spyware Blaster and click Enable All Protection and it will protect you. It doesn't even have to be open! Remember to update weekly/fortnightly.

6. Constant Spyware Protection-
It is important to have constant spyware protection. Spyware Guard works like an antivirus program but detects Spyware instead. It will constantly protect your system. Check for updates monthly.

All of these steps are very important and it is HIGHLY recommended that you download all of the programs mentioned for your own safety. Remember to update everything (including Windows using Windows Update)! It is also a good idea to perform weekly/fortnightly scans with Spybot S&D, Ad-aware and your antivirus software.

And last of all, please remember, that common sense is your greatest tool. Without it, spyware and other related Malware would rule!
__________________
Owen,
My Website - I Security.org.uk

MALWARE: READ FIRST Procedures:
|_ SpyBot V1.4 _|_ Ad-Aware SE 1.06_|_ HijackThis Log __V1.99.1 _|


- Be patient and wait for a response, we'll do our best to help resolve your issue.
- When posting for help, start your own thread and stick to it. Don't start multiple threads or post in other people's threads!

If we have helped you, please consider making a donation to help support the forum. All donations are greatly appreciated. You can also support the forum by placing a link to us on your personal website.

Useful Links:
Posting a Hijack This Log
Preposting and Prevention Info

#3 (permalink)
08-10-2004, 05:40 PM
peter the piper
Junior Member
D-A-L Newbie
Join Date: Aug 2004
Posts: 21
Re: Suspect Hijack this log.

Thanks for your help, fixed checked items. However I am concerned about your comment ref updates. Apart from SP2 I do not have any further updates available. I won't be using SP2 as I completely B*****d up the computer with SP1, and have been updating regularly. I have Norton Anti virus and Firewall, Spybot S&D, Ad-aware, Spywareblaster and a modem/router on broadband, also Reg Supreme Pro and Ashampoo Winoptimiser Platinum. All are up to date or only one behind. What else do you suggest I do?

#4 (permalink)
08-10-2004, 05:55 PM
owen
D-A-L Team Member (UK)
Loyal Contributor
Join Date: Jun 2004
Posts: 5,272
Re: Suspect Hijack this log.

I am sorry, I think I'm still half asleep. Your protection is adequate. According to your Hijack This, you are running Windows XP with no service packs. It is very important you install Windows XP Service Pack 2. What mistakes did you make installing Service Pack 1? According to your log you haven't got it installed.

You only have Windows XP Service Pack 2 in Windows Updates because Windows XP SP2 will be specially downloaded to suit your PC. It will incorporate all of the updates you are missing and that's why it is SO important.
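
The checks made in the posts above, as an added example (not code from the thread, the forum or HijackThis): a small parser that lists the two kinds of entry ticked in post #2, a blank R0/R1 value and a "(no file)" registration, groups registrations by CLSID, and reads the service pack from the Platform line as post #4 does. The sample lines are copied from the log in post #1; the function names, and the assumption that HijackThis writes "SPn" on the Platform line when a service pack is installed, belong to this example.

```python
import re
from collections import defaultdict

# Lines copied from the HijackThis v1.98.2 log in post #1 of this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
Platform: Windows XP (WinNT 5.01.2600)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file)
O4 - HKLM\..\Run: [gcasDtServ] gcasDtServ.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - (no file)
"""

ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")   # e.g. "O2 - BHO: ..."
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
SP_RE = re.compile(r"\bSP(\d)\b")


def parse_entries(text):
    """Return one dict per scan entry: section code, body text, CLSID if any."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            code, body = m.groups()
            clsid = CLSID_RE.search(body)
            entries.append({"code": code, "body": body,
                            "clsid": clsid.group(0).upper() if clsid else None})
    return entries


def service_pack(text):
    """SP number from the Platform line; 0 if none is shown, None if no such line.
    Assumption: HijackThis writes "SPn" after the Windows name when one is installed."""
    for line in text.splitlines():
        if line.strip().startswith("Platform:"):
            m = SP_RE.search(line)
            return int(m.group(1)) if m else 0
    return None


def triage(entries):
    """Flag blank R0/R1 browser settings and registrations whose file is missing."""
    findings = []
    for e in entries:
        if e["body"].endswith("(no file)"):
            findings.append((e["code"], "registration points at no file", e["body"]))
        elif e["code"] in ("R0", "R1") and e["body"].endswith("="):
            findings.append((e["code"], "blank Internet Explorer setting", e["body"]))
    return findings


def shared_clsids(entries):
    """CLSIDs registered under more than one section, e.g. as both BHO and toolbar."""
    sections = defaultdict(set)
    for e in entries:
        if e["clsid"]:
            sections[e["clsid"]].add(e["code"])
    return {c: sorted(s) for c, s in sections.items() if len(s) > 1}


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LOG)
    print("Service pack shown on Platform line:", service_pack(SAMPLE_LOG))
    for code, reason, body in triage(entries):
        print(f"{code}: {reason}: {body}")
    print("CLSIDs in several sections:", shared_clsids(entries))
```
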

#5 (permalink)
08-10-2004, 08:20 PM
peter the piper
Junior Member
D-A-L Newbie
Join Date: Aug 2004
Posts: 21
Re: Suspect Hijack this log.

I installed SP1 from the disk on the Windows XP magazine and as far as I know I did not make any mistakes; I followed the instructions to the letter. I was not able to start the computer after this, not even in safe mode. Needed a format and reinstall of original. I currently have 32 hotfixes downloaded which are for SP1 and according to the MS website there is only SP2 left. Not surprisingly I am very wary of this. I would hate to have to reinstall all I have on "c". If I had a guarantee SP2 would work I'd do it.
P.S. I only use Firefox to browse and don't open any e-mail until I have checked who it's from and if I'm expecting it.

#6 (permalink)
08-10-2004, 08:28 PM
owen
D-A-L Team Member (UK)
Loyal Contributor
Join Date: Jun 2004
Posts: 5,272
Re: Suspect Hijack this log.

You can't just spend your whole life (I'm not saying you do, this is just a saying) saying What If. If we did we wouldn't step out of our doors in the morning or start our cars or even put toast in the toaster.

You installed XP Service Pack 1 from a Magazine Cover Disk. I personally would never trust a magazine cover disk for such an important update. XP SP2 is only available from Microsoft because it is so important. I hope you do try to install XP SP2. I've installed it five times. Three times on my own machine (due to hard disk problems), one on another machine and one on another machine. All five of them went smoothly without any problems whatsoever.

#7 (permalink)
09-10-2004, 11:24 AM
peter the piper
Junior Member
D-A-L Newbie
Join Date: Aug 2004
Posts: 21
Re: Suspect Hijack this log.

I only installed SP1 from the Windows XP Magazine as I was on Dial-up, remember that with all its lovely beeps and whistles? Now that they've caught up with me I'll have to consider installing. It's a case of once bitten, twice shy. Still, I know who to blame if it goes T*** up.

#8 (permalink)
09-10-2004, 10:02 PM
owen
D-A-L Team Member (UK)
Loyal Contributor
Join Date: Jun 2004
Posts: 5,272
Re: Suspect Hijack this log.

I'll have to write a disclaimer before then

All times are GMT +1.