
Thread: spyware

  #1  numba1xclusive (Xclusive Gangsta), Join Date: Jan 2004, Posts: 208

    hijack this log.

    Logfile of HijackThis v1.99.1
    Scan saved at 7:17:45 PM, on 8/29/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Trend Micro\Internet Security\pccguide.exe
    C:\Program Files\Trend Micro\Internet Security\PCClient.exe
    C:\WINDOWS\system32\atiptaxx.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\sfita.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\PROGRA~1\Toolbar\PIB.exe
    C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    C:\PROGRA~1\COMMON~1\WinTools\WSup.exe
    C:\PROGRA~1\Toolbar\TBPS.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\DOCUME~1\MLNORT~1\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchforit.com/searchbar
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.yahoo.com/config/login?.../www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50212
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50212
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
    O2 - BHO: F1 Organizer Class - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\ATPART~1.DLL
    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Replace Search Ctl - {832BEBED-C3DA-4534-A2C2-B2FFF220C820} - C:\WINDOWS\system32\replaceSearch.dll
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
    O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar3.dll
    O2 - BHO: Cas - {B5F3970B-745E-46AC-B890-E08F69777D80} - C:\WINDOWS\system32\ca2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar3.dll
    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
    O3 - Toolbar: searchforit - {C109664B-CEB1-420b-B353-D55A561536DD} - C:\WINDOWS\system32\sfi2.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
    O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
    O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\pxckdla.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
    O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\Update\WToolsA.exe update
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [sfita] C:\WINDOWS\sfita.exe
    O4 - HKCU\..\RunOnce: [Web Offer] C:\WINDOWS\system32\ezStub.exe
    O4 - Startup: AdDestroyer.lnk = ?
    O4 - Startup: Virtual Bouncer.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar3.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar3.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar3.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar3.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar3.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .NPSSView: c:\program files\netscape\netscape\plugins\NPssView.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} (F1 Organizer Class) - http://www.addictivetechnologies.net...b/Ud3rT0n5.cab
    O16 - DPF: {028518E1-9FA8-44FC-92D7-5C54244B5F36} - http://activex.microsoft.com/objects/ocget.dll
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
    O16 - DPF: {5E8FD788-C323-4357-AB76-7CBCEFBA573C} (SpyBouncer.SBDownloader) - http://www.spybouncer.com/downloader.ocx
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/B...1/axofupld.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {75D2080B-4857-4B96-9B7D-732634FBD01F} - http://activex.microsoft.com/objects/ocget.dll
    O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50212/QDow_AS2.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {9E6C7461-FE4A-41A9-9D35-7468796CF9E7} (AVXControl Class) - http://threatlevel.pcsecurityshield....rol/avxnew.dll
    O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
    O16 - DPF: {AA218328-0EA8-4D70-8972-E987A9190FF4} - http://activex.microsoft.com/objects/ocget.dll
    O16 - DPF: {AAF15A90-F3EC-4FEE-9A00-F65B25B83D05} - http://activex.microsoft.com/objects/ocget.dll
    O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cths.fcps.edu
    O17 - HKLM\Software\..\Telephony: DomainName = cths.fcps.edu
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2AE8C093-7710-4766-8E65-84810CB6E164}: NameServer = 151.188.1.150,151.188.5.116
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cths.fcps.edu
    O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Fix-It Task Manager - V Communications, Inc. - C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
    O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe

    help/
    Last edited by numba1xclusive; 08-29-2005 at 11:30 PM.

    Da Numba1Xclusive King

  #2  tesco (woowoo), Join Date: Aug 2003, Location: Canadia, Posts: 21,669

    A great site to analyze the logs is here: http://hijackthis.de

    I've done this for you and here are the 'nasty' results.
    Code:
    C:\PROGRA~1\Toolbar\PIB.exe  Check with an antivirus scanner  Nasty
      Nasty  running process. (PIB.exe)
      PIB Toolbar Spyware
      Visitor's assessment: 1 (Definitively malware)  This is a nasty process! You should fix it and try to delete it manually!

    C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe  Check with an antivirus scanner  Nasty
      Nasty  running process. (WToolsA.exe)
      Currently there is no visitor's assessment!  This is a nasty process! You should fix it and try to delete it manually!
      Probably safe.! According to our database this process runs normally in c:\programme\gemeinsame dateien\wintools\! Check if you know this process and arrange a viruscheck where required.

    C:\PROGRA~1\COMMON~1\WinTools\WSup.exe  Check with an antivirus scanner  Nasty
      Nasty  running process. (WSup.exe)
      Currently there is no visitor's assessment!  This is a nasty process! You should fix it and try to delete it manually!
      Probably safe.! According to our database this process runs normally in c:\programme\gemeinsame dateien\wintools\! Check if you know this process and arrange a viruscheck where required.

    C:\PROGRA~1\Toolbar\TBPS.exe  Check with an antivirus scanner  Nasty
      Nasty  running process. (TBPS.exe)
      WebSearch toolbar, HuntBar parasite variant
      Currently there is no visitor's assessment!  This is a nasty process! You should fix it and try to delete it manually!

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50212  Nasty
      Nasty  This entry should be fixed by HijackThis!
      Currently there is no visitor's assessment!  This entry should be fixed by HijackThis!

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50212  Nasty
      Nasty  This entry should be fixed by HijackThis!
      Currently there is no visitor's assessment!  This entry should be fixed by HijackThis!

    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll  Nasty
      Nasty  Should be fixed if you do not know the application or if no application is mentioned.
      Currently there is no visitor's assessment!  This entry should be fixed.

    O2 - BHO: F1 Organizer Class - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\ATPART~1.DLL  Nasty
      Nasty  Entries found in this registry zone are potentially nasty. This application ([00000EF1-0786-4633-87C6-1AA7A44296DA] - Result: 00000EF1-0786-4633-87C6-1AA7A44296DA) has been checked. Hit rate: 99 %
      Currently there is no visitor's assessment!  Must be fixed!

    O2 - BHO: Replace Search Ctl - {832BEBED-C3DA-4534-A2C2-B2FFF220C820} - C:\WINDOWS\system32\replaceSearch.dll  Nasty
      Nasty  Entries found in this registry zone are potentially nasty. This application ([832BEBED-C3DA-4534-A2C2-B2FFF220C820] - Result: 832BEBED-C3DA-4534-A2C2-B2FFF220C820) has been checked. Hit rate: 99 %
      Currently there is no visitor's assessment!  Must be fixed!

    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll  Nasty
      Nasty  Entries found in this registry zone are potentially nasty. This application ([87766247-311C-43B4-8499-3D5FEC94A183] - Result: 87766247-311C-43B4-8499-3D5FEC94A183) has been checked. Hit rate: 99 %
      Currently there is no visitor's assessment!  Must be fixed!

    O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll  Nasty
      Nasty  Entries found in this registry zone are potentially nasty. This application ([8952A998-1E7E-4716-B23D-3DBE03910972] - Result: 8952A998-1E7E-4716-B23D-3DBE03910972) has been checked. Hit rate: 99 %
      Currently there is no visitor's assessment!  Must be fixed!

    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll  Nasty
      Nasty  Entries found in this registry zone are potentially nasty. This application ([339BB23F-A864-48C0-A59F-29EA915965EC] - Result: 339BB23F-A864-48C0-A59F-29EA915965EC) has been checked. If the name is made up of random letters, found in the folder 'Application Data' and the kind is 'Unknown', it should be fixed. Hit rate: 99 %
      Currently there is no visitor's assessment!  Must be fixed!

    O3 - Toolbar: searchforit - {C109664B-CEB1-420b-B353-D55A561536DD} - C:\WINDOWS\system32\sfi2.dll  Nasty
      Nasty  Entries found in this registry zone are potentially nasty. This application ([C109664B-CEB1-420b-B353-D55A561536DD] - Result: C109664B-CEB1-420b-B353-D55A561536DD) has been checked. If the name is made up of random letters, found in the folder 'Application Data' and the kind is 'Unknown', it should be fixed. Hit rate: 99 %
      Currently there is no visitor's assessment!  Must be fixed!

    O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"  Nasty
      Nasty  TrojanDownloader.Win32.Agent.y
      Hit rate: 99 % (result)
      Currently there is no visitor's assessment!  Must be fixed!

    O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe  Nasty
      Nasty  WebSearch toolbar, HuntBar parasite variant
      Hit rate: 99 % (result)
      Visitor's assessment: 1 (Definitively malware)  Must be fixed!

    O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\Update\WToolsA.exe update  Nasty
      Nasty  WinTools adware
      Hit rate: 99 % (result)
      Currently there is no visitor's assessment!  Must be fixed!

    O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} (F1 Organizer Class) - http://www.addictivetechnologies.ne...ab/Ud3rT0n5.cab  Nasty
      Nasty  This entry is possibly nasty.
      Currently there is no visitor's assessment!  Should be fixed.

    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe  Nasty
      Nasty  This entry is possibly nasty.
      Currently there is no visitor's assessment!  Should be fixed.

    O16 - DPF: {5E8FD788-C323-4357-AB76-7CBCEFBA573C} (SpyBouncer.SBDownloader) - http://www.spybouncer.com/downloader.ocx  Nasty
      Nasty  This entry is possibly nasty.
      Currently there is no visitor's assessment!  Should be fixed.

    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab  Nasty
      Nasty  This entry is possibly nasty.
      Visitor's assessment: 5 (Very safe)  Should be fixed.

    O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50212/QDow_AS2.cab  Nasty
      Nasty  This entry is possibly nasty.
      Currently there is no visitor's assessment!  Should be fixed.
