
HJT Log- Help please?



Hey- my laptop has developed a weird condition...

When I use a browser, all I get back from Google is a cryptic "Hi"

Here's my log from HJT- can anyone tell me what I need to nuke?

Thanks in advance!!

Glenn

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:57:50 PM, on 3/17/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Linksys\Wireless-N Network Monitor\OdHost.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Linksys\Wireless-N Network Monitor\NICServ.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Documents and Settings\admin\Application Data\U3\000199701021368C\LaunchPad.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: 92.62.101.129 google.co.uk
O1 - Hosts: 92.62.101.129 google.co.in
O1 - Hosts: 92.62.101.129 google.com
O1 - Hosts: 92.62.101.129 google.ru
O1 - Hosts: 92.62.101.129 google.de
O1 - Hosts: 92.62.101.129 google.ca
O1 - Hosts: 92.62.101.129 google.fr
O1 - Hosts: 92.62.101.129 google.it
O1 - Hosts: 92.62.101.129 google.es
O1 - Hosts: 92.62.101.129 google.pl
O1 - Hosts: 92.62.101.129 google.nl
O1 - Hosts: 92.62.101.129 www.google.co.uk
O1 - Hosts: 92.62.101.129 www.google.co.in
O1 - Hosts: 92.62.101.129 www.google.com
O1 - Hosts: 92.62.101.129 www.google.ru
O1 - Hosts: 92.62.101.129 www.google.de
O1 - Hosts: 92.62.101.129 www.google.ca
O1 - Hosts: 92.62.101.129 www.google.fr
O1 - Hosts: 92.62.101.129 www.google.it
O1 - Hosts: 92.62.101.129 www.google.es
O1 - Hosts: 92.62.101.129 www.google.pl
O1 - Hosts: 92.62.101.129 www.google.nl
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [Linksys Wireless-N Notebook Adapter] C:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exe
O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\admin\Local Settings\Temp\{1589DC6C-E2FB-48EF-B8D1-B03EEBF29123}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - http://h30155.www3.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?966672926193
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?966672919072
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driveragent.com/files/driveragent.cab
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: NICSer_WPC300N - Unknown owner - C:\Program Files\Linksys\Wireless-N Network Monitor\NICServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 6407 bytes
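Added example, not part of Glenn's post and not HijackThis code: a small Python triage script that reads lines in the HijackThis format shown in the log above. It collects the O1 hosts-file entries, groups the host names by the address they were pinned to, flags any group whose address is routable (not loopback, not a private range, not 0.0.0.0), and separately lists O4 autostart targets that run from a Temp folder. The sample lines are copied from the log above with one loopback entry and one vendor autostart added as benign controls; the "routable address is suspicious" heuristic and the Temp-path check are my own assumptions about what a log reader looks for, not rules from the tool.

```python
import ipaddress
import re
from collections import defaultdict

# Sample lines copied from the HijackThis log in the post above (O1 = hosts-file
# entries, O4 = autostart entries). The "127.0.0.1 localhost" line and the igfxTray
# autostart are benign controls so the checks have something to leave alone.
SAMPLE_HJT = r"""
O1 - Hosts: 92.62.101.129 google.com
O1 - Hosts: 92.62.101.129 www.google.com
O1 - Hosts: 92.62.101.129 google.co.uk
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\admin\Local Settings\Temp\{1589DC6C-E2FB-48EF-B8D1-B03EEBF29123}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
"""

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")


def parse_hosts_entries(log_text):
    """Return (address, hostname) pairs for every O1 line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = HOSTS_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def is_suspicious_hosts_entry(address):
    """Heuristic (my assumption, not HijackThis logic): a hosts line that points a
    name at a routable address silently overrides DNS for that name, which is the
    classic search-engine hijack. Loopback, private-range and 0.0.0.0 targets are
    the usual benign uses (localhost, LAN hosts, ad blocking) and are not flagged."""
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:
        return True  # a hosts line that is not even an address deserves a look
    return not (addr.is_loopback or addr.is_private or addr.is_unspecified)


def hijacked_names_by_address(log_text):
    """Group the flagged host names by the address they were pinned to."""
    groups = defaultdict(list)
    for address, name in parse_hosts_entries(log_text):
        if is_suspicious_hosts_entry(address):
            groups[address].append(name)
    return dict(groups)


def autostarts_from_temp(log_text):
    """Return O4 autostart targets whose path lives under a Temp directory; an
    installed program normally does not keep its autostart binary there."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line.startswith("O4 - "):
            continue
        _, _, rest = line.partition(": ")
        if " = " in rest:                               # "Name.lnk = target" (Startup folders)
            target = rest.split(" = ", 1)[1]
        elif rest.startswith("[") and "] " in rest:     # "[Name] target" (Run keys)
            target = rest.split("] ", 1)[1]
        else:
            target = rest
        if "\\temp\\" in target.lower():
            hits.append(target)
    return hits


def triage(log_text):
    """One-call summary of both checks."""
    return {
        "hijacked_hosts": hijacked_names_by_address(log_text),
        "temp_autostarts": autostarts_from_temp(log_text),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_HJT)
    for address, names in report["hijacked_hosts"].items():
        print(f"{len(names)} name(s) pinned to {address}: {', '.join(names)}")
    for target in report["temp_autostarts"]:
        print(f"autostart running from Temp: {target}")
```

Run over the full log it reports all 22 Google names pinned to the same address, which is consistent with every Google request coming back with the same "Hi" page: the browser never asks DNS for google.com, it goes straight to whatever that address serves. Removing the O1 lines (or restoring a clean hosts file) is the corresponding fix; the Temp-folder autostart is a separate item worth a second look.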

Got a browser hijack going, I think- could you guys take a look and tell me what I should kill?

Thanks so much...

Glenn

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:57:50 PM, on 3/17/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\00THotkey.exe

C:\WINDOWS\System32\igfxtray.exe

C:\WINDOWS\System32\hkcmd.exe

C:\Program Files\ltmoh\Ltmoh.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

C:\WINDOWS\system32\TFNF5.exe

C:\WINDOWS\system32\TPWRTRAY.EXE

C:\WINDOWS\System32\ezSP_Px.exe

C:\toshiba\ivp\ism\pinger.exe

C:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\RAMASST.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\Linksys\Wireless-N Network Monitor\OdHost.exe

C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE

C:\WINDOWS\System32\DVDRAMSV.exe

C:\Program Files\Linksys\Wireless-N Network Monitor\NICServ.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Documents and Settings\admin\Application Data\U3\000199701021368C\LaunchPad.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O1 - Hosts: 92.62.101.129 google.co.uk

O1 - Hosts: 92.62.101.129 google.co.in

O1 - Hosts: 92.62.101.129 google.com

O1 - Hosts: 92.62.101.129 google.ru

O1 - Hosts: 92.62.101.129 google.de

O1 - Hosts: 92.62.101.129 google.ca

O1 - Hosts: 92.62.101.129 google.fr

O1 - Hosts: 92.62.101.129 google.it

O1 - Hosts: 92.62.101.129 google.es

O1 - Hosts: 92.62.101.129 google.pl

O1 - Hosts: 92.62.101.129 google.nl

O1 - Hosts: 92.62.101.129 www.google.co.uk

O1 - Hosts: 92.62.101.129 www.google.co.in

O1 - Hosts: 92.62.101.129 www.google.com

O1 - Hosts: 92.62.101.129 www.google.ru

O1 - Hosts: 92.62.101.129 www.google.de

O1 - Hosts: 92.62.101.129 www.google.ca

O1 - Hosts: 92.62.101.129 www.google.fr

O1 - Hosts: 92.62.101.129 www.google.it

O1 - Hosts: 92.62.101.129 www.google.es

O1 - Hosts: 92.62.101.129 www.google.pl

O1 - Hosts: 92.62.101.129 www.google.nl

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe

O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

O4 - HKLM\..\Run: [TFNF5] TFNF5.exe

O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE

O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe

O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run

O4 - HKLM\..\Run: [Linksys Wireless-N Notebook Adapter] C:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exe

O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\admin\Local Settings\Temp\{1589DC6C-E2FB-48EF-B8D1-B03EEBF29123}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe

O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - http://h30155.www3.hp.com/ediags/dd/instal...nosticsxp2k.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...ab?966672926193

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...ab?966672919072

O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driveragent.com/files/driveragent.cab

O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE

O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe

O23 - Service: NICSer_WPC300N - Unknown owner - C:\Program Files\Linksys\Wireless-N Network Monitor\NICServ.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--

End of file - 6407 bytes


Sorry for opening a second topic- I didn't think the first one went through!!

Here's some supplemental info: an MBAM full scan log we just finished on this box. We went ahead and fixed all these problems, but we still have the "hi" thing going from Google B)

Malwarebytes' Anti-Malware 1.34

Database version: 1825

Windows 5.1.2600 Service Pack 2

3/17/2009 7:52:52 PM

mbam-log-2009-03-17 (19-51-50).txt

Scan type: Full Scan (C:\|)

Objects scanned: 110406

Time elapsed: 33 minute(s), 56 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 14

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe (Rogue.Installer) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System Volume Information\_restore{3C631B64-D9BE-43AD-BB6D-8E3923619CA5}\RP258\A0152189.DLL (Adware.FunWeb) -> No action taken.

C:\System Volume Information\_restore{3C631B64-D9BE-43AD-BB6D-8E3923619CA5}\RP263\A0157213.DLL (Adware.MyWebSearch) -> No action taken.

C:\System Volume Information\_restore{3C631B64-D9BE-43AD-BB6D-8E3923619CA5}\RP263\A0157193.dll (Adware.MyWebSearch) -> No action taken.

C:\System Volume Information\_restore{3C631B64-D9BE-43AD-BB6D-8E3923619CA5}\RP263\A0157194.scr (Adware.MyWebSearch) -> No action taken.

C:\System Volume Information\_restore{3C631B64-D9BE-43AD-BB6D-8E3923619CA5}\RP263\A0157201.DLL (Adware.MyWebSearch) -> No action taken.

C:\System Volume Information\_restore{3C631B64-D9BE-43AD-BB6D-8E3923619CA5}\RP263\A0157206.DLL (Adware.MyWebSearch) -> No action taken.

C:\System Volume Information\_restore{3C631B64-D9BE-43AD-BB6D-8E3923619CA5}\RP263\A0157208.SCR (Adware.MyWebSearch) -> No action taken.

C:\System Volume Information\_restore{3C631B64-D9BE-43AD-BB6D-8E3923619CA5}\RP263\A0157210.DLL (Adware.MyWebSearch) -> No action taken.

C:\System Volume Information\_restore{3C631B64-D9BE-43AD-BB6D-8E3923619CA5}\RP263\A0157216.DLL (Adware.MyWebSearch) -> No action taken.

C:\System Volume Information\_restore{3C631B64-D9BE-43AD-BB6D-8E3923619CA5}\RP263\A0157217.DLL (Adware.MyWebSearch) -> No action taken.

C:\System Volume Information\_restore{3C631B64-D9BE-43AD-BB6D-8E3923619CA5}\RP263\A0157218.EXE (Adware.MyWebSearch) -> No action taken.

C:\System Volume Information\_restore{3C631B64-D9BE-43AD-BB6D-8E3923619CA5}\RP263\A0157224.DLL (Adware.MyWebSearch) -> No action taken.

C:\System Volume Information\_restore{3C631B64-D9BE-43AD-BB6D-8E3923619CA5}\RP263\A0157225.EXE (Adware.MyWebSearch) -> No action taken.

C:\WINDOWS\system32\Macromed\Download\Install.exe (Rogue.Installer) -> No action taken.

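Added example, not from the post above and not Malwarebytes code: a Python parser for the MBAM log format shown above. It reads the summary counts, collects each detection line with the section it was listed under, its family name and the recorded action, checks that the itemised lines agree with the summary counts, and splits the hits into ones inside System Volume Information (old restore points) and ones on the live system. The sample is an abridged copy of the log above (constructed: only two of the thirteen restore-point entries are kept and the "Files Infected" count is set to 3 so the summary still matches). Every line in the posted log reads "-> No action taken", which is what MBAM records when the log is saved before Remove Selected is clicked; the triage function surfaces that so a helper can ask for the post-removal log.

```python
import re
from collections import Counter

# Abridged copy of the MBAM log posted above (constructed: eleven of the thirteen
# restore-point entries dropped and "Files Infected" set to 3 to match what is left).
SAMPLE_MBAM_LOG = r"""Malwarebytes' Anti-Malware 1.34
Database version: 1825
Windows 5.1.2600 Service Pack 2

3/17/2009 7:52:52 PM
mbam-log-2009-03-17 (19-51-50).txt

Scan type: Full Scan (C:\|)
Objects scanned: 110406
Time elapsed: 33 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe (Rogue.Installer) -> No action taken.

Files Infected:
C:\System Volume Information\_restore{3C631B64-D9BE-43AD-BB6D-8E3923619CA5}\RP258\A0152189.DLL (Adware.FunWeb) -> No action taken.
C:\System Volume Information\_restore{3C631B64-D9BE-43AD-BB6D-8E3923619CA5}\RP263\A0157213.DLL (Adware.MyWebSearch) -> No action taken.
C:\WINDOWS\system32\Macromed\Download\Install.exe (Rogue.Installer) -> No action taken.
"""

SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")      # "Files Infected: 3"
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")            # "Files Infected:"
DETECTION_RE = re.compile(r"^(.+?) \(([^()]+)\) -> (.+?)\.?$")  # "<object> (<family>) -> <action>."
RESTORE_POINT_MARKER = "\\system volume information\\_restore"


def parse_mbam_log(text):
    """Return (summary_counts, detections). Each detection is a dict holding the
    section it was listed under, the object path, the family name and the action."""
    summary, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group(1)] = int(m.group(2))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = DETECTION_RE.match(line)
        if m and section:
            detections.append({"category": section, "path": m.group(1),
                               "family": m.group(2), "action": m.group(3)})
    return summary, detections


def triage(summary, detections):
    """Sort the detections into the facts a helper reading the log wants first."""
    per_category = Counter(d["category"] for d in detections)
    # Summary count vs. itemised lines: a gap means a truncated or edited paste.
    mismatches = {cat: (n, per_category.get(cat, 0))
                  for cat, n in summary.items() if per_category.get(cat, 0) != n}
    # Restore-point copies are inert unless System Restore is used; live-system
    # hits (here an IFEO key and a file under system32) are the ones that matter.
    in_restore_points = [d for d in detections
                         if RESTORE_POINT_MARKER in d["path"].lower()]
    live = [d for d in detections if d not in in_restore_points]
    # "No action taken" means the log was saved before removal ran.
    pending = [d for d in detections if d["action"].lower() == "no action taken"]
    return {"count_mismatches": mismatches, "in_restore_points": in_restore_points,
            "live": live, "pending": pending}


if __name__ == "__main__":
    summary, detections = parse_mbam_log(SAMPLE_MBAM_LOG)
    report = triage(summary, detections)
    print(f"{len(detections)} detections, {len(report['pending'])} still pending removal")
    print(f"{len(report['in_restore_points'])} in restore points, {len(report['live'])} on the live system:")
    for d in report["live"]:
        print(f"  [{d['category']}] {d['family']}: {d['path']}")
    if report["count_mismatches"]:
        print("summary counts disagree with itemised lines:", report["count_mismatches"])
```

On the full log the same split holds: thirteen of the fourteen files sit in restore points, and the two live-system items are the Image File Execution Options key for install.exe and the Install.exe under system32\Macromed\Download. Since every entry is still "No action taken", the log does not show the clean-up the poster describes, which is the same reason the Root Admin below asks for a fresh log after Remove Selected.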

  • Root Admin

Please update MBAM and scan again.

YOUR VERSION

Malwarebytes' Anti-Malware 1.34

Database version: 1825

CURRENT VERSION

Malwarebytes' Anti-Malware 1.34

Database version: 1866

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.


Hi :(

AdvancedSetup is currently unavailable and I will now be assisting your good self.

Do you still need help with your machine?

If the instructions are unclear or something isn't working, please let me know before proceeding.
