galacon Posted March 18, 2009 ID:65303 Share Posted March 18, 2009 Hey- my laptop has developed a weird condition...When I use a browser, all I get back from Google is a cryptic "Hi"Here's my log from HJT- can anyone tell me what I need to nuke?Thanks in advance!!GlennLogfile of Trend Micro HijackThis v2.0.2Scan saved at 6:57:50 PM, on 3/17/2009Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16640)Boot mode: Normal Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\System32\00THotkey.exeC:\WINDOWS\System32\igfxtray.exeC:\WINDOWS\System32\hkcmd.exeC:\Program Files\ltmoh\Ltmoh.exeC:\WINDOWS\AGRSMMSG.exeC:\Program Files\Analog Devices\SoundMAX\PmProxy.exeC:\Program Files\Apoint2K\Apoint.exeC:\Program Files\TOSHIBA\TouchED\TouchED.ExeC:\WINDOWS\system32\TFNF5.exeC:\WINDOWS\system32\TPWRTRAY.EXEC:\WINDOWS\System32\ezSP_Px.exeC:\toshiba\ivp\ism\pinger.exeC:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Spybot - Search & Destroy\TeaTimer.exeC:\WINDOWS\system32\RAMASST.exeC:\Program Files\Apoint2K\Apntex.exeC:\Program Files\Linksys\Wireless-N Network Monitor\OdHost.exeC:\WINDOWS\system32\DRIVERS\CDANTSRV.EXEC:\WINDOWS\System32\DVDRAMSV.exeC:\Program Files\Linksys\Wireless-N Network Monitor\NICServ.exeC:\WINDOWS\System32\tcpsvcs.exeC:\Program Files\Analog Devices\SoundMAX\SMAgent.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\wscntfy.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeC:\Documents and Settings\admin\Application Data\U3\000199701021368C\LaunchPad.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157O1 - Hosts: 92.62.101.129 google.co.ukO1 - Hosts: 92.62.101.129 google.co.inO1 - Hosts: 92.62.101.129 google.comO1 - Hosts: 92.62.101.129 google.ruO1 - Hosts: 92.62.101.129 google.deO1 - Hosts: 92.62.101.129 google.caO1 - Hosts: 92.62.101.129 google.frO1 - Hosts: 92.62.101.129 google.itO1 - Hosts: 92.62.101.129 google.esO1 - Hosts: 92.62.101.129 google.plO1 - Hosts: 92.62.101.129 google.nlO1 - Hosts: 92.62.101.129 www.google.co.ukO1 - Hosts: 92.62.101.129 www.google.co.inO1 - Hosts: 92.62.101.129 www.google.comO1 - Hosts: 92.62.101.129 www.google.ruO1 - Hosts: 92.62.101.129 www.google.deO1 - Hosts: 92.62.101.129 www.google.caO1 - Hosts: 92.62.101.129 www.google.frO1 - Hosts: 92.62.101.129 www.google.itO1 - Hosts: 92.62.101.129 www.google.esO1 - Hosts: 92.62.101.129 www.google.plO1 - Hosts: 92.62.101.129 www.google.nlO2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dllO4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exeO4 - HKLM\..\Run: [000StTHK] 000StTHK.exeO4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exeO4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exeO4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exeO4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exeO4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exeO4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exeO4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.ExeO4 - HKLM\..\Run: [TFNF5] TFNF5.exeO4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXEO4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exeO4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /runO4 - HKLM\..\Run: [Linksys Wireless-N Notebook Adapter] C:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exeO4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersionsO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exeO4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\admin\Local Settings\Temp\{1589DC6C-E2FB-48EF-B8D1-B03EEBF29123}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exeO4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exeO9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dllO14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.comO16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CABO16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - http://h30155.www3.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?966672926193O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?966672919072O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driveragent.com/files/driveragent.cabO23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXEO23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exeO23 - Service: NICSer_WPC300N - Unknown owner - C:\Program Files\Linksys\Wireless-N Network Monitor\NICServ.exeO23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe --End of file - 6407 bytes Link to post Share on other sites More sharing options...
galacon Posted March 18, 2009 Author ID:65336 Share Posted March 18, 2009 Any help?? Link to post Share on other sites More sharing options...
galacon Posted March 18, 2009 Author ID:65395 Share Posted March 18, 2009 Got a browser hijack going, I think- could you guys take a look and tell me what I should kill?Thanks so much...GlennLogfile of Trend Micro HijackThis v2.0.2Scan saved at 6:57:50 PM, on 3/17/2009Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16640)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\System32\00THotkey.exeC:\WINDOWS\System32\igfxtray.exeC:\WINDOWS\System32\hkcmd.exeC:\Program Files\ltmoh\Ltmoh.exeC:\WINDOWS\AGRSMMSG.exeC:\Program Files\Analog Devices\SoundMAX\PmProxy.exeC:\Program Files\Apoint2K\Apoint.exeC:\Program Files\TOSHIBA\TouchED\TouchED.ExeC:\WINDOWS\system32\TFNF5.exeC:\WINDOWS\system32\TPWRTRAY.EXEC:\WINDOWS\System32\ezSP_Px.exeC:\toshiba\ivp\ism\pinger.exeC:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Spybot - Search & Destroy\TeaTimer.exeC:\WINDOWS\system32\RAMASST.exeC:\Program Files\Apoint2K\Apntex.exeC:\Program Files\Linksys\Wireless-N Network Monitor\OdHost.exeC:\WINDOWS\system32\DRIVERS\CDANTSRV.EXEC:\WINDOWS\System32\DVDRAMSV.exeC:\Program Files\Linksys\Wireless-N Network Monitor\NICServ.exeC:\WINDOWS\System32\tcpsvcs.exeC:\Program Files\Analog Devices\SoundMAX\SMAgent.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\wscntfy.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeC:\Documents and Settings\admin\Application Data\U3\000199701021368C\LaunchPad.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157O1 - Hosts: 92.62.101.129 google.co.ukO1 - Hosts: 92.62.101.129 google.co.inO1 - Hosts: 92.62.101.129 google.comO1 - Hosts: 92.62.101.129 google.ruO1 - Hosts: 92.62.101.129 google.deO1 - Hosts: 92.62.101.129 google.caO1 - Hosts: 92.62.101.129 google.frO1 - Hosts: 92.62.101.129 google.itO1 - Hosts: 92.62.101.129 google.esO1 - Hosts: 92.62.101.129 google.plO1 - Hosts: 92.62.101.129 google.nlO1 - Hosts: 92.62.101.129 www.google.co.ukO1 - Hosts: 92.62.101.129 www.google.co.inO1 - Hosts: 92.62.101.129 www.google.comO1 - Hosts: 92.62.101.129 www.google.ruO1 - Hosts: 92.62.101.129 www.google.deO1 - Hosts: 92.62.101.129 www.google.caO1 - Hosts: 92.62.101.129 www.google.frO1 - Hosts: 92.62.101.129 www.google.itO1 - Hosts: 92.62.101.129 www.google.esO1 - Hosts: 92.62.101.129 www.google.plO1 - Hosts: 92.62.101.129 www.google.nlO2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dllO4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exeO4 - HKLM\..\Run: [000StTHK] 000StTHK.exeO4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exeO4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exeO4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exeO4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exeO4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exeO4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exeO4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.ExeO4 - HKLM\..\Run: [TFNF5] TFNF5.exeO4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXEO4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exeO4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /runO4 - HKLM\..\Run: [Linksys Wireless-N Notebook Adapter] C:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exeO4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersionsO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exeO4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\admin\Local Settings\Temp\{1589DC6C-E2FB-48EF-B8D1-B03EEBF29123}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exeO4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exeO9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dllO14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.comO16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CABO16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - http://h30155.www3.hp.com/ediags/dd/instal...nosticsxp2k.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...ab?966672926193O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...ab?966672919072O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driveragent.com/files/driveragent.cabO23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXEO23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exeO23 - Service: NICSer_WPC300N - Unknown owner - C:\Program Files\Linksys\Wireless-N Network Monitor\NICServ.exeO23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe--End of file - 6407 bytes Link to post Share on other sites More sharing options...
galacon Posted March 18, 2009 Author ID:65413 Share Posted March 18, 2009 Sorry for opening a second topic- I didn't think the first one went through!!Here's some supplemental info: a MBAM full scan log we just finished on this box. We went ahead and fixed all these problems, but we still have the "hi" thing going from Google B)Malwarebytes' Anti-Malware 1.34Database version: 1825Windows 5.1.2600 Service Pack 23/17/2009 7:52:52 PMmbam-log-2009-03-17 (19-51-50).txtScan type: Full Scan (C:\|)Objects scanned: 110406Time elapsed: 33 minute(s), 56 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 1Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 14Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe (Rogue.Installer) -> No action taken.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:C:\System Volume Information\_restore{3C631B64-D9BE-43AD-BB6D-8E3923619CA5}\RP258\A0152189.DLL (Adware.FunWeb) -> No action taken.C:\System Volume Information\_restore{3C631B64-D9BE-43AD-BB6D-8E3923619CA5}\RP263\A0157213.DLL (Adware.MyWebSearch) -> No action taken.C:\System Volume Information\_restore{3C631B64-D9BE-43AD-BB6D-8E3923619CA5}\RP263\A0157193.dll (Adware.MyWebSearch) -> No action taken.C:\System Volume Information\_restore{3C631B64-D9BE-43AD-BB6D-8E3923619CA5}\RP263\A0157194.scr (Adware.MyWebSearch) -> No action taken.C:\System Volume Information\_restore{3C631B64-D9BE-43AD-BB6D-8E3923619CA5}\RP263\A0157201.DLL (Adware.MyWebSearch) -> No action taken.C:\System Volume Information\_restore{3C631B64-D9BE-43AD-BB6D-8E3923619CA5}\RP263\A0157206.DLL (Adware.MyWebSearch) -> No action taken.C:\System Volume Information\_restore{3C631B64-D9BE-43AD-BB6D-8E3923619CA5}\RP263\A0157208.SCR (Adware.MyWebSearch) -> No action taken.C:\System Volume Information\_restore{3C631B64-D9BE-43AD-BB6D-8E3923619CA5}\RP263\A0157210.DLL (Adware.MyWebSearch) -> No action taken.C:\System Volume Information\_restore{3C631B64-D9BE-43AD-BB6D-8E3923619CA5}\RP263\A0157216.DLL (Adware.MyWebSearch) -> No action taken.C:\System Volume Information\_restore{3C631B64-D9BE-43AD-BB6D-8E3923619CA5}\RP263\A0157217.DLL (Adware.MyWebSearch) -> No action taken.C:\System Volume Information\_restore{3C631B64-D9BE-43AD-BB6D-8E3923619CA5}\RP263\A0157218.EXE (Adware.MyWebSearch) -> No action taken.C:\System Volume Information\_restore{3C631B64-D9BE-43AD-BB6D-8E3923619CA5}\RP263\A0157224.DLL (Adware.MyWebSearch) -> No action taken.C:\System Volume Information\_restore{3C631B64-D9BE-43AD-BB6D-8E3923619CA5}\RP263\A0157225.EXE (Adware.MyWebSearch) -> No action taken.C:\WINDOWS\system32\Macromed\Download\Install.exe (Rogue.Installer) -> No action taken. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted March 19, 2009 Root Admin ID:65751 Share Posted March 19, 2009 Please update MBAM and scan again.YOUR VERSIONMalwarebytes' Anti-Malware 1.34Database version: 1825CURRENT VERSIONMalwarebytes' Anti-Malware 1.34Database version: 1866Update and Scan with Malwarebytes' Anti-MalwareStart MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.Update Malwarebytes' Anti-Malware Select the Update tabClick Update[*]When the update is complete, select the Scanner tab[*]Select Perform quick scan, then click Scan.[*]When the scan is complete, click OK, then Show Results to view the results.[*]Be sure that everything is checked, and click Remove Selected.[*]When completed, a log will open in Notepad. please copy and paste the log into your next reply If you accidently close it, the log file is saved here and will be named like this:C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txtThen post back the MBAM log and a new Hijackthis log. Link to post Share on other sites More sharing options...
Dakeyras Posted March 21, 2009 ID:66346 Share Posted March 21, 2009 Hi AdvancedSetup is currently unavailable and I will now be assisting your good self.Do you still need help with your machine?If the instructions are unclear or something isn't working, please let me know before proceeding. Link to post Share on other sites More sharing options...
Recommended Posts