hijack this log file

  • Thread starter: Lisa Goodman

Lisa Goodman

We have been having terrible problems, we'd greatly appreciate any
help on which file to delete. Here is the log file:

Logfile of HijackThis v1.97.7
Scan saved at 9:04:52 PM, on 8/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\windows\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\windows\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\windows\System32\Ftei.exe
C:\windows\System32\PskA2.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Lisa\My Documents\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R3 - URLSearchHook: (no name) -
_{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {60873C5E-9742-2CC3-8755-615579D37A48} -
C:\windows\System32\xacgr.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} -
C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus -
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton
SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec
Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility]
C:\windows\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [EM_EXEC]
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone
Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [2HZA8XS597ZPDN] C:\windows\System32\Szg9524W.exe
O4 - Startup: SBC Yahoo! DSL.lnk = C:\WINDOWS\system32\rasphone.exe
O8 - Extra context menu item: &Google Search - res://c:\program
files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program
files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page -
res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program
files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English -
res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program
Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program
Files\Yahoo!\Common/ycsrch.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office
Template and Media Control) -
http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -
http://public.windupdates.com/get_f...05f72cb55925:0db69b72ff39cfe5e585d7b34e81015d
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX
Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13}
(PPSDKActiveXScanner.MainScreen) -
http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} (RegConfig Class) -
http://download.yahoo.com/dl/installs/bkm/prod/yregcfg.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37805.692662037
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class)
- http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) -
http://download.yahoo.com/dl/installs/yab_af.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) -
http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{371A1B21-F0B8-4923-8095-D97F460DD6D6}:
NameServer = 66.73.20.40 206.141.193.55
O17 - HKLM\System\CS1\Services\Tcpip\..\{371A1B21-F0B8-4923-8095-D97F460DD6D6}:
NameServer = 66.73.20.40 206.141.193.55
O17 - HKLM\System\CS2\Services\Tcpip\..\{371A1B21-F0B8-4923-8095-D97F460DD6D6}:
NameServer = 66.73.20.40 206.141.193.55
 
Lisa Goodman said:
We have been having terrible problems, we'd greatly appreciate any
help on which file to delete. Here is the log file:

Not sure what constitutes a terrible problem for you, but if it were my
machine, I'd yank (fix) all the 02's and maybe some of those 09's.
 
Bart Bailey said:
Not sure what constitutes a terrible problem for you, but if it were my
machine, I'd yank (fix) all the 02's and maybe some of those 09's.

No way, Jose.....have a look and you will see Spybot in there.....a
perfectly legit BHO. Or have her *yank* Norton?? Not to mention her
toolbars, which I personally think are a PITA!!

And as for the 09's.....they are all her *chat groups*.....grin.

Heather 8-))
 
On that special day, Lisa Goodman, ([email protected]) said...
C:\windows\System32\Ftei.exe
C:\windows\System32\PskA2.exe

What are these? Examine the files. Right click them, choose properties
and read the version info (if there is any)
R3 - URLSearchHook: (no name) -
_{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

No description and no file? Where does that come from?
O2 - BHO: (no name) - {60873C5E-9742-2CC3-8755-615579D37A48} -
C:\windows\System32\xacgr.dll

Google can't tell what it is - examine this file, too.
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx

Something connected to Windows Media Player, an ActiveX control. This
could be ok, but nowadays, some malware hooks the media player or even
replaces it, to hijack your computer.
O4 - HKLM\..\Run: [2HZA8XS597ZPDN] C:\windows\System32\Szg9524W.exe

This one looks rather fishy. Examine it.
O17 - HKLM\System\CCS\Services\Tcpip\..\{371A1B21-F0B8-4923-8095-D97F460DD6D6}:
NameServer = 66.73.20.40 206.141.193.55
O17 - HKLM\System\CS1\Services\Tcpip\..\{371A1B21-F0B8-4923-8095-D97F460DD6D6}:
NameServer = 66.73.20.40 206.141.193.55
O17 - HKLM\System\CS2\Services\Tcpip\..\{371A1B21-F0B8-4923-8095-D97F460DD6D6}:
NameServer = 66.73.20.40 206.141.193.55

66.73.20.40 is Ameritech, part of SouthWestern Bell. Is this your ISP?
206.141.193.55 too


Gabriele Neukam

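As an added example (not code from this thread or from HijackThis), the following Python applies the checks the reply above walks through to the quoted log lines: an R3 hook with no file, an unnamed O2 BHO loading from System32 (Spybot's SDHelper.dll under Program Files stays quiet, as Heather notes), a random-looking O4 Run key name, and the O17 nameservers to confirm with the ISP. The UserInit check on the F2 line and the exact pattern thresholds are this example's own assumptions, and the sample log is a rejoined copy of the entries posted in the thread.

```python
import re

# Sample HijackThis entries, copied from the log posted in this thread with
# the extraction line-wraps rejoined; constructed as a stand-alone sample.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {60873C5E-9742-2CC3-8755-615579D37A48} - C:\windows\System32\xacgr.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [2HZA8XS597ZPDN] C:\windows\System32\Szg9524W.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{371A1B21-F0B8-4923-8095-D97F460DD6D6}: NameServer = 66.73.20.40 206.141.193.55
"""

ENTRY = re.compile(r"^([RFO]\d+) - (.*)$")
IN_SYSTEM32 = re.compile(r"\\system32\\[^\\]+$", re.IGNORECASE)
# Assumed heuristic: all caps/digits, 8+ chars, 3+ digits (shape of 2HZA8XS597ZPDN)
RANDOM_NAME = re.compile(r"^(?=(?:.*\d){3})[A-Z0-9]{8,}$")

def parse(log):
    """Yield (section, body) for every tagged HijackThis line."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def triage(log):
    """Return (section, reason, detail) tuples for entries worth examining."""
    findings = []
    for sec, body in parse(log):
        if sec == "R3" and body.endswith("(no file)"):
            findings.append((sec, "hook with no description and no file", body))
        elif sec == "F2" and "UserInit=" in body:
            exe = body.split("UserInit=", 1)[1].rstrip(",")
            if not exe.lower().endswith("\\userinit.exe"):  # the stock value
                findings.append((sec, "UserInit points at a non-standard program", exe))
        elif sec == "O2" and body.startswith("BHO: (no name)"):
            path = body.rsplit(" - ", 1)[1]
            if IN_SYSTEM32.search(path):  # unnamed DLL in System32, not Program Files
                findings.append((sec, "unnamed BHO loading from System32", path))
        elif sec == "O4":
            m = re.search(r"\[([^\]]+)\] (.*)$", body)
            if m and RANDOM_NAME.match(m.group(1)):
                findings.append((sec, "random-looking Run key name", m.group(2)))
        elif sec == "O17" and "NameServer = " in body:
            servers = " ".join(body.split("NameServer = ", 1)[1].split())
            findings.append((sec, "confirm these DNS servers belong to your ISP", servers))
    return findings
```

Running `triage(SAMPLE_LOG)` yields five findings and leaves ccApp and SDHelper.dll unflagged; the O17 entry is reported for confirmation rather than as malware, matching the question the reply puts to the poster.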
 
For one thing......you have the peper trojan......run this uninstaller:
http://www.memorywatcher.com/uninst.exe
Remain online & connected to the internet when you do

Don't .."fix".."yank"..or delete anything ........

Then follow Heather's advice.... & post your log at one of the forums she
suggested.........it's a much better way to deal with this......
 