OOOO Hijack this INFO!? [Archive] - The PC Guide Discussion Forums

View Full Version : OOOO Hijack this INFO!?

diurnal

04-27-2004, 05:35 PM

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\WINDOWS\System32\fblajayr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\MICK\Desktop\UNZIP PROGRAMS\SPYWARe\hijackthis1977\HijackThis.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem214.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [FinishEvidenceUninstall] c:\autoexecuted.bat
O4 - HKCU\..\RunOnce: [DeleteIESearchbar] rundll32.exe advpack.dll,DelNodeRunDLL32 "c:\progra~1\iesearchbar\iesearchbar.dll"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: axscanner - [url]http://www.pestscan.com/scanner/axscanner.cab[/url]
O16 - DPF: axscannerruntime - [url]http://www.pestscan.com/scanner/axscannerruntime.cab[/url]
O16 - DPF: mscomctl - [url]http://www.pestscan.com/scanner/mscomctl.cab[/url]
O16 - DPF: msvcp71 - [url]http://download.pestpatrol.com/Downloads/Components/msvcp71.cab[/url]
O16 - DPF: msvcr71 - [url]http://download.pestpatrol.com/Downloads/Components/msvcr71.cab[/url]
O16 - DPF: ppctlcab - [url]http://www.pestscan.com/scanner/ppctlcab.cab[/url]
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - [url]http://tdserver.bitstream.com/tdserver.cab[/url]
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - [url]http://pcpitstop.com/pcpitstop/PCPitStop.CAB[/url]
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - [url]http://pcpitstop.com/internet/pcpConnCheck.cab[/url]
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - [url]http://download.yahoo.com/dl/installs/yinst.cab[/url]
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - [url]http://office.microsoft.com/officeupdate/content/opuc.cab[/url]
O16 - DPF: {73F7A062-8829-11D1-B550-006097242D8D} (Voxware MetaSound Audio Decoder) - [url]http://support.ninthhouse.com/updates/installers/voxacm.cab[/url]
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - [url]http://a840.g.akamai.net/7/840/537/7d90ae05585062/housecall.antivirus.com/housecall/xscan53.cab[/url]
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - [url]http://www.installengine.com/engine/isetup.cab[/url]
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} (IEAnimBehaviorFactory Class) - [url]http://download.microsoft.com/download/vizact2000/Install/10/WIN98Me/EN-US/msorun.cab[/url]
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - [url]http://fdl.msn.com/zone/datafiles/heartbeat.cab[/url]
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - [url]http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab[/url]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [url]http://active.macromedia.com/flash2/cabs/swflash.cab[/url]
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - [url]http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab[/url]

THanks and how do you find what to delete??

PrntRhd

04-27-2004, 06:38 PM

The top info of the log is missing?

diurnal

04-27-2004, 07:47 PM

Logfile of HijackThis v1.97.7
Scan saved at 3:31:17 PM, on 4/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\WINDOWS\System32\fblajayr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\MICK\Desktop\UNZIP PROGRAMS\SPYWARe\hijackthis1977\HijackThis.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem214.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [FinishEvidenceUninstall] c:\autoexecuted.bat
O4 - HKCU\..\RunOnce: [DeleteIESearchbar] rundll32.exe advpack.dll,DelNodeRunDLL32 "c:\progra~1\iesearchbar\iesearchbar.dll"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: axscanner - [url]http://www.pestscan.com/scanner/axscanner.cab[/url]
O16 - DPF: axscannerruntime - [url]http://www.pestscan.com/scanner/axscannerruntime.cab[/url]
O16 - DPF: mscomctl - [url]http://www.pestscan.com/scanner/mscomctl.cab[/url]
O16 - DPF: msvcp71 - [url]http://download.pestpatrol.com/Downloads/Components/msvcp71.cab[/url]
O16 - DPF: msvcr71 - [url]http://download.pestpatrol.com/Downloads/Components/msvcr71.cab[/url]
O16 - DPF: ppctlcab - [url]http://www.pestscan.com/scanner/ppctlcab.cab[/url]
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - [url]http://tdserver.bitstream.com/tdserver.cab[/url]
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - [url]http://pcpitstop.com/pcpitstop/PCPitStop.CAB[/url]
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - [url]http://pcpitstop.com/internet/pcpConnCheck.cab[/url]
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - [url]http://download.yahoo.com/dl/installs/yinst.cab[/url]
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - [url]http://office.microsoft.com/officeupdate/content/opuc.cab[/url]
O16 - DPF: {73F7A062-8829-11D1-B550-006097242D8D} (Voxware MetaSound Audio Decoder) - [url]http://support.ninthhouse.com/updates/installers/voxacm.cab[/url]
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - [url]http://a840.g.akamai.net/7/840/537/7d90ae05585062/housecall.antivirus.com/housecall/xscan53.cab[/url]
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - [url]http://www.installengine.com/engine/isetup.cab[/url]
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} (IEAnimBehaviorFactory Class) - [url]http://download.microsoft.com/download/vizact2000/Install/10/WIN98Me/EN-US/msorun.cab[/url]
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - [url]http://fdl.msn.com/zone/datafiles/heartbeat.cab[/url]
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - [url]http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab[/url]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [url]http://active.macromedia.com/flash2/cabs/swflash.cab[/url]
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - [url]http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab[/url]

Steve

04-27-2004, 07:55 PM

You can have HJT fix the following:

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem214.dll

I don't know what this item is, but I have seen it fixed in other HJT logs:

O4 - HKCU\..\RunOnce: [DeleteIESearchbar] rundll32.exe advpack.dll,DelNodeRunDLL32 "c:\progra~1\iesearchbar\iesearchbar.dll"

You might want to wait to fix it until you can get more info on it.

This entry appears to be a randonly named file. I can find no info on it.

C:\WINDOWS\System32\fblajayr.exe

That usually indicates some sort of malware. You can go and find the file and check it's properties to see what it's associated with.

That's pretty much all I see. Others might see more.

malcore

04-27-2004, 08:20 PM

Not related to any malware, but cisvc.exe and cidaemon.exe are part of the Indexing Service in XP. A MAJOR resource hog.

You can uninstall it in Add/Remove Programs > Add/Remove Windows Components. Uncheck Indexing Service. Then disable it by running services.msc, right click Indexing Service, hit properties and disable.

Budfred

04-28-2004, 01:35 AM

You might want to check this about Internet Optimizer....

http://www.kephyr.com/spywarescanner/library/internetoptimizer/index.phtml

which is here:

C:\Program Files\Internet Optimizer\optimize.exe

Reboot and post a fresh log after you do the fixes...