Please help with this HijackThis log. Don't know how to check for spyware and malware.


Dear All,

Good day!

My computer is running slower than usual. Can anyone please tell me
what are the possible harmful things that are here in my computer? I
have run HijackThis in normal mode and I've got the following logs:

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\PROGRAM FILES\U-STORAGE TOOLS2.65\USTORAGE.EXE
C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
C:\WINDOWS\RACPWKOF.EXE
C:\PROGRAM FILES\INTERNET OPTIMIZER\OPTIMIZE.EXE
C:\WINDOWS\SYSTEM\5GBO6COB.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://linemon/scripts/lmmain.exe?Refresh=5
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.sdp.shindengen.co.jp:8080
R3 - URLSearchHook: (no name) - _ - (no file)
O2 - BHO: AcroIEHlprObj Class - - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: BHObj Class - - C:\WINDOWS\NEM220.DLL
O2 - BHO: BAHelper Class - - C:\PROGRAM FILES\SIDEFIND\SFBHO.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: YourSiteBar - - C:\PROGRAM FILES\YOURSITEBAR\YSB.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] irmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [USTORAG] c:\program files\u-storage tools2.65\ustorage.exe sys_auto_run C:\PROGRAM FILES\U-STORAGE TOOLS2.65
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [kiSFspV] C:\WINDOWS\RACPWKOF.EXE
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [5gbo6cob] C:\WINDOWS\SYSTEM\5gbo6cob.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Related - - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - - C:\WINDOWS\web\related.htm
O9 - Extra button: SideFind - - C:\PROGRAM FILES\SIDEFIND\SIDEFIND.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_1002245.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = shindengen.co.jp
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 10.52.7.200

I have also run HijackThis in Safe Mode and I've got the following
logs:

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://linemon/scripts/lmmain.exe?Refresh=5
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.sdp.shindengen.co.jp:8080
R3 - URLSearchHook: (no name) - _ - (no file)
O2 - BHO: AcroIEHlprObj Class - - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: BHObj Class - - C:\WINDOWS\NEM220.DLL
O2 - BHO: BAHelper Class - - C:\PROGRAM FILES\SIDEFIND\SFBHO.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: YourSiteBar - - C:\PROGRAM FILES\YOURSITEBAR\YSB.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] irmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [USTORAG] c:\program files\u-storage tools2.65\ustorage.exe sys_auto_run C:\PROGRAM FILES\U-STORAGE TOOLS2.65
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [kiSFspV] C:\WINDOWS\RACPWKOF.EXE
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [5gbo6cob] C:\WINDOWS\SYSTEM\5gbo6cob.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Related - - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - - C:\WINDOWS\web\related.htm
O9 - Extra button: SideFind - - C:\PROGRAM FILES\SIDEFIND\SIDEFIND.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_1002245.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = shindengen.co.jp
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 10.52.7.200

Please help me decide which of these things I should remove, and how to
remove them. Somebody told me that I should run and save a log file in
both normal and safe modes. But the problem is, I don't know how to
distinguish potential spyware and malware.

Please help. Thanks!


--
racer
------------------------------------------------------------------------
racer's Profile: http://forums.techarena.in/member.php?userid=5275
View this thread: http://forums.techarena.in/showthread.php?t=349855
Visit -  http://www.techarena.in | http://forums.techarena.in |
http://gallery.techarena.in
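As an added worked example (not part of racer's post, not HijackThis itself, and not a verdict on any file named above), the Python 3.8+ script below parses the log format shown in the post and flags entries on a few structural signals that a log reader checks before looking anything up by name: hooks reported as "(no file)", autostart key names or binaries with generated-looking names sitting directly in C:\WINDOWS or C:\WINDOWS\SYSTEM, browser extension DLLs dropped in the Windows root, and O16 ActiveX downloads from hosts outside an assumed trusted list. It also diffs the "Running processes" sections of the two logs, which is the reason for taking one in each boot mode. The sample text is an excerpt of the logs above; WINDOWS_BASELINE, DPF_TRUSTED and the scoring rules are this example's own assumptions.

```python
"""Triage a HijackThis log: parse it, apply structural heuristics, diff process lists.
Added example, not HijackThis output; sample text is an excerpt of the logs in the post.
WINDOWS_BASELINE, DPF_TRUSTED and the scoring rules are this example's own assumptions."""
import re
from itertools import takewhile

# Constructed input: excerpts of the two logs in the post (HijackThis format).
NORMAL_MODE_LOG = r"""
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\RACPWKOF.EXE
C:\WINDOWS\SYSTEM\5GBO6COB.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R3 - URLSearchHook: (no name) - _ - (no file)
O2 - BHO: BHObj Class - - C:\WINDOWS\NEM220.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [kiSFspV] C:\WINDOWS\RACPWKOF.EXE
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [5gbo6cob] C:\WINDOWS\SYSTEM\5gbo6cob.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_1002245.cab
"""
SAFE_MODE_LOG = r"""
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE
"""

# Assumption: Windows ME / Office XP autostart binaries seen in the log; extend locally.
WINDOWS_BASELINE = {"scanregw.exe", "taskmon.exe", "pchschd.exe", "systray.exe", "irmon.exe",
                    "rundll32.exe", "mstask.exe", "ssdpsrv.exe", "statemgr.exe", "ctfmon.exe", "mdm.exe"}
DPF_TRUSTED = ("microsoft.com", "windowsupdate.com")  # assumption: expected ActiveX download hosts

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
RUNKEY_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]+)\] ")
STARTUP_RE = re.compile(r"^Startup: (?P<name>.+?) = ")
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"\r\n]+?\.(?:exe|dll|ocx))\b', re.IGNORECASE)
HOST_RE = re.compile(r"https?://([^/\s]+)")

def looks_random(name):
    """Weak lexical check for generated names such as 'kiSFspV' or '5gbo6cob': digits
    interleaved with letters, or a 4+ consonant run in a vowel-poor name of 7+ letters."""
    stem = name.rsplit(".", 1)[0].lower()
    if re.search(r"\d[a-z]+\d|[a-z]\d+[a-z]", stem):
        return True
    letters = re.sub(r"[^a-z]", "", stem)
    if len(letters) < 7:
        return False
    vowels = sum(ch in "aeiouy" for ch in letters)
    longest_run = max((len(r) for r in re.findall(r"[^aeiouy]+", letters)), default=0)
    return longest_run >= 4 and vowels / len(letters) < 0.3

def parse_entries(log):
    """Yield (code, body) for each R*/O* line of the log."""
    for line in log.splitlines():
        if m := ENTRY_RE.match(line.strip()):
            yield m.group("code"), m.group("body")

def running_processes(log):
    """Upper-cased paths under 'Running processes:' up to the first blank line."""
    lines = [ln.strip() for ln in log.splitlines()]
    block = lines[lines.index("Running processes:") + 1:]
    return {ln.upper() for ln in takewhile(bool, block)}

def normal_only(normal_log, safe_log):
    """Processes seen in normal mode but not in safe mode: the autostart population."""
    return sorted(running_processes(normal_log) - running_processes(safe_log))

def triage(log):
    """Return [(entry, [reasons])] for entries worth a closer look; baseline binaries are skipped."""
    findings = []
    for code, body in parse_entries(log):
        reasons, parent, exe = [], "", None
        if m := PATH_RE.search(body):
            parent, _, exe = m.group(1).lower().rpartition("\\")
        if exe in WINDOWS_BASELINE:
            continue
        if "(no file)" in body:
            reasons.append("hook registered but its file is missing (orphaned or hidden)")
        key = RUNKEY_RE.match(body) or STARTUP_RE.match(body)
        if code == "O4" and key and looks_random(key.group("name")):
            reasons.append(f"autostart key name {key.group('name')!r} looks generated")
        if code in ("O2", "O3") and parent == "c:\\windows":
            reasons.append(f"browser extension {exe} dropped in the Windows root")
        if exe and parent in ("c:\\windows", "c:\\windows\\system") and looks_random(exe):
            reasons.append(f"{exe} has a generated-looking name in a system directory")
        if code == "O16" and (h := HOST_RE.search(body)) and not h.group(1).lower().endswith(DPF_TRUSTED):
            reasons.append(f"ActiveX download from non-Microsoft host {h.group(1)}")
        if reasons:
            findings.append((f"{code} - {body}", reasons))
    return findings

if __name__ == "__main__":
    for entry, reasons in triage(NORMAL_MODE_LOG):
        print(entry, *("   -> " + r for r in reasons), sep="\n")
    print("\nRunning only in normal mode:", *normal_only(NORMAL_MODE_LOG, SAFE_MODE_LOG), sep="\n  ")
```

Two things the output makes visible. First, the R and O entries are identical in racer's two logs because HijackThis reads them from the registry whichever way the machine was booted; only the "Running processes" section changes, and the difference is exactly the set of programs the Run keys and Startup group launched, which is what the safe-mode log is for. Second, the structural checks are a first pass only: entries whose binary lives in an ordinary Program Files path pass them and still have to be looked up by name in a maintained database, which is the job the sites in the replies below do.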



Re: Please help with this HijackThis log. Don't know how to check for spyware and malware.
racer wrote:

racer,

This is the wrong site for posting your "HijackThis" log file. Please visit:

http://forum.hijackthis.de/forumdisplay.php?f=10&guestlanguageid=4

There is also a self-analysis site:

http://hijackthis.de/index.php?langselect=english

NOT RECOMMENDED FOR NOVICE USERS!

--
Sir_George





Re: Please help with this HijackThis log. Don't know how to check for spyware and malware.

TUTORIALS/HELP FILES:
<http://www.bleepingcomputer.com/forums/index.php?showtutorial=42>
<http://www.aumha.org/a/hjttutor.htm>

DO IT YOURSELF:
<http://www.help2go.com/modules.php?name=HJTDetective>
<http://www.hijackthis.de/en>
<http://hjt.iamnotageek.com/>

GET EXPERT HELP:
*NOTE: Registration is REQUIRED before posting a log*
*NOTE: Web sites NOT listed in any particular order*
<http://aumha.net/viewforum.php?f=30>
<http://www.bleepingcomputer.com/forums/forum22.html>
<http://www.dslreports.com/forum/security>
<http://castlecops.com/forum67.html>
<http://www.wilderssecurity.com/forumdisplay.php?f=24>
<http://www.cybertechhelp.com/forums/forumdisplay.php?f=25>
<http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html>
<http://gladiator-antivirus.com/forum/index.php?showforum=170>
<http://forum.iamnotageek.com/f-130.html>
<http://forums.maddoktor2.com/index.php?showforum=17>
<http://www.spywarewarrior.com/viewforum.php?f=5>
<http://forums.spywareinfo.com/index.php?showforum=18>
<http://forums.techguy.org/f54-s.html>
<http://forums.tomcoyote.org/index.php?showforum=27>
<http://forums.subratam.org/index.php?showforum=7>
<http://boards.cexx.org/viewforum.php?f=1>
<http://www.malwarebytes.biz/forums/index.php?showforum=5>

--
 dak
 My SpywareBlaster Custom Blocking List:
 <http://customblockinglist.cjb.net/>

