Can someone take a look at a HijackThis log for me?

Discussion in 'OT Technology' started by cmsurfer, Oct 6, 2004.

  1. cmsurfer

    cmsurfer ºllllllº

    Joined:
    Jun 6, 2003
    Messages:
    5,079
    Likes Received:
    0
    Location:
    NJ
    I ran it this morning on a user's machine at work (W2K). It seems every time she goes into IE and either goes to print something or close it she gets a few popups.

    I ran HijackThis and took a bunch of stuff out, but I'm still seeing the popups.


    Logfile of HijackThis v1.98.2
    Scan saved at 9:23:12 AM, on 10/6/2004
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~2\VPTray.exe
    C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
    C:\WINNT\updatetc.exe
    C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
    C:\Program Files\Netropa\Onscreen Display\OSD.exe
    C:\WINNT\System32\ndqaov.exe
    C:\Program Files\AIM\aim.exe
    C:\WINNT\System32\PPN.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Documents and Settings\maria\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.graber-rogg.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:80
    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\System32\msbe.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [sethook] cmd /c start /min cmd /c c:\dell\src_path.cmd
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
    O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
    O4 - HKLM\..\Run: [tpcupdater] C:\WINNT\updatetc.exe
    O4 - HKLM\..\Run: [faokmiyb] C:\WINNT\System32\ndqaov.exe
    O4 - HKLM\..\Run: [conscorr] C:\WINNT\conscorr.exe
    O4 - HKLM\..\Run: [PPN] C:\WINNT\System32\PPN.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...0e686da2c52a:eba71fc54f16cc5285c47c437eb9360a
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = graber-rogg.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DCAD2905-9772-434F-823E-ED8AE9E1BDA9}: NameServer = 10.1.1.7,10.1.1.1
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = graber-rogg.com
    O17 - HKLM\System\CS1\Services\Tcpip\..\{DCAD2905-9772-434F-823E-ED8AE9E1BDA9}: NameServer = 10.1.1.7,10.1.1.1
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = graber-rogg.com
    O17 - HKLM\System\CS2\Services\Tcpip\..\{DCAD2905-9772-434F-823E-ED8AE9E1BDA9}: NameServer = 10.1.1.7,10.1.1.1

    Thanks,
     
  2. Wolf68k

    Wolf68k OT Supporter

    Joined:
    Dec 18, 2003
    Messages:
    4,861
    Likes Received:
    2
    Location:
    Houston, Texas
    Remove:
    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll (file missing)

    Spyware: (run Adaware AND Spybot first)
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\System32\msbe.dll

    The rest seems ok. I'm guessing you work for Graber-Rogg... otherwise you can remove the last 6 entries as well.
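    As an added example (not code from the thread, from HijackThis, or from any poster), here is a small Python triage script that applies, mechanically, the kind of checks the replies in this thread apply by eye: an O2 BHO whose DLL is missing, an O4 Run key that launches an executable straight out of %WINDIR% or System32 that is not a known OS binary, an O16 ActiveX download from a host outside an allowlist, and an O17 DNS server outside RFC 1918 space. The allowlists are assumptions made for the example, the sample log is a constructed subset modelled on the log above, and the second O17 line with the documentation-range resolver 203.0.113.5 is constructed to show the DNS check firing; no entry is being called malware, only flagged for a human to verify.

```python
"""Heuristic triage of HijackThis v1.9x log lines (added example, not the tool's own code)."""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumption: short list of Windows 2000 binaries that legitimately start from
# %WINDIR% or System32. Anything else autostarting from there gets flagged.
KNOWN_OS_BINARIES = {
    "smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
    "spoolsv.exe", "mstask.exe", "regsvc.exe", "explorer.exe", "mobsync.exe",
    "rundll32.exe", "cmd.exe",
}
# Assumption: hosts from which an O16 ActiveX (DPF) download is expected.
TRUSTED_DPF_HOSTS = {"fpdownload.macromedia.com", "download.microsoft.com"}
# Resolvers on a corporate LAN are expected to sit in RFC 1918 space.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - "
                   r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")


@dataclass
class Finding:
    line: str
    severity: str  # "high" = investigate/remove, "low" = verify by hand
    reason: str


def _exe_from_cmd(cmd):
    """First token of a Run-key command, with surrounding quotes stripped."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage_line(line):
    """Return a Finding for a suspicious line, or None if benign or not a handled type."""
    line = line.strip()
    m = O2_RE.match(line)
    if m:
        if m.group("missing"):
            return Finding(line, "low", "BHO registered but its DLL is gone: dead entry, remove it")
        return None
    m = O4_RE.match(line)
    if m:
        exe = _exe_from_cmd(m.group("cmd"))
        base = exe.rsplit("\\", 1)[-1].lower()
        if "." not in base:
            base += ".exe"  # bare names like 'cmd' or 'TCAUDIAG' resolve to .exe
        if base in KNOWN_OS_BINARIES:
            return None
        if "\\winnt\\" in exe.lower() or "\\windows\\" in exe.lower():
            return Finding(line, "high", f"{base} autostarts from the Windows directory but is not a known OS binary")
        if "\\" not in exe:
            return Finding(line, "low", f"{base} autostarts with no path (resolved via PATH search): verify where it lives")
        return None
    m = O16_RE.match(line)
    if m:
        host = (urlparse(m.group("url")).hostname or "").lower()
        if host not in TRUSTED_DPF_HOSTS:
            return Finding(line, "high", f"ActiveX/DPF download from untrusted host {host}")
        return None
    m = O17_RE.match(line)
    if m:
        for s in m.group("servers").split(","):
            s = s.strip()
            try:
                ip = ipaddress.ip_address(s)
            except ValueError:
                return Finding(line, "high", f"unparseable NameServer value {s!r}")
            if not any(ip in net for net in RFC1918):
                return Finding(line, "high", f"DNS server {s} is not an internal (RFC 1918) address: possible DNS hijack")
        return None
    return None


def triage_log(text):
    """Triage every line of a log; findings come back in log order."""
    return [f for f in map(triage_line, text.splitlines()) if f]


# Constructed sample modelled on the log in this thread; the last O17 line
# (resolver 203.0.113.5, a documentation-range address) is invented for the demo.
SAMPLE_LOG = r"""
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [faokmiyb] C:\WINNT\System32\ndqaov.exe
O4 - HKLM\..\Run: [conscorr] C:\WINNT\conscorr.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...0e686da2c52a:eba71fc54f16cc5285c47c437eb9360a
O17 - HKLM\System\CCS\Services\Tcpip\..\{DCAD2905-9772-434F-823E-ED8AE9E1BDA9}: NameServer = 10.1.1.7,10.1.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{DCAD2905-9772-434F-823E-ED8AE9E1BDA9}: NameServer = 10.1.1.7,203.0.113.5
"""
```

    Running `triage_log(SAMPLE_LOG)` yields five findings: the dead systb.dll BHO (low), the two autostarts from C:\WINNT (high), the windupdates.com DPF download (high), and the constructed non-internal resolver (high); the Symantec, Spybot, mobsync and Macromedia entries pass. The heuristics are deliberately narrow: the script answers "where does this thing live and who serves it", not "is it malware", which is still a job for the person reading the log.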
     
  3. col_panic

    col_panic calm like a bomb Moderator

    Joined:
    Sep 19, 2003
    Messages:
    188,160
    Likes Received:
    0
    Location:
    winter haven, fl
    holy crap

    one web ref says:
    "Conscorr.exe is not a random name. It is TrojanDownloader.Win32.Stubby.c."

    i don't care for those other .exe's either. and 4 multimedia .exe's for a keyboard? sheesh
     
  4. cmsurfer

    cmsurfer ºllllllº

    Hey man, not my PC... It's one of those Dell keyboards with the multimedia buttons on it.

    I'll take those out and I'll see what happens.

    Thanks for the heads up on the Trojan thing...

    I have been having problems running Spybot on that machine. Halfway through, when it's fixing the problems, it stops responding. I'll run Ad-Aware later if I still have problems.

    Thanks,
     
  5. mdaniel

    mdaniel S is for Shiksa

    Joined:
    May 6, 2000
    Messages:
    52,499
    Likes Received:
    310
    Location:
    Northwest Mejicooooooo
    Try running them in safe mode with system restore disabled.
     
  6. cmsurfer

    cmsurfer ºllllllº

    I'll try that...

    Thanks,
     
