Hijack this log help!

Discussion in 'OT Technology' started by Reznik, Jul 20, 2004.

  1. Reznik

    Reznik New Member

    Joined:
    Apr 3, 2004
    Messages:
    1,688
    Likes Received:
    0
    Logfile of HijackThis v1.97.7
    Scan saved at 4:28:52 PM, on 7/20/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    c:\winnt\system32\srvany.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\cdplayer.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Documents and Settings\administrator\Unzipped\HijackThis.exe

    O4 - HKLM\..\Run: [DeluxeCD] C:\WINNT\system32\cdplayer.exe -tray
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4903A89F-5640-48C6-B82D-28914F1BA1C6}: NameServer = 153.2.242.115,153.2.244.155


    Can you gurus help me with this?
     
    Last edited: Apr 22, 2005
  2. maczter

    maczter Life is trying things to see if they work.

    Joined:
    Sep 30, 2003
    Messages:
    3,622
    Likes Received:
    0
    Location:
    Austin, TX
    What kind of problems are you having?
     
  3. Reznik

    Reznik New Member

    Joined:
    Apr 3, 2004
    Messages:
    1,688
    Likes Received:
    0
    Not exactly any problem, but I think sometimes I may have a window or two pop up. But I haven't really noticed it.

    Also while we are at it. What are some good precautions to take against spyware or malware? I have Adaware and HijackThis. I am running Win2K Pro.

    Thanks
     
    Last edited: Apr 22, 2005
  4. col_panic

    col_panic calm like a bomb Moderator

    Joined:
    Sep 19, 2003
    Messages:
    188,160
    Likes Received:
    0
    Location:
    winter haven, fl
    suspect processes:

    C:\WINNT\system32\stisvc.exe
    c:\winnt\system32\srvany.exe
    C:\WINNT\system32\wuauclt.exe

    suspect key:

    O17 - HKLM\System\CCS\Services\Tcpip\..\{4903A89F-5640-48C6-B82D-28914F1BA1C6}: NameServer = 153.2.242.115,153.2.244.155

    wtf is with the capital .EXE?
    C:\WINNT\Explorer.EXE

    run a virus scan while you are at it
     
  6. maczter

    maczter Life is trying things to see if they work.

    Joined:
    Sep 30, 2003
    Messages:
    3,622
    Likes Received:
    0
    Location:
    Austin, TX
    stisvc - stisvc.exe - Process Information

    Process File: stisvc or stisvc.exe
    Process Name: Still Image Service

    Description: Still Image Service, which handles scanners and digital cameras and is installed by Windows if a scanner or camera is connected to the computer. This is the equivalent of STIMON.exe, but for Windows 2000 and XP.
     
  7. maczter

    maczter Life is trying things to see if they work.

    Joined:
    Sep 30, 2003
    Messages:
    3,622
    Likes Received:
    0
    Location:
    Austin, TX
    wuauclt - wuauclt.exe - Process Information

    Process File: wuauclt or wuauclt.exe
    Process Name: AutoUpdate for WindowsME

    Description: Background process responsible for updates to Windows ME. Whenever you connect to the Internet, Wuauclt checks the Microsoft web site for updates to Windows ME.


    ...perhaps now used in Win2K as well?
     
  8. Keyzs

    Keyzs OT Supporter

    Joined:
    Nov 3, 2003
    Messages:
    814
    Likes Received:
    0
    Location:
    Charlotte, MI
    Windows Update Client (comes with ServicePack 3 for Windows 2000).

    Unless these are being used, they are wasting resources, although very little:
    c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe (disable the service don't use hijack to do this)

    O17 - HKLM\System\CCS\Services\Tcpip\..\{4903A89F-5640-48C6-B82D-28914F1BA1C6}: NameServer = 153.2.242.115,153.2.244.155

    Is an interesting line. Is this your PERSONAL machine or does it belong to someone else? I cannot imagine why you would have UPS's NSA servers listed in your TCP/IP settings. If this was a company computer that would explain why it has remote management running. And if it is a company computer I would suggest you do not play with its system configuration without proper authorization...
     
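    The triage that col_panic's list of suspect processes and Keyzs's question about the O17 NameServer line are doing by eye can be scripted. The following is an added example, not code from the thread or from HijackThis itself: it parses a constructed, trimmed copy of the posted log, flags running processes whose file name is not in an assumed baseline of stock Windows 2000 binaries, and flags every O17 NameServer address that falls outside an assumed set of expected resolvers (here the RFC 1918 private ranges). The baseline set, the resolver policy, and the function names are assumptions chosen for illustration.

```python
"""Added example: triage a HijackThis-style log.

Flags (1) running processes whose file name is not in an assumed
baseline of stock Windows 2000 binaries and (2) O17 NameServer
addresses outside an assumed set of expected resolvers.  The sample
log is a constructed, trimmed copy of the one posted in the thread.
"""
import ipaddress
import re
from collections import namedtuple

Finding = namedtuple("Finding", "kind item note")

# Assumption: what a stock Win2K SP4 box with IE6 is expected to be running.
BASELINE_PROCESSES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "regsvc.exe", "mstask.exe", "stisvc.exe",
    "winmgmt.exe", "wuauclt.exe", "explorer.exe", "iexplore.exe",
}

# Assumption: this machine should only use resolvers on RFC 1918 ranges.
EXPECTED_RESOLVERS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample: a trimmed copy of the log posted in the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\stisvc.exe
c:\winnt\system32\srvany.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe

O4 - HKLM\..\Run: [DeluxeCD] C:\WINNT\system32\cdplayer.exe -tray
O17 - HKLM\System\CCS\Services\Tcpip\..\{4903A89F-5640-48C6-B82D-28914F1BA1C6}: NameServer = 153.2.242.115,153.2.244.155
"""

O_LINE_RE = re.compile(r"^O\d+ - ")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>\S+)$")


def parse_log(text):
    """Return (running_processes, o_lines) from a HijackThis log."""
    procs, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False          # a blank line ends the process block
        elif in_procs:
            procs.append(line)
        elif O_LINE_RE.match(line):
            entries.append(line)
    return procs, entries


def basename(path):
    # NTFS path lookup is case-insensitive, so normalise before comparing:
    # Explorer.EXE and explorer.exe name the same file.
    return path.rsplit("\\", 1)[-1].lower()


def review(text, baseline=BASELINE_PROCESSES, expected=EXPECTED_RESOLVERS):
    """Triage a log: unknown processes and unexpected O17 resolvers."""
    procs, entries = parse_log(text)
    findings = []
    for p in procs:
        if basename(p) not in baseline:
            findings.append(Finding("process", p,
                                    "not in baseline; identify before removing"))
    for e in entries:
        m = O17_RE.match(e)
        if not m:
            continue
        for server in m.group("servers").split(","):
            try:
                ip = ipaddress.ip_address(server)
            except ValueError:
                findings.append(Finding("dns", server, "unparseable NameServer value"))
                continue
            if not any(ip in net for net in expected):
                findings.append(Finding("dns", server,
                                        "resolver outside expected set; confirm "
                                        "ownership with the network owner before changing"))
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f.kind:8} {f.item}  -> {f.note}")
```

    On the sample this reports srvany.exe (Resource Kit tool for running an arbitrary program as a service, worth identifying but not malware by itself) and both 153.2.x.x resolvers. An O17 hit is a prompt to ask who owns those addresses, not a removal instruction: on a company-managed machine the "unexpected" resolvers are usually the company's own, which is where this thread ended up. A case difference such as Explorer.EXE is not a signal on its own, since NTFS does not distinguish it from explorer.exe.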
  9. Reznik

    Reznik New Member

    Joined:
    Apr 3, 2004
    Messages:
    1,688
    Likes Received:
    0
    Thanks for the info! But it is rather late; just last week, I did mess with this and our systems went down for a while while I had a panic attack trying to fix it, but I did in the end fix it :eek3: . I learnt a lesson. I work at the UPS store and having our systems down here is not a good thing.

    So I take it the rest of these files are harmless?

    Thanks a ton to everybody who replied.
     
    Last edited: Apr 22, 2005
  10. Keyzs

    Keyzs OT Supporter

    Joined:
    Nov 3, 2003
    Messages:
    814
    Likes Received:
    0
    Location:
    Charlotte, MI
    WTF? You posted the HiJackThis log at 5:31pm yesterday and you're telling me that I was late when you screwed up the machine last week? Am I missing the point of posting a log from your company's computer that you have already screwed with?
     
  11. Reznik

    Reznik New Member

    Joined:
    Apr 3, 2004
    Messages:
    1,688
    Likes Received:
    0
    I didn't mean to say that. I was referring to the part where you asked me not to touch my store computer without company authorization. I did mess with it last week and I posted a thread about this: http://forums.offtopic.com/showthread.php?t=1183905

    Last week: Basically, I deleted the results from both HijackThis and Adaware without saving the logs or asking anybody's opinion because I simply did not know. :uh:
    Then I came on here and posted my question. I still couldn't fix it, then I got some onsite help and they fixed it.

    NOW, the log I posted YESTERDAY is for a post fix check up...to see if any new spyware got on the machine. I wanted to make sure to get some advice from OT gurus before doing anything.
     
    Last edited: Apr 22, 2005
