Please look at this Hijack Log

 
 
Reply Fri 9 Apr, 2004 05:03 am
I wonder if there is a genius out there who could take a look at my Hijack log and see if they see anything strange. I had a spyware attack and have done triple back flips to rid myself of the pests. Adaware, Norton anti-virus, Spywareblaster, X Cleaner, BHOCOP, Spysweeper, Spybot Search and Destroy. After all this, I still get an issue with "cursor lag": a jerky cursor movement, especially in IE, but really everywhere, as if the machine was super busy. Same kind of thing with text ... there's a typing delay, especially in form windows.

It seems to get progressively worse the longer the machine has been on after a reboot.

Anyway, if you could glance at this log and let me know if you see poison, I would be most grateful!

Logfile of HijackThis v1.97.7
Scan saved at 6:51:31 AM, on 4/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\eFax Messenger Plus\HotTray.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\sony\giga pocket\usbsircs.exe
C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
C:\Program Files\Sony\OpenMG Jukebox\Omgtray.exe
C:\Program Files\sony\giga pocket\reservemodule.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\BHODemon\BHODemon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sony Handheld\Hotsync.exe
C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
C:\Program Files\MobiPocket.com\MobiPocket Reader\webcomp.exe
C:\Program Files\sony\giga pocket\gps.exe
C:\PROGRA~1\Sony\GIGAPO~1\Sgpcom.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\adobe\acrobat 5.0\Reader\AcroRd32.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\POWERPNT.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Expertcity\GoToMyPC\g2svc.exe
C:\Program Files\Expertcity\GoToMyPC\g2comm.exe
C:\Program Files\Expertcity\GoToMyPC\g2tray.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Documents and Settings\Sony\Local Settings\Temp\Temporary Directory 1 for hijackthis1977[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O1 - Hosts: comments (such as these) may be inserted on individual
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL (disabled by BHODemon)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\adobe\acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [CleanupProgram] C:\ps804\Shared\App\cleanup.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [tgcmd] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [edmj] C:\WINDOWS\edmj.exe
O4 - HKLM\..\Run: [SpyCop ScanCheck] C:\Program Files\Internet Explorer\setup.exe /LASTSCAN
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Expertcity\GoToMyPC\g2svc.exe -logon
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [X-Cleaner Freeware] "C:\PROGRA~1\X-CLEA~1\XCleaner_free.exe" -turbo -autostart -NOREBOOT
O4 - Startup: BHODemon.lnk = C:\Program Files\BHODemon\BHODemon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\Hotsync.exe
O4 - Startup: Mobipocket Web Companion.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: eFax Tray Menu.lnk = C:\Program Files\eFax Messenger Plus\HotTray.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Giga Pocket Remocon Driver.lnk = ?
O4 - Global Startup: Live Menu.lnk = C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: OpenMG Jukebox Startup.lnk = C:\Program Files\Sony\OpenMG Jukebox\Omgtray.exe
O4 - Global Startup: Timer Recording Manager.lnk = ?
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: =>English - http:\\wordreference.com\it\en\j\0300.htm
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert for CLIE - C:\Program Files\Sony\Image Converter\menu.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.aibosite.com/images/tds.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {25D91F13-96F6-420F-98F3-81C2984460A6} (BAVCharting.ctlMain) - https://www.yrbav.com/bavChartingTool/BAVChart_v3.CAB
O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - http://www1.priv.socal.xmlsweb.com/XMLSearch/XMLCache.CAB
O16 - DPF: {763C10EE-E4C6-49AA-9325-F15ABF1C52B0} (X1 DownloadControl Class) - http://www.x1.com/download/X1WebInstall.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX25.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortcore.cab
O16 - DPF: {86A889A6-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics VRML Automation Driver v3.0) - http://www.parallelgraphics.com/bin/cortauto.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
O16 - DPF: {AD08A333-609E-11D3-950C-008098601567} - http://wordreference.com/Install/ItalianToEnglish.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

 
timberlandko
 
Reply Fri 9 Apr, 2004 08:19 am
For help with spyware and similar problems, CLICK THIS LINK.

Now to your cursor lag ... the problem most likely is way too much stuff starting with Windows. See THIS for a comprehensive look at startup management.
 
Monger
 
Reply Fri 9 Apr, 2004 12:45 pm
Re: Please look at this Hijack Log
giudecca wrote:
I wonder if there is a genius out there who could take a look at my Hijack log and see if they see anything strange. I had a spyware attack and have done triple back flips to rid myself of the pests. Adaware, Norton anti-virus, Spywareblaster, X Cleaner, BHOCOP, Spysweeper, Spybot Search and Destroy. After all this, I still get an issue with "cursor lag": a jerky cursor movement, especially in IE, but really everywhere, as if the machine was super busy. Same kind of thing with text ... there's a typing delay, especially in form windows.

It seems to get progressively worse the longer the machine has been on after a reboot.

Anyway, if you could glance at this log and let me know if you see poison, I would be most grateful!


Close all programs including Windows Explorer & IE windows, then fix the following entries:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL (disabled by BHODemon)
O4 - HKLM\..\Run: [edmj] C:\WINDOWS\edmj.exe
O4 - Startup: Mobipocket Web Companion.lnk = ?
O4 - Global Startup: Giga Pocket Remocon Driver.lnk = ?
O4 - Global Startup: Timer Recording Manager.lnk = ?
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?

Then reboot & delete:

C:\WINDOWS\edmj.exe


Other than that, well, remove as many programs as possible from your startup list. You've got tons of programs needlessly set to run every time Windows starts. In effect your machine IS always super busy. Timber's link above regarding startup management looks like a good page for info 'bout that.
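As an added example (not code from the thread or from HijackThis itself), the triage rules applied in the posts above turned into a small Python checker for HijackThis-style log lines: it flags the missing default URLSearchHook, a BHO that BHODemon has only disabled rather than removed, startup shortcuts whose target is "?", and counts O4 startup entries. The "review" bucket for a bare .exe sitting directly in the Windows directory is my own triage heuristic, not something the thread states, and the sample lines are a constructed excerpt in the log's format.

```python
import re

# Constructed HijackThis v1.97-style excerpt (same line format as the log in the
# thread, chosen to exercise each rule below; not the poster's full log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL (disabled by BHODemon)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [edmj] C:\WINDOWS\edmj.exe
O4 - Startup: Mobipocket Web Companion.lnk = ?
O4 - Global Startup: Timer Recording Manager.lnk = ?
O4 - Global Startup: eFax Tray Menu.lnk = C:\Program Files\eFax Messenger Plus\HotTray.exe
"""

# Every HijackThis entry starts with a section code such as R0, R3, O2, O4.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# Heuristic (my own, not from the thread): an .exe directly in C:\WINDOWS with no
# vendor subfolder, e.g. C:\WINDOWS\edmj.exe, deserves a manual look.
WINROOT_RE = re.compile(r'^"?[A-Za-z]:\\WINDOWS\\[^\\"]+\.exe"?(\s|$)', re.IGNORECASE)


def parse_entries(log_text):
    """Yield (section, body) for each HijackThis entry line, skipping headers."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("section"), m.group("body")


def triage(log_text):
    """Apply the thread's triage rules and group the findings by suggested action."""
    findings = {"fix": [], "dead_shortcuts": [], "review": [], "startup_items": 0}
    for section, body in parse_entries(log_text):
        if section == "R3" and "URLSearchHook is missing" in body:
            findings["fix"].append(body)            # default search hook was removed
        elif section == "O2" and "(disabled by BHODemon)" in body:
            findings["fix"].append(body)            # BHO still registered, only neutralised
        elif section == "O4":
            findings["startup_items"] += 1          # everything here runs at every boot
            if body.endswith("= ?"):
                findings["dead_shortcuts"].append(body)   # shortcut whose target is gone
            elif ": [" in body:
                # Run-key entry looks like "HKLM\..\Run: [name] command"; take the command.
                command = body.split("] ", 1)[1]
                if WINROOT_RE.match(command):
                    findings["review"].append(body)       # bare .exe in the Windows root
    return findings
```

Run `triage(open("hijackthis.log").read())` on a saved log to get the same grouping for a real scan; the startup_items count is the "overloaded startup" figure the replies keep coming back to.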
 
timberlandko
 
Reply Fri 9 Apr, 2004 01:54 pm
Quote:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL (disabled by BHODemon)

All should be dumped.

I'm pretty sure the "MobiPocket" stuff is OK ... it's related to PDA/PC Synch and Transfer stuff. I dunno if I'd get rid of that.


I differ on these, too:
Quote:
O4 - Global Startup: Giga Pocket Remocon Driver.lnk = ?
O4 - Global Startup: Timer Recording Manager.lnk = ?
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?

These all turn up on a known-to-be-malware-free Vaio, so I don't suspect them ... they're just Sony bloatware, as far as I can determine. They don't need to be in the startup folder, though, and the major problem here seems to be an overloaded startup. That needs some serious whittling.

I don't think it'll hurt to delete C:\WINDOWS\edmj.exe; that's related to usenet/newsgroup/newsreader stuff. I might check to see where on the tree it is in relation to the MobiPocket stuff, though ... it could be part of that.

Current AdAware and Spybot both should nail Clearsearch on their own, if run while in safemode as suggested in the general yuckwear removal instructions referenced earlier. Prolly would be a good idea to then find-and-delete any file or folder containing the textstring "clearsearch*" - without the quotes but with the asterisk (other than AdAware, Spybot, or BHODaemon files or folders, of course).
 
Monger
 
Reply Fri 9 Apr, 2004 02:15 pm
timberlandko wrote:
I'm pretty sure the "MobiPocket" stuff is OK ... it's related to PDA/PC Synch and Transfer stuff. I dunno if I'd get rid of that.

I did not make any mention of mobipocket other than that what appear to be dead shortcuts to it should be removed.

Quote:
I differ on these, too:
Quote:
O4 - Global Startup: Giga Pocket Remocon Driver.lnk = ?
O4 - Global Startup: Timer Recording Manager.lnk = ?
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?

These all turn up on a known-to-be-malware-free Vaio, so I don't suspect them ... they're just Sony bloatware, as far as I can determine. They don't need to be in the startup folder, though, and the major problem here seems to be an overloaded startup. That needs some serious whittling.

I am aware that those files are not malicious. The reason I mentioned fixing those startup items in particular, and not the large amount of startup links to other software, is because those appear to be dead shortcuts that link nowhere.

Quote:
I don't think it'll hurt to delete C:\WINDOWS\edmj.exe; that's related to usenet/newsgroup/newsreader stuff. I might check to see where on the tree it is in relation to the MobiPocket stuff, though ... it could be part of that.

Because I'm not sure where you are getting this info about it from, I suspect it is incorrect. I can find only one reference to the file on the internet & it is within a long listing of porn sites.
 
timberlandko
 
Reply Fri 9 Apr, 2004 02:31 pm
I know edmj turns up in usenet filter lists (which I think is the "long lists" you mention). I don't find it anywhere else either, but I don't have Mobipocket, so I don't know if it's part of that ... I suspect it isn't, and I'm pretty sure deleting it will do no harm.
I dropped a query on some usenet admin, security, and help boards, and I'll update you with whatever I find out.

My bad re the broken shortcuts ... those oughtta go.
 
Monger
 
Reply Fri 9 Apr, 2004 02:54 pm
Why are you connecting it to Mobipocket at all?

I agree with you that deleting it is unlikely to cause any problems.

But if you find out more info about the file I'd be interested so yeah please do let us know.
 
timberlandko
 
Reply Fri 9 Apr, 2004 03:16 pm
Mostly the reason I wonder if there might be a connection is that it appears to be related somehow to usenet, and MobiPocket incorporates newsgroup reading. I don't know one way or the other, so far. That's why I wondered where in the tree it was.
 
timberlandko
 
Reply Fri 9 Apr, 2004 04:25 pm
Oh, BTW ... those "long lists" are from update lists for a program used by some corporate or institutional SysAdmins and by some ISPs to filter particular UseNet newsgroups and/or UseNet posts originating from particular domains or specific eMail addresses from their servers ... similar to consumer-type stuff such as AdAware or SpyBot and such, only "Industrial Strength", so to speak. Not all of 'em are "Porn", just most of 'em; there are other categories which routinely are blocked by such means. If you're interested and want to know more about that, see: http://www.cm.org
 
timberlandko
 
Reply Fri 9 Apr, 2004 05:51 pm
Bingo - found out edmj.exe is a Java data miner: http://www.data-miner.com/edm.html

Definitely a get-rid-of.
 
Monger
 
Reply Fri 9 Apr, 2004 11:06 pm
So, basically you're saying giudecca should follow the instructions I posted then, and pretty much ignore our footnotes.... Wink
 
timberlandko
 
Reply Fri 9 Apr, 2004 11:58 pm
Yup. Guess so ...looks like we agree :wink:
Now, all that's left is to get that startup under control, and the cursor problem originally presented should be handled, and giudecca can have the 'puter back ... looks like you and I are just about done with it Laughing
 
msolga
 
Reply Sat 10 Apr, 2004 12:17 am
I wonder if this thread has made Craven cry? Smile
You guys are so clever!