1
   

How to get rid of HereToFind

Forums: Computers
Email this Topic Print this Page
 
 
forum
 
Reply Thu 17 Feb, 2005 06:45 pm
Hello;

I have been hit by this worm for some time and I can't shake it.

Anyone has any idea on how to get rid of it?

Her is the LOG
##########################

Logfile of HijackThis v1.99.0
Scan saved at 7:34:29 PM, on 2/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe
C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Jconfig\hjavaw.exe
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\JavaSoft\JRE\1.3\bin\javaw.exe
C:\PROGRA~1\NavNT\rtvscan.exe
C:\Program Files\Support.com\bin\tgsrvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\tp4serv.exe
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\S3Mon.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Citianywhere\CAPing.exe
C:\Program Files\Citianywhere\CA\IPInsight\IPClient.exe
C:\Program Files\Citianywhere\CA\IPInsight\IPMon32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\root\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.wamu.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy:8080
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_5_0.dll
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.2.1P.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_5_0.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Sun_JavaPlugin_1.3.0_Any_W2K Install Properties] "C:\program files\javasoft\jre\cpprop.bat"
O4 - HKLM\..\Run: [S3MON] S3Mon.exe
O4 - HKLM\..\Run: [EZCD Reg Import] C:\WINDOWS\System32\reg import "C:\program files\adaptec\easy cd creator 5\easy cd creator\ezcd.reg"
O4 - HKLM\..\Run: [dllInit ibmasstw.dll] "C:\Program Files\UMS\utils\DLLINIT.EXE" ibmasstw.dll
O4 - HKLM\..\Run: [smbdpmi] C:\PROGRA~1\UMS\utils\smbdpmi.exe
O4 - HKLM\..\Run: [wordup] C:\Program Files\Microsoft Office\Office10\wordup.vbs
O4 - HKLM\..\Run: [killWAB] %windir%\Options\delShortcuts.vbs
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [wWw0.exe] c:\documents and settings\u149177\local settings\temp\wWw0.exe
O4 - HKLM\..\Run: [jRVEbC5ry.exe] C:\documents and settings\u149177\local settings\temp\jRVEbC5ry.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [cyberfree.exe] C:\DOCUME~1\WaMuSRVC\LOCALS~1\Temp\nfpb.dat
O4 - HKLM\..\Run: [CAPing] C:\Program Files\Common Files\Citianywhere\CAPing.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Citianywhere\CA\IPInsight\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Citianywhere\CA\IPInsight\IPMon32.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Corel Network monitor worker - {CCDDEF7B-9F16-4D89-812A-B61B4B553036} - C:\WINDOWS\System32\intlmain.dll
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {CCDDEF7B-9F16-4D89-812A-B61B4B553036} - C:\WINDOWS\System32\intlmain.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://home.wamu.net
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at1_x.cab
O16 - DPF: {1d2a8890-3083-11d6-b649-00c04faedb18} (Oracle JInitiator 1.1.8.18) -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093072218218
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = us.wamu.net
O17 - HKLM\Software\..\Telephony: DomainName = us.wamu.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = us.wamu.net
O20 - AppInit_DLLs: TwgProc.DLL
O23 - Service: AutoExNT - Unknown - C:\WINDOWS\System32\AutoExNT.Exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Hummingbird Inetd - Hummingbird Ltd. - C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
O23 - Service: IBM PM Service - Unknown - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Hummingbird Jconfig Daemon - Hummingbird Ltd. - C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe
O23 - Service: Event Log Watch - Unknown - C:\WINDOWS\LogWatNT.exe
O23 - Service: Intel(R) NMS - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\NavNT\rtvscan.exe
O23 - Service: OracleORA920_HOMEManagementServer - Unknown - C:\Oracle\920\bin\OMSNTsrv.exe (file missing)
O23 - Service: OracleORA920_HOMEPagingServer - Unknown - C:\oracle\920/bin/pagntsrv.exe (file missing)
O23 - Service: OracleORA920_HOMESNMPPeerEncapsulator - Unknown - C:\oracle\920\BIN\ENCSVC.EXE (file missing)
O23 - Service: OracleORA920_HOMESNMPPeerMasterAgent - Unknown - C:\oracle\920\BIN\AGNTSVC.EXE (file missing)
O23 - Service: OracleORA920_HOMETNSListener - Unknown - C:\oracle\920\BIN\TNSLSNR.exe (file missing)
O23 - Service: OracleServiceO920V64A - Unknown - c:\oracle\920\bin\ORACLE.EXE (file missing)
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: Support.com Repair Service - SupportSoft, Inc. - C:\Program Files\Support.com\bin\tgsrvc.exe
O23 - Service: Director Support Program - IBM Corporation - C:\PROGRA~1\UMS\Director\bin\twgipcsv.exe
O23 - Service: Director Remote Control Service - Unknown - C:\PROGRA~1\UMS\Director\bin\TWGRMTWC.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thank you for your help.
  • Topic Stats
  • Top Replies
  • Link to this Topic
Type: Discussion • Score: 1 • Views: 627 • Replies: 1
No top replies

 
Don77
 
  1  
Reply Thu 17 Feb, 2005 08:22 pm
Hi forum and welcome to A2K
Have a run through the steps outlined in this Post
Post back a log from HJT please
Ignor the section on updating HJT you have the current version
0 Replies
 
 

Related Topics

Super cool computer tricks, for dopes like me. - Discussion by OCCOM BILL
Clone of Micosoft Office - Question by Advocate
Do You Turn Off Your Computer at Night? - Discussion by Phoenix32890
The "Death" of the Computer Mouse - Discussion by Phoenix32890
Windows 10... - Discussion by Region Philbis
Surface Pro 3: What do you think? - Question by neologist
Windows 8 tips thread - Discussion by Wilso
Mac help/can't install new printer, don't remember passwd - Discussion by ossobuco
GOOGLE CHROME - Question by Setanta
.Net and Firefox... - Discussion by gungasnake
Hacking a computer and remote access - Discussion by trying2learn
 
  1. Forums
  2. » How to get rid of HereToFind
Copyright © 2025 MadLab, LLC :: Terms of Service :: Privacy Policy :: Page generated in 0.03 seconds on 12/27/2025 at 12:14:20