rolanaj Posted July 25, 2004

Well, I cleaned up my Dad's computer with Ad-Aware and Spybot, manually removed the ia.dll file, and now I am wondering if there is anything else suspicious here. One thing, O4 - HKLM\..\Run: [OIUEZNXJ] c:\windows\system32\oiueznxj.exe /install, looks a little weird to me, but I'm hoping someone here knows. At any rate, this is the log from HijackThis:

[code]
Logfile of HijackThis v1.98.0
Scan saved at 7:51:30 PM, on 7/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Call Manager\ICM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lc1.law13.hotmail.passport.com/cgi-bin/login
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Msdmxm] c:\windows\system32\msdmxm.exe /noconnect
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [OIUEZNXJ] c:\windows\system32\oiueznxj.exe /install
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Startup: Internet Call Manager.LNK = C:\Program Files\Internet Call Manager\ICM.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {2AEEAC34-FD74-4142-B891-4B05C0C03C87} - http://akamai.downloadv3.com/binaries/DialHTML/EGCOMSERVICE_1046_pack_XP.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN_XP.cab
O16 - DPF: {51045741-8C4E-4EAC-8F03-08E43A6FBB29} - http://aft.ancestry.com/aftfiles/files/install/AncestryFamilyTree.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} -
[/code]

Any help would be greatly appreciated, as always.

Edited as requested.
nlinecomputers Posted July 26, 2004

Rolanaj,

First, can you edit your post (or can a mod do so) and change your quote tags into [C0DE] tags? Code tags do not post URLs as hyperlinks as quote tags do. It makes for a dangerous post, as someone might click your link, and the forum software truncates the URL, which makes it hard to review a HijackThis log.

You still have several problems. Reboot your system into safe mode and then remove:

[code]
O4 - HKLM\..\Run: [Msdmxm] c:\windows\system32\msdmxm.exe /noconnect
O4 - HKLM\..\Run: [OIUEZNXJ] c:\windows\system32\oiueznxj.exe /install
O4 - Startup: Internet Call Manager.LNK = C:\Program Files\Internet Call Manager\ICM.EXE
O16 - DPF: {2AEEAC34-FD74-4142-B891-4B05C0C03C87} - http://akamai.downloadv3.com/binaries/Dial...046_pack_XP.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} -
[/code]

You should then uninstall Internet Call Manager if you can. It is a known popup source. You should then go to the C:\Program Files\Internet Call Manager directory and remove the entire directory.
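An added example, not code from this thread or from HijackThis: a small Python parser for the O4 (Run key / Startup) and O16 (DPF, ActiveX download) lines of a HijackThis log that lists every entry not on a reviewer's known-good list, which is how the entries flagged in the reply above stand out from the rest of the log. The allowlists are assumptions built from the entries this thread treated as legitimate, and the sample log lines are constructed in the shape of the log posted above.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.98 line format (one entry per line).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [OIUEZNXJ] c:\windows\system32\oiueznxj.exe /install
O4 - HKLM\..\Run: [Msdmxm] c:\windows\system32\msdmxm.exe /noconnect
O4 - Startup: Internet Call Manager.LNK = C:\Program Files\Internet Call Manager\ICM.EXE
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN_XP.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} -
"""

# Assumed allowlists: Run names and download hosts the thread treated as legitimate.
KNOWN_RUN_NAMES = {"zone labs client", "soundman", "igfxtray", "hotkeyscmds", "ccapp"}
KNOWN_DPF_HOSTS = {"yimg.com", "yahoo.com", "trendmicro.com", "ancestry.com"}

O4_RUN_RE = re.compile(r"^O4 - (?P<where>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP_RE = re.compile(r"^O4 - (?P<where>Startup|Global Startup): (?P<name>.+?) = (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<id>.+?)\s*-\s*(?P<url>\S*)$")
RANDOM_NAME_RE = re.compile(r"^[A-Z]{8,}$")  # e.g. OIUEZNXJ: all caps, no recognisable word

def parse_entries(log_text):
    """Return dicts for O4 and O16 lines; every other HijackThis section is skipped."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RUN_RE.match(line) or O4_STARTUP_RE.match(line)
        if m:
            entries.append({"type": "O4", "name": m["name"], "cmd": m["cmd"], "line": line})
            continue
        m = O16_RE.match(line)
        if m:
            entries.append({"type": "O16", "id": m["id"], "url": m["url"], "line": line})
    return entries

def host_is_known(url):
    host = urlparse(url).hostname or ""
    return any(host == h or host.endswith("." + h) for h in KNOWN_DPF_HOSTS)

def review(entries):
    """Return (reason, line) pairs for every entry a reviewer should look at."""
    findings = []
    for e in entries:
        if e["type"] == "O4" and e["name"].lower() not in KNOWN_RUN_NAMES:
            reason = "unknown Run/Startup entry"
            if RANDOM_NAME_RE.match(e["name"]):
                reason += ", random-looking name"
            findings.append((reason, e["line"]))
        elif e["type"] == "O16" and not e["url"]:
            findings.append(("DPF entry with no download URL", e["line"]))
        elif e["type"] == "O16" and not host_is_known(e["url"]):
            findings.append(("ActiveX download from unknown host", e["line"]))
    return findings
```

Running `review(parse_entries(SAMPLE_LOG))` returns exactly the five lines the reply above says to remove, and nothing from the allowlisted entries.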
rolanaj Posted July 26, 2004

nlinecomputers,

Thanks for the help. I will do as you suggested, except the Internet Call Manager is a program you download from Aliant, the local phone company and ISP; it is used to let you know, when you are on dialup, if you have an incoming call. Is that the same Internet Call Manager you are talking about?
nlinecomputers Posted July 26, 2004

[quote]Thanks for the help. I will do as you suggested, except the Internet Call Manager is a program you download from Aliant, the local phone company and ISP; it is used to let you know, when you are on dialup, if you have an incoming call. Is that the same Internet Call Manager you are talking about?[/quote]

Only if you are certain of the source of it. There is a spyware program by the same name that is a porn dialer and delivers porn popups.
rolanaj Posted July 26, 2004

Ok, I did everything as you suggested, even the ICM just in case, and here is the new HijackThis log:

[code]
Logfile of HijackThis v1.98.0
Scan saved at 9:55:36 PM, on 7/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Call Manager\ICM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lc1.law13.hotmail.passport.com/cgi-bin/login
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN_XP.cab
O16 - DPF: {51045741-8C4E-4EAC-8F03-08E43A6FBB29} - http://aft.ancestry.com/aftfiles/files/install/AncestryFamilyTree.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
[/code]

So, does this look better? I hope so; this has been really time consuming :">
nlinecomputers Posted July 26, 2004

Looks clean to me.
rolanaj Posted July 26, 2004

Thanks nline, I appreciate the help a lot :"> I did another scan with Spybot and it brought up two more items. One of them is DSO Exploit, which I found out is actually a bug with Spybot; apparently this DSO exploit is a vulnerability in IE that has been fixed. The other item is Connect MFC Application; I found some hits on Google but none that explained to me what this is. I'm just curious, as it is one that seems to keep coming back.
zlim Posted July 26, 2004

You may want to install SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) or SpywareGuard (http://www.javacoolsoftware.com/spywareguard.html) on your Dad's computer. Either one of these will work well at preventing spyware from getting into the computer, so you'll have a lot less clean-up to do.
rolanaj Posted July 27, 2004

Thanks for the links. I will make sure to put one of them on his system next time I am out to visit. Actually, I should probably visit a few more family members and install it; it might save me some time next time they call.
Ozidave Posted July 28, 2004

[quote]The other item is Connect MFC Application, I found *some* hits on google but none that explained to me what this is. I'm just curious as it is one that seems to keep coming back.[/quote]

Go to Google and type MFC APPLICATION; there are 283,000 results for this, and as it is a Linux thing, I'm out of here!

Ozi.
striker Posted July 28, 2004

Could it be Microsoft Foundation Class Application? The "connect ..." in there is just an interface to connect to it, i.e. an interface to connect to PowerPoint.
rolanaj Posted August 14, 2004

[quote]Could it be Microsoft Foundation Class Application? The "connect ..." in there is just an interface to connect to it, i.e. an interface to connect to PowerPoint.[/quote]

Would this be something you would get if you didn't have PowerPoint on your system? You know, it has been over two weeks and his system seems to be doing ok; he has Ad-Aware running at boot and he has been running Spybot a couple of times a week. Probably should knock on wood or something after having said that.