
hijackthis log


rolanaj


Well, I cleaned up my Dad's computer with Ad-Aware and Spybot, manually removed some, including the ia.dll file, and now I am wondering if there is anything else suspicious here. One thing

O4 - HKLM\..\Run: [OIUEZNXJ] c:\windows\system32\oiueznxj.exe /install
looks a little weird to me, but I'm hoping someone here knows. At any rate, this is the log from HijackThis:
Logfile of HijackThis v1.98.0
Scan saved at 7:51:30 PM, on 7/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Call Manager\ICM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lc1.law13.hotmail.passport.com/cgi-bin/login
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Msdmxm] c:\windows\system32\msdmxm.exe /noconnect
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [OIUEZNXJ] c:\windows\system32\oiueznxj.exe /install
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Startup: Internet Call Manager.LNK = C:\Program Files\Internet Call Manager\ICM.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {2AEEAC34-FD74-4142-B891-4B05C0C03C87} - http://akamai.downloadv3.com/binaries/DialHTML/EGCOMSERVICE_1046_pack_XP.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN_XP.cab
O16 - DPF: {51045741-8C4E-4EAC-8F03-08E43A6FBB29} - http://aft.ancestry.com/aftfiles/files/install/AncestryFamilyTree.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} -

Any help would be greatly appreciated, as always :whistling: Edited as requested


nlinecomputers

Rolanaj, first, can you edit your post (or can a mod do so) and change your quote tags into [C0DE] tags? Code tags do not post URLs as hyperlinks, as quote tags do. It makes for a dangerous post, as someone might click your link, and the forum software truncates the URL, which makes it hard to review a HijackThis log. You still have several problems. Reboot your system into safe mode and then remove:

O4 - HKLM\..\Run: [Msdmxm] c:\windows\system32\msdmxm.exe /noconnect
O4 - HKLM\..\Run: [OIUEZNXJ] c:\windows\system32\oiueznxj.exe /install
O4 - Startup: Internet Call Manager.LNK = C:\Program Files\Internet Call Manager\ICM.EXE
O16 - DPF: {2AEEAC34-FD74-4142-B891-4B05C0C03C87} - http://akamai.downloadv3.com/binaries/Dial...046_pack_XP.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} -

You should then uninstall Internet Call Manager, if you can. It is a known popup source. You should then go to the C:\Program Files\Internet Call Manager directory and remove the entire directory.

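As an added triage example (not code from the thread, from HijackThis, or from any poster), the script below parses O4 autostart and O16 DPF lines like the ones nlinecomputers singled out and flags the two patterns a log reviewer looks for: an executable nobody recognises being started from system32, and an ActiveX control with no friendly name fetched from a host outside an allowlist. The allowlists, the regexes and the sample lines are constructed assumptions for the demo.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.98 layout (a handful of entries modelled
# on the thread's log, not the full log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [OIUEZNXJ] c:\windows\system32\oiueznxj.exe /install
O4 - HKLM\..\Run: [Msdmxm] c:\windows\system32\msdmxm.exe /noconnect
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {2AEEAC34-FD74-4142-B891-4B05C0C03C87} - http://akamai.downloadv3.com/binaries/DialHTML/EGCOMSERVICE_1046_pack_XP.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} -
"""
# Assumed allowlists for the demo; a real reviewer keeps much longer ones.
KNOWN_SYSTEM32_AUTOSTARTS = {"igfxtray.exe", "hkcmd.exe"}
TRUSTED_DPF_DOMAINS = {"yahoo.com", "yimg.com", "trendmicro.com"}

O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<name>.+?) -\s*(?P<url>\S*)$")
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")

def exe_path(cmd: str) -> str:
    """Program path from an O4 command line, honouring a quoted path."""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0]

def host_trusted(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_DOMAINS)

def triage(log: str) -> list[tuple[str, str]]:
    """Return (line, reason) pairs for entries that deserve a closer look."""
    findings = []
    for line in (raw.strip() for raw in log.splitlines()):
        if m := O4_RE.match(line):
            directory, _, name = exe_path(m["cmd"]).lower().rpartition("\\")
            # An autostart dropped straight into system32 that nobody recognises
            # is the classic hiding spot for the kind of entry removed in the thread.
            if directory.endswith("\\system32") and name not in KNOWN_SYSTEM32_AUTOSTARTS:
                findings.append((line, f"unrecognised system32 autostart {name}"))
        elif m := O16_RE.match(line):
            if not m["url"]:
                findings.append((line, "DPF entry with no download URL"))
            # A bare CLSID (no friendly name) fetched from an unlisted host is
            # the adware/dialer pattern behind the downloadv3.com entries.
            elif CLSID_RE.match(m["name"]) and not host_trusted(m["url"]):
                findings.append((line, f"unnamed ActiveX from {urlparse(m['url']).hostname}"))
    return findings
```

Run `triage(SAMPLE_LOG)` to get the four entries a reviewer would question; the ZoneAlarm, Intel and Yahoo lines pass untouched.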

nlinecomputers, thanks for the help. I will do as you suggested, except the Internet Call Manager is a program you download from Aliant, the local phone company and ISP; it is used to let you know, when you are on dialup, if you have an incoming call. Is that the same Internet Call Manager you are talking about?


nlinecomputers
nlinecomputers, thanks for the help. I will do as you suggested, except the Internet Call Manager is a program you download from Aliant, the local phone company and ISP; it is used to let you know, when you are on dialup, if you have an incoming call. Is that the same Internet Call Manager you are talking about?
Only if you are certain of the source of it. There is a spyware program by the same name that is a porn dialer and delivers porn popups.

Ok, I did everything as you suggested, even the ICM just in case, and here is the new HijackThis log:

Logfile of HijackThis v1.98.0
Scan saved at 9:55:36 PM, on 7/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Call Manager\ICM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lc1.law13.hotmail.passport.com/cgi-bin/login
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN_XP.cab
O16 - DPF: {51045741-8C4E-4EAC-8F03-08E43A6FBB29} - http://aft.ancestry.com/aftfiles/files/install/AncestryFamilyTree.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

So does this look better? I hope so; this has been really time consuming :">


Thanks nline, I appreciate the help a lot :"> I did another scan with Spybot and it brought up two more items. One of them is DSO Exploit, which I found out is actually a bug in Spybot. Apparently this DSO exploit is a vulnerability in IE that has been fixed. The other item is Connect MFC Application; I found some hits on Google but none that explained to me what this is. I'm just curious, as it is one that seems to keep coming back.


Thanks for the links. I will make sure to put one of them on his system next time I am out to visit. Actually, I should probably visit a few more family members and install it; it might save me some time next time they call :wacko:


The other item is Connect MFC Application; I found *some* hits on Google but none that explained to me what this is. I'm just curious, as it is one that seems to keep coming back.
Go to Google and type MFC APPLICATION; there are 283,000 results for this, and as it is a Linux thing, I'm out of here! :P Ozi.

Could it be Microsoft Foundation Class Application? The "connect ..." in there is just an interface to connect to it, i.e. an interface to connect to PowerPoint.


Could it be Microsoft Foundation Class Application? The "connect ..." in there is just an interface to connect to it, i.e. an interface to connect to PowerPoint.
Would this be something you would get if you didn't have PowerPoint on your system? :huh: You know, it has been over two weeks and his system seems to be doing OK; he has Ad-Aware running at boot and he has been running Spybot a couple of times a week. I probably should knock on wood or something after having said that. :P