  Tom's Hardware UK and Ireland Forums » General Networking » Firewall » Please help hijack this log. Don't know how to check spywa..
 

Please help hijack this log. Don't know how to check spywa..


Archived from groups: comp.security.firewalls

 

Dear All,

Good day!

My computer is running slower than usual. Can anyone please tell me
what are the possible harmful things that are here in my computer? I
have run hijack this in normal mode and I've got the following logs:

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\PROGRAM FILES\U-STORAGE TOOLS2.65\USTORAGE.EXE
C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
C:\WINDOWS\RACPWKOF.EXE
C:\PROGRAM FILES\INTERNET OPTIMIZER\OPTIMIZE.EXE
C:\WINDOWS\SYSTEM\5GBO6COB.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://us.rd.yahoo.com/customize/y [...] ch/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://us.rd.yahoo.com/customize/y [...] .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://linemon/scripts/lmmain.exe?Refresh=5
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyServer = proxy.sdp.shindengen.co.jp:8080
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497}
- (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
- C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} -
C:\WINDOWS\NEM220.DLL
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} -
C:\PROGRAM FILES\SIDEFIND\SFBHO.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio -
{8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} -
C:\PROGRAM FILES\YOURSITEBAR\YSB.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe
-s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] irmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [USTORAG] c:\program files\u-storage
tools2.65\ustorage.exe sys_auto_run C:\PROGRAM FILES\U-STORAGE
TOOLS2.65
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [kiSFspV] C:\WINDOWS\RACPWKOF.EXE
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet
Optimizer\optimize.exe"
O4 - HKLM\..\Run: [5gbo6cob] C:\WINDOWS\SYSTEM\5gbo6cob.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr]
C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [MOSearch]
C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON
FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program
Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links -
{c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} -
C:\PROGRAM FILES\SIDEFIND\SIDEFIND.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) -
http://www.ysbweb.com/ist/software [...] 002245.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = shindengen.co.jp
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 10.52.7.200

I have also run hijack this in Safe Mode and I've got the following
logs:

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://us.rd.yahoo.com/customize/y [...] ch/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://us.rd.yahoo.com/customize/y [...] .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://linemon/scripts/lmmain.exe?Refresh=5
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyServer = proxy.sdp.shindengen.co.jp:8080
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497}
- (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
- C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} -
C:\WINDOWS\NEM220.DLL
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} -
C:\PROGRAM FILES\SIDEFIND\SFBHO.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio -
{8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} -
C:\PROGRAM FILES\YOURSITEBAR\YSB.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe
-s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] irmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [USTORAG] c:\program files\u-storage
tools2.65\ustorage.exe sys_auto_run C:\PROGRAM FILES\U-STORAGE
TOOLS2.65
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [kiSFspV] C:\WINDOWS\RACPWKOF.EXE
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet
Optimizer\optimize.exe"
O4 - HKLM\..\Run: [5gbo6cob] C:\WINDOWS\SYSTEM\5gbo6cob.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr]
C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [MOSearch]
C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON
FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program
Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links -
{c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} -
C:\PROGRAM FILES\SIDEFIND\SIDEFIND.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) -
http://www.ysbweb.com/ist/software [...] 002245.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = shindengen.co.jp
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 10.52.7.200

Please help me: which of these things should I remove, and how do I
remove them? Somebody told me that I should run and save a log file both
in normal and safe modes. But the problem is, I don't know how to
distinguish potential spyware and malware.

Please help. Thanks!

 


--
racer
------------------------------------------------------------------------
racer's Profile: http://forums.techarena.in/member.php?userid=5275
View this thread: http://forums.techarena.in/showthread.php?t=349855
Visit - http://www.techarena.in | http://forums.techarena.in | http://gallery.techarena.in
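Added example, not code from the thread or from the HijackThis tool itself: a small Python script that does the comparison racer was told to make. It parses the log format exactly as it appears in the post (a "Running processes:" block, then the R*/O* entries, some of them wrapped over two lines by the news gateway), lists the processes that were running in normal mode but not in Safe Mode, and for each of them looks up the O4 autostart entry whose command launches that executable. It also picks out entries HijackThis marked "(no file)". The embedded sample is an excerpt of the two logs above; the function names (parse_log, normal_only_processes, link_autostarts, missing_file_entries) are this example's own. Linking a process to its O4 entry shows where it is started from and which line would have to go to stop it; whether it belongs on the machine at all is still a judgment for the reader or for the helper sites named in the replies.

```python
"""Compare a HijackThis log taken in normal mode with one taken in Safe Mode
and tie each extra process back to the O4 entry that starts it.
Added example; not code from the thread or from HijackThis itself."""
import re

# Excerpts of the logs posted above, kept verbatim, including the places
# where the news gateway wrapped a single log entry over two lines.
NORMAL_LOG = r"""Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
C:\WINDOWS\RACPWKOF.EXE
C:\PROGRAM FILES\INTERNET OPTIMIZER\OPTIMIZE.EXE
C:\WINDOWS\SYSTEM\5GBO6COB.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://linemon/scripts/lmmain.exe?Refresh=5
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497}
- (no file)
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [kiSFspV] C:\WINDOWS\RACPWKOF.EXE
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet
Optimizer\optimize.exe"
O4 - HKLM\..\Run: [5gbo6cob] C:\WINDOWS\SYSTEM\5gbo6cob.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 10.52.7.200
"""

# The R/O entries were identical in the Safe Mode log (they are registry
# settings, not running code), so only its process list is needed here.
SAFE_LOG = r"""Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE
"""

ENTRY_RE = re.compile(r"^([RO]\d{1,2}) - (.*)$")      # "O4 - <body>"
O4_RE = re.compile(r"^.*?: \[(.*?)\] (.*)$")         # "<key>: [name] command"
EXE_RE = re.compile(r'^"?(.*?\.exe)', re.IGNORECASE)  # command up to the .exe


def parse_log(text):
    """Split a log into (running processes, [(code, body), ...]).  A line
    without an R*/O* code is a wrapped continuation of the previous entry."""
    processes, entries, in_procs = [], [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.lower() == "running processes:":
            in_procs = True
        elif in_procs and line:
            processes.append(line)
        elif in_procs:
            in_procs = False                 # blank line ends the process block
        elif (m := ENTRY_RE.match(line)):
            entries.append((m.group(1), m.group(2)))
        elif line and entries:
            entries[-1] = (entries[-1][0], entries[-1][1] + " " + line)
    return processes, entries


def basename(path):
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def normal_only_processes(normal_text, safe_text):
    """Processes in the normal-mode log that were not running in Safe Mode,
    i.e. the ones that only exist because some autostart location ran them."""
    normal, _ = parse_log(normal_text)
    safe_names = {p.lower() for p in parse_log(safe_text)[0]}
    return [p for p in normal if p.lower() not in safe_names]


def link_autostarts(processes, entries):
    """Map each process to the [name] of every registry-style O4 entry whose
    command runs an executable with the same file name."""
    links = {p: [] for p in processes}
    for code, body in entries:
        m = O4_RE.match(body) if code == "O4" else None
        if not m:
            continue                          # e.g. "O4 - Startup: x.lnk = ..."
        exe = EXE_RE.match(m.group(2))
        target = basename(exe.group(1) if exe else m.group(2))
        for proc in processes:
            if basename(proc) == target:
                links[proc].append(m.group(1))
    return links


def missing_file_entries(entries):
    """Entries whose target is gone from disk: HijackThis prints '(no file)'."""
    return [(code, body) for code, body in entries if "(no file)" in body]


if __name__ == "__main__":
    extra = normal_only_processes(NORMAL_LOG, SAFE_LOG)
    _, normal_entries = parse_log(NORMAL_LOG)
    for proc, names in link_autostarts(extra, normal_entries).items():
        print(f"{proc}  started by O4 entries: {names or 'none found'}")
    for code, body in missing_file_entries(normal_entries):
        print(f"{code} refers to a missing file: {body}")
```

Run as-is, it reports the four processes that appear only in the normal-mode excerpt and names the HKLM\..\Run entry behind each one, then lists the R3 hook that points at a file which no longer exists. The same functions work on full logs pasted in from a file; entries in the "O4 - Startup:" form (a .lnk in the Startup folder) have no [name] part and are skipped by link_autostarts, so extend O4_RE if those matter for the machine being looked at.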


 

racer wrote:
> Dear All,
>
> Good day!
>
> My computer is running slower than usual. Can anyone please tell me
> what are the possible harmful things that are here in my computer? I
> have run hijack this in normal mode and I've got the following logs:
>
> Running processes:
> C:\WINDOWS\SYSTEM\KERNEL32.DLL
> C:\WINDOWS\SYSTEM\MSGSRV32.EXE
> C:\WINDOWS\SYSTEM\mmtask.tsk
> C:\WINDOWS\SYSTEM\MPREXE.EXE
> C:\WINDOWS\SYSTEM\MSTASK.EXE
> C:\WINDOWS\SYSTEM\SSDPSRV.EXE
> C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
> C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
> C:\WINDOWS\EXPLORER.EXE
> C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
> C:\WINDOWS\SYSTEM\PSTORES.EXE
> C:\WINDOWS\TASKMON.EXE
> C:\WINDOWS\SYSTEM\SYSTRAY.EXE
> C:\WINDOWS\SYSTEM\IRMON.EXE
> C:\PROGRAM FILES\U-STORAGE TOOLS2.65\USTORAGE.EXE
> C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
> C:\WINDOWS\RACPWKOF.EXE
> C:\PROGRAM FILES\INTERNET OPTIMIZER\OPTIMIZE.EXE
> C:\WINDOWS\SYSTEM\5GBO6COB.EXE
> C:\WINDOWS\SYSTEM\CTFMON.EXE
> C:\WINDOWS\SYSTEM\WMIEXE.EXE
> C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
> C:\WINDOWS\SYSTEM\DDHELP.EXE
> C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
> C:\WINDOWS\TEMP\HIJACKTHIS.EXE
>
> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
> http://us.rd.yahoo.com/customize/y [...] ch/ie.html
> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
> http://us.rd.yahoo.com/customize/y [...] .yahoo.com
> R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
> http://linemon/scripts/lmmain.exe?Refresh=5
> R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
> http://www.yahoo.com/
> R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
> Settings,ProxyServer = proxy.sdp.shindengen.co.jp:8080
> R3 - URLSearchHook: (no name) -
> _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
> O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
> - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
> O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} -
> C:\WINDOWS\NEM220.DLL
> O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} -
> C:\PROGRAM FILES\SIDEFIND\SFBHO.DLL
> O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio -
> {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
> O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} -
> C:\PROGRAM FILES\YOURSITEBAR\YSB.DLL
> O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
> O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
> O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe
> -s
> O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
> O4 - HKLM\..\Run: [IrMon] irmon.exe
> O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
> powrprof.dll,LoadCurrentPwrScheme
> O4 - HKLM\..\Run: [USTORAG] c:\program files\u-storage
> tools2.65\ustorage.exe sys_auto_run C:\PROGRAM FILES\U-STORAGE
> TOOLS2.65
> O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
> O4 - HKLM\..\Run: [kiSFspV] C:\WINDOWS\RACPWKOF.EXE
> O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet
> Optimizer\optimize.exe"
> O4 - HKLM\..\Run: [5gbo6cob] C:\WINDOWS\SYSTEM\5gbo6cob.exe
> O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
> powrprof.dll,LoadCurrentPwrScheme
> O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
> O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
> O4 - HKLM\..\RunServices: [*StateMgr]
> C:\WINDOWS\System\Restore\StateMgr.exe
> O4 - HKLM\..\RunServices: [MOSearch]
> C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
> O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON
> FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
> O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
> O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
> Office\Office10\OSA.EXE
> O4 - Startup: WinZip Quick Pick.lnk = C:\Program
> Files\WinZip\WZQKPICK.EXE
> O8 - Extra context menu item: E&xport to Microsoft Excel -
> res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
> O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
> C:\WINDOWS\web\related.htm
> O9 - Extra 'Tools' menuitem: Show &Related Links -
> {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
> O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} -
> C:\PROGRAM FILES\SIDEFIND\SIDEFIND.DLL
> O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
> O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) -
> http://www.ysbweb.com/ist/software [...] 002245.cab
> O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = shindengen.co.jp
> O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 10.52.7.200
>
> I have also run hijack this in Safe Mode and I've got the following
> logs:
>
> Running processes:
> C:\WINDOWS\SYSTEM\KERNEL32.DLL
> C:\WINDOWS\SYSTEM\MSGSRV32.EXE
> C:\WINDOWS\SYSTEM\MPREXE.EXE
> C:\WINDOWS\EXPLORER.EXE
> C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
> C:\WINDOWS\SYSTEM\DDHELP.EXE
> C:\WINDOWS\SYSTEM\STIMON.EXE
> C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
> C:\WINDOWS\TEMP\HIJACKTHIS.EXE
>
> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
> http://us.rd.yahoo.com/customize/y [...] ch/ie.html
> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
> http://us.rd.yahoo.com/customize/y [...] .yahoo.com
> R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
> http://linemon/scripts/lmmain.exe?Refresh=5
> R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
> http://www.yahoo.com/
> R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
> Settings,ProxyServer = proxy.sdp.shindengen.co.jp:8080
> R3 - URLSearchHook: (no name) -
> _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
> O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
> - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
> O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} -
> C:\WINDOWS\NEM220.DLL
> O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} -
> C:\PROGRAM FILES\SIDEFIND\SFBHO.DLL
> O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio -
> {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
> O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} -
> C:\PROGRAM FILES\YOURSITEBAR\YSB.DLL
> O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
> O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
> O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe
> -s
> O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
> O4 - HKLM\..\Run: [IrMon] irmon.exe
> O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
> powrprof.dll,LoadCurrentPwrScheme
> O4 - HKLM\..\Run: [USTORAG] c:\program files\u-storage
> tools2.65\ustorage.exe sys_auto_run C:\PROGRAM FILES\U-STORAGE
> TOOLS2.65
> O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
> O4 - HKLM\..\Run: [kiSFspV] C:\WINDOWS\RACPWKOF.EXE
> O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet
> Optimizer\optimize.exe"
> O4 - HKLM\..\Run: [5gbo6cob] C:\WINDOWS\SYSTEM\5gbo6cob.exe
> O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
> powrprof.dll,LoadCurrentPwrScheme
> O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
> O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
> O4 - HKLM\..\RunServices: [*StateMgr]
> C:\WINDOWS\System\Restore\StateMgr.exe
> O4 - HKLM\..\RunServices: [MOSearch]
> C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
> O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON
> FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
> O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
> O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
> Office\Office10\OSA.EXE
> O4 - Startup: WinZip Quick Pick.lnk = C:\Program
> Files\WinZip\WZQKPICK.EXE
> O8 - Extra context menu item: E&xport to Microsoft Excel -
> res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
> O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
> C:\WINDOWS\web\related.htm
> O9 - Extra 'Tools' menuitem: Show &Related Links -
> {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
> O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} -
> C:\PROGRAM FILES\SIDEFIND\SIDEFIND.DLL
> O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
> O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) -
> http://www.ysbweb.com/ist/software [...] 002245.cab
> O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = shindengen.co.jp
> O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 10.52.7.200
>
> Please help me: which of these things should I remove, and how do I
> remove them? Somebody told me that I should run and save a log file both
> in normal and safe modes. But the problem is, I don't know how to
> distinguish potential spyware and malware.
>
> Please help. Thanks!

racer,

This is the wrong site for posting your "HijackThis" log file. Please visit:

http://forum.hijackthis.de/forumdi [...] nguageid=4

There is also a self analysis site:

http://hijackthis.de/index.php?langselect=english

NOT RECOMMENDED FOR NOVICE USERS!

--
Sir_George

Dak

 

On Fri, 26 Aug 2005 14:30:26 +0530, racer <racer.1ud7xq@DoNotSpam.com>
wrote:

>My computer is running slower than usual. Can anyone please tell me
>what are the possible harmfull things that are here in my computer? I
>have run hijack this in normal mode and i've got the following logs:

TUTORIALS/HELP FILES:
<http://www.bleepingcomputer.com/forums/index.php?showtutorial=42>
<http://www.aumha.org/a/hjttutor.htm>

DO IT YOURSELF:
<http://www.help2go.com/modules.php?name=HJTDetective>
<http://www.hijackthis.de/en>
<http://hjt.iamnotageek.com/>

GET EXPERT HELP:
*NOTE: Registration is REQUIRED before posting a log*
*NOTE: Web sites NOT listed in any particular order*
<http://aumha.net/viewforum.php?f=30>
<http://www.bleepingcomputer.com/forums/forum22.html>
<http://www.dslreports.com/forum/security>
<http://castlecops.com/forum67.html>
<http://www.wilderssecurity.com/forumdisplay.php?f=24>
<http://www.cybertechhelp.com/forums/forumdisplay.php?f=25>
<http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html>
<http://gladiator-antivirus.com/forum/index.php?showforum=170>
<http://forum.iamnotageek.com/f-130.html>
<http://forums.maddoktor2.com/index.php?showforum=17>
<http://www.spywarewarrior.com/viewforum.php?f=5>
<http://forums.spywareinfo.com/index.php?showforum=18>
<http://forums.techguy.org/f54-s.html>
<http://forums.tomcoyote.org/index.php?showforum=27>
<http://forums.subratam.org/index.php?showforum=7>
<http://boards.cexx.org/viewforum.php?f=1>
<http://www.malwarebytes.biz/forums/index.php?showforum=5>

--
dak
My SpywareBlaster Custom Blocking List:
<http://customblockinglist.cjb.net/>

