Hijack This Log
-
I have run Spybot, Ad-Aware, and CWShredder - only read about not running this one after the fact.
My dial-up connection still resets itself with new number, password and user number. Here's the log:
Thanks for any help!
Mark D.
Logfile of HijackThis v1.99.0
Scan saved at 10:33:55 AM, on 1/27/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\WINDOWS\system32\pctspk.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Visioneer OneTouch\OneTouchMon.exe
D:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
D:\WINDOWS\system32\usbn.exe
D:\Program Files\ScanSoft\PaperPort\PPWebCap.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Mightyfax\MFNTCTL.EXE
D:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
D:\Program Files\palmOne\HOTSYNC.EXE
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe
D:\Documents and Settings\M Denoncourt\Desktop\Hijackthis\hijackthis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [OneTouch Monitor] D:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [usbn] D:\WINDOWS\system32\usbn.exe -go -c7 -w1
O4 - HKCU\..\Run: [PPWebCap] D:\Program Files\ScanSoft\PaperPort\PPWebCap.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = D:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: MightyFAX Controller.lnk = D:\Program Files\Mightyfax\MFNTCTL.EXE
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = D:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Color Calibration.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O17 - HKLM\System\CCS\Services\Tcpip\..\{255482CB-7659-4B6D-80F1-463DD12A0E78}: NameServer = 216.192.223.21 216.192.63.69
O17 - HKLM\System\CS1\Services\Tcpip\..\{255482CB-7659-4B6D-80F1-463DD12A0E78}: NameServer = 216.192.223.21 216.192.63.69
O23 - Service: iPod Service - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PCTEL Speaker Phone - PCtel, Inc. - D:\WINDOWS\system32\pctspk.exe
-
That will be on account of the Adult Content Dialler you've managed to pick up.
Uninstall that version of Sun Java on your machine via Add/Remove Programs. It has a known security issue with it. Download and install the latest version from here.
Run HJT again and checkmark the boxes next to the following:-
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [usbn] D:\WINDOWS\system32\usbn.exe -go -c7 -w1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
Now close ALL windows & browsers and click FIX CHECKED
Reboot into Safe Mode.
Tap F8 repeatedly when your machine starts to boot up.
Select 'Safe Mode' from the options that appear.
Set Windows to 'Show all files & folders'.
Click Start > My Computer > Tools > Folder Options.
On the View tab make sure that you:-
Select 'Show Hidden Files & Folders'
Uncheck 'Hide file extensions for known file types'.
Uncheck 'Hide protected operating system files'.
Click OK.
Delete the following file in bold:
C:\WINDOWS\system32\usbn.exe
Reboot and post a fresh log in this thread.
-
Deleted:
usbn.exe
also found and deleted:
usbn.exe-200c137b.pf
Will install the new Java software next.
New log:
Logfile of HijackThis v1.99.0
Scan saved at 2:24:46 PM, on 1/28/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\WINDOWS\system32\pctspk.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZONELABS\vsmon.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Visioneer OneTouch\OneTouchMon.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\ScanSoft\PaperPort\PPWebCap.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Mightyfax\MFNTCTL.EXE
D:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
D:\Program Files\SEC\MagicTune 2.5\GammaTray.exe
D:\Program Files\palmOne\HOTSYNC.EXE
D:\Program Files\iPod\bin\iPodService.exe
D:\Documents and Settings\M Denoncourt\Desktop\Hijackthis\hijackthis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [OneTouch Monitor] D:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [PPWebCap] D:\Program Files\ScanSoft\PaperPort\PPWebCap.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = D:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: MightyFAX Controller.lnk = D:\Program Files\Mightyfax\MFNTCTL.EXE
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = D:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Color Calibration.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/pro...tor/WebAAS.cab
O23 - Service: iPod Service - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PCTEL Speaker Phone - PCtel, Inc. - D:\WINDOWS\system32\pctspk.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - D:\WINDOWS\system32\ZONELABS\vsmon.exe
Mark D.
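Added example, not part of the original thread: a small Python script that compares a HijackThis log taken before a fix with the fresh log taken afterwards, so the removed and newly added entries can be reviewed at a glance. The log excerpts are copied from the two logs posted above; the function names (`parse_entries`, `diff_logs`, `still_present`) are hypothetical.

```python
import re

# A HijackThis entry starts with a group code (R0, O4, O23, ...) then " - ".
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

# Excerpts copied from the two logs in this thread (1/27/2005 and 1/28/2005).
BEFORE = r"""Running processes:
D:\WINDOWS\system32\usbn.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [usbn] D:\WINDOWS\system32\usbn.exe -go -c7 -w1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O23 - Service: iPod Service - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
"""
AFTER = r"""Running processes:
D:\WINDOWS\system32\ZONELABS\vsmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O23 - Service: iPod Service - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - D:\WINDOWS\system32\ZONELABS\vsmon.exe
"""

def parse_entries(log_text):
    """Return the set of (group, detail) entries; headers and process paths are skipped."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2).strip()))
    return entries

def diff_logs(before, after):
    """Return (removed, added) entry lists between two scans."""
    old, new = parse_entries(before), parse_entries(after)
    return sorted(old - new), sorted(new - old)

def still_present(log_text, needles):
    """Return the needles (case-insensitive substrings) found anywhere in the log,
    process list included, so a file gone from autoruns but still running is caught."""
    lowered = log_text.lower()
    return [n for n in needles if n.lower() in lowered]

if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    for group, detail in removed:
        print("removed", group, detail)
    for group, detail in added:
        print("added  ", group, detail)
    print("leftovers:", still_present(AFTER, ["usbn.exe", "j2re1.4.2_05"]))
```

Entries that show up as added are worth confirming against software installed between the two scans, as with the ZoneAlarm entries here.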
-
You're clean now Mark. I suggest you immediately click on the 'Windows Update' link in my signature and download/install Service Pack 2 and ALL Critical Updates. Without these you're wide open to reinfection every minute you surf the internet and a magnet for malware. Once installed, don't forget to switch off the new SP2 firewall via Control Panel > Security Centre as it may conflict with your current ZoneAlarm.
These other small programs are essential in further protecting yourself:
SpywareBlaster
Protects against bad ActiveX and prevents Spyware being installed in the first place. Check for updates once a fortnight.
SpywareGuard
Alerts you to any attempted change to your browser settings.
Acts like an anti-virus program but for Spyware.
IE-SPYAD
Adds over 7000 sites to your IE Restricted Zone protecting you when visiting innocent-looking sites that aren't innocent at all.
* Keep your anti virus software updated and scan weekly with Spybot and Ad-Aware.
Safe Surfing.
HJM
-
HJM,
Thanks for the help. All's well now. I've added the several programs that you suggested also.
Mark D.
-
You're welcome