TechSpot

Hijackthis log - what do i remove now?

By kimberly
Jan 2, 2005
  1. Hi I am new and have found this site very helpful. I seem to have removed the Begin2search toolbar by your recommendations. But I am still getting pop ups.

    This is my hijack log after I deleted some popupadserver. it obviously isn't enough as I just got some more popping up as I type this!!!

    I don't want to use my computer until I know it's ok. So I can turn back on my system restore thing.
     
  2. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    For infection-reasons we won't open any .doc files.
    Post your HJT-file again as hijackthis.txt please.
     
  3. kimberly

    kimberly TS Rookie Topic Starter

    Thanks for looking at this. I've removed the popupsearchs.com one 2 times a day thru hijack but it seems there is something else that's causing it?

    Logfile of HijackThis v1.99.0
    Scan saved at 1:53:55 PM, on 1/2/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\Tom&Kimbery\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by1fd.bay1.hotmail.msn.com/c...01&a=9bc4edd4f209f2cd217fa38a4a0a5ec0&fti=yes
    O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: ohb - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINDOWS\system32\winb2s32.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O2 - BHO: ohb - {CB5B2BC6-F957-4D8A-BE67-83F3EC58BA01} - C:\WINDOWS\system32\dsktrf.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [wcozauvvsqhql] C:\WINDOWS\system32\jofzmcfs.exe
    O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] ??? \WkDetect.exe
    O4 - HKCU\..\Run: [NoAdware] "C:\Program Files\NoAdware\NoAdware.exe" /s
    O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} (EGEGAUTH Class) - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1025_EN_XP.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093665486078
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
     
  4. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

  5. E_Saint

    E_Saint TS Rookie

    try ad-aware SE ... i tried i go and come ... proven to be gd but uncheck the the "search negligble risk entries" when scaning cos lotsa progam pop up askin u to del them :)
     
  6. kimberly

    kimberly TS Rookie Topic Starter

    Missed a step in procedure

    I followed all steps as instructed. I could not delete my temp internet files. All other users I could. It said it was in read only mode. I unchecked box but it wouldn't stay unchecked. The files are locked? I've tried deleting the whole file but that won't work. Any ideas as this is the only step I couldn't do.
    My computer "seems" to be free from problems. I attached my new scan.

    Thanks again for the great support.
     
  7. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Kimberly

    Uninstall NoAdware, its rubbish and a waste of money.
    See also here: http://www.adwarereport.com/mt/archives/000023.html

    You still have a NASTY, in the form of ZServ.dll

    Run HJT in Safe Mode on its own and let it "fix" (if still around):

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by1fd.bay1.hotmail.msn.com/c...01&a=9bc4edd4f209f2cd217fa38a4a0a5ec0&fti=yes
    O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZServ.dll
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] ???\WkDetect.exe
    O4 - HKCU\..\Run: [NoAdware] "C:\Program Files\NoAdware\NoAdware.exe" /s

    Then delete C:\WINDOWS\ZServ.dll

    Reboot in normal mode.
    If you installed Spybot S&D and let it immunise you PC, you don't need any crap like NoAdware.

    Run Adaware and Spybot at least once a week, and ALWAYS updte their definitions first.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...