TechSpot

Please look at my HJT log...

By stratocasius
Jan 25, 2006
  1. Could someone with the knowhow please examine the HJT log below...I'm having a heck of a time removing the "browsela.dll" infected file and I hear that the only way is to narrow it down using HJT...

    Thanks guys!
    _________________________________________________________________


    Logfile of HijackThis v1.99.1
    Scan saved at 1:15:11 PM, on 1/25/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\Windows\System32\smss.exe
    C:\Windows\system32\winlogon.exe
    C:\Windows\system32\services.exe
    C:\Windows\system32\lsass.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\system32\spoolsv.exe
    C:\PROGRA~1\NavNT\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\mnmsrvc.exe
    C:\Windows\system32\rundll32.exe
    C:\Windows\System32\NMSSvc.exe
    C:\PROGRA~1\NavNT\rtvscan.exe
    C:\Windows\system32\CCM\CcmExec.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    C:\Windows\system32\PROMon.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
    C:\PROGRA~1\NavNT\vptray.exe
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\Windows\system32\ctfmon.exe
    C:\Windows\System32\svchost.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msnbc.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/0409/bl7.asp
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
    R3 - URLSearchHook: (no name) - {43F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {78364D99-A640-4ddf-B91A-67EFF8373045} - C:\Windows\system32\apwiz.dll
    O2 - BHO: (no name) - {EEE7178C-BBC3-4153-9DDE-CD0E9AB1B5B6} - C:\Windows\adsldpbg.dll
    O3 - Toolbar: SuperBar - {67D40EE0-5FE3-414B-B1B2-1625B318C6C3} - C:\Program Files\_SUPERBAR\_SUPERBAR.dll (file missing)
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O3 - Toolbar: Coupons - {FB986A68-EAE4-11D4-9BD1-0080C6F60B6A} - C:\Windows\CouponBar.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
    O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
    O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
    O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
    O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AlexaToolbar] C:\Windows\alt.exe
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\Windows\System32\Shdocvw.dll
    O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: (no name) - {2863ACA1-9AA0-4432-8CFE-88C12B3B2E5E} - file://C:\Program Files\Upromise_RemindU\Sy1050\Tp1050\scri1050a.htm (file missing) (HKCU)
    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
    O15 - Trusted Zone: http://*.jlportal (HKLM)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1D8A63E5-F219-11D4-9BD1-000039051213} (CouponTBInst Control) - http://a19.g.akamai.net/7/19/7125/4051/ftp.coupons.com/CouponBar/CouponBar.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
    O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://reciperewards.aavalue.com/RR/Toolbar/rr-toolbar.cab
    O16 - DPF: {77712A64-F30B-47C8-A363-CDA1CEC7DC1B} - http://www.advancedsearchbar.com/searchbarsetup2.exe
    O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://static.topconverting.com/activex/loader2.ocx
    O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c356.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4047/ftp.coupons.com/v3123/cpbrkpie.cab
    O16 - DPF: {9A04E3F0-3BB2-11D2-91E2-00C04FAEC46B} (NMClient Class) - http://wpexchange/ConferencingBin/xcliacc.cab
    O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_5_0.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jacksonlewis.net
    O17 - HKLM\Software\..\Telephony: DomainName = jacksonlewis.net
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jacksonlewis.net
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = jacksonlewis.net
    O20 - Winlogon Notify: browsela - C:\Windows\system32\browsela.dll
    O20 - Winlogon Notify: htproc - htproc32.dll (file missing)
    O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: NavLogon - C:\Windows\System32\NavLogon.dll
    O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\Windows\CWBRXD.EXE
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\Windows\System32\NMSSvc.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\rtvscan.exe
     
  2. swker98

    swker98 TechSpot Paladin Posts: 1,077

    Next time post your log as an ATTACHMANT

    First of all get rid of norton anti virus and firewall, there bloat ware

    get avg and zone alarm insted

    go here then go here

    Get your pc scaned for free forom PANDA

    BOOT INTO SAFE MODE TURN OFF SYSTEM RESTORE
    Fix the fowling enetries


    O2 - BHO: (no name) - {78364D99-A640-4ddf-B91A-67EFF8373045} - C:\Windows\system32\apwiz.dll

    O2 - BHO: (no name) - {EEE7178C-BBC3-4153-9DDE-CD0E9AB1B5B6} - C:\Windows\adsldpbg.dll

    O3 - Toolbar: SuperBar - {67D40EE0-5FE3-414B-B1B2-1625B318C6C3} - C:\Program Files\_SUPERBAR\_SUPERBAR.dll (file missing)

    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

    O3 - Toolbar: Coupons - {FB986A68-EAE4-11D4-9BD1-0080C6F60B6A} - C:\Windows\CouponBar.dll


    O9 - Extra button: (no name) - {2863ACA1-9AA0-4432-8CFE-88C12B3B2E5E} - file://C:\Program Files\Upromise_RemindU\Sy1050\Tp1050\scri1050a.htm (file missing) (HKCU)

    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)

    O15 - Trusted Zone: http://*.jlportal (HKLM)

    O16 - DPF: {1D8A63E5-F219-11D4-9BD1-000039051213} (CouponTBInst Control) - http://a19.g.akamai.net/7/19/7125/4...r/CouponBar.cab

    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab

    O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://reciperewards.aavalue.com/RR.../rr-toolbar.cab

    O16 - DPF: {77712A64-F30B-47C8-A363-CDA1CEC7DC1B} - http://www.advancedsearchbar.com/searchbarsetup2.exe

    O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://static.topconverting.com/activex/loader2.ocx

    O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zan...bridge-c356.cab

    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4...23/cpbrkpie.cab

    O16 - DPF: {9A04E3F0-3BB2-11D2-91E2-00C04FAEC46B} (NMClient Class) - http://wpexchange/ConferencingBin/xcliacc.cab

    O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/do...bin/actxcab.cab



    O20 - Winlogon Notify: htproc - htproc32.dll (file missing)

    O20 - Winlogon Notify: browsela - C:\Windows\system32\browsela.dll<- YOU ARE INFECTED WITH A TROGIN



    FIX IF NOT YOUR ISP
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jacksonlewis.net
    O17 - HKLM\Software\..\Telephony: DomainName = jacksonlewis.net

    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jacksonlewis.net

    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = jacksonlewis.net


    FIX IF YOU DONT USE PARTY POKER
    O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)

    O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)

     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...