Post Your Hijackthis Log

By acidosmosis
Nov 13, 2004
Topic Status:
Not open for further replies.
  1. Littlejim

    Littlejim Newcomer, in training

    HiJack This Log, almost finished, I think.

    So far so good,

    Have used the great guide supplied by 'RealBlackStuff' and have reduced my log by about half! I think I am almost there. Please would someone cast their eye through my log and let me know if anything else is 'not supposed to be there'.

    I have several more questions but I think one at a time...

    Cheers,
    J.
  2. Jkasj

    Jkasj Newcomer, in training

    Alright first off, I would like to thank all of you for helping me out in advance.

    Next, my situation. My computer was running fine until three months ago when my sister and my nephew came to visit (during the winter holiday). My nephew had to do some "homework" (he's 16) and I think he did a little bit more then just homework if you catch my drift.

    Since that little visit my computer has not been operating very well. Simple tasks are fine, as is browsing the internet. But any downloads simply go at a snails pace, or just time out. Even online poker games tend to drop me. Even my nephew complained while he was here, saying his Half life (is that right?) game wasn't working online anymore.

    I am on a ethernet (included in my monthly rent) which used to download at a very high rate (ex: 120 kb/s) and now I can barely get 1.2 kb/s.

    Thanks again you guys, any advice or help is greatly appreciated.

    Logfile of HijackThis v1.98.2
    Scan saved at 9:03:47 PM, on 3/8/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~2\DefWatch.exe
    C:\WINDOWS\System32\gearsec.exe
    C:\WINDOWS\system32\HPConfig.exe
    C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~2\Rtvscan.exe
    C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\carpserv.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\windows\system\hpsysdrv.exe
    C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\IAMAPP.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~2\vptray.exe
    C:\WINDOWS\system32\RUNDLL32.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Steam\Steam.exe
    C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\ATRACK.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Kazaa Lite Revolution\kazaalite.kpp
    C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4nb.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4nb.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4nb.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com/info/e-center-p
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4nb.hpwis.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
    O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
    O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
    O4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\SYMANT~1\SYMANT~1\IAMAPP.EXE
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\vptray.exe
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Utopia Angel] C:\Utopia\Angel\Angel.exe
    O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe -silent
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Startup: Sid Registration.lnk = D:\ATR1.EXE
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
  3. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

  4. Jkasj

    Jkasj Newcomer, in training

    having some trouble.....

    Followed your instructions and cleared a bunch of stuff, however having an issue (maybe cause I've been screwing with it all afternoon) with getting my "running processes" deleted. It's on that list of bad applications running, but whenever I run hijackthis it goes right to R1's etc....

    Don't mean to trouble ya, and if you can help me out with this I will have the majority of it done. Thanks again for your help. Just seeing that list of processes that shouldn't be running is a big eye opener. Appreciate your time. Thanks again.
  5. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Jkasj
    There is no such list of "bad applications running".
    The Processes running: will show up in the log after you SAVED the logfile AS e.g. hjt.txt
    I will advise you which ones are the baddies, so post your new log pronto, please.
  6. Jkasj

    Jkasj Newcomer, in training

    .....

    **laughs at himself** Damn, no wonder I couldn't get it. I kept seeing the applications list on the log, and .......well I don't know what the hell I'm doing. :p

    Did everything on the list. Heres the log. Really appreciate your help, cause there is no way in hell I would have figured any of this out.

    Nice choice of beer.
  7. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Jkasj

    My very first post to you said:

    Go to this post here first, and follow the instructions EXACTLY, especially about UPDATING and HJT-location.

    this is what I get from you: Logfile of HijackThis v1.98.2
  8. Jkasj

    Jkasj Newcomer, in training

    Damn. Wrong version. Is this right? if not I'll work on it once I get off work tonight. Sorry for all this hassle.
  9. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Jkasj

    Boot in Safe Mode.
    Switch System Restore OFF.
    Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:

    PowerReg Scheduler V3.exe
    ATR1.EXE

    Next, try to UNinstall only, NOT delete yet, anything to do with:
    C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll
    C:\Program Files\PartyPoker\IEExtension.dll

    Next, run HJT on its own and let it 'fix' if there:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4nb.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4nb.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4nb.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com/info/e-center-p
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4nb.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Startup: Sid Registration.lnk = D:\ATR1.EXE
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    When done, delete the highlighted bold files. When a directory-name is bold, delete everything in it, including that directory itself.
    Boot normal. When all OK, switch System Restore back on.
  10. Jkasj

    Jkasj Newcomer, in training

    Alright got everything except for the Atr1.exe...but I never found it as a running process while in safe mode.

    Here is the new log.

    Attached Files:

    • HJT.txt
      File size:
      4.5 KB
      Views:
      5
  11. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Jkasj

    Your log is clean. D:\Atr1.exe was maybe part of one of the deleted baddies, or got there at one time while a CD was running. Not to worry as long as it is gone.
     
  12. Jkasj

    Jkasj Newcomer, in training

    Thank you so much for your help and patience.
  13. tomk

    tomk Newcomer, in training

    Please check my HIJACKTHIS log

    Please check the log atached and lrt me know what has to be reoved.

    Thx
    Tom
  14. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    tomk

    Move HJT to its OWN directory, NOT on the Desktop!

    Boot in Safe Mode.
    Switch System restore OFF.
    Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:

    RAADfgBN.exe

    Next, try to UNinstall (not yet delete) anything to do with:
    C:\Program Files\CommonName\Toolbar\
    C:\PROGRA~1\vupqvwvv\RAADfgBN.exe
    C:\WINDOWS\system32\IEDriver

    Next, run HJT on its own and let it 'fix':
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\sb.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\COMMON~2\Toolbar\cnbabe.dll (file missing)
    O2 - BHO: sPeerObj Class - {00000026-8735-428D-B81F-DD098223B25F} - C:\WINDOWS\speer.dll
    O4 - HKLM\..\Run: [Zw0GX9Uw] C:\PROGRA~1\vupqvwvv\RAADfgBN.exe
    O4 - HKLM\..\Run: [dEVHX5Ux] C:\PROGRA~1\vupqvwvv\RAADfgBN.exe
    O4 - HKLM\..\Run: [dUFHZo1w] C:\PROGRA~1\vupqvwvv\RAADfgBN.exe
    O4 - HKLM\..\Run: [YgFGV9Ew] C:\PROGRA~1\vupqvwvv\RAADfgBN.exe
    O4 - HKLM\..\Run: [eQpGYAox] C:\PROGRA~1\vupqvwvv\RAADfgBN.exe
    O4 - HKLM\..\Run: [fwpGTwov] C:\PROGRA~1\vupqvwvv\RAADfgBN.exe
    O4 - HKLM\..\Run: [cQFHWAEx] C:\PROGRA~1\vupqvwvv\RAADfgBN.exe
    O4 - HKLM\..\Run: [cMpGWsEw] C:\PROGRA~1\vupqvwvv\RAADfgBN.exe
    O4 - HKLM\..\Run: [ekVJWAEw] C:\PROGRA~1\vupqvwvv\RAADfgBN.exe
    O4 - HKLM\..\Run: [cYVJU91v] C:\PROGRA~1\vupqvwvv\RAADfgBN.exe
    O4 - HKLM\..\Run: [YMVGYo1w] C:\PROGRA~1\vupqvwvv\RAADfgBN.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O8 - Extra context menu item: Add A Page Note - C:\Program Files\CommonName\Toolbar\createnote.htm
    O8 - Extra context menu item: Bookmark This Page - C:\Program Files\CommonName\Toolbar\createbookmark.htm
    O8 - Extra context menu item: Email This Link - C:\Program Files\CommonName\Toolbar\emaillink.htm
    O8 - Extra context menu item: Search using CommonName - C:\Program Files\CommonName\Toolbar\navigate.htm
    O9 - Extra button: (no name) - {7469C79A-B689-464D-A43F-C7F07F226AEE} - C:\WINDOWS\system32\IEDriver\td.exe (file missing)
    O9 - Extra 'Tools' menuitem: TurboDownload - {7469C79A-B689-464D-A43F-C7F07F226AEE} - C:\WINDOWS\system32\IEDriver\td.exe (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
    O11 - Options group: [CommonName] CommonName
    O15 - Trusted Zone: *.musicmatch.com
    O15 - Trusted Zone: *.musicmatch.com (HKLM)
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O18 - Protocol hijack: cn - {9346A6BB-1ED0-4174-AFB4-13CD4EC0AA40}

    When done, delete the highlighted bold files. When a directory-name is bold, delete everything in it, including that directory itself.
    Boot normal. When all OK, switch System Restore back on.
  15. johnnybev

    johnnybev Newcomer, in training

    help, caught something

    OS: Windows XP Professional
    browser: Firefox 1.0, IE

    Some kind of horrible respawning 'about:blank' and RUNDLL trojan. Norton 2005 removes virus se.dll StartPage trojan about 3 times a day.

    Ran Microsoft Beta AntiSpy in safe mode and destroyed 2 infected files, then ran Adaware SE and removed further 13. What's that about? Anyway... ran HiJack this and here is my log. Please help. PC is grinding...to...a halt.

    Logfile of HijackThis v1.97.7
    Scan saved at 21:02:06, on 15/03/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\WS_FTP Pro\ftpsched.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINDOWS\System32\RegSrvc.exe
    C:\WINDOWS\System32\svc8021x.exe
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\UStorSrv.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Panasonic\HotKey Appendix\HKEYAPP.EXE
    C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    C:\Program Files\WS_FTP Pro\ftpqueue.exe
    C:\Program Files\Belkin\Wireless Mouse Driver\MOUSE32A.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Panasonic\TouchPad\Touchpad.exe
    C:\WINDOWS\system32\mgr8021x.exe
    C:\Bits and Bobs\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://vv1.s13.tempx.cc/open_console_out.php?n=21&pin=1
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {90C47D68-5C4E-4715-8905-2FF66635D707} - C:\WINDOWS\system32\eejbgaa.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TEXTAL~1\TAForIE.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Panasonic HotKey Manager] C:\Program Files\Panasonic\HotKey Appendix\HKEYAPP.EXE
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [PCinfo] C:\Program Files\Panasonic\PCINFO\SetDiag.exe /FirstLogin
    O4 - HKLM\..\Run: [ftpqueue] "C:\Program Files\WS_FTP Pro\ftpqueue.exe" -tray
    O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Belkin\Wireless Mouse Driver\MOUSE32A.EXE
    O4 - HKLM\..\Run: [Multimedia Codecs] C:\WINDOWS\System32\mcc.exe
    O4 - HKLM\..\Run: [PSDrvCheck] C:\WINDOWS\system32\PSDrvCheck.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Touch Pad utility.lnk = ?
    O4 - Global Startup: WLAN Security Client Manager.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by17fd.bay17.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {AD0E37CE-0A0E-4183-83E9-902CC84A4185} (RootInstaller Class) - https://www.partners.extranet.microsoft.com/Content/launch/rootinst.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://m62.webex.com/client/latest/webex/ieatgpc.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = M62Domain.local
    O17 - HKLM\Software\..\Telephony: DomainName = M62Domain.local
    O17 - HKLM\System\CCS\Services\Tcpip\..\{609DACF5-D9A6-4B93-B9FF-38FE25A0DD6A}: NameServer = 158.152.1.43,158.152.1.58
  16. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

  17. thmandan22

    thmandan22 Newcomer, in training Posts: 73

    Cleanig up my sisters college-networked laptop

    Here is the hijackthis log from my sisters laptop in safe mode after running normal anit-spyware stuff. Is there anymore that I can remove, several things I did not know if it was safe. Thank you
  18. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

     
  19. thmandan22

    thmandan22 Newcomer, in training Posts: 73

    Followed instructions, Thank you

    Followed those instructions on your link, Thanks.
    Is there anything more to do. I did cleen it up quite abit, but i have a feeling i may have missed somthing on the hijackthis file.

    Thanks agian.
  20. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    You version of Hijackthis is out of date. Download the latest version from http://www.tomcoyote.org/hjt/

    Then post a new HJT log.

    Regards Howard :grinthumb
  21. thmandan22

    thmandan22 Newcomer, in training Posts: 73

    Thanks, I must have run the old one after I downloaded the newest. still a few I am unsure about. Here it is and thanks agian.

    Attached Files:

  22. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    The only entry I can see that stands out is,

    O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll

    I have done a Google search for this with mixed results, so I`m not really sure whether it should be there or not.

    Perhaps RBS would be the best person to clarify this for you.

    Other than that your log looks pretty clean.

    Regards Howard :grinthumb
  23. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    thmandan22

    Run HJT in Safe Mode and let it fix:
    O2 - BHO: (no name) - {1C044AAD-7955-4cbd-8175-501A165C4E5D} - C:\WINNT\System32\req.dat
    O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: req - C:\WINNT\System32\req.dat

    Then delete the bold files.
  24. thmandan22

    thmandan22 Newcomer, in training Posts: 73

    Thanks for all you help, I could not find the req.dat file only a req.exe. any suggestions?
  25. cbadge

    cbadge Newcomer, in training

    My HijackThis log.....any suggestions?

    Logfile of HijackThis v1.99.1
    Scan saved at 8:48:49 PM, on 3/20/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\HijackThis\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpe.dll/asst.htm
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.4\SDHelper.dll
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A4609457-2F97-4BF7-B7A1-456F33FBB3A4}: NameServer = 142.161.130.155 142.161.2.155
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.