HijackThis log

MaximumUr

Need help with log

Can someone help me get my log straight? I need to get rid of unnecessary junk. Here's my log :wave:

Logfile of HijackThis v1.99.1
Scan saved at 6:26:24 PM, on 4/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\Explorer.EXE
G:\Documents and Settings\Big_U\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50138
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - G:\WINDOWS\ceres.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - G:\WINDOWS\systb.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - G:\Program Files\Yahoo!\common\ycomp5_2_3_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - G:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - G:\Program Files\E2G\IeBHOs.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - G:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: (no name) - {A7210A62-C3A5-FD5E-A95C-C5C9D6C96E93} - G:\WINDOWS\system32\mhcsgk.dll
O2 - BHO: (no name) - {A7530E66-C3A5-FD5E-A95C-C5C9D6C96E93} - G:\WINDOWS\system32\mhcsgk.dll
O2 - BHO: (no name) - {A7537C62-C3A5-FD5E-A95C-C5C9D6C96E93} - G:\WINDOWS\system32\mhcsgk.dll
O2 - BHO: (no name) - {A7540962-C3A5-FD5E-A95C-C5C9D6C96E93} - G:\WINDOWS\system32\mhcsgk.dll
O2 - BHO: (no name) - {A7570F66-C3A5-FD5E-A95C-C5C9D6C96E93} - G:\WINDOWS\system32\mhcsgk.dll
O2 - BHO: (no name) - {A75E0862-C3A5-FD5E-A95C-C5C9D6C96E93} - G:\WINDOWS\system32\mhcsgk.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - G:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: (no name) - {D8220D62-C7D1-FD66-A95C-C5C9D6C96E93} - G:\WINDOWS\system32\mhcsgk.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - G:\Program Files\Yahoo!\common\ycomp5_2_3_0.dll
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - G:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - G:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - G:\PROGRA~1\YOURSI~1\ysb.dll
O4 - HKLM\..\Run: [IPInSightLAN 02] "G:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "G:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [pccguide.exe] "G:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "G:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "G:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [LVCOMS] G:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] G:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [WUSB54GS] G:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [msnappau] "G:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] G:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Dvx] G:\WINDOWS\system32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] G:\WINDOWS\system32\vmss\vmss.exe
O4 - HKLM\..\Run: [WebRebates0] "G:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [wfmGaCf69] G:\WINDOWS\oidejb.exe
O4 - HKLM\..\Run: [Win Server Updt] G:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "G:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
O4 - HKLM\..\Run: [IST Service] G:\Program Files\ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [ctfmon.exe] G:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [oomm] G:\PROGRA~1\COMMON~1\oomm\oommm.exe
O4 - HKCU\..\Run: [Odpr] G:\WINDOWS\system32\apth.exe
O4 - HKCU\..\Run: [Tksjnf] G:\WINDOWS\system32\r?ndll32.exe
O4 - HKCU\..\Run: [aircity] G:\WINDOWS\system32\aircity.exe
O4 - HKCU\..\Run: [eZmmod] G:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] G:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\RunOnce: [aircity] G:\WINDOWS\system32\aircity.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = G:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSXXXXXXXXUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Ebates - file://G:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm
O8 - Extra context menu item: Web Rebates - file://G:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///G:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///G:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - G:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - G:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - G:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - G:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://G:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (HKCU)
 
Here's the rest of my log


O15 - Trusted Zone: *.media-motor.net
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50212/QDow_AS2.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab?refid=1668
O16 - DPF: {A27AD582-5BE5-4C2D-82F0-48B24FE02040} - http://www.adshooter.com/pop_shooter/install/win2000/SYSsfitb.cab
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupdatednews.com/install/aun_0008.exe
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/alien.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/sbc/TrueInstallSBC.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{C00B1A9F-0554-4A7A-830E-BBA54CCCC6D1}: NameServer = 151.164.11.201,151.164.30.104
O23 - Service: Ati HotKey Poller - Unknown owner - G:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - G:\WINDOWS\system32\ati2sgag.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - G:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - G:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: RA Server (Slave) - TWD Industries SAS - G:\WINDOWS\Slave.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - G:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - G:\Program Files\Trend Micro\Internet Security\tmproxy.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - G:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)
O23 - Service: WUSB54GSSVC - Unknown owner - G:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54GS.exe (file missing)
O23 - Service: YPCService - Yahoo! Inc. - G:\WINDOWS\system32\YPCSER~1.EXE
 
Go HERE and follow the instructions very carefully. Print them out if you can.

Once you have done that go HERE for instructions on how to post your Hijackthis log.

Please post your new HJT log in the Windows OS forum and give your post a descriptive title.

Thread split & renamed
-- Regards Mictlantecuhtli :grinthumb


Regards Howard :grinthumb
 
First off Welcome To Techspot :unch:

Next thing you will have to do is place HijackThis in its own folder; yours is not. It has to be C/HJT. This is very important for backup. Please do this, follow the above instructions, then repost your log.
 
The reason is because it is for backup: most people will delete the backups if the folder is on their desktop or in the My Documents folder, and the backup is the important thing. This is also what they told us and stressed in training. Hope this makes sense to you.
 
Please need help with Hjt Log

Hey everyone! :eek: I'm here because I have a problem with junk popups, spyware and I don't know what else, and I need to see if you can help me. I tried the steps in the post you gave me to remove Begin2search / CoolWebSearch. I don't know if I did something wrong, because I still have a popup problem. I also use PC-cillin and keep getting messages that it detects a virus called DLOADER and that it can't quarantine it, so I scan and it does not locate it. So please help. Here's my log, I just saved it. Thanks.
 
MaximumUr

Your HJT-logfile is NOT complete.
All the important R0, R1 and R2 info is missing! (And I assume some more process-info as well!)
Without that, there is very little to go on, trying to sort your problem.
 
Oops, I must have fixed something I wasn't supposed to in HJT. I will appreciate it if you help me solve my problem. Thank you for your time.
 
Run HJT and save the full scan-results. If not saved as xxxx.TXT rename the log-file into something.txt and do NOT make any changes to it!
MUST have a .txt extension.
Then attach that file as in your previous post.
 
New HJT Logfile

Here is my HJT logfile. I did it in regular mode and not in safe mode, don't know if it makes a difference. Thanks.
 

Attachments

  • hijackthis042005.txt (7 KB)
I will give it a shot; here is what I found. See if RBS agrees with me.


Malicious

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
(Description: An unknown URL Search Hook.)

R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
(Description: An unknown URL Search Hook.)

O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - G:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
(Description: MyWebSearch adware toolbar.)

O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - G:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
(Description: MyWebSearch adware toolbar.)

O4 - HKLM\..\Run: [Nsv] G:\WINDOWS\system32\nsvsvc\nsvsvc.exe
(Description: Unidentified adware )

O4 - HKCU\..\Run: [Tksjnf] G:\WINDOWS\system32\r?ndll32.exe
(Description: Illegal filename - result of a malware infection.)

O4 - HKCU\..\Run: [Odpr] G:\Documents and Settings\Big_U\Application Data\apth.exe
(Description: PurityScan/ClickSpring adware trojan.)

Suggestions

Turn off the Sun Java updater.


TO DO LIST

1) Press the "Fix checked" button. Then close HijackThis.

2) Then reboot your computer.

3) Delete the folders C:\Program Files\MyQuickSearch\ and C:\Program Files\MyWebSearch\ if they are on your PC.

4) Delete the folder \nsvsvc\ which resides in C:\WINDOWS\System32\ or C:\WINDOWS\System\

5) Delete the file G:\Documents and Settings\Big_U\Application Data\apth.exe

6) Empty your recycle bin.

7) Run Windows Update and install all critical updates.
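The triage above is done by eye; as an added illustration (this is not code from the thread or from HijackThis), the Python below parses lines in the HJT v1.99 log format and flags the same patterns the helpers key on: entries whose file is gone ("(no file)" / "(file missing)"), filenames carrying characters Windows does not allow (the r?ndll32.exe case), and Trusted Zone or ProxyOverride settings worth confirming. The sample lines are copied from the log posted earlier in the thread; the flag wording is my own.

```python
import re

# Constructed sample: six lines copied from the HijackThis v1.99 log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKCU\..\Run: [Tksjnf] G:\WINDOWS\system32\r?ndll32.exe
O15 - Trusted Zone: *.media-motor.net
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - G:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)
""".strip()

# Every HJT entry reads "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] path".
LINE_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.*)$")
# First drive-letter path in the body, ending at the first .exe/.dll extension.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)", re.I)
# Characters Windows never allows in a file name, so a Run value carrying one
# cannot name a real file (the thread's r?ndll32.exe entry is the case in point).
ILLEGAL_NAME_CHARS = set('?*<>|"')

def parse_line(line):
    """Split one log line into (section, body); None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    return (m.group("section"), m.group("body")) if m else None

def triage(log_text):
    """Return [(section, line, [reasons])] for entries that deserve a look."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, body = parsed
        reasons = []
        if "(no file)" in body or "(file missing)" in body:
            reasons.append("orphan: entry points at a file that no longer exists")
        m = PATH_RE.search(body)
        if m and ILLEGAL_NAME_CHARS & set(m.group(0).rsplit("\\", 1)[-1]):
            reasons.append("illegal filename: cannot be a legitimate file")
        if section == "O15":
            reasons.append("trusted zone: site runs with relaxed IE security")
        if section == "R1" and "ProxyOverride" in body:
            reasons.append("proxy override: confirm the user set this")
        if reasons:
            findings.append((section, raw.strip(), reasons))
    return findings

for _section, _line, _reasons in triage(SAMPLE_LOG):
    print(_section, "|", _line, "\n   ->", "; ".join(_reasons))
```

Only the O2 line (a signed Adobe BHO with its file present) passes clean; everything a flag fires on still needs a human to decide whether it is junk or a setting the user chose.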
 
Thanks, Tbrunt3! I think that did it. My PC is super fast now, like it was before. I'm so relieved. Now, if you don't mind me asking, is there anything I can do to protect my PC so I won't get that pesky adware again?
 
Biggest thing you can do is switch to Firefox and only use IE for Windows Updates. Another good thing to download is a program called SpywareBlaster; you can use this with Firefox and IE. You can check it out Here.
 
I'm afraid most of your problems are still there.

Boot in Safe Mode.
Switch System restore OFF.
Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:

Slave.exe
nsvsvc.exe
r?ndll32.exe
apth.exe
oidejb.exe
oommm.exe

Next, run the latest CWShredder from cwshredder.net/bin/CWSInstall.exe

Next, try to UNinstall anything to do with:
G:\WINDOWS\system32\nsvsvc\nsvsvc.exe
G:\PROGRA~1\COMMON~1\oomm\oommm.exe
G:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm

Next, run a HJT scan and place a tick-mark in the little square before (if still there):
G:\WINDOWS\Slave.exe
G:\WINDOWS\system32\nsvsvc\nsvsvc.exe
G:\WINDOWS\system32\r?ndll32.exe
G:\Documents and Settings\Big_U\Application Data\apth.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - G:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - G:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [Nsv] G:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [wfmGaCf69] G:\WINDOWS\oidejb.exe
O4 - HKCU\..\Run: [Tksjnf] G:\WINDOWS\system32\r?ndll32.exe
O4 - HKCU\..\Run: [oomm] G:\PROGRA~1\COMMON~1\oomm\oommm.exe
O4 - HKCU\..\Run: [Odpr] G:\Documents and Settings\Big_U\Application Data\apth.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSXXXXXXXXUS
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://G:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O23 - Service: RA Server (Slave) - TWD Industries SAS - G:\WINDOWS\Slave.exe

Now click on the Fix Checked button in HJT.
When done, delete the highlighted bold files. When a directory-name is bold, delete everything in it, including that directory itself.
Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
Boot normal. When all OK, switch System Restore back on.
 