Please review my hijack this log

By MellyJC · 9 replies
Aug 19, 2005
  1. So you guys should all know how absolutely awesome you are for being here giving out free help like you do. I know you've saved my computer in the past and I'm sure you've saved that of many others as well.

    In any case, here's my hijack this log. No known problems in terms of operations, it's just been a while since it's been run and it seemed like time.

    Thank you again you awesome people! :D
  2. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    You have one piece of malware, some rubbish, and a fair bit of unnecessary extras.

    Boot in Safe Mode.
    Switch System restore OFF, see how here.
    In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.
    Next, open Windows Task Manager.

    On Windows 95/98/ME, press CTRL+ALT+DELETE.
    On Windows NT/2000/XP, press CTRL+SHIFT+ESC.
    Click the Processes tab, select the process (if there), click End Process for:
    swdoctor.exe (rubbish)
    jusched.exe (unnecessary)
    qttask.exe (unnecessary)
    winampa.exe (malware)
    UpdReg.EXE (unnecessary)
    SPLASHA.EXE (unnecessary)

    Next, try to UNinstall anything to do with (not delete yet!):
    F:\Program Files\Spyware Doctor\swdoctor.exe

    Next, run a HJT scan and (if still there) place a tick-mark in the little square before:
    F:\Program Files\Spyware Doctor\swdoctor.exe
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - F:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - F:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKCU\..\Run: [Spyware Doctor] "F:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - Startup: Introducing Media Manager.lnk = C:\Program Files\Common Files\Microsoft Shared\Media Manager\SPLASHA.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - F:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    Fix ALL your O16 - DPF: entries
    O23 - Service: avast! Mail Scanner - Unknown owner - F:\Program Files\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - F:\Program Files\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\NVIDIA\NETWOR~1\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
    Now click on the Fix Checked button in HJT.

    When done, from between the above dotted lines, delete the highlighted bold files.
    When a \directory-name\ is bold, delete everything in it, including that directory itself.
    Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
    Repeat this for ALL [usernames].
    Delete all files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
    Boot normal. When all OK, switch System Restore back on.
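For readers who want to see how the HJT lines quoted above break down into fields, here is a small Python parser, added as an illustration (it is not from the thread, and not part of HijackThis itself). It takes a constructed sample made of lines from the reply above, splits each one into section, kind, name, CLSID and target, flags the markers HJT prints for orphaned entries (`(file missing)`, `(no file)`, `(no name)`), and matches the loaded executable against the process list in the reply. The function names, the `unbalanced_quote` heuristic and the triage rules are my own assumptions; the watchlist labels simply repeat those given in the reply.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: a subset of the HJT lines quoted in the reply above.
SAMPLE_LOG = r"""
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - F:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [Spyware Doctor] "F:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Introducing Media Manager.lnk = C:\Program Files\Common Files\Microsoft Shared\Media Manager\SPLASHA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O23 - Service: avast! Mail Scanner - Unknown owner - F:\Program Files\Avast4\ashMaiSv.exe" /service (file missing)
"""

# Labels as given in the reply above (the thread's assessment, repeated here, not my own).
WATCHLIST = {
    "swdoctor.exe": "rubbish",
    "jusched.exe": "unnecessary",
    "qttask.exe": "unnecessary",
    "winampa.exe": "malware",
    "updreg.exe": "unnecessary",
    "splasha.exe": "unnecessary",
}

ENTRY_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")          # "O4 - HKLM\..\Run: ..."
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"^\[(.*?)\] (.*)$")                    # O4 registry Run values
STARTUP_RE = re.compile(r"^(.*?) = (.*)$")                  # O4 Startup-folder shortcuts
EXE_RE = re.compile(r'([^\\"]+\.(?:exe|dll))', re.IGNORECASE)

# Markers HJT prints when the referenced object is gone or unnamed.
MARKERS = (("(file missing)", "file_missing"), ("(no file)", "no_file"), ("(no name)", "no_name"))


@dataclass
class HjtEntry:
    section: str
    kind: str
    raw: str
    name: Optional[str] = None
    clsid: Optional[str] = None
    target: Optional[str] = None
    flags: list = field(default_factory=list)


def parse_line(line: str) -> Optional[HjtEntry]:
    """Parse one HJT log line; returns None for lines that are not entries."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, kind, rest = m.groups()
    entry = HjtEntry(section=section, kind=kind, raw=line.strip())
    if section == "O4":
        rm = RUN_RE.match(rest) or STARTUP_RE.match(rest)
        if rm:
            entry.name, entry.target = rm.group(1), rm.group(2)
        else:
            entry.target = rest
    else:
        # Other sections use "name - {CLSID} - path" or "name - owner - path".
        parts = rest.split(" - ")
        entry.name = parts[0]
        cm = CLSID_RE.search(rest)
        entry.clsid = cm.group(0) if cm else None
        entry.target = parts[-1] if len(parts) > 1 else None
    for marker, flag in MARKERS:
        if marker in rest:
            entry.flags.append(flag)
    # Heuristic (my assumption): an odd number of quotes means a mangled command line.
    if entry.target and entry.target.count('"') % 2 == 1:
        entry.flags.append("unbalanced_quote")
    return entry


def parse_log(text: str) -> list:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def executable_name(entry: HjtEntry) -> Optional[str]:
    """Lower-cased file name of the executable or DLL an entry loads, if any."""
    if not entry.target:
        return None
    m = EXE_RE.search(entry.target)
    return m.group(1).lower() if m else None


def triage(entries: list, watchlist: dict = WATCHLIST) -> list:
    """Return (section, name, reason) tuples for entries worth a second look."""
    findings = []
    for e in entries:
        exe = executable_name(e)
        if exe in watchlist:
            findings.append((e.section, e.name, "watchlist:" + watchlist[exe]))
        for flag in e.flags:
            if flag in ("file_missing", "no_file"):
                findings.append((e.section, e.name, "orphan:" + flag))
    return findings


if __name__ == "__main__":
    for section, name, reason in triage(parse_log(SAMPLE_LOG)):
        print(f"{section:4} {name:30} {reason}")
```

The orphan flags are the cheap wins: an O3 toolbar with `(no file)` or an O23 service whose binary is `(file missing)` cannot run anything and is only registry clutter, which is why the reply lists them for "Fix Checked". Matching the executable name against a list, as the reply does by hand, is how you map a Task Manager process back to the O4 line that starts it.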
  3. DonNagual

    DonNagual TechSpot Ambassador Posts: 2,406

    Can I just say.... wow.

    RealBlackStuff, set up a paypal account so we can donate beer to you.
  4. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    I have a PayPal account, but I don't think Julio would appreciate me making money out of my services. (I would...) :giddy:
  5. MellyJC

    MellyJC TS Rookie Topic Starter Posts: 36

    I actually paid for Spyware Doctor in desperation of my begin2search problem before finding you guys a while back. :(

    So if I get rid of winamp....wma will be able to play all the vids I use it for?
  6. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    You only get rid of ONE program-file, winampa.exe, which is the infected WinampAgent, not Winamp itself.
    That is of course, assuming you followed my instructions to the letter!

    You can keep the Dr, it won't do you any harm. It won't do you much good either...
  7. MellyJC

    MellyJC TS Rookie Topic Starter Posts: 36

    Ah, alright. Thanks!
  8. MellyJC

    MellyJC TS Rookie Topic Starter Posts: 36

    Alright, did what you said. None of those things were actually running, for whatever that's worth. You said a couple of the processes (updreg, splasha etc) are unnecessary, does that mean I should delete them through hijack this?

    I was bad and kept two of the 016 DPFs. I know what the windows genuine thing is about, and it's a nuisance to have to go through so I'm assuming it's ok to keep that, as well as the pinecone, I trust that site. Is it important I get rid of those too even though I know the sources? I'm just sort of afraid I might have problems if I get rid of them.

    Thanks again for all your help RealBlackStuff, you're my computer hero!

    Also, curious what you think of the Microsoft Antispyware program. It found 4 entries for 'old friends' like begin2search today. At least it's free. heh.
  9. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    My advice for the unnecessary programs only involved stopping them from running, HJT only removed the Run at startup from the registry.
    I did NOT advise to delete any unnecessary programs. You can still run them manually.

    The O16s are only registry clutter, you can keep them if you want, but they are useless.
    The Windows genuine thing should be gone through only once, unless you reinstall.
    The pinecone thing almost pains me! It's an ActiveX thing and we all know how harmful that is, don't we?
    It means that after all the tirades we have on these forums, and the worldwide advice to ditch it, you are still using Internet Explorer.


    I use that MS Antispyware myself, it is excellent. (one of the few good M$ programs)
  10. MellyJC

    MellyJC TS Rookie Topic Starter Posts: 36

    Don't recall the reason it got lost the first time, but I've had to do windows validation twice now. The first time was a real pain in the **** since I was using Firefox and it wanted IE or something.

    But yea...I tried Firefox. Great ideas...but half the time my pages wouldn't load. I posted about it on a forum here asking for help getting it working but nobody replied.