Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Hijackthis log. 2

Status
Not open for further replies.
XWalrus2

XWalrus2

Programmer
May 27, 2002
47
0
0
US
Can someone tell me which of these I need to fix?

Logfile of HijackThis v1.97.7
Scan saved at 6:46:38 PM, on 6/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\htpatch.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\HP CD-DVD\Umbrella\hpcdtray.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\PROGRA~1\MICROS~4\WCESCOMM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Mobipocket Shared\webcomp.exe
C:\WINDOWS\System32\playxd.exe
C:\WINDOWS\System32\po5300ah.exe
C:\WINDOWS\System32\channels.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
c:\windows\msbb.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\sballaban\Desktop\HijackThis.exe
C:\WINDOWS\System32\Bxbw21Y.exe
C:\WINDOWS\System32\Alw1R.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {00A0A40C-F432-4C59-BA11-B25D142C7AB7} - C:\WINDOWS\System32\mskceo.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINDOWS\System32\mskhhe.dll
O2 - BHO: (no name) - {0BA1C6EB-D062-4E37-9DB5-B07743276324} - C:\WINDOWS\System32\msglji.gif
O2 - BHO: (no name) - {25F7FA20-3FC3-11D7-B487-00D05990014C} - C:\WINDOWS\System32\mseggo.gif
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem218.dll
O2 - BHO: (no name) - {94927A13-4AAA-476A-989D-392456427688} - C:\WINDOWS\System32\msjfbl.dll
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O2 - BHO: (no name) - {CC916B4B-BE44-4026-A19D-8C74BBD23361} - C:\WINDOWS\System32\msfaol.dll
O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem218.dll
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\System32\msnkmi.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [3W@DPTH5XBK93S] C:\WINDOWS\System32\GnsDk.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [tssi] C:\WINDOWS\System32\tssi.exe
O4 - HKLM\..\Run: [sRn] C:\docume~1\sballa~1\locals~1\temp\sRn.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Mo651G] C:\docume~1\sballa~1\locals~1\temp\Mo651G.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HPCDTray] "C:\Program Files\HP CD-DVD\Umbrella\hpcdtray.exe"
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP CD-DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [sfub] C:\WINDOWS\sfub.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [cuwkvmkampa] C:\WINDOWS\System32\caylqnxu.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [fajex] C:\WINDOWS\fajex.exe
O4 - HKLM\..\Run: [gxcbopyt] C:\WINDOWS\gxcbopyt.exe
O4 - HKLM\..\Run: [playxd] C:\WINDOWS\System32\playxd.exe
O4 - HKLM\..\Run: [po5300ah] C:\WINDOWS\System32\po5300ah.exe
O4 - HKLM\..\Run: [channels] C:\WINDOWS\System32\channels.exe
O4 - HKLM\..\Run: [msbb] c:\windows\msbb.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~4\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Mobipocket Web Companion] C:\Program Files\Common Files\Mobipocket Shared\webcomp.exe -m
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msgked.exe
O4 - HKCU\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convert for CLIÉ - C:\Program Files\Sony\Image Converter\menu.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: Yahoo! Pool 2 - O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - O17 - HKLM\System\CCS\Services\Tcpip\..\{DF190DAF-9E00-4AFC-8985-2B2F1A58C4CA}: NameServer = 205.188.146.146
 
Sort by date Sort by votes
Wow!

Have you run adaware and spybot yet?
If not, please run them first to see if the amount of stuff we need to review can be cut down.
You also have the peper trojan, you can try the uninstaller here:

If you have questions using those, let us know, post a new log after youve run them.

Thanks.

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 
Upvote 0 Downvote
Yeah, I ran spybot and ad-aware.
This isn't my computer, thank God. It's my father's.
Thanks for the link, I'll check it out.
 
Upvote 0 Downvote
Ok
I figure that log would take me an hour or so that I simply dont have.

Check out vop's suggestions.
Pestpatrol, doxdesk, and kephyr are good places to look for removal instructions when you get a category name. You wont find them all, but you'll find some.

You also have clientman:

At least one piece of tv media
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
(fix the line, delete the file)

and wintools.
(I see a few comments about wintools in that link and seeing the cross ref to huntbar, Im pretty sure that pestpatrol has removal instructions on huntbar.)

All the r1 and r0 lines except the two for network.com need to be fixed. If the network.com is not a site you or your dad use or recognize, fix them too.

I believe that all the O2 lines except the one for acrobat and the one for spybot are bad. You can google on each clsid, computercops is getting a lot of those now where their reference table will be the first thing up and you can see an l (legitimate, O (optional), or X (bad) as well as a name. With the name you can then research and look for other files in the O4 entries that go with it.

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - That O16 line should also be fixed.

See if you can work through some of that and get the amount of stuff we need to wade through cut down and then we'll try to help you finish it up.






-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 
Upvote 0 Downvote
I would add to the previous posts that there are a few non system processes running at the moment, so try and terminate them through task manager or a third party app such as SysInternals Process Explorer before switching off system restore and using HijackThis.

Off the top of my head, the following tasks need to be terminated before using HijackThis:

AutoUpdate.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\WINDOWS\System32\playxd.exe
C:\WINDOWS\System32\po5300ah.exe
C:\WINDOWS\System32\channels.exe
c:\windows\msbb.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\WINDOWS\System32\Bxbw21Y.exe
C:\WINDOWS\System32\Alw1R.exe

John
 
Upvote 0 Downvote
jrbarnett's post shows the importance of finding and killing rogue processes. Otherwise, your intervention process can become much more suboptimal and difficult.

It is such things as running (possibly stubbornly undeletable) rogue EXEs or DLLs that may be in a position to protectively interfere with or to disable cleanup and security scanning tools.
 
Upvote 0 Downvote
How's it going?

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 
Upvote 0 Downvote
I've gotten everything. Thanks for all of the help.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

electricpete
  • Locked
  • Question
ComboFix log 2
Replies
15
Views
154
electricpete
electricpete
electricpete
  • Locked
  • Question
Rootkit Reveal Log 1
Replies
2
Views
36
goombawaho
goombawaho
MarkZK
  • Locked
  • Question
Hijackthis Log 1
Replies
10
Views
32
BadBigBen
BadBigBen
TheAceMan1
  • Locked
  • Question
Another HJT Log 2
Replies
5
Views
61
BadBigBen
BadBigBen
lancekidd
  • Locked
  • Question
Hijack Log
Replies
7
Views
52
kjv1611
kjv1611

Part and Inventory Search

Sponsor

Back
Top