Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

hijacker


  • This topic is locked This topic is locked
4 replies to this topic

#1 rjmccutchan

rjmccutchan

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:06:41 AM

Posted 04 February 2005 - 10:56 AM

Hi. I hope someone can help me with this. This is the log file from Hijackthis.

I really don't know what I am looking at, but I do know we have some problems. I have norton firewall and antivirus, also pop-up stopper, spy-bot, and ad-aware. We run the spy-bot and ad-aware several times a day.

Any information would be helpful! Thanks







Logfile of HijackThis v1.99.0
Scan saved at 10:18:06 AM, on 2/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\S3tray2.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\WINDOWS\System32\fonts\system\explorer\mru\dlhost.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\BESTBU~1.YOU\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.intellicast.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - Default URLSearchHook is missing
O1 - Hosts: comments (such as these) may be inserted on individual
O2 - BHO: IEHooks Class - {00000000-0000-0000-0000-000000000240} - C:\Program Files\ClearSearch\IE_ClrSch.DLL (file missing)
O2 - BHO: - {146FD1E3-746D-4592-ADF1-1FBC2914B74D} - C:\WINDOWS\lbbho.dll
O2 - BHO: jimmyhelp.CBrowserHelper - {507ED088-3A25-4871-8915-5C42B6CDBCE9} - C:\WINDOWS\kcxxtbd.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: jimmyhelp.CBrowserHelper - {685E5E0E-CA37-4C40-B17A-8FD1A297D605} - C:\WINDOWS\ohsUpR.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: jimmyhelp.CBrowserHelper - {EF4A379B-143E-4980-9A47-466B08C1B434} - C:\WINDOWS\acprte.dll (file missing)
O2 - BHO: (no name) - {F4DBB2A0-CBD9-6B81-7821-2DA74A5AB5B2} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [Windows System Tray] C:\WINDOWS\System32\fonts\system\explorer\mru\dlhost.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: &Dictionary - http://www.ezreference.com/_/ie-com-p3.htm
O8 - Extra context menu item: &Encyclopedia - http://www.ezreference.com/_/ie-com-e-p3.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O15 - Trusted Zone: http://www.retouchpro.com
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinner.com/games/v51/h2hpool/h2hpool.cab
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe




StartupList report, 2/4/2005, 10:52:55 AM
StartupList version: 1.52.2
Started from : C:\DOCUME~1\BESTBU~1.YOU\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\S3tray2.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\WINDOWS\System32\fonts\system\explorer\mru\dlhost.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\BESTBU~1.YOU\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Messenger\msmsgs.exe

--------------------------------------------------



And this is the listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\bestbuy.YOUR-AH1QBB56U1\Start Menu\Programs\Startup]
PowerReg SchedulerV2.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Billminder.lnk = C:\Program Files\Quicken\billmind.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
Microsoft Works Calendar Reminders.lnk = ?
Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
Microsoft Works Portfolio = C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
EPSON Stylus C84 Series = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
Advanced Tools Check = C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
AdaptecDirectCD = "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
S3TRAY2 = S3tray2.exe
tgcmd = "C:\Program Files\support.com\bin\tgcmd.exe" /server
Windows System Tray = C:\WINDOWS\System32\fonts\system\explorer\mru\dlhost.exe
Symantec NetDriver Monitor = C:\PROGRA~1\SYMNET~1\SNDMon.exe
SunJavaUpdateSched = C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
ezShieldProtector for Px = C:\WINDOWS\system32\ezSP_Px.exe
ViewMgr = C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
New.net Startup = rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

PopUpStopperFreeEdition = C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
Microsoft Works Update Detection = C:\Program Files\Microsoft Works\WkDetect.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\ClearSearch\IE_ClrSch.DLL (file missing) - {00000000-0000-0000-0000-000000000240}
(no name) - C:\WINDOWS\lbbho.dll - {146FD1E3-746D-4592-ADF1-1FBC2914B74D}
(no name) - C:\WINDOWS\kcxxtbd.dll (file missing) - {507ED088-3A25-4871-8915-5C42B6CDBCE9}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\WINDOWS\ohsUpR.dll - {685E5E0E-CA37-4C40-B17A-8FD1A297D605}
(no name) - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
(no name) - C:\WINDOWS\acprte.dll (file missing) - {EF4A379B-143E-4980-9A47-466B08C1B434}
(no name) - (no file) - {F4DBB2A0-CBD9-6B81-7821-2DA74A5AB5B2}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwa...director/sw.cab

[{2B323CD9-50E3-11D3-9466-00A0C9700498}]
CODEBASE = http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

[{77E32299-629F-43C6-AB77-6A1E6D7663F6}]
CODEBASE = http://www.nick.com/common/groove/gx/GrooveAX27.cab

[{7D1E9C49-BD6A-11D3-87A8-009027A35D73}]
CODEBASE = http://chat.yahoo.com/cab/yacsui.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

[H2hPool Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\h2hpool.ocx
CODEBASE = http://www.worldwinner.com/games/v51/h2hpool/h2hpool.cab

--------------------------------------------------

Enumerating Winsock LSP files:

Protocol #1: C:\Program Files\NewDotNet\newdotnet6_38.dll
Protocol #2: C:\Program Files\NewDotNet\newdotnet6_38.dll
Protocol #18: C:\Program Files\NewDotNet\newdotnet6_38.dll
Protocol #19: C:\Program Files\NewDotNet\newdotnet6_38.dll

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 8,365 bytes
Report generated in 0.047 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

BC AdBot (Login to Remove)

 


#2 pskelley

pskelley

  • Staff Emeritus
  • 1,487 posts
  • OFFLINE
  •  
  • Local time:06:41 AM

Posted 04 February 2005 - 04:13 PM

Hello rjmccutchan, Welcome to BleepingComputer. If you are still looking for help, I will see what I can do. First we need to get the HijackThis.exe out of the TEMP directory you are running it from. This is important as it needs the permanent folder to save backups if you make a mistake and the logfiles you create. If you wish to run from Docs and Setting, right click on a blank spot and choose NEW then FOLDER call it HJT. Move the HJT.exe into that folder. Delete any instance of HJT not in that folder. Please complete this before proceeding. This is what it looks like now.
Temp\Temporary Directory 1 for hijackthis

You have a New.Net hijacker, please follow the directions in the following link to remove this item:
http://www.newdotnet.com/removal.html Follow directions carefully as this could effect your internet connection. Once the 010 New.Net item is gone from the log then move to the next instruction.


Scan with HijackThis and put a check in the box in front of each of these line items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R3 - Default URLSearchHook is missing
O1 - Hosts: comments (such as these) may be inserted on individual
O2 - BHO: IEHooks Class - {00000000-0000-0000-0000-000000000240} - C:\Program Files\ClearSearch\IE_ClrSch.DLL (file missing)
ClearSearch
O2 - BHO: - {146FD1E3-746D-4592-ADF1-1FBC2914B74D} - C:\WINDOWS\lbbho.dll
RelatedLinks adware
O2 - BHO: jimmyhelp.CBrowserHelper - {507ED088-3A25-4871-8915-5C42B6CDBCE9} - C:\WINDOWS\kcxxtbd.dll (file missing)
O2 - BHO: jimmyhelp.CBrowserHelper - {685E5E0E-CA37-4C40-B17A-8FD1A297D605} - C:\WINDOWS\ohsUpR.dll
O2 - BHO: jimmyhelp.CBrowserHelper - {EF4A379B-143E-4980-9A47-466B08C1B434} - C:\WINDOWS\acprte.dll (file missing)
O2 - BHO: (no name) - {F4DBB2A0-CBD9-6B81-7821-2DA74A5AB5B2} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O15 - Trusted Zone: http://www.retouchpro.com

Close all programs but HijackThis and all browser windows then click on "Fix Checked"
Clean Like this: Start, Run type "cleanmgr" without the quotes then ok. Check and remove anything windows locates.
Empty the recycle bin and restart the computer. Surf a bit to see how it's running, then post a new log (I do not need a startup log) using ADD REPLY to stay in this same thread. Include any comments you think we should have.

Thanks...pskelley
BleepingComputer.com
http://www.bleepingcomputer.com/supportus.php

Edited by pskelley, 04 February 2005 - 04:15 PM.

MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#3 rjmccutchan

rjmccutchan
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:06:41 AM

Posted 04 February 2005 - 06:24 PM

pskelley-

Thank you very much for your help! I have no idea what just happened, but it seems to be working very good! What were all of those things that we deleted? Below is the new logfile. Thank you for your time!






Logfile of HijackThis v1.99.0
Scan saved at 6:18:56 PM, on 2/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\S3tray2.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\WINDOWS\System32\fonts\system\explorer\mru\dlhost.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\bestbuy.YOUR-AH1QBB56U1\Desktop\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.intellicast.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [Windows System Tray] C:\WINDOWS\System32\fonts\system\explorer\mru\dlhost.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: &Dictionary - http://www.ezreference.com/_/ie-com-p3.htm
O8 - Extra context menu item: &Encyclopedia - http://www.ezreference.com/_/ie-com-e-p3.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinner.com/games/v51/h2hpool/h2hpool.cab
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#4 pskelley

pskelley

  • Staff Emeritus
  • 1,487 posts
  • OFFLINE
  •  
  • Local time:06:41 AM

Posted 04 February 2005 - 06:53 PM

Hey rjmccutchan, Great job of following those directions. Most of that junk was adware, placed on your computer by malware writers who receive their profits from big companies who prefer to remain nameless...lol.
Here is a recent article, but there is loads of information available online via a google search. Not too hard to think up a keyword. http://whatis.techtarget.com/definition/0,...i887624,00.html There are still a few items that you would be better off without like: O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe that is given to you by aol, never mind that you did not ask for it or do not know that you got it. Thanks aol. Your computer is clean of malware and now we need to keep it that way. Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler. If you read and follow the advice of these gentlemen, while no one can guarantee 100%, you have a good chance of limiting it to a few cookies that programs you have will remove. While on that subject I want to mention that I believe Ad-aware and Spybot should have removed more of that junk so I am going to give you links to two tutorials for those products. Make sure you have the latest versions, are updated and configured like the tutorials says.

http://forums.net-integration.net/index.php?showtopic=3051
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/t/2520/how-did-i-get-infected/

Spybot:
http://www.bleepingcomputer.com/tutorials/using-spybot-to-remove-spyware/
Ad-aware:
http://www.bleepingcomputer.com/tutorials/use-ad-aware-2007-to-remove-spyware/

Good luck and safe surfing
Thanks...pskelley
BleepingComputer.com
http://www.bleepingcomputer.com/supportus.php
If you are reading this information...thank a teacher, If you are reading it in English...thank a soldier.
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#5 pskelley

pskelley

  • Staff Emeritus
  • 1,487 posts
  • OFFLINE
  •  
  • Local time:06:41 AM

Posted 16 March 2005 - 10:22 PM

Thank you for visiting BleepingComputer. Since this problem as been resolved, I will close this thread. Thank you, pskelley
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users