Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

my HJT log, please help


  • Please log in to reply
3 replies to this topic

#1 xtn

xtn

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:00 AM

Posted 08 March 2005 - 05:41 PM

Logfile of HijackThis v1.99.1
Scan saved at 2:34:02 PM, on 3/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Parallel Tasking\ptask.exe
C:\WINDOWS\otioc.exe
C:\Program Files\Pop-Up No-No\punn.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\Documents and Settings\user\Desktop\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\user\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\user\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\Downloaded Program Files\ycomp5_3_18_0.dll
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2BA27A08-8EED-4296-B8DE-7977EE7139E7} - C:\WINDOWS\System32\ekh.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Canada Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_3_18_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [Parallel Tasking] C:\Program Files\Parallel Tasking\ptask.exe
O4 - HKLM\..\Run: [IR3t] C:\WINDOWS\otioc.exe
O4 - HKLM\..\Run: [PopUpNoNo] "C:\Program Files\Pop-Up No-No\punn.exe" -startup
O4 - HKLM\..\Run: [Zu$RڽrD/C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\otioc.exe
O4 - HKLM\..\Run: [Zu$RڽrD/C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\otioc.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\RunServices: [Update Service] wmipsvsc.exe
O4 - HKLM\..\RunServices: [scvhost.exe] scvhost.exe
O4 - HKLM\..\RunServices: [Generic Service Process] serv1ces.exe
O4 - HKLM\..\RunServices: [File System Service] wmiprvsc.exe
O4 - HKLM\..\RunServices: [Msrv32] Msrv32.exe
O4 - HKLM\..\RunServices: [Microsoft Update] Microsoft.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Canada Companion) - http://us.dl1.yimg.com/download.companion....bio5_3_18_0.cab
O18 - Filter: text/html - {29BC84C2-009F-46E7-878B-F6EDBC11D2FC} - C:\WINDOWS\System32\ekh.dll
O18 - Filter: text/plain - {29BC84C2-009F-46E7-878B-F6EDBC11D2FC} - C:\WINDOWS\System32\ekh.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe

BC AdBot (Login to Remove)

 


m

#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:06:00 AM

Posted 09 March 2005 - 03:56 AM

Hi there,

* Download and install CCleaner
Do not use it yet.

Download CWShredder. Don't let it run yet!

* Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

* Close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\user\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\user\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL (file missing)
O2 - BHO: (no name) - {2BA27A08-8EED-4296-B8DE-7977EE7139E7} - C:\WINDOWS\System32\ekh.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O4 - HKLM\..\Run: [Parallel Tasking] C:\Program Files\Parallel Tasking\ptask.exe
O4 - HKLM\..\Run: [IR3t] C:\WINDOWS\otioc.exe
O4 - HKLM\..\Run: [Zu$RڽrD/C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\otioc.exe
O4 - HKLM\..\Run: [Zu$RڽrD/C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\otioc.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\RunServices: [scvhost.exe] scvhost.exe
O4 - HKLM\..\RunServices: [Generic Service Process] serv1ces.exe
O4 - HKLM\..\RunServices: [File System Service] wmiprvsc.exe
O4 - HKLM\..\RunServices: [Msrv32] Msrv32.exe
O4 - HKLM\..\RunServices: [Microsoft Update] Microsoft.exe
O18 - Filter: text/html - {29BC84C2-009F-46E7-878B-F6EDBC11D2FC} - C:\WINDOWS\System32\ekh.dll
O18 - Filter: text/plain - {29BC84C2-009F-46E7-878B-F6EDBC11D2FC} - C:\WINDOWS\System32\ekh.dll
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe


* Click on Fix Checked when finished and exit HijackThis.

* Reboot into Safe Mode`:
To get into the Safe mode as the computer is booting press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key.


Using Windows Explorer, locate the following files/folders, and delete them:

C:\Program Files\Parallel Tasking <== this folder
C:\WINDOWS\otioc.exe
C:\Program Files\ISTsvc <== this folder
C:\WINDOWS\zeta.exe

* Start CWShredder and click FIX

* Start Ccleaner and click Run Cleaner

* Reboot your system back to normal mode

Just to make sure....

Download Registrar Lite from: http://www.resplendence.com/download/reglite.exe and install it.
Run Registrar Lite and copy and paste the following into the address-field on top:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

*Select the green arrow go.
*On the right side panel, you will see 'Appinit_Dlls', so doubleclick on it.
*A window will open (Data Editor) and below you will see 'Value' and a field next to it with a file in it, so copy and paste into your next post together with a new hijackthislog.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 xtn

xtn
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:00 AM

Posted 09 March 2005 - 04:32 AM

miekiemoes thank you very much for taking the time in answering my
question!

Im glad to see that there are still people out there who help others.
I will try wat you suggested, thanks again!

XTN

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:06:00 AM

Posted 10 March 2005 - 11:11 AM

Hi xtn,

Don't forget to post a new hijackthislog after finishing these steps. ;-)

Edited by miekiemoes, 10 March 2005 - 11:11 AM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users