Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


HijackThis LOG -Persistent problems..

  • Please log in to reply
6 replies to this topic

#1 winigo


  • Members
  • 40 posts
  • Local time:07:11 AM

Posted 26 April 2005 - 08:28 PM

Inoculated again..
antivirus scans has detected -win32 kuang2 worm, and adware., who knows what..
can't seem to get rid of some malware for weeks..
Performed Spybot SD & Ad-aware as per your instructions page, carefully..

Here is the result of my HijackThis scan :

Logfile of HijackThis v1.99.0
Scan saved at 9:12:51 PM, on 4/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095424758007
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup144.cab
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

thank you for looking into it.

w. :thumbsup:

BC AdBot (Login to Remove)


#2 Grinler


    Lawrence Abrams

  • Admin
  • 43,613 posts
  • Gender:Male
  • Location:USA
  • Local time:07:11 AM

Posted 26 April 2005 - 11:35 PM

Looks clean to me..what is being detected?

#3 winigo

  • Topic Starter

  • Members
  • 40 posts
  • Local time:07:11 AM

Posted 27 April 2005 - 10:25 AM

Thank you,

Through various scans ..this was detected (before i ran Spybot & Adaware):

Active scan detected :
Incident Status Location
Adware:Adware/CWS.Aboutblank No disinfected Windows Registry
Adware:Adware/Startpage.AAO No disinfected C:\WINDOWS\system32\WUCLIENT.dat Adware/Startpage.AAO No disinfected C:\WINDOWS\system32\wuclient.dat

Panda antivirus scan detected :
Technical name:Adware/Startpage.AAO
Technical name:

Startpage.FH, toolbar.cc, ns3
Type: Spyware
trendMicro detected :

Malware type: Java Applet
Aliases: Exploit-ByteVerify, Java.Shinwow.AB, Java/Shinwow.AJ.3592!Trojan, Trojan.ByteVerify, Trojan:Java/Classloader.E

ALSO i would like to add two comments :

everytime i run Spybot i get this error message :
Error During Check
(Zwax {Ungultiger Datentyp fur} )[/COLOR]

accompanied by a Congratulations_:no immediate threats were found

_Is that OK?

AND during configuration of AdAware, (in your tutorial),

Step 4 of :Logfile Detail Level,
it is mentioned to put a checkmark to
< include Alternate data streams details in Logfile>

_ i don't see this line,
i see >Don't Log streams smaller than.. and another similar line ending with <Inoculeit>
those two are unchecked...

_Did i miss anything?....i want to make sure i get everything right, as much as possible and i will do more reading about how Spyware works in your tutorials, i'm so sick of it...will probably run a check every morning from now on..

If my previous log is ok, Spybot, adAware, and Spywblaster seem to do a good job..

Thank you, i will add a link to you site..when mine is done.. :thumbsup:

#4 Grinler


    Lawrence Abrams

  • Admin
  • 43,613 posts
  • Gender:Male
  • Location:USA
  • Local time:07:11 AM

Posted 27 April 2005 - 05:56 PM

These are just remnants that are not doing any harm. I am not exactly sure what the registry key is that is causing you the problem though from the information provided.

You can delete this file. if you cant delete it, go itno its properties and uncheck read only

#5 winigo

  • Topic Starter

  • Members
  • 40 posts
  • Local time:07:11 AM

Posted 27 April 2005 - 09:39 PM


but i don't know which file you are referring to,
i have not mentioned any file in particular.. you asked what it detected,

The files detected in my last message are by scans PRIOR to cleaning with S-bot & Ad-ware.

Spybot did not detect anything & Adaware dtected one file that i deleted.

I was just wondering why i get this error message from SpyBot scan eveytime i run it,

Error During Check
(Zwax {Ungultiger Datentyp fur}

while it says _:no immediate threats were found.

thank you anyway, i guess it runs well _?_ (spybotSD)

you have examined the Hijack file before, so i suppose everything's well

Thank you very much,

#6 Grinler


    Lawrence Abrams

  • Admin
  • 43,613 posts
  • Gender:Male
  • Location:USA
  • Local time:07:11 AM

Posted 28 April 2005 - 03:31 PM

Read through this and see if it helps:


#7 winigo

  • Topic Starter

  • Members
  • 40 posts
  • Local time:07:11 AM

Posted 28 April 2005 - 05:30 PM

thankx for the tip,
its not exactly the same error notification ( i have the fix for this particular error your link referred to)

i searched the forum, still haven' found it.. But i know where to look now.

thank you

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users