Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


HELP: Virus / Trojan / HiJackThis Log

  • This topic is locked This topic is locked
2 replies to this topic

#1 HelpMePlzThx


  • Members
  • 1 posts
  • Local time:06:57 PM

Posted 24 April 2004 - 01:19 PM

Thank you for your site. I thought I was going to have to reformat to regain control of my computer.

I ran Ad-Aware, SpyBot, HiJackThis, and CWShredder several times and found a bunch. My computer is much more responsive. There is still at least one lurking. Occasionally at start-up or during a session a web page with the address will open (in fact, it opened while I was typing this). Is there any information on this and how to get rid of it. Also every time the computer is restarted icons pop up that I never downloaded. Icons like "Casino" and "Pop up blocker." Also "Second Thought" which was never downloaded. The icons randomly appeared when I restarted. My HiJackThis login is:

Logfile of HijackThis v1.97.7
Scan saved at 12:58:29 PM, on 4/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ClearSearch\Loader.exe
C:\Program Files\nCase\msbb.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
C:\Program Files\Common Files\AOL\ACS\acsd.exe
C:\Program Files\SBC\Connection Manager\CManager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Documents and Settings\Administrator\My Documents\aaw6.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://pop.popuptoast.com/9908/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.2020search.com/9908/search/r...PCID=default&s=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.zestyfind.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.ht...count_id=135343
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defa...hoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://sidebar.smarter.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.2020search.com/9908/search/r...PCID=default&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://pop.popuptoast.com/9908/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = home.netscape.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://windowsupdate.microsoft.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=%tb_id
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O1 - Hosts: auto.search.msn.com
O1 - Hosts: search.netscape.com
O1 - Hosts: ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: (no name) - {57E69D5A-6539-4d7d-9637-775DE8A385B4} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [glnuefwx] C:\WINDOWS\System32\dathledn.exe
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\System32\stcloader.exe
O4 - HKLM\..\Run: [msbb] C:\Program Files\nCase\msbb.exe
O4 - HKLM\..\Run: [Srng] \Program Files\Srng\Srng.exe
O4 - HKLM\..\Run: [ponghyv] C:\WINDOWS\ponghyv.exe
O4 - HKLM\..\Run: [rydav] C:\WINDOWS\rydav.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Web Savings - file://C:\Program Files\websearch\System\Temp\ebateswebsavings_script0.htm
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} (F1 Organizer Class) - http://www.netpaloffers.net/NetpalOffers/DMO1/IAicm.cab
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install026.exe
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/stop-sign_stp.cab
O16 - DPF: {41F31718-2B9D-4F76-85E2-DD11BBA99F8D} - http://install.spywarelabs.com/DistID/2501...r2501031120.EXE
O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} (nCaseInstaller Class) - http://bis.180solutions.com/activexinstall...seInstaller.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.zestyfind.com/app/AX/AX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9CCAF97A-02C8-4BF9-AE29-5AF55FCA6D83}: NameServer =
O17 - HKLM\System\CCS\Services\Tcpip\..\{B439208E-F32A-4362-BCBF-EE24F990700C}: NameServer =

BC AdBot (Login to Remove)



#2 Papakid


    Guru at being a Newbie

  • Malware Response Team
  • 6,526 posts
  • Gender:Male
  • Local time:06:57 PM

Posted 24 April 2004 - 11:00 PM

Hi and welcome.

I'm afraid you have much more than one item left. Let's do a couple more preliminaries before using HT to clean up.

I want you to go to TrenMicro's HouseCall and do a free online virus scan. Follow the directions on the site.

When the scan is done go immediately to WindowsUpdate (with Internet Explorer open click Tools>Windows Update) Allow your PC to be scanned & download & install ALL critical updates.

After rebooting, check CWShredder to make sure you have the latest version. Well, OK, it has just been updated to v 1.57.0 so you probably don't. You can use the updater within the program or download a fresh copy from the link in the CWShredder tutorial. Then run CWShredder again. Don't scan, fix. Keep running it, AdAware & Spybot until they no longer find anything. Then repost a fresh HT log here.

Before running HijackThis again, please move it into a permanent folder of its own. To do this follow this progression.
START>My Computer>RIGHT click Local Disk>Explore>RIGHT click an open area of the main pane to the right>New>Folder>type in HJT>click outside the name box.

Now that the folder is made you need to unzip HT. Since you're running XP--Double-click HijackThis.zip>in the left hand column, click "Extract All Files">Next>Browse>click the + next to My Computer if it's not already expanded> click the HJT folder you just created to select it>OK.

If you want you can make a shortcut for your desktop. Right click HijackThis.exe>Create Shortcut. Now right click the shortcut>Send To>Desktop.

When you post a new HT log someone will be with you as soon as possible. Sorry it's taken so long.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson

#3 Scarlett


    Bleeping Diva

  • Members
  • 7,479 posts
  • Gender:Female
  • Location:As always I'm beside myself ;)
  • Local time:06:57 PM

Posted 26 March 2006 - 10:10 AM

Due to inactivity this topic will now be closed.
If you happen to experience any more problems, please start a new topic.

~ Scarlett

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users