
HJT Log - kevind


5 replies to this topic

#1 kevind

kevind

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:43 PM

Posted 01 May 2005 - 10:31 AM

Have already run Spybot and Ad-Aware.


Logfile of HijackThis v1.99.1
Scan saved at 11:20:19 AM, on 5/1/05
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolss.exe
C:\WINNT\System32\drmon\smartagt\smartagt.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\system32\RpcSs.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
c:\winnt\system32\pstores.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\nddeagnt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\SysTray.Exe
C:\WINNT\System32\loadwc.exe
C:\WINNT\System32\comsmd.exe
C:\WINNT\System32\DACONFIG.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AIM95\aim.exe
C:\WINNT\System32\MSWHEEL.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Navnt\navapw32.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINNT\System32\ddhelp.exe
C:\WINNT\System32\taskmgr.exe
C:\PROGRA~1\INTERN~1\iexplore.exe
C:\unzipped\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SideStep Browser Helper - {08351226-6472-43BD-8A40-D9221FF1C4CE} - C:\WINNT\Downloaded Program Files\SbCIe026.dll
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICF06~1\tips\mouse\tips.exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICF06~1\point32.exe
O4 - HKLM\..\Run: [Norton Program Scheduler Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [COMSMDEXE] comsmd.exe -on
O4 - HKLM\..\Run: [DACONFIGEXE] DACONFIG.EXE R
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINNT\Downloaded Program Files\SbCIe026.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} (SideStep IE Inst) - http://download.sidestep.com/get/k26617/sb01a.cab
O16 - DPF: {22D6F312-B0F6-11D0-94AB-0080C74C7E95} (Windows Media Player) - http://activex.microsoft.com/activex/contr...en/nsmp2inf.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://205.158.7.38/215c8f9ebb8ad9790a03/netzip/RdxIE.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/21b0551e5fd945...ip/RdxIE601.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = aerotech.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = aerotech.com
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: 3Com dRMON SmartAgent PC Software (dRMON SmartAgent) - 3Com Corp. - C:\WINNT\System32\drmon\smartagt\smartagt.exe
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\Navnt\npssvc.exe


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,388 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:43 PM

Posted 01 May 2005 - 05:55 PM

Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix button:

O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINNT\Downloaded Program Files\SbCIe026.dll
O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} (SideStep IE Inst) - http://download.sidestep.com/get/k26617/sb01a.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://205.158.7.38/215c8f9ebb8ad9790a03/netzip/RdxIE.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/21b0551e5fd945...ip/RdxIE601.cab

Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)

C:\WINNT\Downloaded Program Files\SbCIe026.dll

Reboot your computer to go back to normal mode and post a new log.

#3 kevind


Posted 01 May 2005 - 09:14 PM

Dear Grinler, Thank you. I think I followed your directions to the letter. I did not find the file C:\WINNT\Downloaded Program Files\SbCIe026.dll, but you instructed that I may not and to repost, so here it is. The issue still seems to be there. Thanks in advance for your help.

Logfile of HijackThis v1.99.1
Scan saved at 11:02:29 PM, on 5/1/05
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\nddeagnt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\SysTray.Exe
C:\WINNT\System32\loadwc.exe
C:\WINNT\System32\comsmd.exe
C:\WINNT\System32\DACONFIG.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AIM95\aim.exe
C:\WINNT\system32\spoolss.exe
C:\WINNT\System32\MSWHEEL.EXE
C:\WINNT\System32\drmon\smartagt\smartagt.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\system32\RpcSs.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
c:\winnt\system32\pstores.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Navnt\navapw32.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\unzipped\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SideStep Browser Helper - {08351226-6472-43BD-8A40-D9221FF1C4CE} - C:\WINNT\Downloaded Program Files\SbCIe026.dll
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICF06~1\tips\mouse\tips.exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICF06~1\point32.exe
O4 - HKLM\..\Run: [Norton Program Scheduler Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [COMSMDEXE] comsmd.exe -on
O4 - HKLM\..\Run: [DACONFIGEXE] DACONFIG.EXE R
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {22D6F312-B0F6-11D0-94AB-0080C74C7E95} (Windows Media Player) - http://activex.microsoft.com/activex/contr...en/nsmp2inf.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = aerotech.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = aerotech.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = aerotech.com
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: 3Com dRMON SmartAgent PC Software (dRMON SmartAgent) - 3Com Corp. - C:\WINNT\System32\drmon\smartagt\smartagt.exe
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\Navnt\npssvc.exe

#4 Grinler


Posted 02 May 2005 - 04:18 PM

Fix this again:

O2 - BHO: SideStep Browser Helper - {08351226-6472-43BD-8A40-D9221FF1C4CE} - C:\WINNT\Downloaded Program Files\SbCIe026.dll

Make sure all windows but HijackThis are closed when you fix it, and see if it's gone from the log afterwards.
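The check asked for in the two replies above (fix the listed entries, then see whether they are gone from the next log), as an added example that is not part of the original thread or of HijackThis itself. The function names are hypothetical, and the sample input is a few lines abridged from posts #2 and #3.

```python
import re

ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
FILE_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]+?\.(?:dll|exe|ocx)\b', re.I)

def parse_entries(log_text):
    """Map (section, CLSID or lower-cased body) -> line for each entry line."""
    entries = {}
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # scan header and the "Running processes" list
        clsid = CLSID_RE.search(m.group(2))
        ident = clsid.group(0).upper() if clsid else m.group(2).lower()
        entries[(m.group(1), ident)] = raw.strip()
    return entries

def still_present(fix_list, later_scan):
    """Fix-list lines whose section and identifier still appear in the later scan."""
    later = parse_entries(later_scan)
    return [line for key, line in parse_entries(fix_list).items() if key in later]

def leftovers_sharing_file(fix_list, later_scan):
    """Later-scan entries that load a file named by any fix-list line."""
    files = {f.lower() for f in FILE_RE.findall(fix_list)}
    return [line for line in parse_entries(later_scan).values()
            if any(f.lower() in files for f in FILE_RE.findall(line))]

# Constructed sample input: a few lines abridged from the thread's own posts.
FIX_LIST = r"""
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINNT\Downloaded Program Files\SbCIe026.dll
O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} (SideStep IE Inst) - http://download.sidestep.com/get/k26617/sb01a.cab
"""
LATER_SCAN = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: SideStep Browser Helper - {08351226-6472-43BD-8A40-D9221FF1C4CE} - C:\WINNT\Downloaded Program Files\SbCIe026.dll
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
"""

if __name__ == "__main__":
    print("still present:", still_present(FIX_LIST, LATER_SCAN))
    for line in leftovers_sharing_file(FIX_LIST, LATER_SCAN):
        print("shares a file with a fixed item:", line)
```

On this sample the fixed O9 and O16 lines are gone, while the O2 BHO entry registered under a different CLSID still points at the same DLL, which is the entry post #4 asks to fix.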

#5 kevind


Posted 02 May 2005 - 06:35 PM

Dear Grinler,
Thanks again for your time. I know you have lots of people to help. I did as you instructed and removed the SideStep item. But the issue still shows. To be clear, when I launch IE, the taskbar at the bottom shows direction first to my home page http://www.msn.com and then flashes to 'A bad URL:.. ' then shows the 'http://view.atdmt.com/...' This is different than what I had seen before and I thought this is a problem with spyware. I am not getting excess popups, but it seems strange and I am worried about security, should I be??

Here is latest scan file.

Logfile of HijackThis v1.99.1
Scan saved at 8:20:08 PM, on 5/2/05
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\nddeagnt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\SysTray.Exe
C:\WINNT\System32\loadwc.exe
C:\WINNT\System32\comsmd.exe
C:\WINNT\System32\DACONFIG.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AIM95\aim.exe
C:\WINNT\system32\spoolss.exe
C:\WINNT\System32\MSWHEEL.EXE
C:\WINNT\System32\drmon\smartagt\smartagt.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\system32\RpcSs.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
c:\winnt\system32\pstores.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Navnt\navapw32.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINNT\System32\ddhelp.exe
C:\unzipped\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICF06~1\tips\mouse\tips.exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICF06~1\point32.exe
O4 - HKLM\..\Run: [Norton Program Scheduler Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [COMSMDEXE] comsmd.exe -on
O4 - HKLM\..\Run: [DACONFIGEXE] DACONFIG.EXE R
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {22D6F312-B0F6-11D0-94AB-0080C74C7E95} (Windows Media Player) - http://activex.microsoft.com/activex/contr...en/nsmp2inf.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = aerotech.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = aerotech.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = aerotech.com
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: 3Com dRMON SmartAgent PC Software (dRMON SmartAgent) - 3Com Corp. - C:\WINNT\System32\drmon\smartagt\smartagt.exe
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\Navnt\npssvc.exe

#6 Grinler


Posted 02 May 2005 - 09:22 PM

Download http://www.bleepingcomputer.com/files/pfind.php

Extract pfind.zip to your c:\ folder.

Reboot your computer into Safe Mode

Then open c:\pfind and double-click on pfind.bat. When it is done, reboot and post the contents of c:\pfind.txt as a reply to this topic.



