HJT Log- rc0907

17 replies to this topic

#1 rc0907

Posted 22 June 2005 - 09:47 PM

I got the about:blank hijacker... I ran Ad-Aware and Spybot but still have the same problem. Downloaded HijackThis and here is the log:
Logfile of HijackThis v1.99.1
Scan saved at 9:42:00 PM, on 6/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\STOPzilla!\SZServer.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Logitech\Video\LogiTray.exe
D:\WINDOWS\System32\hkcmd.exe
D:\Program Files\Real\RealPlayer\RealPlay.exe
D:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
D:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
D:\Program Files\Common Files\AOL\ACS\AOLDial.exe
D:\Program Files\QuickTime\qttask.exe
d:\progra~1\mcafee.com\vso\mcvsescn.exe
d:\program files\mcafee.com\agent\mcagent.exe
D:\PROGRA~1\COMMON~1\AOL\110619~1\EE\AOLHOS~1.EXE
D:\Program Files\Yahoo!\Messenger\ypager.exe
D:\PROGRA~1\COMMON~1\AOL\110619~1\EE\AOLServiceHost.exe
D:\PROGRA~1\AMERIC~1.0A\waol.exe
D:\WINDOWS\System32\LVComS.exe
D:\Program Files\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
D:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
D:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
d:\progra~1\mcafee.com\vso\mcvsftsn.exe
D:\Program Files\Hewlett-Packard\HP OfficeJet T Series\bin\HPOVDX05.EXE
C:\Program Files\interMute\SpySubtract\SpySub.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Wireless LAN Utility\WlanUtility.exe
D:\WINDOWS\System32\hpoipm07.exe
D:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\wanmpsvc.exe
D:\PROGRA~1\AMERIC~1.0A\shellmon.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
d:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
d:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
d:\PROGRA~1\mcafee.com\vso\mcshield.exe
D:\Documents and Settings\Owner\Desktop\hijackthis_sfx.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - D:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - d:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [LogitechVideoRepair] D:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] D:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [RealTray] D:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "D:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [STOPzilla] D:\Program Files\STOPzilla!\Stopzilla.exe /autostart
O4 - HKLM\..\Run: [HostManager] D:\Program Files\Common Files\AOL\1106190611\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] D:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "D:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [VSOCheckTask] "d:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "d:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] d:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] D:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [CleanUp] D:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [AOL Fast Start] "D:\PROGRA~1\AMERIC~1.0A\AOL.EXE" -b
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP OfficeJet T Series Startup.lnk = D:\Program Files\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = D:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O4 - Global Startup: Wireless Lan Utility.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://D:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - D:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1441/ftp...23/cpbrkpie.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/...loadcontrol.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: STOPzilla - D:\WINDOWS\SYSTEM32\IS3WLHandler.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - D:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - D:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - D:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - d:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - D:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - d:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: STOPzilla Service (szserver) - Unknown owner - D:\Program Files\Common Files\STOPzilla!\SZServer.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - D:\WINDOWS\wanmpsvc.exe



#2 OldTimer

Malware Expert

Posted 23 June 2005 - 06:28 PM

Hello rc0907 and welcome to the BC forums. I don't see any indications of any viruses or malware in the log at this time. Can you be more specific on the details of any issues you are currently having?

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 rc0907

Topic Starter

Posted 23 June 2005 - 08:12 PM

When I go to certain websites like Yahoo or eBay, after logging in, the webpage jumps to some kind of search site. It does not have the web address in the address bar, but I typed in a search and I found out it is www.findtop.net.

Please help. I basically just go on eBay and Yahoo and I can't do that with this hijacker... Thanks.

#4 OldTimer

Malware Expert

Posted 24 June 2005 - 09:40 AM

Hi rc0907. Let's run a couple of scans to see if there is anything that might not be showing up in the log.

Download PFind.zip and unzip the contents to its own permanent folder.

Important! Reboot in SAFE MODE !!

Start in Safe Mode Using the F8 method:
  • Restart the computer in Safe Mode.
  • As soon as the BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Locate the pfind.bat file and double-click it to run it. It will start scanning your computer and could take a little while so be patient. When the DOS window closes, reboot back to normal mode.

After you have rebooted start HijackThis and follow these steps:
  • Click on Config button
  • Click on the Misc Tools button
  • Check the checkbox for List minor sections (full)
  • Check the checkbox for List empty sections (complete)
  • Click on the Generate StartupList Log button
  • Click the Yes button to create the list
Post the contents of C:\pfind.txt and the information from the StartupList back here and I will review it when it comes in.

OT

#5 rc0907

Topic Starter

Posted 27 June 2005 - 09:00 PM

Here's what I got, please advise!!!:
Note: the D: drive is actually my C: drive... does anyone know how to change the D: to C:? I hate having that D:


Checking the D: folder



Checking the D:\Program Files folder



Checking the D:\WINDOWS folder



Checking the D:\WINDOWS\SYSTEM32 folder

D:\WINDOWS\SYSTEM32\ms0b920b.dll: UPX!


Checking all directories under the D:\WINDOWS\SYSTEM32\drivers folder

D:\WINDOWS\SYSTEM32\Drivers\avg7core.sys: FSG!u*h
D:\WINDOWS\SYSTEM32\Drivers\avg7core.sys: UPX!
D:\WINDOWS\SYSTEM32\Drivers\avg7core.sys: error finding UPX! header


Checking the D:\Documents and Settings\All Users\Start Menu\programs\Startup\ folder




Checking the D:\Documents and Settings\All Users\Application Data folder




Checking the D:\Documents and Settings\Administrator\Start Menu\programs\Startup\ folder




Checking the D:\Documents and Settings\Administrator\Application Data folder




Checking the Windows folder for system and hidden files within the last 60 days


D:\WINDOWS\
bootstat.dat Mon Jun 27 2005 8:30:10p A.S.. 2,048 2.00 K
qtfont.qfn Sat Jun 25 2005 10:47:00p A..H. 54,156 52.89 K

D:\WINDOWS\TASKS\
sa.dat Mon Jun 27 2005 8:24:38p A..H. 6 0.00 K

D:\WINDOWS\LASTGOOD\INF\
oem35.inf Sat Jun 25 2005 10:33:28p A..H. 0 0.00 K
oem35.pnf Sat Jun 25 2005 10:33:28p A..H. 0 0.00 K

D:\WINDOWS\SYSTEM32\CONFIG\
default.log Mon Jun 27 2005 8:30:04p A..H. 8,192 8.00 K
sam.log Mon Jun 27 2005 8:30:20p A..H. 1,024 1.00 K
security.log Mon Jun 27 2005 8:30:12p A..H. 12,288 12.00 K
software.log Mon Jun 27 2005 8:31:18p A..H. 106,496 104.00 K
system.log Mon Jun 27 2005 8:30:10p A..H. 749,568 732.00 K

D:\WINDOWS\SYSTEM32\MICROS~1\PROTECT\S-1-5-18\USER\
ade6c2~1 Sun May 15 2005 11:42:54a A.SH. 388 0.38 K
prefer~1 Sun May 15 2005 11:42:54a A.SH. 24 0.02 K

12 items found: 12 files, 0 directories.
Total of file sizes: 934,190 bytes 912.29 K

#6 OldTimer

Malware Expert

Posted 28 June 2005 - 12:07 PM

Hi rc0907. Yup, we have a file hiding in there that could be causing the problems you indicated. Let's see if we can remove that.

Download Pocket Killbox and unzip it to your desktop.
  • Double-click on KillBox.exe.
  • Click "Delete on Reboot".
  • Paste the line below into the top "Full Path of File to Delete" box.
    • D:\WINDOWS\SYSTEM32\ms0b920b.dll
  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Delete on Reboot prompt.
  • Click "Yes" at the Delete next Reboot prompt.
  • If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.
OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in. Also, try your IE and see if you still have a problem with the pages jumping around and let me know if they are still doing that.

OT
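The pfind output rc0907 posted above flags files by looking for packer markers such as "UPX!" and "FSG!" inside them, which is how the hidden ms0b920b.dll surfaced even though HijackThis showed nothing. The script below is an added example of that technique in Python; it is not pfind.bat or any BleepingComputer tool, and the sample files it writes to a temporary folder are constructed stand-ins, not real binaries. The marker list, the read limit and the extension filter are this example's own assumptions. As the avg7core.sys hits above show, a marker is a triage hint only: legitimate drivers are packed too, so a hit means "look closer", not "malicious".

```python
"""Scan a folder for files carrying common packer markers (added example,
imitating the check behind the pfind output above; not pfind.bat itself)."""
import os
import tempfile

# Markers as they appear in the pfind output.  Packed PE files usually carry
# these strings in their section table or unpacking stub.  (Example assumption:
# pfind's real list may differ.)
PACKER_MARKERS = {
    "UPX!": b"UPX!",
    "FSG!": b"FSG!",
}

# Read at most this many bytes per file; the markers sit near the start of a PE.
MAX_READ = 1 << 20


def find_packer_markers(path):
    """Return the sorted list of marker names found in one file."""
    with open(path, "rb") as fh:
        data = fh.read(MAX_READ)
    return sorted(name for name, sig in PACKER_MARKERS.items() if sig in data)


def scan_directory(directory, extensions=(".dll", ".exe", ".sys")):
    """Return [(filename, marker)] for every flagged file, one tuple per
    marker, in the same spirit as pfind's 'path: UPX!' report lines."""
    hits = []
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if not os.path.isfile(full) or not name.lower().endswith(extensions):
            continue
        for marker in find_packer_markers(full):
            hits.append((name, marker))
    return hits


def build_sample_dir():
    """Create a temporary folder of constructed sample files (not real
    binaries) so the scanner can be exercised offline."""
    d = tempfile.mkdtemp(prefix="pfind_demo_")
    samples = {
        # UPX-style section names followed by the UPX! marker
        "packed_sample.dll": b"MZ" + b"\x00" * 60 + b"UPX0\x00UPX1\x00UPX!\x00" + b"\x90" * 32,
        # carries both markers, like the avg7core.sys lines in the pfind output
        "double_packed.sys": b"MZ" + b"\x00" * 60 + b"FSG!" + b"\x00" * 8 + b"UPX!",
        # ordinary section name, no marker
        "clean_sample.exe": b"MZ" + b"\x00" * 60 + b".text\x00\x00\x00" + b"\x90" * 32,
        # contains the marker but is skipped by the extension filter
        "notes.txt": b"UPX! inside a text file is ignored by the extension filter",
    }
    for name, content in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(content)
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    for filename, marker in scan_directory(sample):
        print(f"{os.path.join(sample, filename)}: {marker}")
```

Run against a real system32 folder the output reads like the pfind section above; the point of the extension filter and the small marker set is to keep the report short enough that an unfamiliar filename such as ms0b920b.dll stands out among the known, legitimately packed drivers.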

#7 rc0907

Topic Starter

Posted 28 June 2005 - 11:47 PM

Did everything you mentioned. Still can not get to certain websites like my Yahoo Mail and eBay. It just jumps to a search webpage... here's the HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 11:44:36 PM, on 6/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\STOPzilla!\SZServer.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
D:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
d:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\wanmpsvc.exe
d:\PROGRA~1\mcafee.com\vso\mcshield.exe
D:\Program Files\Logitech\Video\LogiTray.exe
D:\Program Files\Real\RealPlayer\RealPlay.exe
D:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
D:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
D:\Program Files\Common Files\AOL\ACS\AOLDial.exe
D:\Program Files\QuickTime\qttask.exe
D:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
D:\PROGRA~1\mcafee.com\agent\mcagent.exe
d:\progra~1\mcafee.com\vso\mcvsescn.exe
D:\WINDOWS\VM_STI.EXE
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\PROGRA~1\COMMON~1\AOL\110619~1\EE\AOLHOS~1.EXE
D:\Program Files\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
D:\PROGRA~1\AMERIC~1.0A\waol.exe
D:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
D:\PROGRA~1\COMMON~1\AOL\110619~1\EE\AOLServiceHost.exe
D:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
D:\Program Files\Hewlett-Packard\HP OfficeJet T Series\bin\HPOVDX05.EXE
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\Program Files\Wireless LAN Utility\WlanUtility.exe
d:\progra~1\mcafee.com\vso\mcvsftsn.exe
D:\WINDOWS\System32\LVComS.exe
D:\Program Files\Messenger\msmsgs.exe
D:\WINDOWS\System32\hpoipm07.exe
D:\PROGRA~1\AMERIC~1.0A\shellmon.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Documents and Settings\Owner\Desktop\hijackthis_sfx.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - D:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - d:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [LogitechVideoRepair] D:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] D:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [RealTray] D:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "D:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [STOPzilla] D:\Program Files\STOPzilla!\Stopzilla.exe /autostart
O4 - HKLM\..\Run: [HostManager] D:\Program Files\Common Files\AOL\1106190611\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] D:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "D:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [VSOCheckTask] "d:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "d:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] d:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] D:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [BigDogPath] D:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera 301x
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [AOL Fast Start] "D:\PROGRA~1\AMERIC~1.0A\AOL.EXE" -b
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP OfficeJet T Series Startup.lnk = D:\Program Files\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = D:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O4 - Global Startup: Wireless Lan Utility.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://D:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - D:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1441/ftp...23/cpbrkpie.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/...loadcontrol.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: STOPzilla - D:\WINDOWS\SYSTEM32\IS3WLHandler.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - D:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - D:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - D:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - d:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - D:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - d:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: STOPzilla Service (szserver) - Unknown owner - D:\Program Files\Common Files\STOPzilla!\SZServer.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - D:\WINDOWS\wanmpsvc.exe

#8 OldTimer

Malware Expert

Posted 29 June 2005 - 09:36 AM

Hi rc0907. There isn't anything showing in the log, but there are a couple of items that should be cleaned up, and then we can run some standard scans and see what they show.

Step #1

It appears that you have 2 anti-virus programs running on this computer. That is not recommended because they can conflict with each other and cause file access issues. Additionally, if an infection is found, each program will try to block access to the file and not allow the other to clean or repair it, so nothing will be done with it. I strongly recommend that you keep either McAfee or AVG and delete the other one.

Step #2

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1441/ftp...23/cpbrkpie.cab

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #3

Please run at least 2 of the following on-line virus scans:
  • Trend Micro Housecall
  • BitDefender On-Line Virus Scan
  • Panda ActiveScan
  • eTrust Antivirus Web Scanner
Make sure that you choose "fix", "clean" or "auto-clean". If you have any files that cannot be automatically disinfected or quarantined then you will need to delete them manually.

Step #4

Spybot Search & Destroy

Download, install, update and run a scan with Spybot S&D v1.4:
  • Download and Install Spybot Search & Destroy, accepting the Default Settings.
  • In the Menu Bar at the top of the Spybot window you will see 'Mode'. Make certain that 'default mode' has a check mark beside it.
  • Close ALL windows except Spybot S&D
  • Click the button to ‘Search for Updates’ and then download and install all available Updates.
  • Next click the button ‘Check for Problems’
  • When Spybot is complete, it will be showing ‘RED’ entries bold 'Black' entries and ‘GREEN’ entries in the window.
  • Make certain there is a check mark beside all of the RED entries ONLY.
  • Choose ‘Fix Selected Problems’ and allow Spybot to fix the RED entries.
  • REBOOT to complete the scan and clear memory.
Step #5

Download CCleaner and install it. Start CCleaner and click on the Run Cleaner button in the lower right-hand corner. When it is finished close CCleaner.

Step #6

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

One other question. Are you using AOL's browser or Microsoft's Internet Explorer?

OT
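Step #2 above picks out a specific kind of HijackThis entry: O3/O9 items whose target is "(no file)" (orphaned registrations left behind when a component was removed), O16 ActiveX controls registered from a local file:// path or downloaded from a host the reviewer does not recognise, and the O10 line reporting a Winsock LSP whose DLL is missing. The script below is an added example that applies that same triage to HijackThis-style log lines; it is not HijackThis, not OldTimer's tooling, and not part of this thread. The sample lines are copied from the logs above, and the small KNOWN_DPF_HOSTS allowlist is an assumption made for the example (real reviewers keep far larger lists; a host missing from it means "review", not "malicious").

```python
"""Triage helper for HijackThis-style logs (added example, not HijackThis
itself).  Flags the entry types a reviewer checks first in Step #2 above."""
import re
from urllib.parse import urlsplit

# Example assumption: hosts a reviewer has already vetted for O16 downloads.
KNOWN_DPF_HOSTS = {
    "messenger.msn.com",
    "media.pineconeresearch.com",
}

# HijackThis entries start with a section code such as O2, O16, O23.
LINE_RE = re.compile(r"^(O\d+) - (.*)$")

# Constructed sample: lines taken from the logs posted earlier in this thread.
SAMPLE_LOG = [
    r"O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll",
    r"O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)",
    r"O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)",
    r"O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing",
    r"O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab",
    r"O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1441/ftp...23/cpbrkpie.cab",
    r"O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/...loadcontrol.cab",
    r"O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/MsnMesse...pDownloader.cab",
]


def parse_hjt_line(line):
    """Split 'O16 - DPF: ...' into ('O16', 'DPF: ...'); None for non-entry lines
    such as 'Running processes:' or a bare path."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def dpf_url(body):
    """Return the download URL of an O16 DPF entry (text after the last ' - ')."""
    return body.rsplit(" - ", 1)[-1].strip()


def triage(lines):
    """Return [(section, reason, original line)] for entries worth a closer look."""
    findings = []
    for line in lines:
        parsed = parse_hjt_line(line)
        if parsed is None:
            continue
        section, body = parsed
        if section in ("O2", "O3", "O9") and body.endswith("(no file)"):
            # Registration points at a file that no longer exists.
            findings.append((section, "orphaned entry, target file missing", line.strip()))
        elif section == "O16" and body.startswith("DPF:"):
            parts = urlsplit(dpf_url(body))
            if parts.scheme == "file":
                findings.append((section, "ActiveX control registered from a local file:// path", line.strip()))
            elif parts.hostname not in KNOWN_DPF_HOSTS:
                findings.append((section, f"ActiveX download from unvetted host {parts.hostname}", line.strip()))
        elif section == "O10" and "Broken Internet access" in body:
            # A Winsock LSP entry whose DLL is gone breaks the whole chain.
            findings.append((section, "Winsock LSP chain references a missing DLL", line.strip()))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

On the sample lines this reports exactly the five entries OldTimer told rc0907 to fix or look at, and stays quiet on the two O16 downloads from allowlisted hosts; note that the O10 finding is reported but not "fixed" here, since a broken LSP chain is repaired with a Winsock reset or LSP-Fix rather than by deleting the line.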

#9 rc0907

Topic Starter

Posted 30 June 2005 - 03:51 PM

I finished steps 1 and 2... but now my wireless internet is not working... I am using another computer to post this. I will do an online scan after I get the internet up and running... seems like every time I follow the directions given, my internet stops working. The first time I was able to uninstall and reinstall the wireless driver and it worked, but this time that did not work... I guess I have to keep messing with it until it works. Any suggestions? And thanks a million for your help!

#10 rc0907

Topic Starter

Posted 01 July 2005 - 12:39 PM

OK... got my internet to work again... will post later today.

#11 OldTimer

Malware Expert

Posted 01 July 2005 - 12:42 PM

Hi rc0907. Is it the connection itself or is it IE? You can test to see if IE is the problem by using a different browser like Firefox. I see that AOL is installed here and that seems to take over many web browsing operations, so you might even try to reinstall the AOL client. One of the items we were fixing was due to a missing AOL file.

Try the above and then see if things return to normal.

Cheers.

OT

#12 rc0907

Topic Starter

Posted 28 July 2005 - 01:21 AM

OK... did all the steps... I use the AOL browser as well as IE... here's the new log.



Logfile of HijackThis v1.99.1
Scan saved at 1:16:29 AM, on 7/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\STOPzilla!\SZServer.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Logitech\Video\LogiTray.exe
D:\WINDOWS\System32\hkcmd.exe
D:\Program Files\Real\RealPlayer\RealPlay.exe
D:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
D:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
D:\Program Files\Common Files\AOL\ACS\AOLDial.exe
D:\Program Files\Java\j2re1.4.2_05\bin\jucheck.exe
D:\Program Files\QuickTime\qttask.exe
d:\progra~1\mcafee.com\vso\mcvsescn.exe
D:\PROGRA~1\COMMON~1\AOL\110619~1\EE\AOLHOS~1.EXE
D:\WINDOWS\VM_STI.EXE
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\PROGRA~1\COMMON~1\AOL\110619~1\EE\AOLServiceHost.exe
D:\PROGRA~1\AMERIC~1.0A\waol.exe
D:\Program Files\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
D:\WINDOWS\System32\LVComS.exe
D:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
D:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
d:\progra~1\mcafee.com\vso\mcvsftsn.exe
D:\Program Files\Hewlett-Packard\HP OfficeJet T Series\bin\HPOVDX05.EXE
D:\Program Files\Wireless LAN Utility\WlanUtility.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
d:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\wanmpsvc.exe
D:\PROGRA~1\AMERIC~1.0A\shellmon.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\WINDOWS\System32\hpoipm07.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - D:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - d:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [LogitechVideoRepair] D:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] D:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [RealTray] D:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "D:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [STOPzilla] D:\Program Files\STOPzilla!\Stopzilla.exe /autostart
O4 - HKLM\..\Run: [HostManager] D:\Program Files\Common Files\AOL\1106190611\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] D:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "D:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [VSOCheckTask] "d:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "d:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] d:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] D:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [BigDogPath] D:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera 301x
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [AOL Fast Start] "D:\PROGRA~1\AMERIC~1.0A\AOL.EXE" -b
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP OfficeJet T Series Startup.lnk = D:\Program Files\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = D:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O4 - Global Startup: Wireless Lan Utility.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://D:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - D:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1441/ftp...23/cpbrkpie.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/...loadcontrol.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: STOPzilla - D:\WINDOWS\SYSTEM32\IS3WLHandler.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - D:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - D:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - D:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - d:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - D:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - d:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: STOPzilla Service (szserver) - Unknown owner - D:\Program Files\Common Files\STOPzilla!\SZServer.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - D:\WINDOWS\wanmpsvc.exe

#13 rc0907 (Topic Starter)

Posted 28 July 2005 - 09:43 AM

My IE browser is still getting hijacked.

#14 OldTimer (Malware Expert)

Posted 28 July 2005 - 09:52 AM

Hi rc0907. There are a few things that I see. It appears that AVG was once installed on this computer but is not fully functional now. The update service is running but the program itself does not appear in the running processes list. I would suggest that AVG be uninstalled or, if you want to use AVG, then reinstall it and uninstall McAfee.

There are a couple of items in the log to fix yet also so let's do that.

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file) (note: this is an AOL toolbar that is missing)
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1441/ftp...23/cpbrkpie.cab

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Find the following files/folders and delete them (don't worry if they are already gone):

c:\counter.cab

There also appears to be a problem in the LSP stack due to a missing file. Let's try and fix that up too.

Download LSP-Fix to your desktop.

Disconnect from the Internet and close all Internet Explorer Windows. Run LspFix.exe and click in the checkbox for I know what I'm doing. Click on each listing of connwsp.dll and then move it into the Remove section by clicking on the >> button that points to the right. When all instances of this dll are in the Remove section press the Finish button.

Now reboot to finish the fix. Start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PMs requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
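Reading a log like the ones in this thread is mostly pattern-matching on a handful of entry types. The block below is an added example (my own Python, not a HijackThis or BleepingComputer tool) that parses the O-numbered lines of a HijackThis v1.99.1 log and flags the classes of entries called out in the post above: O3/O9 toolbars and buttons that point at "(no file)", the O10 broken-LSP line, O16 ActiveX entries loaded from a file:// path or with no source URL at all, and O23 services whose binary is "(file missing)". It also diffs two scans so you can see what a round of fixes changed. The sample lines are excerpts copied from the 28 July and 30 July logs in this thread (only the lines needed to exercise each rule); the rules are reading heuristics, not a verdict on any particular entry.

```python
"""Triage a HijackThis v1.99.1 log and diff two scans.

Added example for this thread; not a HijackThis or BleepingComputer tool.
The flags mirror the entry classes OldTimer picked out: missing-file
toolbars/buttons (O3/O9), a broken Winsock LSP chain (O10), ActiveX controls
loaded from a local path or with no URL (O16), and services whose binary
is gone (O23). Heuristics for reading a log, not a verdict.
"""
import re
from dataclasses import dataclass

# "O16 - DPF: {GUID} (Friendly Name) - http://..."  (name and URL are optional)
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
DPF_RE = re.compile(r"DPF: (\{[^}]+\})(?: \((.*?)\))? -\s*(\S*)")


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section, e.g. "O10"
    entry: str     # the log line body after "Oxx - "
    reason: str


def parse_entries(log_text):
    """Return (section, body) for every O-numbered line; process lists etc. are ignored."""
    out = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def triage(log_text):
    """Flag entries worth a second look, in log order."""
    findings = []
    for section, body in parse_entries(log_text):
        low = body.lower()
        if section in ("O3", "O9") and ("(no file)" in low or "(file missing)" in low):
            findings.append(Finding(section, body,
                            "toolbar/button registered but its file is gone; fix the entry"))
        elif section == "O10":
            findings.append(Finding(section, body,
                            "Winsock LSP chain is broken; repair with LSP-Fix, not by hand-editing"))
        elif section == "O16":
            m = DPF_RE.search(body)
            url = m.group(3) if m else ""
            if url == "" or url.lower().startswith("file:"):
                findings.append(Finding(section, body,
                                "ActiveX control with no download URL or loaded from a local file"))
        elif section == "O23" and "(file missing)" in low:
            findings.append(Finding(section, body,
                            "service registered but binary missing; uninstall or reinstall the product"))
    return findings


def diff_logs(before, after):
    """Entries that disappeared and entries that appeared between two scans."""
    old = {f"{s} - {b}" for s, b in parse_entries(before)}
    new = {f"{s} - {b}" for s, b in parse_entries(after)}
    return sorted(old - new), sorted(new - old)


# Constructed sample input: excerpts copied from the 28 July and 30 July logs
# in this thread, trimmed to the lines that exercise each rule.
LOG_28_JULY = r"""
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - d:\progra~1\mcafee.com\vso\mcvsshl.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

LOG_30_JULY = r"""
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - d:\progra~1\mcafee.com\vso\mcvsshl.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} -
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
"""

if __name__ == "__main__":
    for label, log in (("28 July", LOG_28_JULY), ("30 July", LOG_30_JULY)):
        print(f"== {label} ==")
        for f in triage(log):
            print(f"  [{f.section}] {f.reason}\n      {f.entry}")
    gone, added = diff_logs(LOG_28_JULY, LOG_30_JULY)
    print("== gone since 28 July ==", *gone, sep="\n  ")
    print("== new since 28 July ==", *added, sep="\n  ")
```

Run against the two excerpts, the diff shows exactly what the fix round did: the AOL toolbar O3 entry, the O10 line and the file://c:\counter.cab control are gone, while the O16 entry has been left behind with an empty URL and the two AVG services have gone from "GRISOFT, s.r.o." to "Unknown owner ... (file missing)", which is the half-removed AVG install the post above describes.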


#15 rc0907 (Topic Starter)

Posted 30 July 2005 - 01:36 AM

Did everything above except install new AVG. I tried Add/Remove Programs to remove AVG but that failed. I can't seem to delete the AVG program or set up a new one.
Used IE and still getting hijacked. Same thing goes for the AOL browser.
Here's the log:
PS: thanks for your time. I will definitely donate if this works out.

Logfile of HijackThis v1.99.1
Scan saved at 1:33:21 AM, on 7/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\STOPzilla!\SZServer.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Logitech\Video\LogiTray.exe
D:\WINDOWS\System32\hkcmd.exe
D:\Program Files\Real\RealPlayer\RealPlay.exe
D:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
D:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
D:\Program Files\Common Files\AOL\ACS\AOLDial.exe
D:\Program Files\QuickTime\qttask.exe
D:\PROGRA~1\COMMON~1\AOL\110619~1\EE\AOLHOS~1.EXE
d:\progra~1\mcafee.com\vso\mcvsescn.exe
D:\WINDOWS\VM_STI.EXE
D:\PROGRA~1\COMMON~1\AOL\110619~1\EE\AOLServiceHost.exe
D:\Program Files\Yahoo!\Messenger\ypager.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\PROGRA~1\AMERIC~1.0A\waol.exe
D:\WINDOWS\System32\LVComS.exe
D:\Program Files\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
D:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
D:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
d:\progra~1\mcafee.com\vso\mcvsftsn.exe
D:\Program Files\Hewlett-Packard\HP OfficeJet T Series\bin\HPOVDX05.EXE
C:\Program Files\interMute\SpySubtract\SpySub.exe
D:\Program Files\Wireless LAN Utility\WlanUtility.exe
D:\Program Files\Messenger\msmsgs.exe
D:\WINDOWS\System32\hpoipm07.exe
D:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
d:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\wanmpsvc.exe
D:\PROGRA~1\AMERIC~1.0A\shellmon.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - D:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - d:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [LogitechVideoRepair] D:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] D:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [RealTray] D:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "D:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [STOPzilla] D:\Program Files\STOPzilla!\Stopzilla.exe /autostart
O4 - HKLM\..\Run: [HostManager] D:\Program Files\Common Files\AOL\1106190611\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] D:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "D:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [VSOCheckTask] "d:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "d:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] d:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] D:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [BigDogPath] D:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera 301x
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [AOL Fast Start] "D:\PROGRA~1\AMERIC~1.0A\AOL.EXE" -b
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP OfficeJet T Series Startup.lnk = D:\Program Files\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = D:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O4 - Global Startup: Wireless Lan Utility.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://D:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - D:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} -
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} -
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/...loadcontrol.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: STOPzilla - D:\WINDOWS\SYSTEM32\IS3WLHandler.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - D:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - D:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - D:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - d:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - D:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - d:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: STOPzilla Service (szserver) - Unknown owner - D:\Program Files\Common Files\STOPzilla!\SZServer.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - D:\WINDOWS\wanmpsvc.exe