Strange problem, please help.


  • This topic is locked
3 replies to this topic

#1 Hagbardio

Posted 23 August 2005 - 02:52 PM

This is what HijackThis showed:

Logfile of HijackThis v1.99.1
Scan saved at 20:25:33, on 2005-08-23
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program\D-Tools\daemon.exe
C:\Program\Winamp\winampa.exe
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\NTCommLib3.exe
C:\Program\QuickTime\qttask.exe
C:\Program\ICQLite\ICQLite.exe
C:\Program\MessengerPlus! 3\MsgPlus.exe
C:\Program\ALWILS~1\Avast4\ashDisp.exe
C:\Program\MSN Messenger\MsnMsgr.Exe
C:\PROGRAM\AIM\aim.exe
C:\Program\Spybot - Search & Destroy\TeaTimer.exe
C:\Program\Alwil Software\Avast4\aswUpdSv.exe
C:\Program\Alwil Software\Avast4\ashServ.exe
C:\Program\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Alwil Software\Avast4\ashMaiSv.exe
C:\Program\Alwil Software\Avast4\ashWebSv.exe
C:\Program\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
D:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dia-traffic.com/ts/in.cgi?homepage
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Lšnkar
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [WinampAgent] C:\Program\Winamp\winampa.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [NTCommLib3] C:\WINDOWS\System32\NTCommLib3.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ICQ Lite] C:\Program\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRAM\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: swdoctor.exe
O4 - Startup: common.ini
O4 - Startup: igdb.dat
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by21fd.bay21.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1122586710669
O16 - DPF: {83873F92-B99B-400A-9E36-52B5F4970FB7} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A66AA58-7015-42B5-B5E2-D49F412FCA04}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{588D1F27-4DF0-4EBA-A6A1-EC0C494EA6D2}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{EFB260B4-1270-4108-8E44-FEA7D01F458D}: NameServer = 81.216.65.11,81.216.65.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{4A66AA58-7015-42B5-B5E2-D49F412FCA04}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CS2\Services\Tcpip\..\{4A66AA58-7015-42B5-B5E2-D49F412FCA04}: NameServer = 69.50.176.198,85.255.112.12
O20 - Winlogon Notify: iexplore - 0g1ms.dll (file missing)
O21 - SSODL: pGQQRiq - {082C13E3-A286-B949-6E52-16364DAC0CC3} - C:\WINDOWS\System32\qncif.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program\ewido\security suite\ewidoctrl.exe

I also keep getting SearchAssistant registries in my Registry.

#2 Hagbardio

Posted 23 August 2005 - 03:29 PM

Bump, this is really a problem :thumbsup:

#3 Beamerke

Posted 25 August 2005 - 07:10 PM

Hi,

I see you are running TeaTimer.
I suggest you disable it because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer during HijackThis Cleanup

* Download and install CCleaner
Do not use it yet.

* Start HijackThis, close all open windows leaving only HijackThis running. Put a check in the box next to the following items:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dia-traffic.com/ts/in.cgi?homepage
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A66AA58-7015-42B5-B5E2-D49F412FCA04}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{588D1F27-4DF0-4EBA-A6A1-EC0C494EA6D2}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{4A66AA58-7015-42B5-B5E2-D49F412FCA04}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CS2\Services\Tcpip\..\{4A66AA58-7015-42B5-B5E2-D49F412FCA04}: NameServer = 69.50.176.198,85.255.112.12
O20 - Winlogon Notify: iexplore - 0g1ms.dll (file missing)
O21 - SSODL: pGQQRiq - {082C13E3-A286-B949-6E52-16364DAC0CC3} - C:\WINDOWS\System32\qncif.dll (file missing)


* Click on "Fix Checked" when finished and exit HijackThis.

* Reboot your PC.

Post back a fresh HijackThis log and I'll take another look.
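
The selection made in the reply above, expressed as a small triage script. This is an added example, not part of the original posts and not HijackThis's own code; the names `parse`, `triage` and `expected_dns` are hypothetical, and using the resolver pair the reply left unchecked as the expected one is an assumption.

```python
import re

# Constructed sample: a few lines copied from the log posted in this topic.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A66AA58-7015-42B5-B5E2-D49F412FCA04}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{EFB260B4-1270-4108-8E44-FEA7D01F458D}: NameServer = 81.216.65.11,81.216.65.12
O20 - Winlogon Notify: iexplore - 0g1ms.dll (file missing)
O21 - SSODL: pGQQRiq - {082C13E3-A286-B949-6E52-16364DAC0CC3} - C:\WINDOWS\System32\qncif.dll (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")  # "O17 - <body>"
NAMESERVER = re.compile(r"\{([0-9A-Fa-f-]{36})\}: NameServer = (\S+)$")
# Assumption: only the sections where the reply fixed orphaned entries.
ORPHAN_SECTIONS = {"O2", "O20", "O21"}
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def parse(log):
    """Yield (section, body) for each entry line; process paths are skipped."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(log, expected_dns):
    """Return (section, reason, body) tuples that deserve a manual look."""
    findings = []
    for section, body in parse(log):
        if section in ORPHAN_SECTIONS and body.endswith(ORPHAN_MARKERS):
            findings.append((section, "orphaned entry", body))
        elif section == "O17":
            m = NAMESERVER.search(body)
            if m:
                odd = [ip for ip in m.group(2).split(",") if ip not in expected_dns]
                if odd:
                    findings.append((section, "unexpected resolver " + ",".join(odd), body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG, {"81.216.65.11", "81.216.65.12"}):
        print(f"{section:4} {reason}: {body}")
```

The O23 line is deliberately not reported: the reply did not select the avast! service entries even though they carry "(file missing)".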

#4 Beamerke

Posted 23 September 2005 - 10:27 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



