Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Review of HijackThis log is appreciated


  • This topic is locked This topic is locked
8 replies to this topic

#1 Nosterdamus

Nosterdamus

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:55 AM

Posted 06 October 2004 - 09:47 AM

Hello all,

I've just installed HijackThis and will appreciate an experts' review on the log file.

Thank you in advance.

Logfile of HijackThis v1.98.2
Scan saved at 16:37:22, on 06/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\System32\cisvc.exe
F:\Program Files\NavNT\defwatch.exe
F:\Program Files\NavNT\rtvscan.exe
F:\WINDOWS\System32\nvsvc32.exe
F:\WINDOWS\system32\ssoftsrv.exe
F:\WINDOWS\System32\ups.exe
F:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\WINDOWS\system32\MsgSys.EXE
F:\WINDOWS\System32\HPZipm12.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\cidaemon.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\NavNT\vptray.exe
F:\WINDOWS\htpatch.exe
F:\Program Files\ASUS\Probe\AsusProb.exe
F:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
F:\WINDOWS\system32\rundll32.exe
F:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
F:\WINDOWS\System32\hphmon05.exe
F:\WINDOWS\system32\RUNDLL32.EXE
F:\Program Files\MSN Apps\Updater\01.02.3000.1001\he-il\msnappau.exe
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
F:\WINDOWS\Mixer.exe
F:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\Program Files\Nikon\PictureProject\NkbMonitor.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Windows Media Player\wmplayer.exe
F:\WINDOWS\regedit.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
F:\Program Files\Microsoft Office\Office10\WINWORD.EXE
F:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ynet.co.il/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - F:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - F:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - F:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\he-il\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - F:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\he-il\msntb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [vptray] F:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HTpatch] F:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [ASUS Probe] F:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] F:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] F:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] "F:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] F:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [msnappau] "F:\Program Files\MSN Apps\Updater\01.02.3000.1001\he-il\msnappau.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\RunOnce: [WinSideBySideSetupCleanup 38010120] rundll32 sxs.dll,SxspRunDllDeleteDirectory F:\WINDOWS\WinSxS\InstallTemp\38010120
O4 - HKCU\..\Run: [Yahoo! Pager] F:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = F:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - F:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - F:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: F:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .wav: F:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab
O16 - DPF: {B8F2846E-CE36-11D0-AC83-00C04FD97575} (Lernout & Hauspie TruVoice American English TTS Engine) - http://waves.galim.org.il/pd/tv_enua.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popc...aploader_v6.cab


BTW, this is a GREAT site you are running here guys :thumbsup:

Nosterdamus

BC AdBot (Login to Remove)

 


#2 Nosterdamus

Nosterdamus
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:55 AM

Posted 06 October 2004 - 11:01 AM

Additional info:

I don't know if this is related to Hijack, but I have installed AdAware and Spybot S&D and while running them, it seems that both getting stucked in some point. Spybot S&D does not tell me where exactly the problem might be, but it is just doing nothing. I can press the "Stop" button though…

With AdAware SE it is a little bit more complicated… Once it gets to the point where it get stuck, I need to press the "Cancel" button twice in order to stop it, but the only way I can shut the SW down is by killing it's process at the Task Manager. However, AdAware does report where it is stuck at (I really want to believe that anyway….) as it shows the status at the top of the AdAware window.

I have copied a screen capture of AdAware, right before hitting the "Cancel" button, and is located here

Any help is appreciated.

Thanx

Nosterdamus

Edited by Nosterdamus, 06 October 2004 - 11:09 AM.


#3 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:55 AM

Posted 06 October 2004 - 04:35 PM

I dont really see anything here...have you tried running spybot and ad-aware in safe mode? Try that and post a new log

#4 Nosterdamus

Nosterdamus
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:55 AM

Posted 06 October 2004 - 05:37 PM

Thank you for your respond Grinler.


I've tried your sugestion but with no luck: The programs get stuck in safe mode as well.

Does software\microsoft\windows\currentversion\policies\exlorer (AdAware's last report) rings a bell? Why getting stuck durring registry check? Is it possible that my registry is corrupt? What could be wrong? I have another machine with Win XP SP2 installed and it doesn't seem to be a problem. Is there any other information that I can provide you with that whould be usefull?

As for your request, I post a new log here. Please note that hijackThis was executed AFTER rebooting from safe mode.

Logfile of HijackThis v1.98.2
Scan saved at 00:10:31, on 07/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\System32\cisvc.exe
F:\Program Files\NavNT\defwatch.exe
F:\Program Files\NavNT\rtvscan.exe
F:\WINDOWS\System32\nvsvc32.exe
F:\WINDOWS\system32\ssoftsrv.exe
F:\WINDOWS\System32\ups.exe
F:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\MsgSys.EXE
F:\Program Files\NavNT\vptray.exe
F:\WINDOWS\htpatch.exe
F:\Program Files\ASUS\Probe\AsusProb.exe
F:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
F:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
F:\WINDOWS\System32\hphmon05.exe
F:\WINDOWS\system32\RUNDLL32.EXE
F:\WINDOWS\system32\rundll32.exe
F:\Program Files\MSN Apps\Updater\01.02.3000.1001\he-il\msnappau.exe
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
F:\WINDOWS\Mixer.exe
F:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\Program Files\Nikon\PictureProject\NkbMonitor.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\HPZipm12.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\WINDOWS\system32\cidaemon.exe
F:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ynet.co.il/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - F:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - F:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - F:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\he-il\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - F:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\he-il\msntb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [vptray] F:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HTpatch] F:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [ASUS Probe] F:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] F:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] F:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] "F:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] F:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [msnappau] "F:\Program Files\MSN Apps\Updater\01.02.3000.1001\he-il\msnappau.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKCU\..\Run: [Yahoo! Pager] F:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = F:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - F:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - F:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: F:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .wav: F:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {B8F2846E-CE36-11D0-AC83-00C04FD97575} (Lernout & Hauspie TruVoice American English TTS Engine) - http://waves.galim.org.il/pd/tv_enua.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popc...aploader_v6.cab



Thanx

Nosterdamus

#5 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:55 AM

Posted 06 October 2004 - 07:41 PM

I would uninstall both problems and reinstall them. Weird you cant run it..also do this:

Please run two online virus scans:

http://housecall.antivirus.com/
http://www.pandasoftware.com/activescan/

Then let us know if its working better and what the scans found.

#6 Nosterdamus

Nosterdamus
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:55 AM

Posted 07 October 2004 - 06:58 PM

Sorry for the late respond Grinler, but I've encountered several problems running your suggested scans, however, after several tries, including uninstalling the latest WinRAR version which I've installed recently, I've managed to complete the scans.

Housecall antivirus found nothing, but PandaScan yielded for some 60 infections (which were fixed) and more than 4500 messages....
I couldn't read log (should one was about to be prepared), as my XP was blocking a pop-up at the end of the scan process and after allowing pop-ups at PandaScan, I was redirected to a "The page can not be displayed" message.

Anyway, I've uninstalled and reinstalled AdAware and Spybot S&D and surprisingly enough, Spybot is running well but AdAware is still getting stuck at the same point...

Any other ideas?


Thanx a million for your help & support

Nosterdamus

#7 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:55 AM

Posted 07 October 2004 - 11:23 PM

Lets try this one next:

http://www.bitdefender.com/scan/licence.php

#8 Nosterdamus

Nosterdamus
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:55 AM

Posted 09 October 2004 - 03:49 AM

Well Grinler, the problem is solved, mostly thanks to you :thumbsup:

I've uninstalled AdAware again and installed the most recent version from Lavasoft and it is running just fine.

However, I also ran the new scan which you've suggested and it looks like there are many files that reported "password protected" and "bad crc". Some of them I really don't know, and I suspect that they are installations and/or downloads made by my son. So I'm checking with him to determine whether they should stay or not...

If after cleaning up there still be problems, I'll post another question. If you think that the problems that I encounter do not belong to this forum, I'd be happy if you can direct me to the right one.

Many thanks for your input & support.

Nosterdamus

#9 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:55 AM

Posted 09 October 2004 - 12:45 PM

Sounds good..let us know how it works out




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users