
HJT log


  • This topic is locked
10 replies to this topic

#1 babaganoosh

  • Members
  • 20 posts

Posted 10 October 2004 - 10:31 AM

Hi,
I've had no problems with malware and the like since using Netscape Navigator, although I do use IE on occasion. The internet is running a little strange lately. Could you please look at my log?
Thanks!
Jeff :thumbsup:

Logfile of HijackThis v1.97.7
Scan saved at 12:03:31 PM, on 10/10/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\WINNT\LogWatNT.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\devldr32.exe
C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
C:\Program Files\CA\eTrust\InoculateIT\realmon.exe
C:\WINNT\system32\CTHELPER.EXE
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Creative\SBLive2k\RemoteCenter\Rc\Rcman.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Infogrames\Atari Anniversary Edition\Volume 2\Atari icon.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Creative\SBLive2k\RemoteCenter\Rc\OSDMenu.EXE
C:\Program Files\Creative\SBLive2k\RemoteCenter\Rc\EAX.exe
C:\Program Files\Creative\SBLive2k\RemoteCenter\Center\RCenter.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\My Download Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.yahoo.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://news.yahoo.com/"); (C:\Documents and Settings\Jeff Hayward\Application Data\Mozilla\Profiles\default\eqrw71qh.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Jeff Hayward\Application Data\Mozilla\Profiles\default\eqrw71qh.slt\prefs.js)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [RemoteCenter] C:\Program Files\Creative\SBLive2k\RemoteCenter\Rc\Rcman.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [AtariBanner] "C:\Program Files\Infogrames\Atari Anniversary Edition\Volume 2\Banner.exe" /0
O4 - HKLM\..\Run: [Atari Launcher 2] C:\Program Files\Infogrames\Atari Anniversary Edition\Volume 2\Atari icon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/threatinfo/virusinfo/webscan.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7874.5211226852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -

Edited by babaganoosh, 10 October 2004 - 10:34 AM.



#2 TexasAngel67

    Bleeping Helper

  • Members
  • 1,551 posts
  • Location:Fort Worth

Posted 10 October 2004 - 11:17 AM

Hi Jeff. First things first, please download the most recent update to HijackThis. You are using the older version. The experts can advise you once you've done the update. Then post a new log.

~67~

#3 babaganoosh

  • Topic Starter
  • Members
  • 20 posts

Posted 10 October 2004 - 08:24 PM

Thanks, here is HJT log:
Logfile of HijackThis v1.98.2
Scan saved at 9:53:07 PM, on 10/10/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\WINNT\LogWatNT.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\devldr32.exe
C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
C:\Program Files\CA\eTrust\InoculateIT\realmon.exe
C:\WINNT\system32\CTHELPER.EXE
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Creative\SBLive2k\RemoteCenter\Rc\Rcman.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Infogrames\Atari Anniversary Edition\Volume 2\Atari icon.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Creative\SBLive2k\RemoteCenter\Rc\OSDMenu.EXE
C:\Program Files\Creative\SBLive2k\RemoteCenter\Rc\EAX.exe
C:\Program Files\Creative\SBLive2k\RemoteCenter\Center\RCenter.exe
c:\Program Files\PestPatrol\CookiePatrol.exe
c:\Program Files\PestPatrol\PPMemCheck.exe
c:\Program Files\PestPatrol\PPControl.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Jeff Hayward\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.yahoo.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://news.yahoo.com/"); (C:\Documents and Settings\Jeff Hayward\Application Data\Mozilla\Profiles\default\eqrw71qh.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Jeff Hayward\Application Data\Mozilla\Profiles\default\eqrw71qh.slt\prefs.js)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [RemoteCenter] C:\Program Files\Creative\SBLive2k\RemoteCenter\Rc\Rcman.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [AtariBanner] "C:\Program Files\Infogrames\Atari Anniversary Edition\Volume 2\Banner.exe" /0
O4 - HKLM\..\Run: [Atari Launcher 2] C:\Program Files\Infogrames\Atari Anniversary Edition\Volume 2\Atari icon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file)
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file) (HKCU)
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/threatinfo/virusinfo/webscan.cab
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -

#4 Papakid

    Guru at being a Newbie

  • Malware Response Team
  • 6,663 posts
  • Gender:Male

Posted 10 October 2004 - 10:03 PM

Hi Jeff,
Long time no see. :thumbsup:

You've got a couple of items on there that need to go. Let me do some more checking and I'll get back to you.

Are you running the MyWay toolbar by choice?

Also, you need to move HijackThis into its own permanent folder. This is important. You are running it from a temp folder. Please follow THESE INSTRUCTIONS. But there's no need to post another log yet.

We always did feel the same

We just started from a different point of view

Tangled up in blue--Bob Dylan


#5 babaganoosh

  • Topic Starter
  • Members
  • 20 posts

Posted 10 October 2004 - 10:29 PM

Since I received the generous help of you and your colleagues I've been problem-free for months. :thumbsup: Now I mainly come to the site to enjoy my reign as asteroids champion! :flowers:

The Myway toolbar is not running by my choice. I'm not sure how I got it, but I seldom use IE anymore. I would like to dump the toolbar.

I made a folder in programs labeled hijackthis, found the hijackthis.exe file in the temp folder and moved the file into the hijackthis folder using windows explorer. When I open the hijackthis folder which is in the programs folder, there sits the hijackthis.exe file. I've deleted the earlier version I had and made a shortcut for the desktop. When I open hjt I get a window telling me about the temp folder and to move it. I look in the temp folder and it's not there. The instructions you linked me to appear to be for XP and don't work for my 2000 system. I'm baffled as to why it still comes up as being in a temp folder. :trumpet:

Please let me know what I'm doing wrong and I will correct it.

Thanks again.

#6 Papakid

    Guru at being a Newbie

  • Malware Response Team
  • 6,663 posts
  • Gender:Male

Posted 10 October 2004 - 11:31 PM

Well, that is strange. Are you sure your shortcut is linked to HijackThis.exe and not HijackThis.zip? The running process in your log usually appears when HJT is run from the .zip, i.e. it hasn't been unzipped. I see you're running WinZip, so if you haven't unzipped HijackThis you need to use WinZip to do that. Scroll down a ways in this tutorial if you need help on doing that.

If you still encounter problems, just download the .exe of HijackThis that's already been unzipped and save it to your desktop. This is a direct download.
http://209.133.47.12/~merijn/files/HijackThis.exe

You may know the MyWay toolbar as Smiley Central. Even if you downloaded it I recommend you get rid of it anyway. We'll deal with that when the HJT folder is straightened out.

You say the internet is running strange. Is Netscape strange too or just IE? Could you be a little more specific on what the problem is? There's not really much there in your log.

Asteroids--I was a Space Invaders man myself. But just the arcade game you had to put quarters in. Keyboard controls just aren't the same for me. :thumbsup:



#7 babaganoosh

  • Topic Starter
  • Members
  • 20 posts

Posted 11 October 2004 - 12:24 AM

I have properly downloaded the hjt.exe into its own folder in programs after actually following the directions correctly. :thumbsup:

The problem I was having was difficulty logging on to certain websites today like microsoft, which turned out to be my ISP's problem that they eventually corrected. While that was occurring I tried to use IE and when I had it open I heard a "bloop" sound like a drop landing in water - the same sound I heard when being terrorized by the aboutblank menace months ago! :flowers: It didn't have any of the other symptoms like having the homepage changed or any of that business, but I thought I would have you check it out just in case. I did run spybot, ad-aware and pest patrol which turned up a small number of innocuous cookies and the like. I didn't like the looks of that toolbar either.

Playing the asteroids game with the keyboard controls works pretty well except for the hyperspace which is the shift key, but if you're slapping that one you're probably going to get crashed into anyway. :trumpet:

Thanks again for your help!

#8 Papakid

    Guru at being a Newbie

  • Malware Response Team
  • 6,663 posts
  • Gender:Male

Posted 11 October 2004 - 09:46 AM

OK, Jeff, you have some leftovers from that old infection so let's try to get you spic and span. Please do the following.

Go to Add/Remove Programs thru Control Panel and look for and uninstall any of the following if found:
My Search Bar
MyWay Speed Bar
Fun Web Products Easy Installer--or anything similar.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here: How to see hidden files in Windows.

Scan again with HijackThis. Put a checkmark by these entries, double-checking to be sure that only these entries are checked.

O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file)
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file) (HKCU)
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -

If you didn't set the following yourself, fix it. It was in your log and fixed back in May but it was not clear to me if you set it yourself.

O15 - Trusted Zone: http://*.windowsupdate.microsoft.com

The following are optional fixes that can improve your PC's performance:

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

This is installed when RealOne is installed and is an application updater. Once installed it runs independently of RealOne Player, and it can be removed. Also you will manually have to disable this. Here’s how:
1. Start RealOne Player and click on Tools then Preferences.
2. Select Automatic services in the Categories pane.
3. Then uncheck all options and then click OK.
4. You can manually update RealOne Player after removal.

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

This is a known resource hog that's not needed at startup. You will still have access to Office if you fix it.

Now close all other windows--you should only see HijackThis open on your Desktop--and then click the "Fix checked" button.

Reboot your computer into Safe Mode and delete the MyWay directory/folder:

C:\Program Files\MyWay

Reboot back into normal mode and post another HJT log.

Also see if you can reproduce the behavior you described so we can tell whether or not it's fixed.

Edited by Papakid, 11 October 2004 - 10:04 AM.


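The checks Papakid applies in posts #4, #6 and #8 (HijackThis run from a Temp folder, the MyWay BHO and toolbar, dead "(no file)" entries, an O16 entry with no source URL, and Trusted Zone entries to confirm), written out as a small HijackThis log reviewer. This is an added example, not code from the thread or from HijackThis itself; the sample log is a constructed subset of the lines Jeff posted, and the finding tags (HJT-IN-TEMP and so on) are this example's own naming.

```python
"""Review a HijackThis (HJT) log for the clean-up rules discussed in this thread.

Added example, not part of the thread or of HijackThis. The checks mirror the
helper's advice: HJT running from a Temp folder (posts #4/#6), O2/O3 entries loaded
from the MyWay folder, orphaned "(no file)" entries, an O16 DPF entry without a
source URL, and O15 Trusted Zone entries to review (post #8).
"""
import re
from collections import Counter
from typing import List, Tuple

# Constructed sample: a subset of the log lines posted in the thread, with the
# process list trimmed. Paths and CLSIDs are copied from the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
Scan saved at 9:53:07 PM, on 10/10/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Documents and Settings\Jeff Hayward\Local Settings\Temp\HijackThis.exe

O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file)
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file) (HKCU)
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/threatinfo/virusinfo/webscan.cab
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
"""

# HJT entry lines start with a section code (R0, N3, O2, O16, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(R\d|F\d|N\d|O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

Entry = Tuple[str, str]  # (section code such as "O2", remainder of the line)


def parse_log(text: str) -> Tuple[List[str], List[Entry]]:
    """Split an HJT log into its 'Running processes' paths and its section entries."""
    processes: List[str] = []
    entries: List[Entry] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if line:                     # the process list ends at the first blank line
                processes.append(line)
            else:
                in_processes = False
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def review(text: str, unwanted_dirs: Tuple[str, ...] = ("\\MyWay\\",)) -> List[str]:
    """Return one tagged finding per item the thread's advice says to fix or confirm."""
    processes, entries = parse_log(text)
    findings: List[str] = []

    # Posts #4 and #6: HJT must run from its own permanent folder, not a Temp folder
    # (it keeps its backups beside the executable and warns on start otherwise).
    for path in processes:
        low = path.lower()
        if low.endswith("\\hijackthis.exe") and "\\temp\\" in low:
            findings.append(f"HJT-IN-TEMP: {path}")

    for code, body in entries:
        low = body.lower()
        # Post #8: the MyWay BHO (O2) and toolbar (O3) load from C:\Program Files\MyWay.
        if code in ("O2", "O3") and any(d.lower() in low for d in unwanted_dirs):
            findings.append(f"UNWANTED-{code}: {body}")
        # Post #8: entries whose target file is gone are dead registry pointers.
        if "(no file)" in low:
            findings.append(f"ORPHAN-{code}: {body}")
        # Post #8: a Downloaded Program File (ActiveX control) registered with no source URL.
        if code == "O16" and body.rstrip().endswith("-"):
            findings.append(f"DPF-NO-URL: {body}")
        # Posts #8 and #11: Trusted Zone hosts get relaxed IE security; confirm each is intended.
        if code == "O15":
            findings.append(f"TRUSTED-ZONE-REVIEW: {body}")
    return findings


def repeated_clsids(text: str) -> List[str]:
    """CLSIDs present in more than one entry, e.g. the same dead O9 button under HKLM and HKCU."""
    _, entries = parse_log(text)
    counts = Counter(c.upper() for _, body in entries for c in CLSID_RE.findall(body))
    return sorted(c for c, n in counts.items() if n > 1)


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
    print("repeated CLSIDs:", repeated_clsids(SAMPLE_LOG))
```

Run against the sample it reports seven findings, the same items Papakid lists plus the Temp-folder process; the O15 entry is only tagged for review, matching the post's "if you didn't set it yourself, fix it" rather than an automatic removal.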

#9 babaganoosh

  • Topic Starter
  • Members
  • 20 posts

Posted 11 October 2004 - 06:23 PM

Here is what I've done (in order):

My Search Bar - Deleted through add/remove programs. MyWay Speed Bar and Fun Web Products Easy Installer--or anything similar - were not listed.

Fixed the following with HJT:
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file)
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file) (HKCU)
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

Two files were not listed in HJT after deletion of My Search Bar:
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

In safe mode, deleted C:\Program Files\MyWay folder via my computer.

Here is HJT after changes:
Logfile of HijackThis v1.98.2
Scan saved at 7:36:24 PM, on 10/11/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\WINNT\LogWatNT.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\devldr32.exe
C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
C:\Program Files\CA\eTrust\InoculateIT\realmon.exe
C:\WINNT\system32\CTHELPER.EXE
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Creative\SBLive2k\RemoteCenter\Rc\Rcman.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Infogrames\Atari Anniversary Edition\Volume 2\Atari icon.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Creative\SBLive2k\RemoteCenter\Rc\OSDMenu.EXE
C:\Program Files\Creative\SBLive2k\RemoteCenter\Rc\EAX.exe
C:\Program Files\Creative\SBLive2k\RemoteCenter\Center\RCenter.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.yahoo.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://news.yahoo.com/"); (C:\Documents and Settings\Jeff Hayward\Application Data\Mozilla\Profiles\default\eqrw71qh.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Jeff Hayward\Application Data\Mozilla\Profiles\default\eqrw71qh.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [RemoteCenter] C:\Program Files\Creative\SBLive2k\RemoteCenter\Rc\Rcman.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [AtariBanner] "C:\Program Files\Infogrames\Atari Anniversary Edition\Volume 2\Banner.exe" /0
O4 - HKLM\..\Run: [Atari Launcher 2] C:\Program Files\Infogrames\Atari Anniversary Edition\Volume 2\Atari icon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/threatinfo/virusinfo/webscan.cab

Thank you so much. :thumbsup:

#10 babaganoosh

  • Topic Starter
  • Members
  • 20 posts

Posted 11 October 2004 - 07:30 PM

I should mention that I have had IE open for a while without any bloop sounds or other strange goings-on.

#11 Papakid

    Guru at being a Newbie

  • Malware Response Team
  • 6,663 posts
  • Gender:Male

Posted 12 October 2004 - 01:14 AM

I should mention that I have had IE open for a while without any bloop sounds or other strange goings-on.


That's good to hear. :thumbsup:

The log looks clean. Just one item came back.
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com

If you think HJT is not working right we can try to fix it again. I don't use the trusted zone in IE because it can work against you. Otherwise that should be legit.

It would be a good idea to run Disk Cleanup. Type cleanmgr in the run box by going to Start>Run. Have it clean out the following three:

Temporary Files
Temporary Internet Files
Recycle Bin

I also see that you are running two antivirus programs at startup. Not a good idea. I suggest you uninstall one of them unless you know of a way to keep them from both starting up every time you reboot.

If you are satisfied that you are clean I recommend these simple steps you can take to reduce the chance of infection in the future. You've got some security software but there are other measures you can take. Be sure to read the pages linked to below if you haven't already.

1. Visit Windows Update:
Make sure that you have all the Critical Updates recommended for your Operating System and Internet Explorer. The first defense against infection is a properly patched OS.

Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp
Or, with Internet Explorer open, click Tools>Windows Update.


2. Adjust your security settings for ActiveX:
Go to Internet Options>Security tab.
Now press "Custom Level."
In the ActiveX section, set the first option, 'Download signed ActiveX controls', to 'Prompt';
set the second option, 'Download unsigned ActiveX controls', to 'Disable';
and finally, set 'Initialize and Script ActiveX controls not marked as safe' to 'Disable'.

These recommendations are based on veteran spyware fighter Tony Klein's now classic article, So how did I get infected in the first place? Check it out for even more information.

I also highly recommend the information in Bleepingcomputer's own Simple steps to keep your computer secure!

Jeff, you still have a number of start ups that aren't necessary. Preventing them from starting up should further improve your PC's performance. For an easy to use Startup Manager that will give you an idea of what each startup does and whether or not it is needed, try Startup Inspector for Windows. Any questions, let me know.

I didn't like hyperspace in Asteroids either and never used it. It would sometimes work out OK in Defender though. :flowers:


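The three ActiveX settings in step 2 of the post above, as a registry audit rather than a walk through the Internet Options dialog. This is an added example, not from the thread: the mapping from the Custom Level labels to the URL-action values 1001, 1004 and 1201 under the Internet zone key (zone 3) follows Microsoft's documented security-zone registry layout, the .reg text it parses is a constructed sample, and the live read through `winreg` is only for current Windows Python builds (the thread's Windows 2000 machine would use an exported .reg file instead).

```python
"""Audit the Internet-zone ActiveX settings recommended in the thread.

Added example, not part of the thread. Internet Explorer stores each zone's
settings as DWORD values named by URL action under the zone key; zone 3 is the
Internet zone. The .reg sample is constructed; real `reg export` output is UTF-16
and must be decoded before parsing.
"""
import re
from typing import Dict, List, Optional, Tuple

INTERNET_ZONE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

ENABLE, PROMPT, DISABLE = 0, 1, 3
LEVEL_NAME = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# URL action -> (label in Internet Options > Security > Custom Level, recommended level),
# exactly the three settings the post asks for.
RECOMMENDED: Dict[str, Tuple[str, int]] = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
}

# Constructed sample export: 1001 is Enable, 1004 is Prompt, 1201 is not set at all.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000001
"1200"=dword:00000000
"""

DWORD_RE = re.compile(r'^"(\d{4})"=dword:([0-9A-Fa-f]{8})$')


def parse_reg_export(text: str) -> Dict[str, int]:
    """Collect the numeric URL-action DWORDs from a .reg export of one zone key."""
    values: Dict[str, int] = {}
    for line in text.splitlines():
        m = DWORD_RE.match(line.strip())
        if m:
            values[m.group(1)] = int(m.group(2), 16)
    return values


def is_at_least_as_strict(have: int, want: int) -> bool:
    """Disable is stricter than Prompt, which is stricter than Enable; unknown values fail."""
    order = {ENABLE: 0, PROMPT: 1, DISABLE: 2}
    return order.get(have, -1) >= order[want]


def audit(current: Dict[str, Optional[int]]) -> List[str]:
    """One finding per recommended setting that is missing or weaker than recommended."""
    findings: List[str] = []
    for action, (label, want) in RECOMMENDED.items():
        have = current.get(action)
        if have is None:
            findings.append(f"{action} {label}: not set explicitly; want {LEVEL_NAME[want]}")
        elif not is_at_least_as_strict(have, want):
            findings.append(f"{action} {label}: {LEVEL_NAME.get(have, str(have))}; want {LEVEL_NAME[want]}")
    return findings


def read_live_values() -> Dict[str, Optional[int]]:
    """Read the three values from the live registry (Windows only); returns {} elsewhere."""
    try:
        import winreg
    except ImportError:
        return {}
    sub_key = INTERNET_ZONE_KEY.split("\\", 1)[1]
    values: Dict[str, Optional[int]] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, sub_key) as key:
        for action in RECOMMENDED:
            try:
                values[action] = winreg.QueryValueEx(key, action)[0]
            except FileNotFoundError:
                values[action] = None
    return values


if __name__ == "__main__":
    for finding in audit(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(finding)
```

A value set to Disable where the post only asks for Prompt is accepted, since it is stricter; a value that is absent is reported rather than assumed safe, because the zone's template default then applies.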



