
Hijackthis Log: Please Help Diagnose

  • This topic is locked
4 replies to this topic

#1 WebDiva


  • Members
  • 2 posts
  • Local time:03:28 PM

Posted 08 February 2006 - 05:38 PM

Hello. I seem to be infected with some sort of virus / spyware. I have run a Windows update, a Symantec virus scan and update, an Adaware scan, as well as Spybot Search and Destroy. While these scans have detected and removed problems I am still experiencing the initial problem which led me to run these scans. When I open a browser (IE) window I get a pop-up marked as an advertisement. This pop-up is labeled: Registry Cleaner Recommended. Errors in your Windows registry database, if present, could cause erratic operation and other computer problems including: ...

When I close the pop-up window I then get a warning message.

A co-worker suggested that I run this scan and use this forum for possible help. Any suggestions would be greatly appreciated.



HijackThis Scan Log:

Logfile of HijackThis v1.99.1
Scan saved at 5:13:43 PM, on 2/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\st95km5w\Desktop\HijackThis_download\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drexel.edu/cce/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Ctcqxv.exe
O4 - HKLM\..\Run: [4vcncu64] C:\WINDOWS\system32\4vcncu64.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Rzuasl.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {15270B8D-C8F5-43AD-8B84-5B02B46958FC} (AdminToolbarControl Object) - http://admin.dfire.org//igxui42.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://v4.ingeniux.com/dragonfire/msxml4.cab
O16 - DPF: {8C28EFD7-767B-11D1-8400-000000000000} - http://brioquery.irt.drexel.edu/components....Insight.en.cab
O16 - DPF: {9B7D6C2B-9C1C-4C97-A0F2-063CA129397F} (IEHelper Object) - http://admin.dfire.org//igxui42.cab
O16 - DPF: {ACEFFC26-4628-11D1-B14A-105C01C13001} (WSpell Spelling Checker Control) - http://v4.ingeniux.com/dragonfire/wspell.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = drexel.edu
O17 - HKLM\Software\..\Telephony: DomainName = drexel.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = drexel.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = drexel.edu
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Iamidrp - Intel Corporation - (no file)
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe



#2 pskelley


  • Members
  • 1,487 posts
  • Gender:Male
  • Local time:04:28 PM

Posted 09 February 2006 - 10:46 AM

Hi Katie and welcome to the forum. I do see some junk, and often the stuff hides from us. Let's do this in the posted order and see what happens.

1) Download, update, configure and run these two programs: http://tomcoyote.org/aawsb.php
The newest version of Ad-aware is 1.06 and Spybot 1.04. Even if you have these programs, use the link to get the newest version, update and configure them as in the link. Run Spybot first, reboot then run Ad-aware. Both programs back up what they remove so delete anything the programs say should be removed.

2) Ewido scan:
Please download Ewido Security Suite it is a trial version of the program.
  • Install ewido security suite
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.**
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Ctcqxv.exe
O4 - HKLM\..\Run: [4vcncu64] C:\WINDOWS\system32\4vcncu64.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Rzuasl.exe
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Enable hidden files & folders. Reverse the process when finished.

RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\system32\Ctcqxv.exe >>> file

C:\WINDOWS\system32\4vcncu64.exe >>> file

C:\WINDOWS\system32\Rzuasl.exe >>> file

C:\Windows\Prefetch\ >>> delete everything in this folder (NOT THE FOLDER)
Prefetch info: http://www.windowsnetworking.com/articles_...refetch-XP.html

If you don't have a good cleaner, use this one with these instructions:
Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp
Run CCleaner, Windows & Applications when you run the registry cleaner (Issues) you will be prompted to backup before you can remove stuff, make sure you do.

I can't identify this: O23 - Service: Iamidrp - Intel Corporation - (no file) highlighted in red. But the company is of course Intel. Do you know what it is? I am leery of removing it without more information, thanks.

Restart the computer and post the ewido scan results, a new HJT log and your comments. How is the computer running now?

MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006
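A small triage helper for the HijackThis log format used in this thread, added here as an example (it is not code from the thread, from HijackThis or from the helper): it parses the O4 Run and O23 Service lines and flags the same kinds of entries pskelley singled out above, namely system32 autostarts that are not on a known-good list and a service whose binary is missing. The allowlist and the constructed sample log are assumptions for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample modeled on the log posted in this thread (not the full log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Ctcqxv.exe
O4 - HKLM\..\Run: [4vcncu64] C:\WINDOWS\system32\4vcncu64.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Rzuasl.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Iamidrp - Intel Corporation - (no file)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# Assumed allowlist: system32 autostarts that are expected on a stock XP SP2 box
# (the ones that appear in the posted log). Anything else in system32 gets flagged.
KNOWN_SYSTEM32 = {"ctfmon.exe", "hkcmd.exe", "igfxtray.exe", "mobsync.exe"}

O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$')
O23_RE = re.compile(r'^O23 - Service: (.*?) - (.*?) - (.*)$')


def parse_o4(line):
    """Return (hive, label, exe_path) for an O4 Run line, or None if it is not one.

    The path may be quoted and may be followed by arguments (-quiet, /background),
    so the executable is taken as everything up to the first ".exe".
    """
    m = O4_RE.match(line)
    if not m:
        return None
    hive, label, rest = m.groups()
    exe = re.match(r'"?(.+?\.exe)', rest, re.I)
    return (hive, label, exe.group(1)) if exe else None


def triage(log_text):
    """Walk a HijackThis log and return (line, reason) pairs worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        o4 = parse_o4(line)
        if o4:
            hive, label, path = o4
            p = PureWindowsPath(path)
            in_system32 = "system32" in (part.lower() for part in p.parts)
            if in_system32 and p.name.lower() not in KNOWN_SYSTEM32:
                findings.append((line, f"unrecognised system32 autostart [{label}] -> {p.name}"))
            continue
        m = O23_RE.match(line)
        if m:
            name, owner, path = (g.strip() for g in m.groups())
            if path == "(no file)":
                findings.append((line, f"service {name!r} is registered but its binary is missing"))
            elif owner.lower() == "unknown owner":
                findings.append((line, f"service {name!r} carries no publisher string"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

A flagged entry is a prompt to look up the file, not a verdict; the thread itself shows a legitimate Intel service with "(no file)" that the helper chose not to remove without more information.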

#3 WebDiva

  • Topic Starter

  • Members
  • 2 posts
  • Local time:03:28 PM

Posted 10 February 2006 - 03:15 PM


Hello and thank you so much for your reply. I've done everything you suggest, but I have questions about the ewido scan. Here is the log of what ewido found:

ewido anti-malware - Scan report

+ Created on: 11:13:39 AM, 2/10/2006
+ Report-Checksum: B5B896C0

+ Scan result:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Bargain Buddy -> Adware.BargainBuddy : Ignored
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinDH -> Adware.DealHelper : Ignored
C:\Documents and Settings\aw73\Cookies\aw73@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Ignored
C:\Documents and Settings\aw73\Cookies\aw73@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Ignored
C:\Documents and Settings\nae22\Cookies\nae22@abetterinternet[1].txt -> TrackingCookie.Abetterinternet : Ignored
C:\Documents and Settings\nae22\Cookies\nae22@servedby.advertising[2].txt -> TrackingCookie.Advertising : Ignored
:mozilla.11:C:\Documents and Settings\st95km5w\Application Data\Mozilla\Firefox\Profiles\fcrd0eia.default\cookies.txt -> TrackingCookie.Statcounter : Ignored
C:\Documents and Settings\st95km5w\Cookies\st95km5w@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Ignored
C:\Documents and Settings\st95km5w\Cookies\st95km5w@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Ignored
C:\Documents and Settings\st95km5w\Cookies\st95km5w@com[2].txt -> TrackingCookie.Com : Ignored
C:\Documents and Settings\st95km5w\Cookies\st95km5w@ivwbox[2].txt -> TrackingCookie.Ivwbox : Ignored
C:\Documents and Settings\st95km5w\Local Settings\Temp\dealhelper.exe -> Downloader.Agent.hw : Ignored
C:\Program Files\WebSavingsfromEbates -> Adware.MoneyMaker : Ignored
C:\Program Files\WebSavingsfromEbates\System -> Adware.MoneyMaker : Ignored
C:\Program Files\WebSavingsfromEbates\System\Temp -> Adware.MoneyMaker : Ignored
C:\Program Files\WebSavingsfromEbates\System\Temp\dump.txt -> Adware.MoneyMaker : Ignored
C:\Program Files\WebSavingsfromEbates\System\Temp\run.txt -> Adware.MoneyMaker : Ignored
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP228\A0064411.exe -> Adware.Sahat : Ignored
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP228\A0064412.exe -> Adware.Sahat : Ignored
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP228\A0064413.dll -> Adware.Sahat : Ignored
C:\WINDOWS\SYSTEM32\Aghbnk.exe -> Adware.DealHelper : Ignored
C:\WINDOWS\SYSTEM32\axuninstall.exe -> Adware.BlazeFind : Ignored
C:\WINDOWS\SYSTEM32\Ctcqxv.exe -> Adware.DealHelper : Ignored
C:\WINDOWS\SYSTEM32\dun.exe -> Adware.DealHelper : Ignored
C:\WINDOWS\SYSTEM32\Fpliij.exe -> Adware.DealHelper : Ignored
C:\WINDOWS\SYSTEM32\Jtersx.exe -> Adware.DealHelper : Ignored
C:\WINDOWS\SYSTEM32\Rzuasl.exe -> Adware.DealHelper : Ignored
C:\WINDOWS\SYSTEM32\Svgogq.exe -> Adware.DealHelper : Ignored
C:\WINDOWS\SYSTEM32\Uwglah.exe -> Adware.DealHelper : Ignored

::Report End

So I'm not sure if there are things that need to be deleted or not. I haven't rerun HijackThis because I wasn't sure if I should wait and see what you said about the ewido scan. I did remove the things you had already suggested I remove.

New Problem:

I really hope that I'm not being a huge pain in the rear, but the person who infected me seems to be in a bad place. I've had him do everything I did so that I could reduce what is needed. He started off with this icon in his task bar that mimicked the Windows Update icon. He seemed to be infected with Spy Falcon and Spyware Strike. Here is what he e-mailed me:

I'm having a problem with unwanted pop ups and something in my taskbar that I never downloaded. Two icons remain on my taskbar. One resembles a Microsoft Windows Update insignia with an intermittent flashing exclamation point that informs me that my computer is infected. It then prompts me to download software to correct the problem (which I have not done). The other is an icon that has an SF on it. When I click on it, it comes up as Spy Falcon. The previous icon was something by the name of Spyware Strike.

I purchased an antivirus software through Staples. The manufacturer is Panda Software. I installed it and it corrected the problem, meaning it got rid of the Spyware Strike icon and the flashing Microsoft icon, but they returned a few minutes later, this time as the Spy Falcon icon along with the MS Windows Update icon.

One other problem that happens is upon startup. Ewido anti-malware always brings up an alert that reads it has detected malware. The following is the info given:

File: mssearchnet.exe

Path: C:\WINDOWS\system32

Infection: Hijacker.SpyAxe

Furthermore, I have tried to delete both (Spyware Strike and Spy Falcon) of these programs using the Add/ Remove in the Control panel, but to no avail.

If needed I also have his scans from running ewido and HijackThis. I wasn't sure if you wanted me to post that information as well.

Thanks again for all of your help,


#4 pskelley


  • Members
  • 1,487 posts
  • Gender:Male
  • Local time:04:28 PM

Posted 13 February 2006 - 03:42 PM

I must apologize, new software is coming but I did not get the notification that you posted. If you do not hear from me within 8 hours of a post, PM me here:

Katie, I am sorry:( I can't work like you are asking me to. If you have a friend with problems tell them to post their own topic. If you are picking up additional infections yourself, stay off line except when troubleshooting the problem or checking email.

Yes, everything you ignored in the ewido scan is bad and must be deleted. Run the scan again and delete everything ewido finds unless you know it is not bad. Finish the other instructions I posted at the same time. Give me any information I requested along with the new ewido scan results and a new HJT log. I will let you know what to do next as soon as possible after that.

Oh...and don't open anything that "friend" sends you. It sounds like you have picked up additional infections. We will tackle them when you finish the instructions from Feb 9 2006, 10:46 AM.

MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#5 pskelley


  • Members
  • 1,487 posts
  • Gender:Male
  • Local time:04:28 PM

Posted 21 February 2006 - 12:41 PM

No response to this thread since Feb 13 2006, 03:42 PM :thumbsup:

Topic is closed
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006
