
Hijackthis log


7 replies to this topic

#1 katt430

Posted 07 November 2004 - 06:24 AM

Would someone be kind enough to take a look at this for me?
Have been having probs for 2 days now. AVG is reporting 2 viruses but doesn't pick them up when scanning; have disabled System Restore and tried scanning in Safe Mode but get the error "avg innit missing". Can scan in normal mode but it finds nothing. Have tried Stinger, Spybot, Ad-Aware, CW Shredder, Panda, all updated, but they find nothing; have uninstalled everything from Add/Remove but still having probs: PC running slow, ad pop-ups, search engine change, even seem to be getting targeted e-mail.
Would appreciate any help you may be able to offer.......

Logfile of HijackThis v1.98.2
Scan saved at 10:36:20, on 07/11/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\pctspk.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\twain_32\SiPix\SCBlink2\Srvany.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\twain_32\SiPix\SCBlink2\USBPNP.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AOL 7.0\aoltray.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\AOL 7.0\waol.exe
C:\Program Files\Opera7\opera.exe
C:\Documents and Settings\Dell Latitude\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lycos.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: HotSearchBar.com Bar - {8B224779-3B0E-4FEA-8AE1-B66C20DD840F} - (no file)
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Bouncer RunStartup] C:\Program Files\Bouncer\Bouncer.exe 101
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\RunOnce: [Web Offer] C:\WINDOWS\system32\ezPopStub.exe /UninstPOP2 C:\Program Files\Web Offer
O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {0585238B-9CA6-4CCB-A9B2-FE4BA495E880} (AXWebMon Control) - http://www.smilecam.com/home/ezwebcam/eng5...WebMonProj1.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...86609ee646decd2 ac69bca347da7f92bd3f40ed80f8:f24c6caefc20c400fd4e2e5e2503e16a
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.8.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {706F3805-27D7-478D-80E5-E25D2BB030B3} (VacPro.internazionale_ver3) - http://ocx3.advnt01.com/dialer/internazionale_ver3.CAB
O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masminutos.com/laaplicacion.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.ghostsandlegends.com/AxisCamControl.ocx
O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} (iiittt Class) - http://hotsearchbar.com/toolbar2/winhot32.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f007.mail.lycos.co.uk/app/uploader/FileUploader.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildAppNonUS.cab
O16 - DPF: {FFCEABDA-C04E-7F4A-E9B6-DFA72B2F49FB} - http://213.200.210.10/dl/101/GB175_100.exe
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CC} - http://direct.data-line.us/gbn842.exe
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CD} - http://direct.data-line.us/gbn842.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C36632C-0500-4DAD-B738-AEA4632044C5}: NameServer = 195.93.49.134
O17 - HKLM\System\CS1\Services\Tcpip\..\{5C36632C-0500-4DAD-B738-AEA4632044C5}: NameServer = 195.93.49.134


Many Thanks....


#2 phawgg

Posted 07 November 2004 - 02:46 PM

Hi, Katt430, I'm checking your log now. I'll post recommendations asap. :thumbsup:
patiently patrolling, plenty of persistent pests n' problems ...

#3 katt430

Posted 07 November 2004 - 05:40 PM

:thumbsup: Many thanks phawgg.......

#4 phawgg

Posted 07 November 2004 - 09:09 PM

Katt430, I'm back. Uncertain of what remains installed of the programs you mentioned using; however, try this:

Your HijackThis is being run from your Desktop. From My Computer, click on your "local C: drive" and open "file-->new", naming it hjt. You will need to unzip hijackthis.exe, from where it is now, to your new folder. This has to be done so HijackThis can file its created backups. You may need to use those backups.

You have several bad activeX files.
Most were found using Spywareblaster 3.2, a freeware program I recommend you download & install. Like all tools we use, it should be updated, and you can do it manually instead of paying for the auto-update if you like. Several other programs will help you to avoid problems like you now have, and I'll explain them later. You can do them all after we're done. First let's clean your PC.

I want you to fix some of those entries. Please do the following:
Go to Add or Remove Programs. If found, uninstall Web Offer & Bouncer or SpyBouncer

Please make sure that you can view all hidden files. Instructions on how to do this can be found here: How to see hidden files in Windows

Run Hijackthis again, making sure it is the only thing appearing on your desktop. No other open browsers or programs. Click scan, and put a checkmark next to each of these. Then click the Fix button.

O3 - Toolbar: HotSearchBar.com Bar - {8B224779-3B0E-4FEA-8AE1-B66C20DD840F} - (no file)
O4 - HKLM\..\Run: [Bouncer RunStartup] C:\Program Files\Bouncer\Bouncer.exe 101
O4 - HKCU\..\RunOnce: [Web Offer] C:\WINDOWS\system32\ezPopStub.exe /UninstPOP2 C:\Program Files\Web Offer
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...86609ee646decd2 ac69bca347da7f92bd3f40ed80f8:f24c6caefc20c400fd4e2e5e2503e16a
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.8.cab
O16 - DPF: {706F3805-27D7-478D-80E5-E25D2BB030B3} (VacPro.internazionale_ver3) - http://ocx3.advnt01.com/dialer/internazionale_ver3.CAB
O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masminutos.com/laaplicacion.cab
O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} (iiittt Class) - http://hotsearchbar.com/toolbar2/winhot32.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildAppNonUS.cab
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CC} - http://direct.data-line.us/gbn842.exe
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CD} - http://direct.data-line.us/gbn842.exe
O16 - DPF: {FFCEABDA-C04E-7F4A-E9B6-DFA72B2F49FB} - http://213.200.210.10/dl/101/GB175_100.exe

Reboot into Safe Mode (hit F8 key until menu shows up. Select "safe mode". Press "enter")

Then delete these files or directories (Do not be concerned if they do not exist)
C:\Program Files\Web Offer<--this folder only
C:\Program Files\Bouncer\Bouncer.exe 101<--this folder & any files in it

Clean out your Temp files and your Temporary Internet Files. Please do both steps:
Note: You could do these steps in normal mode, but some files might be in use and not allow you to delete them unless you are in Safe Mode.

Delete Temp Files
To clean out your temp files, click on Start and then run, and type %temp% and press the ok button. This should open up the temp directory that your machine uses. Please delete all files that are found there. If you get an error when deleting a file, skip that file and delete all the others. Doing this in Safe Mode you should be able to delete all the files.

Delete Temporary Internet Files
Now I want you to open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.

Reboot your computer to go back to normal mode.

Empty the recycle bin.
Run HijackThis again and post the new log as a reply to this post.
(Include comments regarding any problems you might have had, and let us know if it's working better. Some additional options may exist, and we can go over specific prevention for you then.)
patiently patrolling, plenty of persistent pests n' problems ...

#5 katt430

Posted 08 November 2004 - 09:08 AM

Hello Phawgg..........I have followed your instructions to the letter and encountered no problems along the way :thumbsup:

All seems to be working fine now and definitely running faster!

I have also installed and manually updated Spywareblaster 3.2.

Here is the new Hijackthis log..........


Logfile of HijackThis v1.98.2
Scan saved at 13:08:09, on 08/11/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\pctspk.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\twain_32\SiPix\SCBlink2\Srvany.exe
C:\Program Files\AOL 7.0\aoltray.exe
C:\WINDOWS\twain_32\SiPix\SCBlink2\USBPNP.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\AOL 7.0\waol.exe
C:\Documents and Settings\Dell Latitude\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lycos.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {0585238B-9CA6-4CCB-A9B2-FE4BA495E880} (AXWebMon Control) - http://www.smilecam.com/home/ezwebcam/eng5...WebMonProj1.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.ghostsandlegends.com/AxisCamControl.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f007.mail.lycos.co.uk/app/uploader/FileUploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C36632C-0500-4DAD-B738-AEA4632044C5}: NameServer = 195.93.32.134
O17 - HKLM\System\CS1\Services\Tcpip\..\{5C36632C-0500-4DAD-B738-AEA4632044C5}: NameServer = 195.93.32.134


Once again many many thanks for your time and knowledge.
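One way to check that the fix list from post #4 was actually applied is to diff the two logs posted in this thread. This is an added example, not code from the thread or from HijackThis: the log excerpts are constructed from the lines quoted above, and all function names are the example's own.

```python
import re
# Constructed excerpts of the two HijackThis logs quoted in this thread (before and after the fix).
BEFORE_LOG = r"""
O3 - Toolbar: HotSearchBar.com Bar - {8B224779-3B0E-4FEA-8AE1-B66C20DD840F} - (no file)
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Bouncer RunStartup] C:\Program Files\Bouncer\Bouncer.exe 101
O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} (iiittt Class) - http://hotsearchbar.com/toolbar2/winhot32.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C36632C-0500-4DAD-B738-AEA4632044C5}: NameServer = 195.93.49.134
"""
AFTER_LOG = r"""
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C36632C-0500-4DAD-B738-AEA4632044C5}: NameServer = 195.93.32.134
"""
# Lines the helper asked to be fixed (a subset of the list in post #4).
FIX_LIST = [
    "O3 - Toolbar: HotSearchBar.com Bar - {8B224779-3B0E-4FEA-8AE1-B66C20DD840F} - (no file)",
    r"O4 - HKLM\..\Run: [Bouncer RunStartup] C:\Program Files\Bouncer\Bouncer.exe 101",
    "O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} (iiittt Class) - http://hotsearchbar.com/toolbar2/winhot32.cab",
]

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")   # "O16 - DPF: ..." style lines
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")                    # {GUID} used by O2/O3/O9/O16/O17
RUNKEY_RE = re.compile(r"\[(?P<name>[^\]]+)\]")                   # [value name] in O4 Run entries

def parse_entry(line):
    """Split one log line into (section, key, body); the key is what an analyst matches on."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None                          # header, blank line or running-process path
    section, body = m.group("section"), m.group("body")
    clsid, run = CLSID_RE.search(body), RUNKEY_RE.search(body)
    key = body                               # fallback: match on the whole body
    if section == "O4" and run:
        key = run.group("name")              # registry value name, e.g. "Bouncer RunStartup"
    elif section == "O17":
        key = body.split(":", 1)[0]          # interface GUID incl. CCS/CS1 control set
    elif clsid:
        key = clsid.group(0).upper()         # CLSID identifies a BHO/toolbar/DPF regardless of path
    return section, key, body

def parse_log(text):
    """Map (section, key) -> body for every entry line in a HijackThis log."""
    entries = {}
    for section, key, body in filter(None, map(parse_entry, text.splitlines())):
        entries[(section, key)] = body
    return entries

def verify_fix(before_text, after_text, fix_list):
    """Report which fix-list entries are gone, which survive, and which other entries changed value."""
    before, after = parse_log(before_text), parse_log(after_text)
    wanted = {(s, k) for s, k, _ in map(parse_entry, fix_list)}
    removed = sorted(k for k in wanted if k in before and k not in after)
    still_present = sorted(k for k in wanted if k in after)
    changed = sorted(k for k in before if k in after and before[k] != after[k])
    return {"removed": removed, "still_present": still_present, "changed": changed}
```

Run against the full logs, `changed` also surfaces entries that were not on the fix list but differ between the two scans (here the O17 NameServer value), which is the kind of thing a helper wants to see before declaring the machine clean.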

#6 phawgg

Posted 08 November 2004 - 03:57 PM

That's good news, Katt430, glad to hear it. :flowers: Now that you're clean, disable & re-enable your System Restore to set a new restore point. This will ensure there are no infected files found in a restore point left over from what we have just cleaned. Additional information & instructions are here.

Keep your Internet Explorer configured safely. Open IE and check tools-->internet options-->security-->click internet icon-->default (medium will show). Then click custom and check that these settings are:
  • Download unsigned ActiveX controls - prompt
  • Initialize and script ActiveX controls not marked as safe - disable
  • Installation of desktop items - prompt
  • Launching programs and files in IFRAME - prompt
  • Navigate sub-frames across different domains - prompt
SP2 may have these right, change them if they are not. OK your change(s). Yes at the warn dialog box, choose Apply and then OK to exit.

Continue using installed programs for anti-virus & anti-malware protection... update them frequently. (auto-update set or check weekly)
No conflicts exist using these together on your PC [winXPSP2]:
AVG
Ad-aware (excellent additional plug-ins are available)
Spybot S&D (several useful options included. I recommend using Tea Timer Resident Protection; it alerts you to changes you make, or those being made)
A2 (fast scanning & free like the others)
SpywareBlaster (the additional SpywareGuard program isn't needed if you use Tea Timer in Spybot S&D)

Keep your Firewall up & monitor its configuration (understanding its operation may require some thought)

Windows Updates can occur frequently, so auto-update or check weekly.

Consider using Firefox as an alternative to IE for fundamental security reasons. You can have both easily.

Tutorials are available for more in-depth considerations.
Switching from Internet Explorer to Firefox
Simple and easy ways to keep your computer safe and secure on the Internet
Using Spybot - Search & Destroy to remove Spyware from Your Computer
Using Ad-Aware SE to remove Spyware & Hijackers from Your Computer
Using SpywareBlaster to protect your computer from Spyware, Hijackers, and Malware
Guide to Windows XP Recovery Features
Steps to take when connecting a new computer to the Internet

I'm glad we could be of assistance to you, you're entirely welcome to it. :thumbsup:
patiently patrolling, plenty of persistent pests n' problems ...

#7 katt430

Posted 10 November 2004 - 07:06 PM

Thank you Phawgg!

#8 phawgg

Posted 31 December 2004 - 06:32 PM

Closed. The topics in this thread appear to have been resolved.

If referring to this thread you may:
Right-click Posted. Choose Copy Link Location. Paste with comments to a New Topic.

You may also contact a HJT Team Member, and reference the link location address. Happy New Year. :thumbsup: :flowers:
patiently patrolling, plenty of persistent pests n' problems ...