Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

My HJT log - Help Please


  • Please log in to reply
2 replies to this topic

#1 Digimom

Digimom

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:07:14 PM

Posted 29 December 2004 - 03:28 PM

I've downloaded and ran HJT but it makes absolutely no sense to me so I'm hoping you can help, I'd appreciate it. :thumbsup: My kids have downloaded things and I've taken them off ( or think I have ) but lately twice a day a browser opens by itself, I'm not sure what's causing it. Here's my log, thanks in advance for any help you can give.

Logfile of HijackThis v1.99.0
Scan saved at 2:26:06 PM, on 12/29/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL\OUTPOST.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\CHAOS SOFTWARE\CHAOS 6\ALARM.EXE
C:\PROGRAM FILES\3M\PSN2LITE\PSN2LITE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\PROGRAM FILES\WS_FTP PRO\WSBHO2K0.DLL (disabled by BHODemon)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: AccessibilityToolbar - {9E0C6AAD-A8E3-4E49-9DBD-786099B599A4} - C:\PROGRAM FILES\ACCESSIBILITYTOOLBAR TOOLBAR\ACCESSIBILITYTOOLBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ScanRegistry] "C:\WINDOWS\scanregw.exe " /autorun
O4 - HKLM\..\Run: [SystemTray] "SysTray.Exe"
O4 - HKLM\..\Run: [AVG_CC] "C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe " /STARTUP
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL\OUTPOST.EXE /waitservice
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows ControlAd] C:\PROGRAM FILES\WINDOWS CONTROLAD\WINCTLAD.EXE
O4 - HKLM\..\RunServices: [Avgserv9.exe] "C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe"
O4 - HKLM\..\RunServices: [Outpost Firewall] C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL\OUTPOST.EXE /service
O4 - HKCU\..\Run: [ALARM.EXE] "C:\PROGRAM FILES\CHAOS SOFTWARE\CHAOS 6\ALARM.EXE"
O4 - Startup: Post-itŪ Software Notes Lite.lnk = C:\Program Files\3M\PSN2Lite\Psn2Lite.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - User Startup: Post-itŪ Software Notes Lite.lnk = C:\Program Files\3M\PSN2Lite\Psn2Lite.exe
O4 - User Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - User Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Free Software - C:\Program Files\Cool Web Scrollbars\hh.html
O8 - Extra context menu item: Link Popularity - http://route.mouseclickapplication.com/cgi...=1&set=1&tool=1
O8 - Extra context menu item: Keyword Density - http://route.mouseclickapplication.com/cgi...=1&set=1&tool=2
O8 - Extra context menu item: Position Reporter - http://route.mouseclickapplication.com/cgi...=1&set=1&tool=3
O8 - Extra context menu item: SE Submission - http://route.mouseclickapplication.com/cgi...=1&set=1&tool=4
O8 - Extra context menu item: SE Optimizer - http://route.mouseclickapplication.com/cgi...=1&set=1&tool=5
O8 - Extra context menu item: &Check Spelling - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLCHECK.HTM
O8 - Extra context menu item: &ieSpell Options - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLOPTION.HTM
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR4.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR4.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR4.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR4.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR4.DLL/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\PROGRAM FILES\IESPELL\IESPELL.DLL
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\PROGRAM FILES\IESPELL\IESPELL.DLL
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\PROGRAM FILES\IESPELL\IESPELL.DLL
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\PROGRAM FILES\IESPELL\IESPELL.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: Toggle AccessibilityToolbar toolbar - {F1D75287-2EF6-4E41-A305-A27A7921ECAA} - C:\PROGRAM FILES\ACCESSIBILITYTOOLBAR TOOLBAR\ACCESSIBILITYTOOLBAR.DLL
O9 - Extra 'Tools' menuitem: &AccessibilityToolbar toolbar - {F1D75287-2EF6-4E41-A305-A27A7921ECAA} - C:\PROGRAM FILES\ACCESSIBILITYTOOLBAR TOOLBAR\ACCESSIBILITYTOOLBAR.DLL
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL\TRASH.EXE (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL\TRASH.EXE (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/SharedCont...c/bin/cabsa.cab
O16 - DPF: {B160422D-0A48-11D4-BD9B-00A0C9B0AB7B} (Download Class) - http://expressit.broderbund.com/plugin/Download.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/092405708c2cb889e701/netzip/RdxIE6.cab
O16 - DPF: {2AF973E9-21D2-4BCE-AB51-9DE67165A7C4} (ActiveGL Control) - http://nl.mirrors.gtaskins.com/viewer/modelviewer.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.9.18/ttinst.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/sbc/TrueInstallSBC.exe
O16 - DPF: {2B4F4FA8-814A-11D7-B31B-0002A500B281} (FASetupStart Control) - http://a2.ff.fullaudio.com.edgesuite.net/f....0.40/setup.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://digitalflip.net/fvlite22/fvlite.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partner...lim/install.cab
O16 - DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} (dnlplayer Class) - http://www.digitalwebbooks.com/reader/dbplugin.cab
O16 - DPF: {BA5E57BB-88D5-422A-AC9E-C01A6EEE2537} (WebDvr3 Class) - http://67.122.184.99//WebDvr3.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...5271ab95b94951b

BC AdBot (Login to Remove)

 


#2 penmore

penmore

    Malware Sniffer


  • Members
  • 757 posts
  • OFFLINE
  •  
  • Location:West Coast of Scotland
  • Local time:01:14 AM

Posted 30 December 2004 - 02:07 PM

Hi Digimom,

I'll be responsible for looking after your log review. I'll get back to you as soon as I can with some fixes. Please be patient whilst I work through your log.

#3 penmore

penmore

    Malware Sniffer


  • Members
  • 757 posts
  • OFFLINE
  •  
  • Location:West Coast of Scotland
  • Local time:01:14 AM

Posted 31 December 2004 - 01:54 PM

Hi Digimom,

There are a number of steps you need to take in order to clean your machine. Please carry out the steps in the order they are given. You may find it helpful to print these instructions out as you will not have access to the Internet whilst you are running in Safe mode.

Please read through all of the steps first to ensure you understand what I'm asking you to do. If you have any questions, please ask before you start the fixes.
  • Please go to Start >>> Control Panel >>> Add or Remove Programs and remove the following programs
    • Windows AdControl
  • Reboot your computer into Safe Mode.

  • Run HijackThis
    Click on the Scan button and when complete
    Put a check beside all of the items listed below
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O4 - HKLM\..\Run: [Windows ControlAd] C:\PROGRAM FILES\WINDOWS CONTROLAD\WINCTLAD.EXE
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/092405708c2cb889e701/netzip/RdxIE6.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partner...lim/install.cab
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...5271ab95b94951b

    Close all open Explorer windows and browsers
    Click on the "Fix Checked" button
    When complete and all files removed, close the application

  • Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
    How to see hidden files in Windows

    Please delete the following folder (delete item in bold). Please do not be concerned if
    any of the items are not found as they may have been automatically removed by actions I had
    you take earlier in the cleaning process.C:\PROGRAM FILES\WINDOWS CONTROLAD >>> Folder
  • Reboot your machine, run HijackThis and post a new log here using the Add Reply button. Also, can you perhaps give me some additional information viz:
    • There are a few toolbars showing in the log. Did your children install theses and do they actually use them.
    • You mentioned that the browser opens on its own. When it opens, does it contain any information or just a default page?
    • Do you have multiple user accounts on this machine?
    • Can you remember what you removed prior to posting this log.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users