Brand new computer from Dell and here's my HJT log!

13 replies to this topic

#1 morrowind

  • Members
  • 13 posts
Posted 18 January 2005 - 06:15 PM

Okay, I've got a few day old Dell 8400 with XP Home. I have deleted my cookies, temp saved passwords and usernames, and history in Windows Explorer. I use Firefox 1.0 now.

Before this log I ran Ad-Aware SE with all the new updates and it detected 0 pieces of spyware. But my HJT log appears jacked up. Here it is:

Logfile of HijackThis v1.99.0
Scan saved at 8:35:58 PM, on 1/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Windows AdControl\WinAdCtl.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Windows AdControl\WinAdAlt.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Kurt Peterson\My Documents\My Spyware\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nfl.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows AdControl] C:\Program Files\Windows AdControl\WinAdCtl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O23 - Service: IAA Event Monitor - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Edited by testikleez, 18 January 2005 - 09:36 PM.




#2 groovicus

  • Security Colleague
  • 9,963 posts
  • Location:Centerville, SD
Posted 18 January 2005 - 08:33 PM

It would be helpful if you updated your HJT to the most recent version, and then post a new log please.

'Hijack This!'.

#3 morrowind
  • Topic Starter
Posted 18 January 2005 - 09:12 PM

It would be helpful if you updated your HJT to the most recent version, and then post a new log please.

'Hijack This!'.

Thanks. I edited my original post with the updated version of HJT.

#4 groovicus
Posted 18 January 2005 - 09:17 PM

Do you have another thread going somewhere?? Is someone else helping you already?

I'll continue helping you in your other thread if you give me a link to it. :thumbsup:

#5 morrowind
  • Topic Starter
Posted 18 January 2005 - 09:26 PM

I, by accident, posted this in another forum. A moderator moved it over here. This is my current active topic :flowers:

On my other computer when I run HJT I only get like 10 items on the entire list. It just seems that my brand new computer is running tons of useless programs and all those homepage links and such have me a bit wary. I want to clean it up so it runs at its optimum :thumbsup:

Edited by testikleez, 18 January 2005 - 09:29 PM.


#6 groovicus
Posted 18 January 2005 - 09:31 PM

If this is your most recent log, then you are missing the bottom portion of it. I need to see all of it please. :thumbsup:

#7 morrowind
  • Topic Starter
Posted 18 January 2005 - 09:37 PM

I just copied and pasted another new log file in my original post. Am I still missing something?

Edited by testikleez, 18 January 2005 - 09:39 PM.


#8 groovicus
Posted 18 January 2005 - 09:47 PM

Nope, I see it now... the O23 entries were not there before... :flowers:

I only see two pieces of malware on there, and you will be able to remove those with Add/Remove programs.

Remove the following:
Windows AdControl
MyWaySA

You need to get an Anti-Virus on there, and some other protection software also.

Check this out, it may help:
Groovicus' Guide to Simple P.C. Security

Reboot and post up a new log, and we will make sure those were removed properly. :thumbsup:

#9 morrowind
  • Topic Starter
Posted 18 January 2005 - 09:59 PM

I uninstalled Windows AdControl (I think I did that in the past but it was back for some reason). When I went to uninstall My Way Search Assistant it said it would be removed upon restart. So I restarted and went to add/remove just to see if it was still there and it was. Although out to the right it didn't have "Add/Remove" like it did before the reboot. It just says "used rarely" or whatever it typically says. Here's my new log:

Logfile of HijackThis v1.99.0
Scan saved at 8:55:48 PM, on 1/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Kurt Peterson\My Documents\My Spyware\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nfl.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O23 - Service: IAA Event Monitor - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


Why are things doubled on the top part of the list? Why does it have my Internet Explorer start pages listed like 5 times? It is set for www.nfl.com, not that www.dell4me.com. What does the third O9 mean (Extra button: AIM - .....)?? What about O3? What is that?

Edited by testikleez, 18 January 2005 - 10:02 PM.


#10 groovicus
Posted 18 January 2005 - 10:24 PM

Whoa!! :flowers: One thing at a time..

Your log is clean, that last program didn't uninstall cleanly, but it is gone, so no worries. The processes you see running at the top are the running processes, and it is completely normal to see duplicate applications running.

The 01 keys are registry keys that relate to your browser. They are not active processes.

The O3 is the toolbar that you just uninstalled. The O9 is an AIM button that has been added to a context menu somewhere. Everything that you are seeing is normal.

Get some protection on that system though before it does get infected. :thumbsup:
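The triage groovicus does by eye in posts #8 and #10 (pick out the entries that belong to Windows AdControl and MyWaySA, note the orphaned O3 toolbar pointing at "(no file)", treat the rest of the R/O sections as normal registry state) can be scripted. The PowerShell below is an added example written for this thread; it is not part of HijackThis and not code from anyone in the discussion. The sample log is constructed from a handful of the entries quoted above, the two unwanted folder names are the ones groovicus named, and the extra heuristics (an entry with no file behind it, a Run entry that gives no directory at all) are the editor's own choices, not rules from the thread.

```powershell
# Added example: parse a HijackThis-style log and flag entries worth a closer look.
# Sample log text is constructed from entries quoted in this thread.
$SampleLog = @'
Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Windows AdControl\WinAdCtl.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nfl.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Windows AdControl] C:\Program Files\Windows AdControl\WinAdCtl.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
'@

# Folder names groovicus identified as unwanted in this thread (assumption: this
# short list is all a helper would match against for this particular log).
$UnwantedNames = @('Windows AdControl', 'MyWaySA')

function Get-HjtEntries {
    param([string]$LogText)
    $inProcesses = $false
    foreach ($line in $LogText -split "`r?`n") {
        if ($line -match '^Running processes:') { $inProcesses = $true; continue }
        if ([string]::IsNullOrWhiteSpace($line)) { $inProcesses = $false; continue }
        if ($inProcesses) {
            # Process list: one image path per line until the first blank line
            [pscustomobject]@{ Section = 'Process'; Name = ''; Path = $line; Raw = $line }
            continue
        }
        # Every other line starts with its section code: R0..R3 or O1..O23
        if ($line -match '^(?<sec>[RO]\d+) - (?<rest>.*)$') {
            $sec = $Matches.sec; $rest = $Matches.rest
            $name = ''; $path = $rest
            if ($rest -match '^[^:]+: \[(?<name>[^\]]+)\] (?<path>.*)$') {
                # O4 Run entries: HKLM\..\Run: [value name] command line
                $name = $Matches.name; $path = $Matches.path
            } elseif ($rest -match '^(?<kind>[^:]+): (?<name>.*?) - \{[0-9A-Fa-f-]+\} - (?<path>.*)$') {
                # R3/O2/O3/O9 entries: kind: display name - {CLSID} - file
                $name = $Matches.name; $path = $Matches.path
            } elseif ($rest -match '^Service: (?<name>.*?) - .*? - (?<path>.*)$') {
                # O23 services: Service: name - vendor - image path
                $name = $Matches.name; $path = $Matches.path
            }
            [pscustomobject]@{ Section = $sec; Name = $name; Path = $path; Raw = $line }
        }
    }
}

function Get-HjtFindings {
    param([string]$LogText, [string[]]$Unwanted)
    foreach ($e in Get-HjtEntries -LogText $LogText) {
        $reason = $null
        foreach ($u in $Unwanted) {
            if ($e.Raw -like "*$u*") { $reason = "matches unwanted name '$u'" }
        }
        # Registration left behind after an uninstall: points at a file that is gone
        if (-not $reason -and $e.Path -eq '(no file)') { $reason = 'orphaned entry (no file)' }
        # A Run entry with no directory at all is resolved through the search path
        if (-not $reason -and $e.Section -eq 'O4' -and $e.Path -notmatch '\\') { $reason = 'Run entry gives no directory' }
        if ($reason) {
            [pscustomobject]@{ Section = $e.Section; Name = $e.Name; Path = $e.Path; Reason = $reason }
        }
    }
}

Get-HjtFindings -LogText $SampleLog -Unwanted $UnwantedNames | Format-Table -AutoSize
```

Run against the sample it reports the WinAdCtl.exe process, the R3 and O2 MyWaySA entries, the orphaned O3 toolbar, the Windows AdControl Run entry and the bare `Logi_MwX.Exe` Run entry, and says nothing about the R0/R1 start-page values or the O23 services, which matches the verdict in the thread. To use it on a real log, read the file with `Get-Content -Raw` and pass that instead of `$SampleLog`.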

#11 morrowind
  • Topic Starter

Posted 18 January 2005 - 10:30 PM

Thanks for your help groovicus. Without tech wizards like you people like me would be totally screwed :flowers:

Okay, I noticed that the O3 hadn't changed at all from before or after I uninstalled those 2 programs. That seems odd.

I shouldn't "fix" a few of those extra www.dell4me.com entries?

Also, is there a way to fully uninstall that My Way Search Assistant? I did a file and folder search for "My Way" and "Search Assistant" and nothing came up, but still it just sits there in my add/remove program folder without an option to do anything to it out on the right.

I guess I'm just still worried b/c this list is about twice as long as the one I have on my other older computer.

Oh, and I am looking into grabbing a virus protector and probably ZoneAlarm. Just hadn't got around to it yet with the newness of my computer :thumbsup: Also, even though surfing the internet with Firefox I still have a chance to grab a virus or malware? Even if I don't download files that I don't know what they are or open email attachments?

Edited by testikleez, 18 January 2005 - 10:32 PM.


#12 groovicus

Posted 19 January 2005 - 11:07 AM

Firefox is still vulnerable, just in different ways. Disabling javascript would be helpful, but you still need other protection. There are any number of ways to get infected that have nothing to do with your browser. You shouldn't be surfing at all without all of the proper protections in place, and verifying that you have all of your critical updates. 3 just came out last week, so you should get them.

You can remove the Dell entries if you wish, and the O3 entry.

My Way Search Assistant can be removed through a registry edit. Open Regedit and navigate to the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

and remove the offending entry. Always make a backup of your registry before making any changes, just to be safe though.

#13 morrowind
  • Topic Starter

Posted 19 January 2005 - 05:26 PM

I did everything you suggested groovicus. The only problem I ran into is that the regedit key you said to delete was not there. Yet 'My Way Search Assistant' remains on my add/remove list without an option to delete it out to the right.

Edited by testikleez, 19 January 2005 - 05:26 PM.


#14 groovicus

Posted 19 January 2005 - 05:50 PM

Hmmm...maybe I pulled up the wrong registry key..

Search the registry for My Way Search Assistant, and I bet you can find it... I can't seem to remember where I hid that particular fix. :thumbsup:

Did I mention to always make a backup of your registry before messing with it?

Edited by groovicus, 19 January 2005 - 05:50 PM.
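The procedure groovicus lays out across posts #12 and #14 (look under the Uninstall key, search for the entry by name when the expected subkey is not there, back the registry up before touching it, then delete the stale entry) is what the PowerShell below does. It is an added example for this thread, not code from anyone in the discussion and not a Dell or MyWay tool. The display-name pattern is taken from the thread; the list of Uninstall roots (including the WOW6432Node path that only exists on 64-bit Windows, which this 2005 XP machine would not have had) and the use of reg.exe for the backup are assumptions about a current Windows box, and the whole thing needs an elevated prompt for HKLM.

```powershell
# Added example: locate an Add/Remove Programs entry by display name, back up its
# key with reg.exe, then remove it with confirmation. Run from an elevated prompt.
$UninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',   # 64-bit only (assumption)
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'                # per-user installs
)

function Find-UninstallEntry {
    param([Parameter(Mandatory)][string]$DisplayNamePattern)
    foreach ($root in $UninstallRoots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath
            # Match on DisplayName, falling back to the subkey name: an entry like the one
            # in the thread, shown with no Add/Remove button, often has no UninstallString
            # left and sometimes no DisplayName either.
            $label = if ($props.DisplayName) { $props.DisplayName } else { $_.PSChildName }
            if ($label -like $DisplayNamePattern) {
                [pscustomobject]@{
                    Key             = Join-Path $root $_.PSChildName
                    DisplayName     = $props.DisplayName
                    UninstallString = $props.UninstallString
                }
            }
        }
    }
}

function Backup-RegistryKey {
    param([Parameter(Mandatory)][string]$Key, [Parameter(Mandatory)][string]$BackupDir)
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = Join-Path $BackupDir "uninstall-entry-$stamp.reg"
    # reg.exe wants HKEY_LOCAL_MACHINE\... rather than the HKLM:\ PSDrive form
    $regKey = $Key -replace '^HKLM:\\', 'HKEY_LOCAL_MACHINE\' -replace '^HKCU:\\', 'HKEY_CURRENT_USER\'
    & reg.exe export $regKey $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed for $regKey" }
    return $file
}

function Remove-UninstallEntry {
    param(
        [Parameter(Mandatory)][string]$DisplayNamePattern,
        [string]$BackupDir = (Join-Path $env:USERPROFILE 'reg-backups')
    )
    $hits = @(Find-UninstallEntry -DisplayNamePattern $DisplayNamePattern)
    if ($hits.Count -eq 0) { Write-Warning "No Uninstall entry matches '$DisplayNamePattern'"; return }
    foreach ($hit in $hits) {
        # Back up first, every time; the .reg file can be double-clicked to restore the key
        $backup = Backup-RegistryKey -Key $hit.Key -BackupDir $BackupDir
        Write-Host "Backed up $($hit.Key) to $backup"
        Remove-Item -Path $hit.Key -Recurse -Confirm
    }
}

# List first, remove only once the listing shows exactly the entry you expect
Find-UninstallEntry -DisplayNamePattern '*My Way*' | Format-List
# Remove-UninstallEntry -DisplayNamePattern '*My Way*'
```

Deleting the Uninstall subkey only removes the line from Add/Remove Programs; it does not delete files or the BHO/URLSearchHook registrations, so a fresh log should still be checked afterwards as groovicus asks for earlier in the thread. Also note the `-like` pattern: the thread spells the product both "My Way" and "MyWaySA", and the Uninstall entry may use either form, so search on the shorter one.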