#1 (permalink)
Silver Member
Join Date: Jan 2006
Location: Philadelphia,PA
Age: 19
Posts: 191
please review it..
Logfile of HijackThis v1.99.1
Scan saved at 5:12:33 PM, on 7/3/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRAM FILES\DELL\RESOLUTION ASSISTANT\COMMON\BIN\RxMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\inet20001\services.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\kernels8.exe
C:\WINDOWS\System32\netfilt4.exe
C:\WINDOWS\smss.exe
C:\WINDOWS\ieredir.exe
C:\WINDOWS\System32\spoolsvv.exe
C:\Program Files\Dell\Resolution Assistant\Common\bin\RxUser.exe
C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
C:\WINDOWS\System32\sndraw32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Windows\xpupdate.exe
C:\WINDOWS\System32\netfilt4.exe
C:\WINDOWS\System\svchost.exe
C:\Program Files\BraveSentry\BraveSentry.exe
C:\Program Files\Navnt\navapw32.exe
C:\WINDOWS\System32\dlh9jkdq2.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\TheMatrixHasYou.exe
C:\WINDOWS\TEMP\C035.tmp
C:\WINDOWS\System32\vxgamet3.exe
C:\WINDOWS\System32\netfilt4.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\qvxgamet3.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Quang\Desktop\HijackThis.exe

R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINDOWS\inet20001\services.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: ib.CBrowserHelper - {1E6CE4CD-161B-4847-B8BF-E2EF72299D69} - C:\WINDOWS\System32\ib14.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: IExplorerHelper Class - {E89097ED-3400-411D-9647-D368C3311C98} - C:\WINDOWS\System32\IeHelperExVSSS.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [14.tmp] C:\DOCUME~1\Quang\LOCALS~1\Temp\14.tmp.exe
O4 - HKLM\..\Run: [15.tmp] C:\DOCUME~1\Quang\LOCALS~1\Temp\15.tmp.exe
O4 - HKLM\..\Run: [14.tmp.exe] C:\DOCUME~1\Quang\LOCALS~1\Temp\14.tmp.exe
O4 - HKLM\..\Run: [15.tmp.exe] C:\DOCUME~1\Quang\LOCALS~1\Temp\15.tmp.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels8.exe
O4 - HKLM\..\Run: [netfilt4] C:\WINDOWS\System32\netfilt4.exe
O4 - HKLM\..\Run: [windows] c:\temp\svchost.exe
O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\WINDOWS\smss.exe
O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINDOWS\winlogon.exe
O4 - HKLM\..\Run: [IE Redir] C:\WINDOWS\ieredir.exe
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\System32\spoolsvv.exe
O4 - HKLM\..\Run: [bxproxy] C:\WINDOWS\bxproxy.exe
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [RxUser] C:\Program Files\Dell\Resolution Assistant\Common\bin\RxUser.exe
O4 - HKLM\..\Run: [madexe] C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
O4 - HKLM\..\Run: [sndraw32] C:\WINDOWS\System32\sndraw32.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20001\services.exe
O4 - HKLM\..\RunServices: [netfilt4] C:\WINDOWS\System32\netfilt4.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels8.exe
O4 - HKLM\..\RunServices: [sndraw32] C:\WINDOWS\System32\sndraw32.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [netfilt4] C:\WINDOWS\System32\netfilt4.exe
O4 - HKCU\..\Run: [Key] C:\DOCUME~1\Quang\LOCALS~1\Temp\94.tmp
O4 - HKCU\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\Quang\LOCALS~1\Temp\7B.tmp3584.exe
O4 - HKCU\..\Run: [BraveSentry] C:\Program Files\BraveSentry\BraveSentry.exe
O4 - HKCU\..\Run: [bxproxy] C:\WINDOWS\bxproxy.exe
O4 - HKCU\..\Run: [sndraw32] C:\WINDOWS\System32\sndraw32.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20001\services.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O4 - Global Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{046D00C5-D2E4-4F5E-8E17-BF06F77A2D2C}: NameServer = 85.255.116.30,85.255.112.95
O17 - HKLM\System\CCS\Services\Tcpip\..\{8CD2E639-92EA-45C9-AA0C-F5E18AA84A63}: NameServer = 85.255.116.30,85.255.112.95
O17 - HKLM\System\CS1\Services\Tcpip\..\{046D00C5-D2E4-4F5E-8E17-BF06F77A2D2C}: NameServer = 85.255.116.30,85.255.112.95
O20 - Winlogon Notify: 2006reg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\2006.dll
O20 - Winlogon Notify: 3246762198745124975reg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\3246762198745124975.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: SensSrv - C:\WINDOWS\SYSTEM32\senssrv.dll
O21 - SSODL: SysTray.Exsl - {6368D5FC-6F5C-4f5b-B164-E67214F67859} - C:\WINDOWS\System32\ijqlhhkb.dll
O21 - SSODL: SysTray.Exgl - {636821FC-6F5C-2f1b-B164-E67214F678E2} - C:\WINDOWS\System32\agkfejpb.dll
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\Navnt\npssvc.exe
O23 - Service: Service Request Monitor - Dell Computer Corporation - C:\PROGRAM FILES\DELL\RESOLUTION ASSISTANT\COMMON\BIN\RxMon.exe
__________________
Intel Pentium 4 3.0ghz MSI Desktop Board Nvidia Geforce FX5200 128 Mb (NEED TO CHANGE) 1.5G Of RAM unknown 4 fans ^_^ 1 x Maxtor IDE 160GB :) NEW :) Aspire 350W Power supply eMachine 17' Monitor(NEED TO CHANGE) Windows XP Home Edition SP2

#2 (permalink)
Diamond Member
Join Date: Apr 2006
Location: Inside a pc
Posts: 19,730
There were a few small items to take care of with the fix option. These are:
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
This is often referred to as an "orphan". While this one is missing a file, others will often load drivers without any program installed or leftover, causing problems with others. A good registry cleaner like RegCleaner will remove most of these types automatically.
O4 - HKLM\..\Run: [windows] c:\temp\svchost.exe
This should not be in a "C:\temp" folder. This looks like a trojan. The svchost.exe (MS original) would be found in a subfolder of Windows itself.
O4 - HKCU\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
is the actual location for the valid MS file.
Besides the above items to remove, the Yahoo and Google toolbars for Internet Explorer can leave you wide open for adwares. You may want to run a good remover like AdAware SE Personal found at http://www.lavasoft.com
RegCleaner can be downloaded free at http://www.majorgeeks.com/RegCleaner_d460.html

#3 (permalink)
Silver Member
Join Date: Jan 2006
Location: Philadelphia,PA
Age: 19
Posts: 191
okay after gettin rid of that trojan
Logfile of HijackThis v1.99.1
Scan saved at 9:16:54 PM, on 7/3/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\ieredir.exe
C:\Program Files\Dell\Resolution Assistant\Common\bin\RxUser.exe
C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\sndraw32.exe
C:\WINDOWS\System32\spoolsvv.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Windows\xpupdate.exe
C:\Program Files\Navnt\navapw32.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\PROGRAM FILES\DELL\RESOLUTION ASSISTANT\COMMON\BIN\RxMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\TEMP\200C98A.tmp
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\Quang\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [14.tmp] C:\DOCUME~1\Quang\LOCALS~1\Temp\14.tmp.exe
O4 - HKLM\..\Run: [15.tmp] C:\DOCUME~1\Quang\LOCALS~1\Temp\15.tmp.exe
O4 - HKLM\..\Run: [14.tmp.exe] C:\DOCUME~1\Quang\LOCALS~1\Temp\14.tmp.exe
O4 - HKLM\..\Run: [15.tmp.exe] C:\DOCUME~1\Quang\LOCALS~1\Temp\15.tmp.exe
O4 - HKLM\..\Run: [IE Redir] C:\WINDOWS\ieredir.exe
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [RxUser] C:\Program Files\Dell\Resolution Assistant\Common\bin\RxUser.exe
O4 - HKLM\..\Run: [madexe] C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
O4 - HKLM\..\Run: [sndraw32] C:\WINDOWS\System32\sndraw32.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels8.exe
O4 - HKLM\..\RunServices: [sndraw32] C:\WINDOWS\System32\sndraw32.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [Key] C:\DOCUME~1\Quang\LOCALS~1\Temp\94.tmp
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\Quang\LOCALS~1\Temp\7B.tmp3584.exe
O4 - HKCU\..\Run: [BraveSentry] C:\Program Files\BraveSentry\BraveSentry.exe
O4 - HKCU\..\Run: [sndraw32] C:\WINDOWS\System32\sndraw32.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O4 - Global Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{046D00C5-D2E4-4F5E-8E17-BF06F77A2D2C}: NameServer = 85.255.116.30,85.255.112.95
O17 - HKLM\System\CCS\Services\Tcpip\..\{8CD2E639-92EA-45C9-AA0C-F5E18AA84A63}: NameServer = 85.255.116.30,85.255.112.95
O17 - HKLM\System\CS1\Services\Tcpip\..\{046D00C5-D2E4-4F5E-8E17-BF06F77A2D2C}: NameServer = 85.255.116.30,85.255.112.95
O20 - Winlogon Notify: 2006reg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\2006.dll
O20 - Winlogon Notify: 3246762198745124975reg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\3246762198745124975.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O21 - SSODL: SysTray.Exsl - {6368D5FC-6F5C-4f5b-B164-E67214F67859} - C:\WINDOWS\System32\ijqlhhkb.dll
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\Navnt\npssvc.exe
O23 - Service: Service Request Monitor - Dell Computer Corporation - C:\PROGRAM FILES\DELL\RESOLUTION ASSISTANT\COMMON\BIN\RxMon.exe

#4 (permalink)
Diamond Member
Join Date: Apr 2006
Location: Inside a pc
Posts: 19,730
You still have an item missing but not urgent as you can see from R3 - Default URLSearchHook is missing
The rest of the log here besides running a Google toolbar is not showing anything else. Remember that HijackThis doesn't go through the entire registry however. For removing adware, spyware, and even the occasional browser hijacker one good one to keep on hand is the AdAware SE Personal free edition mentioned earlier. Some other free version utilities like AVG 7.1, Ewido, you already have Spybot S+D, Windows Defender beta 2 can be downloaded at the following links. Having more than one on hand can be a good help at times.
For AVG 7.1, http://free.grisoft.com/doc/2/lng/us/tpl/v5
For Ewido free spyware remover, http://free.grisoft.com/doc/ewido-an.../lng/us/tpl/v5
Microsoft's contribution to fighting off spyware, http://www.microsoft.com/downloads/d...displaylang=en
For additional freewares along with a mix of sharewares, http://www.majorgeeks.com/downloads31.html

#6 (permalink)
Digaredd
Join Date: May 2005
Location: Melbourne AU
Posts: 6,361
PC eye, you have no idea what you're talking about, there's all kinds of crap on here. And just because the log states "file missing" doesn't mean that it is.
spkenn5, download and install Cleanup. http://www.stevengould.org/downloads.../CleanUp40.exe
Download, install, update and scan your system with the free version of Ewido Security Suite:
1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
2. When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
3. From the main ewido screen, click on update in the left menu, then click the Start update button.
4. After the update finishes (the status bar at the bottom will display "Update successful"), exit Ewido and boot into safe mode:
Restart your computer, and begin tapping the F8 key on your keyboard. Continue to do so until the Windows Advanced Options menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again. Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter.
Once in safe mode, run Cleanup.
Now open Ewido, click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so time to go get a drink and a snack....
If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
When the scan finishes, click on "Save Report". This will create a text file.
Please restart normally, then paste the contents of the text file to this thread, along with a new HijackThis log.
__________________
The Grim Reaper - Son of Glyndwr "To Hell or Connacht" may you burn in Hell tonight!

#7 (permalink)
Diamond Member
Join Date: Apr 2006
Location: Inside a pc
Posts: 19,730
Quote:

#8 (permalink)
Diamond Member
Join Date: Apr 2006
Location: Inside a pc
Posts: 19,730
Quote:
"Listed below you will find the best freeware programs available on the Internet for removing spyware, adware, and malware:

Adware and Spyware Removal
Lavasoft Ad-Aware SE 1.06
Spybot Search and Destroy 1.4
Microsoft Windows Defender
Ewido Anti-Malware
a² (a-squared) Scanner

Preventing the Installation of Adware and Spyware
SpywareBlaster 3.5.1
SpywareGuard 2.2

Specialized Removal Programs
about:Buster - Removal of CWS HomeSearch Hijacker or res:// hijacker
CWShredder 2.19 - CoolWebSearch Removal Tool from Trend Micro
Elite Toolbar Remover
I-Lookup Toolbar Uninstallers - Version 1 and Version 2
Incredifind and PerfectNav Uninstaller
Kill2Me - Removal of Look2Me infections
KillBox for removing files that are in use
Lop.com Uninstaller
OmegaKiller for removing hijackers like Omegasearch.com Prosearching.com. Search200.com. Mysearchnow.com. Searchexe.com
SmitRem for removing Spyaxe, SpySheriff, Winhound and others
VX2.BetterInternet for XP/2000 for Removing Look2Me
VX2.BetterInternet for Windows 9X for Removing Look2Me
WildTangent Remover

Helpful Tools for Investigating Adware and Spyware Infections
HijackThis 1.99.1 by Merijn
SysInternals Process Explorer
Sysinterals RootkitRevealer

Online Virus Checkers
Trend Micro Housecall - will scan and remove threats
BitDefender Scan Online - will scan and remove threats
Ewido Online Scanner - will scan and remove threats
Jotti's Online Malware Scan
Kaspersky Online Scanner - appears to only scan for but not remove threats
Panda Activescan - appears to only scan for but not remove threats
McAfee FreeScan - appears to only scan for but not remove threats
eTrust Antivirus Web Scanner - will scan and remove threats
Symantec Security Check - will scan and remove threats
Dr.Web Online Check - user can upload and test for threats on particular files

Trojan Scanner
TrojanScan by WindowsSecurity.com

Free Antivirus Programs to Download
ANTI-VIR
AVAST
AVG

TCP/IP and Winsock Repair Utilities for Windows XP and 2000
LSPFix by Cexx.org
Winsock XP Fix
XP TCP/IP Repair utility

IEFix Utility for correcting Internet Explorer problems
Variety of Great Freeware Utilities for everything from Password Recovery Tools to Network Monitoring Tools and more.
If there are other spyware/adware removal tools that you think should be listed here, please email me.

Removal Instructions for Other Programs
Spyware Removal and Other Resources
Essential Tools for Removing Spyware, Adware, and Malware
How to Remove SurferBar
Bargain Buddy Removal Instructions and Help
Bonzi Buddy Removal
Click2FindNow and I-Lookup Removal
Comet Cursor Removal
Date Manager Removal
Spyaxe, Spy Trooper, Spy Sheriff, Brave Sentry and Similar Removal Instructions and Help
Alfacleaner Removal Instructions and Help
about:Blank Homepage Hijacker Removal Instructions and Help
Kazaa Removal Instructions and Help
res://random.dll Homepage Hijacker Removal Instructions and Help
IBIS Web Search (websearch.com) Removal Instructions and Help
Open Search Web (Lop.com) Removal Instructions and Help
UPDMGR.EXE Removal Instructions and Help
FCADVICE.EXE Removal Instructions and Help
Dubolom.com Homepage Hijacker Removal Instructions and Help
DSO Exploit Removal Instructions and Help
FastSearch.cc Homepage Hijacker Removal Instructions and Help
My Web Search Removal Instructions and Help
Cursor Mania Removal Instructions and Help
Fun Buddy Icons Removal Instructions and Help
Smiley Central Removal Instructions and Help
My Mail Stamps Removal Instructions and Help
My Mail Stationery Removal Instructions and Help
My Mail Signatures Removal Instructions and Help
Fun Web Products Popular Screensavers Removal Instructions and Help
Gator Software Removal
Hugesearch.net Homepage Hijacker Removal Instructions and Help
Search-Space.com and Start-Space.com Homepage Hijacker Removal Instructions and Help
How to Remove Global-Finder.com Homepage Hijacker
Globaltoolbar Removal
GoHip Software Removal
HotBar Toolbar Removal
Huntbar and Search Toolbar Info and Removal
Look2Me Removal Instructions and Help
Lookfor.cc (res://mshp.dll/index.html) Homepage Hijacker Removal Instructions and Help
MaximumSearch.net Homepage Hijacker Removal Instructions and Help
Ncase Removal Instructions and Help
People OnPage Toolbar Info and Removal
Precision Time Removal
Prolivation.com Removal
SaveNow and NewDotNet Removal
SearchMyRequest.com Homepage Hijacker Removal Instructions and Help
Smartsearch.ws Homepage Hijacker Removal Instructions and Help
SysUpd.exe (TSCash) Removal Instructions and Help
Ezula TopText (yellow underlined links) Removal Instructions and Help
How to Remove SpeedBlaster and MemoryMeter
TopRebates and WebRebates Removal Instructions and Help
Twaintec.dll Removal Instructions and Help
WeatherBug Removal
WildTangent Removal Instructions and Help
WinTools Removal Instructions and Help
Xupiter Removal
Xzoomy.com Removal
ZY Web Search (db105.com) Removal"

And these are just a few. http://www.pchell.com/support/spywaretools.shtml

#9 (permalink)
Platinum Member
Join Date: Jan 2006
Posts: 567
PC eye
HijackThis is not just a removal tool but most importantly, a diagnostic tool and should be used as part of the cleaning process, not as the cleaning process. If you're going to respond to someone's infected log, then you have to offer more than what you're giving. I responded earlier because the impression you were giving was that there was nothing serious in his log, but there was. And 'Buzz' is correct. Just because it says 'file missing', doesn't mean it is. And if you follow any log cleaning by malware experts, have you not noticed that they never use 'Adaware'. It's better than nothing but is generally not an effective program anymore. Don't know what you were trying to accomplish in your last post but your goal should be to read through someone's infected log and then decide and suggest which of those many programs/fixes you just listed are the proper ones to remove the infection. Not the way you're responding to logs now.

#10 (permalink)
Diamond Member
Join Date: Apr 2006
Location: Inside a pc
Posts: 19,730
Quote:
"Helpful Tools for Investigating Adware and Spyware Infections HijackThis 1.99.1 by Merijn"
AdAware SE Personal also finds and can remove registry values created by adwares and even browser hijackers. RegCleaner will remove orphaned reg values that are no longer associated to a file whether it is missing or somehow made inactive. You can have a driver right there on the drive with a registry failing to load it properly requiring a reinstallation to make it active. The svchost.exe found in a C:\temp folder with a slight change in spelling is the scvhost.exe virus. http://www.auditmypc.com/process/scvhost.asp
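
The path check raised in posts #2 and #10 (a Windows system process name such as svchost.exe set to start from a folder like C:\temp), written out as an added Python example that is not part of the original thread. The sample lines are copied from the first log in post #1; the table of expected folders is an assumption for a stock Windows XP install with Windows in C:\WINDOWS, and the function names are hypothetical.

```python
import ntpath
import re

# Assumption: stock Windows XP with Windows installed in C:\WINDOWS.
# Maps a system process name to the only folder it is expected to run from.
SYSTEM_BINARIES = {
    "svchost.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# HijackThis O4 registry autorun line: O4 - HIVE\..\Key: [value name] command
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] (.+)$")
# Unquoted commands may contain spaces, so cut at the first file extension
# that is followed by whitespace or the end of the string.
EXE_RE = re.compile(r"^(.+?\.(?:exe|com|scr|bat|dll|tmp))(?=\s|$)", re.I)

# Sample input: O4 entries copied from the first log in this thread.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [14.tmp] C:\DOCUME~1\Quang\LOCALS~1\Temp\14.tmp.exe
O4 - HKLM\..\Run: [windows] c:\temp\svchost.exe
O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\WINDOWS\smss.exe
O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINDOWS\winlogon.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels8.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKCU\..\Run: [Key] C:\DOCUME~1\Quang\LOCALS~1\Temp\94.tmp
'''


def exe_path(command):
    # Return the executable path from an autorun command line, without arguments.
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    match = EXE_RE.match(cmd)
    return match.group(1) if match else cmd.split()[0]


def classify(path):
    # Return the list of reasons this autorun path deserves a closer look.
    norm = ntpath.normpath(path).lower()
    name, folder = ntpath.basename(norm), ntpath.dirname(norm)
    reasons = []
    expected = SYSTEM_BINARIES.get(name)
    if expected and folder != expected:
        reasons.append("system-name-outside-expected-folder")
    if any(part in ("temp", "tmp") for part in folder.split("\\")):
        reasons.append("autorun-from-temp-folder")
    return reasons


def review(log_text):
    # Parse O4 registry autoruns and return only the entries with findings.
    findings = []
    for line in log_text.splitlines():
        match = O4_RE.match(line.strip())
        if not match:
            continue  # other sections and "Global Startup" lines are skipped
        hive, key, name, command = match.groups()
        path = exe_path(command)
        reasons = classify(path)
        if reasons:
            findings.append({"hive": hive, "key": key, "name": name,
                             "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for item in review(SAMPLE_LOG):
        print(f'{item["hive"]}\\{item["key"]} [{item["name"]}] {item["path"]}: '
              + ", ".join(item["reasons"]))
```

Only these two heuristics are applied, so an entry that is not listed (kernels8.exe in the sample) has not been cleared by this check.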