hijackthis log

[sizk]

hi there,
i've followed the steps of the sticky threads but there's still one thing i can't get rid of, however i try (see line 017).
i already had some troubles previously with others spy- or malwares and had the opportunity to try most of well-effective anti-spywares but none of them will do the job. when fixing with hijackthis, it won't reappear immediatly but does pretty soon anyway.

thx for your help!

Logfile of HijackThis v1.99.1
Scan saved at 23:46:47, on 14/06/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\csrss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\spoolsv.exe
E:\WINNT\System32\Ati2evxx.exe
E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
E:\WINNT\System32\svchost.exe
E:\WINNT\system32\regsvc.exe
E:\WINNT\system32\MSTask.exe
E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\Explorer.EXE
E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
E:\WINNT\system32\rundll32.exe
E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
E:\Program Files\Analog Devices\SoundMAX\Smax4.exe
E:\WINNT\System32\hphmon05.exe
E:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\PROGRA~1\Grisoft\AVG7\avgcc.exe
E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
E:\Program Files\D-Tools\daemon.exe
E:\Program Files\MessengerPlus! 3\MsgPlus.exe
E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
E:\WINNT\System32\HPZipm12.exe
E:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\WINNT\system32\ntvdm.exe
E:\Program Files\Olitec\USB ADSL\CnxDslTb.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
I:\# PROGRAMS\# PROGRAMS\Setups\# UTILS\hijackthis\hijackthis_199\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [SoundMAXPnP] E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "E:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPHmon05] E:\WINNT\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] E:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [THGuard] "E:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "E:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [MessengerPlus3] "E:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [CnxDslTaskBar] E:\Program Files\Olitec\USB ADSL\CnxDslTb.exe
O4 - HKCU\..\Run: [SpySweeper] "E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://e:\program files\google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f010.mail.caramail.lycos.fr/app/uploader/FileUploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{78B44176-C987-40AA-B09D-C9989DFC9FA3}: NameServer = 212.151.136.254 130.244.127.161
O23 - Service: Adobe LM Service - Unknown owner - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - E:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - E:\WINNT\System32\dmadmin.exe
O23 - Service: Pml Driver HPZ12 - HP - E:\WINNT\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

 

[Byteman]

You have to disable Spybot's TeaTimer, then you should be able to whack the 017 line. If you still have problems, you could also boot to safemode to do it, BUT disable teatimer should allow you to do it just fine. Other than that you look free from malware (FYI: the messengerplus software is bundle with lop.com spyware, if you check the box to install the sponsor programs, during installation).

 

[sizk]

You have to disable Spybot's TeaTimer, then you should be able to whack the 017 line. If you still have problems, you could also boot to safemode to do it, BUT disable teatimer should allow you to do it just fine. Other than that you look free from malware (FYI: the messengerplus software is bundle with lop.com spyware, if you check the box to install the sponsor programs, during installation).

Teatimer can't be the reason, i started using it after the problem appeared. anyway, there's one simple thing i've not done that might explain... i couldn't find where to disable the system restore in win2K

 

[sizk]

Some stuff


E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
E:\WINNT\System32\hphmon05.exe
E:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09. exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\WINNT\System32\HPZipm12.exe

O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE

about E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe can i just uninstall control panel in Add/Remove programs and should i do that with HJT?
for the others 4 1st lines, must i backup first or can i blindly delete 'em?

 

[Buzz1927]

Teatimer can't be the reason, i started using it after the problem appeared.

Byteman is saying that Teatimer is interfering with hijackthis fixing the 017. Also, block it with your firewall.

 

[sizk]

Byteman is saying that Teatimer is interfering with hijackthis fixing the 017. Also, block it with your firewall.

i got that but i tried to fix it with HJT before i use Teatimer so my bet is i just need to disable the system restore. just, i can't find it the option.

 

[Buzz1927]

I'm not sure there is a system restore in win2k, anyone know?

 

[Byteman]

nope, no sys restore in w2k, only ME and XP. And you may want to check your settings with your ISP and make sure those DNS are bogus.

 

[sizk]

nope, no sys restore in w2k, only ME and XP. And you may want to check your settings with your ISP and make sure those DNS are bogus.

what does that mean and how should i do that?
anyone can answer my question about praetor's reply plz?

 

[Buzz1927]

Fixing the 04's in hijackthis won't delete anything, but you will need to disable them in some programs as well e.g. realplayer.

 

[sizk]

Some stuff


E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
E:\WINNT\System32\hphmon05.exe
E:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09. exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\WINNT\System32\HPZipm12.exe

O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE

sorry it's sometimes getting long before i reply, i'm not often at home at the moment...
anyone knows how to get rid of the aboves?

 

[Buzz1927]

Most of them can be fixed i.e. disabled at start-up, by running Hijackthis and checking the 04's. These
E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
E:\WINNT\System32\hphmon05.exe
will have a corresponding 04. Some programs will need to be disabled in the program itself or via start>run>msconfig>startup.

 

[sizk]

lately back again...
ok so, last replies slept away from the very goal of the topic which was how to get rid of the 017 line of the log i posted after i've done all the basics?

 

[Buzz1927]

I think it's to do with your ISP. This article explains who they are.

 

[sizk]

I think it's to do with your ISP. This article explains who they are.

well, i might be dumb but i just don't get any point of the article nor how it relates to my "problem".
anyway, what let you think it's sthg to do with the ISP?

 

[Buzz1927]

This line in the article " The membership consists mainly of Internet Service Providers (ISPs),". Might be worth contacting your ISP and asking them.

 

[Buzz1927]

Just remembered, I had this a while back. Block RIPE with your firewall, then fix the entry in Hijackthis.

 

[sizk]

Just remembered, I had this a while back. Block RIPE with your firewall, then fix the entry in Hijackthis.

can't find anything that sounds like ripe in software or internet filtering

 

[sizk]

is RIPE international term or should i look for a translation i.e. a french version?

 

[Buzz1927]

What firewall are you running, I can't see one in the log. I think RIPE would be the same everywhere, but it might be different, or could be RIR.