HJT logfile

TheChef

This is a logfile from a friend's computer. I don't know what she's running or how many viruses etc. she has.

Logfile of HijackThis v1.99.1
Scan saved at 7:27:16 PM, on 7/14/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP4 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINNT\system32\ezSP_Px.exe
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\Program Files\aim\aim.exe
C:\Program Files\waws\aius.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\r?ndll32.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Lizzie\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {527E717C-E9C5-9A69-BD18-B9EEF880BDBC} - C:\WINNT\system32\fdgrgik.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [FX] C:\WINNT\Downloaded Program Files\CONFLICT.1\ieloader.exe
O4 - HKLM\..\Run: [fotud] C:\WINNT\fotud.exe
O4 - HKLM\..\Run: [pluujc] C:\WINNT\system32\pluujc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\Lizzie\LOCALS~1\Temp\tb_setup.exe /dcheck
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINNT\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [antiware] c:\winnt\system32\elitefaw32.exe
O4 - HKLM\..\Run: [Preview AdService] C:\Program Files\Preview AdService\PrevAdServ.exe
O4 - HKLM\..\Run: [msmc] C:\WINNT\system32\msmc.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKCU\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKCU\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKCU\..\Run: [do03RUYnR] msr500.exe
O4 - HKCU\..\Run: [Gae] C:\WINNT\system32\r?ndll32.exe
O4 - HKCU\..\Run: [Citr] C:\Program Files\waws\aius.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj Object) - http://www.odysseusmarketing.com/actsetup.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://download.winfixer.com/files/installers/cab/WinFixer2005ScannerInstall.cab
O18 - Filter: text/html - {CC905FF6-B553-496C-9DFA-CFF65ADCD0FC} - C:\WINNT\system32\mscgdc.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
 
Yes, we ran a scan. I don't know if she updated, but I would assume she did. Are there any lines in HJT or processes that can be deleted?
 
First off, you have WildTangent installed; some classify it as spyware. You can remove it in Add/Remove Programs. Also, if you see Preview AdService, remove it.


Next, you also have a PurityScan infection. If you see PurityScan or VirtueScope in Add/Remove Programs, take them out (if they let you).

Make sure you are set to view all files/folders, and hidden/system folders/files (see step #2 in the sticky).
Now, open HijackThis and select the Misc Tools section button, then the Process Manager button, and kill the following processes:

C:\Program Files\waws\aius.exe
C:\WINNT\system32\r?ndll32.exe

Now go back and run a HJT scan and remove the following entries:

O2 - BHO: (no name) - {527E717C-E9C5-9A69-BD18-B9EEF880BDBC} - C:\WINNT\system32\fdgrgik.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [FX] C:\WINNT\Downloaded Program Files\CONFLICT.1\ieloader.exe
O4 - HKLM\..\Run: [fotud] C:\WINNT\fotud.exe
O4 - HKLM\..\Run: [pluujc] C:\WINNT\system32\pluujc.exe
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\Lizzie\LOCALS~1\Temp\tb_setup.exe /dcheck
O4 - HKLM\..\Run: [antiware] c:\winnt\system32\elitefaw32.exe
O4 - HKLM\..\Run: [Preview AdService] C:\Program Files\Preview AdService\PrevAdServ.exe
O4 - HKLM\..\Run: [msmc] C:\WINNT\system32\msmc.exe
O4 - HKCU\..\Run: [do03RUYnR] msr500.exe
O4 - HKCU\..\Run: [Gae] C:\WINNT\system32\r?ndll32.exe
O4 - HKCU\..\Run: [Citr] C:\Program Files\waws\aius.exe
O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj Object) - http://www.odysseusmarketing.com/actsetup.cab
O18 - Filter: text/html - {CC905FF6-B553-496C-9DFA-CFF65ADCD0FC} - C:\WINNT\system32\mscgdc.dll


Now, go to the Misc Tools section, then the Delete File on Reboot button, and browse to each file listed below. Repeat the process for each individual file. DON'T REBOOT WHEN IT ASKS YOU; ONLY reboot after you've done the last file.

C:\Program Files\waws\aius.exe
C:\WINNT\system32\r?ndll32.exe
C:\WINNT\system32\fdgrgik.dll
C:\WINNT\Downloaded Program Files\CONFLICT.1 <--THIS WHOLE FOLDER if it exists
C:\WINNT\fotud.exe
C:\WINNT\system32\pluujc.exe
C:\DOCUME~1\Lizzie\LOCALS~1\Temp <--THIS WHOLE FOLDER
c:\winnt\system32\elitefaw32.exe
C:\Program Files\Preview AdService <--THIS WHOLE FOLDER if it exists
C:\WINNT\system32\msmc.exe
msr500.exe <-- You may have to search for this one
C:\WINNT\system32\r?ndll32.exe
C:\Program Files\waws <--THIS WHOLE FOLDER
C:\WINNT\system32\mscgdc.dll


When rebooting, press the F8 key repeatedly and boot into SAFE MODE, then verify all the files/folders have been deleted. If not, delete them; if so, reboot normally and post a fresh HJT log for review.
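As an added example (not code from this thread or from HijackThis itself), here is a small Python parser for the HJT log format shown above that applies the kind of triage the reply used when picking its removal list: startups launched from Temp or from IE's download cache, a filename HJT could not render (the "?" in r?ndll32.exe), an orphaned BHO, and a text/html filter DLL. The heuristics are my own simplifications for illustration, not a HijackThis feature; the sample lines are copied from the log in the thread.

```python
import re

# Constructed sample in HijackThis v1.99 log format; the lines are copied from the thread above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\Lizzie\LOCALS~1\Temp\tb_setup.exe /dcheck
O4 - HKCU\..\Run: [Gae] C:\WINNT\system32\r?ndll32.exe
O4 - HKLM\..\Run: [FX] C:\WINNT\Downloaded Program Files\CONFLICT.1\ieloader.exe
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O18 - Filter: text/html - {CC905FF6-B553-496C-9DFA-CFF65ADCD0FC} - C:\WINNT\system32\mscgdc.dll
"""

# "O4 - HKLM\..\Run: [Name] command line" ; other sections are "Oxx - field - field - target"
O4_RE = re.compile(r"^O4 - (HK(?:LM|CU))\\\.\.\\Run: \[([^\]]*)\] (.*)$")
GENERIC_RE = re.compile(r"^(O\d+|R\d) - (.*)$")

def parse_line(line):
    """Return (section, name, target) for one HJT line, or None if unrecognised."""
    m = O4_RE.match(line)
    if m:
        hive, name, cmd = m.groups()
        return "O4", f"{hive} {name}", cmd
    m = GENERIC_RE.match(line)
    if m:
        section, rest = m.groups()
        fields = rest.split(" - ")          # last field is the file path, URL or "(no file)"
        return section, fields[0], fields[-1]
    return None

def triage(entry):
    """Constructed defender heuristics; returns a list of reasons (empty = nothing notable)."""
    section, name, target = entry
    t = target.lower()
    exe = t.split()[0].rsplit("\\", 1)[-1] if "\\" in t else ""   # bare filename, paths only
    reasons = []
    if "\\temp\\" in t:
        reasons.append("launched from a Temp directory")
    if "downloaded program files" in t:
        reasons.append("launched from IE's download cache")
    if "?" in exe:
        reasons.append("'?' is not a legal filename character, so HJT could not render the real name")
    if target.strip() == "(no file)":
        reasons.append("registered but file missing (orphaned entry)")
    if section == "O18" and "text/html" in name:
        reasons.append("text/html filter DLL sees every HTML page IE renders")
    return reasons

def flag_log(text):
    """Parse an HJT log; return [(section, name, target, reasons)] for entries worth a second look."""
    out = []
    for line in text.splitlines():
        entry = parse_line(line.strip())
        if entry:
            reasons = triage(entry)
            if reasons:
                out.append(entry + (reasons,))
    return out
```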
 