hijackthis log scan, please help


This topic is locked. 9 replies to this topic

#1 peaceman (Member, 7 posts)

Posted 29 July 2004 - 04:49 PM

So after using both Spybot and Ad-Aware with a full scan, combined with AVG anti-virus, I'm still getting pop-ups. I suspect it has something to do with 35mb.com, and most of the pop-ups link to paypopup.com. Anyways, here is my log file; can any expert please help me and tell me what I need to do next?

Any info would be greatly appreciated :thumbsup:

Thank you :p

Logfile of HijackThis v1.98.0
Scan saved at 2:46:22 PM, on 7/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\ISS\BlackICE\rapapp.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Yang\My Documents\Misc Wares\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC60\Phonetic\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\iexplore.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....119/CTSUEng.cab
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.ivil...ve/makeover.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn...UC/MsnPUpld.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....12119/CTPID.cab

#2 peaceman (Member, 7 posts)

Posted 30 July 2004 - 09:59 PM

anybody?

#3 FZWG (Chopper 1 - NTF, Emeritus, 2,125 posts)

Posted 31 July 2004 - 01:09 AM

peaceman,

Make sure all browsers and windows are closed, and have HijackThis remove the following by placing a check in the appropriate boxes and selecting: Fix Checked.

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab

O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab

On the following line, are you using the Immunize feature of Spybot Search and Destroy, or did you or a system administrator put this into place? If none of these apply, have HijackThis fix this.

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


Reboot when done with HijackThis.

Then run HijackThis once again (closing the browser and all windows), and post a new log.

Edited by FZWG, 31 July 2004 - 01:33 AM.


There are times when everything is understood...then one regains consciousness!

#4 peaceman (Member, 7 posts)

Posted 31 July 2004 - 03:13 PM

Hi FZWG, thanks for your help. I didn't have HijackThis fix
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
for me because I'm not using the Immunize feature.

Here is the new log.


Logfile of HijackThis v1.98.0
Scan saved at 1:11:00 PM, on 7/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\ISS\BlackICE\rapapp.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Documents and Settings\Yang\My Documents\Misc Wares\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC60\Phonetic\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\iexplore.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....119/CTSUEng.cab
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.ivil...ve/makeover.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn...UC/MsnPUpld.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....12119/CTPID.cab

Thanks

:) :thumbsup:

#5 FZWG (Chopper 1 - NTF, Emeritus, 2,125 posts)

Posted 31 July 2004 - 03:38 PM

peaceman,

On:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

If:
-You are not using the Immunize feature of Spybot Search and Destroy,
-You did not place this restriction, and
-A system administrator did not put it into place,

Then remove it (check it and use: Fix checked).

Also remove:

O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\iexplore.exe

Next, set Windows to show hidden files, as shown here:
http://www.xtra.co.n...1916458,00.html

Reboot in Safe Mode as shown here:
http://service1.syma...001052409420406

Search for and delete the following file (only this file, and nothing else):
C:\WINDOWS\iexplore.exe

Post another log, please, just to make sure all is OK, otherwise, the log looks good.

Are you still getting pop-ups?

:keybrd:

Edited by FZWG, 31 July 2004 - 04:15 PM.


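The two kinds of entry FZWG singles out in posts #3 and #5 (an O16 ActiveX download from an unfamiliar host, and an O4 Run entry that launches a system-named binary such as iexplore.exe from a directory where Windows never installs it), plus the O6 policy question, can be checked mechanically before a human reads the log. The script below is an added example written for this page; it is not code from the forum, from HijackThis, or from either poster. The expected-directory table, the allowlist of download hosts and the last sample line are assumptions constructed for illustration; the other sample lines are copied from the log above.

```python
import re
from dataclasses import dataclass

# Where a default Windows XP install keeps binaries that malware likes to imitate
# by name. Assumption: a small illustrative table, not a vendor-maintained list.
EXPECTED_DIRS = {
    "iexplore.exe": {r"c:\program files\internet explorer"},
    "explorer.exe": {r"c:\windows"},
    "svchost.exe": {r"c:\windows\system32"},
}

# Hosts whose ActiveX (O16 DPF) downloads are treated as known-good here.
# Assumption: an illustrative allowlist; a real one is maintained per site.
TRUSTED_DPF_HOSTS = {"updates.example.com"}

O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(
    r"^O16 - DPF: \{(?P<clsid>[^}]+)\}(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$"
)
O6_RE = re.compile(r"^O6 - (?P<key>.+) present$")

# Constructed sample log: all lines but the last are copied from the thread's log;
# the "Example Updater" line is made up to show an allowlisted download.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\iexplore.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Example Updater) - http://updates.example.com/updater.cab
"""


@dataclass
class Finding:
    line: str
    reason: str


def exe_path(cmd: str) -> str:
    """Pull the program path out of a Run-key command string."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # "C:\path with spaces\x.exe" -args
        return cmd[1:cmd.find('"', 1)]
    parts = cmd.split()
    if len(parts) > 1 and parts[0].lower() == "rundll32.exe":
        return parts[1].split(",")[0]            # RUNDLL32.EXE <dll>,<entrypoint>
    return parts[0] if parts else ""


def split_path(path: str):
    """Return (directory, filename) in lower case; directory is '' if absent."""
    path = path.lower()
    idx = path.rfind("\\")
    return (path[:idx], path[idx + 1:]) if idx >= 0 else ("", path)


def url_host(url: str) -> str:
    """Host part of an http(s) URL, lower-cased; '' if the URL is malformed."""
    m = re.match(r"https?://([^/]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def review_hjt_log(text: str):
    """Apply the three checks to every line and return findings in log order."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            directory, exe = split_path(exe_path(m["cmd"]))
            expected = EXPECTED_DIRS.get(exe)
            if expected and directory not in expected:
                findings.append(Finding(
                    line, f"{exe} started from unexpected directory {directory!r}"))
        elif m := O16_RE.match(line):
            host = url_host(m["url"])
            if host not in TRUSTED_DPF_HOSTS:
                findings.append(Finding(
                    line, f"ActiveX control downloaded from unlisted host {host!r}"))
        elif m := O6_RE.match(line):
            findings.append(Finding(
                line, "IE policy restriction present; confirm it came from "
                      "Spybot Immunize or an administrator before removing"))
    return findings


if __name__ == "__main__":
    for f in review_hjt_log(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run against the sample it reports exactly the three lines the thread acted on: the iexplore.exe copy in C:\WINDOWS, the O6 restriction (flagged as a question, not a removal, just as post #3 treats it), and the ipbill.com cab download. The AVG and NVIDIA Run entries and the allowlisted download pass silently, which is the point: the checks narrow a 30-line log to the handful of entries that need a human decision.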

#6 FZWG (Chopper 1 - NTF, Emeritus, 2,125 posts)

Posted 31 July 2004 - 03:55 PM

peaceman,

Edited the above. Please note.

#7 FZWG (Chopper 1 - NTF, Emeritus, 2,125 posts)

Posted 31 July 2004 - 04:16 PM

peaceman,

Edited the above. Please note.

#8 peaceman (Member, 7 posts)

Posted 01 August 2004 - 09:17 PM

FZWG, everything seems to be okay now, no more pop-ups.

Thanks a lot for your help! really appreciated!

You are the best :)


:thumbsup: :thumbsup: :thumbsup:

#9 FZWG (Chopper 1 - NTF, Emeritus, 2,125 posts)

Posted 01 August 2004 - 09:39 PM

Glad to help, peaceman.

At one point, to show hidden files and folders, you unchecked the: Hide protected operating system files (recommended) option. Please go back and check it!

Also, it is a good idea to clean up Temporary Internet Files, Temporary Files, and the Recycle Bin. Use the Disk Cleanup utility in Windows XP, as follows:
-Click Start>Run
-In the Open box, key in: cleanmgr
-Click: OK
-Place a check next to the categories mentioned above
-Click OK
-Click: Yes to proceed with the action
-Reboot

Since you believe the system is now clean, use System Restore, and create a Restore Point :
First, turn off System Restore:
-On the Desktop, right-click My Computer
-Select: Properties
-Select the System Restore tab
-Check: Turn off System Restore
-Click: Apply, and then: OK

Restart the computer
Turn System Restore back on (Same instructions as above, this time check: Turn On System Restore)

Create a restore point:
-Go to: Start>All Programs.
-Go to: Accessories>System Tools, and select: System Restore.
-In the System Restore wizard, select: Create a restore point
-Click the Next button.
-Type a description for the restore point, like: 1August04 Cleanup
-Click: Create.

Last, but not least, consider mustering up your PC's line of defense against malware. You already have an anti-virus program. Make sure it is kept updated and run regularly.

An excellent reference in developing a plan of defense is Tony Klein's 'How Did I Get Infected In The First Place':
http://www.computerc.../postt7736.html
The information in the article has some useful programs that you could use!!

Good luck, peaceman!! :wave:

#10 peaceman (Member, 7 posts)

Posted 03 August 2004 - 12:51 AM

hi FZWG, I just did the system restore thing, thanks for the help :D :thumbsup:
