Jump to content


Photo

Hijacker - EVIL things are happening...


  • This topic is locked This topic is locked
10 replies to this topic

#1 Tigerfly

Tigerfly

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 07 June 2004 - 07:04 PM

Here is my logfile - bad things are happening!

- my computer gives me a message that says it is shutting down and then 1 minute later - down!
- I had a new "account" on my computer - a registered user with the login "cclogin". I went into user registration and deleted it - but I am terrified that it was someone trying to get CC info!
- I use google regularly and I have somekind of google hijacker that gives me the first page of my google search as crappy links - I have to click to page two to get my search results.

I just moved about a month ago and got a new ISP - none of this happened until then! I have run panda virus scan, spybot and adware NUMEROUS times and nothing seems to be working! Can you help me before I :techsupport: ???

Thanks :wave:

Tigerfly


Logfile of HijackThis v1.97.7
Scan saved at 7:49:48 PM, on 6/7/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\msreg.exe
C:\WINDOWS\System32\liosuxr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
C:\Program Files\ICQPlus\vplus.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\loader.exe
C:\DOCUME~1\Gina\LOCALS~1\Temp\setup.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\System32\dwwin.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Gina\Desktop\Hijack this\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.111-big.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.111-big.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [APIMon] C:\WINDOWS\msreg.exe
O4 - HKLM\..\Run: [System Service Manager] norton.exe
O4 - HKLM\..\Run: [Video Process] sysconf.exe
O4 - HKLM\..\Run: [zgr] C:\WINDOWS\zgr.exe
O4 - HKLM\..\Run: [crsuknbpgmpjo] C:\WINDOWS\System32\liosuxr.exe
O4 - HKLM\..\RunServices: [System Service Manager] norton.exe
O4 - HKLM\..\RunServices: [Video Process] sysconf.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ICQ Plus] "C:\Program Files\ICQPlus\vplus.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\Gina\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O4 - Global Startup: loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: updater.lnk = C:\Program Files\Common Files\updater\wupdater.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar_en_2.0.111-big.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar_en_2.0.111-big.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar_en_2.0.111-big.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar_en_2.0.111-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar_en_2.0.111-big.dll/cmtrans.html
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.googl...n/GoogleNav.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.co...oaderSigned.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...360/mcfscan.cab

#2 Tigerfly

Tigerfly

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 07 June 2004 - 08:53 PM

I ran the BitDefender Free Online Virus Scan , and this is what It left me with ... dont know how to fix this stuff , either ...


C:\Documents and Settings\Gina\Local Settings\Temp\~9282888548.tmp infected: Trojan.Downloader.Siboco.A
C:\Documents and Settings\Gina\Local Settings\Temp\~9282888548.tmp disinfected
C:\Documents and Settings\Gina\Local Settings\Temp\~9282888548.tmp unable to disinfect
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UGO20.exe suspect: Trojan.Downloader.Small.Gen
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UGO20.exe unable to disinfect
C:\WINDOWS\Downloaded Program Files\UGO20.exe suspect: Trojan.Downloader.Small.Gen
C:\WINDOWS\Downloaded Program Files\UGO20.exe unable to disinfect
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ETILK5CT\ntrootkit[1].exe=>(ASPack 2.12) infected: Backdoor.Rtkit.1.1.A
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ETILK5CT\ntrootkit[1].exe=>(ASPack 2.12) unable to disinfect
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ETILK5CT\ntrootkit[2].exe=>(ASPack 2.12) infected: Backdoor.Rtkit.1.1.A
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ETILK5CT\ntrootkit[2].exe=>(ASPack 2.12) unable to disinfect
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SX4BC7IB\ntrootkit[1].exe=>(ASPack 2.12) infected: Backdoor.Rtkit.1.1.A
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SX4BC7IB\ntrootkit[1].exe=>(ASPack 2.12) unable to disinfect

#3 Tigerfly

Tigerfly

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 07 June 2004 - 09:24 PM

Okay , ran a BUNDLE of online scans , and here is my NEW report :

Logfile of HijackThis v1.97.7
Scan saved at 10:13:29 PM, on 6/7/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\msreg.exe
C:\WINDOWS\System32\liosuxr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
C:\Program Files\ICQPlus\vplus.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\loader.exe
C:\DOCUME~1\Gina\LOCALS~1\Temp\setup.exe
C:\WINDOWS\System32\dwwin.exe
C:\Documents and Settings\Gina\Desktop\Hijack this\HijackThis.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.111-big.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [APIMon] C:\WINDOWS\msreg.exe
O4 - HKLM\..\Run: [System Service Manager] norton.exe
O4 - HKLM\..\Run: [Video Process] sysconf.exe
O4 - HKLM\..\Run: [zgr] C:\WINDOWS\zgr.exe
O4 - HKLM\..\Run: [crsuknbpgmpjo] C:\WINDOWS\System32\liosuxr.exe
O4 - HKLM\..\RunServices: [System Service Manager] norton.exe
O4 - HKLM\..\RunServices: [Video Process] sysconf.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ICQ Plus] "C:\Program Files\ICQPlus\vplus.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\Gina\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O4 - Global Startup: loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: updater.lnk = C:\Program Files\Common Files\updater\wupdater.exe
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar_en_2.0.111-big.dll/cmtrans.html
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab

#4 Tigerfly

Tigerfly

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 08 June 2004 - 06:46 AM

bump?

#5 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • PipPipPipPipPip
  • 8,508 posts

Posted 08 June 2004 - 03:26 PM

You still have a couple of virus/worms in your log, including the AGOBOT HW.
See http://uk.trendmicro...=WORM_AGOBOT.HW

First, get another on line scan at either Housecall or Panda A/V, and let it fix everything it finds.

Next, go to Windows Updates, and install all critical updates/patches for Windows, and Internet Explorer. This will close the security holes that are explioted by the Agobot family of worms.

You do not appear to be running any anti-virus program. A good, free A/V can be found at Grisoft AVG Free Edition.

Having done all that. please post a fresh Hijack this log.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum

#6 Tigerfly

Tigerfly

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 11 June 2004 - 12:33 AM

Okay , I tried to run Panda & Housecall , but both gave me error msgs. . I was able to install/run the Grisoft , however , and it found some things & claimed to fix them so ...

Logfile of HijackThis v1.97.7
Scan saved at 1:32:54 AM, on 6/11/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\ICQ\ICQ.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
C:\Program Files\ICQPlus\vplus.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Grisoft\AVG6\avgw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Gina\Desktop\Hijack this\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.111-big.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [APIMon] C:\WINDOWS\msreg.exe
O4 - HKLM\..\Run: [System Service Manager] norton.exe
O4 - HKLM\..\Run: [Video Process] sysconf.exe
O4 - HKLM\..\Run: [zgr] C:\WINDOWS\zgr.exe
O4 - HKLM\..\Run: [crsuknbpgmpjo] C:\WINDOWS\System32\liosuxr.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [System Service Manager] norton.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ICQ Plus] "C:\Program Files\ICQPlus\vplus.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\Gina\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: updater.lnk = C:\Program Files\Common Files\updater\wupdater.exe
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar_en_2.0.111-big.dll/cmtrans.html
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8147.6733796296
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab




P.S. , I did all the Windows Updates that I could Individually , but when I went to do the rest of them I got this :

Windows Update Error


Windows Update has encountered an error. This may be due to a discrepancy in your computer's time setting.

To check your date and time setting:

On the taskbar, double-click the time.
Verify that the date and time is correct.


Is this yet another Virus ???

#7 Tigerfly

Tigerfly

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 14 June 2004 - 05:23 AM

ttt

#8 Tigerfly

Tigerfly

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 15 June 2004 - 03:37 AM

t

#9 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • PipPipPipPipPip
  • 8,508 posts

Posted 15 June 2004 - 04:10 PM

Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll

O4 - HKLM\..\Run: [APIMon] C:\WINDOWS\msreg.exe
O4 - HKLM\..\Run: [System Service Manager] norton.exe
O4 - HKLM\..\Run: [Video Process] sysconf.exe
O4 - HKLM\..\Run: [zgr] C:\WINDOWS\zgr.exe
O4 - HKLM\..\Run: [crsuknbpgmpjo] C:\WINDOWS\System32\liosuxr.exe
O4 - HKLM\..\RunServices: [System Service Manager] norton.exe
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe

O4 - Global Startup: updater.lnk = C:\Program Files\Common Files\updater\wupdater.exe

Reboot, and delete

files
C:\WINDOWS\msreg.exe
norton.exe
sysconf.exe
C:\WINDOWS\zgr.exe
C:\WINDOWS\System32\liosuxr.exe
C:\WINDOWS\System32\msmc.exe

folder
C:\Program Files\Common Files\updater

These may be hidden files. See HERE for how to show hidden files.

From Internet Options, delete all temporary internet files, and all off line content.

Please post a followup Hijack this log, and say if your problems persist.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum

#10 Tigerfly

Tigerfly

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 17 June 2004 - 08:18 AM

Okay , A little bit of a Problem , I think ...

I ran the Hijack This, and I cleared the items that you told me to, then restarted ....

then not a thing went as planned ... I couldnt find any of the things that you told me to delete - not a single one - and yes, I can see all hidden files & folders just fine.

I tried to go to Windows Update , and gott this :

Windows Update has encountered an error. This may be due to a discrepancy in your computer's time setting.

To check your date and time setting:

On the taskbar, double-click the time.
Verify that the date and time is correct.


Now, my time seems correct enough to me, I cant see the Issue.

The new Hijack This log :

Logfile of HijackThis v1.97.7
Scan saved at 9:05:00 AM, on 6/17/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
C:\Program Files\ICQPlus\vplus.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\cleanmgr.exe
C:\Documents and Settings\Gina\Local Settings\Temp\Temporary Directory 7 for hijackthis.zip\HijackThis.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Ahead\Nero\nero.exe
C:\WINDOWS\System32\imapi.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ICQ Plus] "C:\Program Files\ICQPlus\vplus.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: ICQ 4.1 (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8147.6733796296
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#11 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • PipPipPipPipPip
  • 8,508 posts

Posted 17 June 2004 - 04:26 PM

Well you have a nice clean log there. Well done.

The only thing I can suggest for the Window Update problem is to remove, using Hijack this the O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8147.6733796296 entry. That will download again when you visit windows update.

If that does not work, a search of the Microsoft Knowledge base may well reveal the answer.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button