HiJack This Log, need some help

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

MudPuddles

Thread Starter
Joined
Feb 6, 2003
Messages
25
I am currently working on a computer that is infected with viruses and trojans. Here is the Hijack This! Log. Any assistance, would be greatly appreciated.

Logfile of HijackThis v1.97.3
Scan saved at 9:01:35 AM, on 10/10/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Program Files\DownloadWare\dw.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Bargain Buddy\bin\bargains.exe
C:\PROGRA~1\NETRAT~1\Premeter\prmt.exe
C:\PROGRA~1\Save\Save.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\webHancer\Programs\whAgent.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Hotbar\bin\4.3.5.0\HbInst.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\winservn.exe
C:\PROGRA~1\ezula\mmod.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\NETWOR~1\v11\NE.EXE
c:\progra~1\exact\exactupdate00123.exe
C:\Program Files\Hotbar\bin\4.3.5.0\HbSrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mitch Palmieri\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchalot.com/search.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchalot.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchalot.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchalot.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchalot.com/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchalot.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchalot.com/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchalot.com/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchalot.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchalot.com/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotbar.com/dyn/hotbar/3.0/sb_searchPageHome.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.searchalot.com
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\System32\btiein.dll
O2 - BHO: MediaLoads Enhanced - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\Program Files\MediaLoads Enhanced\ME2.DLL
O2 - BHO: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\bin\4.3.5.0\HbHostIE.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\PROGRA~1\BARGAI~1\bin\apuc.dll
O2 - BHO: SmartPops - {D5C778F1-CF13-4E70-ADF0-45A953E7CB8B} - C:\Program Files\Network Essentials\v11\NE.DLL
O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
O2 - BHO: eXact Browser Companion - {F9765480-72D1-11D4-A75A-004F49045A87} - c:\progra~1\exact\exacttoolbar00057.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &eXact Toolbar - {224530A0-C9CB-4AEE-9C0F-54AC1B533211} - c:\progra~1\exact\exacttoolbar00057.dll
O3 - Toolbar: &Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\bin\4.3.5.0\HbHostIE.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [InstantPleasure3] c:\program files\dialers\instantpleasure3\instantpleasure3.exe /noconnect
O4 - HKLM\..\Run: [InstantPleasure] c:\program files\dialers\instantpleasure\instantpleasure.exe /noconnect
O4 - HKLM\..\Run: [MediaLoads Installer] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [WinStart001.EXE] C:\WINDOWS\System\WinStart001.EXE -b
O4 - HKLM\..\Run: [Bargains] C:\Program Files\Bargain Buddy\bin\bargains.exe
O4 - HKLM\..\Run: [Premeter] C:\PROGRA~1\NETRAT~1\Premeter\prmt.exe
O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\Save\Save.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\MITCHP~1\LOCALS~1\Temp\TB_ANI~1.EXE /dcheck
O4 - HKLM\..\Run: [Hotbar] C:\Program Files\Hotbar\bin\4.3.5.0\HbInst.exe /Upgrade
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [OSSProxy] C:\WINDOWS\System32\ossproxy.exe
O4 - HKCU\..\Run: [NSCheck] C:\WINDOWS\System32\nscheck.exe /check
O4 - HKCU\..\Run: [PrivateNet] C:\PrivateNet\HORNY_COEDS_92[1].exe 1
O4 - HKCU\..\Run: [ContentService] C:\WINDOWS\System32\winservn.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: Ebates - file://C:\Program Files\EbatesMoeMoneyMaker\System\Temp\ebates_script0.htm
O9 - Extra 'Tools' menuitem: Search the Internet (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra 'Tools' menuitem: Free Software Downloads (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Ebates (HKCU)
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Broken Internet access because of LSP provider 'csloa.dll' missing
O16 - DPF: Tornado 21 - http://download.games.yahoo.com/games/clients/y/t21t0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/Swdir_Alt_Pub.cab
O16 - DPF: {1D2DCA0D-B30F-40AD-9690-087105F214EC} (IEDial Class) - http://usa-download.nocreditcard.com/download/Object/ieaccess2XP.cab
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50023/QDow.cab
O16 - DPF: {2C38A62E-D257-40E8-8BB7-5624E38FEB0A} - http://www.netmails.com/members/tricia234/evwren.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37867.5493402778
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/mail/ymmapi.cab
O16 - DPF: {B2C03E2E-2219-4FF9-810A-540ACA63F8D9} (nsBrowserConfig Class 2) - https://www.marketscore.com/globalconfig/nsconfig.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {DA9A0B1E-9B7B-11D3-B8A4-00C04F79641C} (NSUpdateLiteCtrl Class) - http://204.177.92.201/quickdl/proclaim/NSupd9x.cab
O16 - DPF: {EB6AFDAB-E16D-430B-A5EE-0408A12289DC} - http://download.mediacharger.com/swimsuitnetwork.cab
 
Joined
Mar 25, 2001
Messages
3,334
Yikes! You're not kidding.

In addition to the above recommendation for AV scan and AdAware, use the CWS Shredder before AdAware:

http://www.spywareinfo.com/~merijn/cwschronicles.html

...after AdAware, download and scan with Spybot too:

http://www.safer-networking.org/index.php?lang=en&page=download

...after installing, have it go online and download all updates, then scan your system. Everything it finds in RED is safe to fix.


Then do post a new log and we can then see whats left and have HJT fix what's leftover.
 

MudPuddles

Thread Starter
Joined
Feb 6, 2003
Messages
25
Ok...I have run the anti-trojan scan and came up with all kinds of stuff: Port 1025 Open
Application: Network blackjack, ICQ
Trojans: NetSpy, Maverick's Matrix, Remote Storm

Port 5000 is open
Applicastions: Yahoo Messenger Chat
Trojans: Bubbel, Back Door Setup, Blazer 5, Socket 23, Sockets de Troie

In addition, I have run housecall's virus scan and found:

TROJ Adclicker
ADW Tenget A

Both of which are "non cleanable".

Now to my question....is it possible to do a destructive recovery and wipe all of these out? It seems to me, it would be less time consuming, but I am not sure how having a virus would effect the recovery process.


Thanks a bunch.

Mud
 
Joined
Mar 25, 2001
Messages
3,334
That's your call, but IMHO I think we can clean you up by running through the processes noted above.
 

~Candy~

Retired Administrator
Joined
Jan 27, 2001
Messages
103,706
Buckaroo, shouldn't system restore be turned off first?
 
Joined
Jul 26, 2002
Messages
46,331
Originally posted by buckaroo:
That's your call, but IMHO I think we can clean you up by running through the processes noted above.
I agree with buckaroo that it is your call but as he said we can help you clean this up and in the process you may learn something such as steps you can take to help prevent it in the future.

What do you mean by a destructive recovery anyway?


And Yes AcaCandy he should turn off system restore.
 

MudPuddles

Thread Starter
Joined
Feb 6, 2003
Messages
25
Ok....how exactly do I go about getting rid of the viruses and trojans? I am thinking here. It would take a lot less time to just do a destructive recovery and get rid of the excess software they have running on their computer anyway...aside from the invader issues, there is way too much junk on this thing! LOL I am hesitant to do a destructive recovery when there are active viruses on the computer because I don't know how it will affect the recovery process. So....what would you do?

Thanks in advance.

Mud
 

MudPuddles

Thread Starter
Joined
Feb 6, 2003
Messages
25
Destructive recovery is where you basically wipe everything out to the computer's original condition. I am aware of how to keep this stuff off of my computer, however, this is my friend's computer and I am trying to help her...she has 3 kids...need I say more?? (nothing against kids...got them myself. LOL)


Mud
 

~Candy~

Retired Administrator
Joined
Jan 27, 2001
Messages
103,706
That's all fine and dandy as long as there's nothing that needs backed up and she has all the software installation cds, and driver cds, as sometimes the recovery cd does not contain drivers.
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Top