1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Hijackthis Log

Discussion in 'Virus & Other Malware Removal' started by onejewel, Oct 6, 2003.

Thread Status:
Not open for further replies.
Advertisement
  1. onejewel

    onejewel Thread Starter

    Joined:
    Oct 6, 2003
    Messages:
    4
    :confused:
    Hi there!
    I'm new here, and hope I'm posting this in the right place. I've read the posts and d/l'ed Adaware, run it, and d/l'ed HijackThis as well and followed directions. Here's the resulting log.
    The problem is this... I know that incredifind has hijacked my browser & now won't allow me to access certain sites, but there are other spyware programs that I need rid of too.
    Can you help me with which files need to be deleted and which ones are alright to leave?
    Thanks for all the help! and Just so's you know....
    You people are AWESOME!
    (y) (y) (y)
    Julienne
    ~~~~~~~~~~~~~~~~~~~~~~~
    Logfile of HijackThis v1.97.2
    Scan saved at 11:43:08 AM, on 10/6/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    C:\WINDOWS\System32\wjview.exe
    C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
    C:\Program Files\Messenger Plus! 2\MsgPlus.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    C:\PROGRA~1\SMARTD~1\SDPhotoBar.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
    C:\Program Files\Webshots\WebshotsTray.exe
    C:\Program Files\Common files\KeenValue\KWM.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Yahoo!\Messenger\YPager.exe
    C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Jeff\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.tjdo.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R3 - URLSearchHook: eUnivBHO Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~2\BHO\BHO.dll
    O1 - Hosts: 216.177.73.139 auto.search.msn.com
    O1 - Hosts: 216.177.73.139 search.netscape.com
    O1 - Hosts: 216.177.73.139 ieautosearch
    O1 - Hosts: 216.177.73.139 search.netscape.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Activater - {1E1B2879-88FF-11D2-8D96-D7ACAC95951F} - C:\Program Files\CommonName\Toolbar\CNBarIE.dll (file missing)
    O2 - BHO: NavErrRedir Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~2\BHO\BHO.dll
    O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet4_80.dll
    O2 - BHO: Natural Language Navigation - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINDOWS\System\BHO001.DLL
    O2 - BHO: (no name) - {98DE779A-2364-4293-AB71-2B97C61C4640} - C:\PROGRA~1\FREEDO~1\fdahlp.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: FDA Bar - {9595C62C-76C6-49A6-9BDA-3253DD7A34FF} - C:\Program Files\Free Downloads Accelerator\fdabar.dll
    O3 - Toolbar: FlowGoBar - {4E7BD74F-2B8D-469E-C0FF-FD63B399BC7D} - C:\PROGRA~1\FLOWGO~1\Toolbar\flgobar.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [MyPointsPointAlert] wjview /cp:p "C:\Program Files\MyPointsPointAlert\System\Code" Main lp: "C:\Program Files\MyPointsPointAlert"
    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [KeenValue] C:\Program Files\Common files\KeenValue\KeenValue.exe
    O4 - HKLM\..\Run: [WinStart001.EXE] C:\WINDOWS\System\WinStart001.EXE -b
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [SDPhotoBar.exe] C:\PROGRA~1\SMARTD~1\SDPhotoBar.exe
    O4 - HKCU\..\Run: [SPYNUKER] C:\Program Files\Trek Blue\Spyware Nuker\SPYNUKER.exe /STARTUP
    O4 - HKCU\..\Run: [Iomega Active Disk] C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Global Startup: KeenValue.lnk = C:\Program Files\Common Files\KeenValue\keenvalue.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: Download with Free Downloads Accelerator - C:\Program Files\Free Downloads Accelerator\fdaie.htm
    O8 - Extra context menu item: MyPoints - file://C:\Program Files\MyPointsPointAlert\System\Temp\mypoints_script0.htm
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: Point Alert (HKCU)
    O9 - Extra button: Support (HKCU)
    O9 - Extra button: Help (HKCU)
    O9 - Extra button: ComcastHSI (HKCU)
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
    O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.memolink.com/CFIDE/classes/CFJava.cab
    O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://www.spywarenuker.com/product/camp/SpywareNuker_com/SpywareNukerInstaller.exe
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {22E5705C-991A-4646-9053-A9525CA7222A} - http://www.topmoxie.com/external/builds/mypoints/mpmoxie.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://www.webcamnow.com/broadcast/ActiveXWebCam.cab
    O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37315.2046990741
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://www.wildtangent.com/install/wdriver/ddc/shockwave/blackhawkstriker/wtinst.cab
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
     
  2. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    Hi and welcome, I've split you into your own thread for better assistance.
     
  3. onejewel

    onejewel Thread Starter

    Joined:
    Oct 6, 2003
    Messages:
    4
    Thanks! :)
    Just learning my way around in here and learning some fascinating stuff on the way through!
    ~Julienne~
     
  4. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,169
    First Name:
    Derek
    run hijackthis, tick all below, doublecheck to make sure you haven't missed any, close all browser windows & press fix checked

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.tjdo.com/searchbar.html
    R3 - URLSearchHook: eUnivBHO Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~2\BHO\BHO.dll
    O1 - Hosts: 216.177.73.139 auto.search.msn.com
    O1 - Hosts: 216.177.73.139 search.netscape.com
    O1 - Hosts: 216.177.73.139 ieautosearch
    O1 - Hosts: 216.177.73.139 search.netscape.com

    O2 - BHO: Activater - {1E1B2879-88FF-11D2-8D96-D7ACAC95951F} - C:\Program Files\CommonName\Toolbar\CNBarIE.dll (file missing)
    O2 - BHO: NavErrRedir Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~2\BHO\BHO.dll
    O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet4_80.dll
    O2 - BHO: Natural Language Navigation - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINDOWS\System\BHO001.DLL
    O2 - BHO: (no name) - {98DE779A-2364-4293-AB71-2B97C61C4640} - C:\PROGRA~1\FREEDO~1\fdahlp.dll
    O3 - Toolbar: FDA Bar - {9595C62C-76C6-49A6-9BDA-3253DD7A34FF} - C:\Program Files\Free Downloads Accelerator\fdabar.dll
    O3 - Toolbar: FlowGoBar - {4E7BD74F-2B8D-469E-C0FF-FD63B399BC7D} - C:\PROGRA~1\FLOWGO~1\Toolbar\flgobar.dll
    O4 - HKLM\..\Run: [MyPointsPointAlert] wjview /cp "C:\Program Files\MyPointsPointAlert\System\Code" Main lp: "C:\Program Files\MyPointsPointAlert"
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [KeenValue] C:\Program Files\Common files\KeenValue\KeenValue.exe
    O4 - HKLM\..\Run: [WinStart001.EXE] C:\WINDOWS\System\WinStart001.EXE -b
    O4 - HKCU\..\Run: [SPYNUKER] C:\Program Files\Trek Blue\Spyware Nuker\SPYNUKER.exe /STARTUP
    O4 - Global Startup: KeenValue.lnk = C:\Program Files\Common Files\KeenValue\keenvalue.exe
    O8 - Extra context menu item: Download with Free Downloads Accelerator - C:\Program Files\Free Downloads Accelerator\fdaie.htm
    O8 - Extra context menu item: MyPoints - file://C:\Program Files\MyPointsPointAlert\System\Temp\mypoints_script0.htm

    O9 - Extra button: Point Alert (HKCU)
    O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://www.spywarenuker.com/product...erInstaller.exe
    O16 - DPF: {22E5705C-991A-4646-9053-A9525CA7222A} - http://www.topmoxie.com/external/bu...nts/mpmoxie.cab
    O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/mini...uginstaller.cab
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://www.wildtangent.com/install/...iker/wtinst.cab


    reboot & delete the following files or folders
    C:\Program Files\MyPointsPointAlert\
    C:\Program Files\Common files\KeenValue\
    C:\Program Files\Free Downloads Accelerator\
     
  5. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,169
    First Name:
    Derek
    I would have thought that adaware with the latest definitions should have removed a lot of the entries though

    have you got it configured as suggested in this post http://forums.techguy.org/t164245/s.html
     
  6. onejewel

    onejewel Thread Starter

    Joined:
    Oct 6, 2003
    Messages:
    4
    Derek,
    Yes, Adaware found 364 objects in the scan, it removed 6 of them. I was not sure which to check to remove and which to keep, so to be on the safe side, thought I'd ask here before having to go to a system restore checkpoint.
    Thanks for the advice, I'm starting the process now and will let you know shortly how it turns out.
    You're a sweetie for responding so quickly! Thanks a million!
    ~Julienne~
     
  7. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,169
    First Name:
    Derek
    whatever adaware finds is perfectly safe to tick and remove

    it's always better to let adaware & spybot do a run and remove everything they find then only the really stubborn or unknowns are left for us to look at and remove manually
     
  8. onejewel

    onejewel Thread Starter

    Joined:
    Oct 6, 2003
    Messages:
    4
    Just so that I'm clear on this....
    I've set up Adaware just the way I was directed in the link you sent to me Derek. It scanned and found 364 objects, but only six were checked. It removed those six.
    I've scanned again after making sure it's set up as directed and it's still found (even after cleaning out the files you suggested from the HijackThis sweep) 324 items. None of these items are checked, although they are listed as "Malware" and "Data Miners"
    from places like cydoor, Igetnet, e-universe_keenvalue, and new.net are these things I should be okay erasing?
    Thanks again for your help,
    ~Not wanting to ruin things unfixable~
     
  9. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,169
    First Name:
    Derek
    anything it finds is safe to delete so right click any entry and tick select all and then let it fix everything

    many will be what they call dataminers which is a posh term for cookies and it is removing cookies from the system
     
  10. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/169920

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice