HJ Log Please Advise

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

RD Rowland

Thread Starter
Joined
Apr 21, 2004
Messages
11
Help! :mad: My son "barrowed" my laptop to do a school project. He had it for over a month and apparently is completely IGNORANT when it comes to internet security. I've tried to clean up his mess using Norton clean sweep, but still haven't been able to get rid of all the bugs. Would really appriciate any help. Especially interested in nuking Lycos sidesearch... Thanks!

Logfile of HijackThis v1.97.7
Scan saved at 12:23:47, on 4/21/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMJB.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_director.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_TDMEngine.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\My Deliveries\My Deliveries\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL

= http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://popnav.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://allaboutsearching.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://store.presario.net/scripts/redirectors/presario/storeredir2.dll

?s=consumerfav&c=3c01&lc=0409
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch

=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =

Microsoft Internet Explorer provided by Compaq
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

C:\WINDOWS\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
O1 - Hosts: ƒ`§ auto.search.msn.com
O1 - Hosts: ƒ`§ search.netscape.com
O1 - Hosts: ƒ`§ ieautosearch
O2 - BHO: (no name) - {9EF6B117-0A30-223A-ED36-CC6384A13F36} - (no

file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -

C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -

c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH

Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access

Button Support\StartEAK.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware

6\Ad-watch.exe"
O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\WINDOWS\System32\BmxLS.exe
O4 - HKLM\..\Run: [01chin] C:\PROGRA~1\CLOCKD~1\REALDOG.exe
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe -s
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program

Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel

present
O8 - Extra context menu item: &Google Search - res://C:\Program

Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program

Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page -

res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program

Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English -

res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Translate Page -

res://c:\windows\downloaded program

files\GoogleToolbar_en_1.1.70-big.dll/cmtrans.html
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Support (HKCU)
O14 - IERESET.INF:

START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/

storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -

http://207.188.7.150/126fd687b25ecd97e500/netzip/RdxIE2.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} -

http://toolbar.google.com/data/en/big/1.1.62-big/GoogleNav.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield

International Setup Player) -

http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -

http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37257.

4877199074
O16 - DPF: {A16E6189-A1DD-4696-9806-0324C145D794} -

http://www.jraun.com/activex/src/KeyActivexTest.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash

Object) -

http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office

Tools on the Web Control) -

http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
119,662
Hi Rd and welcome to TSG,

For starters, you have the peper.a trojan. Please run the uninstaller and post another log.

Peper.a trojan uninstaller

http://www.zerosrealm.com/downloads/uninst.exe

You must be connected to the Internet to run this program.

Click on the uninst.exe and let it run. When it’s finished it will close itself.

Cookie
 

RD Rowland

Thread Starter
Joined
Apr 21, 2004
Messages
11
Thanks Cookiegal. Here it is....

Logfile of HijackThis v1.97.7
Scan saved at 9:53:47, on 4/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmjb.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_director.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_TDMEngine.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\My Deliveries\My Deliveries\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
O2 - BHO: (no name) - {9EF6B117-0A30-223A-ED36-CC6384A13F36} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [01chin] C:\PROGRA~1\CLOCKD~1\REALDOG.exe
O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\WINDOWS\System32\BmxLS.exe
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe -s
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Translate Page - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.70-big.dll/cmtrans.html
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Support (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/126fd687b25ecd97e500/netzip/RdxIE2.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/big/1.1.62-big/GoogleNav.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37257.4877199074
O16 - DPF: {A16E6189-A1DD-4696-9806-0324C145D794} - http://www.jraun.com/activex/src/KeyActivexTest.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
 
Joined
Jul 26, 2002
Messages
46,349
Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

O2 - BHO: (no name) - {9EF6B117-0A30-223A-ED36-CC6384A13F36} - (no file)

O4 - HKLM\..\Run: [01chin] C:\PROGRA~1\CLOCKD~1\REALDOG.exe

O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\WINDOWS\System32\BmxLS.exe

_________________________________________________________________
Fix this one if you did not place this restriction onIE yourself:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
_________________________________________________________________
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/126fd687b25ecd...tzip/RdxIE2.cab

O16 - DPF: {A16E6189-A1DD-4696-9806-0324C145D794} - http://www.jraun.com/activex/src/KeyActivexTest.ocx


Restart to safe mode.

How to start your computer in safe mode

First in safe mode click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Now find and delete:

The C:\WINDOWS\System32\BmxLS.exe file
The C:\Program Files\CLOCKD~1 folder

I have no way of knowing the exact name of that folder, but the first six letters will be CLOCKD.
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Top