HJT Log...not bad but still problems

Hux · Jul 14, 2005

Well I've run MS Antispyware, Ad-Aware, Ewido, AVG, Panda, Housecall several times on this machine and it is fairly clean, but MS Antispyware is still catching things at startup, the latest was IBIS Toolbar, which it removed.

Here is a HJT Log:

Logfile of HijackThis v1.99.0
Scan saved at 8:18:47 AM, on 7/14/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\lexbces.exe
C:\WINDOWS\System32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Adware Fixes05\Hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnview95.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121275445551
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4047/ftp.coupons.com/v3123/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos.msn.com/r/neutral/controls/MsnPUpld.cab?4,0,1323,0
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C3E279A-1505-48EB-994E-7E1BA44CF18F}: Domain = ruraltel.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C3E279A-1505-48EB-994E-7E1BA44CF18F}: NameServer = 69.50.176.196,195.225.176.110
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ruraltel.net
O17 - HKLM\System\CS1\Services\Tcpip\..\{5C3E279A-1505-48EB-994E-7E1BA44CF18F}: Domain = ruraltel.net
O17 - HKLM\System\CS1\Services\Tcpip\..\{5C3E279A-1505-48EB-994E-7E1BA44CF18F}: NameServer = 69.50.176.196,195.225.176.110
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ruraltel.net
O17 - HKLM\System\CS2\Services\Tcpip\..\{5C3E279A-1505-48EB-994E-7E1BA44CF18F}: Domain = ruraltel.net
O17 - HKLM\System\CS2\Services\Tcpip\..\{5C3E279A-1505-48EB-994E-7E1BA44CF18F}: NameServer = 69.50.176.196,195.225.176.110
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ruraltel.net
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\System32\lexbces.exe

flavallee · Jul 14, 2005

Microsoft AntiSpyware is still in beta testing, so I wouldn't even be using it. I personally have my doubts how well it works anyway.

----------------------------------------------------------------

Why are you still using the original version of Windows XP instead of Windows XP SP2? This puts you way behind on updates and security-related enhancements.

----------------------------------------------------------------

The O17 entries appear to be a problem, but someone else will need to confirm that.

Does ruraltel.net mean anything to you, and is it associated with your ISP?

----------------------------------------------------------------

Hux · Jul 14, 2005

This is a machine that a lady brought to me to fix.
Windows update will run and wants to install SP2, but doesn't like something about the licensing so it is unable to update. I believe she bought this used from a school so there may be somethin' up with how XP was installed?

ruraltel.net is our local isp. But yes I've never seen any O17's like that on any other machines I've worked on from around here.

dpak · Jul 14, 2005

It was probably an unlicensed copy that Microsoft has on file. They are known to deny certain things (like SP2) if they think the software is pirated.

The only thing strange about those 017 entries is that it looks like the name servers are on two different subnets. This might just be the way your ISP does it, but many times ISPs have their DNS servers on the same subnet. It could be a sign of a bad DNS server in the list which would allow someone to control where websites pointed (so they can steal personal information). You should check with your ISP that your DNS servers should be set to 69.50.176.196 and 195.225.176.110.

Other than that, things look OK to me.

Hux · Jul 14, 2005

That's my guess as well on the license.

Pretty sure those DNS servers are not correct. I removed all the O17 entries and it works fine.

I'll do some more investigating. Only thing right now is that every time I boot it to one of the 2 users set up on it, the first thing that happens is that MS Antispyware warns that IBIS is trying to install and removes it.
Other than that it is running like a champ.

HJT Log...not bad but still problems

Hux

flavallee

Hux

dpak

Hux

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

Welcome to Tech Support Guy!

Latest posts

Members online