
Need HiJack review and help

Discussion in 'Windows XP' started by Ron the Geek, Jan 20, 2007.

Thread Status:
Not open for further replies.
  1. Ron the Geek

    Ron the Geek Thread Starter

    Joined:
    Nov 22, 2006
    Messages:
    492
    I'm working on a Compaq desktop (Presario S4020WM, XPHE SP1, [email protected], 128 MB) and, although I plan to beef up the RAM, even at its current level it's moving like molasses. I think there's a buncha crap running and it's having to cache everything else. So, here's a hijack log of the machine for one of you nice HiJack experts to look through. Let me say that, since I work on a multitude of computers, I have HiJackThis running from a CD drive. Also, I ran AVG Free Edition before that and found and healed about 12 or 13 trojans. Here's the log:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:40:56 AM, on 1/20/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\system32\ps2.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Common Files\CMEII\CMESys.exe
    C:\PROGRA~1\COMMON~1\EACCEL~1\EANTHO~1.EXE
    C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE
    C:\WINDOWS\System32\S3tray2.exe
    C:\WINDOWS\System32\SahAgent.exe
    C:\Program Files\n-CASE\msbb.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
    C:\Program Files\scbar\v2\scbar.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\ezula\mmod.exe
    C:\PROGRA~1\COMMON~2\ADDRES~1\comwiz.exe
    C:\Program Files\AOL Companion\companion.exe
    C:\Program Files\Common Files\GMT\GMT.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\System32\rundll32.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://out.true-counter.com/b/?101 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://out.true-counter.com/b/?101 (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://out.true-counter.com/b/?101 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://out.true-counter.com/a/?101 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://out.true-counter.com/b/?101 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startium.com/metasearch.php?dst=M3
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.searchenhancement.com/nph-enhanced.cgi?affid=sesm&sstring=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.passthison.com/r4/?vu083...02228333933989000222833393398900022283339.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.searchenhancement.com/nph-enhanced.cgi?affid=sesm&sstring=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchenhancement.com/searchbar/iev1.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.searchenhancement.com/nph-enhanced.cgi?affid=sesm&sstring=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://out.true-counter.com/a/?101 about:blank (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.searchenhancement.com/nph-enhanced.cgi?affid=sesm&sstring=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://out.true-counter.com/b/?101 (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.searchenhancement.com/nph-enhanced.cgi?affid=sesm&sstring=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://out.true-counter.com/b/?101 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.searchenhancement.com/nph-enhanced.cgi?affid=sesm&sstring=
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.searchenhancement.com/nph-enhanced.cgi?affid=sesm&sstring=
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: WebSearch Class - {9368D063-44BE-49B9-BD14-BB9663FD38FC} - C:\Program Files\scbar\v2\scbar.dll
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\COMMON~2\ADDRES~1\cnbabe.dll
    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
    O2 - BHO: F1 Organizer Class - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\x3ro1.dll
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O2 - BHO: Search Toolbar BHO Object - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\System32\stlbdist.DLL
    O2 - BHO: (no name) - {6ACD11BD-4CA0-4283-A8D8-872B9BA289B6} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
    O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
    O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
    O3 - Toolbar: &Search Toolbar - {6A85D97D-665D-4825-8341-9501AD9F56A3} - C:\PROGRA~1\SEARCH~1\stoolbar.dll
    O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll (file missing)
    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbdist.DLL
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Internat Conf] C:\WINDOWS\System32\bootconf.exe
    O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
    O4 - HKLM\..\Run: [EanthologyApp] C:\PROGRA~1\COMMON~1\EACCEL~1\EANTHO~1.EXE /b Startup
    O4 - HKLM\..\Run: [WebScan] C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE -k
    O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
    O4 - HKLM\..\Run: [sginst] C:\PROGRA~1\ACCELE~1\SCRIPT~1\sginst.exe /upd
    O4 - HKLM\..\Run: [KUB] C:\WINDOWS\KUB.exe
    O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe
    O4 - HKLM\..\Run: [Desksite CMA] C:\Program Files\desksite\bin\cma.exe
    O4 - HKLM\..\Run: [msbb] C:\Program Files\n-CASE\msbb.exe
    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain
    O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
    O4 - HKLM\..\Run: [SearchEnhancement] "C:\Program Files\scbar\v2\scbar.exe" /U
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
    O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
    O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O8 - Extra context menu item: Add A Page Note - C:\Program Files\CommonName\AddressBar\createnote.htm
    O8 - Extra context menu item: Bookmark This Page - C:\Program Files\CommonName\AddressBar\createbookmark.htm
    O8 - Extra context menu item: Email This Link - C:\Program Files\CommonName\AddressBar\emaillink.htm
    O8 - Extra context menu item: Search using CommonName - C:\Program Files\CommonName\AddressBar\navigate.htm
    O9 - Extra button: (no name) - {2F099F5D-7003-4441-82C2-707C7C273FEB} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
    O9 - Extra 'Tools' menuitem: Block This Page - {2F099F5D-7003-4441-82C2-707C7C273FEB} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
    O11 - Options group: [CommonName] CommonName
    O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} (F1 Organizer Class) - http://www.netpaloffers.net/NetpalOffers/DMO1/x3ro1.cab
    O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
    O16 - DPF: {10000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/TURB8106/turbo.cab?id=4283063
    O16 - DPF: {20000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/TURB8106/payload2.cab
    O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50026/QDow.cab
    O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://download-ak.systemsoap.com/ssoap/pptproactauthakamai/systemsoappro.cab
    O16 - DPF: {459729AC-727D-4D97-B18A-72EE224EFEC0} (MDefControl Class) - http://defender.veloz.com/pub/download/stop-sign_stp_test.cab
    O16 - DPF: {C7B05B62-C8D7-438C-840B-4994DAAA8EEE} - http://webpdp.gator.com/v3/download/pdpplugin5094_hd3ptdmgainads.cab
    O18 - Protocol hijack: cn - {9346A6BB-1ED0-4174-AFB4-13CD4EC0AA40}
    O18 - Protocol: relatedlinks - {CD8D1CAA-FE4A-45DF-A06C-028AAF1821DE} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
    O19 - User stylesheet: C:\WINDOWS\Web\oslogo.bmp
    O19 - User stylesheet: C:\WINDOWS\default.css (HKLM)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: AutoComplete Service (Autocomplete) - Internet Washer - C:\PROGRA~1\SYSTEM~1\autocomp.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    If anyone can point out which line items to check off to be fixed, it would be appreciated. Thanks!!

    RTG :cool:
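For the "which line items to check off" question, here is an added Python triage script; it is not from the thread or from HijackThis, it parses a handful of lines copied from the log above, and the allowlist of Microsoft hosts is an assumption. It flags the entry classes a log reviewer looks at first: R0/R1 start and search pages pointing at third-party hosts, O2 browser helper objects with no name or a null CLSID, O10 Winsock LSP DLLs, O16 ActiveX downloads, and O18 protocol hijacks.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a handful of lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://out.true-counter.com/a/?101 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://out.true-counter.com/a/?101 about:blank (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\COMMON~2\ADDRES~1\cnbabe.dll
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O16 - DPF: {C7B05B62-C8D7-438C-840B-4994DAAA8EEE} - http://webpdp.gator.com/v3/download/pdpplugin5094_hd3ptdmgainads.cab
O18 - Protocol hijack: cn - {9346A6BB-1ED0-4174-AFB4-13CD4EC0AA40}
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

# Hosts that legitimately appear as IE defaults (assumed allowlist, not from the thread).
IE_DEFAULT_HOSTS = {"www.microsoft.com", "go.microsoft.com", "www.msn.com", "search.msn.com"}
LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")

def parse(log_text):
    """Split a HijackThis log into (section code, body, raw line) tuples."""
    entries = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body"), line.strip()))
    return entries

def host_of(body):  # hostname of the first http(s) URL in an entry body, or None
    m = re.search(r"https?://\S+", body)
    return urlparse(m.group(0)).hostname if m else None

def triage(log_text):
    """Flag the entry classes a reviewer checks first, with a one-line reason each."""
    findings, seen_lsp = [], set()
    for code, body, raw in parse(log_text):
        reason = None
        if code in ("R0", "R1"):  # IE start/search pages redirected off the vendor defaults
            host = host_of(body)
            if host and host not in IE_DEFAULT_HOSTS:
                reason = f"IE start/search setting points at third-party host {host}"
        elif code == "O2":  # browser helper objects with no name or a null CLSID
            if "(no name)" in body or "{00000000-0000-0000-0000-000000000000}" in body:
                reason = "BHO with no name or null CLSID"
        elif code == "O10":  # Winsock LSP entries; report each DLL once even if stacked
            path = body.split(": ", 1)[1]
            if path not in seen_lsp:
                seen_lsp.add(path)
                reason = f"unknown Winsock LSP DLL {path}"
        elif code == "O16":  # ActiveX controls pulled from the web (Download Program Files)
            reason = f"ActiveX control downloaded from {host_of(body)}"
        elif code == "O18" and "hijack" in body:  # URL protocol handler replaced
            reason = "protocol handler hijacked"
        if reason:
            findings.append((code, reason, raw))
    return findings
```

Running `triage` over the full log pasted above, rather than the excerpt, lists every redirected search setting, every unnamed BHO and every ActiveX download source, which is the short list to research before touching anything.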
     
  2. Ron the Geek

    Ron the Geek Thread Starter

    Joined:
    Nov 22, 2006
    Messages:
    492
    Okay, I got more: The #[email protected]#% machine won't turn on half the time! I started working on this one yesterday and, with respect to starting up, had no problems. This morning, it wouldn't turn on. It's getting power and it sounds like the fan is running, but that's it. I unplugged the tower and the monitor (at first thinking there was a problem with the monitor), waited a few seconds, then plugged 'em back in and it took off. Anything in that log that might give a clue to this part of the dilemma? Thanks!
     
  3. norton850

    norton850

    Joined:
    Mar 8, 2004
    Messages:
    7,794
    You have two separate problems here. You have lots of junk in your log and perhaps you would like a moderator to move your post to Security. However, if your system won't turn on, there's no need to worry about the HD if that problem continues. Since the system "appears" to be working again, I guess that's a wait and see.
     
  4. Ron the Geek

    Ron the Geek Thread Starter

    Joined:
    Nov 22, 2006
    Messages:
    492
    This may end up being a lost cause—I can't get it to boot up anymore. I shut it down and opened it up to increase the memory (from 128 to 512) put the side back on and now it refuses to play nice. It just won't boot. Again, you can see that it's getting power and hear the fan—or something turning—but it just plays dead. If I can't get back into it, then you're right: no need to worry about how to fix a dead machine. But I may get lucky and get the thing back up (that didn't read quite right, did it?...). If so, I'd still like some advice. Thanks!!

    RTG
    :cool:
     
  5. norton850

    norton850

    Joined:
    Mar 8, 2004
    Messages:
    7,794
    So if the problem started after the new memory did you remove it and put things back to the way they were before the problem started?
     
  6. Ron the Geek

    Ron the Geek Thread Starter

    Joined:
    Nov 22, 2006
    Messages:
    492
    The problem started before the memory increase. I didn't actually think much about the fact that I needed to unplug/plug in the machine this morning, thinking it could've been some weird electric surge or interruption. That's why I didn't even think twice about shutting down the computer. As slow as it was running, I was having a difficult time trying to do anything with only 128 MB of RAM. Are there BIOS level viruses? Seems like the "won't-start-up" problem could be a bad or corrupted BIOS. Any ideas?
     
  7. Fidelista

    Fidelista

    Joined:
    Jan 17, 2004
    Messages:
    9,600
    The problem is malicious software and viruses. This machine is infected bigtime.
    Do not remove anything until an expert advises, because removing one of these viruses may cause a problem with the connection.
    I doubt you have a hardware problem at all.
    Have patience. >f
     
  8. Ron the Geek

    Ron the Geek Thread Starter

    Joined:
    Nov 22, 2006
    Messages:
    492
    First day back to work—actually had two days off in a row! Anybody else out there have any thoughts on my dilemma? Thanks!
     
  9. Ron the Geek

    Ron the Geek Thread Starter

    Joined:
    Nov 22, 2006
    Messages:
    492
    The machine came up this morning—now if I can get some help on figuring out how to eliminate these problems while I have it running. Every responder's help is always welcome and helpful. Thanks!
     
  10. flavallee

    flavallee Trusted Advisor

    Joined:
    May 12, 2002
    Messages:
    79,467
    First Name:
    Frank
    It's likely not the answer that you're looking for, but a hard drive format and fresh install of Windows XP would probably be the best bet. That machine is loaded with spyware, adware, malware, and who knows what else.

    Are you familiar with and have made use of Ad-Aware SE Personal 1.06 and Spybot - Search & Destroy 1.4?

    Delete all files and folders from inside the C:\WINDOWS\TEMP and the C:\DOCUMENTS AND SETTINGS\(USERNAME)\LOCAL SETTINGS\TEMP folders.

    -------------------------------------------------------------------------------------
     
  11. Ron the Geek

    Ron the Geek Thread Starter

    Joined:
    Nov 22, 2006
    Messages:
    492
    I've just been going through the startup list in MSCONFIG and Googling anything I'm not familiar with. I can't do a re-install because I'm working on a used machine which is being readied (if possible, in this case...) for resale. I don't have the original Windows CD for any of the PCs I work on, so I have to clean them up as best as possible. A couple things I found under the startup tab that I'm curious about: RECGuard.exe and ps2.exe are files for HP machines—this is a Compaq. I don't know whether or not the previous owner deliberately installed these or if they are malicious files using common names. I also found KUB.exe which I can't find any information on. A couple more in Chinese... I'll be busy deleting and uninstalling today. I'll still take any and all advice out there. Thanks!
     
  12. Ron the Geek

    Ron the Geek Thread Starter

    Joined:
    Nov 22, 2006
    Messages:
    492
    Oh yeah; forgot: Using AVG Free Edition and cleaning up with CCleaner. If the machine will see the network (some do, some don't and I have no idea why...) I'll install, update and run Spybot S&D.
     
  13. flavallee

    flavallee Trusted Advisor

    Joined:
    May 12, 2002
    Messages:
    79,467
    First Name:
    Frank
    HP bought out Compaq and it's now HP/Compaq.

    -------------------------------------------------------------------------------------

    In reference to your "suspicious" startup entries:

    recguard.exe

    http://www.sysinfo.org/startuplist.php?filter=recguard.exe

    ps2.exe

    http://www.sysinfo.org/startuplist.php?filter=ps2.exe

    kub.exe

    (Not listed in startup database, so don't know what it is)

    This site will assist you greatly in editing the startup list. It's probably safe to uncheck those Chinese entries and any blank entries.

    -------------------------------------------------------------------------------------
     
  14. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek

Short URL to this thread: https://techguy.org/536850
