
Please Review My Hijackthis Log

Discussion in 'Virus & Other Malware Removal' started by Steve-x8086, Apr 24, 2004.

Thread Status:
Not open for further replies.
  1. Steve-x8086

    Steve-x8086 Thread Starter

    Joined:
    Apr 19, 1999
    Messages:
    607
    First Name:
    Steve
    Hi everyone. Below is the hijackthis log for a computer running XP. I know only a little about XP but I see some questionable files. Please let me know what's good and what's bad.
    Thanks a lot, Steve-x8086

    Logfile of HijackThis v1.97.7
    Scan saved at 3:29:06 PM, on 4/24/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\gearsec.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\Program Files\Common Files\BullGuard\BullGuard Communicator\xcommsvr.exe
    C:\Program Files\Common Files\BullGuard\BullGuard Scan Server\bdss.exe
    C:\PROGRA~1\ACCELE~1\SYSTEM~1\sys_alert.exe
    C:\WINDOWS\MSMGT.exe
    C:\WINDOWS\System32\msbb.exe
    C:\Program Files\Norton AntiVirus\vsserv.exe
    C:\Program Files\Common Files\CMEII\CMESys.exe
    C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
    C:\Program Files\AdDestroyer\AdDestroyer.exe
    C:\Program Files\Common Files\GMT\GMT.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Owner\My Documents\TSG Programs\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.spidersearch.com/frame_results.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.spidersearch.com/frame_results.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.spidersearch.com/frame_results.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.passthison.com/r4/?vu083003
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.passthison.com/r4/?vu083003
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.spidersearch.com/frame_results.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = system soap pro
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.huntbar.com/ie.asp?aff=857
    R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    R3 - URLSearchHook: PerfectNavBHO Class - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O1 - Hosts: 12.129.205.209 search.netscape.com
    O1 - Hosts: 12.129.205.209 sitefinder.verisign.com
    O2 - BHO: (no name) - {00000185-B716-11D3-92F3-00D0B709A7D8} - C:\DOCUME~1\Owner\LOCALS~1\Temp\BHO010~1.DLL
    O2 - BHO: (no name) - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9} - C:\WINDOWS\ipinsigt.dll
    O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\GrlNt0i.dll
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL
    O2 - BHO: NavErrRedir Class - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL
    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\3.bin\MWSBAR.DLL
    O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: (no name) - {6ACD11BD-4CA0-4283-A8D8-872B9BA289B6} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
    O2 - BHO: ineb Helper - {753AA023-02D1-447D-8B55-53A91A5ABF18} - C:\WINDOWS\System32\bmeb.dll
    O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
    O2 - BHO: Httper - {A5483501-070C-41DD-AF44-9BD8864B3015} - C:\Program Files\Httper\httper.dll
    O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Search Toolbar - {6A85D97D-665D-4825-8341-9501AD9F56A3} - C:\PROGRA~1\SEARCH~1\stoolbar.dll
    O3 - Toolbar: Search Bar - {0AAF602E-72A1-45FE-BAB1-06971E07EAA2} - C:\WINDOWS\System32\bmeb.dll
    O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
    O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\3.bin\MWSBAR.DLL
    O4 - HKLM\..\Run: [wininetd] C:\WINDOWS\System32\wininetd.exe
    O4 - HKLM\..\Run: [eanth_critical_update_alert] C:\PROGRA~1\ACCELE~1\SYSTEM~1\sys_alert.exe /Startup
    O4 - HKLM\..\Run: [MSMGT] C:\WINDOWS\MSMGT.exe
    O4 - HKLM\..\Run: [msbb] C:\WINDOWS\System32\msbb.exe
    O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
    O4 - HKLM\..\Run: [rkz] C:\WINDOWS\rkz.exe
    O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
    O4 - HKCU\..\Run: [System Soap Pro] C:\Program Files\System Soap Pro\soap.exe min
    O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
    O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
    O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\3.bin\MWSOEMON.EXE
    O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\3.bin\MWSOEMON.EXE
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm185
    O9 - Extra 'Tools' menuitem: Block This Page (HKLM)
    O9 - Extra button: HuntBar (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O10 - Broken Internet access because of LSP provider 'lsp.dll' missing
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} (F1 Organizer Class) - http://www.netpaloffers.net/NetpalOffers/DMO1/GrlNt0i.cab
    O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://younghips.com/cam.exe
    O16 - DPF: {10000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/TURB8108/turbo.cab
    O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install013.exe
    O16 - DPF: {1D2DCA0D-B30F-40AD-9690-087105F214EC} - http://usa-download.nocreditcard.com/download/Object/ieaccess2XP.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversInitialSetup1.0.0.8.cab
    O16 - DPF: {20000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/TURB8108/payload2.cab
    O16 - DPF: {2C38A62E-D257-40E8-8BB7-5624E38FEB0A} - http://www.germie.com/kari/2732.exe
    O16 - DPF: {359F7E49-1EA0-4671-92E9-61E32FE25C5E} - http://69.0.137.190/version3/Netster.dll
    O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://download-ak.systemsoap.com/ssoap/pptproactauthakamai/systemsoappro.cab
    O16 - DPF: {50A28604-52F2-11D6-8F0F-5254AB11D5C2} - http://go-in-now.com/dialers/108263.exe
    O16 - DPF: {625AECAE-0E47-4290-AF53-7BEB17E191CD} - http://209.120.156.13/funflow/FunFlow.exe
    O16 - DPF: {79B96C72-C0D0-4DC8-BC7E-9F314A918228} - http://imgfarm.com/images/nocache/myspeedbar/myinitialsetup1.0.0.3.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37650.4432986111
    O16 - DPF: {C7B05B62-C8D7-438C-840B-4994DAAA8EEE} - http://webpdp.gator.com/v3/download/pdpplugin5094_hd3ptdmgainads.cab
    O16 - DPF: {D35A69A7-7A34-4C67-814A-3F508C0BF371} - http://traffichog.com/toolbar/bmeb.cab
    O16 - DPF: {D9EC0A76-03BF-11D4-A509-0090270F86E3} - http://download.spywarelabs.com/install/1203030306/VBouncerOuter1203.EXE
    O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://www.pcpowerscan.com/pcpowerscan.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{62C4E08D-5004-4DD4-8E33-1917B813105E}: NameServer = 207.251.201.10 207.251.201.11
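    As an added example (not part of this thread, and not HijackThis's own code, which lists entries without rating them), here is a small Python triage script that parses entry lines of the kind posted above and flags the classes a malware-removal helper looks at first: R0/R1 search and start pages pointing off-site, O2/O3/O4 modules loading from a Temp folder or sitting bare in the Windows root, O16 ActiveX downloads that are raw .exe files or come from non-vendor hosts, and any O1, O10 or O17 entry. The trusted-host lists and path heuristics are assumptions chosen for illustration; the sample lines are copied from the log above.

```python
"""Triage helper for HijackThis-style log lines (added example).

Parses the 'Rx - ' / 'Oxx - ' entry lines of a HijackThis 1.97 log and
flags the kinds of entries a malware-removal helper checks first.  The
trusted-host lists and path heuristics below are assumptions for
illustration, not anything HijackThis itself decides.
"""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlsplit

# Entry lines look like "O4 - HKLM\..\Run: [name] path" or "R1 - ... = url".
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://\S+")
# First drive-letter path ending in a loadable module; spaces are allowed
# because paths such as "C:\Program Files\..." appear unquoted in the log.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|ocx)\b", re.IGNORECASE)

# Assumed allow-lists: hosts a clean IE setting or an O16 ActiveX download
# would normally point at.  Tune these for the machine being examined.
TRUSTED_URL_HOSTS = ("yahoo.com", "msn.com", "microsoft.com")
TRUSTED_DPF_HOSTS = ("microsoft.com",)

# Subset of the log posted in this thread, used as sample input.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.spidersearch.com/frame_results.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O1 - Hosts: 12.129.205.209 search.netscape.com
O2 - BHO: (no name) - {00000185-B716-11D3-92F3-00D0B709A7D8} - C:\DOCUME~1\Owner\LOCALS~1\Temp\BHO010~1.DLL
O4 - HKLM\..\Run: [rkz] C:\WINDOWS\rkz.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O10 - Broken Internet access because of LSP provider 'lsp.dll' missing
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37650.4432986111
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://younghips.com/cam.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{62C4E08D-5004-4DD4-8E33-1917B813105E}: NameServer = 207.251.201.10 207.251.201.11
"""


@dataclass(frozen=True)
class Finding:
    code: str    # HijackThis section, e.g. "O4"
    reason: str  # why the line deserves a look
    line: str    # the original log line


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def host_in(host: str, suffixes) -> bool:
    return any(host == s or host.endswith("." + s) for s in suffixes)


def path_reason(path: str):
    """Heuristics for places a legitimate module would not normally live."""
    p = path.lower()
    if "\\temp\\" in p:
        return "module loaded from a Temp directory"
    # e.g. C:\WINDOWS\rkz.exe: a bare file in the Windows root, no subfolder
    if re.match(r"^[a-z]:\\windows\\[^\\]+$", p):
        return "module sits directly in the Windows directory root"
    return None


def triage(log_text: str) -> list:
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # process list, headers, blank lines
        code, body = m.group("code"), m.group("body")
        urls = URL_RE.findall(body)
        path = PATH_RE.search(body)

        if code in ("R0", "R1"):  # IE start page / search page settings
            for u in urls:
                if not host_in(host_of(u), TRUSTED_URL_HOSTS):
                    findings.append(Finding(code, f"IE setting points at {host_of(u)}", line))
        elif code in ("R3", "O2", "O3", "O4"):  # search hooks, BHOs, toolbars, autoruns
            why = path_reason(path.group(0)) if path else None
            if why:
                findings.append(Finding(code, why, line))
            if code == "O2" and "(no name)" in body:
                findings.append(Finding(code, "BHO registered without a name", line))
        elif code == "O16":  # ActiveX objects IE was told to download
            for u in urls:
                if urlsplit(u).path.lower().endswith(".exe"):
                    findings.append(Finding(code, "DPF downloads a raw .exe", line))
                elif not host_in(host_of(u), TRUSTED_DPF_HOSTS):
                    findings.append(Finding(code, f"ActiveX download from {host_of(u)}", line))
        elif code == "O17":
            findings.append(Finding(code, "NameServer override; confirm with the ISP", line))
        elif code == "O10":
            findings.append(Finding(code, "Winsock LSP chain is broken", line))
        elif code == "O1":
            findings.append(Finding(code, "hosts-file redirect", line))
    return findings


def summarize(findings) -> dict:
    """Number of findings per HijackThis section code."""
    return dict(Counter(f.code for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:4} {f.reason}\n     {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

    Run it against a full log by passing the file contents to `triage()`. The script only narrows the list to lines worth a second look; a flagged O4 or O16 entry still has to be identified before it is removed, and an O17 NameServer entry is only a problem if the addresses are not the ISP's.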
     
  2. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,162
    Are you running any kind of anti-virus? You've got so much bad stuff in there. I will request that this be moved over to security for assistance.

    In the meantime,
    Please download and run the following programs.

    AD-AWARE

    Go here: http://www.lavasoftusa.com/support/download/
    and download Ad-Aware 6 Build 181

    Install the program and launch it.

    First in the main window look in the bottom right-hand corner and click on Check for updates now and download the latest reference files.

    Make sure the following settings are made and on -------ON=GREEN

    From main window: Click Start then Activate in-depth scan (recommended)

    Click Use custom scanning options then click Customize and have these options selected: Under Drives and Folders put a check by Scan within archives and below that under Memory and Registry put a check by all the options there.

    Now click on the Tweak button in that same window. Under Scanning engine select Unload recognized processes during scanning and under Cleaning Engine select Let windows remove files in use at next reboot

    Click proceed to save your settings.

    Now to scan just click the Next button.

    When the scan is finished mark everything for removal and get rid of it. (Right click the window and choose select all from the drop down menu and click Next)

    Restart your computer

    Download and run: SPYBOT SEARCH & DESTROY, here:

    http://download.com.com/3000-2144-1...tml?tag=lst-0-1

    Open Spybot Search & Destroy (click Start, Programs, Spybot S&D (Advanced Mode)). Click Online, Search for updates, Download all available updates. Close all browser windows, click "Check for Problems", put a check in every entry Spybot Search & Destroy flags with a red exclamation mark and click "Fix Selected Problems", then restart your computer.

    Download both of these for added protection: SPYWAREBLASTER & SPYWAREGUARD, here:

    http://www.javacoolsoftware.com/spywareblaster.html

    Once you've done all that please post another Hijack This log. There will be more to do.

    Cookie
     
  3. Steve-x8086

    Steve-x8086 Thread Starter

    Joined:
    Apr 19, 1999
    Messages:
    607
    First Name:
    Steve
    That's what I figured. It is the computer of a relative and they just download, download and download. They did have Norton in there but I don't think they set it up right.

    Tomorrow, Sunday, I will run the programs as you suggested and post another log.

    Thanks a bunch, Steve-x8086
     
  4. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,162
    I don't see Norton running in there anywhere so I guess they didn't set it up right. That's very important for starters.

    In the meantime, you can do a couple of on-line scans that should clean out some of the stuff. If they can't get Norton up and running, they should get one of the free anti-virus programs that are available, like AVG which you can download at: http://www.grisoft.com/us/us_index.php

    Do scans at these sites:

    http://housecall.trendmicro.com/

    Let us know what they found.

    I'll check back tomorrow

    Cookie
     
  5. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    O4 - HKLM\..\Run: [rkz] C:\WINDOWS\rkz.exe

    What is that??????? :eek:
     
Short URL to this thread: https://techguy.org/223499