1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

[SOLVED] HijackThis Log - Need Help Please

Discussion in 'Virus & Other Malware Removal' started by shesun4givn2, Aug 19, 2003.

Thread Status:
Not open for further replies.
Advertisement
  1. shesun4givn2

    shesun4givn2 Thread Starter

    Joined:
    Jul 7, 2003
    Messages:
    237
    Logfile of HijackThis v1.95.0
    Scan saved at 7:39:40 PM, on 8/19/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\System32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\System32\S3apphk.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\CallWave\IAM.exe
    c:\Program Files\Microsoft Money\System\urlmap.exe
    C:\Documents and Settings\Owner\Favorites\Media\My Documents\Downloads\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://srch-us5.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://us5.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://srch-us5.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://us5.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://srch-us5.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://srch-us5.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://us5.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://srch-us5.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://srch-us5.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://srch-us5.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
    O1 - Hosts: 217.116.231.7 aimtoday.aol.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
    O9 - Extra button: MktBrowser (HKLM)
    O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: ChatSpace Full Java Client 2.1.0.84 - http://about.chatspace.com/Java/cs4fs084.cab
    O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
    O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at0_x.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
    O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
    O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2C38A62E-D257-40E8-8BB7-5624E38FEB0A} - http://rain.prohosting.com/mwebcam/cgi-bin/index.cgi
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {3B02AAA2-327C-40ED-A849-4BE819AE5385} (ImgSizer Control) - file://C:\Documents and Settings\Owner\Local Settings\Temp\~DlfnTmp0\imgSizer.ocx
    O16 - DPF: {4226E9B7-D637-40E8-893A-13298AB41477} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
    O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://play.toontown.com/ttinst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio5_0_2_6.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab


    Thx,
    Shes :)
     
  2. brendandonhu

    brendandonhu

    Joined:
    Jul 8, 2002
    Messages:
    14,681
    Run HijackThis again. Click Scan. Put a checkmark next to every one of the following items. Click Fix Checked.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://srch-us5.hpwis.com/

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://us5.hpwis.com/

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://srch-us5.hpwis.com/

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://us5.hpwis.com/

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://srch-us5.hpwis.com/

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://srch-us5.hpwis.com/

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://us5.hpwis.com/

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://srch-us5.hpwis.com/

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://srch-us5.hpwis.com/

    O1 - Hosts: 217.116.231.7 aimtoday.aol.com

    O9 - Extra button: MktBrowser (HKLM)

    O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)
     
  3. winchester73

    winchester73

    Joined:
    Aug 18, 2003
    Messages:
    2,438
    If you want to further examine your computer, you might want to download and install the free Ad-aware 6 Personal Build 181, available at this site: http://www.lavasoft.de/support/download/

    [After it is installed, make sure to read through the Help Manual to get familiar with the program.]

    Next, start A-A ... on the start-up screen, you will need to first run the Webupdate Feature (gear wheel at the top), or click "check for updates" to get the Reference File up to date. Currently there are multiple updates each week to keep up with the latest developments in this anti-trackware arena. Ad-Aware's database is almost twice as big as some of the other anti-trackware applications, and new targets are added/updated 2 or 3 times a week lately.

    Please use either the Smart Scan or the Custom Scan with Memory and Both registry scans ON. Also.... make sure that you activate IN-DEPTH scanning before you proceed, whichever mode you choose.

    [NOTE: If you used any other Anti-Trackware application to remove detected content immediately prior to running a scan with Ad-aware 6 you will need to perform a Custom Full System scan to ensure that the objects have all been successfully removed.]

    Then we recommend that you have these options checked:
    Under Ad-aware 6 Settings, Tweaks, Scanning Engine:
    "Unload recognized processes during scanning."
    Under Ad-aware 6 Settings, Tweaks, Cleaning Engine:
    "Automatically try to unregister objects prior to deletion."
    "Let Windows remove files in use after reboot."

    Next ...

    Run Ad-aware 6.
    Mark the objects you wish to eliminate for removal. There are many options available with a right-click.
    Make a Quarantine only if you do not have the Auto-Quarantine option ON.
    Then choose "Next" to remove the chosen objects.
    Finally ... Reboot
     
  4. shesun4givn2

    shesun4givn2 Thread Starter

    Joined:
    Jul 7, 2003
    Messages:
    237
    Thx for your help Brendandonhu & Winchester73 :)

    I'll remove the suggested items thru HJT Brendandonhu - thank you very much. Hopefully I'll learn enough about HJT soon, so I'll be able to help answer these questions instead of asking them all the time. ;)

    Thanks for the suggested configuration of A-A 6 Winchester. I have the download and I use your suggested config for the Custom Scan, but I was not aware of the tweaks needed. Thanks a bunch! :)

    Have a great day!
    She's
     
  5. winchester73

    winchester73

    Joined:
    Aug 18, 2003
    Messages:
    2,438
    Glad my suggestions were of some value ...

    SmartScan is a set of preset scanning options. Ad-aware now comes with a pre-defined set of settings that most users should find sufficient for their scanning needs. Of course, should a user require or want more or less than defined here, they can always perform a custom scan.

    SmartScan uses these scanning options: Scan Memory, Scan Registry, Deep Scan Registry, System Folder, Cookies, and then the conditional scans based on what's located.
     
  6. brendandonhu

    brendandonhu

    Joined:
    Jul 8, 2002
    Messages:
    14,681
    [tsg=yourewelcome][/tsg]
    http://forums.techguy.org/t147485/s.html
     
  7. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Similar Threads - [SOLVED] HijackThis Need
  1. hfrei
    Replies:
    1
    Views:
    340
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/157462

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice