Solved: hjt log guestions

barncat · Jan 23, 2005

i have some questions about these entries in my hjt log. how do i find what these are are doing? can i "fix" these to see what happens? Any suspicious things in the log???/ THANKS ......

O2 - BHO: (no name) - {0055C089-8582-441B-A0BF-17B458C2A3A8} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)

O16 - DPF: {11111111-1111-1111-2222-111111111157} -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -

O9 - Extra button: ZDelete Auto-Cleaner (HKCU)

Logfile of HijackThis v1.97.3
Scan saved at 7:42:31 AM, on 1/23/05
Platform: Windows 95 B (Win9x 4.00.1111)
MSIE: Internet Explorer v4.70 SP1 (4.70.0000.1155)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\WINDOWS\SYSTEM\LOADWC.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = {BROWSER_HOMEPAGE}
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: (no name) - {0055C089-8582-441B-A0BF-17B458C2A3A8} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\PROGRA~1\LOGITECH\ITOUCH\iTouch.exe
O4 - HKLM\..\Run: [ZE5IECONFIG] regedit.exe /s "{INSTALL_DIR}\MSIE.REG"
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: ZDelete Auto-Cleaner (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://start.earthlink.net
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Macromedia Active Shockwave) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {11111111-1111-1111-2222-111111111157} -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -

Cookiegal · Jan 23, 2005

Your version of Hijack This is seriously outdated. Please get the new one and post another log.

http://www.thespykiller.co.uk/files/hijackthis_sfx.exe

barncat · Jan 23, 2005

THANK YOU.....GOT THE new log..... oh, i found out what the zdelete thing is.....
still get these that i would like to find out how to find out what they are: thanks
O2 - BHO: (no name) - {0055C089-8582-441B-A0BF-17B458C2A3A8} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O16 - DPF: {11111111-1111-1111-2222-111111111157} -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -

Logfile of HijackThis v1.99.0
Scan saved at 12:27:29 PM, on 1/23/05
Platform: Windows 95 B (Win9x 4.00.1111)
MSIE: Internet Explorer v4.70 SP1 (4.70.0000.1155)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\WINDOWS\SYSTEM\LOADWC.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = {BROWSER_HOMEPAGE}
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
O2 - BHO: (no name) - {0055C089-8582-441B-A0BF-17B458C2A3A8} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\PROGRA~1\LOGITECH\ITOUCH\iTouch.exe
O4 - HKLM\..\Run: [ZE5IECONFIG] regedit.exe /s "{INSTALL_DIR}\MSIE.REG"
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: ZDelete Auto-Cleaner - {EB7F329E-F14E-48ae-AB69-4E28C492D382} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL (HKCU)
O13 - WWW. Prefix: http://
O14 - IERESET.INF: START_PAGE_URL=http://start.earthlink.net
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {11111111-1111-1111-2222-111111111157} -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -

Cookiegal · Jan 23, 2005

You can check BHO's here:

http://computercops.biz/bhotb-all.html

The two you mentioned are legit but can be fixed because their files are missing.

The O16's you can check in SpywareBlaster by clicking on Internet Explorer, then right click in the area where the bad entries are shown and select find - then copy the number portion of the O16 entry in the dialog box that opens up then click OK. If it finds it there, then it's bad. There are some entries that bad that don't show there but it's a guideline. The rest you have to research.

You can get SpywareBlaster here (I'm not sure if 95 supports it though):

http://www.javacoolsoftware.com/spywareblaster.html

Rescan with Hijack This, close all browser windows except Hijack This, put a check mark beside these entries and click fix checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =

O2 - BHO: (no name) - {0055C089-8582-441B-A0BF-17B458C2A3A8} - (no file)

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O13 - WWW. Prefix: http://

O14 - IERESET.INF: START_PAGE_URL=http://start.earthlink.net

O16 - DPF: {11111111-1111-1111-2222-111111111157} -

Are you runnng this reg edit file knowingly and intentionally?
O4 - HKLM\..\Run: [ZE5IECONFIG] regedit.exe /s "{INSTALL_DIR}\MSIE.REG"

barncat · Jan 23, 2005

thank you for all your effort...lots of info for me to absorb.....this regedit thing , HKLM\..\Run: [ZE5IECONFIG] regedit.exe /s "{INSTALL_DIR}\MSIE.REG",
is what is showing up as an error message at startup!!!! i didn't recognise the hjt entry as the error message...can i delete that reg key? or just "fix" in hjt???

THANK YOU very much for all your help....

i neither intentionally or knowingly do anything....

barncat · Jan 23, 2005

hjt "fix" took care of the error message ,"regedit----".....thanks again!

Cookiegal · Jan 23, 2005

You're welcome.

Do a search to see if you can locate that .reg file and if you find it, delete it.

BTW, the other O16 entry you were asking about was from Trend Micro's Housecall on-line scan so legit.

Read here to see how to tighten your security:

http://forums.techguy.org/t208517.html

barncat · Jan 30, 2005

these came back! do i need to do more than just "fix" with hjt???? thanks

O2 - BHO: (no name) - {0055C089-8582-441B-A0BF-17B458C2A3A8} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O16 - DPF: {11111111-1111-1111-2222-111111111157}

Cookiegal · Jan 30, 2005

Please post the entire Hijack This log.

barncat · Jan 30, 2005

oh, sorry.....here is current ...i deleted the above items today....thanks.....

Logfile of HijackThis v1.99.0
Scan saved at 6:25:48 PM, on 1/30/05
Platform: Windows 95 B (Win9x 4.00.1111)
MSIE: Internet Explorer v4.70 SP1 (4.70.0000.1155)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\WINDOWS\SYSTEM\LOADWC.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\ANALOGX\COOKIEWALL\COOKIE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\tapiexe.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = {BROWSER_HOMEPAGE}
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\PROGRA~1\LOGITECH\ITOUCH\iTouch.exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: ZDelete Auto-Cleaner - {EB7F329E-F14E-48ae-AB69-4E28C492D382} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL (HKCU)
O13 - WWW. Prefix: http://
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -

Cookiegal · Jan 30, 2005

BTW, those two BHO's are not malicious, one is for Internet Download Manager and the other is for Adobe Acrobat Reader, but their files are missing.

Rescan with Hijack This and have it fix these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O13 - WWW. Prefix: http://

barncat · Jan 31, 2005

Thank You again....i feel like such a dunce...i read and read, but not much of this computer stuff stays with me....and i must be really out of step when it comes to compatibility with software...i find most programs irritating at best and some popular ones as obnoxious, ie, adobe....if i accidently clk on a pdf link adobe stops my computer while it loads........so, i collect garbage in my computer when i uninstall it.....thanks you very much for all the help.....

Cookiegal · Jan 31, 2005

You're welcome.

Log in or Sign up

Solved: hjt log guestions

barncat Thread Starter

Cookiegal Administrator Malware Specialist Coordinator

barncat Thread Starter

Cookiegal Administrator Malware Specialist Coordinator

barncat Thread Starter

barncat Thread Starter

Cookiegal Administrator Malware Specialist Coordinator

barncat Thread Starter

Cookiegal Administrator Malware Specialist Coordinator

barncat Thread Starter

Cookiegal Administrator Malware Specialist Coordinator

barncat Thread Starter

Cookiegal Administrator Malware Specialist Coordinator

Sponsor

Welcome to Tech Support Guy!

Log in or Sign up

Solved: hjt log guestions

barncat Thread Starter

Cookiegal Administrator Malware Specialist Coordinator

barncat Thread Starter

Cookiegal Administrator Malware Specialist Coordinator

barncat Thread Starter

barncat Thread Starter

Cookiegal Administrator Malware Specialist Coordinator

barncat Thread Starter

Cookiegal Administrator Malware Specialist Coordinator

barncat Thread Starter

Cookiegal Administrator Malware Specialist Coordinator

barncat Thread Starter

Cookiegal Administrator Malware Specialist Coordinator

Sponsor

Welcome to Tech Support Guy!

Useful Searches