
Solved: hjt log questions

Discussion in 'Virus & Other Malware Removal' started by barncat, Jan 23, 2005.

Thread Status:
Not open for further replies.
  1. barncat

    barncat Thread Starter

    Joined:
    Jan 11, 2005
    Messages:
    253
    i have some questions about these entries in my hjt log. how do i find what these are doing? can i "fix" these to see what happens? Any suspicious things in the log??? THANKS ......

    O2 - BHO: (no name) - {0055C089-8582-441B-A0BF-17B458C2A3A8} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)

    O16 - DPF: {11111111-1111-1111-2222-111111111157} -
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -

    O9 - Extra button: ZDelete Auto-Cleaner (HKCU)




    Logfile of HijackThis v1.97.3
    Scan saved at 7:42:31 AM, on 1/23/05
    Platform: Windows 95 B (Win9x 4.00.1111)
    MSIE: Internet Explorer v4.70 SP1 (4.70.0000.1155)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
    C:\WINDOWS\SYSTEM\LOADWC.EXE
    C:\WINDOWS\ptsnoop.exe
    C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = {BROWSER_HOMEPAGE}
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

    O2 - BHO: (no name) - {0055C089-8582-441B-A0BF-17B458C2A3A8} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\PROGRA~1\LOGITECH\ITOUCH\iTouch.exe
    O4 - HKLM\..\Run: [ZE5IECONFIG] regedit.exe /s "{INSTALL_DIR}\MSIE.REG"
    O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: ZDelete Auto-Cleaner (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://start.earthlink.net
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Macromedia Active Shockwave) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {11111111-1111-1111-2222-111111111157} -
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
     
  2. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,186
  3. barncat

    barncat Thread Starter

    Joined:
    Jan 11, 2005
    Messages:
    253
    THANK YOU.....GOT THE new log.....:) oh, i found out what the zdelete thing is.....
    still get these that i would like to find out how to find out what they are: thanks
    O2 - BHO: (no name) - {0055C089-8582-441B-A0BF-17B458C2A3A8} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
    O16 - DPF: {11111111-1111-1111-2222-111111111157} -
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -


    Logfile of HijackThis v1.99.0
    Scan saved at 12:27:29 PM, on 1/23/05
    Platform: Windows 95 B (Win9x 4.00.1111)
    MSIE: Internet Explorer v4.70 SP1 (4.70.0000.1155)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
    C:\WINDOWS\SYSTEM\LOADWC.EXE
    C:\WINDOWS\ptsnoop.exe
    C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = {BROWSER_HOMEPAGE}
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
    O2 - BHO: (no name) - {0055C089-8582-441B-A0BF-17B458C2A3A8} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\PROGRA~1\LOGITECH\ITOUCH\iTouch.exe
    O4 - HKLM\..\Run: [ZE5IECONFIG] regedit.exe /s "{INSTALL_DIR}\MSIE.REG"
    O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: ZDelete Auto-Cleaner - {EB7F329E-F14E-48ae-AB69-4E28C492D382} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL (HKCU)
    O13 - WWW. Prefix: http://
    O14 - IERESET.INF: START_PAGE_URL=http://start.earthlink.net
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {11111111-1111-1111-2222-111111111157} -
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
     
  4. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,186
    You can check BHO's here:

    http://computercops.biz/bhotb-all.html

    The two you mentioned are legit but can be fixed because their files are missing.

    The O16's you can check in SpywareBlaster by clicking on Internet Explorer, then right click in the area where the bad entries are shown and select find - then copy the number portion of the O16 entry in the dialog box that opens up then click OK. If it finds it there, then it's bad. There are some entries that are bad that don't show there but it's a guideline. The rest you have to research.

    You can get SpywareBlaster here (I'm not sure if 95 supports it though):

    http://www.javacoolsoftware.com/spywareblaster.html

    Rescan with Hijack This, close all browser windows except Hijack This, put a check mark beside these entries and click “fix checked”.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =

    O2 - BHO: (no name) - {0055C089-8582-441B-A0BF-17B458C2A3A8} - (no file)

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)

    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

    O13 - WWW. Prefix: http://

    O14 - IERESET.INF: START_PAGE_URL=http://start.earthlink.net

    O16 - DPF: {11111111-1111-1111-2222-111111111157} -



    Are you running this reg edit file knowingly and intentionally?
    O4 - HKLM\..\Run: [ZE5IECONFIG] regedit.exe /s "{INSTALL_DIR}\MSIE.REG"
     
  5. barncat

    barncat Thread Starter

    Joined:
    Jan 11, 2005
    Messages:
    253
    thank you for all your effort...lots of info for me to absorb.....this regedit thing , HKLM\..\Run: [ZE5IECONFIG] regedit.exe /s "{INSTALL_DIR}\MSIE.REG",
    is what is showing up as an error message at startup!!!! i didn't recognise the hjt entry as the error message...can i delete that reg key? or just "fix" in hjt???

    THANK YOU very much for all your help....


    i neither intentionally nor knowingly do anything....:)
     
  6. barncat

    barncat Thread Starter

    Joined:
    Jan 11, 2005
    Messages:
    253
    hjt "fix" took care of the error message ,"regedit----".....thanks again!
     
  7. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,186
    You're welcome.

    Do a search to see if you can locate that .reg file and if you find it, delete it.

    BTW, the other O16 entry you were asking about was from Trend Micro's Housecall on-line scan so legit.

    Read here to see how to tighten your security:

    http://forums.techguy.org/t208517.html
     
  8. barncat

    barncat Thread Starter

    Joined:
    Jan 11, 2005
    Messages:
    253
    these came back! do i need to do more than just "fix" with hjt???? thanks

    O2 - BHO: (no name) - {0055C089-8582-441B-A0BF-17B458C2A3A8} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
    O16 - DPF: {11111111-1111-1111-2222-111111111157}
     
  9. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,186
    Please post the entire Hijack This log.
     
  10. barncat

    barncat Thread Starter

    Joined:
    Jan 11, 2005
    Messages:
    253
    oh, sorry.....here is current ...i deleted the above items today....thanks.....

    Logfile of HijackThis v1.99.0
    Scan saved at 6:25:48 PM, on 1/30/05
    Platform: Windows 95 B (Win9x 4.00.1111)
    MSIE: Internet Explorer v4.70 SP1 (4.70.0000.1155)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
    C:\WINDOWS\SYSTEM\LOADWC.EXE
    C:\WINDOWS\ptsnoop.exe
    C:\PROGRAM FILES\ANALOGX\COOKIEWALL\COOKIE.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\tapiexe.exe
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = {BROWSER_HOMEPAGE}
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\PROGRA~1\LOGITECH\ITOUCH\iTouch.exe
    O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: ZDelete Auto-Cleaner - {EB7F329E-F14E-48ae-AB69-4E28C492D382} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL (HKCU)
    O13 - WWW. Prefix: http://
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
     
  11. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,186
    BTW, those two BHO's are not malicious, one is for Internet Download Manager and the other is for Adobe Acrobat Reader, but their files are missing.

    Rescan with Hijack This and have it fix these entries:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

    O13 - WWW. Prefix: http://
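
An added example, not part of the original thread and not HijackThis's own code: a Python check that flags the kinds of dangling entries discussed above (a BHO whose file is missing, a DPF entry with no download source, a Run command with an unexpanded installer placeholder) and reports which of them persist between two scans. The function names and reason strings are hypothetical; as the replies note, a dangling entry is not necessarily malicious.

```python
import re

# Sample input: lines excerpted from the two HijackThis v1.99.0 logs posted in this thread.
SCAN_JAN23 = r"""
O2 - BHO: (no name) - {0055C089-8582-441B-A0BF-17B458C2A3A8} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [ZE5IECONFIG] regedit.exe /s "{INSTALL_DIR}\MSIE.REG"
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {11111111-1111-1111-2222-111111111157} -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
"""
SCAN_JAN30 = r"""
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
"""

ENTRY = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PLACEHOLDER = re.compile(r"\{[A-Z_]+\}")  # installer variable never expanded, e.g. {INSTALL_DIR}

def orphaned(log):
    """Return {key: reason} for entries that point at nothing usable."""
    found = {}
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, process list or blank line
        sec, body = m["sec"], m["body"].strip()
        clsid = CLSID.search(body)
        if sec == "O2" and clsid and body.endswith("(no file)"):
            found[clsid.group().upper()] = "BHO registered, file missing"
        elif sec == "O16" and clsid and body.endswith("-"):
            found[clsid.group().upper()] = "ActiveX entry with no download source"
        elif sec == "O4" and PLACEHOLDER.search(body):
            found[body] = "startup command with unexpanded placeholder"
    return found

def persisting(before, after):
    """Keys flagged in both scans, i.e. entries that survived or came back."""
    a, b = orphaned(before), orphaned(after)
    return sorted(k for k in a if k in b)
```

On these excerpts the only entry flagged in both scans is the `{74D05D43-...}` DPF entry, which a later reply identifies as coming from Trend Micro's Housecall.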
     
  12. barncat

    barncat Thread Starter

    Joined:
    Jan 11, 2005
    Messages:
    253
    Thank You again....i feel like such a dunce...i read and read, but not much of this computer stuff stays with me....and i must be really out of step when it comes to compatibility with software...i find most programs irritating at best and some popular ones as obnoxious, ie, adobe....if i accidentally click on a pdf link adobe stops my computer while it loads........so, i collect garbage in my computer when i uninstall it.....thank you very much for all the help.....
     
  13. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,186
    You're welcome.
     

Short URL to this thread: https://techguy.org/322538
