Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Hijack This Log/about:blank, etc.

Started by coachwife6 , Aug 12 2004 09:42 AM

  • Please log in to reply

#1
coachwife6
Posted 12 August 2004 - 09:42 AM

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
I am helping a friend clean up her computer. I have run spybot S&D 1.3, installed Spyblaster, run Ad-aware, Run The Cleaner, Turned off System Restore, etc. Any help you could give me would be appreciated.


Logfile of HijackThis v1.98.2
Scan saved at 10:37:22 AM, on 8/12/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\S3apphk.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\QUICKENW\QAGENT.EXE
C:\WINDOWS\System32\mrtMngr.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\documents and settings\owner\local settings\temp\PCz7AAC.exe
C:\documents and settings\owner\local settings\temp\q.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\szchost.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 2 for hijackthis[1].zip\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: VPN-OEM Extension - {89044184-F260-4FDD-8FAB-2662814846E5} - C:\WINDOWS\System32\wmhshell.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C4E4AB5F-3FA9-4691-A8FA-31E343F9EF74} - C:\WINDOWS\System32\oed.dll (file missing)
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [video[1]] C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\M9ONU5E9\video[1].exe
O4 - HKLM\..\Run: [video] C:\Documents and Settings\Owner\My Documents\My Pictures\video.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [rb32 ml710e] "C:\Program Files\RapidBlaster\rb32.exe"
O4 - HKLM\..\Run: [update32] C:\windows\configs.exe
O4 - HKLM\..\Run: [cmd32] C:\configs.exe
O4 - HKLM\..\Run: [bbjsdkb] "C:\WINDOWS\System32\bbjsdkb.exe"
O4 - HKLM\..\Run: [wccvkkl] "C:\WINDOWS\System32\wccvkkl.exe"
O4 - HKLM\..\Run: [uecdyee] "C:\DOCUME~1\Owner\LOCALS~1\Temp\uecdyee.exe"
O4 - HKLM\..\Run: [PCz7AAC] C:\documents and settings\owner\local settings\temp\PCz7AAC.exe
O4 - HKLM\..\Run: [q] C:\documents and settings\owner\local settings\temp\q.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Zone system] C:\WINDOWS\szchost.exe
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\RunServices: [video[1]] C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\M9ONU5E9\video[1].exe
O4 - HKLM\..\RunServices: [video] C:\Documents and Settings\Owner\My Documents\My Pictures\video.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [HistoryKill] C:\Program Files\HistoryKill\histkill.exe /startup
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Owner\Application Data\DownloadPlus.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix:
O13 - WWW Prefix:
O16 - DPF: {11111111-1111-1111-1111-111111111237} - http://63.219.178.91/1/deaGB1007.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzill...ller/dwnldr.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://f1.pg.photos....plorer1_9us.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://picturecenter...loadControl.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.c...ebio5_1_5_0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F4D52D9-84F1-47B7-B802-CCD43A4E8518}: NameServer = 205.240.64.132,205.240.64.133
O17 - HKLM\System\CS1\Services\Tcpip\..\{3F4D52D9-84F1-47B7-B802-CCD43A4E8518}: NameServer = 205.240.64.132,205.240.64.133
O17 - HKLM\System\CS2\Services\Tcpip\..\{3F4D52D9-84F1-47B7-B802-CCD43A4E8518}: NameServer = 205.240.64.132,205.240.64.133
O18 - Filter: text/html - {C2C7209F-DF7E-4F56-918E-10758B9356E2} - C:\WINDOWS\System32\oed.dll
O18 - Filter: text/plain - {C2C7209F-DF7E-4F56-918E-10758B9356E2} - C:\WINDOWS\System32\oed.dll
O21 - SSODL: WebExtLocation - {FE2DB5FF-5ECF-11D2-B28F-0080C8383C7B} - C:\WINDOWS\System32\wmhshell.dll

Edited by coachwife6, 15 August 2004 - 01:52 PM.

  • 0

Advertisements

#2
Smokey
Posted 12 August 2004 - 10:00 AM

Smokey

    Member 1K

  • Retired Staff
  • 1,423 posts
Welcome to GTG coachwife6 <_<

You may wish to print out a copy of these instructions to follow while you complete this procedure. Please move Hijack This to a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.

Delete your temporary internet files To do this:

1. In Interent Explorer, go to "Tool", then "Internet Options"
2. Right in the middle, under "Temporary interent files", click the "Delete Files..." button
3. Make sure the box next to "Delete all offline content" is checked, and hit "OK"

Reboot in safe mode (by tapping F8 at startup and select safe mode from the menu). Be sure you're able to view hidden files, and remove the following files in bold:

C:\WINDOWS\System32\wmhshell.dll
C:\Program Files\RapidBlaster\ <- Folder
C:\windows\configs.exe
C:\configs.exe
C:\WINDOWS\System32\bbjsdkb.exe
C:\WINDOWS\System32\wccvkkl.exe
C:\Documents and Settings\Owner\Local Settings\Temp\uecdyee.exe
C:\documents and settings\owner\local settings\temp\PCz7AAC.exe
C:\documents and settings\owner\local settings\temp\q.exe
C:\WINDOWS\szchost.exe
C:\Windows\nwiz.exe <- If it's not there, it's here
C:\Windows\System32\nwiz.exe
C:\Documents and Settings\Owner\My Documents\My Pictures\video.exe

Next, please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: VPN-OEM Extension - {89044184-F260-4FDD-8FAB-2662814846E5} - C:\WINDOWS\System32\wmhshell.dll
O2 - BHO: (no name) - {C4E4AB5F-3FA9-4691-A8FA-31E343F9EF74} - C:\WINDOWS\System32\oed.dll (file missing)
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [video] C:\Documents and Settings\Owner\My Documents\My Pictures\video.exe
O4 - HKLM\..\Run: [rb32 ml710e] "C:\Program Files\RapidBlaster\rb32.exe"
O4 - HKLM\..\Run: [update32] C:\windows\configs.exe
O4 - HKLM\..\Run: [cmd32] C:\configs.exe
O4 - HKLM\..\Run: [bbjsdkb] "C:\WINDOWS\System32\bbjsdkb.exe"
O4 - HKLM\..\Run: [wccvkkl] "C:\WINDOWS\System32\wccvkkl.exe"
O4 - HKLM\..\Run: [uecdyee] "C:\DOCUME~1\Owner\LOCALS~1\Temp\uecdyee.exe"
O4 - HKLM\..\Run: [PCz7AAC] C:\documents and settings\owner\local settings\temp\PCz7AAC.exe
O4 - HKLM\..\Run: [q] C:\documents and settings\owner\local settings\temp\q.exe
O4 - HKLM\..\Run: [Zone system] C:\WINDOWS\szchost.exe
O4 - HKLM\..\RunServices: [video] C:\Documents and Settings\Owner\My Documents\My Pictures\video.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O13 - DefaultPrefix:
O13 - WWW Prefix:
O16 - DPF: {11111111-1111-1111-1111-111111111237} - http://63.219.178.91/1/deaGB1007.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O18 - Filter: text/html - {C2C7209F-DF7E-4F56-918E-10758B9356E2} - C:\WINDOWS\System32\oed.dll
O18 - Filter: text/plain - {C2C7209F-DF7E-4F56-918E-10758B9356E2} - C:\WINDOWS\System32\oed.dll
O21 - SSODL: WebExtLocation - {FE2DB5FF-5ECF-11D2-B28F-0080C8383C7B} - C:\WINDOWS\System32\wmhshell.dll

Deleting the following you don't use will help speed yp yuor system:
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe" available through Start -> All programs
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime Quicktime Tray Icon
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet Yahoo Messenger

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log, and let us know how your system's working. :D
  • 0

#3
coachwife6
Posted 12 August 2004 - 02:11 PM

coachwife6

    SuperStar

  • Topic Starter
  • Retired Staff
  • 11,413 posts
You are so kind to help me out. I will try this right now and let you know.
I have worked many days on this and only posted as a last resort.
  • 0

#4
coachwife6
Posted 12 August 2004 - 04:14 PM

coachwife6

    SuperStar

  • Topic Starter
  • Retired Staff
  • 11,413 posts
I right-clicked on the start menu and went through Explore to take care of the first part of your instructions. There were several files I could not find, despite looking for more than two hours.

RapidBlaster
bbjsdkb.exe
Temp Files: uecdyee.exe; pcz7aac.exe and q.exe. and video.exe.

I did not want to go to the next step unless I have this one down. Thank you again in advance for your help. It is greatly appreciated.
  • 0

#5
Smokey
Posted 12 August 2004 - 04:16 PM

Smokey

    Member 1K

  • Retired Staff
  • 1,423 posts
Be sure you are viewing hidden files and folders:
http://www.xtra.co.n...1916458,00.html
  • 0

#6
coachwife6
Posted 12 August 2004 - 04:28 PM

coachwife6

    SuperStar

  • Topic Starter
  • Retired Staff
  • 11,413 posts
Thanks - quick feedback. I had unchecked the first part before I started everything, but missed the second part of the instructions of what needed to be unchecked. Thanks. I'll hold off on that Advil now! <_<
  • 0

#7
coachwife6
Posted 12 August 2004 - 05:21 PM

coachwife6

    SuperStar

  • Topic Starter
  • Retired Staff
  • 11,413 posts
I'm wondering if they were deleted when I deleted temporary files, since I saw on the Hijack This log that they were temps? I can't find them.
  • 0

#8
Smokey
Posted 12 August 2004 - 05:30 PM

Smokey

    Member 1K

  • Retired Staff
  • 1,423 posts
If you've done all you can, let's see a new HJT log. <_<
  • 0

#9
coachwife6
Posted 12 August 2004 - 05:32 PM

coachwife6

    SuperStar

  • Topic Starter
  • Retired Staff
  • 11,413 posts
I haven't done the hijack this check list yet.

Edited by coachwife6, 15 August 2004 - 01:53 PM.

  • 0

#10
admin
Posted 12 August 2004 - 06:40 PM

admin

    Founder Geek

  • Community Leader
  • 24,639 posts

Platform: Windows XP (WinNT 5.01.2600)

FYI, this system doesn't have the latest critical updates installed. Without them it will likely get reinfected very quickly.
  • 0

Advertisements

#11
coachwife6
Posted 12 August 2004 - 08:23 PM

coachwife6

    SuperStar

  • Topic Starter
  • Retired Staff
  • 11,413 posts
They wouldn't download. I was hoping once I got this all worked out, it would download. It downloads, but couldn't be installed.
  • 0

#12
coachwife6
Posted 12 August 2004 - 09:03 PM

coachwife6

    SuperStar

  • Topic Starter
  • Retired Staff
  • 11,413 posts
Here is the latest HiJackThis log. How does it look?

Logfile of HijackThis v1.98.0
Scan saved at 10:01:58 PM, on 8/12/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\S3apphk.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\QUICKENW\QAGENT.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\mrtMngr.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [video[1]] C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\M9ONU5E9\video[1].exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\RunServices: [video[1]] C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\M9ONU5E9\video[1].exe
O4 - HKCU\..\Run: [HistoryKill] C:\Program Files\HistoryKill\histkill.exe /startup
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Owner\Application Data\DownloadPlus.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzill...ller/dwnldr.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://f1.pg.photos....plorer1_9us.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://picturecenter...loadControl.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.c...ebio5_1_5_0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F4D52D9-84F1-47B7-B802-CCD43A4E8518}: NameServer = 205.240.64.132,205.240.64.133
O17 - HKLM\System\CS1\Services\Tcpip\..\{3F4D52D9-84F1-47B7-B802-CCD43A4E8518}: NameServer = 205.240.64.132,205.240.64.133
O17 - HKLM\System\CS2\Services\Tcpip\..\{3F4D52D9-84F1-47B7-B802-CCD43A4E8518}: NameServer = 205.240.64.132,205.240.64.133
  • 0

#13
Smokey
Posted 12 August 2004 - 09:10 PM

Smokey

    Member 1K

  • Retired Staff
  • 1,423 posts
Almost clean. You need to run disk cleanup. To do this:

1. Go to "Start", then "All Programs", "Accessories", "System Tools", and finally "Disk Cleanup"
2. Make sure all boxes are checked and press "OK"
3. Click "Yes" to confirm

Restart you PC, rescan, then post a new log. <_<
  • 0

#14
coachwife6
Posted 12 August 2004 - 09:13 PM

coachwife6

    SuperStar

  • Topic Starter
  • Retired Staff
  • 11,413 posts
I will do that in one minute. I am trying to download the critical updates, per admin.'s suggestion, but it failed again.

Edited by coachwife6, 15 August 2004 - 01:53 PM.

  • 0

#15
coachwife6
Posted 12 August 2004 - 09:21 PM

coachwife6

    SuperStar

  • Topic Starter
  • Retired Staff
  • 11,413 posts
I did disc clean-up, but there wasn't anything to clean up. Here is the new log. One question: the page always goes to http://c:/program
That page doesn't hook up to the internet. Instead shows as the intranet.


Logfile of HijackThis v1.98.0
Scan saved at 10:20:12 PM, on 8/12/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\S3apphk.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\QUICKENW\QAGENT.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\mrtMngr.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [video[1]] C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\M9ONU5E9\video[1].exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\RunServices: [video[1]] C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\M9ONU5E9\video[1].exe
O4 - HKCU\..\Run: [HistoryKill] C:\Program Files\HistoryKill\histkill.exe /startup
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Owner\Application Data\DownloadPlus.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzill...ller/dwnldr.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://f1.pg.photos....plorer1_9us.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://picturecenter...loadControl.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.c...ebio5_1_5_0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F4D52D9-84F1-47B7-B802-CCD43A4E8518}: NameServer = 205.240.64.132,205.240.64.133
O17 - HKLM\System\CS1\Services\Tcpip\..\{3F4D52D9-84F1-47B7-B802-CCD43A4E8518}: NameServer = 205.240.64.132,205.240.64.133
O17 - HKLM\System\CS2\Services\Tcpip\..\{3F4D52D9-84F1-47B7-B802-CCD43A4E8518}: NameServer = 205.240.64.132,205.240.64.133
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP