Hijackthis log [RESOLVED]

  • This topic is locked




  • Topic Starter
  • Member
  • 335 posts
OK, I am about to do that, but you said "reboot and let me know." Let you know what?
  • 0




    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Let me know if everything went as planned and how the popups are.



  • 0




  • Topic Starter
  • Member
  • 335 posts
Yeah, they are still coming, as annoying as ever. Can't you just give me a link to a temporary popup blocker until we fix this?

Edited by Sk0rch, 29 August 2005 - 04:49 PM.

  • 0



    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Please read the complete post first; you should copy and paste this post into a new text document or print it.
Download and install http://www.ccleaner.com/ccdownload.php

Download and install Adaware, uncheck "show help file" and "perform full system scan" at the end of the installation routine, perform the update and close Adaware. You will need it later.

Download and save to your Desktop; don't run it now, we will use it later:

Download and then double-click http://cwshredder.ne.../CWShredder.exe. Then close every window, disconnect from the Internet, and double-click the CWShredder icon on your Desktop.
Click Fix, OK and then Next; let it fix everything it asks about.

Run HijackThis
Click on Scan and put a check on the following lines, if they are still there:

all the R1's and R0's we have been checking off from the beginning :tazz:

Make sure all browser and Windows Explorer windows are closed and click on Fix.

Shut down all running programs, make sure that you are not connected to the internet!
Double-click the FxAgentB.exe file to start the removal tool.
Save the log it makes and post it in your next reply.
Please do NOT start any other applications until the removal tool exits and the computer is restarted.
Restart the computer.
Run the removal tool again to ensure that the system is clean.

Start CCleaner and click Run Cleaner.
Run Adaware and perform a full system scan.
Reboot and post a new HijackThis log.
  • 0




  • Topic Starter
  • Member
  • 335 posts
Symantec Backdoor.Agent.B Removal Tool

process: winlogon.exe, thread: 00000238 (terminated)
process: services.exe, thread: 00000284 (terminated)
process: lsass.exe, thread: 00000288 (terminated)
process: svchost.exe, thread: 00000330 (terminated)
process: svchost.exe, thread: 00000374 (terminated)
process: svchost.exe, thread: 000003E0 (terminated)
process: svchost.exe, thread: 00000460 (terminated)
process: svchost.exe, thread: 00000514 (terminated)
process: explorer.exe, thread: 000005CC (terminated)
process: spoolsv.exe, thread: 00000648 (terminated)
process: winampa.exe, thread: 00000718 (terminated)
process: rundll32.exe, thread: 0000073C (terminated)
process: SetPoint.exe, thread: 00000780 (terminated)
process: ewidoctrl.exe, thread: 000007D4 (terminated)
process: nvsvc32.exe, thread: 00000078 (terminated)
process: svchost.exe, thread: 000000C4 (terminated)
process: wdfmgr.exe, thread: 00000134 (terminated)
process: KHALMNPR.EXE, thread: 000000F4 (terminated)
process: alg.exe, thread: 00000934 (terminated)
process: notepad.exe, thread: 00000D24 (terminated)
process: FxAgentB.exe, thread: 000009F4 (terminated)

registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: AppInit_DLLs (value set to "")

C:\Documents and Settings\Owner.KEVIN: (not scanned)
C:\Program Files\Ultima Online 2D\Desktop: (not scanned)
C:\RECYCLER\S-1-5-21-4007067155-365516090-3097661178-1003\Dc3.net: (not scanned)
C:\RECYCLER\S-1-5-21-4007067155-365516090-3097661178-1003\Dc5.net: (not scanned)
C:\System Volume Information: (not scanned)
C:\WINDOWS\system32\comionc.dll: (will be deleted on next reboot)
C:\WINDOWS\Temp\Adware: (not scanned)
C:\WINDOWS\Temp\BullGuard: (not scanned)

The Backdoor.Agent.B removal was successful.
The system will delete 1 Backdoor.Agent.B files from your PC on next reboot.

Here is the report:

1 file(s) could not be deleted.
They will be deleted on next reboot.

The total number of the scanned files: 123638
The number of deleted files: 0
The number of viral processes terminated: 0
The number of viral threads terminated: 21
The number of registry entries fixed: 1

The tool initiated a system reboot.

Logfile of HijackThis v1.99.1
Scan saved at 3:49:19 PM, on 9/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Winamp\winampa.exe
C:\program files\steam\steam.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll/sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\earthlinkim\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1096169702640
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124393047008
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - http://us.dl1.yimg.c.../ymmapi_416.dll
O18 - Protocol: bw+0 - (no CLSID) - (no file)
O18 - Protocol: bw+0s - (no CLSID) - (no file)
O18 - Protocol: bw-0 - (no CLSID) - (no file)
O18 - Protocol: bw-0s - (no CLSID) - (no file)
O18 - Protocol: bw00 - (no CLSID) - (no file)
O18 - Protocol: bw00s - (no CLSID) - (no file)
O18 - Protocol: bw10 - (no CLSID) - (no file)
O18 - Protocol: bw10s - (no CLSID) - (no file)
O18 - Protocol: bw20 - (no CLSID) - (no file)
O18 - Protocol: bw20s - (no CLSID) - (no file)
O18 - Protocol: bw30 - (no CLSID) - (no file)
O18 - Protocol: bw30s - (no CLSID) - (no file)
O18 - Protocol: bw40 - (no CLSID) - (no file)
O18 - Protocol: bw40s - (no CLSID) - (no file)
O18 - Protocol: bw50 - (no CLSID) - (no file)
O18 - Protocol: bw50s - (no CLSID) - (no file)
O18 - Protocol: bw60 - (no CLSID) - (no file)
O18 - Protocol: bw60s - (no CLSID) - (no file)
O18 - Protocol: bw70 - (no CLSID) - (no file)
O18 - Protocol: bw70s - (no CLSID) - (no file)
O18 - Protocol: bw80 - (no CLSID) - (no file)
O18 - Protocol: bw80s - (no CLSID) - (no file)
O18 - Protocol: bw90 - (no CLSID) - (no file)
O18 - Protocol: bw90s - (no CLSID) - (no file)
O18 - Protocol: bwa0 - (no CLSID) - (no file)
O18 - Protocol: bwa0s - (no CLSID) - (no file)
O18 - Protocol: bwb0 - (no CLSID) - (no file)
O18 - Protocol: bwb0s - (no CLSID) - (no file)
O18 - Protocol: bwc0 - (no CLSID) - (no file)
O18 - Protocol: bwc0s - (no CLSID) - (no file)
O18 - Protocol: bwd0 - (no CLSID) - (no file)
O18 - Protocol: bwd0s - (no CLSID) - (no file)
O18 - Protocol: bwe0 - (no CLSID) - (no file)
O18 - Protocol: bwe0s - (no CLSID) - (no file)
O18 - Protocol: bwf0 - (no CLSID) - (no file)
O18 - Protocol: bwf0s - (no CLSID) - (no file)
O18 - Protocol: bwg0 - (no CLSID) - (no file)
O18 - Protocol: bwg0s - (no CLSID) - (no file)
O18 - Protocol: bwh0 - (no CLSID) - (no file)
O18 - Protocol: bwh0s - (no CLSID) - (no file)
O18 - Protocol: bwi0 - (no CLSID) - (no file)
O18 - Protocol: bwi0s - (no CLSID) - (no file)
O18 - Protocol: bwj0 - (no CLSID) - (no file)
O18 - Protocol: bwj0s - (no CLSID) - (no file)
O18 - Protocol: bwk0 - (no CLSID) - (no file)
O18 - Protocol: bwk0s - (no CLSID) - (no file)
O18 - Protocol: bwl0 - (no CLSID) - (no file)
O18 - Protocol: bwl0s - (no CLSID) - (no file)
O18 - Protocol: bwm0 - (no CLSID) - (no file)
O18 - Protocol: bwm0s - (no CLSID) - (no file)
O18 - Protocol: bwn0 - (no CLSID) - (no file)
O18 - Protocol: bwn0s - (no CLSID) - (no file)
O18 - Protocol: bwo0 - (no CLSID) - (no file)
O18 - Protocol: bwo0s - (no CLSID) - (no file)
O18 - Protocol: bwp0 - (no CLSID) - (no file)
O18 - Protocol: bwp0s - (no CLSID) - (no file)
O18 - Protocol: bwq0 - (no CLSID) - (no file)
O18 - Protocol: bwq0s - (no CLSID) - (no file)
O18 - Protocol: bwr0 - (no CLSID) - (no file)
O18 - Protocol: bwr0s - (no CLSID) - (no file)
O18 - Protocol: bws0 - (no CLSID) - (no file)
O18 - Protocol: bws0s - (no CLSID) - (no file)
O18 - Protocol: bwt0 - (no CLSID) - (no file)
O18 - Protocol: bwt0s - (no CLSID) - (no file)
O18 - Protocol: bwu0 - (no CLSID) - (no file)
O18 - Protocol: bwu0s - (no CLSID) - (no file)
O18 - Protocol: bwv0 - (no CLSID) - (no file)
O18 - Protocol: bwv0s - (no CLSID) - (no file)
O18 - Protocol: bww0 - (no CLSID) - (no file)
O18 - Protocol: bww0s - (no CLSID) - (no file)
O18 - Protocol: bwx0 - (no CLSID) - (no file)
O18 - Protocol: bwx0s - (no CLSID) - (no file)
O18 - Protocol: bwy0 - (no CLSID) - (no file)
O18 - Protocol: bwy0s - (no CLSID) - (no file)
O18 - Protocol: bwz0 - (no CLSID) - (no file)
O18 - Protocol: bwz0s - (no CLSID) - (no file)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
  • 0
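The helper's procedure in this thread comes down to checking the same R0/R1 lines each round and fixing whatever is still there. As an added example (not code from the forum, from HijackThis or from the helper), the Python below parses HijackThis-style entries and flags the patterns discussed above: R0/R1 values pointing at a res:// DLL in Temp, blanked start/search values, and the O18 protocol handlers with no CLSID and no file; the log excerpt is constructed from lines in the post.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
# Constructed excerpt of the HijackThis v1.99.1 log posted above (same entry
# format; a few lines of each section type are enough to show the triage).
HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll/sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O18 - Protocol: bw+0 - (no CLSID) - (no file)
O18 - Protocol: bwz0s - (no CLSID) - (no file)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")  # "<section> - <body>"
@dataclass
class Finding:
    section: str
    severity: str  # "high" | "medium" | "info"
    reason: str
    line: str

def classify(section: str, body: str) -> Finding | None:
    """Checks the helper walked through in this thread: hijacked R0/R1 values,
    orphaned O18 protocol handlers, and O4 autostart entries to review."""
    line = f"{section} - {body}"
    if section in ("R0", "R1"):
        value = body.split("=", 1)[1].strip() if "=" in body else ""
        # A res:// DLL under Temp as the IE search/start page is the
        # CoolWebSearch-style hijack CWShredder was run for earlier.
        if value.lower().startswith("res://") and "\\temp\\" in value.lower():
            return Finding(section, "high", "IE search/start page redirected to a DLL in Temp", line)
        if value in ("", "about:blank"):
            return Finding(section, "medium", "blanked IE start/search value; reset to a known page", line)
    elif section == "O18" and "(no CLSID)" in body and "(no file)" in body:
        return Finding(section, "medium", "orphaned protocol handler with no CLSID and no file", line)
    elif section == "O4":
        return Finding(section, "info", "autostart entry; verify publisher and path", line)
    return None  # O16, O23 and clean R0/R1 values are left for manual review

def triage(log_text: str) -> list[Finding]:
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m and (f := classify(m["section"], m["body"])):
            findings.append(f)
    return findings
if __name__ == "__main__":
    for f in triage(HJT_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```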




  • Topic Starter
  • Member
  • 335 posts
I asked this before but you never responded. The IE popups are still coming; can you not temporarily give me a link to an IE popup blocker until this is resolved? They are very annoying.
  • 0



    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
No I don't know of one, sorry.

Please read the complete post first; you should copy and paste this post into a new text document or print it.
Click here http://www.atribune..../DllCompare.exe to download DllCompare. Start the program and click Run Locate.com; be sure the \Windows\System32 directory is in the box and wait until the blue text says it has 'completed the scan'.

Click the Make a Log of what was found button, post the log here in this thread, and wait for further instructions.
  • 0




  • Topic Starter
  • Member
  • 335 posts
OK, here is the log. After what I did in post 124, I am pretty sure I have not had a popup, but maybe I am speaking too soon, or it is just temporarily solved.

* DLLCompare Log version()
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!

C:\WINDOWS\SYSTEM32\xceedzip.dll Fri May 11 2001 5:43:40p A..HR 397,856 388.53 K

1,463 items found: 1,463 files (1 H/S), 0 directories.
Total of file sizes: 342,665,552 bytes 326.79 M

Administrator Account = True

--------------------End log---------------------
  • 0



    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
geeze, here we go again...lol

Let me know


  • 0




  • Topic Starter
  • Member
  • 335 posts
I think it worked; I haven't had a popup ever since post #124 :tazz:.
  • 0




    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Great job, it appears your computer is clean :tazz:

Ensure you rehide your “hidden files and folders” back to the way they were.

Now that your system is malware free, it is important to reset your System Restore. Click Here to learn how.

I recommend that you Defrag your computer before setting your Restore points:

Go to Start > All Programs > Accessories > System Tools > Disk Defragmenter. Make sure it is set to the proper drive (the default should be your main drive) and click on Defragment.

Might I suggest the following free spyware programs, if you don't already have them, for added security; you can download them at the following links. These programs work great for detection:

Ad-aware SE
Spybot S&D
Microsoft Anti-Spyware

If you are unhappy with your current antivirus and want to replace it, or if you don't already have one, I suggest one of these free programs:
*Note - do not use more than one anti-virus program, as it will more than likely cause a conflict.


The following free programs are great for prevention:

SpywareBlaster 3.4

A Firewall is a must! Here are 3 good free versions:
(do not have more than one firewall running on your system)


There are browser options other than Internet Explorer, which some say have better security. Two of them are:


If you decide to keep Internet Explorer, this site is a great source for tightening up security on its settings.

Make sure that you keep your operating system and IE updated with the latest Critical Security Updates from Microsoft. They usually come out once a month, on the 2nd Tuesday of each month.

Be sure to give the Temp folders a cleaning out now and then as well. After you clean your Temp files, make sure to empty your Recycle Bin as well.
For ease, use the following program:

Run "Cleanup" and, when it has finished, reboot.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided. Also read How I got Infected.
  • 0




  • Topic Starter
  • Member
  • 335 posts
K, just did some of that, thanks a lot!
  • 0



    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
