Ebay & Yahoo Showing in Text Only


#1 BrianasMom (New Member, 7 posts)
Here's my log-

Logfile of HijackThis v1.99.1
Scan saved at 10:33:27 AM, on 8/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\Legato\AXIM ™\AXIM.exe
C:\Program Files\Legato\AXIM ™\EventHandler.exe
C:\MAILROOM\Bin\Mrmlnc32.exe
C:\Program Files\Microsoft Outlook\OFFICE11\OUTLOOK.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
F:\CLSINC\WBWIN\WB32.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\heather\Desktop\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ieplugin.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.ieplugin.com/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.ieplugin.com/q.cgi?q=%s
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Intelligent Explorer - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - C:\WINDOWS\systb.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [AXIM ™] C:\Program Files\Legato\AXIM ™\AXIM ™.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winshost.exe] C:\WINDOWS\System32\winshost.exe
O4 - HKLM\..\Run: [znhisj] c:\windows\system32\bplrvni.exe r
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
O4 - HKCU\..\Run: [winshost.exe] C:\WINDOWS\System32\winshost.exe
O4 - Global Startup: unidoc.lnk = C:\MAILROOM\Bin\Mrmlnc32.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {A80F2DB2-80A9-4834-8F5A-4AB70F4EF4C3} - C:\WINDOWS\systb.dll (file missing)
O9 - Extra 'Tools' menuitem: IMI - {A80F2DB2-80A9-4834-8F5A-4AB70F4EF4C3} - C:\WINDOWS\systb.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamp...34/sdcregie.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots....SDownloader.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124461016656
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {DF261D07-7E99-11D4-B2C7-009027A1F18A} (DDI Print Control Class v1.2 [ENU]) - https://www.imagine....rk/iedpwenu.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SGV.local
O17 - HKLM\Software\..\Telephony: DomainName = SGV.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SGV.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = SGV.local
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
#2 Metallica (Spyware Veteran, GeekU Moderator, 31,671 posts)
Download Process Explorer by Sysinternals from HERE
Unzip Process Explorer.

Open your C:\Windows\System32 folder and locate bplrvni.exe
Don't delete it yet, because you can't for the moment.
Leave your system32 folder open with the view on that bad file.

Now, doubleclick on procexp.exe

You'll see all the running processes there.
Search for c:\windows\system32\bplrvni.exe
Doubleclick on c:\windows\system32\bplrvni.exe

A new window will open.
You'll see several tabs on top.
Make sure the Threads tab is selected.
(normally that one will open by default)
You'll see two instances of that c:\windows\system32\bplrvni.exe in there.
Select the first one and click Kill
Answer YES at the prompt.

Now delete bplrvni.exe from your system32 folder.

Then check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ieplugin.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.ieplugin.com/search.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.ieplugin.com/q.cgi?q=%s

O2 - BHO: Intelligent Explorer - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - C:\WINDOWS\systb.dll (file missing)

O4 - HKLM\..\Run: [winshost.exe] C:\WINDOWS\System32\winshost.exe
O4 - HKLM\..\Run: [znhisj] c:\windows\system32\bplrvni.exe r

O4 - HKCU\..\Run: [winshost.exe] C:\WINDOWS\System32\winshost.exe

O9 - Extra button: (no name) - {A80F2DB2-80A9-4834-8F5A-4AB70F4EF4C3} - C:\WINDOWS\systb.dll (file missing)
O9 - Extra 'Tools' menuitem: IMI - {A80F2DB2-80A9-4834-8F5A-4AB70F4EF4C3} - C:\WINDOWS\systb.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

Download and run CWShredder from:
http://www.trendmicro.com/cwshredder/
Use the Fix button.

Reboot into safe mode and delete:
C:\WINDOWS\System32\winshost.exe

Boot back to normal and post a new log.

Regards,
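The reply above picks its "Fix checked" items by eye: search pages pointing at an unexpected host, references to files that no longer exist, and Run entries that start unfamiliar binaries out of System32 under a value name that does not match the file. The script below is an added example (not a tool from the original post or from HijackThis itself) that applies those same checks to a log. SAMPLE_LOG is a subset of the first log in this thread; the two allowlists and the "unknown System32 binary" heuristic are the editor's assumptions and would need tuning for another machine.

```python
"""Triage a HijackThis 1.99 log for the patterns the reply above singles out.

Added example; not a tool from the original post. SAMPLE_LOG is a subset of
the first log in the thread; the allowlists and heuristics are assumptions.
"""
import re
from urllib.parse import urlparse

# Subset of the first log posted above (R1/O2/O4/O9/O17 entries only).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ieplugin.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.ieplugin.com/q.cgi?q=%s
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Intelligent Explorer - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - C:\WINDOWS\systb.dll (file missing)
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [winshost.exe] C:\WINDOWS\System32\winshost.exe
O4 - HKLM\..\Run: [znhisj] c:\windows\system32\bplrvni.exe r
O4 - HKCU\..\Run: [winshost.exe] C:\WINDOWS\System32\winshost.exe
O9 - Extra 'Tools' menuitem: IMI - {A80F2DB2-80A9-4834-8F5A-4AB70F4EF4C3} - C:\WINDOWS\systb.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SGV.local
"""

# Assumed allowlist: hosts a start/search page may legitimately point at.
EXPECTED_HOSTS = {"www.yahoo.com", "www.msn.com", "www.microsoft.com", "companyweb"}
# Assumed allowlist: binaries that normally autostart from System32 on XP.
KNOWN_SYSTEM32_AUTORUNS = {"igfxtray.exe", "hkcmd.exe", "mobsync.exe", "ctfmon.exe"}

R_LINE = re.compile(r"^(R[01]) - .*? = (\S+)")
O4_LINE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")


def exe_path(command):
    """Executable part of an O4 command line (quoted, or unquoted with args)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    m = re.match(r"(.+?\.exe)(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command


def triage(log_text):
    """Return (section, reason, line) findings for one HijackThis log."""
    findings = []
    run_hives = {}  # executable basename -> hives that start it
    for line in log_text.splitlines():
        line = line.strip()
        if "(file missing)" in line:
            findings.append((line[:2], "reference to a missing file; orphaned, safe to fix", line))
        m = R_LINE.match(line)
        if m:
            host = urlparse(m.group(2)).hostname or m.group(2)
            if host not in EXPECTED_HOSTS:
                findings.append((m.group(1), f"start/search page hijacked to {host}", line))
            continue
        m = O4_LINE.match(line)
        if not m:
            continue
        hive, value_name, command = m.groups()
        path = exe_path(command)
        base = path.rsplit("\\", 1)[-1].lower()
        run_hives.setdefault(base, set()).add(hive)
        if "\\system32\\" not in path.lower():
            continue  # the heuristics below only apply to System32 autostarts
        if base not in KNOWN_SYSTEM32_AUTORUNS:
            findings.append(("O4", f"unknown binary {base} autostarting from System32", line))
        if value_name.lower() not in (base, base[:-4]):
            findings.append(("O4", f"Run value name '{value_name}' does not match {base}", line))
    for base, hives in run_hives.items():
        if hives == {"HKLM", "HKCU"}:
            findings.append(("O4", f"{base} is registered in both HKLM and HKCU Run", ""))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Run against the sample it reports the same nine problems the reply fixes by hand: both ieplugin.com search entries, the two systb.dll orphans, winshost.exe in both hives, and bplrvni.exe started under the unrelated value name "znhisj". The name-mismatch check is deliberately limited to System32 paths because legitimate vendors (QuickTime Task for qttask.exe, for instance) mismatch all the time; it is a supporting signal, not proof on its own.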
#3 BrianasMom (Topic Starter, New Member, 7 posts)
I have opened the Process Explorer, but do not see the .exe program-

This is what it shows when I save it:

Process PID CPU Description Company Name
System Idle Process 0 78.79
Interrupts n/a 1.52 Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4 4.55
smss.exe 384
csrss.exe 620
winlogon.exe 652
services.exe 696
svchost.exe 896
EventHandler.exe 3348 Handles Messages From AXIM.exe , This program does not run in a standalone mode. Documentum
msmsgs.exe 2060 Messenger Microsoft Corporation
svchost.exe 996
svchost.exe 1168
svchost.exe 1200
spoolsv.exe 1312
DefWatch.exe 1456
Rtvscan.exe 1548 7.58
lsass.exe 708
explorer.exe 2668 Windows Explorer Microsoft Corporation
hkcmd.exe 2976 hkcmd Module Intel Corporation
VPTray.exe 552 Symantec AntiVirus Symantec Corporation
AXIM.exe 968 Runs Actions Based On Plugins And Hotkeys And Captures Data From Other Programs Documentum
OUTLOOK.EXE 3844 Microsoft Office Outlook Microsoft Corporation
msimn.exe 820 Outlook Express Microsoft Corporation
IEXPLORE.EXE 3264 Internet Explorer Microsoft Corporation
WB32.EXE 332
IEXPLORE.EXE 2448 Internet Explorer Microsoft Corporation
procexp.exe 3656 7.58 Sysinternals Process Explorer Sysinternals

Process: explorer.exe Pid: 2668

Type Name
Desktop \Default
Directory \Windows
Directory \BaseNamedObjects
Directory \KnownDlls
Event
Event
Event
Event
Event
Event
Event
Event
Event
Event
Event
Event
Event
Event
Event
Event
Event
Event
Event
Event
Event
Event
Event
Event
Event
Event
Event \BaseNamedObjects\ShellReadyEvent
Event
Event
Event
Event
Event
Event
Event
Event
Event
Event
Event
Event
Event
Event
Event
Event
Event
Event
Event
Event \BaseNamedObjects\crypt32LogoffEvent
Event
Event
Event
Event \BaseNamedObjects\HPlugEjectEvent
Event
Event
Event
Event
Event
Event
Event
Event
Event
Event
Event
Event
Event
Event
Event \BaseNamedObjects\FaxSvcRPCStarted-1ed23866-f90b-4ec5-b77e-36e8709422b6
Event
Event
Event
Event
Event
Event
Event
Event
Event
Event \BaseNamedObjects\mixercallback
Event \BaseNamedObjects\hardwaremixercallback
Event
Event
Event
Event
Event
Event
Event
Event
Event
Event
Event
Event
Event
Event
Event
Event
Event
Event
Event
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805
File C:\Documents and Settings\heather\Desktop
File C:\Documents and Settings\All Users\Desktop
File C:\Documents and Settings\heather\Local Settings\Application Data\Microsoft\CD Burning
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805
File C:\Documents and Settings\All Users\Start Menu
File C:\Documents and Settings\heather\Cookies\index.dat
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805
File \Device\NamedPipe\ntsvcs
File C:\Documents and Settings\heather\Application Data\Microsoft\Internet Explorer\Quick Launch
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805
File \Device\Tcp
File \Device\Ip
File \Device\Ip
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805
File \Device\WMIDataDevice
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805
File C:\Documents and Settings\heather\PrintHood
File \Device\LanmanRedirector\SGVSBS\USERS\heather\My Documents
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805
File C:\Documents and Settings\heather\Favorites\Links
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805
File C:\Documents and Settings\heather\Local Settings\History\History.IE5\index.dat
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805
File C:\Documents and Settings\heather\Local Settings\Temporary Internet Files\Content.IE5\index.dat
File \Dfs
File C:\Documents and Settings\heather\Start Menu
File \Device\KSENUM#00000002
File \Device\KsecDD
File C:\Documents and Settings\heather
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805
IoCompletion
IoCompletion
IoCompletion
IoCompletion
Key HKCU\Software\Microsoft\Plus!\Themes\Apply
Key HKCU\Software\Microsoft\Internet Explorer\Security\P3Sites
Key HKCR\HTTP\shell
Key HKLM\SOFTWARE\Microsoft\Windows\Shell
Key HKCU\Software\Microsoft\Windows\ShellNoRoam
Key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
Key HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache
Key HKLM
Key HKU
Key HKCU\Software\Microsoft\Internet Explorer\Security\P3Global
Key HKCU\Software\Classes\CLSID
Key HKCU\Software\Microsoft\Windows\Shell
Key HKLM\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder
Key HKCU\Software\Microsoft\Windows\Shell\Bags\1\Desktop
Key HKCR\Applications\WB32.EXE
Key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
Key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
Key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
Key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count
Key HKLM\SYSTEM\ControlSet001\Services\Tcpip\Linkage
Key HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters
Key HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
Key HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters
Key HKCU
Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Key HKCU\Software\Classes
Key HKCR\Applications\WB32.EXE
Key HKCU\Software\Microsoft\Windows\Shell\Bags\1\Desktop
Key HKLM\SYSTEM\Setup
Key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
Key HKCR
Key HKLM\SOFTWARE\Microsoft\COM3
Key HKU
Key HKCR
Key HKU
Key HKLM\SOFTWARE\Microsoft\COM3
Key HKLM\SOFTWARE\Microsoft\COM3
Key HKCR\CLSID
Key HKCR
Key HKLM\SOFTWARE\Microsoft\COM3
Key HKU
Key HKLM\SOFTWARE\Microsoft\COM3
Key HKLM\SOFTWARE\Microsoft\COM3
Key HKCR\CLSID
KeyedEvent \KernelObjects\CritSecOutOfMemoryEvent
Mutant \BaseNamedObjects\c:!documents and settings!heather!cookies!
Mutant
Mutant \BaseNamedObjects\WininetStartupMutex
Mutant
Mutant
Mutant
Mutant \BaseNamedObjects\_SHuassist.mtx
Mutant
Mutant
Mutant \BaseNamedObjects\oleacc-msaa-loaded
Mutant
Mutant \BaseNamedObjects\c:!documents and settings!heather!local settings!temporary internet files!content.ie5!
Mutant \BaseNamedObjects\c:!documents and settings!heather!local settings!history!history.ie5!
Mutant
Mutant
Mutant
Mutant
Mutant \BaseNamedObjects\WininetConnectionMutex
Mutant
Mutant \BaseNamedObjects\WininetProxyRegistryMutex
Mutant \BaseNamedObjects\_!MSFTHISTORY!_
Mutant \BaseNamedObjects\ExplorerIsShellMutex
Mutant
Mutant
Mutant
Mutant \BaseNamedObjects\MidiMapper_Configure
Mutant \BaseNamedObjects\MidiMapper_modLongMessage_RefCnt
Mutant \BaseNamedObjects\ShimCacheMutex
Mutant
Port
Port
Port \RPC Control\OLEa4
Port
Port
Port
Port
Port
Port
Port
Port
Port
Port
Port
Port
Port
Port
Port
Port
Port
Port
Section
Section \BaseNamedObjects\C:_Documents and Settings_heather_Local Settings_Temporary Internet Files_Content.IE5_index.dat_16171008
Section \BaseNamedObjects\C:_Documents and Settings_heather_Cookies_index.dat_753664
Section \BaseNamedObjects\C:_Documents and Settings_heather_Local Settings_History_History.IE5_index.dat_1032192
Section \BaseNamedObjects\UrlZonesSM_heather
Section
Section \BaseNamedObjects\mmGlobalPnpInfo
Section \BaseNamedObjects\WDMAUD_Path_Size
Section \BaseNamedObjects\WDMAUD_Path_Size
Section \BaseNamedObjects\WDMAUD_Callbacks
Section \BaseNamedObjects\ShimSharedMemory
Section \BaseNamedObjects\__R_00000000000c_SMem__
Semaphore \BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}
Semaphore \BaseNamedObjects\shell.{7CB834F0-527B-11D2-9D1F-0000F805CA57}
Semaphore
Semaphore
Semaphore \BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}
Semaphore
Semaphore
Semaphore
Semaphore
Semaphore \BaseNamedObjects\shell.BitBucket.GlobalDirtyCount
Semaphore \BaseNamedObjects\shell.BitBucket.NumDeleters
Semaphore
Semaphore
Semaphore \BaseNamedObjects\PowerProfileRegistrySemaphore
Semaphore
Semaphore
Semaphore
Semaphore
Semaphore
Semaphore
Semaphore
Semaphore
Semaphore
Semaphore
Semaphore
Semaphore
Semaphore
Semaphore
Semaphore \BaseNamedObjects\shell.{6D5313C0-8C62-11D1-B2CD-006097DF8C11}
Semaphore
Semaphore
Semaphore \BaseNamedObjects\shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}
Semaphore
Semaphore \BaseNamedObjects\shell.{090851A5-EB96-11D2-8BE4-00C04FA31A66}
Semaphore
Semaphore
Thread explorer.exe(2668): 3596
Thread explorer.exe(2668): 3340
Thread explorer.exe(2668): 2868
Thread explorer.exe(2668): 800
Thread explorer.exe(2668): 3128
Thread explorer.exe(2668): 3128
Thread explorer.exe(2668): 1076
Thread explorer.exe(2668): 2832
Thread explorer.exe(2668): 1344
Thread explorer.exe(2668): 3888
Thread explorer.exe(2668): 3536
Thread explorer.exe(2668): 3128
Thread explorer.exe(2668): 2964
Thread explorer.exe(2668): 1888
Timer
Timer
Token NT AUTHORITY\SYSTEM
Token SGV\heather
Token NT AUTHORITY\SYSTEM
Token SGV\heather
Token SGV\heather
WindowStation \Windows\WindowStations\WinSta0
WindowStation \Windows\WindowStations\WinSta0
WmiGuid
Key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithList
Section


I have no idea what to do!
#4 Metallica (Spyware Veteran, GeekU Moderator, 31,671 posts)
Get the rest of the instructions done.

Then post a new HijackThis log.
Do not reboot your computer after posting it until you get a reply.
This malware changes its filename every time you reboot.

Regards,
#5 BrianasMom (Topic Starter, New Member, 7 posts)
I did do the rest, but it still isn't working- I can't get into yahoo at all and Ebay has only the text! Did I possibly do something wrong or delete something I shouldn't have?

Here's my new log-

Logfile of HijackThis v1.99.1
Scan saved at 3:11:48 PM, on 8/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\MAILROOM\Bin\Mrmlnc32.exe
F:\CLSINC\WBWIN\WB32.EXE
C:\Program Files\Microsoft Outlook\OFFICE11\OUTLOOK.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\heather\Desktop\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [AXIM ™] C:\Program Files\Legato\AXIM ™\AXIM ™.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
O4 - Global Startup: unidoc.lnk = C:\MAILROOM\Bin\Mrmlnc32.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamp...34/sdcregie.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots....SDownloader.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124461016656
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {DF261D07-7E99-11D4-B2C7-009027A1F18A} (DDI Print Control Class v1.2 [ENU]) - https://www.imagine....rk/iedpwenu.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SGV.local
O17 - HKLM\Software\..\Telephony: DomainName = SGV.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SGV.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = SGV.local
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
#6 Metallica (Spyware Veteran, GeekU Moderator, 31,671 posts)
Quite possible. The easiest way to repair any of the damage would be to install SP2 for XP and IE: http://www.microsoft...p2/default.mspx

This will replace/renew a lot of system files and might cure your problem.

Your log is clean now, so that should be no problem.

Let us know if it works.

Regards,
#7 BrianasMom (Topic Starter, New Member, 7 posts)
I just tried to click on the link and it says the page cannot be displayed, the same thing it does for Yahoo. I keep hitting refresh, but nothing happens.
#8 Metallica (Spyware Veteran, GeekU Moderator, 31,671 posts)
Can you find this file:

C:\WINDOWS\System32\drivers\etc\hosts

Rightclick and rename it to hosts.bak
Then try again.

Regards,
#9 BrianasMom (Topic Starter, New Member, 7 posts)
It says I cannot rename hosts- access is denied!
#10 Metallica (Spyware Veteran, GeekU Moderator, 31,671 posts)
That makes me really curious.
Can you rightclick the file and choose Open With ... Notepad

Select the content and post it please.

Regards,
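Posts #8 to #10 are working toward the hosts file: a clean HijackThis log plus Yahoo, eBay content and microsoft.com all failing to load is the classic signature of a hosts file that maps those names to a local address, and renaming it to hosts.bak is the quick way to test that theory. The script below is an added example (not from the original post) of what to look for once the file can be opened in Notepad. The real file contents were never posted in this thread, so SAMPLE_HOSTS is constructed to show the symptom: the stock XP header, a long run of blank lines to push the added entries below the bottom of the Notepad window, then loopback mappings for the affected sites.

```python
"""Find hosts-file entries that silently redirect sites to a local address.

Added example; not from the original post. SAMPLE_HOSTS is constructed to
show the symptom described in this thread (Yahoo and eBay content failing
to load); the real file contents were never posted.
"""

LEGITIMATE_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample: stock XP header, 200 blank lines of padding, then the
# hijack entries. The hostnames are illustrative, not taken from the thread.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-1999 Microsoft Corp.\n"
    "#\n"
    "# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.\n"
    "#\n"
    "127.0.0.1       localhost\n"
    + "\n" * 200 +
    "127.0.0.1 www.yahoo.com\n"
    "127.0.0.1 yahoo.com\n"
    "127.0.0.1 include.ebaystatic.com\n"
    "127.0.0.1 www.microsoft.com\n"
    "0.0.0.0   download.microsoft.com\n"
)


def parse_hosts(text):
    """Yield (line_number, address, [names]) for every mapping line."""
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        parts = line.split()
        yield number, parts[0], parts[1:]


def suspicious_entries(text):
    """Mappings whose names are not loopback aliases: each one overrides DNS."""
    found = []
    for number, address, names in parse_hosts(text):
        for name in names:
            if name.lower() not in LEGITIMATE_NAMES:
                found.append((number, address, name.lower()))
    return found


def padding_before_first_hit(text):
    """Blank lines between the last visible entry and the first suspicious one."""
    hits = suspicious_entries(text)
    if not hits:
        return 0
    first = hits[0][0]
    blank = 0
    for raw in reversed(text.splitlines()[: first - 1]):
        if raw.strip():
            break
        blank += 1
    return blank


def cleaned_hosts(text):
    """Rebuild the file keeping only comments and loopback entries."""
    kept = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            if raw.strip().startswith("#"):
                kept.append(raw)
            continue
        if all(n.lower() in LEGITIMATE_NAMES for n in line.split()[1:]):
            kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for number, address, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {number}: {name} -> {address}")
    print(f"{padding_before_first_hit(SAMPLE_HOSTS)} blank lines hide the first entry")
```

Two practical notes. First, scroll to the very end of the file in Notepad before deciding it is clean; the padding trick is exactly why a file that looks like the stock five-line header can still be the problem. Second, "access is denied" on a rename is what you get when the file has been made read-only or its permissions changed, so before renaming run `attrib -r -s -h hosts` in that folder (or clear the attributes on the file's Properties tab); with the file renamed or rewritten from cleaned_hosts(), run `ipconfig /flushdns` so cached answers do not keep the sites blocked.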