need HJT log analysis [resolved]

#1 mieledio (Member, 27 posts)
Sorry my title and description aren't more specific; that's all I really know so I can't tell you any more. However, so that you'll know what's happened so far:

* I've followed the instructions on the "start here" topic as closely as I knew how to do and have succeeded in cleaning out a lot of junk, but there's still more that nothing seems able to find

* I've run Microsoft's Beta Anti-Spyware, CleanUp, AdAware, SpySubtract/CWShredder, Spybot, Ewido, TrendMicro (online), and TrojanHunter and have found and deleted stuff with all of them... which, I fear, could be part of the problem. I could be wrong though. I don't really know anything; it just seems like overkill to me and it kind of scares me that I've run so many different programs. (Looking for a little reassurance here...... :tazz: )

* I have Norton AntiVirus running at all times with weekly scheduled scans; it hasn't found anything at all for months and months.

* I'm running Win XP Pro 5.1 SP2 with IE 6.0 SP2. I can provide lots more system information if you need it but I'll leave it at that for now.

* My main problem now is *constant* pop-ups/pop-unders. It's usually (probably 95% of the time) from www.icannews.com, but occasionally it's something else. I often notice, when it's something else, that it's closely related to whatever website I'm currently viewing, which is what makes me think I have some sort of trojan downloader or something like that. As an example of how many I get, I've closed probably 8 or 10 of them since I started typing this post, and I'm a pretty good typist. And that's not an unusual number at all.

* One other thing is happening, but I don't know if it's the result of malware or if it's something else wrong with my computer. I frequently (but not nearly as often as the pop-ups; maybe once or twice per hour) get a DOS prompt window with a box over it that says "16 bit MS-DOS Subsystem -- C:\WINDOWS\TEMP\upd209.exe -- The NTVDM CPU has encountered an illegal instruction. CS:11c2 IP:0186 OP:63 61 74 69 6f Choose 'Close' to terminate the application." [The --s above represent hard returns.] Under that are two buttons, Close and Ignore; if I click Ignore, nothing at all happens (that I can see, anyway), but if I click Close it goes away.

* Oh, and I almost forgot to mention: My system often (sometimes as often as several times an hour) stops responding for anywhere from a couple of minutes to... I don't know... maybe half an hour and I can't seem to do anything about it. I try opening the Task Manager and stopping any tasks that are not responding, but that often doesn't work and the Task Manager stops responding as well.

I'm sorry to write so much, but I'm trying to give you as much information as I can in hopes that it will help you find my problem(s). If you do, I'll be eternally grateful. I'm at my wits' end.

I'll post this and then put the HJT log in a reply post as instructed. Thanks again.

#2 mieledio (Topic Starter, Member, 27 posts)
Logfile of HijackThis v1.99.1
Scan saved at 09:18:02 PM, on 09/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\NPDORNT.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\NavNT\vptray.exe
C:\npdor\npdor.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Spybot\TeaTimer.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.refdesk.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.refdesk.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://web.ask.com/web?q=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://web.ask.com/web?q=%s
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O3 - Toolbar: Ask Jeeves Bar - {43D9E6F0-1776-4897-AE14-ECEDECBAFEC0} - C:\WINDOWS\system32\askbarAB.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Hti] C:\npdor\npdor.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot\TeaTimer.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Ask Jeeves Search - res://C:\WINDOWS\system32\askbarAB.dll/cmd-search-selection
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Dictionary Search - res://C:\WINDOWS\system32\askbarAB.dll/cmd-search-selection-word
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.altavista.com
O15 - Trusted Zone: *.amazon.com
O15 - Trusted Zone: *.ask.com
O15 - Trusted Zone: *.biblegateway.net
O15 - Trusted Zone: *.biography.com
O15 - Trusted Zone: *.cnn.com
O15 - Trusted Zone: *.doverpublications.com
O15 - Trusted Zone: *.doverpublishing.com
O15 - Trusted Zone: *.esc18.net
O15 - Trusted Zone: *.esc4.net
O15 - Trusted Zone: *.flinnsci.com
O15 - Trusted Zone: *.geekstogo.com
O15 - Trusted Zone: *.greenfieldonline.com
O15 - Trusted Zone: *.hpolsurveys.com
O15 - Trusted Zone: *.m-w.com
O15 - Trusted Zone: *.mapquest.com
O15 - Trusted Zone: *.marcopolo-education.org
O15 - Trusted Zone: *.miami.com
O15 - Trusted Zone: *.msn.com
O15 - Trusted Zone: *.mysurvey.com
O15 - Trusted Zone: *.nationalgeographic.com
O15 - Trusted Zone: *.npdor.com
O15 - Trusted Zone: *.passport.com
O15 - Trusted Zone: *.passport.net
O15 - Trusted Zone: *.postini.com
O15 - Trusted Zone: *.refdesk.com
O15 - Trusted Zone: *.spywarewarrior.com
O15 - Trusted Zone: tea.state.tx.us
O15 - Trusted Zone: *.utexas.edu
O15 - Trusted Zone: *.webccat.org
O15 - Trusted Zone: *.webelements.com
O15 - Trusted Zone: *.webmd.com
O15 - Trusted Zone: *.yucatan.com
O15 - Trusted Zone: *.ztelligence.com
O15 - Trusted IP range: 10.120.31.28
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....llInstaller.exe
O16 - DPF: {4855C21B-E452-4661-A702-ED3493CE74DF} (AJ Installer Control) - http://sp.ask.com/do...askbar-inst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\KDDHE319.DLL
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe
O23 - Service: NPDOR File Monitor Service (NFMService) - Unknown owner - C:\WINDOWS\System32\NPDORNT.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

#3 coachwife6 (SuperStar, Retired Staff, 11,413 posts)
Hi M. Welcome to GTG. Sorry you were missed on the first go-round, but we'll get you cleaned up this time. :tazz:

Please rerun HijackThis and put a new log in this thread. Also,

Download Silent Runners
Unzip it to a permanent folder.
Start SilentRunners.vbs
When your antivirus is giving an alert, do not block this. Allow the script.
Copy and paste the content of the txtfile you get afterwards in your next reply.

http://www.geekstogo...=30

#4 mieledio (Topic Starter, Member, 27 posts)
No problem on missing me before; I'm just thrilled to have the help!

Here are my log files that you requested:


HJT:

Logfile of HijackThis v1.99.1
Scan saved at 05:31:10 PM, on 09/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\NPDORNT.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\NavNT\vptray.exe
C:\npdor\npdor.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Spybot\TeaTimer.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Documents and Settings\Administrator.D9BWM521\Desktop\downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.refdesk.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.refdesk.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://web.ask.com/web?q=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://web.ask.com/web?q=%s
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O3 - Toolbar: Ask Jeeves Bar - {43D9E6F0-1776-4897-AE14-ECEDECBAFEC0} - C:\WINDOWS\system32\askbarAB.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Hti] C:\npdor\npdor.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot\TeaTimer.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Ask Jeeves Search - res://C:\WINDOWS\system32\askbarAB.dll/cmd-search-selection
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Dictionary Search - res://C:\WINDOWS\system32\askbarAB.dll/cmd-search-selection-word
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.altavista.com
O15 - Trusted Zone: *.amazon.com
O15 - Trusted Zone: *.ask.com
O15 - Trusted Zone: *.biblegateway.net
O15 - Trusted Zone: *.biography.com
O15 - Trusted Zone: *.cnn.com
O15 - Trusted Zone: *.doverpublications.com
O15 - Trusted Zone: *.doverpublishing.com
O15 - Trusted Zone: *.esc18.net
O15 - Trusted Zone: *.esc4.net
O15 - Trusted Zone: *.flinnsci.com
O15 - Trusted Zone: *.geekstogo.com
O15 - Trusted Zone: *.greenfieldonline.com
O15 - Trusted Zone: *.hpolsurveys.com
O15 - Trusted Zone: *.m-w.com
O15 - Trusted Zone: *.mapquest.com
O15 - Trusted Zone: *.marcopolo-education.org
O15 - Trusted Zone: *.miami.com
O15 - Trusted Zone: *.msn.com
O15 - Trusted Zone: *.mysurvey.com
O15 - Trusted Zone: *.nationalgeographic.com
O15 - Trusted Zone: *.npdor.com
O15 - Trusted Zone: *.passport.com
O15 - Trusted Zone: *.passport.net
O15 - Trusted Zone: *.postini.com
O15 - Trusted Zone: *.refdesk.com
O15 - Trusted Zone: *.spywarewarrior.com
O15 - Trusted Zone: tea.state.tx.us
O15 - Trusted Zone: *.utexas.edu
O15 - Trusted Zone: *.webccat.org
O15 - Trusted Zone: *.webelements.com
O15 - Trusted Zone: *.webmd.com
O15 - Trusted Zone: *.yucatan.com
O15 - Trusted Zone: *.ztelligence.com
O15 - Trusted IP range: 10.120.31.28
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....llInstaller.exe
O16 - DPF: {4855C21B-E452-4661-A702-ED3493CE74DF} (AJ Installer Control) - http://sp.ask.com/do...askbar-inst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\KDDHE319.DLL
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe
O23 - Service: NPDOR File Monitor Service (NFMService) - Unknown owner - C:\WINDOWS\System32\NPDORNT.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe





Silent Runners:

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{43D9E6F0-1776-4897-AE14-ECEDECBAFEC0}" = "Ask Jeeves Bar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\askbarAB.dll" [file not found]

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{43D9E6F0-1776-4897-AE14-ECEDECBAFEC0}" = "Ask Jeeves Bar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\askbarAB.dll" [file not found]

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll" ["Yahoo! Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\msjava.dll" [file not found]

{0E17D5B7-9F5D-4FEE-9DF6-CA6EE38B68A8}\
"ButtonText" = "ieSpell"
"MenuText" = "ieSpell"
"Script" = "res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM" ["Red Egg Software"]

{1606D6F9-9D3B-4AEA-A025-ED5B2FD488E7}\
"MenuText" = "ieSpell Options"
"Script" = "res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM" ["Red Egg Software"]

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\PROGRA~1\AIM\aim.exe" ["America Online, Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

DefWatch, DefWatch, "C:\Program Files\NavNT\defwatch.exe" ["Symantec Corporation"]
Norton AntiVirus Client, Norton AntiVirus Server, "C:\Program Files\NavNT\rtvscan.exe" ["Symantec Corporation"]
NPDOR File Monitor Service, NFMService, "C:\WINDOWS\System32\NPDORNT.exe" [null data]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]
WMI Performance Adapter, WmiApSrv, "C:\WINDOWS\System32\wbem\wmiapsrv.exe" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 89 seconds, including 18 seconds for message boxes)

#5 coachwife6 (SuperStar, Retired Staff, 11,413 posts)
What is this and do you use it?

NPDOR File Monitor Service, NFMService, "C:\WINDOWS\System32\NPDORNT.exe"

#6 coachwife6 (SuperStar, Retired Staff, 11,413 posts)
There are quite a few programs available that offer protection features to help keep a computer from getting infected. While this is normally a helpful feature, it can keep you from making the changes necessary to clean your computer. Please review the list to see which programs apply to your machine.

These programs need to be uninstalled

AdWatch

These programs can just be disabled

Microsoft Antispyware
TeaTimer
SpySweeper
Win Patrol
Spyware Guard
Pestpatrol
Regrun
Diamonds Process controller


Close all programs and all windows, leaving only HijackThis running. Please disconnect from the internet. Place a check mark against each of the following, making sure you get each one and not any others by mistake:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing

O3 - Toolbar: Ask Jeeves Bar - {43D9E6F0-1776-4897-AE14-ECEDECBAFEC0} - C:\WINDOWS\system32\askbarAB.dll (file missing)

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O15 - Trusted Zone: *.altavista.com
O15 - Trusted Zone: *.amazon.com
O15 - Trusted Zone: *.ask.com
O15 - Trusted Zone: *.biblegateway.net
O15 - Trusted Zone: *.biography.com
O15 - Trusted Zone: *.cnn.com
O15 - Trusted Zone: *.doverpublications.com
O15 - Trusted Zone: *.doverpublishing.com
O15 - Trusted Zone: *.esc18.net
O15 - Trusted Zone: *.esc4.net
O15 - Trusted Zone: *.flinnsci.com
O15 - Trusted Zone: *.geekstogo.com
O15 - Trusted Zone: *.greenfieldonline.com
O15 - Trusted Zone: *.hpolsurveys.com
O15 - Trusted Zone: *.m-w.com
O15 - Trusted Zone: *.mapquest.com
O15 - Trusted Zone: *.marcopolo-education.org
O15 - Trusted Zone: *.miami.com
O15 - Trusted Zone: *.msn.com
O15 - Trusted Zone: *.mysurvey.com
O15 - Trusted Zone: *.nationalgeographic.com
O15 - Trusted Zone: *.npdor.com
O15 - Trusted Zone: *.passport.com
O15 - Trusted Zone: *.passport.net
O15 - Trusted Zone: *.postini.com
O15 - Trusted Zone: *.refdesk.com
O15 - Trusted Zone: *.spywarewarrior.com
O15 - Trusted Zone: tea.state.tx.us
O15 - Trusted Zone: *.utexas.edu
O15 - Trusted Zone: *.webccat.org
O15 - Trusted Zone: *.webelements.com
O15 - Trusted Zone: *.webmd.com
O15 - Trusted Zone: *.yucatan.com
O15 - Trusted Zone: *.ztelligence.com
O15 - Trusted IP range: 10.120.31.28

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....llInstaller.exe
O16 - DPF: {4855C21B-E452-4661-A702-ED3493CE74DF} (AJ Installer Control) - http://sp.ask.com/do...askbar-inst.cab
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\KDDHE319.DLL


Click on Fix Checked when finished and exit HijackThis.

Please reboot and post a fresh HijackThis log and we will take another look to see how we did. :tazz:

#7 mieledio (Topic Starter, Member, 27 posts)
It's a program that tracks my internet usage as part of a consumer information panel of which I'm a member. I've had it for years on several different computers, long before this "infestation", so I don't think it's anything malicious at all. However, if you think it would help, either with my problems or with your analysis, I can certainly uninstall it. And if, in your experienced opinion, you think it might not be a healthy thing to have installed, I won't reinstall it later. It's really no big deal either way.

Thanks again for your help.

Edi

#8 coachwife6 (SuperStar, Retired Staff, 11,413 posts)
I thought it was a survey....just didn't know if it was something you wanted there. Just keep it. We will weed out the bad stuff and look at that at the end. :tazz:

#9 mieledio (Topic Starter, Member, 27 posts)
Just to clarify before I do anything wrong:

Do you mean that (1) I should *manually* uninstall/disable the programs that you listed and *then* run the fix on HJT, or (2) I should just run the fix on HJT as you instructed and *that* will take care of the uninstalling/disabling part?

#10 coachwife6 (SuperStar, Retired Staff, 11,413 posts)
Uninstall/disable the programs listed, IF you have them. Then proceed with the fix. Those programs will prevent HijackThis from cleaning up your computer. :tazz:

#11 mieledio (Topic Starter, Member, 27 posts)
Well, I did it, at least as well as I could. A lot (all?) of my anti-spyware products are evidently set to open at startup and I can't find where to turn that off, so I'm just re-exiting them after I reboot. I hope that's ok.

More importantly, the first time I rebooted and reconnected to the internet, I instantly got so many popups that I lost count, and so fast that I couldn't keep up with them to close them AND my system stopped responding and I tried and tried to get it back at least enough to reboot and it finally shut itself down with some sort of a fatal error so at least I could finally reboot.

The good news is that I haven't had a single popup since I rebooted the second time, so we'll see.

No, wait... I spoke too soon. *sigh* There were a bunch of them but I hadn't noticed them yet because they were popunders. Oh, well. It was nice for a few seconds. :tazz:

In any case, here's my new log:


Logfile of HijackThis v1.99.1
Scan saved at 07:30:57 PM, on 09/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\NPDORNT.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\NavNT\vptray.exe
C:\npdor\npdor.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Administrator.D9BWM521\Desktop\downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.refdesk.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.refdesk.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://web.ask.com/web?q=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://web.ask.com/web?q=%s
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Ask Jeeves Bar - {43D9E6F0-1776-4897-AE14-ECEDECBAFEC0} - C:\WINDOWS\system32\askbarAB.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Hti] C:\npdor\npdor.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot\TeaTimer.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Ask Jeeves Search - res://C:\WINDOWS\system32\askbarAB.dll/cmd-search-selection
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Dictionary Search - res://C:\WINDOWS\system32\askbarAB.dll/cmd-search-selection-word
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: tea.state.tx.us
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O16 - DPF: {4855C21B-E452-4661-A702-ED3493CE74DF} -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\KDDHE319.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe
O23 - Service: NPDOR File Monitor Service (NFMService) - Unknown owner - C:\WINDOWS\System32\NPDORNT.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

Thanks!

#12 coachwife6 (SuperStar, Retired Staff, 11,413 posts)
To have the programs disabled at startup, go to

start>>run>>and type in "msconfig" without the quotes.

Go to the start-up key and uncheck them. That way they won't start-up when you boot the computer.

Please download CleanUp! - Download - HomePage

Close all programs and all windows, leaving only HijackThis running. Please disconnect from the internet. Place a check mark against each of the following.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.refdesk.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://web.ask.com/web?q=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://web.ask.com/web?q=%s

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O16 - DPF: {4855C21B-E452-4661-A702-ED3493CE74DF} -

O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\KDDHE319.DLL


Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).
Be sure you're able to view hidden files, and remove the following files in bold (if found):


C:\WINDOWS\system32\KDDHE319.DLL


Click on the button labeled CleanUp!.

When it finishes it will prompt you to restart Windows - there will be one or two files it cannot delete when Windows is running - however, they will be deleted next time Windows starts up.

#13 mieledio (Topic Starter, Member, 27 posts)
Well... I tried. I had a few problems.

1. The line "R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.refdesk.com/" appeared twice in the log and I didn't notice it until I was already going through the process. I didn't know whether you meant to delete both instances or only one, so I figured it was better to be safe than sorry and I only deleted one of them.

2. The line "O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\KDDHE319.DLL" did not appear in the log at all. (I see that a slightly modified version is in the new log below, but there was nothing even remotely resembling it when I went in to do the fixes. I promise! :tazz: )

3. The KDDHE319.DLL file was right where you said it would be, but when I tried to delete it (in safe mode, of course), I got a message saying "Cannot delete KDDHE319.DLL. It is being used by another person or program. Close any programs that might be using the file and try again." At that point I didn't have any programs running (not purposely, anyway), so I gave up and ran CleanUp. After running CleanUp I decided to give it another try but I still couldn't delete it.

Here's my new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:15:51 PM, on 09/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\NPDORNT.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\npdor\npdor.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Administrator.D9BWM521\Desktop\downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.refdesk.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Ask Jeeves Bar - {43D9E6F0-1776-4897-AE14-ECEDECBAFEC0} - C:\WINDOWS\system32\askbarAB.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Hti] C:\npdor\npdor.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Ask Jeeves Search - res://C:\WINDOWS\system32\askbarAB.dll/cmd-search-selection
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Dictionary Search - res://C:\WINDOWS\system32\askbarAB.dll/cmd-search-selection-word
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: tea.state.tx.us
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: MCD - C:\WINDOWS\system32\KDDHE319.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe
O23 - Service: NPDOR File Monitor Service (NFMService) - Unknown owner - C:\WINDOWS\System32\NPDORNT.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
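The O20 lines in the two logs above show the same DLL surviving the fix under a different Winlogon Notify subkey name (BITS in the first log, MCD in the second). As an added example that is not part of this thread, here is a small Python checker that parses the O20 lines of two HijackThis logs, flags Notify entries outside a known-good list, and reports a DLL that persisted under a renamed subkey; the log excerpts inside are constructed from the logs posted above, and treating igfxcui and NavLogon as legitimate is this example's own assumption.

```python
import re

# Constructed excerpts: the O20 lines from the two HijackThis logs in this thread.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [Hti] C:\npdor\npdor.exe
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\KDDHE319.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [Hti] C:\npdor\npdor.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: MCD - C:\WINDOWS\system32\KDDHE319.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
"""

# O20 lines list subkeys of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify.
# Each DLL named there is loaded into winlogon.exe at logon, which is why such a
# file still reports "in use" in Safe Mode and cannot be deleted from Explorer.
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+?)\s*$")

# Assumed known-good Notify subkeys (Intel graphics, Norton AntiVirus) for this thread.
KNOWN_GOOD = {"igfxcui", "navlogon"}


def parse_o20(log):
    """Map Notify subkey name -> DLL path for every O20 line in an HJT log."""
    entries = {}
    for line in log.splitlines():
        m = O20_RE.match(line)
        if m:
            entries[m["name"]] = m["path"]
    return entries


def suspicious_o20(log, known_good=KNOWN_GOOD):
    """O20 entries whose subkey name is not on the known-good list."""
    return {n: p for n, p in parse_o20(log).items() if n.lower() not in known_good}


def renamed_dlls(before, after):
    """DLLs still registered after a fix, but under a different Notify subkey.

    Matching on the DLL path instead of the subkey name catches the case in this
    thread, where the entry to fix was listed as BITS and came back as MCD.
    """
    dll_to_name = {p.lower(): n for n, p in parse_o20(before).items()}
    renamed = []
    for name, path in parse_o20(after).items():
        old = dll_to_name.get(path.lower())
        if old is not None and old != name:
            renamed.append((old, name, path))
    return renamed


if __name__ == "__main__":
    print("suspicious now:", suspicious_o20(LOG_AFTER))
    for old, new, path in renamed_dlls(LOG_BEFORE, LOG_AFTER):
        print(f"{path} persisted: Notify subkey renamed {old} -> {new}")
```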

#14 coachwife6 (SuperStar, Retired Staff, 11,413 posts)
Right-click on this file and tell me its properties.

C:\WINDOWS\system32\KDDHE319.DLL

Check this in HijackThis.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.refdesk.com/

#15 mieledio (Topic Starter, Member, 27 posts)
Okie-doke...
KDDHE319.DLL:

Type of file: Application Extension
Opens with: Unknown application

Location: C:\WINDOWS\SYSTEM32
Size: 408 KB (417,792 bytes)
Size on disk: 408 KB (417,792 bytes)

Created: Thursday, 14 July, 2005, 01:21:02 PM
Modified: Thursday, 14 July, 2005, 01:21:03 PM
Accessed: Today, 10 September, 2005, 10:03:49 PM

Attributes: Read-only
New log:

Logfile of HijackThis v1.99.1
Scan saved at 11:04:00 PM, on 09/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\NPDORNT.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\npdor\npdor.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Documents and Settings\Administrator.D9BWM521\Desktop\downloads\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Ask Jeeves Bar - {43D9E6F0-1776-4897-AE14-ECEDECBAFEC0} - C:\WINDOWS\system32\askbarAB.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Hti] C:\npdor\npdor.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Ask Jeeves Search - res://C:\WINDOWS\system32\askbarAB.dll/cmd-search-selection
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Dictionary Search - res://C:\WINDOWS\system32\askbarAB.dll/cmd-search-selection-word
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: tea.state.tx.us
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: MCD - C:\WINDOWS\system32\KDDHE319.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe
O23 - Service: NPDOR File Monitor Service (NFMService) - Unknown owner - C:\WINDOWS\System32\NPDORNT.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe