My Hijack log



#1
djack

I thought I was smarter than this but this has got me stumped. Here's my hijack log.

Logfile of HijackThis v1.97.7
Scan saved at 2:50:14 PM, on 12/18/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
E:\WINNT\System32\svchost.exe
E:\WINNT\system32\drivers\KodakCCS.exe
E:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
E:\WINNT\system32\regsvc.exe
E:\WINNT\system32\MSTask.exe
E:\WINNT\system32\ZONELABS\vsmon.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\Explorer.EXE
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
E:\Program Files\D-link AirPlus G DWL-G120 Wireless USB\120UTIL.exe
E:\Documents and Settings\papi\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.atomservers.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.atomservers.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SysShield IE Popup Blocker - {9A23B8A4-C6C9-4A68-8FA6-5F905DC8FF80} - E:\Program Files\SysShield Tools\Internet Eraser\pkext.dll
O3 - Toolbar: AbsoluteShield - {EE9DD090-902D-4623-9360-FB7D8666202B} - E:\Program Files\SysShield Tools\Internet Eraser\AbsoluteBar.dll
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] E:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - Global Startup: D-link AirPlus G DWL-G120 Wireless USB.lnk = E:\Program Files\D-link AirPlus G DWL-G120 Wireless USB\120UTIL.exe
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AbsoluteShield Internet Eraser (HKCU)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8329.7516550926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#2
djack

I could really use a hand or just a point in another direction. I've read other posts with the same problem and tried all the suggestions but I can't get rid of this page. Any suggestions would be appreciated.

#3
admin

Log looks clear. Tried resetting your homepage?

#4
djack

I thought it looked clear too from running all the suggestions from this site, which has helped a lot because I found other things on my system and was able to get rid of them. When I reset my homepage I can pull up only one browser that shows the correct page; the next time I open it, it's right back to the about:blank page, which is a search page of course. I've found this path in the source h t t p : / / w w w . 3 1 4 z d e c . b i z / s e x t r a c k e r . h t m l and added the domain to my restricted sites but that didn't work either. I think the page is somewhere on my system because it pulls up even when I select to work offline.

#5
admin

Download the free VX2 Cleaner
  • here
  • Close Ad-Aware SE build 1.05 and Ad-Watch (if running)
  • Install the VX2 Cleaner
  • Start Ad-Aware SE build 1.05
  • Go to “Plug-ins”
  • Select the VX2 Cleaner plug-in and click “Run Plugin”
  • If your computer isn't infected, click "close"
If your computer is infected:
  • Select “Clean System”
  • Reboot your computer
  • Scan your computer with Ad-Aware
  • Remove any VX2 objects detected
  • Reboot your computer again
  • Run a second scan to make sure the files have been removed from your computer


#6
djack

No go. This is the page from [bleep]. Any other suggestions?

#7
admin

See the HijackThis link in my signature, download the latest version (1.99) and post a fresh log.

#8
djack

Logfile of HijackThis v1.99.0
Scan saved at 5:48:07 PM, on 12/21/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
E:\WINNT\System32\svchost.exe
E:\WINNT\system32\drivers\KodakCCS.exe
E:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
E:\WINNT\system32\regsvc.exe
E:\WINNT\system32\MSTask.exe
E:\WINNT\system32\ZONELABS\vsmon.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\Explorer.EXE
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\Program Files\D-link AirPlus G DWL-G120 Wireless USB\120UTIL.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Crazy Browser\Crazy Browser.exe
C:\Program Files\Office10\OUTLOOK.EXE
C:\Program Files\Office10\WINWORD.EXE
E:\Program Files\Windows Media Player\wmplayer.exe
E:\Documents and Settings\papi\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.atomservers.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.atomservers.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SysShield IE Popup Blocker - {9A23B8A4-C6C9-4A68-8FA6-5F905DC8FF80} - E:\Program Files\SysShield Tools\Internet Eraser\pkext.dll
O3 - Toolbar: AbsoluteShield - {EE9DD090-902D-4623-9360-FB7D8666202B} - E:\Program Files\SysShield Tools\Internet Eraser\AbsoluteBar.dll
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Zone Labs Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: D-link AirPlus G DWL-G120 Wireless USB.lnk = E:\Program Files\D-link AirPlus G DWL-G120 Wireless USB\120UTIL.exe
O4 - Global Startup: Free WebSite Tools.lnk = E:\Program Files\CoffeeCup Software\CoffeeCup Free FTP\ThirtyDayTimer.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - E:\WINNT\System32\Shdocvw.dll
O9 - Extra button: AbsoluteShield Internet Eraser - {4A0EF50C-6A4A-4b30-84D8-53D5BC95C043} - E:\Program Files\SysShield Tools\Internet Eraser\cseraser.exe (HKCU)
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zone...ctor/WebSWK.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - E:\WINNT\System32\dmadmin.exe
O23 - Service: Kodak Camera Connection Software - Eastman Kodak Company - E:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Macromedia Licensing Service - Unknown - E:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: ptssvc - KODAK - E:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: ScsiAccess - Unknown - E:\WINNT\System32\ScsiAccess.EXE (file missing)
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - E:\WINNT\system32\ZONELABS\vsmon.exe

#9
coachwife6

You may wish to print out a copy of these instructions to follow while you complete this procedure.

Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zone...ctor/WebSWK.cab
O23 - Service: ScsiAccess - Unknown - E:\WINNT\System32\ScsiAccess.EXE (file missing)

Please delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself) like for example
C:\WINDOWS\Temp\
C:\Temp\
C:\Documents and Settings\username\Local Settings\Temp\
Also delete your Temporary Internet Files, be sure to also select delete all offline content.

Reboot and post a fresh log.

#10
djack

It came right back...

Logfile of HijackThis v1.99.0
Scan saved at 8:12:42 AM, on 12/26/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
E:\WINNT\System32\svchost.exe
E:\WINNT\system32\drivers\KodakCCS.exe
E:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
E:\WINNT\system32\regsvc.exe
E:\WINNT\system32\MSTask.exe
E:\WINNT\system32\ZONELABS\vsmon.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\Explorer.EXE
E:\WINNT\ibs.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\D-link AirPlus G DWL-G120 Wireless USB\120UTIL.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.atomservers.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.atomservers.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SysShield IE Popup Blocker - {9A23B8A4-C6C9-4A68-8FA6-5F905DC8FF80} - E:\Program Files\SysShield Tools\Internet Eraser\pkext.dll
O3 - Toolbar: AbsoluteShield - {EE9DD090-902D-4623-9360-FB7D8666202B} - E:\Program Files\SysShield Tools\Internet Eraser\AbsoluteBar.dll
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Zone Labs Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSConfig] E:\WINNT\msconfig.exe /auto
O4 - Global Startup: D-link AirPlus G DWL-G120 Wireless USB.lnk = E:\Program Files\D-link AirPlus G DWL-G120 Wireless USB\120UTIL.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - E:\WINNT\System32\Shdocvw.dll
O9 - Extra button: AbsoluteShield Internet Eraser - {4A0EF50C-6A4A-4b30-84D8-53D5BC95C043} - E:\Program Files\SysShield Tools\Internet Eraser\cseraser.exe (HKCU)
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://166.139.105.1...sCamControl.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - E:\WINNT\System32\dmadmin.exe
O23 - Service: Kodak Camera Connection Software - Eastman Kodak Company - E:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Macromedia Licensing Service - Unknown - E:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: ptssvc - KODAK - E:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - E:\WINNT\system32\ZONELABS\vsmon.exe
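Added example, not part of the thread or of HijackThis itself: the helpers here compare each fresh log with the previous one by eye, and this Python code does the same comparison, reporting what changed between two scans and which entries ticked for fixing came back. The function names are assumptions made for this example, and the two sample scans are short excerpts of the logs in posts #8 and #10.

```python
import re

# Entry lines start with a HijackThis section code such as R0, O4 or O23.
ENTRY_RE = re.compile(r"^(?:R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - ")

def parse_hjt(text):
    """Return (processes, entries): dicts mapping lower-cased line -> line."""
    processes, entries, in_procs = {}, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes:"):
            in_procs = True
        elif ENTRY_RE.match(line):
            in_procs = False          # the process list ends at the first entry
            entries[line.lower()] = line
        elif in_procs and line:
            processes[line.lower()] = line
    return processes, entries

def diff_logs(old_text, new_text):
    """Report what was added or removed between two scans."""
    report = {}
    for name, old, new in zip(("processes", "entries"),
                              parse_hjt(old_text), parse_hjt(new_text)):
        report[name] = {"added": sorted(new[k] for k in new.keys() - old.keys()),
                        "removed": sorted(old[k] for k in old.keys() - new.keys())}
    return report

def reappeared(fixed_lines, new_text):
    """Entries that were ticked for fixing but show up again in a later scan."""
    _, entries = parse_hjt(new_text)
    return [f for f in fixed_lines if f.strip().lower() in entries]

# Excerpts from the scans in posts #8 and #10 (most lines omitted).
SCAN_DEC21 = r"""Running processes:
E:\WINNT\Explorer.EXE
E:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O23 - Service: ScsiAccess - Unknown - E:\WINNT\System32\ScsiAccess.EXE (file missing)
"""
SCAN_DEC26 = r"""Running processes:
E:\WINNT\Explorer.EXE
E:\WINNT\ibs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [MSConfig] E:\WINNT\msconfig.exe /auto
"""
FIXED = SCAN_DEC21.splitlines()[4:6]  # two of the items post #9 asked to fix
print(diff_logs(SCAN_DEC21, SCAN_DEC26), reappeared(FIXED, SCAN_DEC26))
```

Lines are compared case-insensitively because Windows paths are; 8.3 short names such as `PROGRA~1` are not expanded, so the same file written both ways is reported as a change.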


#11
coachwife6

Click on start, then run, and type services.msc and press the OK button.

You will now see the services window with a listing of all your services. Scroll through the services and see if you have a service with the following name:

Plug and Play svc service (pnpsvc)

Let me know if this is there.

#12
djack

I have "Plug and Play" listed. Should I see it listed as "plug and Play svs services"?

#13
coachwife6

Download and install the program Registry Lite from here:

http://www.geekstogo...=download&id=29

Once it is installed, please double click on the icon that should now be on your desktop. If an icon is not there, then check under programs portion of the Start Menu.

Once it is opened, copy and paste the below line, into the address field of Registrar Lite.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pnpsvc\Parameters\\ServiceDll

And press enter. You will now be presented with new information in the right and left sections of the program. In the right section you should see the ServiceDll value highlighted. Double-click on it and write down the name of the dll found there. This is the infection we need to remove.

#14
djack

Bad link, I get the following message:
You have specified an invalid id, if you followed this link, please inform the webmaster here

#15
djack

I found the program with Google and installed it, but it can't locate that registry value. I manually traced the path and there's no "pnpsvs" under services. There's "plug and play" and under that there's only "Security".