gdelaune Posted November 22, 2005 Share Posted November 22, 2005 Dear Tarun, I have followed all of the instructions on the PC Maintenance page and have the following log to post. Already arriving at this site, my issue has reoccured . . . that is that my browser gets highjacked by pages/items like: jamster starware upspiral search-h The PC Maintenance sequence caught a number of items . . . so it may be better now, but I have already (at least) seen a JAMSTER highjack. Thanks in advance for any help!!!! Greg Log File: (also attached) Logfile of HijackThis v1.99.1 Scan saved at 19.32.31, on 21/11/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe C:\Program Files\Microsoft AntiSpyware\gcasServ.exe C:\Program Files\Hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by102fd.bay102.hotmail.msn.com/cgi-...11b&fti=yes R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://by102fd.bay102.hotmail.msn.com/cgi-...11b&fti=yes R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [CARPService] carpserv.exe O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [ymetray] "C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {42C9E5EE-DA49-49B4-8ECC-1CAB1C51A2AB} (HomePrintingCtrl Class) - http://www.ofoto.com/downloads/hmpr/HMPR_W..._1/axhomepr.cab O16 - DPF: {435583D3-F647-4943-BB40-B0D64CB02718} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} - file://C:\Program Files\AutoCAD 2002\InstFred.ocx O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://f1.pg.photos.yahoo.com/ocx/us/yexplorer1_9us.cab O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/ps/en/check/qdiagh.cab?321 O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx O20 - Winlogon Notify: App Paths - C:\WINDOWS\system32\j42q0ef5eh2.dll O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing) O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Intel Alert Handler - Intel Corporation - C:\WINDOWS\system32\ams_ii\hndlrsvc.exe O23 - Service: Intel File Transfer - Intel Corporation - C:\WINDOWS\system32\cba\xfr.exe O23 - Service: Intel PDS - Intel Corporation - C:\WINDOWS\system32\cba\pds.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\Program Files\SSC\NSCTOP.EXE O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe Link to comment Share on other sites More sharing options...
Ultimate Predator Posted November 22, 2005 Share Posted November 22, 2005 Tarun will run through thism, but I can see things that may need deleting... I would also download and update the antispyware from; www.ewido.com do a full scan, as the PC Maintence doesn't include that. Link to comment Share on other sites More sharing options...
gdelaune Posted November 22, 2005 Author Share Posted November 22, 2005 Tarun will run through thism, but I can see things that may need deleting... I would also download and update the antispyware from; www.ewido.com do a full scan, as the PC Maintence doesn't include that. <{POST_SNAPBACK}> Thank you for the quick reply. I ran CCleaner as part of the PC Maintenance process . . . unless there is something I am not understanding!? I will check into the EWIDO thing right away. Thank you. greg Link to comment Share on other sites More sharing options...
Ultimate Predator Posted November 22, 2005 Share Posted November 22, 2005 Well, you know you download the programs, and then you scan them on your PC? I the download didn't work or something (its not an online scanner with all programs combined), I can give you seperate links.... Link to comment Share on other sites More sharing options...
gdelaune Posted November 22, 2005 Author Share Posted November 22, 2005 OK! I have downloaded and run the EWIDO software. It caught A LOT of stuff . . . in particular of the "Look2Me" variety. I reran the CCleaner and rerand Hijack this to create a new log: Thanks!!! (btw . . . as soon as I went on line, a JAMSTER window hijacked me again!) New Log: GDelaune-hijackthis_Log02 (also attached . . . do I need to attache it also?) Logfile of HijackThis v1.99.1 Scan saved at 13.52.49, on 22/11/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\Program Files\NavNT\defwatch.exe C:\WINDOWS\system32\cba\pds.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\NavNT\rtvscan.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\carpserv.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\NavNT\vptray.exe C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe C:\WINDOWS\System32\hphmon05.exe C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe C:\WINDOWS\MXOALDR.EXE C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Microsoft AntiSpyware\gcasServ.exe C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe C:\Program Files\SSC\NSCTOP.EXE C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\QUICKENW\QWDLLS.EXE C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\system32\ams_ii\hndlrsvc.exe C:\WINDOWS\system32\MsgSys.EXE C:\WINDOWS\system32\cba\xfr.exe C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\System32\HPZipm12.exe C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE C:\Program Files\Microsoft Office\Office10\WINWORD.EXE C:\Program Files\ewido\security suite\ewidoguard.exe C:\Program Files\ewido\security suite\ewidoctrl.exe C:\Program Files\Hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by102fd.bay102.hotmail.msn.com/cgi-...11b&fti=yes R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://by102fd.bay102.hotmail.msn.com/cgi-...11b&fti=yes R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [CARPService] carpserv.exe O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [ymetray] "C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {42C9E5EE-DA49-49B4-8ECC-1CAB1C51A2AB} (HomePrintingCtrl Class) - http://www.ofoto.com/downloads/hmpr/HMPR_W..._1/axhomepr.cab O16 - DPF: {435583D3-F647-4943-BB40-B0D64CB02718} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} - file://C:\Program Files\AutoCAD 2002\InstFred.ocx O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://f1.pg.photos.yahoo.com/ocx/us/yexplorer1_9us.cab O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/ps/en/check/qdiagh.cab?321 O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx O20 - Winlogon Notify: App Paths - C:\WINDOWS\system32\k8800ilme8qa0.dll O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing) O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Intel Alert Handler - Intel Corporation - C:\WINDOWS\system32\ams_ii\hndlrsvc.exe O23 - Service: Intel File Transfer - Intel Corporation - C:\WINDOWS\system32\cba\xfr.exe O23 - Service: Intel PDS - Intel Corporation - C:\WINDOWS\system32\cba\pds.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\Program Files\SSC\NSCTOP.EXE O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe Link to comment Share on other sites More sharing options...
hazelnut Posted November 22, 2005 Share Posted November 22, 2005 Welcome to Lunarsoft gdelaune, shouldn't be too long now before you get help with your log, with some people being in America ( as Tarun is ) we have to wake for them to wake up!! Link to comment Share on other sites More sharing options...
gdelaune Posted November 22, 2005 Author Share Posted November 22, 2005 Welcome to Lunarsoft gdelaune, shouldn't be too long now before you get help with your log, with some people being in America ( as Tarun is ) we have to wake for them to wake up!! <{POST_SNAPBACK}> Yes, yes . . . they do sleep much accross the pond. Seriously!!! I am just happy to get some help. I am not dying . . . but these things are really annoying . . . and anyway . . . I am learning a lot in the process. Does it look like I have all my ducks in a row and ready for review? Greg Link to comment Share on other sites More sharing options...
Administrator Tarun Posted November 22, 2005 Administrator Share Posted November 22, 2005 Generated by Tarun's HijackThis Converter v0.44 Beta. Default-color items are optional, red are known to be malicious. Changed registry value R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by102fd.bay102.hotmail.msn.com/cgi-...11b&fti=yes R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://by102fd.bay102.hotmail.msn.com/cgi-...11b&fti=yes Created registry value R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com Enumeration of existing IE's BHO's O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll Enumeration of existing IE's toolbars O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll Enumeration of suspicious auto-loading registry entries O4 - HKLM\..\Run: [CARPService] carpserv.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [ymetray] "C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe Extra IE context menu items O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html Downloaded Program Files item O16 - DPF: {42C9E5EE-DA49-49B4-8ECC-1CAB1C51A2AB} (HomePrintingCtrl Class) - http://www.ofoto.com/downloads/hmpr/HMPR_W..._1/axhomepr.cab O16 - DPF: {435583D3-F647-4943-BB40-B0D64CB02718} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} - file://C:\Program Files\AutoCAD 2002\InstFred.ocx O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://f1.pg.photos.yahoo.com/ocx/us/yexplorer1_9us.cab O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/ps/en/check/qdiagh.cab?321 O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx AppInit_DLLs autorun Registry value, Winlogon Notify Registry keys O20 - Winlogon Notify: App Paths - C:\WINDOWS\system32\k8800ilme8qa0.dll O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing) You will also want to run Look2Me Fix. Link to comment Share on other sites More sharing options...
gdelaune Posted November 22, 2005 Author Share Posted November 22, 2005 Hello, Thank you very much for reviewing this. Sorry, but I am new at this. The Look2Mefix I am sure is self expanitory, but am I to understand that I want to delete the item in red from my registry? What about the other items? Is there a set of standard directions for how to proceed with your advice? Greg Link to comment Share on other sites More sharing options...
Administrator Tarun Posted November 22, 2005 Administrator Share Posted November 22, 2005 Yep, anything red in the log is malicious. Run the l2mfix.bat to check for Look2Me. Link to comment Share on other sites More sharing options...
hazelnut Posted November 22, 2005 Share Posted November 22, 2005 Hello, Thank you very much for reviewing this. Sorry, but I am new at this. The Look2Mefix I am sure is self expanitory, but am I to understand that I want to delete the item in red from my registry? What about the other items? Is there a set of standard directions for how to proceed with your advice? Greg <{POST_SNAPBACK}> If you are unsure about how to follow Tarun's advice, ask him again what you are unsure of. Also this may help if you read it. http://www.ccleaner.com/index.php?showtopic=1720 Link to comment Share on other sites More sharing options...
gdelaune Posted November 22, 2005 Author Share Posted November 22, 2005 If you are unsure about how to follow Tarun's advice, ask him again what you are unsure of. Also this may help if you read it. http://www.ccleaner.com/index.php?showtopic=1720 <{POST_SNAPBACK}> thank you Tarun and Hazlenut. I will process all of this in my little brain and on my computer and get back to you with thanks . . . or question. Best, Greg Edit1: Look2Mefix is asking for a password. I looked around on the web and could not find anything. Do you know this password? Greg Edit2: Nevermind I think I found the password. Greg Edit3: HOORAAAAAAAH!!!!! I THINK THAT IT WORKED! I had one red item that I deleted/fixed with Hijackthis and I ran the Look2MeFix successfully. I did not mess with anything else in the log. Please let me know if that sounds like a sustainable solution or not. THANKS A MILLION. I HAVE BEEN WORKING ON THIS OFF AND ON FOR TWO MONTHS! THANK YOU. GREG Link to comment Share on other sites More sharing options...
Ultimate Predator Posted November 22, 2005 Share Posted November 22, 2005 I would also recommened getitng rid of all the other bits and pieces that were left up. Unless they tamper with programs, or unless you are using some of them (I have a list below in which you might be using, you might as wel get rid of the rest, it will only cleanup and make the PC run more faster: Stuff That You May Not Want To Delete: Changed registry value R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by102fd.bay102.hotmail.msn.com/cgi-...11b&fti=yes R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://by102fd.bay102.hotmail.msn.com/cgi-...11b&fti=yes Assuming that your Home page is the link? Enumeration of existing IE's BHO's O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll Assuming you use Spybot, and you use google toolbar? Enumeration of existing IE's toolbars O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll Assuming you use google toolbar? Enumeration of suspicious auto-loading registry entries O4 - HKLM\..\Run: [CARPService] carpserv.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [ymetray] "C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe Go through all these, and if you recognise the name, and you believe that startup helps, then keep it. But having that many start-ups cannot be good for your PC.... That's all. You should be safe to delete the rest, you might want to check with Tarun first... Link to comment Share on other sites More sharing options...
gdelaune Posted November 23, 2005 Author Share Posted November 23, 2005 Hello UP, Thank you very much for taking the time to respond. So let me see if I understand you. All of the Items that you listed are things that I probably want to keep . . . but those startups that I don't use I can eliminate. For instance, I don't use quicken anymore, so I will delete those startups. Those items on Tarun's list that are NOT on your list are things that I can proabably delete? . . . or put another way: The things that you listed are probably all I need to keep . . . and even some of those I can eliminate (startups). Am I understanding you? Greg BTW: I DO use Spybot, the Google toolbar and Hotmail is my home page Link to comment Share on other sites More sharing options...
SenutyEnool Posted November 23, 2005 Share Posted November 23, 2005 That's all. You should be safe to delete the rest, you might want to check with Tarun first... <{POST_SNAPBACK}> Not meaning to belittle Ultimate's help, he's got some very good suggestions there , but even as he suggested wait for an answer from Tarun, he's the resident Guru on HJT logs. And welcome to Lunarsoft too Cheers :P Link to comment Share on other sites More sharing options...
Ultimate Predator Posted November 23, 2005 Share Posted November 23, 2005 Not meaning to belittle Ultimate's help, he's got some very good suggestions there , but even as he suggested wait for an answer from Tarun, he's the resident Guru on HJT logs. Indeed, definitely check though him, but that's stuff I found. You may want to create a restore point on your PC so that if you delete something you don't want, you can restore it back to normal. Link to comment Share on other sites More sharing options...
gdelaune Posted November 23, 2005 Author Share Posted November 23, 2005 Not meaning to belittle Ultimate's help, he's got some very good suggestions there , but even as he suggested wait for an answer from Tarun, he's the resident Guru on HJT logs. Indeed, definitely check though him, but that's stuff I found. You may want to create a restore point on your PC so that if you delete something you don't want, you can restore it back to normal. <{POST_SNAPBACK}> thank you both. I am continuing to fiddle with this and that, removing uneeded programs and watching how the log changes . . . moving slowly and carefully . . . and using restore points. Removing Quicken already cleared out the related global starts. My sense is that I am in more of a fine tuning phase now . . . after the big success of eliminating the cause of my browser hijacks. Thanks again. Greg Link to comment Share on other sites More sharing options...
Ultimate Predator Posted November 23, 2005 Share Posted November 23, 2005 I think thats how you should be, and then set yourself up with the relevant security programs: https://forums.lunarsoft.net/index.php?showtopic=311 Link to comment Share on other sites More sharing options...
Administrator Tarun Posted November 23, 2005 Administrator Share Posted November 23, 2005 I only list what's truly safe to remove. My application used to say Safe to remove, but it got redundant. You can refer to my post of the log analysis to see what can go. Or you can repost a log now and get an updated version. Link to comment Share on other sites More sharing options...
Ultimate Predator Posted November 23, 2005 Share Posted November 23, 2005 But if I was to delete all that stuff with ebay toolbar in my log, then it would effect ebay toolbar? Indeed deleting the ebay startup isn't great if you actually use it? It may be safe, but if you use it, you do not want to get rid of it, as I have shown above with this log. Link to comment Share on other sites More sharing options...
Recommended Posts