Steve Posted August 3, 2004

Hijack This! is a small app that examines every program set to start when you boot up your PC. It also gives a list of any "browser helper objects" such as toolbars etc. It's useful because once you know how to use it, you can delete any spyware and some trojans/viruses from your machine and also eliminate any unnecessary startup entries to boost your PC's performance. Here's an example of a log taken from my own PC.........

Logfile of HijackThis v1.97.7
Scan saved at 06:55:57, on 03/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avant Browser\iexplore.exe
C:\DOCUME~1\Steve\LOCALS~1\Temp\Rar$EX00.612\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=cache3-brhm.server.ntli.net:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.*;windowsupdate.microsoft.com;v4.windowsupdate.microsoft.com;download.windowsupdate.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

This is a good example of a clean log with no crap other than a few extra features added by installing Avant. If you want to post a log then download Hijack This! HERE. Unzip the program to a folder of its own (don't run it yet) and then reboot your PC. Once it's rebooted, run Hijack This! and click Scan Now (bottom left). Once the scan is complete click Save Log (also bottom left) and save the log somewhere. Open the log and cut and paste the contents into this thread. You may ask why you would want to do this? Well there are two reasons. Firstly if you are having any weird problems with your PC such as strange homepages or items added to your favourites etc. and secondly, you may just wanna try and get your PC as streamlined as possible for optimum performance. Either way, I'll take a look at the log for you and advise you what needs to be sorted (if anything).

Mixologist Posted August 5, 2004

Hey Sig, do you think you could run a quick check on my log, i just wanna make sure i have nothing fishy going on...

Logfile of HijackThis v1.97.7
Scan saved at 1:05:34 PM, on 8/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\logonui.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Jay\My Documents\download\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by7fd.bay7.hotmail.msn.com/cgi-bin/...93f1f2e&fti=yes
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Check] scvhost.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8060.3000462963
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{566D12CB-046E-4892-8298-F5C820828C29}: NameServer = 209.198.87.24 209.198.87.40

Steve (Author) Posted August 5, 2004

There's only one thing in there I would be wary about but it isn't serious. Do you have Viewpoint Media Player installed? It can install when you install AOL Instant Messenger which I see from the log you have. There's some discussion as to whether Viewpoint is spyware, but if you don't use it, then remove it via Add/Remove Programs in the Control Panel.

There are a couple of minor changes you can make. Run Hijack This! again and this time check these items to be fixed.........

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab

Before you fix them, I'll tell you what they are........

The top one is the Real Player update control that runs in the background wasting memory. Definitely get rid of that. If you run a later log and you see it again, then search your PC for realsched.exe and rename it to realsched.old, then fix the entry using Hijack This! again. That file is not needed for Real Player to run. You might also consider replacing Real Player with Real Alternative.

The second one down is that Viewpoint thing. If you remove that with Add/Remove then that entry might not show in the log when you come to remove it. If it does, then get rid of it.

The third one down automatically checks for updates to Java. Again, it's not needed as you can do that manually when required. Remove that one.

The fourth one is to do with Nvidia drivers and again it's simply not needed. Remove it.

The last one is to do with Incredimail. If you use that program (shame on you!) then keep it, otherwise remove it.

Select whichever of those 5 you decide you want to remove, close ALL browser windows then hit Fix Checked. Then reboot and you should be sorted. You might not notice any difference, but there will be 4 fewer system processes running in the background on your machine, and one less dodgy browser helper object.

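A small triage script for logs in this layout, added here as an example; it is not HijackThis code and was not written by anyone in the thread. It parses the entry lines (R0/R1/R3/O2/O3/O4/O16 and so on) in the format shown in the logs above, applies the kinds of checks Steve does by eye (orphaned "(no file)" entries, start and search pages pointing somewhere the user never chose, auto-start programs living in data or temp folders, auto-start entries that give only a bare filename, O16 downloads that are raw .exe files), and compares a first scan with a later re-run so you can confirm an entry really went away, as Steve suggests doing with realsched.exe. The TRUSTED_HOSTS allowlist is a constructed assumption for one user, and the two sample logs are constructed from lines that appear in logs posted in this thread.

```python
"""Triage helper for HijackThis-style logs.

Added example for this thread; not part of HijackThis and not any poster's code.
It parses the entry lines in the layout visible in the logs above, flags entries
of the kinds the thread discusses, and diffs a 'before' scan against a re-run.
Assumptions: TRUSTED_HOSTS is a constructed allowlist for one user; the sample
logs are constructed from lines that appear in logs posted in this thread.
"""
import re
from urllib.parse import urlparse

# One HJT entry: a type tag such as O4 or R1, then " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<type>[RO]\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://\S+")

# Constructed allowlist: hosts this user actually wants as home/search page.
TRUSTED_HOSTS = {"www.google.co.uk", "www.msn.com"}

# Folders a legitimate auto-start program rarely runs from (checked on O4 lines).
SUSPICIOUS_DIRS = ("\\application data\\", "\\temp\\", "\\local settings\\")


def parse_log(text):
    """Return (type, body) for every entry line; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("type"), m.group("body")))
    return entries


def flag_entry(etype, body):
    """Return a reason to look closer at this entry, or None if it looks routine."""
    lower = body.lower()
    if "(no file)" in lower:
        return "orphaned entry: the referenced file is missing"
    if etype in ("R0", "R1", "R3"):
        m = URL_RE.search(body)
        if m:
            host = urlparse(m.group(0)).hostname
            if host and host not in TRUSTED_HOSTS:
                return f"start/search page points at untrusted host {host}"
    if etype == "O4":
        if any(d in lower for d in SUSPICIOUS_DIRS):
            return "auto-start program lives in a user data/temp folder"
        if "] " in body and "\\" not in body.split("] ", 1)[1]:
            return "auto-start given as a bare filename: log does not show where it loads from"
    if etype == "O16":
        m = URL_RE.search(body)
        if m and m.group(0).lower().endswith(".exe"):
            return "ActiveX download (DPF) entry points at a raw .exe"
    return None


def triage(text):
    """All flagged entries of a log as (type, body, reason), in log order."""
    out = []
    for etype, body in parse_log(text):
        reason = flag_entry(etype, body)
        if reason:
            out.append((etype, body, reason))
    return out


def diff_logs(before, after):
    """(entries that disappeared, entries that appeared) between two scans."""
    b, a = set(parse_log(before)), set(parse_log(after))
    return sorted(b - a), sorted(a - b)


# Constructed sample: a short header plus entries taken from logs in the thread.
BEFORE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com
R3 - URLSearchHook: (no name) - {A045DC85-FC44-45be-8A50-E4F9C62C9A84} - (no file)
O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Check] scvhost.exe
O4 - HKCU\..\Run: [Oamd] C:\WINDOWS\Application Data\btto.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553542500} - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CC} - http://direct.data-line.us/gbn298.exe
"""

# Constructed re-run of the same machine after the flagged entries were fixed.
AFTER_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553542500} - http://active.macromedia.com/flash2/cabs/swflash.cab
"""

if __name__ == "__main__":
    for etype, body, reason in triage(BEFORE_LOG):
        print(f"{etype}: {reason}\n    {body}")
    gone, new = diff_logs(BEFORE_LOG, AFTER_LOG)
    print(f"{len(gone)} entries removed, {len(new)} new entries after the fix")
```

Run it as a script to see the flagged entries; the diff is what you look at after the reboot and re-scan. A flag only means "look closer": whether an entry is actually unwanted is still a judgement call, as the thread shows with Viewpoint and Yahoo! Companion.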
Huw Posted August 5, 2004

Logfile of HijackThis v1.98.0
Scan saved at 22:42:19, on 05/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Canon\BJCard\Bjmcmng.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\PREVX\Prevx Home\PXAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Canon\BJPV\TVMon.exe
C:\Program Files\Canon\BJCard\BJLaunch.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\E-Color\Common\IconMgr.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\PREVX\Prevx Home\SAGUI.exe
C:\Program Files\E-Color\E-Color Indicator\TICIcon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Tim\Desktop\Huw\Apps\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_19_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [intelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [bJPD HID Control] C:\Program Files\Canon\BJPV\TVMon.exe
O4 - HKLM\..\Run: [bJLaunchEXE] C:\Program Files\Canon\BJCard\BJLaunch.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: E-Color.lnk = C:\Program Files\E-Color\Common\IconMgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: PowerReg Scheduler.exe
O4 - Global Startup: Prevx Home.lnk = C:\Program Files\PREVX\Prevx Home\SAGUI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab28177.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...s/yinst0401.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/060fd34065efe5863d16/...ip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partner...ler/install.cab
O16 - DPF: {BC01A402-4730-11D2-B36C-0000E8DF722B} (Illuminatus 4.5 IE Plugin) - http://www.digitalworkshop.co.uk/ilm450.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...352/mcfscan.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E1863F1-1B19-4E66-BE5A-51BE41C21E8B}: NameServer = 195.92.195.95 195.92.195.94
O17 - HKLM\System\CS1\Services\Tcpip\..\{0E1863F1-1B19-4E66-BE5A-51BE41C21E8B}: NameServer = 195.92.195.95 195.92.195.94

cheers

Steve (Author) Posted August 5, 2004

Do you use Yahoo! Companion? Personally I think it's toss. Anyway, you can remove it via Add/Remove in the Control Panel if it bothers you, otherwise keep it.

Also, is it worth having MSN Messenger set to start when you boot up? Do you use it that often? If you don't then disable it in the options menu of MSN. You can always start it from its shortcut or start menu entry.

You've got a couple of pieces of spyware for sure in that log. Here's a breakdown of the things I think you should remove..........

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - Global Startup: PowerReg Scheduler.exe
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partner...ler/install.cab

The first two are related to Nvidia drivers. You don't need them unless you have multiple monitors. If you don't then remove them.

The third is the updater for Java. Not needed as you can check manually from time to time. Remove it.

The fourth is to do with spyware. This brings targeted ads to your machine and definitely needs to go!

The final entry is to do with Wild Tangent, another company closely linked with spyware. Definitely remove this one.

Run Hijack This! again, check any of the items mentioned above that you choose to remove and click Fix Checked. Ensure there are NO browser windows open when you do this. Then simply reboot. You'll have three fewer processes running and you'll have removed two spyware elements meaning less ads and popups.

Huw Posted August 5, 2004

cheers mate. i have msn running pretty much all the time when the computer is on, either me, my brother or my sister are on most of the day...

Mixologist Posted August 7, 2004

Sigma, thanks for checking, haven't had time to do it though but soon lol

Steve (Author) Posted August 7, 2004

No problem mate. There was nothing to worry about in your log anyway. Just a couple of tweaks.

iexist Posted August 13, 2004

Yo Sigma, peep my log and tell me if anything is up cause I dont know what to make of any of this.

Logfile of HijackThis v1.98.2
Scan saved at 12:22:35 PM, on 8/13/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\iexist\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://minisearch.startnow.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startnow.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://minisearch.startnow.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab

Steve (Author) Posted August 13, 2004

Have you installed Limewire at any point in the past? Also, do you mean for your homepage to be that weird search engine?

iexist Posted August 13, 2004

yeah i installed limewire...still use it cause its the only good p2p search i know really.... and as for the search engine, i dunno what youre talkin about..so i would guess i didnt mean for that to be there.. my homepage is msn.com, but i remember at one point....my default search through my browser went through seek2seek or something like that. and seek2seek is garbage.

Steve (Author) Posted August 13, 2004

OK. Well uninstall Limewire cos it has spyware in it. No doubt that's what made your search options the way they are. Just go to Add/Remove programs in the control panel and get rid of it. You should also ditch that crap Panicware Popup Stopper while you're there because IE now has a popup stopper built in (as part of SP2). While you're removing those, look in Add/Remove and see if you can find an entry for Lime Shop or Limewire Shop and remove it. Don't worry if you can't find it.

After removing those items, run Hijack This! again and put a check mark next to any of these (some may not be there this time).........

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://minisearch.startnow.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startnow.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://minisearch.startnow.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - (no file)
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm

Make sure you don't miss any! Now make sure you have no browser windows open at all (IMPORTANT!) and hit Fix Checked.

Reboot your PC and remove these folders if they exist.............

C:\Program Files\Panicware
C:\Program Files\LimeShop

Then reboot again. Start IE and go to Tools then Internet Options. Click on the Programs tab and hit Reset Default Web Settings. You may need to reset your homepage to MSN after that but otherwise everything should be cool.

Doing the above will fix your spyware and browser hijacking issues and will also get rid of the screen that nags you to register your graphics card. Also, you have several Nvidia programs loading that don't need to be loaded - this fixes that too. Finally, you have a couple of extra programs (Qttask.exe and Realsched.exe) that don't need to be running all the time - again, this will fix that.

iexist Posted August 13, 2004

ok, well since im ridding of limewire, whats another search software to use? or is there? other than soulseek?

Steve (Author) Posted August 13, 2004

There's a few mate. See the thread in the DVKB about file sharing. There's a link to Kazaa Lite Resurrection in there. If you want a Gnutella client (same as Limewire) then try Shareaza..........

http://www.shareaza.com/?id=download

iexist Posted August 13, 2004

cool, appreciate the help sigma. you da man!!!!!! ima take care of that shit when i get back to my pad. im bout to go pick up my mixer in a few. holla back!

iexist Posted August 13, 2004

i found limeshop in my add/remove programs, but i cannot remove/uninstall it....nothing happens really....hmm

Steve (Author) Posted August 13, 2004

Don't worry about it man. Just follow the instructions above and delete the Limeshop folder. It might be an idea to run a decent registry cleaner once you've done all the stuff I said, just to tidy things up a bit.

iexist Posted August 13, 2004

yeah i have registry mechanic. you recommend something different?

Steve (Author) Posted August 13, 2004

No, not really mate. As long as you've used Registry Mechanic before and it works then it's fine. I use a program called RegSeeker although it probably does the same thing.

iexist Posted August 13, 2004

word, yeah man, seems up to par....umm, how do you uninstall hijackthis!..... when i go to delete it it says.... " blah blah blah, could make other programs not work..."

Steve (Author) Posted August 13, 2004

Hijack This! doesn't need uninstalling. It's just an executable file. You can just delete it by right clicking it and choosing delete. I see you've put it in a folder on the desktop, so just right click the folder and delete it. It's worth keeping the zip file you downloaded cos it's small and useful.

iexist Posted August 13, 2004

sigma = god

rygon Posted August 24, 2004 ok sigma..got my hijack thingy....

Logfile of HijackThis v1.97.7
Scan saved at 12:05:07, on 24/08/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = www.google.com
R3 - URLSearchHook: (no name) - {A045DC85-FC44-45be-8A50-E4F9C62C9A84} - (no file)
O2 - BHO: (no name) - {330bc580-c1e5-11d7-ba23-00d059ea5f63} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: (no name) - {330bc581-c1e5-11d7-ba23-00d059ea5f63} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [spySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [Oamd] C:\WINDOWS\Application Data\btto.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Corel Network monitor worker (HKLM)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker (HKLM)
O9 - Extra button: Corel Network monitor worker (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker (HKCU)
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {2C38A62E-D257-40E8-8BB7-5624E38FEB0A} - http://sm.sexhound.com/lsdialer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553542500} - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7862.4839351852
O16 - DPF: {FFFF0003-4547-101A-A3C9-08002B2F49FB} - http://www.dikai.com/em-meuk.exe
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CC} - http://direct.data-line.us/gbn298.exe
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CD} - http://direct.data-line.us/gbn298.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
Steve Posted August 24, 2004 Author OK mate well you have at least one trojan. This one.........

TrojanDownloader.Win32.Keenval

There is also one file on there that I am suspicious of because I don't know what it does and there is no reference to it on Google at all. That's this file here.............

O4 - HKCU\..\Run: [Oamd] C:\WINDOWS\Application Data\btto.exe

You also have at least one dialler (Sexhound dialler) but as you are using broadband that's not so much of a problem. All of this shit might be slowing you up though so you need to do this. I'm gonna include the btto.exe file in this cos I'm almost certain it's dodgy...............

Press Control/Alt/Delete and end the task for the following if they are running - don't worry if they're not.................

wupdater.exe
btto.exe

Now run Hijack This! again, close ALL browser windows and put a check mark next to the following and fix them. Make sure you get them all.............

R3 - URLSearchHook: (no name) - {A045DC85-FC44-45be-8A50-E4F9C62C9A84} - (no file)
O2 - BHO: (no name) - {330bc580-c1e5-11d7-ba23-00d059ea5f63} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: (no name) - {330bc581-c1e5-11d7-ba23-00d059ea5f63} - (no file)
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKCU\..\Run: [Oamd] C:\WINDOWS\Application Data\btto.exe
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {2C38A62E-D257-40E8-8BB7-5624E38FEB0A} - http://sm.sexhound.com/lsdialer.cab
O16 - DPF: {FFFF0003-4547-101A-A3C9-08002B2F49FB} - http://www.dikai.com/em-meuk.exe
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CC} - http://direct.data-line.us/gbn298.exe
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CD} - http://direct.data-line.us/gbn298.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

Now you need to empty out your temporary internet files. Next, reboot and delete the following............

C:\WINDOWS\Application Data\btto.exe
C:\Program Files\Common files\updater\wupdater.exe

Reboot one more time and you should be good to go.
Steve Posted August 24, 2004 Author I should just add that if you know what the btto.exe file is and you are certain it's safe then leave it alone. Otherwise include it in the removal steps above.
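As an added example (not from the thread, and not part of HijackThis itself), here is a small Python triage script that applies the three rules Steve uses above to a HijackThis-format log: entries whose target is "(no file)", O4 startup entries launching from a user-writable folder such as Application Data, and O16 DPF entries that fetch a bare .exe rather than a .cab. The sample log lines, CLSIDs and URLs below are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample in the HijackThis v1.97 log line format used in the
# thread (not a real machine's log); CLSIDs and URLs are illustrative.
SAMPLE_LOG = """\
R3 - URLSearchHook: (no name) - {A045DC85-FC44-45be-8A50-E4F9C62C9A84} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\\program files\\google\\googletoolbar1.dll
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - HKLM\\..\\Run: [AVG_CC] C:\\PROGRA~1\\GRISOFT\\AVG6\\avgcc32.exe /STARTUP
O4 - HKCU\\..\\Run: [Oamd] C:\\WINDOWS\\Application Data\\btto.exe
O16 - DPF: {00000000-0000-0000-0000-000000000001} (Example Control) - http://downloads.example.com/control.cab
O16 - DPF: {00000000-0000-0000-0000-000000000002} - http://direct.example.net/gbn298.exe
"""

# Every HijackThis entry starts with a section tag (R0..R3, O1..O16) and " - ".
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# Folders a legitimate Run entry rarely launches from on Win9x/XP.
USER_WRITABLE = ("\\application data\\", "\\temp\\", "\\local settings\\")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def triage(log_text: str) -> list[Finding]:
    """Return the log entries that match the thread's three triage rules."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header lines, the 'Running processes:' block, blanks
        section, body = m.group("section"), m.group("body")
        low = body.lower()
        if body.endswith("(no file)"):
            # Registry still references a component that is gone: an orphan
            # left by removed or half-removed software, safe to fix.
            findings.append(Finding(section, "orphaned entry", raw))
        elif section == "O4" and any(d in low for d in USER_WRITABLE):
            # Startup entry running an exe out of a user-writable folder.
            findings.append(Finding(section, "startup exe in user-writable path", raw))
        elif section == "O16" and low.rsplit(" - ", 1)[-1].endswith(".exe"):
            # Downloaded Program File that is a bare executable, not a .cab.
            findings.append(Finding(section, "DPF fetches a bare .exe", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.line}")
```

Flagged lines are candidates for the "fix" list, not verdicts; as the thread does with btto.exe, confirm what an unknown file is before removing it.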