Huw Posted September 28, 2004 Share Posted September 28, 2004 could you check my hijackthis! log please, i have been getting some weird things on my computer lately. cheers mate! Logfile of HijackThis v1.98.0Scan saved at 15:06:52, on 28/09/2004Platform: Windows XP SP1 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeC:\Program Files\Norton Internet Security\NISUM.EXEC:\WINDOWS\System32\ctfmon.exeC:\Program Files\PREVX\Prevx Home\SAGUI.exeC:\Program Files\E-Color\E-Color Indicator\TICIcon.exeC:\Program Files\Canon\BJCard\Bjmcmng.exeC:\WINDOWS\System32\drivers\CDAC11BA.EXEC:\Program Files\Norton Internet Security\ccPxySvc.exeC:\WINDOWS\System32\gearsec.exeC:\Program Files\Ahead\InCD\InCDsrv.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\Program Files\Norton AntiVirus\navapsvc.exeC:\WINDOWS\System32\nvsvc32.exeC:\Program Files\PREVX\Prevx Home\PXAgent.exeC:\Program Files\Web_Rebates\WebRebates1.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\iPod\bin\iPodService.exeC:\Program Files\Web_Rebates\WebRebates0.exeC:\Program Files\MSN Messenger\msnmsgr.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Documents and Settings\Tim\Desktop\Huw\Apps\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.htmlR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.comR1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.comO2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dllO2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dllO3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dllO3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocxO3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dllO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /iconO4 - HKLM\..\Run: [POINTER] point32.exeO4 - HKLM\..\Run: [nwiz] nwiz.exe /installO4 - HKLM\..\Run: [intelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"O4 - HKLM\..\Run: [bJPD HID Control] C:\Program Files\Canon\BJPV\TVMon.exeO4 - HKLM\..\Run: [bJLaunchEXE] C:\Program Files\Canon\BJCard\BJLaunch.exeO4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exeO4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exeO4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exeO4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXEO4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /backgroundO4 - Global Startup: E-Color.lnk = C:\Program Files\E-Color\Common\IconMgr.exeO4 - Global Startup: Prevx Home.lnk = C:\Program Files\PREVX\Prevx Home\SAGUI.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htmO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLLO9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXEO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXEO16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cabO16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...faa5d8e6cd7ad71O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab28177.cabO16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...s/yinst0401.cabO16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/060fd34065efe5863d16/...ip/RdxIE601.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095701599281O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cabO16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cabO16 - DPF: {BC01A402-4730-11D2-B36C-0000E8DF722B} (Illuminatus 4.5 IE Plugin) - http://www.digitalworkshop.co.uk/ilm450.cabO16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cabO16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cabO16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...352/mcfscan.cabO16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cabO17 - HKLM\System\CCS\Services\Tcpip\..\{0E1863F1-1B19-4E66-BE5A-51BE41C21E8B}: NameServer = 195.92.195.94 195.92.195.95O17 - HKLM\System\CS1\Services\Tcpip\..\{0E1863F1-1B19-4E66-BE5A-51BE41C21E8B}: NameServer = 195.92.195.94 195.92.195.95 Quote Link to comment Share on other sites More sharing options...
Steve Posted September 28, 2004 Share Posted September 28, 2004 I can see some shit in there mate. Gimme 20 minutes and I'll tell you what to do. I see Norton Internet Security is doing it's job. Quote Link to comment Share on other sites More sharing options...
Huw Posted September 28, 2004 Author Share Posted September 28, 2004 cheers mate. i think it would be my brother downloading stuff again, i dunno tho! Quote Link to comment Share on other sites More sharing options...
Steve Posted September 28, 2004 Share Posted September 28, 2004 OK. First press Control/Alt/Delete and end these tasks/processes if present: - WebRebates0.exeWebRebates1.exe Go into Add/Remove Programs and look for WebRebates and SyncroAd or anything similar and uninstall them. Also remove Yahoo! Companion while you're there. Now run HijackThis again and check off all of the following: - R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file) O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe" O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file) O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...faa5d8e6cd7ad71 Close ALL browser windows and hit Fix Checked. Now run Disc Cleanup from the Start menu and empty all your temp folders and the Recycle Bin. Search for these on your PC and delete them if they still exist: - C:\Program Files\Windows SyncroAd C:\Program Files\Web_Rebates Reboot, start IE and click Tools - Internet Options - Programs - Reset Web Settings. Then click on the General tab and re-enter your desired homepage and hit Apply then OK. Go to http://www.java.com and get the latest version of Java. Yours is out of date. Also consider removing Norton for something better! I suggest a combination of Sygate and Kaspersky. Quote Link to comment Share on other sites More sharing options...
Steve Posted September 28, 2004 Share Posted September 28, 2004 Oh yeah - Installing Service Pack 2 would be a good idea. It deals with some of the issues that allow crap to install on your PC without your knowledge. If you're gonna look at porn you need it. Quote Link to comment Share on other sites More sharing options...
Huw Posted September 28, 2004 Author Share Posted September 28, 2004 dope, cheers mate. syncro ad and yahoo companion weren't in the add/remove list though... Quote Link to comment Share on other sites More sharing options...
Steve Posted September 28, 2004 Share Posted September 28, 2004 I didn't think they would be mate. Quote Link to comment Share on other sites More sharing options...
Huw Posted September 28, 2004 Author Share Posted September 28, 2004 Logfile of HijackThis v1.98.0Scan saved at 15:47:00, on 28/09/2004Platform: Windows XP SP1 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeC:\Program Files\Norton Internet Security\NISUM.EXEC:\Program Files\Common Files\Symantec Shared\ccApp.exeC:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exeC:\Program Files\Microsoft Hardware\Mouse\point32.exeC:\Program Files\Microsoft Hardware\Keyboard\type32.exeC:\Program Files\Canon\BJPV\TVMon.exeC:\Program Files\Canon\BJCard\BJLaunch.exeC:\WINDOWS\System32\ctfmon.exeC:\Program Files\MSN Messenger\msnmsgr.exeC:\Program Files\E-Color\Common\IconMgr.exeC:\Program Files\PREVX\Prevx Home\SAGUI.exeC:\Program Files\E-Color\E-Color Indicator\TICIcon.exeC:\Program Files\Canon\BJCard\Bjmcmng.exeC:\WINDOWS\System32\drivers\CDAC11BA.EXEC:\Program Files\Norton Internet Security\ccPxySvc.exeC:\WINDOWS\System32\gearsec.exeC:\Program Files\Ahead\InCD\InCDsrv.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\Program Files\Norton AntiVirus\navapsvc.exeC:\WINDOWS\System32\nvsvc32.exeC:\Program Files\PREVX\Prevx Home\PXAgent.exeC:\Program Files\Messenger\msmsgs.exeC:\Documents and Settings\Tim\Desktop\Huw\Apps\HijackThis.exeC:\Program Files\Mozilla Firefox\firefox.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dllO2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dllO3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dllO3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocxO3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dllO4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /iconO4 - HKLM\..\Run: [POINTER] point32.exeO4 - HKLM\..\Run: [intelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"O4 - HKLM\..\Run: [bJPD HID Control] C:\Program Files\Canon\BJPV\TVMon.exeO4 - HKLM\..\Run: [bJLaunchEXE] C:\Program Files\Canon\BJCard\BJLaunch.exeO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartupO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exeO4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXEO4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /backgroundO4 - Global Startup: E-Color.lnk = C:\Program Files\E-Color\Common\IconMgr.exeO4 - Global Startup: Prevx Home.lnk = C:\Program Files\PREVX\Prevx Home\SAGUI.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLLO9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXEO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXEO16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cabO16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab28177.cabO16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...s/yinst0401.cabO16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/060fd34065efe5863d16/...ip/RdxIE601.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095701599281O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cabO16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cabO16 - DPF: {BC01A402-4730-11D2-B36C-0000E8DF722B} (Illuminatus 4.5 IE Plugin) - http://www.digitalworkshop.co.uk/ilm450.cabO16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cabO16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cabO16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...352/mcfscan.cabO16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab how does that look? Quote Link to comment Share on other sites More sharing options...
Steve Posted September 28, 2004 Share Posted September 28, 2004 It's clean mate. :regular_smile: Quote Link to comment Share on other sites More sharing options...
Huw Posted September 28, 2004 Author Share Posted September 28, 2004 fabulous. muchos gracias... Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.