0
   

Hjt log- browser hijack

Forums: Computers
Email this Topic Print this Page
 
 
dadpad
 
Reply Mon 26 Sep, 2005 06:39 am
i recieved good advice on a recent query re my inability to access microsoft update and thank timber for his time and trouble.
Following is a recent hijack this log
I have had trouble with browser hijacking but after following the instructions in the "do this first" thread believe i have this under control.
i would like it if someone (timberlandanko?) could look at this log and advise if there are any items that need attention. In particular i had trouble with "my websearch" and "new.net". I would also like any advice on Mru list. Spybot tells me there are 7 or 8 items in this list what does that mean and what do i do with it?
What is mailskinner?
I have bolded the entries that i dont recognise.
Can i safely remove those entries below with (file missing) added.
any other advice would be appreciated.

in addition i have posted the last ewido report made just prior to this hjt hope all this is usefull.
many thanks in anticipation.


Logfile of HijackThis v1.99.1
Scan saved at 8:03:28 PM, on 26/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\hjt\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EmpireEarthIISetup.exe] C:\DOWNLO~1\EMPIRE~1.EXE /r
O4 - HKCU\..\Run: [areslite] "C:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - HKCU\..\Run: [MailSkinner] c:\program files\mailskinner\mailskinner.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Documents and Settings\david.MP4DBD16CABA2C\Desktop\stuff\tempry\LimeWire\LimeWire.exe
O4 - Global Startup: AdwareFilter Background Protection.lnk = C:\Program Files\AdwareFilter\adwarefilter.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb055YYAU_ZNxdm119YYSE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123836844750
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37240.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4587/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C93162F-AE6C-4288-9769-20EE0D1BB071}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECEDF859-ECFB-4ED4-8C05-F21EED19AF94}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{6C93162F-AE6C-4288-9769-20EE0D1BB071}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\..\{6C93162F-AE6C-4288-9769-20EE0D1BB071}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CS3\Services\Tcpip\..\{6C93162F-AE6C-4288-9769-20EE0D1BB071}: Domain = vic.bigpond.net.au
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\Owner\Desktop\cwshredder.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:01:34 PM, 26/09/2005
+ Report-Checksum: ADA4DE24

+ Scan result:

HKU\S-1-5-21-448539723-839522115-725345543-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D} -> Spyware.MyWebSearch : Cleaned with backup
HKU\S-1-5-21-448539723-839522115-725345543-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA} -> Spyware.MyWebSearch : Cleaned with backup
HKU\S-1-5-21-448539723-839522115-725345543-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Spyware.NewDotNet : Cleaned with backup
HKU\S-1-5-21-448539723-839522115-725345543-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} -> Spyware.GameSpyArcade : Cleaned with backup
HKU\S-1-5-21-448539723-839522115-725345543-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
C:\Documents and Settings\keith\Cookies\[email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\keith\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup


::Report End
  • Topic Stats
  • Top Replies
  • Link to this Topic
Type: Discussion • Score: 0 • Views: 2,999 • Replies: 5
No top replies

 
timberlandko
 
  1  
Reply Mon 26 Sep, 2005 11:20 pm
I suggest you go to Add/Remove Programs and uninstall MailSkinner; while it is not clearly yuckware in-and-of-itself (there is discussion either way), over the past couple months it consistently has shown up in conjunction with yuckware. I suggest also you uninstall AdwareFilter; it is a known rogue antispyware app that itself serves adds, apart from providing false positives as a goad to purchase. If anything named or very closely resembling "MyWebSearch" "FunWebProducts", or "SmileyCentral" appears in Add/Remove Programs, uninstall that, too.

Print out these instructions, perform any recommended updates or online scans first, then, as directed, disconnect from the internet and remain disconnected until the process has been completed and you are advised to reconnect and post your results here. Please be sure to perform the steps in the order and manner listed.

Update Ad Aware SE, EWIDO, Microsoft Antispyware, and Spybot S&D, without running scans; just update them and close them.


Go to TrendMicro Housecall, and run the free online spyware scan, saving the report when it has completed, then run the free virus scan, saving its report only if it reports it detected but could not clean or delete something.

With that done, disconnect from the internet (if necessary, physically unplug your phoneline or your broadband interface cable from your machine) and with no other windows or browsers running, launch HJT, and place a checkmark next to each of ONLY these entries, if found:

O4 - HKCU\..\Run: [MailSkinner] c:\program files\mailskinner\mailskinner.exe
O4 - Global Startup: AdwareFilter Background Protection.lnk = C:\Program Files\AdwareFilter\adwarefilter.exe
O8 - Extra context menu item: Search-http://bar.mywebsearch.com/menusearch.html?p=ZSzeb055YYAU_ZNxdm119YYSE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\Owner\Desktop\cwshredder.exe (file missing)

Note: the text string highlighted above in red may appear as a different random text string; what you are looking for is anything related to "mywebsearch"

Click "Fix Checked". When the process has completed, do not reboot; search for and delete if found the following folders:

C:\Program Files\MailSkinner <--- Delete just the named subfolder (in bold), not the parent folder.
C:\Program Files\AdwareFilter <--- Delete just the named subfolder (in bold), not the parent folder.
C:\Program Files\MyWebSearch <--- Delete just the named subfolder (in bold), not the parent folder.

Assuming you have performed the downloads and installs recommended in the preliminary yuckware removal process, you should have CCleaner installed. Launch it, and perform a full system scan-and-clean, then boot into safe mode.

Launch Ad-Aware SE, and perform a full system scan-and-clean per the instructions outlined in the preliminary yuckware removal process. Unless prompted by Ad-Aware SE to reboot to permit running at startup in order to complete a removal, do not reboot. If Ad-Aware SE does request permission to run at next boot, permit it, reboot normally, let the scan-and-clean run to completion, then reboot into safe mode once more.

When Ad-Aware SE has completed, launch Microsoft Antispyware, and perform a full system scan-and-clean per the instructions outlined in the preliminary yuckware removal process. When the scan-and-clean has completed, do not reboot.

Launch EWIDO, and perform a full system scan-and-clean per the instructions outlined in the preliminary yuckware removal process. When the scan-and-clean has completed, save the log and do not reboot.

Launch Spybot S&D, and perform a full system scan per the instructions outlined in the preliminary yuckware removal process, fixing anything Spybot S&D finds and reports in red. Unless prompted by Spybot S&D to reboot to permit running at startup in order to complete a removal, do not reboot. If Spybot S&D does request permission to run at next boot, permit it, reboot normally, let the scan run to completion, fixing anything Spybot S&D finds and reports in red, then reboot into safe mode once more.

Launch CCleaner, select "Issues", select "Scan for Issues", and when the scan has completed, select "Fix Selected Issues". You will be asked if you wish to create a registry backup - click "Yes" and note where the backup will be placed (by default, that will be in your "My Documents" folder - I think it better to create a daughter folder named something like "Backups" within CCleaner's parent folder in your Programs folder). Select "Fix All Issues" and confirm. Do not reboot,

Still in CCleaner, select "Cleaner" and perform a full system scan-and-clean. Reboot normally.

When your machine has rebooted, but not connected to the internet, immediately run HJT, fixing nothing, just saving the log, then run EWIDO, saving its log.

Connect to the internet, navigate back here, and post the Trend Antispyware log, both EWIDO logs, and the HJT log. Post the Trend Antivirus log only if it reported it detected but could not clean or delete something.
0 Replies
 
timberlandko
 
  1  
Reply Mon 26 Sep, 2005 11:29 pm
Addendum -
dadpad wrote:
I would also like any advice on Mru list. Spybot tells me there are 7 or 8 items in this list what does that mean and what do i do with it?

That's a non-critical item - a "Most Recently Used" list,you may clear it or not at your option.
Quote:
What is mailskinner?

As mentioned above, it appears to be related to Smiley Central/FunwebProducts, and while it is new, it has all the hallmarks of being something most folks don't want. I'll have a better idea what's up with it when I see your next logs - it may be something thats gonna require a bit more work.

Quote:
I have bolded the entries that i dont recognise.
Can i safely remove those entries below with (file missing) added.
any other advice would be appreciated.

Anything listed as "File Missing" should be fixed; its an orphan registry entry pointing nowhere.
0 Replies
 
dadpad
 
  1  
Reply Tue 27 Sep, 2005 08:55 am
Following are hjt and ewido logs as requested.
some notes
No enteries resembling mailskinner, adwarefilter, mywebsearch.funwebs or smiley central appear in add/remove programs. 2 programs without names were present. I will uninstall these asap.

no new updates were available for any spyware scanning tools used

no option appeared to be available to save a report in trend micro spywear scan some items were detected and cleaned. I tried to copy past the report but was unsuccessfull.

nothing detected in trend micro virus scan

I have discovered it is usefull toindividually scan each user account. (there are 4 user accounts) it may be usefull to mention this in your preliminary threads.

hjt log files delete........ as suggested files deleted

an error message was recieved. error#52 Bad file name or number in sub getlongpath(?.exe)
I ran hjt in user 1 and "fixed" files as suggested. I "switched" user accounts to user 2 and ran a second hjt scan, 1 mywebsearch file name was apparent and i attempted to "fix", this is when the error message appeared. I again switched users and logged off user 1, logged back into user 2 and ran a further hjt scan no "mywebs" files were apparent. and no error message came up.

In C:\program files I deleted 1 "mywebs" (note the name as "mywebs" not "mywebsearch") file.

in safe mode ad aware needed to be reconfigured (and needs to be reconfigured before each use)

I have also spent some time deleting "limewire" files from "my docs", "program files" and sundry other folders.

Again many thanks for your assistance It would be customary here to provide you with a 6 pack timber' but this would seem a tad difficult. perhaps you would be satisfied with the thought. Its the thought that counts. Very Happy



FIRST EWIDO RUN
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:20:21 PM, 27/09/2005
+ Report-Checksum: 3A4999B6

+ Scan result:

C:\Documents and Settings\keith\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\WINDOWS\system32\EGDACCESS_1064.dll -> Dialer.Generic : Cleaned with backup


::Report End

LAST HJT RUNLogfile of HijackThis v1.99.1
Scan saved at 12:19:58 AM, on 28/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\svchost.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123836844750
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37240.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4587/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C93162F-AE6C-4288-9769-20EE0D1BB071}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECEDF859-ECFB-4ED4-8C05-F21EED19AF94}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{6C93162F-AE6C-4288-9769-20EE0D1BB071}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\..\{6C93162F-AE6C-4288-9769-20EE0D1BB071}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CS3\Services\Tcpip\..\{6C93162F-AE6C-4288-9769-20EE0D1BB071}: Domain = vic.bigpond.net.au
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

LAST EWIDO RUN
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:07:21 AM, 28/09/2005
+ Report-Checksum: 8B27AAFE

+ Scan result:

No infected objects found.


::Report End
0 Replies
 
timberlandko
 
  1  
Reply Tue 27 Sep, 2005 10:40 am
Good feedback, and pretty good looking log. There's one orphan entry that should be fixed by HJT:

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

Other than that, looks like you're good to go. Test your system for a while to make sure things are as they should be, then run a full system scan-and-clean with CCleaner, reboot into safe mode, defrag your machine, and go ahead and reenable System Restore. Stay Safe Out There
0 Replies
 
dadpad
 
  1  
Reply Wed 28 Sep, 2005 02:06 am
My symantec anti virus reports it is unable to scan
error message reads..... could not start scan engine returned error#0x2000058.
auto protect is reports it is enabled. this is not a real drama at this stage but worth noting. I will add/remove and reinstall from disc and see what happens.
0 Replies
 
 

Related Topics

Super cool computer tricks, for dopes like me. - Discussion by OCCOM BILL
Clone of Micosoft Office - Question by Advocate
Do You Turn Off Your Computer at Night? - Discussion by Phoenix32890
The "Death" of the Computer Mouse - Discussion by Phoenix32890
Windows 10... - Discussion by Region Philbis
Surface Pro 3: What do you think? - Question by neologist
Windows 8 tips thread - Discussion by Wilso
Mac help/can't install new printer, don't remember passwd - Discussion by ossobuco
GOOGLE CHROME - Question by Setanta
.Net and Firefox... - Discussion by gungasnake
Hacking a computer and remote access - Discussion by trying2learn
 
  1. Forums
  2. » Hjt log- browser hijack
Copyright © 2024 MadLab, LLC :: Terms of Service :: Privacy Policy :: Page generated in 0.03 seconds on 05/05/2024 at 06:01:59