#1
Had all the 'right' un's I thought; [AdAw, SpyBotS&D, SpyBlaster, etc], but suddenly found I couldn't System Restore, had changed Browser warnings that immunisation didn't cure, and a lot of 'wrong paths' on SpyBot log. Think I'm going to have to end up restoring Windows XP Pro, and dreading the thought ~ will the fact that I'm awaiting a new XP Pro laptop maybe help the restoration process ~ Here's my HijackThis log! Anyone not mind helping an old geeza?
Logfile of HijackThis v1.97.7
Scan saved at 15:29:25, on 20/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\SYSTEM32\tbctray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\DigiGuide\client01.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\MiniPopupKiller\mpk.exe
C:\AstroWare\SolarFire\SOLFIRE.EXE
C:\Documents and Settings\E.H.Bayley\Desktop\Downloaded Spyware Programmes\HiJack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/u...en/default.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/u...en/default.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\downloaded programs\adobeacrobat\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2645D297-DD4B-4DD3-BAB0-34D4BB8F7EE6} - C:\Program Files\MiniPopupKiller\cpw.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WinPatrol PLUS] C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [SBAutoUpdate] "C:\Program Files\SpywareBlaster\sbautoupdate.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\SYSTEM32\tbctray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: DigiGuide.lnk = C:\Program Files\DigiGuide\client.exe
O4 - Startup: Launch Microsoft Outlook.lnk = C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin6.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {00000000-0000-0000-0000-000020030000} - http://www.accessoveloce.com/eno/x/enscp1x.exe
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {034CC2DC-3245-4B26-B5C7-7B8777739CB7} - http://64.156.31.70/058623uk.exe
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binarie...tc32_EN_XP.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} - http://www.cult3d.com/download/cult.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - http://office.microsoft.com/officeup...ntent/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {42F2D240-B23C-11D6-8C73-70A05DC10000} - http://64.156.31.77/058716uk.exe
O16 - DPF: {469843DD-EBB3-4661-B0A6-E6FE590240C9} - http://olympustele.com/connect/dialer.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - http://moneymanager.egg.com/activex/accounttracking.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productu...ntent/opuc.cab
O16 - DPF: {7380B862-BA18-4529-8972-C66B82AA5D1D} (AccountTracking Class) - http://moneymanager.egg.com/customer...nttracking.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...616.4453819444
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/sof...iveXPlugin.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} - http://livenj01.rightnowtech.com/wil.../java/RntX.cab
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.33/EPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA2C486B-A9E2-45B2-9DBF-D3A40B1DBB4A}: NameServer = 158.152.1.58,158.152.1.43
#2
Hi Apogean,
That log looks ok. Hope all is well again.
Cheers,
#3
Thanks for that Unzy!
Having said that, I am still perturbed to understand why AdAware daily, on boot-up, still detects:

POSSIBLE BROWSER HIJACK ATTEMPT
obj[0]=RegData : Software\Microsoft\Internet Explorer\Main
obj[1]=RegData : Software\Microsoft\Internet Explorer\Main

which is also daily reported by SpyBot and SpyBlaster as an attempt to change my IE browser, [set by me to about:blank as my preference; and which I daily ask it to be restored to, having quarantined the above AdAw objects]. Spyblaster indicates http://www.microsoft.com/isap/redir.dll?prd={SUB_PRD}&cid={SUB_CLSID}&pver}={SUB_PVER}ar=home is the intended change. I am beginning to wonder whether both refer to about:blank and I am facilitating circular paths?

Having investigated my inability to System Restore to any date earlier than April this year, and my Event Log, I have realised that my Windows XP Pro registry has been interfered with or is corrupt [COMDLG32.OCX cannot be located, and 0xc0000001 errors], and seemingly will have to be reinstalled. This fills me with some trepidation. Will my, now imminent, receipt of a new Windows XP Pro laptop maybe enable me to secure such reinstallation on my Desktop PC in what would decidedly be a less hazardous route than the norm with just a standalone?

Your aid is very much appreciated as I am entering upon foreign territory!

Regards . . . Apogean
#4
The fact that you have set your homepage to "about:blank" is the cause of these warnings.
This setting can also be caused by one of the nastiest Coolweb variants, which is identified, but not totally removed, by AdAware. The program is unable to tell that this is a legitimate blank, and not a CW blank! There are two alternatives: either live with the warnings, or change your homepage.
#5
Thanks for that Dave!
#6
Although they are probably under control by SpywareBlaster, I would fix these entries:

O16 - DPF: {00000000-0000-0000-0000-000020030000} - http://www.accessoveloce.com/eno/x/enscp1x.exe
O16 - DPF: {034CC2DC-3245-4B26-B5C7-7B8777739CB7} - http://64.156.31.70/058623uk.exe
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binari...dtc32_EN_XP.cab
O16 - DPF: {42F2D240-B23C-11D6-8C73-70A05DC10000} - http://64.156.31.77/058716uk.exe
O16 - DPF: {469843DD-EBB3-4661-B0A6-E6FE590240C9} - http://olympustele.com/connect/dialer.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - http://moneymanager.egg.com/activex/accounttracking.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/so...tiveXPlugin.cab
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.33/EPlugin.cab

Put a checkmark in front of them in HijackThis, close all IE windows and click Fix checked.

Regards, Pieter
__________________
Regards, Pieter
It's nice to be important, but it's more important to be nice. It's human to make mistakes. It's even more so to blame the computer for it.
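A small triage script, added here as an illustration and not part of this thread or of HijackThis itself, that pulls the O16 (Downloaded Program Files) entries out of a pasted log and flags the ones a helper would look at first: downloads served from a bare IP address, direct .exe payloads, and anything whose file name says dialer. The sample lines are copied from the log above; the heuristics are mine, not HijackThis's, and are review aids rather than verdicts.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# HijackThis O16 line: "O16 - DPF: {CLSID} (Optional friendly name) - URL"
O16_RE = re.compile(r"^O16 - DPF: \{([0-9A-Fa-f-]{36})\}(?: \(([^)]*)\))? - (\S+)$")


def parse_o16(line):
    """Return (clsid, name, url) for an O16 entry, or None for any other line."""
    m = O16_RE.match(line.strip())
    if not m:
        return None
    clsid, name, url = m.groups()
    return clsid.upper(), name or "", url


def is_bare_ip(host):
    """True when the download host is a literal IP rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_o16(lines):
    """Map each flagged O16 URL to the list of reasons it was flagged."""
    flagged = {}
    for line in lines:
        parsed = parse_o16(line)
        if parsed is None:
            continue
        parts = urlsplit(parsed[2])
        filename = parts.path.rsplit("/", 1)[-1].lower()
        reasons = []
        if is_bare_ip(parts.hostname or ""):
            reasons.append("served from bare IP")
        if filename.endswith(".exe"):
            reasons.append("direct .exe download")
        if "dialer" in filename:
            reasons.append("dialer component")
        if reasons:
            flagged[parsed[2]] = reasons
    return flagged


# Constructed sample: O16 lines from the log in this thread, one benign QuickTime
# entry for contrast, and one non-O16 line the parser must ignore.
SAMPLE_LOG = """\
O16 - DPF: {00000000-0000-0000-0000-000020030000} - http://www.accessoveloce.com/eno/x/enscp1x.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {034CC2DC-3245-4B26-B5C7-7B8777739CB7} - http://64.156.31.70/058623uk.exe
O16 - DPF: {469843DD-EBB3-4661-B0A6-E6FE590240C9} - http://olympustele.com/connect/dialer.cab
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.33/EPlugin.cab
O9 - Extra button: Messenger (HKLM)
"""
```

Run `triage_o16(SAMPLE_LOG.splitlines())` to get the flagged URLs with their reasons; the QuickTime entry comes back clean and the O9 line is skipped.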
#7
Thanks for that Pieter! I'll do it straight away
~ Regards Apogean