[Done] hijack log review

Discussion in 'adware, spyware & hijack cleaning' started by blitzburgh21, Jun 24, 2004.

Thread Status:
Not open for further replies.
  1. blitzburgh21
    Offline

    blitzburgh21 Registered Member

    Hey, can I email my hijack log to one of you cuz my pc wont allow me to post that big of an amount. i just need a normal check up. Thanks a ton.
  2. snapdragin
    Offline

    snapdragin Administrator

    Re: hijack log review

    Hi blitzburgh21,

    You can upload the Hijackthis.log (best to change the extension from .log to .txt) as an attachment in your next reply post.

    When you click on the Post Reply button, just scroll down the page a bit and click on the "Manage Attachments" button. A box will pop up, and where it says: File to Upload, click on the "Choose" button. This will open a disply to your hard drive where you can navigate to the Hijackthis.txt file and choose it. Then click on the "Upload" button, and in a few minutes the file will attach to your post here. Then just click on the "Submit Reply" button and your post will show up in your thread along with the attachment. :)

    Regards,

    snap
  3. blitzburgh21
    Offline

    blitzburgh21 Registered Member

    Re: hijack log review

    I tried doing exactly what you said but it just isn't working for me.
  4. snapdragin
    Offline

    snapdragin Administrator

    Re: hijack log review

    Hi litzburgh21,

    Save the hijackthis.log file as hijackthis.txt and email it to me. You can find my email addy in my Profile. Look under the "Additional Information" section in the lower left. When I receive it, I'll copy & paste it here in your thread. :)

    Regards,

    snap
  5. blitzburgh21
    Offline

    blitzburgh21 Registered Member

    Re: hijack log review

    Alright, I'll do that. Thanks a bunch.


    added received hijackthis log - snap


    Logfile of HijackThis v1.97.5
    Scan saved at 10:52:54 PM, on 6/27/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)


    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\Nhksrv.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\DIGStream\digstream.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nfl.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\PROGRA~1\INTERN~3\inetkw.dll
    O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINDOWS\System32\SWin32.dll
    O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
    O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem218.dll
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem218.dll
    O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: rcddtreaell - {9564c979-c46a-45a6-ae18-e98b9d56378c} - C:\DOCUME~1\ERICRU~1\APPLIC~1\qussslcrlld.dll (file missing)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Ktm8r9.exe
    O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~3\inetmgr.exe
    O4 - HKLM\..\Run: [_10000C] C:\WINDOWS\System32\_10000C.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: ChatSpace Full Java Client 2.1.0.84 - http://about.chatspace.com/Java/cs4fs084.cab
    O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud3.sports.sc5.yahoo.com/java/y/nflgcst1008_x.cab
    O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1069623962731
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
    O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50151/QDow_AS2.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.zoomify.com/download/zoomify204.cab
    O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://3dgamers.tukati.com/tukati/1.6.9.9/tukati.cab
    Last edited by a moderator: Jun 28, 2004
  6. snapdragin
    Offline

    snapdragin Administrator

    Re: hijack log review

    Hi blitzburgh21,

    Before you start, create a permanent folder on your C: drive (example: C:\HJT) and move HijackThis into it's own folder. HijackThis must run from it's own folder as It creates backups in the folder it is ran from, so if you should need to put anything back, you will have those backups to restore from.

    Next, make sure you have all files and folders viewable:
    Click Start > My Computer >Select the Tools menu >click Folder Options >Select the View Tab. Under the "Hidden files and folders" heading, select Show hidden files and folders. UN-check the "Hide protected operating system files (recommended)" option. Then click Yes.

    I am not seeing the usual random exe files running for peper, but just to be on the safe side, click here to download the PeperFix tool.
    Save it to your desktop then doubleclick on it. Click 'Find and Fix' and let it run. You must be connected to the internet for it to work.
    reboot if prompted.

    _____

    Rescan with Hijackthis and place a check beside the following items in HijackThis.
    Close ALL browsers and any other open windows, except HijackThis, and click *Fix checked:

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\PROGRA~1\INTERN~3\inetkw.dll
    O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINDOWS\System32\SWin32.dll
    O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
    O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem218.dll
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll
    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem218.dll

    O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
    O3 - Toolbar: rcddtreaell - {9564c979-c46a-45a6-ae18-e98b9d56378c} - C:\DOCUME~1\ERICRU~1\APPLIC~1\qussslcrlld.dll (file missing)

    O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Ktm8r9.exe
    O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~3\inetmgr.exe
    O4 - HKLM\..\Run: [_10000C] C:\WINDOWS\System32\_10000C.exe

    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50151/QDow_AS2.cab
    http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.zoomify.com/download/zoomify204.cab

    Reboot your computer into Safe Mode by tapping the F8 key just before windows begins to load.

    Find and delete the following listed in bold:
    C:\WINDOWS\System32\Ktm8r9.exe
    C:\WINDOWS\System32\automove.exe
    C:\WINDOWS\System32\_10000C.exe
    C:\Program Files\Internet Keyword <--the entire folder

    While still in safe mode, navigate to to C:\Documents and Settings\your user name\Local Settings\Temp\ <--- select everything in that folder and delete it (do not delete the Temp folder itself though).

    Then navigate to the C:\windows\temp\ and delete everything in there too except the following folders, Temporary Internet Files, Cookies and History folders (leave those)

    And clear your IE cache: open IE --> Tools --> Internet Options --> click on "Delete Files" and put a check in the box for "Off line contents", click OK, then click the "History" button, then click "yes" to clear it, then "OK" to close the Internet Options Panel.


    *******

    Reboot your computer normally.

    Then before you do anything else, go to Microsoft's Update Site, download and install ALL the Critical Updates listed for XP and IE6 installed.

    Followup with a scan from Spybot S&D and AdAware6.

    Download Spybot Search&Destroy, install, and bring it up-to-date by pressing the "OnLine" button, then the "Search for Updates" button.

    1. Put a check inside the items listed for download and install them.
    2. Then click on "Check for Problems". Have Spybot remove all that it lists in RED.
    3. Once Spybot S&D is finished removing the items, close the program and restart your computer.

    Download Ad-Aware6, install, and bring it up-to-date by clicking on the program's webupdate (the globe icon), then click the "connect" button to download the most recent Reference-file.

    Follow these instructions for setting up Ad-Aware for a full scan:
    How To Perform a "Full Scan" with Ad-Aware6.

    Then do a system scan at one of these on-line scan sites: Free Services

    Rescan with Hijackthis and post a new log here in this thread to be checked.

    Regards,

    snap

    PS - because you will be going into safe mode, you may want to print these instructions out first, or save them to a .txt file so you can easily follow them.
    Last edited: Jun 28, 2004
  7. snapdragin
    Offline

    snapdragin Administrator

    Re: hijack log review

    Re-opened thread to post Log received by email - snap


    Here's the log:

    Logfile of HijackThis v1.97.5
    Scan saved at 6:33:12 PM, on 7/9/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
    C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
    C:\WINDOWS\DELLMMKB.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\MSGINAV.EXE
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\CursorXP\CursorXP.exe
    C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Program Files\Netropa\OSD.exe
    C:\WINDOWS\Nhksrv.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nfl.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: rcddtreaell - {9564c979-c46a-45a6-ae18-e98b9d56378c} - C:\DOCUME~1\ERICRU~1\APPLIC~1\qussslcrlld.dll (file missing)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
    O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Microsoft Gina V Encryption] MSGINAV.EXE
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
    O4 - HKCU\..\RunOnce: [Microsoft Gina V Encryption] MSGINAV.EXE
    O4 - Startup: QuickShelf '95.lnk = C:\BOOKS95\QSHELF95.EXE
    O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
    O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
    O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: ChatSpace Full Java Client 2.1.0.84 - http://about.chatspace.com/Java/cs4fs084.cab
    O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud3.sports.sc5.yahoo.com/java/y/nflgcst1008_x.cab
    O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1069623962731
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://3dgamers.tukati.com/tukati/1.6.9.9/tukati.cab
  8. snapdragin
    Offline

    snapdragin Administrator

    Re: hijack log review

    Hi blitzburgh21,

    I apologize for the delay in replying to your thread (I missed the email you sent me with the above revised log).

    You do still need to put Hijackthis.exe into a folder of it's own.

    First, uninstall the Viewpoint Manager through the Add/Remove Programs in the Control Panel.

    Then reboot your computer into Safe Mode by tapping the F8 key just before windows begins to load.

    With only Hijackthis open, and all other browsers closed, place a check beside the following and click *Fix checked:

    O3 - Toolbar: rcddtreaell - {9564c979-c46a-45a6-ae18-e98b9d56378c} - C:\DOCUME~1\ERICRU~1\APPLIC~1\qussslcrlld.dll (file missing)
    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll

    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML


    Delete the following folder:

    C:\Program Files\Viewpoint <--the folder

    _______

    I am not finding anything on this file. It could be related to Encarta's Dictionary. Do you recognize it? If not, include it also to be fixed.
    O4 - Startup: QuickShelf '95.lnk = C:\BOOKS95\QSHELF95.EXE


    I also could not find very much information on this file either, but it is suspicious. Do you recognize it at all? If not, please include it with the above to be fixed.

    O4 - HKLM\..\Run: [Microsoft Gina V Encryption] MSGINAV.EXE
    O4 - HKCU\..\RunOnce: [Microsoft Gina V Encryption] MSGINAV.EXE

    Could you please zip up a copy of the msginav.exe (it can be found in the C:\Windows\System32 folder) and email it to the following addresses for analysis. Include a link back to this thread in the body of the email. (Don't confuse it with the Msgina.dll which is a legitimate windows file.)

    submit AT diamondcs.com.au
    samples At nod32.com

    (replace the At with @)

    Next, upload the 'msginav.exe' file at Kaspersky for a scan. (let me know what the scan results are please).

    You may have to configure your computer to show Hidden Files and Folders
    Click Start > My Computer >Select the Tools menu >click Folder Options >Select the View Tab.
    Under the "Hidden files and folders" heading, select Show hidden files and folders.
    UN-check the "Hide protected operating system files (recommended)" option.
    Then click Yes.


    Reboot your computer back into normal mode, and download the newest version of Hijackthis 1.98.0-hotfix. Put it into a folder of it's own, please.

    You still need to go to Windows Update and download and install ALL "Critical Updates and Service Packs". The Service Packs and Critical Updates will patch numerous security holes in IE and Windows, otherwise you are going to get reinfected over and over again.

    Once you have done the above, please rescan with hijackthis, and copy & paste the log here in your next reply.

    Regards,

    snap
  9. blitzburgh21
    Offline

    blitzburgh21 Registered Member

    Re: hijack log review

    ok thanks snap. Hey dont worry about the late reply, u guys seem like u already work your butts off enough! anyways, i'll do everything u said above, but the windows update will not work for me. the main problem is my d-link adapter. another friend that i know has d-link has the same problems with me. the page just wont load and eventually says page cannot be displayed after a few minutes. i dunno if its interference or what between rooms. i got 54 mbps though, which isnt bad right? could u tell me if u know any possible solutions?
  10. snapdragin
    Offline

    snapdragin Administrator

    Re: hijack log review

    Hi blitzburgh21,

    I have a D-Link (604) also, and I have no problems getting to any pages. Is it just the on-line scan sites you are unable to get to load? (sorry, I just re-read your post and for some reason the brain saw on-line scans rather than Windows Update. Still, good to check the hosts file just in case. ;)

    You could check your Hosts file to make sure it hasn't been compromised.

    Download Toadbee's hoster: http://members.aol.com/toadbee/hoster.zip
    Unzip the hoster.exe to a permanent folder (example c:\hoster). Double-click the 'hoster.exe' file and the contents of the Hosts file will appear in the window on the left. You will be able to edit, remove unwanted lines, and save the Hosts file.

    If there are lines below this one:
    127.0.0.1 localhost

    And you did not enter them yourself, then you can click the "Restore Original Hosts" button. That will remove any lines below the localhost line.

    If the Hosts file is normal, then it may be something else blocking you from the site. You may be able to get to the sites after fixing the above files.

    Let me know how it goes.

    Regards,

    snap

    *just thought of something else. Make sure you have Active X enabled for the Windows Update site. Probably the best way is to just open IE -->Tools -->Internet Options and click on Security Tab (make sure you are in the Internet Zone) and click the "Default Level" button. Ok your way out and try Windows Update again.
    Last edited: Jul 26, 2004
  11. blitzburgh21
    Offline

    blitzburgh21 Registered Member

    Re: hijack log review

    ok, thanks alot. i'll try everything u said! hopefully that will fix up some things.
  12. blitzburgh21
    Offline

    blitzburgh21 Registered Member

    Re: hijack log review

    Hey, well, that old log was missing some things strangely that u told me to download. and i couldn't find that exe file u wanted me to send you. i looked all through that folder. i'll just send you a new hijack log from the updated hijackthis. o yea, and can u tell me how to put something in "a folder of its own?" thanks. im sending u the email now.
    btw, the dlink still doesnt let me use windows update. also, i cant search ebay or upload pics on my website either. my friend has the exact same problems with his too and he has a dlink adapter. i did those things on my grandparents pc and it worked fine.
  13. snapdragin
    Offline

    snapdragin Administrator

    Re: hijack log review

    Posting log received by email


    Logfile of HijackThis v1.98.1
    Scan saved at 2:22:56 PM, on 8/5/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
    C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
    C:\WINDOWS\DELLMMKB.EXE
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\DIGStream\digstream.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\CursorXP\CursorXP.exe
    C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
    C:\WINDOWS\Nhksrv.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Program Files\Netropa\OSD.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Eric Russell\Desktop\HijackThis1981.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nfl.com/
    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
    O2 - BHO: G1.GZ - {79C03BC5-6C55-4B5B-921F-C02B6F1ABD7B} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Pribi\Pribi.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: rcddtreaell - {9564c979-c46a-45a6-ae18-e98b9d56378c} - C:\DOCUME~1\ERICRU~1\APPLIC~1\qussslcrlld.dll (file missing)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
    O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
    O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Microsoft Gina V Encryption] MSGINAV.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
    O4 - HKCU\..\Run: [\Pribi.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Pribi\Pribi.exe
    O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - Startup: QuickShelf '95.lnk = C:\BOOKS95\QSHELF95.EXE
    O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
    O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: ChatSpace Full Java Client 2.1.0.84 - http://about.chatspace.com/Java/cs4fs084.cab
    O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud3.sports.sc5.yahoo.com/java/y/nflgcst1008_x.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://3dgamers.tukati.com/tukati/1.6.9.9/tukati.cab
  14. snapdragin
    Offline

    snapdragin Administrator

    Re: hijack log review

    Hi blitzburgh21,

    I found this site that does an excellent job of describing how to create a new folder: http://russelltexas.com/malware/createhjtfolder.htm
    (Scroll down that page a bit until you come to the words "Important: Create a folder on the C: drive called C:\HJT.", then follow the instructions)

    Once you have made the new folder on your C drive, move Hijackthis.exe off of your desktop and into the new folder.

    Next, make sure you have all files and folders viewable:
    How to Show Hidden Files and Folders

    Since you will be doing this while disconnected from the internet and in safe mode, so you may want to save the following instructions to a .txt document so you can read it easily while off-line (or you can print it out, whichever is easiest for you).

    Disconnect from the internet.

    Boot your computer into safe mode by tapping the F8 key just before windows begins to load.
    Here are more instructions on how to get into Safe Mode.


    Make sure you do not have any browsers open.
    Re-scan with Hijackthis and place a check beside the following items, then press *Fix checked:

    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll

    O2 - BHO: G1.GZ - {79C03BC5-6C55-4B5B-921F-C02B6F1ABD7B} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Pribi\Pribi.dll

    O3 - Toolbar: rcddtreaell - {9564c979-c46a-45a6-ae18-e98b9d56378c} - C:\DOCUME~1\ERICRU~1\APPLIC~1\qussslcrlld.dll (file missing)

    O4 - HKLM\..\Run: [Microsoft Gina V Encryption] MSGINAV.EXE
    O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
    O4 - HKCU\..\Run: [\Pribi.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Pribi\Pribi.exe
    O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe

    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)


    While still in safe mode, find and delete the following file and folders highlighted in bold:

    C:\Program Files\TV Media <-the folder
    C:\Documents and Settings\All Users\Application Data\Pribi <-the folder
    C:\Documents and Settings\All Users\Application Data\IESERVICES <-folder

    C:\WINDOWS\System32\MSGINAV.EXE <-- I am not seeing this .exe file in the running processes in your last log, but check again to see if the file is present in the Windows\System32 folder, if it is, then please zip up a copy of it and email it to submit At diamondcs.com.au (replace the At with @ ).

    The little bit of information I have been able to find from googling about the file, seems to indicate it is possibly related to an AIM virus, and could be something new. So we would very much like to have a sample of it submitted for detection to be sure. If it is still present on your system, you can also upload it to Kaspersky for a scan. (Again, just as a word of caution, do not confuse it with the Msgina.dll file which is a legitimate windows file and needed for logging into Windows properly.)

    Hopefully you have downloaded AdAware and Spybot Search & Destroy and set them up as previously advised. Do a scan with both those programs while still in safe mode.

    Reboot your computer normally after doing the scans with AdAware and Spybot S& D, and go back on line.

    Since you have not been able to get your Windows Service Pack and Critical Updates, please followup with another FULL system antivirus scan: Free Services
    (disable your antivirus before doing the on-line scans so it doesn't interfer in the scan).

    Then re-enable your own antivirus scanner, make sure it is up-to-date and working properly, and do a full scan with it too.

    Try to get to Windows Update site after the above scans are finished. If you do not install the Service Pack1 for Windows XP and all the Critical Security Updates which will protect you from the numerous viruses and exploits now out on the net, you will continue to become infected over and over again. So it is extremely important you do get those brought up-to-date.

    -----
    About the problems you are having with the DLink wireless adapter, I'm afraid I am not much help with how they are set up or how to troubleshoot for them as I do not use the wireless kind. You can check out the FAQ's on installation, troubleshoot, etc., for the AirPlus Xtreme G520 PCI Adapter here: http://support.dlink.com/SupportFAQ/default.asp?model=DWL-G520_revB
    Or post a question at the DLink forum at DSLReports: http://www.dslreports.com/forum/dlink
    Hopefully one of the DLink Moderators will be able to assist with troubleshooting your connection problems and you'll be able to get to Windows Update site.
    ----

    Please post another hijackthis log after you have finished the above instructions and scans, and I must ask that you post it as soon as possible as this particular hijack cleaning forum will soon be closed, and I would like to see a final log before that happens.

    Regards,

    snap
  15. blitzburgh21
    Offline

    blitzburgh21 Registered Member

    Re: hijack log review

    Well, I did all that you said. I'm sorry, but that one msginav file you were looking for still did not show up. I didn't see it anywhere. Windows Update still doesn't work for me, which is a big problem, so I guess I'll post my problems on that forum link you gave me. I'll email u another hijack log right now.
  16. snapdragin
    Offline

    snapdragin Administrator

    Re: hijack log review

    Posting log received by email Aug 6/04


    Ok, here is another hijack log. Just FYI, my friend who had problems earlier said he just deleted EVERYTHING on his log, lol, and he said everything was fine and he just re-downloaded a couple things. I dont know if that will help me. He has an internet adapter too, not dlink though, but all websites work fine for him.

    Logfile of HijackThis v1.98.1
    Scan saved at 11:53:50 AM, on 8/6/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\Nhksrv.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
    C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
    C:\WINDOWS\DELLMMKB.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Netropa\OSD.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\DIGStream\digstream.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\CursorXP\CursorXP.exe
    C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\HJT\HijackThis1981.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nfl.com/
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
    O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
    O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
    O4 - Startup: QuickShelf '95.lnk = C:\BOOKS95\QSHELF95.EXE
    O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
    O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: ChatSpace Full Java Client 2.1.0.84 - http://about.chatspace.com/Java/cs4fs084.cab
    O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud3.sports.sc5.yahoo.com/java/y/nflgcst1008_x.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://3dgamers.tukati.com/tukati/1.6.9.9/tukati.cab
  17. snapdragin
    Offline

    snapdragin Administrator

    Re: hijack log review

    Hi blitzburgh21,

    First, your last log is now clean. There are no spyware or malware files listed there. :)

    But please, do not do what your friend did. They got lucky that they didn't delete something critical, or maybe they are not aware yet that they might have. Never delete anything with Hijackthis unless advised to do so by someone who knows how to use the tool, or you have done some research and understand what it is you are fixing. Most of what Hijackthis lists is harmless and even critical to the healthy operation of your computer and programs.

    However, you do have some unnecessary programs starting up when you turn your computer on, but these are legitimate programs and it's the user's choice to have them startup or not, so unless they are spyware/malware files, we do not have people fix legitmate running programs with Hijackthis.

    You can do a bit of research on the different programs you have set to startup, then take the steps to disable them correctly through the different programs' options and preference settings once you decide which one's you need and which one's you don't. Most can be started manually once your computer is on, but it's more a matter of how much of a convience it is for you to start programs manually.

    Here are two places you can look into to find out what files are associated with what programs and whether it is necessary to have those programs startup when you turn your computer on:

    Answers That Work - Task List Programs

    PacMan's Startup List


    Back to the issue that you are still unable to get to Windows Update site; are you also still unable to upload pictures to your website, or to search ebay as earlier mentioned? Also, are you getting any kind of error messages when you try to load Windows Update site? If there was a specific error message, then we may be able to narrow it down a bit more. Part may be due to your router configuration, or part may be due to some other program's configuration and it's interferring somehow.

    There are some other things you can try:

    I'm not that familiar with Norton Antivirus but from what I've read, Norton's does have a build-in script blocker which could be causing the issue to load the Window's update site. Try this: Right-click the system tray icon -->configure NAV -->script blocking (disable the script blocking). Try Windows update site again. If successful, reboot your computer after updating Windows, and re-enable Norton's script blocking.

    If that doesn't work, you can try these steps here:
    http://www.theeldergeek.com/sp1_no_access_autoupdate.htm

    If none of the above work, you could start a New Topic in another forum here and other members may be able to come up with some more ideas for you to try.

    Regards,

    snap
  18. blitzburgh21
    Offline

    blitzburgh21 Registered Member

    Re: hijack log review

    Alright snap, thanks for all the info and help youve given me. I'll try the Windows Update again then since I just turned off the script blocking in the NAV. No error messages would come up, FYI mainly, the site will search for updates, then it says I have 21 critical updates to install, so I click review and install to get them, and the page doesnt load fully, and eventually just says "page cannot be displayed." I'll try some of the new things you told me to do, and hopefully talk to you a bit more if I need you before this goes away.
  19. blitzburgh21
    Offline

    blitzburgh21 Registered Member

    Re: hijack log review

    I just tried updating Windows Update now, even after the steps on that other website you gave me to do, but I got this message after the percent loaded to look for critical updates: An error occurred while scanning for driver updates. We are not able to display any updated drivers for your system.
  20. snapdragin
    Offline

    snapdragin Administrator

    Re: hijack log review

    Hi blitzburgh21,

    I looked through the list on the Windows Update Troubleshooter page, but wasn't able to find the specific error that you are receiving.

    A google search brought up this page at Sniptools, where two other people have encountered the same error message: http://sniptools.com/vault/getting-errors-with-windowsupdate.htm

    Scroll down to the bottom of the page to the last 3 posts, and in Post #20, Shashank has given some steps to try. I don't know if those will resolve your problem or not, but it's worth a try.

    Feel free to open a new topic in the Other Security Issues forum. Other members may have some ideas to offer that you could also try.

    Regards,

    snap
  21. blitzburgh21
    Offline

    blitzburgh21 Registered Member

    Re: hijack log review

    Ok thanks I'll try those things.
Thread Status:
Not open for further replies.