Please help with Log File

Discussion in 'adware, spyware & hijack cleaning' started by otto, Jun 17, 2004.

Thread Status:
Not open for further replies.
  1. otto, Registered Member (Joined: Jun 17, 2004; Posts: 3)

    I am running Windows 2000 and IE 5. I started having a number of problems with popups, more specifically with the Lycos search engine, second thought, and others. I have managed to fix a number of problems with the most recent versions and updates of SpyBot and Adware thanks to information in this forum. I am still having popup problems and am looking for some help with my HiJack log file (see below). Thanks for your help.


    Logfile of HijackThis v1.97.7
    Scan saved at 1:14:43 PM, on 6/17/2004
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 (5.00.2920.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\mgabg.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\ups.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\PDesk\PDesk.exe
    D:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    D:\Program Files\Winamp\Winampa.exe
    C:\WINNT\System32\usiqaa.exe
    D:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe
    C:\WINNT\System32\bqos2.exe
    D:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
    D:\Program Files\QBOOKSW\Components\QBAgent\qbdagent2002.exe
    C:\Program Files\Palm\HOTSYNC.EXE
    C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\hijack\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINNT\mxTarget.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk\PDesk.exe /Autolaunch
    O4 - HKLM\..\Run: [Alogserv] D:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [PFO Check Settings] pfochk.exe
    O4 - HKLM\..\Run: [PMedia] C:\PROGRA~1\COMMON~1\Media\winsrvc.exe
    O4 - HKLM\..\Run: [Olive System] C:\WINNT\System32\szchost.exe
    O4 - HKLM\..\Run: [buzcjo] C:\WINNT\System32\usiqaa.exe
    O4 - HKLM\..\Run: [bqos2.exe] C:\WINNT\System32\bqos2.exe
    O4 - HKLM\..\Run: [CreateCD] D:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe -r
    O4 - HKCU\..\Run: [forcoedos.exe] C:\WINNT\System32\forcoedos.exe
    O4 - HKCU\..\Run: [bqos2.exe] C:\WINNT\System32\bqos2.exe
    O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = D:\Program Files\QBOOKSW\Components\QBAgent\qbdagent2002.exe
    O8 - Extra context menu item: SirSearch - file://C:\Program Files\PWRSTRAF\Cache\SelectedContextSearch.htm
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3F5DA8D6-76D1-4094-9912-7E6B06F6D581}: NameServer = 209.166.65.1,209.166.64.3
    O17 - HKLM\System\CS1\Services\Tcpip\..\{3F5DA8D6-76D1-4094-9912-7E6B06F6D581}: NameServer = 209.166.65.1,209.166.64.3
    O17 - HKLM\System\CS2\Services\Tcpip\..\{3F5DA8D6-76D1-4094-9912-7E6B06F6D581}: NameServer = 209.166.65.1,209.166.64.3
     
  2. Taz71498, Registered Member (Joined: May 27, 2004; Posts: 674; Location: USA)

    Hello otto,

    Run HijackThis again with all browsers closed, check these items, and then click on Fix:

    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll

    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINNT\mxTarget.dll

    O4 - HKLM\..\Run: [PMedia] C:\PROGRA~1\COMMON~1\Media\winsrvc.exe
    O4 - HKLM\..\Run: [Olive System] C:\WINNT\System32\szchost.exe
    O4 - HKLM\..\Run: [buzcjo] C:\WINNT\System32\usiqaa.exe
    O4 - HKLM\..\Run: [bqos2.exe] C:\WINNT\System32\bqos2.exe

    Reboot the computer into safe mode

    Make sure you can view all hidden files and folders

    Find and delete these files/folders:

    C:\PROGRA~1\COMMON~1\Media
    C:\WINNT\System32\szchost.exe
    C:\WINNT\System32\usiqaa.exe
    C:\WINNT\System32\bqos2.exe

    Reboot.

    Run an online virus scan here: (check the autofix box also)

    http://housecall.trendmicro.com/

    Let me know the results. One of the things in your log suggested you had a trojan. I just want to make sure there is nothing else virus-related in your computer.

    Run HijackThis again and post a new log here.
     
  3. otto, Registered Member (Joined: Jun 17, 2004; Posts: 3)

    Thanks for the help. I did as you suggested and the new log file is below. I was unable to find the szchost.exe but was able to delete everything else. Do I need to do anything else? Thanks again!

    Logfile of HijackThis v1.97.7
    Scan saved at 3:18:56 PM, on 6/23/2004
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 (5.00.2920.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\mgabg.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\ups.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\PDesk\PDesk.exe
    D:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    D:\Program Files\Winamp\Winampa.exe
    D:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe
    D:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
    D:\Program Files\QBOOKSW\Components\QBAgent\qbdagent2002.exe
    C:\Program Files\Palm\HOTSYNC.EXE
    C:\hijack\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk\PDesk.exe /Autolaunch
    O4 - HKLM\..\Run: [Alogserv] D:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [PFO Check Settings] pfochk.exe
    O4 - HKLM\..\Run: [CreateCD] D:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe -r
    O4 - HKCU\..\Run: [forcoedos.exe] C:\WINNT\System32\forcoedos.exe
    O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = D:\Program Files\QBOOKSW\Components\QBAgent\qbdagent2002.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3F5DA8D6-76D1-4094-9912-7E6B06F6D581}: NameServer = 209.166.65.1,209.166.64.3
    O17 - HKLM\System\CS1\Services\Tcpip\..\{3F5DA8D6-76D1-4094-9912-7E6B06F6D581}: NameServer = 209.166.65.1,209.166.64.3
    O17 - HKLM\System\CS2\Services\Tcpip\..\{3F5DA8D6-76D1-4094-9912-7E6B06F6D581}: NameServer = 209.166.65.1,209.166.64.3
     
  4. Taz71498, Registered Member (Joined: May 27, 2004; Posts: 674; Location: USA)

    Hello,

    Yes, there is a little more to do.

    Run HijackThis again with all browsers closed, check these items, and then click on Fix:

    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
    O4 - HKCU\..\Run: [forcoedos.exe] C:\WINNT\System32\forcoedos.exe
    O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe

    Reboot back into safe mode and look for these files and delete:

    C:\WINNT\System32\forcoedos.exe
    C:\Program Files\TV Media (this is a folder)

    Reboot and post a new log again.
     
  5. otto, Registered Member (Joined: Jun 17, 2004; Posts: 3)

    I did as you suggested and here is the new log file. Do I get a clean bill of health now?


    Logfile of HijackThis v1.97.7
    Scan saved at 1:35:56 PM, on 6/24/2004
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 (5.00.2920.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\mgabg.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\ups.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\PDesk\PDesk.exe
    D:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    D:\Program Files\Winamp\Winampa.exe
    D:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe
    D:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
    D:\Program Files\QBOOKSW\Components\QBAgent\qbdagent2002.exe
    C:\Program Files\Palm\HOTSYNC.EXE
    C:\hijack\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll (file missing)
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk\PDesk.exe /Autolaunch
    O4 - HKLM\..\Run: [Alogserv] D:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [PFO Check Settings] pfochk.exe
    O4 - HKLM\..\Run: [CreateCD] D:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe -r
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = D:\Program Files\QBOOKSW\Components\QBAgent\qbdagent2002.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3F5DA8D6-76D1-4094-9912-7E6B06F6D581}: NameServer = 209.166.65.1,209.166.64.3
    O17 - HKLM\System\CS1\Services\Tcpip\..\{3F5DA8D6-76D1-4094-9912-7E6B06F6D581}: NameServer = 209.166.65.1,209.166.64.3
    O17 - HKLM\System\CS2\Services\Tcpip\..\{3F5DA8D6-76D1-4094-9912-7E6B06F6D581}: NameServer = 209.166.65.1,209.166.64.3
     
  6. Taz71498, Registered Member (Joined: May 27, 2004; Posts: 674; Location: USA)

    Hello,

    One more clean up and then you should be good.

    Run HJT again and check this one and Fix:

    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll (file missing)

    Reboot.

    Here is a link for you to go to that will give you suggestions on how to keep your computer safe:
    https://www.wilderssecurity.com/showthread.php?t=27971

    Happy Surfing!
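
Added example, not part of the original thread: a small Python check that compares an earlier and a later HijackThis scan to confirm which entries selected for fixing are really gone and which survive as orphaned "(file missing)" entries, as the R3 line does in the 6/24 log. The function names are hypothetical and the sample input is a few lines excerpted from the logs above.

```python
import re

# HijackThis entry lines have the form "<section code> - <detail>", e.g. "O4 - ...".
ENTRY_RE = re.compile(r"^\s*([RFNO]\d{1,2}) - (.+?)\s*$")
MISSING = " (file missing)"  # suffix shown on the R3 entry in the 6/24 log

def parse_entries(log_text):
    """Map (code, detail) -> True if the entry is flagged '(file missing)'."""
    entries = {}
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, running-process list or blank line
        code, detail = m.groups()
        missing = detail.endswith(MISSING)
        if missing:
            detail = detail[: -len(MISSING)]  # compare on the entry itself
        entries[(code, detail)] = missing
    return entries

def compare_scans(before_text, after_text, fixed_text):
    """Check which entries selected for fixing actually left the later scan."""
    before, after = parse_entries(before_text), parse_entries(after_text)
    targets = parse_entries(fixed_text)
    return {
        "removed": sorted(k for k in targets if k in before and k not in after),
        "still_present": sorted(k for k in targets if k in after),
        "orphaned": sorted(k for k, missing in after.items() if missing),
        "new": sorted(k for k in after if k not in before),
    }

# Sample input: a few lines excerpted from the 6/17 and 6/24 logs in this thread.
FIRST_SCAN = r"""
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINNT\mxTarget.dll
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [buzcjo] C:\WINNT\System32\usiqaa.exe
O4 - HKCU\..\Run: [forcoedos.exe] C:\WINNT\System32\forcoedos.exe
"""
LAST_SCAN = r"""
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll (file missing)
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\Winampa.exe"
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
"""
# Entries the helper asked to have fixed: everything in the excerpt except Winamp.
FIXED = "\n".join(l for l in FIRST_SCAN.splitlines() if "Winamp" not in l)

if __name__ == "__main__":
    for verdict, keys in compare_scans(FIRST_SCAN, LAST_SCAN, FIXED).items():
        print(verdict, [f"{code} - {detail}" for code, detail in keys])
```

An entry reported under both "still_present" and "orphaned" is one whose file was deleted but whose registry reference remains, which is why the last reply asks for one more Fix pass on the R3 line.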
     