At a loss to fix Son's PC pls look Hijack Log

Discussion in 'adware, spyware & hijack cleaning' started by Truthster, Jun 26, 2004.

Thread Status:
Not open for further replies.
  1. Truthster

    Truthster, Registered Member. Joined: Jun 26, 2004. Posts: 1
    Reloaded latest network card driver, manually set network settings, ran Spybot Search and Destroy (it found nothing), ran very latest AdAware6 (it cleared out some minor stuff). Computer still is unable to access the web. Network card is working and the computer claims that it is connected. IE and Netscape can't connect. Here is the HijackThis log file.
    Can ANYONE help? I'm not too techie, am actually a machinist.
    Thanks, T'ster

    Logfile of HijackThis v1.97.7
    Scan saved at 6:12:15 AM, on 6/26/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\Tablet.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
    C:\PROGRA~1\SEEKDE~1\Thatlocks.exe
    C:\Program Files\Wacom\TabUserW.exe
    C:\WINDOWS\System32\devldr32.exe
    D:\ANTI SPYWARE\Spybot - Search & Destroy\TeaTimer.exe
    D:\ANTI SPYWARE\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allaboutsearching.com/passthrough/index.html?http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    N3 - Netscape 7: user_pref("browser.startup.homepage", "allaboutsearching.com"); (C:\Documents and Settings\Kon\Application Data\Mozilla\Profiles\default\48vsex4e.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (C:\Documents and Settings\Kon\Application Data\Mozilla\Profiles\default\48vsex4e.slt\prefs.js)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\ANTI SPYWARE\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: procfacegrey - {7C31C85F-8DBB-539B-336D-5F16FC1C76A9} - C:\PROGRA~1\CAKEOP~1\Surf time.dll
    O4 - HKLM\..\Run: [Auto EPSON Stylus C84 Series on cdrw-bu] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P39 "Auto EPSON Stylus C84 Series on cdrw-bu" /O18 "\\CDRW-BU\EPSONc84" /M "Stylus C84"
    O4 - HKLM\..\Run: [Auto EPSONc84 on DOTS] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P21 "Auto EPSONc84 on DOTS" /O15 "\\DOTS\EPSONc84" /M "Stylus C84"
    O4 - HKLM\..\Run: [Auto EPSON Stylus C84 Series on cdrw-bu (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P48 "Auto EPSON Stylus C84 Series on cdrw-bu (Copy 1)" /O44 "\\CDRW-BU\EPSON Stylus C84 Series on CDRW-BU" /M "Stylus C84"
    O4 - HKLM\..\Run: [\\cdrw-bu\EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P33 "\\cdrw-bu\EPSON Stylus C84 Series" /O5 "LPT1:" /M "Stylus C84"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Cash Free] C:\PROGRA~1\SEEKDE~1\Thatlocks.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\ANTI SPYWARE\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38115.3869907407
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{ED1AB05D-C585-47BD-842B-B91EE8B04C27}: NameServer = 63.240.76.4,204.127.198.4
     
  2. Marianna

    Marianna, Spyware Fighter. Joined: Apr 23, 2002. Posts: 1,215. Location: B.C. Canada
    Hi Truthster

    Open Task Manager, click Processes tab. End the following process:

    WToolsA.exe

    Close Task Manager.

    Check the following items in HijackThis - close ALL windows\browsers except HijackThis and click "Fix checked":

    Any idea what this is?
    O3 - Toolbar: procfacegrey - {7C31C85F-8DBB-539B-336D-5F16FC1C76A9} - C:\PROGRA~1\CAKEOP~1\Surf time.dll
    if UNKNOWN - pls. check

    C:\PROGRA~1\SEEKDE~1\Thatlocks.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allaboutsearching.com/passthrough/index.html?http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

    N3 - Netscape 7: user_pref("browser.startup.homepage", "allaboutsearching.com"); (C:\Documents and Settings\Kon\Application Data\Mozilla\Profiles\default\48vsex4e.slt\prefs.js)

    N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (C:\Documents and Settings\Kon\Application Data\Mozilla\Profiles\default\48vsex4e.slt\prefs.js)
    Could you pls. check this one!

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: [Cash Free] C:\PROGRA~1\SEEKDE~1\Thatlocks.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

    NOTE: even in safe mode you may have to open Task Manager and end task on some of them before you can delete them.

    Make sure you can view hidden and system files: Instructions here

    Then Boot to safe mode: Instructions here

    Delete the following files\folders IF still present:

    C:\PROGRA~1\SEEKDE~1
    C:\Program Files\Common files\WinTools

    Then reboot and use AdAware as described here:
    https://www.wilderssecurity.com/showthread.php?t=15913

    Then use the Disk Cleanup Utility to empty all your Temp folders.

    Then Disable system restore: Instructions here
    Reboot

    Enable System Restore.

    Pls. post another log.
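
A way to check the follow-up log requested above against the items named in the fix list, as an added example that is not part of either post: it parses the HijackThis log layout seen in this thread and reports flagged entries or processes that are still present. The `FLAGGED` selection, the function names and the sample log are this example's assumptions.

```python
import re

# Strings taken from the helper's fix list in this thread; which ones to track
# is this example's assumption, not a list published by the helper.
FLAGGED = [
    r"C:\PROGRA~1\SEEKDE~1",
    r"C:\Program Files\Common files\WinTools",
    r"C:\PROGRA~1\Toolbar\toolbar.dll",
    "allaboutsearching.com",
]

# Entry lines look like "O4 - HKLM\..\Run: [name] path": a section code, " - ", detail.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

def parse_log(text):
    """Return (running process paths, [(section code, detail), ...])."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and line:
            processes.append(line)
    return processes, entries

def remaining(text, flagged=FLAGGED):
    """List flagged items still present; Windows paths compare case-insensitively."""
    processes, entries = parse_log(text)
    rows = [("PROC", p) for p in processes] + entries
    return [(code, detail) for code, detail in rows
            if any(f.lower() in detail.lower() for f in flagged)]

# Constructed follow-up log (not posted in the thread), in the same layout.
SAMPLE = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SEEKDE~1\Thatlocks.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
O4 - HKLM\..\Run: [Cash Free] C:\PROGRA~1\SEEKDE~1\Thatlocks.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

if __name__ == "__main__":
    for code, detail in remaining(SAMPLE):
        print(code, detail)
```

An empty result means none of the tracked strings appear in the new log; it does not show that the machine is clean.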
     