Derek, updated Hijack log and TDS log

Discussion in 'adware, spyware & hijack cleaning' started by Beth, Apr 29, 2004.

Thread Status:
Not open for further replies.
  1. Beth

    Beth, Registered Member. Joined: Apr 29, 2004. Posts: 3
    Derek,
    Thanks so much for your help with this. The instructions were very easy to follow.

    I did everything you said to do in my original post/response with one exception: after I scanned using TDS, your instructions were to "save as text" and I never found that option. So I copied and pasted the bottom window showing what TDS found. I hope that can give you the needed information. Also, here is my "revised" HijackThis log. Other than that, everything worked exactly as you said it would. From the results of the TDS scan, it looks like my "dear" Brother did more than just come and let the dog out while I was gone for a couple of days!!!! LOL

    The only thing I have left to do is to download and install a new version of Windows Media Player.

    Here's the info from TDS:

    18:59:16 [NTFS ADS] Stream found - c:\documents and settings\beth\local settings\temporary internet files\content.ie5\a9gvqpi5\jump[1].#:
    18:59:17 [NTFS ADS] Stream found - c:\documents and settings\beth\local settings\temporary internet files\content.ie5\a9gvqpi5\members.bignaturals[1].#:
    19:01:13 [NTFS ADS] Stream found - c:\documents and settings\beth\local settings\temporary internet files\content.ie5\z8pfbpce\thumbnails[1].ä:Ç


    Here's the latest HijackThis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 7:36:04 PM, on 4/29/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Network Associates\VirusScan\VsStat.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
    C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\CallWave\IAM.exe
    C:\Program Files\Network Associates\VirusScan\Avconsol.exe
    C:\Program Files\America Online 9.0\waol.exe
    C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
    C:\Program Files\America Online 9.0\shellmon.exe
    C:\Program Files\America Online 9.0\aolwbspd.exe
    C:\WINDOWS\System32\notepad.exe
    C:\Documents and Settings\Beth\My Documents\Download\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\Beth\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Central"
    O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet/superbingo/superbingo-ob-assets.cab
    O16 - DPF: Greenback Bayou by pogo - http://greenback.pogo.com/applet/greenback/greenback-ob-assets.cab
    O16 - DPF: Pop Fu by pogo - http://popfu.pogo.com/applet/popfu/popfu-ob-assets.cab
    O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet/squelchies/squelchies-ob-assets.cab
    O16 - DPF: Squelchies by pogo.com - http://squelchies.pogo.com/applet/squelchies/squelchies-ob-assets.cab
    O16 - DPF: Tri-Peaks by pogo - http://peaks.pogo.com/applet/peaks/peaks-ob-assets.cab
    O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet/whackdown/whackdown-ob-assets.cab
    O16 - DPF: World Class Solitaire by pogo - http://klondike.pogo.com/applet/worldclass/worldclass-ob-assets.cab
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://protect.microsoft.com/security/protect/WSA/shared/cab/x86/MSSecAdv.cab?1065141611531
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?315
    O17 - HKLM\System\CCS\Services\Tcpip\..\{32875C72-CC9B-4539-8334-4A610B1B4779}: NameServer = 205.188.146.146
    O17 - HKLM\System\CS1\Services\Tcpip\..\{32875C72-CC9B-4539-8334-4A610B1B4779}: NameServer = 205.188.146.146




    If you have any other suggestions, please let me know. The entire time I was doing everything you told me to, I had NO windows pop up and tell me I had a virus!!! Everything seems to be working just fine. Crossing my fingers that when I download and install the Media Player things will stay fine!

    Thanks again for your help and guidance.
    Also, if there's ever a need for a good review or recommendation for this site, please let me know; I'd be more than happy to let people know how great this site/forum is.

    Beth
     
  2. Jooske

    Jooske, Registered Member. Joined: Feb 12, 2002. Posts: 9,713. Location: Netherlands, EU near the sea
    Hi Beth, that kind of warning is indeed in the TDS main console: if in your configuration you have console logging on, everything happening on that screen is in your TDS directory\logs\ in the folder of the month and date you're looking for. Really handy; from there you can copy the parts you need.

    The other alarms from scans are in the bottom console. For those you select one of them, right-click and save as text, which will be written to your TDS directory in the scandump.txt file; that file is overwritten each time you save a new scan there, and that was the log Derek meant.

    Just to clarify!

    You can safely ignore NTFS ADS streams smaller than 90 bytes, maybe smaller than 256 bytes even, but it is good to know if they exist at all.
    They're in your Windows temp folder, so if they're innocent they disappear after cache cleaning. But don't do anything until you have found out their size and until Derek tells you to do anything more than finding out about the files, and fix nothing anywhere at all.
    Good luck with the HJT and the expert's advice!
     
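The size check Jooske describes (find out how big each alternate data stream is before touching anything) can be done from PowerShell. The script below is an added example, not something posted in this thread or part of TDS or HijackThis; it assumes PowerShell 3.0 or later on an NTFS volume, and the `$Root` folder, the 256-byte `$Threshold` and the function name `Get-AdsReport` are choices made here, not values from the thread.

```powershell
# Added example (not from the thread): enumerate NTFS alternate data streams under a
# folder and report their sizes, so TDS "[NTFS ADS] Stream found" entries can be triaged
# by size before anything is deleted.
# Assumptions: PowerShell 3.0+ on NTFS. $Root and $Threshold are hypothetical defaults;
# on the XP machine in the thread the folder would be
# "C:\Documents and Settings\<user>\Local Settings\Temporary Internet Files".
param(
    [string]$Root = $env:TEMP,
    [int]$Threshold = 256
)

function Get-AdsReport {
    param([string]$Path, [int]$SizeThreshold)
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # "-Stream *" lists every named stream on the file; ":$DATA" is the file's
            # ordinary content, so it is filtered out to leave only the hidden streams.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $_.FileName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                        # Small streams (browser/thumbnail metadata, Zone.Identifier) are
                        # usually harmless; larger ones are worth a look before removal.
                        Review = ($_.Length -ge $SizeThreshold)
                    }
                }
        }
}

$report = Get-AdsReport -Path $Root -SizeThreshold $Threshold
$report | Sort-Object Bytes -Descending | Format-Table -AutoSize

# For each flagged stream, show its first 16 bytes as hex. Reading the bytes never
# executes them, so this is safe to do before deciding whether to delete the stream.
foreach ($r in $report | Where-Object { $_.Review }) {
    # -Encoding Byte is Windows PowerShell; on PowerShell 7 use -AsByteStream instead.
    $bytes = Get-Content -LiteralPath $r.File -Stream $r.Stream -Encoding Byte -TotalCount 16
    $hex = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ' '
    "{0}:{1} ({2} bytes) starts with {3}" -f $r.File, $r.Stream, $r.Bytes, $hex
}
```

Run it as `.\Get-AdsReport.ps1 -Root 'C:\Path\To\Temporary Internet Files'` (with a name of your choosing for the file); an executable hidden in a stream typically shows the `4d 5a` ("MZ") header in the hex prefix, while a few dozen bytes of text is the kind of stream the post says can be ignored. Nothing here removes a stream; if a flagged one turns out to be unwanted, `Remove-Item -LiteralPath <file> -Stream <name>` deletes just that stream and leaves the file itself intact.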