Hijack This log - Chynco

Discussion in 'adware, spyware & hijack cleaning' started by chynco, Jun 18, 2004.

Thread Status:
Not open for further replies.
  1. chynco

    chynco Registered Member

    Joined:
    Jun 18, 2004
    Posts:
    4
    Help! I have really annoying pop ups and programs installing every couple minutes. I've run adaware and spybot and others but to no avail. Thank you.


    Logfile of HijackThis v1.97.7
    Scan saved at 3:12:54 AM, on 6/18/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\System32\GEARSEC.EXE
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\Tablet.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\Evoluent\VERTIC~1\mouseElf.exe
    C:\WINDOWS\Mixer.exe
    C:\WINDOWS\System32\Grxp4exe.exe
    C:\Program Files\NuonSoft\WallpaperCycler\wallpapercycler.exe
    C:\Program Files\Wacom\TabUserW.exe
    C:\Program Files\yzdock\YzDock.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Larry\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.184.26.129:3128
    R3 - Default URLSearchHook is missing
    N3 - Netscape 7: user_pref("browser.startup.homepage", "allaboutsearching.com"); (C:\Documents and Settings\Larry\Application Data\Mozilla\Profiles\default\1ldpwelu.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Larry\Application Data\Mozilla\Profiles\default\1ldpwelu.slt\prefs.js)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
    O3 - Toolbar: dupe save - {F1BD43EA-36DC-73C5-C764-AF9FCDF74718} - C:\PROGRA~1\CORNTI~1\KeepInfo.dll (file missing)
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NuonSoft Wallpaper Cycler StartupHelper] C:\Program Files\NuonSoft\WallpaperCycler\StartupHelper.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [mouseElf] C:\PROGRA~1\Evoluent\VERTIC~1\mouseElf.exe
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init
    O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
    O4 - HKLM\..\Run: [ShowCool] C:\PROGRA~1\For Ace Build\idle close.exe
    O4 - HKLM\..\Run: [QD FastAndSafe] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [Mail Scanner] C:\Program Files\PDG 3\mailscan.exe
    O4 - HKCU\..\Run: [Desktop Cycler Changer] C:\Program Files\Desktop Cycler\Changer.exe
    O4 - HKCU\..\Run: [ActiveMultiWallpaper] C:\Program Files\BlackMoon\ActiveMultiWallpaper\Changer.exe
    O4 - Startup: Shortcut to YzDock.lnk = C:\Program Files\yzdock\YzDock.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
    O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/ win/QuickTimeInstaller.exe
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37871.4626851852
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1AEB2BF7-8291-4B6D-BC95-7BB98289175F}: NameServer = 207.69.188.185,207.69.188.186
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3622015A-FB06-4AA8-B386-741B08D970FA}: NameServer = 207.69.188.185,207.69.188.186
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A27A709F-0230-437C-8C2E-E158A9F36942}: NameServer = 207.69.188.185,207.69.188.186
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi chynco,

    Before you start, please unzip hijackthis to a separate folder. The program will make backups in the folder in the folder it's in.
    These will now end up on your desktop.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R3 - Default URLSearchHook is missing
    N3 - Netscape 7: user_pref("browser.startup.homepage", "allaboutsearching.com"); (C:\Documents and Settings\Larry\Application Data\Mozilla\Profiles\default\1ldpwelu.slt\prefs.js)

    O3 - Toolbar: dupe save - {F1BD43EA-36DC-73C5-C764-AF9FCDF74718} - C:\PROGRA~1\CORNTI~1\KeepInfo.dll (file missing)

    O4 - HKLM\..\Run: [ShowCool] C:\PROGRA~1\For Ace Build\idle close.exe

    O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab

    Then reboot into safe mode and delete:
    C:\PROGRAM FILES\For Ace Build <= entire folder

    Then reboot normally and copy&paste the bold into an Internet Explorer Address Bar.
    javascript:navigator.userAgent
    Post the result that appears in the IE screen please.

    Regards,

    Pieter
     
  3. chynco

    chynco Registered Member

    Joined:
    Jun 18, 2004
    Posts:
    4
    Hi Pieter,

    Thanks for your help, I've done what you've told me and here is the message:

    Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {3B97C145-C17B-46E5-95E6-F4B37EF9AA13})

    There are still pop-ups.

    here is the new Log:

    Logfile of HijackThis v1.97.7
    Scan saved at 9:35:54 PM, on 6/18/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\GEARSEC.EXE
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\Evoluent\VERTIC~1\mouseElf.exe
    C:\WINDOWS\Mixer.exe
    C:\WINDOWS\System32\Grxp4exe.exe
    C:\Program Files\NuonSoft\WallpaperCycler\wallpapercycler.exe
    C:\Program Files\Wacom\TabUserW.exe
    C:\Program Files\yzdock\YzDock.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\Tablet.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\eZula\mmod.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Larry\Desktop\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.184.26.129:3128
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Larry\Application Data\Mozilla\Profiles\default\1ldpwelu.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Larry\Application Data\Mozilla\Profiles\default\1ldpwelu.slt\prefs.js)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [NuonSoft Wallpaper Cycler StartupHelper] C:\Program Files\NuonSoft\WallpaperCycler\StartupHelper.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [mouseElf] C:\PROGRA~1\Evoluent\VERTIC~1\mouseElf.exe
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init
    O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
    O4 - Startup: Shortcut to YzDock.lnk = C:\Program Files\yzdock\YzDock.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
    O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37871.4626851852
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1AEB2BF7-8291-4B6D-BC95-7BB98289175F}: NameServer = 207.69.188.185,207.69.188.186
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3622015A-FB06-4AA8-B386-741B08D970FA}: NameServer = 207.69.188.185,207.69.188.186
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A27A709F-0230-437C-8C2E-E158A9F36942}: NameServer = 207.69.188.185,207.69.188.186
     
  4. chynco

    chynco Registered Member

    Joined:
    Jun 18, 2004
    Posts:
    4
    Thank you for all your help, but after much searching I found out I had "VX2.betterinternet" spyware from Look2me. I was told to use thier uninstaller and it has seemed to work. Hopefully this spyware free status will stay for a long time.

    Again, thank you Pieter.
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Chynco,

    That is what I feared and why I wanted to see your useragent.
    Would you mind checking up on their uninstaller?

    Download VX2Finder from this link:
    http://tools.zerosrealm.com/VX2Finder.exe

    Run Vx2Finder click on the *click to find VX2.BetterInternet* button. Then click *make log*.

    Copy and paste the contents of the log into your next reply here.

    Regards,

    Pieter
     
  6. chynco

    chynco Registered Member

    Joined:
    Jun 18, 2004
    Posts:
    4
    Hi Pieter,

    Here's the log from VX2 finder:

    Log for VX2.BetterInternet File Finder

    Files Found---


    Guardian Key--- is called:

    User Agent String---
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    So their uninstaller actually works.
    Good to know if all else fails. :)

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.