HijackThis Log Analysis

Discussion in 'adware, spyware & hijack cleaning' started by Will, Jun 11, 2004.

Thread Status:
Not open for further replies.
  1. Will

    Will Registered Member

    Joined:
    Jun 11, 2004
    Posts:
    3
    I have run Bazooka, Spybot: S&D, and AdAware, removing all discoveries they presented. In addition, I performed a largely inclusive system scan with BitDefender as well as AVG, handling all findings appropriately. Yet certain problems persist. The full window game, Warcraft III: Frozen Throne, often minimizes (in clutch moments, no less). Lots of the fonts in my Explorer window are displayed larger than normal. Lastly, my "start" button has entirely disappeared. It shows up as I shut down my computer, only to vanish before Windows starts again.
    I am running on a laptop made by L (www.go-l.com). It has a 2.8 GHz processor, 1 GB RAM, a 70 GB hard drive, and a Radeon 9600. Beyond that, I am unsure of system specs.

    Please analyze my HijackThis Log for me. I will forever be in your debt. ;)

    Logfile of HijackThis v1.97.7
    Scan saved at 1:58:05 PM, on 6/11/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\mHotkey.exe
    C:\Program Files\TopDesk\TopDesk.exe
    D:\Temp\ClipTrak\ClipTrak.exe
    C:\WINDOWS\zhzqo.exe
    D:\MYSOFT~1\AVG\avgcc32.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Start Killer\StartKiller.exe
    D:\MYSOFT~1\AVG\avgserv.exe
    C:\Program Files\Billionton\Bluetooth Software\BTTray.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\SSCMntr.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    C:\Program Files\AnalogX MaxMem\maxmem.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\PROGRA~1\BILLIO~1\BLUETO~1\BTSTAC~1.EXE
    C:\Program Files\MyIE2\MyIE.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    D:\My Software\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe Acrobat\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\My Software\Spybot Search and Destroy\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - D:\My Software\Systweak\Advanced System Optimizer\IEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file)
    O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
    O4 - HKLM\..\Run: [TopDesk] C:\Program Files\TopDesk\TopDesk.exe
    O4 - HKLM\..\Run: [ClipTrak] D:\Temp\ClipTrak\ClipTrak.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [wirto] C:\WINDOWS\zhzqo.exe
    O4 - HKLM\..\Run: [AVG_CC] D:\MYSOFT~1\AVG\avgcc32.exe /STARTUP
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Start Killer] C:\Program Files\Start Killer\StartKiller.exe
    O4 - Startup: MaxMem.lnk = C:\Program Files\AnalogX MaxMem\maxmem.exe
    O4 - Startup: Task Manager.lnk = C:\WINDOWS\system32\taskmgr.exe
    O4 - Global Startup: BTTray.lnk = ?
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: &Download by Morgul - C:\Program Files\Morgul\ieext_cp.htm
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Register in Morgul - C:\Program Files\Morgul\ieext_reg.htm
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MYSOFT~1\Office\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38146.6600925926
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/downplug.cab
    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
     
  2. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    This is what has removed your start button: C:\Program Files\Start Killer\StartKiller.exe. You obviously installed it, so the cure is to uninstall it.


    Run HijackThis, tick the entries listed below and ONLY these entries, double-check to make sure, then make sure all browser and email windows are closed and press Fix checked.


    R3 - Default URLSearchHook is missing
    O3 - Toolbar: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file)
    O4 - HKLM\..\Run: [wirto] C:\WINDOWS\zhzqo.exe
    O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/downplug.cab
    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

    Reboot into safe mode by following the instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    Then, as some of the files or folders you need to delete may be hidden, do this:
    Open Windows Explorer and go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders".
    Click "Apply", then "OK".

    Delete these files

    C:\WINDOWS\zhzqo.exe

    Then go to C:\Documents and Settings\USER NAME\Local Settings\Temp, select everything in that folder and delete it.

    As XP will not let you delete files less than 24 hours old (it thinks it might need them), please also do this:
    While in the Temp folder, select View and select Details.
    Then right-click a blank part, select Arrange Icons By, and select Show in Groups and Modified. That will give a list of all files in date order with today at the top of the page.
    Select all the files/folders except the today ones and delete them all.

    Also select EVERYTHING in C:\windows\temp except the Temporary Internet Files, Cookies and History folders and delete all that as well.

    1) Open Control Panel
    2) Click on Internet Options
    3) On the General Tab, in the middle of the screen, click on Delete Files
    4) You may also want to check the box "Delete all offline content"
    5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
    6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

    Then reboot normally and see if that cures it.
     
  3. Will

    Will Registered Member

    Joined:
    Jun 11, 2004
    Posts:
    3
    Start button fixed. Minimization fixed, so far. What can I do to mend the bogus IE font? Also, comp is running way slower than it should.

    _________________________________________________________________

    Logfile of HijackThis v1.97.7
    Scan saved at 12:29:42 AM, on 6/12/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    D:\MYSOFT~1\AVG\avgserv.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\SSCMntr.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\mHotkey.exe
    C:\Program Files\TopDesk\TopDesk.exe
    D:\Temp\ClipTrak\ClipTrak.exe
    C:\Program Files\Common files\updater\wupdater.exe
    C:\Program Files\Billionton\Bluetooth Software\BTTray.exe
    C:\Program Files\AnalogX MaxMem\maxmem.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\PROGRA~1\BILLIO~1\BLUETO~1\BTSTAC~1.EXE
    D:\My Software\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~2\BHO\INCFIN~1.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe Acrobat\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\My Software\Spybot Search and Destroy\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~2\BHO\INCFIN~1.DLL
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - D:\My Software\Systweak\Advanced System Optimizer\IEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
    O4 - HKLM\..\Run: [TopDesk] C:\Program Files\TopDesk\TopDesk.exe
    O4 - HKLM\..\Run: [ClipTrak] D:\Temp\ClipTrak\ClipTrak.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [AVG_CC] D:\MYSOFT~1\AVG\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Start Killer] C:\Program Files\Start Killer\StartKiller.exe
    O4 - Startup: MaxMem.lnk = C:\Program Files\AnalogX MaxMem\maxmem.exe
    O4 - Startup: Task Manager.lnk = C:\WINDOWS\system32\taskmgr.exe
    O4 - Global Startup: BTTray.lnk = ?
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: &Download by Morgul - C:\Program Files\Morgul\ieext_cp.htm
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Register in Morgul - C:\Program Files\Morgul\ieext_reg.htm
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MYSOFT~1\Office\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38146.6600925926
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
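As an added example, not code from this thread or from HijackThis, the script below applies the kind of reasoning behind dvk01's fix list in post #2 to the two logs Will posted, then diffs the second log against the first. The log excerpts are constructed from the entries above; the heuristics (random-named .exe started from the Windows directory, ActiveX downloads from outside a small domain allowlist, registrations with "(no file)", a missing default URLSearchHook) and the allowlist itself are this example's own assumptions, not rules from the thread. Running it shows that every entry flagged in the first log is gone from the second, that the heuristics flag nothing in the second log, and that a plain diff still surfaces the three entries that appeared between scans (the IncrediFind URLSearchHook and BHO, and the updater Run entry), which are the lines a helper would want to examine next.

```python
"""Triage two HijackThis logs: apply simple heuristics to each entry and
diff the second log against the first to surface entries that are new.

The log excerpts below are constructed from the two logs in this thread.
The heuristics and the domain allowlist are this example's own assumptions,
not rules from HijackThis or from the thread.
"""
import re
from urllib.parse import urlparse

LOG_BEFORE = r"""
R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file)
O4 - HKLM\..\Run: [TopDesk] C:\Program Files\TopDesk\TopDesk.exe
O4 - HKLM\..\Run: [wirto] C:\WINDOWS\zhzqo.exe
O4 - HKLM\..\Run: [AVG_CC] D:\MYSOFT~1\AVG\avgcc32.exe /STARTUP
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38146.6600925926
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/downplug.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
"""

LOG_AFTER = r"""
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~2\BHO\INCFIN~1.DLL
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~2\BHO\INCFIN~1.DLL
O4 - HKLM\..\Run: [TopDesk] C:\Program Files\TopDesk\TopDesk.exe
O4 - HKLM\..\Run: [AVG_CC] D:\MYSOFT~1\AVG\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38146.6600925926
"""

# Assumption: ActiveX (O16) downloads from these domains are expected.
ALLOWED_DPF_DOMAINS = ("microsoft.com", "macromedia.com")

RUN_RE = re.compile(r"^O4 - .*?\[[^\]]+\] (?P<cmd>.+)$")
DPF_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \([^)]*\))? - (?P<url>\S+)$")
WINDIR_EXE_RE = re.compile(r"^c:\\windows\\(?:system32\\)?(?P<file>[^\\]+\.exe)$", re.I)


def parse(log):
    """Split a log into stripped, non-empty entry lines."""
    return [ln.strip() for ln in log.splitlines() if ln.strip()]


def _domain_allowed(url):
    host = urlparse(url).hostname or ""
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DPF_DOMAINS)


def _looks_random(filename):
    """Short, vowel-poor, letters-only stem such as zhzqo.exe (heuristic)."""
    stem = filename.lower().rsplit(".", 1)[0]
    return stem.isalpha() and len(stem) <= 6 and sum(c in "aeiou" for c in stem) <= 1


def flag_entry(line):
    """Return the reason an entry deserves a look, or None if no heuristic fires."""
    if line.startswith("R3 - ") and line.endswith("is missing"):
        return "default URLSearchHook missing (removed or replaced)"
    if line.startswith(("O2 - ", "O3 - ")) and line.endswith("(no file)"):
        return "BHO/toolbar registration with no file on disk"
    m = RUN_RE.match(line)
    if m:
        exe = re.match(r"(?P<path>.*?\.exe)", m.group("cmd"), re.I)
        w = WINDIR_EXE_RE.match(exe.group("path")) if exe else None
        if w and _looks_random(w.group("file")):
            return "Run entry starts a random-named .exe from the Windows directory"
    m = DPF_RE.match(line)
    if m and not _domain_allowed(m.group("url")):
        return "ActiveX control fetched from a domain outside the allowlist"
    return None


def triage(log):
    """Map each flagged entry to its reason."""
    return {ln: flag_entry(ln) for ln in parse(log) if flag_entry(ln)}


def new_entries(before, after):
    """Entries present in `after` but absent from `before` (a diff, not a heuristic)."""
    seen = set(parse(before))
    return [ln for ln in parse(after) if ln not in seen]


def fix_status(before, after):
    """For each entry flagged in `before`, report whether `after` still lists it."""
    remaining = set(parse(after))
    return {ln: ("still present" if ln in remaining else "removed") for ln in triage(before)}


if __name__ == "__main__":
    for ln, why in triage(LOG_BEFORE).items():
        print(f"[flag] {why}\n       {ln}")
    for ln, status in fix_status(LOG_BEFORE, LOG_AFTER).items():
        print(f"[{status}] {ln}")
    print("heuristics on second log:", triage(LOG_AFTER) or "nothing flagged")
    for ln in new_entries(LOG_BEFORE, LOG_AFTER):
        print(f"[new since first log] {ln}")
```

The diff is the part worth keeping: heuristics only catch what someone thought to encode, while comparing a fresh log against the one taken before a fix shows exactly what changed, including entries that look ordinary in isolation. The same approach works with HijackThis's own Run-key and DPF entries from any two logs, as long as the lines are compared after whitespace is stripped.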
     
  4. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Check View > Text Size and see if it's set to Medium.

    Then, to check for something, please do this:

    Download VX2Finder from this link:
    http://tools.zerosrealm.com/VX2Finder.exe


    Run VX2Finder, click on the *Click to find VX2.BetterInternet* button, then click *Make log*.

    Copy and paste the contents of the log into your next reply here.
     
  5. Will

    Will Registered Member

    Joined:
    Jun 11, 2004
    Posts:
    3
    Font fixed. Now I feel stupid. I was looking in Internet Options. :oops:


    Log for VX2.BetterInternet File Finder

    Files Found---


    Guardian Key--- is called:

    User Agent String---
    MyIE2 IEAK
     