HijackThis Log, Help!

Discussion in 'adware, spyware & hijack cleaning' started by Ars Loqui, Jul 9, 2004.

Thread Status:
Not open for further replies.
  1. Ars Loqui

    Ars Loqui Registered Member

    Joined:
    Jul 9, 2004
    Posts:
    2
    I was forwarded to this forum in response to a recurring problem I've been having concerning Hotmail and SpywareBlaster. To reiterate:

    So last night I'm trying to get rid of this lousy spyware/adware thing that messes with search results on Google (I've still been unable to fix this, suggestions are welcome), and one of the articles I found on the subject recommended that I download SpywareBlaster to remedy the problem. So I download the program, install it, and... nothing. I enable all protection, and... nothing. Disheartened, I proceeded to uninstall SpywareBlaster.

    I pointed my browser to my Hotmail, planning to write an uncle of mine who works in the computer biz, and I noticed that my e-mail had gone awry. I was able to log into Hotmail, but any time that I clicked anything therein my browser flashed a 'This page cannot be displayed' with the address 'http:///'. It was only through skillful manipulation that I was able to access anything at all; that is, I would click the desired link and then hit 'Stop' on my browser as soon as the page began to load. Although several images remained unloaded, I was able to finally access messages--but I needed to repeat the click-and-hit-stop process every time I wished to access a different page. Before long I began to notice a pattern: my browser was fine with loading the actual pages, but I was immediately forwarded to the 'This page cannot be displayed' page as soon as an advertisement began to load.

    As advised, I have moved the query to this forum. My HijackThis log reads as follows:

    Logfile of HijackThis v1.97.7
    Scan saved at 6:19:28 PM, on 7/9/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\WINDOWS\MMKeybd.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\HHVcdV5Sys\VC5Play.exe
    C:\Program Files\Grisoft\AVG6\avgcc32.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Belkin\Belkin Wireless USB Adapter Manager\WlanMonitor.exe
    C:\Program Files\Netropa\OSD.exe
    C:\Program Files\Virtual CD v5\System\VC5Tray.exe
    C:\WINDOWS\Nhksrv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\HHVcdV5Sys\VC5SecS.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\SYSTEM32\rundll32.exe
    C:\Program Files\Winamp\winamp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Kevin Purring.OPUS\My Documents\My Downloads\Programs\HijackThis.exe

    R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7}_ - (no file)
    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
    O2 - BHO: (no name) - {3CD21DE8-4198-818B-1BA9-B571CE32C7E7} - C:\WINDOWS\System32\nlmafqpu.dll
    O2 - BHO: (no name) - {7D03487F-D8C6-69E8-7830-EA8F6F376A2A} - C:\WINDOWS\System32\oyuesonb.dll
    O2 - BHO: (no name) - {AB1F30EE-0778-0BAF-3A44-38C447DE2B6C} - C:\WINDOWS\System32\lzoeyywo.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
    O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [EPSON Stylus Photo 820 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE /P29 "EPSON Stylus

    Photo 820 Series" /O6 "USB001" /M "Stylus Photo 820"
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [qjwkxgxw] C:\WINDOWS\pfldqmqy.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [Swapper] C:\Program Files\Revolutionary Stuff\Swapper.NET\Swapper.exe /m
    O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
    O4 - HKLM\..\Run: [VC5Player] C:\Program Files\HHVcdV5Sys\VC5Play.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: PowerReg SchedulerV2.exe
    O4 - Global Startup: USB Manager.lnk = C:\Program Files\Belkin\Belkin Wireless USB Adapter Manager\WlanMonitor.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) -

    http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -

    http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) -

    http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) -

    https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -

    http://207.188.7.150/12ef9a278a8178126a00/netzip/RdxIE601.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) -

    http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -

    http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37734.1643171296
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) -

    http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) -

    http://install.wildtangent.com/bgn/partners/aolim/install.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -

    http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) -

    http://by99fd.bay99.hotmail.msn.com/activex/HMAtchmt.ocx
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0438AB69-0156-4E40-8506-A1CB99953BC4}: NameServer = 192.168.0.1
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B0D2568E-EBA3-4270-B639-E4D01AC5F506}: NameServer = 192.168.0.1

    Help is appreciated, thanks in advance!

    Edit: Eh, forgot to post which spyware cleaners I used--Spybot S&D, Spysweeper, and Ad-Aware.
     
  2. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Hi Ars Loqui

    Check the following items in Hijackthis - close ALL windows\browsers except Hijackthis and click "Fix checked":

    R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7}_ - (no file)
    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)

    O2 - BHO: (no name) - {3CD21DE8-4198-818B-1BA9-B571CE32C7E7} - C:\WINDOWS\System32\nlmafqpu.dll
    O2 - BHO: (no name) - {7D03487F-D8C6-69E8-7830-EA8F6F376A2A} - C:\WINDOWS\System32\oyuesonb.dll
    O2 - BHO: (no name) - {AB1F30EE-0778-0BAF-3A44-38C447DE2B6C} - C:\WINDOWS\System32\lzoeyywo.dll

    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

    O4 - HKLM\..\Run: [qjwkxgxw] C:\WINDOWS\pfldqmqy.exe

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"

    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) -
    http://www.fileplanet.com/fpdlmgr/c...DC_1_0_0_41.cab

    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) -
    https://webresponse.one.microsoft.c...iveX/winrep.cab

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
    http://207.188.7.150/12ef9a278a8178...ip/RdxIE601.cab

    NOTE....even in safe mode you may have to open taskmanager and end task on some of them before you can delete them.

    Make sure you can view hidden and system files: Instructions here

    Then Boot to safe mode: Instructions here

    Delete the following files\folders IF still present:

    C:\WINDOWS\pfldqmqy.exe

    C:\Program Files\webHancer <-----folder

    Then reboot and use AdAware as described :
    HERE

    Empty your Temporary Internet Files and history in Internet Options. And clean out your
    %Userprofile%\Local Settings\Temp
    folder. It's a good idea to do that regularly.

    Then Disable system restore: Instructions here
    Reboot

    Enable System Restore.

    Problem gone?
     
Thread Status:
Not open for further replies.