HijackThis log is here.. Please help!

Discussion in 'adware, spyware & hijack cleaning' started by smanepalli, May 25, 2004.

Thread Status:
Not open for further replies.
  1. smanepalli

    smanepalli Registered Member

    Joined:
    May 25, 2004
    Posts:
    2
    Hi, I have installed Ad-aware 6 and it removed files that it found to be infected. The ran was successful.
    I ran HijackThis and here is the content of my log ....

    Logfile of HijackThis v1.97.7
    Scan saved at 9:42:44 AM, on 5/25/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    C:\WINNT\System32\cisvc.exe
    c:\PROGRA~1\NavNT\DefWatch.exe
    C:\WINNT\System32\domtimec.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\WS_FTP Pro\ftpsched.exe
    C:\PROGRA~1\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
    C:\WINNT\System32\mgabg.exe
    C:\PROGRA~1\NavNT\NavRoam.exe
    C:\PROGRA~1\NavNT\rtvscan.exe
    C:\WINNT\system32\nutsrv4.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Support.com\bin\tgsrvc.exe
    C:\Program Files\Serena Software\ChangeMan\ds\client\vcs_nt_service.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\PDesk\PDesk.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\Program Files\WS_FTP Pro\ftpqueue.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\NavNT\vptray.exe
    C:\Program Files\WordWeb\wweb32.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\WINNT\System32\cidaemon.exe
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.yahoo.com/search/options
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://insite.bankofamerica.com/insite/index.shtml
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Bank of America
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxyconfig.bankofamerica.com
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk\PDesk.exe /Autolaunch
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
    O4 - HKLM\..\Run: [ftpqueue] C:\Program Files\WS_FTP Pro\ftpqueue.exe -tray
    O4 - HKLM\..\Run: [SwdisUsrPCN.B000BCD02060B] "C:\PROGRA~1\Tivoli\Lcf\Dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "C:\Program Files\Tivoli\swdis\2\wdusrpcn.env"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
    O4 - HKLM\..\Run: [SoDA Startup] C:\Program Files\Rational\SoDAWord\Wizards\SodaStartup.exe StartUp
    O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\Program Files\Rational\Rational Test\nutcroot\bin\ncoeenv.exe
    O4 - HKCU\..\RunOnce: [MS Setup] C:\Program Files\Windows Media Player\wmplayer.exe
    O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O14 - IERESET.INF: START_PAGE_URL=http://insite.bankofamerica.com/insite/index.shtml
    O15 - Trusted Zone: *.knowledgenet.com
    O16 - DPF: Sametime Meeting Room Client ST25PF1 - http://crpjvfncs01.bankofamerica.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://tdserver.bitstream.com/tdserver.cab
    O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.refurbdepot.com/CFIDE/classes/CFJava.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
    O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://64.156.188.99/iwasher/pptproactauth/internetwasherpro.cab
    O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2033dc0bd96b60de3619/netzip/RdxIE601.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://63.240.55.130/media/VisitorChat/TLIEFlash.CAB
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1435/ftp.coupons.com/v3123/cpbrkpie.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37847.3372222222
    O16 - DPF: {A4E84B61-1174-4309-87F0-E795A64158CC} (JNILoader Control) - http://crpjvfncs01.bankofamerica.com/sametime/STMeetingRoomClient/STJNILoader.cab
    O16 - DPF: {A996E48C-D3DC-4244-89F7-AFA33EC60679} (Settings Class) - https://certificates.bankofamerica.com/cms/capicom.cab
    O16 - DPF: {ABD45F35-2E4C-44C0-A075-6EF1DE75398E} - http://www.riversoftware.net/x0ff.cab
    O16 - DPF: {B3014671-7872-4671-BE73-5D05EB5B2AF5} (Infragistics UltraGrid Control 2.0) - http://otonline.bankofamerica.com/cabs/IGUltraGrid20.CAB
    O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - https://sep.boa.kpmgconsulting.net/viewer/activeXViewer/activexviewer.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553541000} - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DCB98BE9-88EE-4AD0-9790-2B169E8D5BBB} - http://www.humanconcepts.com/viewer/hcinstall.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://techspan.webex.com/client/latest/webex/ieatgpc.cab
    O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggernews/ForbesDownloaderSigned.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fl.bankofamerica.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fl.bankofamerica.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = fl.bankofamerica.com
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi smanepalli,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com

    O4 - HKCU\..\RunOnce: [MS Setup] C:\Program Files\Windows Media Player\wmplayer.exe

    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://tdserver.bitstream.com/tdserver.cab

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2033dc0bd96b60de3619/netzip/RdxIE601.cab

    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1435/ftp.coupons.com/v3123/cpbrkpie.cab

    O16 - DPF: {ABD45F35-2E4C-44C0-A075-6EF1DE75398E} - http://www.riversoftware.net/x0ff.cab

    O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggernews/ForbesDownloaderSigned.cab

    Then reboot.

    Regards,

    Pieter
     
  3. smanepalli

    smanepalli Registered Member

    Joined:
    May 25, 2004
    Posts:
    2
    Hello Pieter, Thanks so much for your quick response. I did what you told and now I am free from the xxxware! Yahoooooooooo! I am so excited to surf without those sprouting popups anymore. Thanks so much!

    SM
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
Thread Status:
Not open for further replies.