HijackThis log is here.. Please help!

Discussion in 'adware, spyware & hijack cleaning' started by smanepalli, May 25, 2004.

Thread Status:
Not open for further replies.
  1. smanepalli

    smanepalli Registered Member

    Joined:
    May 25, 2004
    Posts:
    2
    Hi, I have installed Ad-aware 6 and it removed files that it found to be infected. The ran was successful.
    I ran HijackThis and here is the content of my log ....

    Logfile of HijackThis v1.97.7
    Scan saved at 9:42:44 AM, on 5/25/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    C:\WINNT\System32\cisvc.exe
    c:\PROGRA~1\NavNT\DefWatch.exe
    C:\WINNT\System32\domtimec.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\WS_FTP Pro\ftpsched.exe
    C:\PROGRA~1\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
    C:\WINNT\System32\mgabg.exe
    C:\PROGRA~1\NavNT\NavRoam.exe
    C:\PROGRA~1\NavNT\rtvscan.exe
    C:\WINNT\system32\nutsrv4.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Support.com\bin\tgsrvc.exe
    C:\Program Files\Serena Software\ChangeMan\ds\client\vcs_nt_service.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\PDesk\PDesk.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\Program Files\WS_FTP Pro\ftpqueue.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\NavNT\vptray.exe
    C:\Program Files\WordWeb\wweb32.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\WINNT\System32\cidaemon.exe
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.yahoo.com/search/options
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://insite.bankofamerica.com/insite/index.shtml
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Bank of America
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxyconfig.bankofamerica.com
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk\PDesk.exe /Autolaunch
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
    O4 - HKLM\..\Run: [ftpqueue] C:\Program Files\WS_FTP Pro\ftpqueue.exe -tray
    O4 - HKLM\..\Run: [SwdisUsrPCN.B000BCD02060B] "C:\PROGRA~1\Tivoli\Lcf\Dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "C:\Program Files\Tivoli\swdis\2\wdusrpcn.env"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
    O4 - HKLM\..\Run: [SoDA Startup] C:\Program Files\Rational\SoDAWord\Wizards\SodaStartup.exe StartUp
    O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\Program Files\Rational\Rational Test\nutcroot\bin\ncoeenv.exe
    O4 - HKCU\..\RunOnce: [MS Setup] C:\Program Files\Windows Media Player\wmplayer.exe
    O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O14 - IERESET.INF: START_PAGE_URL=http://insite.bankofamerica.com/insite/index.shtml
    O15 - Trusted Zone: *.knowledgenet.com
    O16 - DPF: Sametime Meeting Room Client ST25PF1 - http://crpjvfncs01.bankofamerica.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://tdserver.bitstream.com/tdserver.cab
    O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.refurbdepot.com/CFIDE/classes/CFJava.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
    O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://64.156.188.99/iwasher/pptproactauth/internetwasherpro.cab
    O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2033dc0bd96b60de3619/netzip/RdxIE601.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://63.240.55.130/media/VisitorChat/TLIEFlash.CAB
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1435/ftp.coupons.com/v3123/cpbrkpie.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37847.3372222222
    O16 - DPF: {A4E84B61-1174-4309-87F0-E795A64158CC} (JNILoader Control) - http://crpjvfncs01.bankofamerica.com/sametime/STMeetingRoomClient/STJNILoader.cab
    O16 - DPF: {A996E48C-D3DC-4244-89F7-AFA33EC60679} (Settings Class) - https://certificates.bankofamerica.com/cms/capicom.cab
    O16 - DPF: {ABD45F35-2E4C-44C0-A075-6EF1DE75398E} - http://www.riversoftware.net/x0ff.cab
    O16 - DPF: {B3014671-7872-4671-BE73-5D05EB5B2AF5} (Infragistics UltraGrid Control 2.0) - http://otonline.bankofamerica.com/cabs/IGUltraGrid20.CAB
    O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - https://sep.boa.kpmgconsulting.net/viewer/activeXViewer/activexviewer.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553541000} - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DCB98BE9-88EE-4AD0-9790-2B169E8D5BBB} - http://www.humanconcepts.com/viewer/hcinstall.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://techspan.webex.com/client/latest/webex/ieatgpc.cab
    O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggernews/ForbesDownloaderSigned.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fl.bankofamerica.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fl.bankofamerica.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = fl.bankofamerica.com
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands
    Hi smanepalli,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com

    O4 - HKCU\..\RunOnce: [MS Setup] C:\Program Files\Windows Media Player\wmplayer.exe

    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://tdserver.bitstream.com/tdserver.cab

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2033dc0bd96b60de3619/netzip/RdxIE601.cab

    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1435/ftp.coupons.com/v3123/cpbrkpie.cab

    O16 - DPF: {ABD45F35-2E4C-44C0-A075-6EF1DE75398E} - http://www.riversoftware.net/x0ff.cab

    O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggernews/ForbesDownloaderSigned.cab

    Then reboot.

    Regards,

    Pieter
     
  3. smanepalli

    smanepalli Registered Member

    Joined:
    May 25, 2004
    Posts:
    2
    Hello Pieter, Thanks so much for your quick response. I did what you told and now I am free from the xxxware! Yahoooooooooo! I am so excited to surf without those sprouting popups anymore. Thanks so much!

    SM
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.