HijackThis log review request - used AdAware

hi, i hope i've followed all the steps. here is my log:


Logfile of HijackThis v1.97.7
Scan saved at 1:28:39 PM, on 5/8/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\devldr32.exe
C:\WINNT\anvshell.exe
C:\Program Files\Creative\SBLive2k\Program\CTAvTray.EXE
C:\Program Files\SVA Player\SVAPLAYER.EXE
C:\PROGRA~1\softwin\BITDEF~1\bdmcon.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\MOZILLA\Mozilla.exe
D:\MOZILLA\components\talkback.exe
C:\Program Files\Windows Media Player\mplayer2.exe
C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\enternet.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe
C:\Documents and Settings\Administrator\wrar330.exe
C:\Documents and Settings\Administrator\wrar330.exe
C:\Documents and Settings\Administrator\wrar330.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX04.759\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sympatico.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - C:\Program Files\ClearSearch\IE_ClrSch.DLL (file missing)
O2 - BHO: (no name) - {000000DA-0786-4633-87C6-1AA7A4429EF1} - C:\WINNT\System32\emesx.dll (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINNT\AdRoar.dll (file missing)
O2 - BHO: (no name) - {CD209A08-98B5-4669-AF9F-447AC5253356} - C:\WINNT\System32\CSapp.dll
O3 - Toolbar: Band Class - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINNT\AdRoar.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [Creative Launcher] C:\Program Files\Creative\SBLive2k\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [CTAvTray] C:\Program Files\Creative\SBLive2k\Program\CTAvTray.EXE
O4 - HKLM\..\Run: [SVAPlayer] C:\Program Files\SVA Player\SVAPLAYER.EXE
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [RCSync] C:\Program Files\RCPrograms\RCSync.exe
O4 - HKLM\..\Run: [PrizeSurfer] C:\Program Files\RCPrograms\v2\prizesurfer.exe
O4 - HKLM\..\Run: [AStart] C:\WINNT\AStart
O4 - HKLM\..\Run: [AdRoarUpdate] C:\WINNT\ARUpdate.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autofix
O4 - HKLM\..\Run: [BDMCon] c:\PROGRA~1\softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] c:\program files\softwin\bitdefender standard edition\bdnagent.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "d:\MOZILLA\Mozilla.exe" -turbo
O4 - HKLM\..\RunOnce: [CTAVTray] C:\Program Files\Creative\SBLive2k\Program\CTAvStub.EXE EAX.AVI
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .ofb: C:\PROGRA~1\INTERN~1\PLUGINS\NPONFLOW.DLL
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

i'm experiencing a variety of problems; stuff such as not being able to perform certain functions, my ability to search for files has been disabled; clicking on urls in emails no longer works; pasting urls from emails into my browser does not work; i am running in "active desktop recovery mode" for some reason; i have a "welcome to netscape quality feedback agent" popup plaguing me too. these are jst a few off the top of my head and my pc shuts down on its own volition. oh yeah, another thing is i can;t reply to emails: i get an error message saying "msimn has created errors...".

any advice imparted would be greatly appreciated.

 

Hi subterfuge,

Before you start please unzip hijackthis.exe to a folder of it´s own. The program creates backups in the folder it is in. In a Temp folder they easily disappear.

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - C:\Program Files\ClearSearch\IE_ClrSch.DLL (file missing)
O2 - BHO: (no name) - {000000DA-0786-4633-87C6-1AA7A4429EF1} - C:\WINNT\System32\emesx.dll (file missing)

O2 - BHO: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINNT\AdRoar.dll (file missing)
O2 - BHO: (no name) - {CD209A08-98B5-4669-AF9F-447AC5253356} - C:\WINNT\System32\CSapp.dll
O3 - Toolbar: Band Class - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINNT\AdRoar.dll (file missing)

O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe

O4 - HKLM\..\Run: [SVAPlayer] C:\Program Files\SVA Player\SVAPLAYER.EXE

O4 - HKLM\..\Run: [RCSync] C:\Program Files\RCPrograms\RCSync.exe
O4 - HKLM\..\Run: [PrizeSurfer] C:\Program Files\RCPrograms\v2\prizesurfer.exe

O4 - HKLM\..\Run: [AdRoarUpdate] C:\WINNT\ARUpdate.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"

O12 - Plugin for .ofb: C:\PROGRA~1\INTERN~1\PLUGINS\NPONFLOW.DLL

Then reboot into safe mode and delete:
C:\Program Files\SVA Player <= entire folder
C:\Program Files\RCPrograms <= entire folder
C:\WINNT\ARUpdate.exe
C:\Program Files\webHancer <= entire folder

Regards,

Pieter

 

hi, and thanks for your reply Pieter.

i've followed your instructions and unzipped HijackThis to a folder of its own.
i'm unsure of what i am to do next though. when you say "check the following items in HiJackThis" are you referring to the items that start with "O2 - BHO: Clear Search - ...." and end with "O12 - Plugin for .ofb: C:\PROGRA~1\INTERN~1\PLUGINS\NPONFLOW.DLL"?

where in HijackThis do i check these items? or do you mean "check" as in, look for these items? if so, where do i look for them. am i supposed to use HJT to scan first then follow these instructions, or am i to check these items before scanning. sorry, i'm confused. thanks again for the help so far!

EDIT - ok, i went ahead and ran a scan with HJT now saved in its own folder and i see what you mean now. i'll see if i can go through the rrest of your instructions now.

 

hi Pieter,

i went into safe mode and attempted to delete the folders/files you said to, however i could only find 2 out of the 4 you said to purge.


C:\Program Files\SVA Player <= entire folder
C:\Program Files\RCPrograms <= entire folder
C:\WINNT\ARUpdate.exe
C:\Program Files\webHancer <= entire folder

i was unable to find the last 2 in the specified areas.

any suggestions?

this is what the log looks like now:

Logfile of HijackThis v1.97.7
Scan saved at 12:40:59 PM, on 5/10/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\devldr32.exe
C:\WINNT\anvshell.exe
C:\Program Files\Creative\SBLive2k\Program\CTAvTray.EXE
C:\PROGRA~1\softwin\BITDEF~1\bdmcon.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\MOZILLA\Mozilla.exe
D:\MOZILLA\components\talkback.exe
C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\enternet.exe
C:\Documents and Settings\Administrator\hijackthis1977\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sympatico.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [Creative Launcher] C:\Program Files\Creative\SBLive2k\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [CTAvTray] C:\Program Files\Creative\SBLive2k\Program\CTAvTray.EXE
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [AStart] C:\WINNT\AStart
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autofix
O4 - HKLM\..\Run: [BDMCon] c:\PROGRA~1\softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] c:\program files\softwin\bitdefender standard edition\bdnagent.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "d:\MOZILLA\Mozilla.exe" -turbo
O4 - HKLM\..\RunOnce: [CTAVTray] C:\Program Files\Creative\SBLive2k\Program\CTAvStub.EXE EAX.AVI
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

 

Seeing that your log is clean now, those were probably just orphaned registry entries that HijackThis found.

Read here for some preventive measures:
https://www.wilderssecurity.com/showthread.php?t=27971
One of the most urgent ones for you, would be to get a updated version of IE.

Regards,

Pieter

 

thank you for the diagnosis. should i get an updated version of IE even if i'm using mozilla? do i need to be using IE or can i delete it if i'm using a different browser? i'll read the other thred you gave the link for - thanks.

 

Using Mozilla would be an improvement, but I would still install IE6 and all it's updates. Not only because they are an integral part of Windows, but also because you will need it at times.

Regards,

Pieter