hijackThis log

Discussion in 'adware, spyware & hijack cleaning' started by snowbound, Jan 16, 2004.

Thread Status:
Not open for further replies.
  1. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hi everyone :)

    Having problems accessing my email today, don't know why. o_O

    Comp. has been a little slow at bootup last few times so I am a little suspicious (paranoid ;))

    I see some things not familiar from last log. I ran adaware.

    How's it look?

    Logfile of HijackThis v1.97.6
    Scan saved at 4:47:22 PM, on 1/16/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\NSClean\BOClean\BOClean.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    C:\PROGRA~1\NSClean\BOClean\BOCSEC.EXE
    C:\Program Files\Eset\nod32kui.exe
    C:\WINDOWS\system32\gearsec.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Steve\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hispeed.rogers.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hispeed.rogers.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Rogers Hi-Speed Internet
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [BOCleanautostart] C:\PROGRA~1\NSClean\BOClean\BOClean.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
    O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: ICQ Lite (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O14 - IERESET.INF: START_PAGE_URL=http://hispeed.rogers.com
    O15 - Trusted Zone: http://www.citibank.com
    O15 - Trusted Zone: http://sea2fd.sea2.hotmail.msn.com
    O15 - Trusted Zone: http://hispeed.rogers.com
    O15 - Trusted Zone: http://www.wilderssecurity.com
    O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
    O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37861.7324768519
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
     
  2. Kulsar

    Kulsar Registered Member

    Joined:
    Dec 10, 2003
    Posts:
    17
    IMHO I don't see a problem with your list but you could remove these to speed things up.

    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Kulsar,

    I must disagree with that last one.
    Fixing that will remove imon.dll from the winsock and snowbound's mail would no longer be scanned by NOD32.

    The other two have probably been there from the start so they should not be responsible for the slowdown.

    snowbound,

    If you decide to fix something, remember to unzip hijackthis.exe to a folder of its own.
    It cannot make backups the way you run it now.

    Did you change anything prior to the slowdowns?

    Do you have System Restore enabled?

    Your log is clean by the way.

    Regards,

    Pieter
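
As an added example (not part of Pieter's post or of HijackThis itself), the Python sketch below parses the log format shown in this thread and raises the two review points from the reply above: HijackThis running from a temp folder, and an O10 line naming an LSP provider. The sample log is constructed from lines in the posted log, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines taken from the log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.6
Running processes:
C:\WINDOWS\system32\lsass.exe
C:\Documents and Settings\Steve\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hispeed.rogers.com/
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
"""

# Entry lines look like "<letter><number> - <detail>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

def parse_log(text):
    """Return (running_processes, entries); entries maps section code -> details."""
    processes, entries, in_procs = [], defaultdict(list), False
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False          # the process list ends at the first entry
            entries[m.group(1)].append(m.group(2))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            processes.append(line)
    return processes, dict(entries)

def review_notes(processes, entries):
    """Notes a helper would raise before anything in the log is fixed."""
    notes = []
    for p in processes:
        low = p.lower()
        if low.endswith("hijackthis.exe") and "\\temp\\" in low:
            notes.append("HijackThis runs from a temp folder: "
                         "unzip it to a folder of its own so it can make backups")
    for detail in entries.get("O10", []):
        m = re.search(r"LSP provider '([^']+)'", detail)
        if m:
            notes.append(f"O10 names LSP provider '{m.group(1)}': "
                         "check which product owns it before fixing")
    return notes
```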
     
  4. snowbound

    Hi Pieter :)

    I have made no changes prior to my email problems.

    Yes, I have System Restore enabled.

    Pieter is it necessary to fix the first 3 that Kulsar suggested?

    Thanks




    snowbound
     
  5. snowbound

    Oh, I should say it is hotmail that I can't access.

    Outlook is ok.






    snowbound
     
  6. Kulsar

    Ta for the advice ;)

    The other ones I mentioned as they aren't really necessary at startup, but are not related to the problem
     
  7. snowbound

    thank u Pieter and Kulsar :)

    To make a long story short, I tried a few different things and got hotmail working again :)

    I would like to thank Merjin for developing these two excellent apps, HijackThis and CWshredder.

    Combined they are some of the best tools I have seen to find malware and get rid of it.

    Keep up the good work Merjin :D

    We all thank u for it. :)



    snowbound
     
  8. Pieter_Arntz

    Hi snowbound,

    Good to hear you sorted that mail problem out. :)

    The ones Kulsar listed are all related to your nVidia card.
    It is not necessary to fix them, but it also isn't really required that they start up.
    nwiz and NvCplDaemon start up on my system as well, since that makes it easier to access the control panel for the video card. I use that quite often for cloning my screen on TV.

    And I could not agree more about Merijn.
    Don't tell him, but I am glad his holiday is almost over. :p

    Regards,

    Pieter
     
  9. snowbound

    Oops, I spelt Merijn's name wrong :rolleyes:

    Hope he doesn't notice. ;)

    I will leave these entries alone as I want to use my TV also with my computer.

    Sometimes comp. is slow but I think it is just traffic in my area as I am on broadband.

    Thanks to all for your help. :)




    snowbound
     