Hijackthis log

Discussion in 'adware, spyware & hijack cleaning' started by mattyl, Mar 19, 2004.

Thread Status:
Not open for further replies.
  1. mattyl

    mattyl Registered Member

    Joined:
    Feb 29, 2004
    Posts:
    83
    Could somebody please check this log. Ad-aware and Spybot have been run with the latest updates, and Trend Micro found and deleted a few viruses/trojans. Unfortunately I don't know the names b/c it was my friend's computer and I was helping him over the phone. Once that was all done he still had a few probs (one being the System32 folder opening when he booted up - think that is one of the O4 [] entries) so I asked him to download and run HijackThis. Here is his log - thanks a lot for taking a look!

    Logfile of HijackThis v1.97.7
    Scan saved at 3:49:24 PM, on 3/19/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\PROGRA~1\ADELPH~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\WindowsUpd1.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\America Online 9.0\aoltray.exe
    C:\Program Files\AOL COMPANION\COMPANION.EXE
    C:\Program Files\Adelphia eSupport Assistant\bin\mpbtn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Tom and Lisa\Desktop\New Folder\HijackThis.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {DE80BF98-EF07-CF1C-C2C3-F85D74EA50DA} - C:\WINDOWS\system32\cojrfiao.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ADELPH~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [rvqvmlvx] C:\WINDOWS\jlmbpprn.exe
    O4 - HKLM\..\Run: [XEPCC] C:\WINDOWS\XEPCC.exe
    O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
    O4 - HKLM\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\WindowsUpd1.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
    O4 - Global Startup: Adelphia eSupport Assistant.lnk = C:\Program Files\Adelphia eSupport Assistant\bin\matcli.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {3FC76754-41A5-11D2-9370-00A0C9B1E042} (ColoringCtl Class) - http://www.kiddonet.com/lapware/actmenu/coloring/Coloring.ocx
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    Thanks again,
    mattyl
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi mattyl,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {DE80BF98-EF07-CF1C-C2C3-F85D74EA50DA} - C:\WINDOWS\system32\cojrfiao.dll

    O4 - HKLM\..\Run: [rvqvmlvx] C:\WINDOWS\jlmbpprn.exe
    O4 - HKLM\..\Run: [XEPCC] C:\WINDOWS\XEPCC.exe
    O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
    O4 - HKLM\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\WindowsUpd1.exe

    O4 - HKCU\..\Run: [] c:\WINDOWS\System32\

    Then reboot and delete:
    C:\WINDOWS\jlmbpprn.exe
    c:\WINDOWS\System32\zzb.exe
    And could you please mail a copy of
    C:\WINDOWS\WindowsUpd1.exe
    to the address in my profile.

    Thanks in advance,

    Pieter
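The items Pieter picks out above share a few traits that can be checked mechanically: an unnamed BHO loaded from a bare file in system32, Run values that point at a directory rather than a program (which makes Explorer open that folder at logon), and autostart executables dropped straight into C:\WINDOWS or System32 instead of a vendor folder, plus the removed default URLSearchHook. The following Python script is an added example, not part of this thread or of HijackThis; it parses lines in the v1.97 log format above and applies those heuristics to a constructed excerpt. The `KNOWN_GOOD` allow-list (with `ctfmon.exe` as an assumed legitimate System32 autostart) is illustrative and would need to be filled from a clean baseline; the output is a list of entries to review, not a verdict.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in HijackThis v1.97 log format. The suspicious lines copy the
# entries flagged in the thread above; ctfmon.exe is an assumed known-good entry.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {DE80BF98-EF07-CF1C-C2C3-F85D74EA50DA} - C:\WINDOWS\system32\cojrfiao.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [rvqvmlvx] C:\WINDOWS\jlmbpprn.exe
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\WindowsUpd1.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

# O4 Run entries: "O4 - HKLM\..\Run: [value name] command line"
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# O2 BHO entries: "O2 - BHO: name - {CLSID} - path"
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{[^}]+\} - (?P<path>.*)$')
# A file sitting directly in the Windows root or System32, with no vendor folder.
WINROOT_FILE = re.compile(
    r'^"?[a-z]:\\windows\\(?:system32\\)?(?P<file>[^\\"]+\.(?:exe|dll))"?', re.I)
# Illustrative allow-list of legitimate System32 autostarts (assumption; build from a baseline).
KNOWN_GOOD = {"ctfmon.exe"}


@dataclass
class Finding:
    line: str
    reason: str


def review_line(line: str):
    """Return a Finding for one log line, or None if no heuristic fires."""
    line = line.strip()
    if line.startswith("R3 -") and "URLSearchHook is missing" in line:
        return Finding(line, "default URLSearchHook removed; restore it with HijackThis")
    m = O2_RE.match(line)
    if m:
        f = WINROOT_FILE.match(m.group("path"))
        if m.group("name") == "(no name)" and f:
            return Finding(line, f"unnamed BHO loaded from a bare system file: {f.group('file')}")
        return None
    m = O4_RE.match(line)
    if m:
        cmd = m.group("cmd")
        if cmd.endswith("\\"):
            return Finding(line, "Run value is a directory; Explorer opens that folder at logon")
        f = WINROOT_FILE.match(cmd)
        if f and f.group("file").lower() not in KNOWN_GOOD:
            return Finding(line, f"autostart from Windows root/System32 not on allow-list: {f.group('file')}")
    return None


def review_log(text: str) -> list:
    """Run review_line over every line of a log and keep the hits, in log order."""
    return [fnd for fnd in map(review_line, text.splitlines()) if fnd]


if __name__ == "__main__":
    for fnd in review_log(SAMPLE_LOG):
        print(f"{fnd.reason}\n    {fnd.line}")
```

On the sample excerpt the script flags exactly the R3, O2 and four O4 lines from Pieter's list and leaves the RealPlayer, Messenger and ctfmon entries alone. The location heuristic is deliberately crude: legitimate programs do occasionally autostart from System32, which is why the allow-list exists, and a vendor-folder path proves nothing on its own, so a human still reads the result.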
     
  3. mattyl

    mattyl Registered Member

    Joined:
    Feb 29, 2004
    Posts:
    83
    Hi Pieter,

    Thanks very much for the quick response! Can you please explain how to send a copy of WindowsUpd1.exe? Can I do this by just attaching that .exe file to the email? Thanks again! You are of much help to MANY!
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi mattyl,

    Since most providers will fish out any .exe files from the mail, it would be better to zip the file up.

    Which is quite easy in XP.
    Right-click an empty space in Explorer while you are in C:\WINDOWS,
    choose New > Compressed folder (folder with a belt),
    name it sysupd1.zip and drag & drop WindowsUpd1.exe into that folder.

    Then follow the explanation here
    http://www.freeserve.com/help/beginnerguides/emailmadeeasy/emailattachfile.htm
    on how to attach files to mail.

    Regards,

    Pieter
     
  5. mattyl

    mattyl Registered Member

    Joined:
    Feb 29, 2004
    Posts:
    83
    Thanks Pieter. Sending the zipped up file now.
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Excellent. Got it. :)

    I will spread it among the spyware fighters asap.

    Regards,

    Pieter
     
  7. mattyl

    mattyl Registered Member

    Joined:
    Feb 29, 2004
    Posts:
    83
    Should I have deleted that file? I wasn't sure if you wanted to check it out first... I'm assuming I should, since you are sending it out to the spyware fighters! Thanks again - you are great!

    mattyl
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Nuke it at will mattyl.

    I'm pretty sure it's spyware.
    If it ever turns out you need a copy, drop me a mail. ;)

    Regards,

    Pieter
     