Hijackthis log

Could somebody please check this log. Ad-aware and spybot have been run with the latest updates and trendmicro which found and deleted a few virus/troj. Unfortunetly I don't know the names b/c it was my friends computer and I was helping him over the phone. Once that was all done he still had a few probs (one being the system 32 folder opening when he booted up - think that is one of the 04 [] entries) so I asked him to download and run hijack this. Here is his log - thanks a lot for taking a look!

Logfile of HijackThis v1.97.7
Scan saved at 3:49:24 PM, on 3/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ADELPH~1\SMARTB~1\MotiveSB.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\WindowsUpd1.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\AOL COMPANION\COMPANION.EXE
C:\Program Files\Adelphia eSupport Assistant\bin\mpbtn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tom and Lisa\Desktop\New
Folder\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program
Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} -
C:\Program
Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {DE80BF98-EF07-CF1C-C2C3-F85D74EA50DA} -
C:\WINDOWS\system32\cojrfiao.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} -
C:\Program
Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common
Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [RealTray] C:\Program
Files\Real\RealPlayer\RealPlay.exe
SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client
Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ADELPH~1\SMARTB~1
\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -
atboottime
O4 - HKLM\..\Run: [rvqvmlvx] C:\WINDOWS\jlmbpprn.exe
O4 - HKLM\..\Run: [XEPCC] C:\WINDOWS\XEPCC.exe
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\WindowsUpd1.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
/background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - Global Startup: Adelphia eSupport Assistant.lnk = C:\Program
Files\Adelphia eSupport Assistant\bin\matcli.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program
Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL
Companion\companion.exe
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1
\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet
Explorer\Plugins\NPDocBox.dll
O16 - DPF: {3FC76754-41A5-11D2-9370-00A0C9B1E042} (ColoringCtl Class) -
http://www.kiddonet.com/lapware/actmenu/coloring/Coloring.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall
/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) -
http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Thanks again,
mattyl

 

Hi mattyl,

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {DE80BF98-EF07-CF1C-C2C3-F85D74EA50DA} -
C:\WINDOWS\system32\cojrfiao.dll

O4 - HKLM\..\Run: [rvqvmlvx] C:\WINDOWS\jlmbpprn.exe
O4 - HKLM\..\Run: [XEPCC] C:\WINDOWS\XEPCC.exe
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\WindowsUpd1.exe

O4 - HKCU\..\Run: [] c:\WINDOWS\System32\

Then reboot and delete:
C:\WINDOWS\jlmbpprn.exe
c:\WINDOWS\System32\zzb.exe
And could you please mail a copy of
C:\WINDOWS\WindowsUpd1.exe
to the address in my profile.

Thanks in advance,

Pieter

 

Hi Pieter,

Thanks very much for the quick response! Can you please explain how to send a copy of WindowsUpd1.exe? Can I do this by just attatching that .exe file in the email? Thanks again! You are of much help to MANY!

 

Hi mattyl,

Since most providers will fish out any .exe files from the mail, it would be better to zip the file up.

Which is quite easy in XP.
Rightclick an empty space in explorer while you are in C:\WINDOWS
choose New > Compressed folder (folder with a belt)
Name it sysupd1.zip and drag&drop WindowsUpd1.exe into that folder.

Then follow the explanation here
http://www.freeserve.com/help/beginnerguides/emailmadeeasy/emailattachfile.htm
on how to attach files to mail.

Regards,

Pieter

 

Thanks Pieter. Sending the zipped up file now.

 

Excellent. Got it.

I will spread it among the spyware fighters asap.

Regards,

Pieter

 

should i have deleted that file? i wasn't sure if you wanted to check it out first... im assuming i should since you are sending it out to the spyware fighters! thanks again - you are great!

mattyl

 

Nuke it at will mattyl.

I'm pretty sure it's spyware.
If it ever turns out you need a copy, drop me a mail.

Regards,

Pieter