HJT log

Discussion in 'adware, spyware & hijack cleaning' started by Shelb, Feb 17, 2004.

Thread Status:
Not open for further replies.
  1. Shelb

    Shelb Registered Member

    Joined:
    Dec 3, 2003
    Posts:
    76
    Hi,
    I am helping a friend rid his pc of spyware. So far Ad Aware, Spybot S&D, etc.. has cleaned tons of things off the pc.

    As a final measure, I had him send me a HJT log. From what I can tell (from my limited knowledge :D) it is fairly clean. Not sure if he wants to keep the searchbars, but there is one O2 - BHO entry I could not identify. Wanted to get a second opinion.

    See below.

    Logfile of HijackThis v1.97.7
    Scan saved at 15:21:46, on 17/02/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
    C:\WINDOWS\System32\GEARSEC.EXE
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\WINDOWS\System32\PGPsdkServ.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\Program Files\Norton Internet Security\ccPxySvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Google\ggviewer67-65.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\Program Files\DIRECWAY\BIN\dpcstart.exe
    C:\PROGRA~1\DIRECWAY\bin\dpcnav.exe
    C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpctr.exe
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Outlook Express\MSIMN.EXE
    C:\Documents and Settings\sokari\Desktop\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr...rch/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/radio/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/...gen/default.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/ymsgr...://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr...rch/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/ymsgr...//www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = http=127.0.0.1:83
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.107-big.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
    O3 - Toolbar: Systran40stand.IEPlugIn - {EDDEB5CF-6CC3-11D6-ABAA-00B0D094B576} - C:\Program Files\Systran\4_0\Standard\IEPlugIn.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.107-big.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - Global Startup: Dpcstart.lnk = C:\Program Files\DIRECWAY\BIN\dpcstart.exe
    O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar_en_2.0.107-big.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar_en_2.0.107-big.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar_en_2.0.107-big.dll/cmcache.html
    O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
    O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar_en_2.0.107-big.dll/cmsimilar.html
    O8 - Extra context menu item: Summarize Using Copernic Summarizer - C:\Program Files\Copernic Summarizer\Web\SummarizePage.htm
    O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar_en_2.0.107-big.dll/cmtrans.html
    O8 - Extra context menu item: Translate Page with Worldlingo.com - http://www.worldlingo.com/UP62768/P...pword=lingocnet
    O8 - Extra context menu item: Translate Selection with Worldlingo.com - http://www.worldlingo.com/UP62768/P...pword=lingocnet
    O9 - Extra button: Summarize (HKLM)
    O9 - Extra button: Translate (HKLM)
    O9 - Extra 'Tools' menuitem: Translate Page (HKLM)
    O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)
    O9 - Extra button: LiveSummarizer (HKLM)
    O9 - Extra button: Copernic Agent (HKLM)
    O9 - Extra 'Tools' menuitem: Summarize Using Copernic Summarizer (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/...bin/AvSniff.cab
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
    O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\SuperCD\IntraLaunch.CAB
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/...n/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9E753720-3E64-446B-9C59-08B7705D6EEE}: Domain = direcpceu.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9E753720-3E64-446B-9C59-08B7705D6EEE}: NameServer = 195.238.50.254,195.238.40.3,195.238.50.254
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Shelb,

    Looking at the log I'd say you did a great job.

    This one can be fixed:
    O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - (no file)

    That is a leftover of cleaning out Kontiki.

    Regards,

    Pieter
     
  3. Shelb

    Shelb Registered Member

    Joined:
    Dec 3, 2003
    Posts:
    76
    That's the one that I couldn't indentify :)
    Always like to get an expert opinion.
    Thank you very much to taking the time to check it out!
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    No problem. :)

    Pieter
     
Thread Status:
Not open for further replies.