HJT Log

Discussion in 'adware, spyware & hijack cleaning' started by dadgad, May 28, 2004.

Thread Status:
Not open for further replies.
  1. dadgad

    dadgad Registered Member

    Joined:
    May 28, 2004
    Posts:
    7
    Greetings-

    I've been having hideous problems with browser hijackers. Particularly from zestyfind.com and this url http://65.61.157.153/AdServer/MemTurbo/Adm/ad.htm

    I keep trying to clean out with Spybot, Adaware and Pest Patrol, but it either is never gone or keeps coming back.

    I'd appreciate any advice you all have from this HJT Log. Thx...

    Logfile of HijackThis v1.97.7
    Scan saved at 3:19:54 PM, on 5/28/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\WINDOWS\SYSTEM32\tbctray.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    c:\Program Files\PestPatrol\CookiePatrol.exe
    c:\Program Files\PestPatrol\PPMemCheck.exe
    c:\Program Files\PestPatrol\PPControl.exe
    C:\Program Files\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R3 - Default URLSearchHook is missing
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\SYSTEM32\tbctray.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKLM\..\RunOnce: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" "+b1"
    O4 - HKLM\..\RunOnce: [PPClean Remove at boot] C:\PPCleanDeleteAtReboot.bat
    O4 - HKLM\..\RunOnce: [Pest Cleaning] "c:\Program Files\PestPatrol\ppclean.exe" clean ts:20040528151740961 suite 2
    O4 - Global Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\HP Instant Support DI\bin\matcli.exe
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: officejet 6100.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38086.5272569444
    O17 - HKLM\System\CCS\Services\Tcpip\..\{29F2B240-55AC-44F3-9E36-DBD0D188A33D}: NameServer = 204.89.253.1,204.89.253.2
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi dadgad,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R3 - Default URLSearchHook is missing

    Then download VX2Finder from this link:
    http://tools.zerosrealm.com/VX2Finder.exe

    Run Vx2Finder, click on the *click to find VX2.BetterInternet* button. Then click *make log*.

    Copy and paste the contents of the log into your next reply here.

    Regards,

    Pieter
     
  3. dadgad

    dadgad Registered Member

    Joined:
    May 28, 2004
    Posts:
    7
    Pieter-

    You still there? Thanks kindly for the info. I have done as you suggested. Below is the log from the VX2 Finder...

    Log for VX2.BetterInternet File Finder

    Files Found---
    C:\WINDOWS\System32\6go4svc.dll
    C:\WINDOWS\System32\aectres.dll
    C:\WINDOWS\System32\aytiveds.dll


    Guardian Key--- is called: GuardianPRIKL
    Asynchronous 000
    DllName C:\WINDOWS\system32\6go4svc.dll
    Impersonate 000
    Logon WinLogon
    Logoff WinLogoff
    Version 124
    ID {B26F38D8-53BA-4FF3-B72B-04A816E56F12}
    IDex CS2

    User Agent String---
    {B26F38D8-53BA-4FF3-B72B-04A816E56F12}
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Ah goodie. Those can all go.

    Stay off the net until all files are deleted (that is after the second reboot)

    Open VX2Finder it and click on the *click to find VX2.BetterInternet* button.

    Then select the *Delete these files* button.
    You will be left with notice about one to be deleted on reboot.
    It will ask to reboot on deletion of the last file (do that)

    After that last file is gone go to
    Start > run > type regedit enter and Navigate to :

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GuardianPRIKL

    (Note : the five letters in caps at the end may have changed [PRIKL] but it will still start with Guardian)

    Right click on the Guardiano_O?? key and select delete.
    Close Regedit.
    Reboot.

    Open VX2Finder again and select:
    User Agent$ > yes to confirm delete.
    and then
    Restore Policy

    Exit and reboot.

    Run Vx2Finder once more and click on the *click to find VX2.BetterInternet* button. Then click *make log*.
    Post it here with a fresh HijackThis log please.

    Regards,

    Pieter
     
  5. dadgad

    dadgad Registered Member

    Joined:
    May 28, 2004
    Posts:
    7
    OK, so far so good, but...

    Following your instructions, after I deleted the Guardian file in regedit and rebooted, I opened VX2Finder again, but the User Agent$ button was grayed out. So I stopped there and have returned humbly asking for more advice.
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Could you post a new VX2finder log?

    I think I have seen something similar elsewhere.
    ~scurries off looking for his memory~

    Regards,

    Pieter
     
  7. dadgad

    dadgad Registered Member

    Joined:
    May 28, 2004
    Posts:
    7
    Latest...

    Log for VX2.BetterInternet File Finder

    Files Found---
    C:\WINDOWS\System32\6ao4svc.dll
    C:\WINDOWS\System32\6fo4svc.dll
    C:\WINDOWS\System32\6go4svc.dll
    C:\WINDOWS\System32\aectres.dll
    C:\WINDOWS\System32\asaamon.dll
    C:\WINDOWS\System32\aytiveds.dll


    Guardian Key--- is called: GuardianTPOFK
    Asynchronous 000
    DllName C:\WINDOWS\system32\6go4svc.dll
    Impersonate 000
    Logon WinLogon
    Logoff WinLogoff
    Version 124
    ID {B26F38D8-53BA-4FF3-B72B-04A816E56F12}
    IDex CS2

    User Agent String---
    {B26F38D8-53BA-4FF3-B72B-04A816E56F12}
     
  8. dadgad

    dadgad Registered Member

    Joined:
    May 28, 2004
    Posts:
    7
    Pieter, Are you still out there?

    IN case things had changed since my last post, I've posted a new log...

    Log for VX2.BetterInternet File Finder

    Files Found---
    C:\WINDOWS\System32\6ao4svc.dll
    C:\WINDOWS\System32\6fo4svc.dll
    C:\WINDOWS\System32\6go4svc.dll
    C:\WINDOWS\System32\6yo4svc.dll
    C:\WINDOWS\System32\aectres.dll
    C:\WINDOWS\System32\asaamon.dll
    C:\WINDOWS\System32\aytiveds.dll


    Guardian Key--- is called: GuardianIPOHG
    Asynchronous 000
    DllName C:\WINDOWS\system32\6go4svc.dll
    Impersonate 000
    Logon WinLogon
    Logoff WinLogoff
    Version 124
    ID {B26F38D8-53BA-4FF3-B72B-04A816E56F12}
    IDex CS2

    User Agent String---
    {B26F38D8-53BA-4FF3-B72B-04A816E56F12}
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi dadgad,

    Stay off the net until all files are deleted (that is after the second reboot)

    Open VX2Finder it and click on the *click to find VX2.BetterInternet* button.
    Select the files that show up in the window
    Then select the *Delete these files* button.
    You will be left with notice about one to be deleted on reboot.
    It will ask to reboot on deletion of the last file (do that)

    After that last file is gone go to
    Start > run > type regedit enter and Navigate to :

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GuardianIPOHG

    (Note : the five letters in caps at the end may have changed [IPOHG] but it will still start with Guardian)

    Right click on the Guardiano_O?? key and select delete.
    Close Regedit.
    Reboot.

    Open VX2Finder again and select:
    User Agent$ > yes to confirm delete.
    and then
    Restore Policy

    Exit and reboot.

    Run Vx2Finder once more and click on the *click to find VX2.BetterInternet* button. Then click *make log*.
    Post it here with a fresh HijackThis log please.

    Regards,

    Pieter
     
  10. dadgad

    dadgad Registered Member

    Joined:
    May 28, 2004
    Posts:
    7
    Hi Pieter-

    Latest...

    Logfile of HijackThis v1.97.7
    Scan saved at 11:41:46 PM, on 6/18/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\PROGRA~1\PESTPA~1\PPControl.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\WINDOWS\SYSTEM32\tbctray.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.zestyfind.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.zestyfind.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\SYSTEM32\tbctray.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Global Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\HP Instant Support DI\bin\matcli.exe
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: officejet 6100.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38086.5272569444
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{29F2B240-55AC-44F3-9E36-DBD0D188A33D}: NameServer = 204.89.253.1,204.89.253.2


    Log for VX2.BetterInternet File Finder

    Files Found---


    Guardian Key--- is called:

    User Agent String---
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi dadgad,

    Good job sofar. :)

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.zestyfind.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.zestyfind.com/

    Then reboot and you should be fine.

    Please read How did this happen and can I prevent it?

    Regards,

    Pieter
     
  12. dadgad

    dadgad Registered Member

    Joined:
    May 28, 2004
    Posts:
    7
    Done-

    Thank you so much for all your kind assistance!
     
Thread Status:
Not open for further replies.