Is My Computer Safe? Part 1

Discussion in 'adware, spyware & hijack cleaning' started by jure, Mar 15, 2004.

Thread Status:
Not open for further replies.
  1. jure

    jure Registered Member

    Joined:
    Mar 15, 2004
    Posts:
    4
    Hi,

    Read the log by LowWaterMark about scanning with Ad-aware 6 build 6.181 and then with Hijack-This, posting the logs and asking for assistance to see if my computer has been/is compromised by spyware and such nasties....

    Result from Hijack-This:

    Logfile of HijackThis v1.97.7
    Scan saved at 23:53:29, on 14.3.2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\Explorer.EXE
    D:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    D:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
    D:\WINDOWS\System32\inetsrv\inetinfo.exe
    D:\Program Files\F-Secure\Anti-Virus\fssm32.exe
    D:\PROGRA~1\Iomega\System32\AppServices.exe
    D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    D:\WINDOWS\System32\tcpsvcs.exe
    D:\WINDOWS\System32\snmp.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\F-Secure\Common\FSMA32.EXE
    D:\WINDOWS\System32\mqsvc.exe
    D:\Program Files\F-Secure\Common\FSMB32.EXE
    D:\Program Files\F-Secure\Common\FCH32.EXE
    D:\Program Files\F-Secure\Common\FAMEH32.EXE
    D:\WINDOWS\System32\mqtgsvc.exe
    D:\Program Files\F-Secure\Common\FNRB32.EXE
    D:\Program Files\F-Secure\Common\FIH32.EXE
    D:\Program Files\F-Secure\Anti-Virus\fsav32.exe
    D:\WINDOWS\sm56hlpr.exe
    D:\WINDOWS\System32\atiptaxx.exe
    D:\Program Files\F-Secure\Common\FSM32.EXE
    D:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe
    D:\WINDOWS\System32\javaw.exe
    D:\WINDOWS\System32\ctfmon.exe
    D:\Program Files\InterVideo\WinDVD4PR\SchSvr.exe
    D:\Program Files\Alarm\Alarm Tray.exe
    D:\Program Files\Internet Explorer\iexplore.exe
    D:\Documents and Settings\Administrator\Desktop\hijackthis1977\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer v6
    R3 - Default URLSearchHook is missing
    O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - D:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - D:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - D:\Program Files\WS_FTP Pro\wsbho2k0.dll
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\PROGRA~1\FlashGet\jccatch.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - (no file)
    O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - D:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
    O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
    O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [F-Secure Manager] "D:\Program Files\F-Secure\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [FastTVSync] "D:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe"
    O4 - HKLM\..\Run: [WebSavingsfromEbates] javaw -cp "D:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "D:\Program Files\WebSavingsfromEbates"
    O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Show missed alarms] D:\Program Files\Alarm\Alarm.exe
    O4 - HKCU\..\Run: [scheduler] D:\Program Files\InterVideo\WinDVD4PR\SchSvr.exe
    O4 - Startup: Alarm Clock Icon.lnk = ?
    O8 - Extra context menu item: Download All by FlashGet - D:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - D:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: Web Savings - file://D:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://download.rfwnad.com/cab/crack.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C3C94223-C0FD-4D0B-AEAB-A86B7B69BBBE}: NameServer = 223.223.223.0

    Thanks from newbie,
    Jure
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi jure,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R3 - Default URLSearchHook is missing
    O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - D:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - D:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

    O3 - Toolbar: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - (no file)
    O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - D:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

    O4 - HKLM\..\Run: [WebSavingsfromEbates] javaw -cp "D:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "D:\Program Files\WebSavingsfromEbates"

    O8 - Extra context menu item: Web Savings - file://D:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm

    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://download.rfwnad.com/cab/crack.CAB

    Then reboot and delete:
    D:\Program Files\WebSavingsfromEbates <= entire folder
    D:\Program Files\MyWay <= entire folder

    Regards,

    Pieter
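The reply above fixes every entry that points into the two folders it then deletes, plus the entries HijackThis itself marks as dangling. As an added example (not part of either post; the function names are hypothetical and the sample is a subset of the log posted in this thread), a rescan can be checked the same way to confirm nothing still references the removed folders:

```python
import re
from urllib.parse import urlparse

# Constructed sample: eight entries copied from the log posted in this thread.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - D:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - (no file)
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WebSavingsfromEbates] javaw -cp "D:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "D:\Program Files\WebSavingsfromEbates"
O8 - Extra context menu item: Web Savings - file://D:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://download.rfwnad.com/cab/crack.CAB
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.+)$")      # section code, then entry text
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

def parse_entries(log):
    """Return (section_code, text) for each 'Xn - ...' line; skip headers and process paths."""
    matches = (ENTRY.match(line.strip()) for line in log.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]

def referencing(entries, folders):
    """Entries whose text mentions any of the given folders (case-insensitive)."""
    wanted = [f.lower() for f in folders]
    return [e for e in entries if any(w in e[1].lower() for w in wanted)]

def orphaned(entries):
    """Entries HijackThis itself reports as pointing at nothing."""
    return [e for e in entries if e[1].endswith(("(no file)", "is missing"))]

def dpf_sources(entries):
    """Map each O16 (downloaded ActiveX control) CLSID to the host it was fetched from."""
    result = {}
    for code, text in entries:
        clsid = CLSID.search(text)
        if code == "O16" and clsid:
            result[clsid.group(0)] = urlparse(text.rsplit(" - ", 1)[-1]).hostname
    return result

if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LOG)
    removed = [r"D:\Program Files\MyWay", r"D:\Program Files\WebSavingsfromEbates"]
    for code, text in referencing(entries, removed):
        print("references removed folder:", code, text)
    for code, text in orphaned(entries):
        print("dangling entry:", code, text)
    print("ActiveX download hosts:", dpf_sources(entries))
```

Run against a log saved after the reboot, `referencing` and `orphaned` should both come back empty if the fix took.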
     
  3. jure

    jure Registered Member

    Joined:
    Mar 15, 2004
    Posts:
    4
    Thanks Pieter,

    will do...

    Jure
     