Is this Bad?

Discussion in 'adware, spyware & hijack cleaning' started by lovelyperson, May 19, 2004.

Thread Status:
Not open for further replies.
  1. lovelyperson

    lovelyperson Registered Member

    Joined:
    Mar 30, 2004
    Posts:
    8
    o_O Hello All,

    After running Ad-aware and Spybot S&D, which both came up clean, I am submitting a HijackThis Log File for your comments. After my son made some downloads, a couple of items appear to have added themselves to the current logfile.

    The first item added itself yesterday, the second has been on for longer and I just wondered if item 2 is deletable with no grave effect. Item 1 has no identification and concerns me more. Is there a method for finding out what the DPF codes are related to? If there is I think it would save a lot of unnecessary postings. Obviously if a 'name' is attached to the DPF, a Google search usually tells you its origin and its relation to your recent downloads/surfing etc.

    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    Full Logfile below.

    Thanks for your very valuable time taken to help.

    Cheers ;) lovelyperson

    Logfile of HijackThis v1.97.7
    Scan saved at 7:14:10, on 19/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
    C:\Archivos de programa\Norton Personal Firewall\NISUM.EXE
    C:\WINDOWS\System32\alg.exe
    C:\Archivos de programa\Norton Personal Firewall\ccPxySvc.exe
    C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\ScsiAccess.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\carpserv.exe
    C:\WINDOWS\System32\RunDll32.exe
    C:\Archivos de programa\ScanSoft\OmniPageSE\opware32.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\WINDOWS\mHotKey.exe
    C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
    C:\Archivos de programa\Hispasec\CheckDialer\ChkDial.exe
    C:\Archivos de programa\AnalogX\CookieWall\cookie.exe
    C:\Archivos de programa\Creative\Mouse Optical\mouse_2k.exe
    C:\ARCHIV~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
    C:\Archivos de programa\Kirby Alarm\kirbyalarm.exe
    C:\Archivos de programa\Messenger\msmsgs.exe
    C:\Archivos de programa\Internet Explorer\iexplore.exe
    C:\Archivos de programa\Internet Explorer\iexplore.exe
    C:\Documents and Settings\DAD\Configuración local\Temp\Directorio temporal 15 para hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Archivos de programa\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [Omnipage] C:\Archivos de programa\ScanSoft\OmniPageSE\opware32.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [CHotkey] mHotKey.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Archivos de programa\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [CheckDialer] C:\Archivos de programa\Hispasec\CheckDialer\ChkDial.exe
    O4 - HKLM\..\Run: [CookieWall] C:\Archivos de programa\AnalogX\CookieWall\cookie.exe
    O4 - HKLM\..\Run: [CreativeMouse ] C:\Archivos de programa\Creative\Mouse Optical\mouse_2k.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\ARCHIV~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKCU\..\Run: [DialerSpy] C:\Archivos de programa\DialerSpy\dspy.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [Eraser] C:\Archivos de programa\Eraser\eraser.exe -hide
    O4 - Global Startup: Kirby Alarm.lnk = C:\Archivos de programa\Kirby Alarm\kirbyalarm.exe
    O9 - Extra button: TREND MICRO HouseCall (HKLM)
    O9 - Extra button: Coches (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .mov: C:\Archivos de programa\Internet Explorer\PLUGINS\npqtplugin.dll
    O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
    O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} -
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37953.16875
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{58813F6D-B90C-4C77-8F81-426E4901B2DD}: NameServer = 213.0.184.85 213.0.184.88
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi lovelyperson,

    Normally that entry looks like this:
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

    (You can google for the CLSID as well. ;) )

    You can fix the items you listed without problems. If you ever need them you will be prompted to install them again.
    Read here how to change your settings so that these ActiveX elements don't sneak in:
    https://www.wilderssecurity.com/showthread.php?t=27971

    Regards,

    Pieter
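
As an added example that is not part of this thread (it is the editor's code, not the poster's and not HijackThis itself), here is a small Python parser for the O16 - DPF lines of a HijackThis log. It answers the question asked above in a more mechanical way than a Google search: it re-joins codebase URLs that were wrapped onto the next line when the log was pasted, flags entries that show no friendly name or no CODEBASE URL (the {9EB320CE-...} case), checks the remaining hosts against a list of vendors, and prints the `reg query` commands for the registry keys Windows uses to record Downloaded Program Files (HKCR\CLSID for the name and DLL, and HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units for the download URL and installed files). The trusted-host list is an assumption taken from the vendors visible in this log, the function names are the editor's own, and the sample log lines are copied from the thread.

```python
"""Parse HijackThis O16 (Downloaded Program Files) lines and flag the entries
that cannot be identified from the log alone.  Added example, not HijackThis code."""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence
from urllib.parse import urlparse

# Constructed sample: lines copied from the thread above, including the two
# codebase URLs that were wrapped onto a following line when the log was pasted.
SAMPLE_LOG = """\
Logfile of HijackThis v1.97.7
O9 - Extra button: Messenger (HKLM)
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) -

http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -

http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Assumption: vendors whose download hosts appear in this log and are accepted as-is.
TRUSTED_HOSTS = ("macromedia.com", "microsoft.com", "symantec.com",
                 "zonelabs.com", "trendmicro-europe.com")

# "O16 - DPF: {CLSID} (Friendly Name) - http://codebase"; name and URL are optional.
O16_RE = re.compile(
    r"^O16 - DPF: (\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})"
    r"(?: \((.*)\))? -\s*(\S+)?\s*$"
)


@dataclass
class DpfEntry:
    clsid: str
    name: Optional[str]       # None when the log shows no name or "(no name)"
    codebase: Optional[str]   # None when no CODEBASE URL is recorded

    @property
    def host(self) -> Optional[str]:
        return urlparse(self.codebase).hostname if self.codebase else None


def parse_o16(log_text: str) -> List[DpfEntry]:
    """Return every O16 entry, re-attaching a URL that was wrapped onto a later line."""
    lines = log_text.splitlines()
    entries: List[DpfEntry] = []
    i = 0
    while i < len(lines):
        m = O16_RE.match(lines[i].strip())
        i += 1
        if not m:
            continue
        clsid, name, codebase = m.group(1), m.group(2), m.group(3)
        if name and name.lower() == "no name":
            name = None
        if codebase is None:
            # Skip blank lines; if the next non-blank line is a bare URL it is the
            # wrapped codebase for this entry, otherwise the entry really has none.
            j = i
            while j < len(lines) and not lines[j].strip():
                j += 1
            if j < len(lines) and lines[j].strip().lower().startswith("http"):
                codebase = lines[j].strip()
                i = j + 1
        entries.append(DpfEntry(clsid.upper(), name, codebase))
    return entries


def assess(entry: DpfEntry, trusted_hosts: Sequence[str]) -> List[str]:
    """Reasons an entry deserves a closer look; an empty list means nothing stood out."""
    reasons: List[str] = []
    if entry.name is None:
        reasons.append("no friendly name")
    if entry.codebase is None:
        reasons.append("no CODEBASE URL")
    elif entry.host is None or not any(
        entry.host == h or entry.host.endswith("." + h) for h in trusted_hosts
    ):
        reasons.append(f"codebase host {entry.host} not in trusted list")
    return reasons


def lookup_commands(clsid: str) -> List[str]:
    """reg query commands (run on the affected PC) for the keys that identify a DPF control:
    the CLSID key gives the name and DLL; the Code Store Database distribution unit
    holds DownloadInformation\\CODEBASE and the Contains\\Files list."""
    dist = "HKLM\\SOFTWARE\\Microsoft\\Code Store Database\\Distribution Units\\" + clsid
    return ['reg query "HKCR\\CLSID\\' + clsid + '" /s',
            'reg query "' + dist + '" /s']


if __name__ == "__main__":
    for e in parse_o16(SAMPLE_LOG):
        flags = assess(e, TRUSTED_HOSTS)
        print(e.clsid, e.name or "(no name)", e.host or "-", "; ".join(flags) or "ok")
        for cmd in (lookup_commands(e.clsid) if flags else []):
            print("    ", cmd)
```

Run against the sample, the {9EB320CE-...} entry is the only one reported with both "no friendly name" and "no CODEBASE URL"; the other three resolve to download.zonelabs.com, de.trendmicro-europe.com and download.macromedia.com. A CLSID with no name and no codebase means the Code Store Database entry is present but incomplete, so the `reg query` output (in particular Contains\Files and the InprocServer32 path under HKCR\CLSID) is the place to find which DLL it actually points at before deciding to fix it.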
     
  3. lovelyperson

    lovelyperson Registered Member

    Joined:
    Mar 30, 2004
    Posts:
    8
    :) Pieter_Arntz,

    Thanks for your reply.

    I am pleased to say I always keep my Internet settings as described in your suggested 'read' guide, only changing them when I actually need to make a download of a new program etc.

    When I am informed on-screen that my settings don't allow me to download, I alter TWO settings to agree to the download and continue, resetting them to refusal status afterwards. It looks like I only need to 'activate' the 'Download of Archives' command and not both as I was doing.

    Again thank you for your help and best wishes for the remainder of 2004.

    Cheers ;) lovelyperson
     