Logfile help (merged)

Discussion in 'adware, spyware & hijack cleaning' started by evolution1, Jun 27, 2004.

Thread Status:
Not open for further replies.
  1. evolution1

    evolution1 Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    3
    Logfile help

    Hi guys. Big thanks for the help. I ran SpyBot, and then here's the logfile:

    Logfile of HijackThis v1.97.7
    Scan saved at 7:25:27 PM, on 27/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\nbntyz.exe
    C:\Program Files\3M\PSNLite\PsnLite.exe
    C:\Program Files\AzureBay\New York Screen Saver\WPChanger.exe
    C:\Program Files\Palm\HOTSYNC.EXE
    C:\PROGRA~1\3M\PSNLite\PSNGive.exe
    C:\Program Files\AOL 7.0\waol.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.utoronto.ca/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
    O4 - HKLM\..\Run: [jwwdmspevdfpg] C:\WINDOWS\System32\nbntyz.exe
    O4 - HKLM\..\Run: [inapkrct] C:\WINDOWS\inapkrct.exe
    O4 - HKCU\..\Run: [AIM] C:\AOL Instant Messenger\aim.exe -cnetwait.odl
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
    O4 - Global Startup: WPChanger.lnk = C:\Program Files\AzureBay\New York Screen Saver\WPChanger.exe
    O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
    O9 - Extra button: AOL Instant Messenger (TM) (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{37DD67AE-31D4-4DA0-8343-853AD4AA9ADA}: NameServer = 205.188.146.146
    O17 - HKLM\System\CS1\Services\Tcpip\..\{37DD67AE-31D4-4DA0-8343-853AD4AA9ADA}: NameServer = 205.188.146.146
     
  2. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Re: Logfile help

    HI evolution1

    Download cwshredder here Close all browser windows and click on the fix/next button.

    Unfortunately ONLY running SpybotS&D is not enough.

    Download Ad-aware from here: http://www.computercops.biz/downloads-file-292.html
    Install by double-clicking on the downloaded file.
    After installing but before running, update Ad-aware by using its Globe icon.
    After updating, shutdown and restart Ad-aware.
    Ad-aware is ready to scan and clean your system following these steps:

    Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
    "Unload recognized processes during scanning."
    Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
    "Let Windows remove files in use after reboot."
    Press "Scan Now"
    Check option "Use Custom scanning options"
    Check option "Activate In-Depth Scan"
    Press "Select drives\folders to scan"
    Select the active partition which is usually C:
    Press "Next" to let Ad-aware scan your drives...
    If it finds "bad" files and registry keys, press "Next" again
    Right-click in that pane and choose "select all"
    Press "next"
    When it asks to remove all checked items, Press "OK"
    Close Ad-aware, reboot your system .

    Empty your Temporary Internet Files and history in Internet Options. And clean out your
    %Userprofile%\Local Settings\Temp
    folder. It's a good idea to do that regularly.

    Run HJT again and pls. post a FRESH log. Thanks.
     
  3. evolution1

    evolution1 Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    3
    Logfile help, pt. 2

    evolution1 - I have merged your most recent log into this thread. Please keep all posts/replies to this current thread by hitting the Post Reply button. Thank you - snap


    Here's my HijackThis logfile. I ran Spybot, CWShredder, and Ad-Aware. Can anyone briefly tell me as well what each of these programs do, and why running only SpyBot, let's say, will not do the trick. As well, after running three different programs, why do I still have to post a logfile? Last thing: am I supposed to leave quarantined Ad-Aware items in quarantine or can I delete them? Thanks a lot!

    Logfile of HijackThis v1.97.7
    Scan saved at 11:29:38 AM, on 29/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\WINDOWS\System32\nbntyz.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\AzureBay\New York Screen Saver\WPChanger.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.utoronto.ca/
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [jwwdmspevdfpg] C:\WINDOWS\System32\nbntyz.exe
    O4 - HKLM\..\Run: [inapkrct] C:\WINDOWS\inapkrct.exe
    O4 - HKCU\..\Run: [AIM] C:\AOL Instant Messenger\aim.exe -cnetwait.odl
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
    O4 - Global Startup: WPChanger.lnk = C:\Program Files\AzureBay\New York Screen Saver\WPChanger.exe
    O9 - Extra button: AOL Instant Messenger (TM) (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
    Last edited by a moderator: Jun 29, 2004
  4. evolution1

    evolution1 Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    3
    Just bumping...
     
  5. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Hi evolution1

    As well, after running three different programs, why do I still have to post a logfile? Last thing: am I supposed to leave quarantined Ad-Aware items in quarantine or can I delete them?

    Why?? Because your computer is NOT clean yet.

    You should leave the quarantined items in Ad aware till you are SURE - everything is running fine -

    Check the following items in HIjackThis - close ALL windows\browsers except Hijackthis and click "Fix checked":

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime <-----optional

    O4 - HKLM\..\Run: [jwwdmspevdfpg] C:\WINDOWS\System32\nbntyz.exe

    O4 - HKLM\..\Run: [inapkrct] C:\WINDOWS\inapkrct.exe

    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE <-----optional


    NOTE....even in safe mode you may have to open taskmanager and end task on some of them before you can delete them.

    Make sure you can view hidden and system files: Instructions here

    Then Boot to safe mode: Instructions here

    Delete the following files IF still present:

    C:\WINDOWS\System32\nbntyz.exe
    C:\WINDOWS\inapkrct.exe

    Empty your Temporary Internet Files and history in Internet Options. And clean out your
    %Userprofile%\Local Settings\Temp
    folder.

    Then Disable system restore: Instructions here
    Reboot

    Enable System Restore.

    Pls. post another log. < ONLY to see IF the baddies are gone.
     
Thread Status:
Not open for further replies.