New logfile to examine....

Discussion in 'adware, spyware & hijack cleaning' started by Fraha, Jan 8, 2004.

Thread Status:
Not open for further replies.
  1. Fraha

    Fraha Registered Member

    Joined:
    Feb 3, 2003
    Posts:
    189
    Location:
    The Hague - Netherlands
    Hi all,

    Can anybody have a look at this for a colleague of mine?
    His XP computers is very slow since 2 months now he told me.
    Winupdate completed yesterday now the cleaning round!

    Here's the log:

    Logfile of HijackThis v1.97.7
    Scan saved at 20:12:04, on 6-1-2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norman\NPF\NPFSVICE.EXE
    C:\Norman\NVC\BIN\Zanda.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
    C:\NORMAN\Nvc\BIN\nipsvc.exe
    C:\NORMAN\Nvc\BIN\NJEEVES.EXE
    C:\NORMAN\Nvc\BIN\nvcoas.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\Anvshell.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\NORMAN\Nvc\BIN\ZLH.EXE
    C:\Program Files\Common Files\CMEII\CMESys.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\NORMAN\Nvc\BIN\NYMSE.EXE
    C:\NORMAN\Nvc\BIN\NIP.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\PROGRA~1\SYSTEM~1\soap.exe
    C:\Program Files\Common Files\GMT\GMT.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\NORMAN\Nvc\BIN\cclaw.exe
    C:\Program Files\Norman\NPF\NPFMSG.EXE
    C:\Program Files\DV Series\Console\Watch.exe
    C:\Program Files\iMesh\Client\iMeshClient.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Gebruiker\Local Settings\Temporary Internet Files\Content.IE5\CB6ZVYDB\hijackthis[2]\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.the-exit.com/search
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.the-exit.com/search
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www/the-exit.com/search
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.the-exit.com/search
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.the-exit.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.the-exit.com/search
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.the-exit.com/search
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.the-exit.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.the-exit.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.the-exit.com/search
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.the-exit.com/search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.the-exit.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.the-exit.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.the-exit.com/search
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Httper - {A5483501-070C-41DD-AF44-9BD8864B3015} - C:\Program Files\Httper\httper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Zipclix - {319A68DB-06D0-46DA-9F93-A810D5A70836} - C:\Program Files\Zipclix\zipclix.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Anvshell] C:\WINDOWS\Anvshell.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
    O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [KAZAA] C:\Program Files\KaZaA Lite\Kazaa.exe /SYSTRAY
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [System Soap Pro] C:\PROGRA~1\SYSTEM~1\soap.exe min
    O4 - Startup: iMesh.lnk = C:\Program Files\iMesh\Client\iMeshClient.exe
    O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: NPF Messenger.lnk = ?
    O4 - Global Startup: Watch.lnk = C:\Program Files\DV Series\Console\Watch.exe
    O8 - Extra context menu item: >>> FREE PORN GALLERIES <<< - javascript:{document.location='http://sexmaxx.com/freegalleries.htm';}
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
    O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://download-ak.systemsoap.com/ssoap/pptproactauthakamai/systemsoappro.cab
    O16 - DPF: {6211AC26-A1B4-422A-AC52-1E70B7D24465} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/nl/filesharingctrl.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37931.5191666667
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{10B5A3BD-953A-4001-9BC0-D701766A2E2B}: NameServer = 194.134.5.5 194.134.5.55
    O17 - HKLM\System\CS1\Services\Tcpip\..\{10B5A3BD-953A-4001-9BC0-D701766A2E2B}: NameServer = 194.134.5.5 194.134.5.55

    Thanx again!

    Frans
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,435
    Location:
    Netherlands
    Hi Fraha,

    Please unzip HjiackThis to a separate folder, since it will not be able to make backups now.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.the-exit.com/search
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.the-exit.com/search
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www/the-exit.com/search
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.the-exit.com/search
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.the-exit.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.the-exit.com/search
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.the-exit.com/search
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.the-exit.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.the-exit.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.the-exit.com/search
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.the-exit.com/search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.the-exit.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.the-exit.com

    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.the-exit.com/search

    O2 - BHO: Httper - {A5483501-070C-41DD-AF44-9BD8864B3015} - C:\Program Files\Httper\httper.dll

    O3 - Toolbar: Zipclix - {319A68DB-06D0-46DA-9F93-A810D5A70836} - C:\Program Files\Zipclix\zipclix.dll

    O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"

    O4 - HKLM\..\Run: [KAZAA] C:\Program Files\KaZaA Lite\Kazaa.exe /SYSTRAY

    O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe

    O8 - Extra context menu item: >>> FREE PORN GALLERIES <<< - javascript:{document.location='http://sexmaxx.com/freegalleries.htm';}

    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
    O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://download-ak.systemsoap.com/ssoap/pptproactauthakamai/systemsoappro.cab

    Then reboot and delete:
    C:\Program Files\Httper <= entire folder
    C:\Program Files\Zipclix <= entire folder
    C:\Program Files\Common Files\CMEII <= entire folder
    C:\Program Files\Common Files\GMT <= entire folder

    Optionally also remove SystemSoap from Add/Remove Software. It does not look like it was installed by the user willingly.

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.