(pgm) No specific problem, just trying to keep the puter clean

Discussion in 'adware, spyware & hijack cleaning' started by pgm, Apr 27, 2004.

Thread Status:
Not open for further replies.
  1. pgm

    pgm Registered Member

    Joined:
    Apr 27, 2004
    Posts:
    9
    Here is the log file.
    No specific problem, just trying to stay ahead in the spyware battle.
    Please review.
    Thanks.


    Logfile of HijackThis v1.97.7
    Scan saved at 11:36:38 PM, on 4/27/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\NavNT\vptray.exe
    C:\WINDOWS\System32\atiptaxx.exe
    C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
    C:\WINDOWS\System32\pctspk.exe
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\System32\MsgSys.EXE
    C:\Program Files\Yahoo!\Messenger\YPager.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\laptopowner\Desktop\HijackThis.exe
    C:\Documents and Settings\laptopowner\Desktop\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.lib.unc.edu/htbin/config
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\laptopowner\Application Data\Mozilla\Profiles\default\0bgwo8zp.slt\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Canasta - http://download.games.yahoo.com/games/clients/y/yt1_x.cab
    O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt1_x.cab
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
    O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/02030106/cccabs/CleverContent.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {310BD666-1EA3-4453-AF49-7C65D107030A} (mw4_baseCtl Class) - https://mail.kenan-flagler.unc.edu/exchweb/cabs/usa/mw4_base.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/268ada55c0b0197f4915/netzip/RdxIE2.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/mail/autocomplete.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{127A5CB1-D3BE-4A9E-B563-73C8E8F53235}: Domain = kenan-flagler.unc.edu
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2AC36AE9-7D4B-4D8F-A196-624D6EBD51F3}: Domain = kenan-flagler.unc.edu
    O17 - HKLM\System\CS1\Services\Tcpip\..\{127A5CB1-D3BE-4A9E-B563-73C8E8F53235}: Domain = kenan-flagler.unc.edu
    O17 - HKLM\System\CS2\Services\Tcpip\..\{127A5CB1-D3BE-4A9E-B563-73C8E8F53235}: Domain = kenan-flagler.unc.edu
    O17 - HKLM\System\CS3\Services\Tcpip\..\{127A5CB1-D3BE-4A9E-B563-73C8E8F53235}: Domain = kenan-flagler.unc.edu
     
  2. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
  3. pgm

    pgm Registered Member

    Joined:
    Apr 27, 2004
    Posts:
    9
    Thanks UNZY,

    I was also wondering about this one:

    O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/0203...everContent.cab

    I don't know what it is and CleverContent sounds spamy to me (but perhaps I'm just paranoid and it's legit)

    Also FYI I don't think I said, I'm running WinXP Professional, and have run the latest versions of Spyware Blaster and Spybot.

    Thanks much.
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi pgm,

    Any O16 item you don't recognize or use any more can be fixed without ill side-effects.
    As soon as you need them they will be put back or you will be prompted to accept, depending on your settings for that site.
    Read this topic and yo may find some tricks to stay clean, you didn't know yet:
    https://www.wilderssecurity.com/showthread.php?t=27971

    Regards,

    Pieter
     
  5. pgm

    pgm Registered Member

    Joined:
    Apr 27, 2004
    Posts:
    9
    Thanks I read the other post and made several updates. You all are awesome! :D
     
Thread Status:
Not open for further replies.