Please check this HT Log (one embedded; one uploaded)

Discussion in 'adware, spyware & hijack cleaning' started by TCat, Jun 9, 2004.

Thread Status:
Not open for further replies.
  1. TCat

    TCat Registered Member

    Joined:
    Jan 10, 2004
    Posts:
    8
    Attention Please:

    At startup, this log is in effect:

    Logfile of HijackThis v1.97.7
    Scan saved at 12:41:31 PM, on 6/9/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Dell\OpenManage\Client\Iap.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\NALNTSRV.EXE
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\System32\wm.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\WINDOWS\System32\dpmw32.exe
    C:\WINDOWS\System32\NWTRAY.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    D:\Downloads\Popup Killers\another ie popup killer 2.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\xnxoquky.exe
    C:\PROGRA~1\SLOWLE~1\DefaultBias.exe
    C:\Program Files\Internet Optimizer\optimize.exe
    C:\docume~1\tcoulter\locals~1\temp\msbb.exe
    C:\WINDOWS\nwtybkd.exe
    C:\Program Files\Internet Optimizer\actalert.exe
    C:\Program Files\WindowsSA\omniscient.exe
    C:\Program Files\ClearSearch\Loader.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    D:\Downloads\SpyWare\Hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=ftpproxy.epa.gov:8080
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
    O1 - Hosts: 134.67.204.21 rtprrms.rtp.epa.gov rtprrms
    O1 - Hosts: 134.67.204.30 rtprrms2.rtp.epa.gov rtprrms2
    O1 - Hosts: 134.67.204.19 rtpmic.rtp.epa.gov rtpmic
    O1 - Hosts: 134.67.204.12 rtoaqps2.rtp.epa.gov rtoaqps2
    O1 - Hosts: 134.67.205.29 rtpoaqps.rtp.epa.gov rtpoaqps
    O1 - Hosts: 134.67.204.48 muarc1.rtp.epa.gov muarc1
    O1 - Hosts: 134.67.206.30 rtpemad.rtp.epa.gov rtpemad
    O1 - Hosts: 134.67.206.27 rtpemad2.rtp.epa.gov rtpemad2
    O1 - Hosts: 134.67.213.28 rtp-vabs.rtp.epa.gov rtp-vabs
    O1 - Hosts: 134.67.204.46 rtairmail1.rtp.epa.gov rtairmail1
    O1 - Hosts: 134.67.204.47 rtairmail2.rtp.epa.gov rtairmail2
    O1 - Hosts: 134.67.204.11 rtairmail3.rtp.epa.gov rtairmail3
    O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL
    O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch1400.dll
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
    O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem218.dll
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\Downloaded Program Files\bridge.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: (no name) - {C2C7CC26-F9FD-926C-916C-C7A4343D60F1} - C:\PROGRA~1\CASTEL~1\about save.dll
    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem218.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Corn chin - {7E106A43-2706-4608-D775-167487F624D6} - C:\PROGRA~1\CASTEL~1\about save.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [aiepk] D:\Downloads\Popup Killers\another ie popup killer 2.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
    O4 - HKLM\..\Run: [fqyxyqfyp] C:\WINDOWS\System32\xnxoquky.exe
    O4 - HKLM\..\Run: [plus pop] C:\PROGRA~1\SLOWLE~1\DefaultBias.exe
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [msbb] c:\docume~1\tcoulter\locals~1\temp\msbb.exe
    O4 - HKLM\..\Run: [nwtybkd] C:\WINDOWS\nwtybkd.exe
    O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
    O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Sidesearch (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O15 - Trusted Zone: http://www.ibm.com
    O15 - Trusted Zone: http://www.lotus.com
    O15 - Trusted Zone: http://www.novell.com
    O15 - Trusted Zone: http://www.oracle.com
    O15 - Trusted Zone: http://www.symantec.com
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/22b57c37f6bdf37e5020/netzip/RdxIE601.cab
    O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://static.flingstone.com/cab/2000XP/ClickYesToContinue/bridge.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38016.4341898148
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    ***************************
    ***************************
    However, checking IE6 properties, it shows this as Homepage URL:
    http://amazingautossearch.com/passthrough/index.html?http://about:blank

    I change my home page to RefDesk.com, launch IE6, and it loads the right Home Page.

    I scan with HijackThis and get this log (HijackThis after load IE6).
    (Please See attached file: hijackthis after load IE6.log, uploaded)

    I KILL these (6) obvious ones:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://amazingautossearch.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://amazingautossearch.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = amazingautossearch.com

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://amazingautossearch.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://amazingautossearch.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://amazingautossearch.com/searchbar.html

    and it still loads AmazingAutoSearch.com as Home Page!! Which additional ones should be removed?

    What, pray tell, can I do now?

    Thanks,
    Tommy
     


  2. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi,

    Also fix these items.
    Close all browser windows before clicking Fix


    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,

    O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL
    O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch1400.dll
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll

    O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
    O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem218.dll
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\Downloaded Program Files\bridge.dll

    O2 - BHO: (no name) - {C2C7CC26-F9FD-926C-916C-C7A4343D60F1} - C:\PROGRA~1\CASTEL~1\about save.dll
    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem218.dll

    O3 - Toolbar: Corn chin - {7E106A43-2706-4608-D775-167487F624D6} - C:\PROGRA~1\CASTEL~1\about save.dll

    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
    O4 - HKLM\..\Run: [fqyxyqfyp] C:\WINDOWS\System32\xnxoquky.exe

    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [msbb] c:\docume~1\tcoulter\locals~1\temp\msbb.exe
    O4 - HKLM\..\Run: [nwtybkd] C:\WINDOWS\nwtybkd.exe
    O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
    O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe

    O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://static.flingstone.com/cab/20...inue/bridge.cab

    If you can, please send these files to submit@diamondcs.com.au

    C:\Program Files\ClearSearch\Loader.exe
    C:\Program Files\ClearSearch\CSIE.DLL
    C:\Program Files\Lycos\Sidesearch\sidesearch1400.dll
    C:\WINDOWS\mxTarget.dll
    C:\WINDOWS\2_0_1browserhelper2.dll
    C:\WINDOWS\wsem218.dll
    C:\WINDOWS\Downloaded Program Files\bridge.dll
    C:\PROGRA~1\CASTEL~1\about save.dll
    C:\WINDOWS\nem218.dll
    C:\PROGRA~1\CASTEL~1\about save.dll
    C:\WINDOWS\System32\xnxoquky.exe
    C:\Program Files\Internet Optimizer\optimize.exe
    c:\docume~1\tcoulter\locals~1\temp\msbb.exe
    C:\WINDOWS\nwtybkd.exe
     
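    A small triage pass over lines in the HijackThis log format, written as an added example for this thread (it is not code from the thread or from DiamondCS). It encodes the kinds of entries Gavin singled out: a Winlogon UserInit that is not the stock binary, a "(no file)" orphan, a BHO dropped straight into C:\WINDOWS, and autostarts running out of a temp or Downloaded Program Files folder. The sample lines are taken from the first log above; the rules and the stock UserInit value are assumptions about a default Windows XP install.

```python
import re

# Constructed sample: a few entries copied from the HijackThis log posted in
# this thread, mixed with two legitimate ones (Adobe BHO, Symantec vptray).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [msbb] c:\docume~1\tcoulter\locals~1\temp\msbb.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
"""

# Assumed stock Winlogon UserInit on Windows XP; anything else is worth a look.
DEFAULT_USERINIT = re.compile(r"^(c:\\windows|%windir%)\\system32\\userinit\.exe,?$", re.I)
# Folders a legitimate autostart should not be launching from.
SUSPECT_DIRS = re.compile(r"\\(temp|downloaded program files)\\", re.I)
# A DLL placed directly in the Windows directory rather than under Program Files.
WINDOWS_ROOT_DLL = re.compile(r"^c:\\windows\\[^\\]+\.dll$", re.I)


def triage(log_text):
    """Return (line, reason) pairs for log entries that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        kind = line.split(" - ", 1)[0]          # "F2", "R3", "O2", "O4", ...
        if "(no file)" in line:
            findings.append((line, "orphaned registry entry: referenced file is gone"))
        elif kind == "F2" and "UserInit=" in line:
            value = line.split("UserInit=", 1)[1].strip()
            if not DEFAULT_USERINIT.match(value):
                findings.append((line, "Winlogon UserInit replaced by " + value))
        elif kind == "O2":
            dll_path = line.rsplit(" - ", 1)[1]  # last field of an O2 line is the DLL
            if WINDOWS_ROOT_DLL.match(dll_path):
                findings.append((line, "BHO loaded from the Windows root directory"))
        elif kind == "O4" and SUSPECT_DIRS.search(line):
            findings.append((line, "autostart from a temp or download-cache folder"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(reason + ":\n    " + entry)
```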
  3. TCat

    TCat Registered Member

    Joined:
    Jan 10, 2004
    Posts:
    8
    Re: Please check this HT Log (uploaded)

    Thanks Gavin. I sent you a message to Submit@diamondcs.com.au with some of the files you requested, as well as some other info.

    The AmazingAutoSearch hijack continues, but it's (the log list) getting a bit cleaner. I'm attaching the latest, after attempting your solution.

    Thanks.
     