Please help with Log File

Discussion in 'adware, spyware & hijack cleaning' started by otto, Jun 17, 2004.

Thread Status:
Not open for further replies.
  1. otto

    otto, Registered Member (Joined: Jun 17, 2004; Posts: 3)

    I am running Windows 2000 and IE 5. I started having a number of problems with popups, more specifically with the Lycos search engine, second thought, and others. I have managed to fix a number of problems with the most recent versions and updates of SpyBot and Adware thanks to information in this forum. I am still having popup problems and am looking for some help with my HiJack log file (see below). Thanks for your help.


    Logfile of HijackThis v1.97.7
    Scan saved at 1:14:43 PM, on 6/17/2004
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 (5.00.2920.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\mgabg.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\ups.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\PDesk\PDesk.exe
    D:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    D:\Program Files\Winamp\Winampa.exe
    C:\WINNT\System32\usiqaa.exe
    D:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe
    C:\WINNT\System32\bqos2.exe
    D:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
    D:\Program Files\QBOOKSW\Components\QBAgent\qbdagent2002.exe
    C:\Program Files\Palm\HOTSYNC.EXE
    C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\hijack\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINNT\mxTarget.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk\PDesk.exe /Autolaunch
    O4 - HKLM\..\Run: [Alogserv] D:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [PFO Check Settings] pfochk.exe
    O4 - HKLM\..\Run: [PMedia] C:\PROGRA~1\COMMON~1\Media\winsrvc.exe
    O4 - HKLM\..\Run: [Olive System] C:\WINNT\System32\szchost.exe
    O4 - HKLM\..\Run: [buzcjo] C:\WINNT\System32\usiqaa.exe
    O4 - HKLM\..\Run: [bqos2.exe] C:\WINNT\System32\bqos2.exe
    O4 - HKLM\..\Run: [CreateCD] D:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe -r
    O4 - HKCU\..\Run: [forcoedos.exe] C:\WINNT\System32\forcoedos.exe
    O4 - HKCU\..\Run: [bqos2.exe] C:\WINNT\System32\bqos2.exe
    O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = D:\Program Files\QBOOKSW\Components\QBAgent\qbdagent2002.exe
    O8 - Extra context menu item: SirSearch - file://C:\Program Files\PWRSTRAF\Cache\SelectedContextSearch.htm
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3F5DA8D6-76D1-4094-9912-7E6B06F6D581}: NameServer = 209.166.65.1,209.166.64.3
    O17 - HKLM\System\CS1\Services\Tcpip\..\{3F5DA8D6-76D1-4094-9912-7E6B06F6D581}: NameServer = 209.166.65.1,209.166.64.3
    O17 - HKLM\System\CS2\Services\Tcpip\..\{3F5DA8D6-76D1-4094-9912-7E6B06F6D581}: NameServer = 209.166.65.1,209.166.64.3
     
  2. Taz71498

    Taz71498, Registered Member (Joined: May 27, 2004; Posts: 674; Location: USA)

    Hello otto,

    Run HijackThis again with all browsers closed, check these items, and then click on Fix:

    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll

    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINNT\mxTarget.dll

    O4 - HKLM\..\Run: [PMedia] C:\PROGRA~1\COMMON~1\Media\winsrvc.exe
    O4 - HKLM\..\Run: [Olive System] C:\WINNT\System32\szchost.exe
    O4 - HKLM\..\Run: [buzcjo] C:\WINNT\System32\usiqaa.exe
    O4 - HKLM\..\Run: [bqos2.exe] C:\WINNT\System32\bqos2.exe

    Reboot the computer into safe mode

    Make sure you can view all hidden files and folders

    Find and delete these files/folders:

    C:\PROGRA~1\COMMON~1\Media
    C:\WINNT\System32\szchost.exe
    C:\WINNT\System32\usiqaa.exe
    C:\WINNT\System32\bqos2.exe

    Reboot.

    Run an online virus scan here: (check the autofix box also)

    http://housecall.trendmicro.com/

    Let me know the results. One of the things in your log suggested you had a trojan. I just want to make sure there is nothing else in your computer virus related.

    Run Hijackthis again and post a new log here.
     
  3. otto

    Thanks for the help. I did as you suggested and the new log file is below. I was unable to find the szchost.exe but was able to delete everything else. Do I need to do anything else? Thanks again!

    Logfile of HijackThis v1.97.7
    Scan saved at 3:18:56 PM, on 6/23/2004
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 (5.00.2920.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\mgabg.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\ups.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\PDesk\PDesk.exe
    D:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    D:\Program Files\Winamp\Winampa.exe
    D:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe
    D:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
    D:\Program Files\QBOOKSW\Components\QBAgent\qbdagent2002.exe
    C:\Program Files\Palm\HOTSYNC.EXE
    C:\hijack\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk\PDesk.exe /Autolaunch
    O4 - HKLM\..\Run: [Alogserv] D:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [PFO Check Settings] pfochk.exe
    O4 - HKLM\..\Run: [CreateCD] D:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe -r
    O4 - HKCU\..\Run: [forcoedos.exe] C:\WINNT\System32\forcoedos.exe
    O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = D:\Program Files\QBOOKSW\Components\QBAgent\qbdagent2002.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3F5DA8D6-76D1-4094-9912-7E6B06F6D581}: NameServer = 209.166.65.1,209.166.64.3
    O17 - HKLM\System\CS1\Services\Tcpip\..\{3F5DA8D6-76D1-4094-9912-7E6B06F6D581}: NameServer = 209.166.65.1,209.166.64.3
    O17 - HKLM\System\CS2\Services\Tcpip\..\{3F5DA8D6-76D1-4094-9912-7E6B06F6D581}: NameServer = 209.166.65.1,209.166.64.3
     
  4. Taz71498

    Hello,

    Yes, there is a little more to do.

    Run HijackThis again with all browsers closed, check these items, and then click on Fix:

    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
    O4 - HKCU\..\Run: [forcoedos.exe] C:\WINNT\System32\forcoedos.exe
    O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe

    Reboot back into safe mode and look for these files and delete:

    C:\WINNT\System32\forcoedos.exe
    C:\Program Files\TV Media   <-- this is a folder

    Reboot and post a new log again.
     
  5. otto

    I did as you suggested and here is the new log file. Do I get a clean bill of health now?


    Logfile of HijackThis v1.97.7
    Scan saved at 1:35:56 PM, on 6/24/2004
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 (5.00.2920.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\mgabg.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\ups.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\PDesk\PDesk.exe
    D:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    D:\Program Files\Winamp\Winampa.exe
    D:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe
    D:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
    D:\Program Files\QBOOKSW\Components\QBAgent\qbdagent2002.exe
    C:\Program Files\Palm\HOTSYNC.EXE
    C:\hijack\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll (file missing)
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk\PDesk.exe /Autolaunch
    O4 - HKLM\..\Run: [Alogserv] D:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [PFO Check Settings] pfochk.exe
    O4 - HKLM\..\Run: [CreateCD] D:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe -r
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = D:\Program Files\QBOOKSW\Components\QBAgent\qbdagent2002.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3F5DA8D6-76D1-4094-9912-7E6B06F6D581}: NameServer = 209.166.65.1,209.166.64.3
    O17 - HKLM\System\CS1\Services\Tcpip\..\{3F5DA8D6-76D1-4094-9912-7E6B06F6D581}: NameServer = 209.166.65.1,209.166.64.3
    O17 - HKLM\System\CS2\Services\Tcpip\..\{3F5DA8D6-76D1-4094-9912-7E6B06F6D581}: NameServer = 209.166.65.1,209.166.64.3
     
  6. Taz71498

    Hello,

    One more clean up and then you should be good.

    Run HJT again and check this one and Fix:

    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll (file missing)

    Reboot.

    Here is a link for you to go to that will give you suggestions on how to keep your computer safe:
    https://www.wilderssecurity.com/showthread.php?t=27971

    Happy Surfing!
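
Added example, not part of the original thread and not HijackThis code: a small Python check that compares a fix list with the follow-up scan, as the logs in this thread are compared by eye. The function names are hypothetical; the sample lines are excerpted from the second fix list and the 6/24 log above.

```python
import re

# A HijackThis item line is "<section code> - <details>", e.g. "O4 - HKLM\..\Run: ...".
ITEM_RE = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+?)\s*$")
ORPHAN = " (file missing)"  # suffix seen in the 6/24 log once the DLL was deleted

def parse_items(log_text):
    """Map each item line (case-folded, suffix stripped) to True if orphaned."""
    items = {}
    for line in log_text.splitlines():
        m = ITEM_RE.match(line)
        if not m:
            continue  # header, blank line, or a running-process path
        entry = f"{m.group(1)} - {m.group(2)}"
        orphaned = entry.endswith(ORPHAN)
        if orphaned:
            entry = entry[: -len(ORPHAN)]
        items[entry.casefold()] = orphaned
    return items

def verify_cleanup(after_log, flagged_lines):
    """Classify each flagged entry against the follow-up scan."""
    after = parse_items(after_log)
    report = {}
    for entry in parse_items(flagged_lines):
        if entry not in after:
            report[entry] = "removed"
        else:  # orphaned: file deleted but the registry value is still there
            report[entry] = "orphaned" if after[entry] else "present"
    return report

# Excerpts from this thread: the second fix list and the 6/24 follow-up log.
FLAGGED = r"""
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O4 - HKCU\..\Run: [forcoedos.exe] C:\WINNT\System32\forcoedos.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
"""
AFTER = r"""
C:\WINNT\Explorer.EXE
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
"""

if __name__ == "__main__":
    for entry, status in verify_cleanup(AFTER, FLAGGED).items():
        print(f"{status:9} {entry}")
```

An "orphaned" result corresponds to the last step in the thread: the file is gone, but the registry entry still has to be fixed in HijackThis.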
     