Please help with log

Discussion in 'adware, spyware & hijack cleaning' started by rrrel, May 23, 2004.

Thread Status:
Not open for further replies.
  1. rrrel (Registered Member, joined Mar 7, 2004, 10 posts)

    I've posted my log before with some luck, thanks. OK, my issue now is that I keep getting new browser windows opened up to a Casino Plazzio page. I've run Spybot, Ad-Aware and CWShredder. (CW says I have a trojan in the Windows Media Player main executable file; it has deleted the file and I need to reinstall Media Player to fix the problem. Could this be my popup problem? Media Player seems to still work fine.) These programs say they got rid of some infections, but my popups persist.

    I just ran all 3 programs again and then rebooted. After the reboot I ran HijackThis. Any ideas you have would be a big help. Thanks

    rrrel


    Log is as follows:

    Logfile of HijackThis v1.97.7
    Scan saved at 4:44:56 AM, on 5/23/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\termsrv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\msdtc.exe
    C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\WINNT\system32\Dfssvc.exe
    C:\WINNT\System32\tcpsvcs.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\ismserv.exe
    C:\WINNT\System32\llssrv.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINNT\system32\ntfrs.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\System32\locator.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\snmp.exe
    C:\WINNT\System32\lserver.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\dns.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\AIM95\aim.exe
    C:\WINNT\system32\wuauclt.exe
    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\WINNT\msopt.dll
    O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINNT\System32\StopzillaBHO.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\Stopzilla.exe /autorun
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [sysdll32.dll] C:\WINNT\system\sysdll32.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINNT\system32\bridge.dll",Load
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: ConferenceRoom Java Client - http://irc.chaosunlimited.com:8000/java/cr.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
    O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.refurbdepot.com/CFIDE/classes/CFJava.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdq/downloads/sysinfo.cab
    O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdq/downloads/msxml4.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7600.6246412037
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = etotm.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = etotm.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = etotm.com
    O19 - User stylesheet: C:\WINNT\winstyle.css
     
  2. Unzy (Registered Member, Belgium, joined Nov 2, 2003, 1,098 posts)

    Hi rrrel,

    Have only HijackThis running and fix:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\WINNT\msopt.dll

    O4 - HKLM\..\Run: [sysdll32.dll] C:\WINNT\system\sysdll32.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINNT\system32\bridge.dll",Load

    O19 - User stylesheet: C:\WINNT\winstyle.css

    Restart PC after doing so and remove (if still present):

    C:\WINNT\system\sysdll32.exe <- this file
    C:\WINNT\system32\bridge.dll <- this file
    C:\WINNT\winstyle.css <- this file

    Clean temp internet files

    Hope this helps

    Cheers,
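Verifying that a fix of this kind actually took (fixed entries gone from a fresh scan, and the files they pointed at gone from disk) is easier with a small parser for HijackThis log lines. The Python below is an added example, not code from this thread or from HijackThis itself: the entry-line shape, the file extensions it recognises and the choice of O2/O4/O19 as the sections carrying file paths are assumptions, and the log excerpts are constructed from the log and the fix list posted above.

```python
import re
from dataclasses import dataclass

# HijackThis entry lines look like "O4 - HKLM\..\Run: [name] path" (section code,
# " - ", body). Section codes R0-R3, F0-F3, N1-N4 and O1-O24 all fit this shape (assumed).
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")

# First Windows path in a body, cut at the file extension so trailing arguments
# such as " /autorun" or ',Load' are dropped. The extension list is an assumption.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:exe|dll|ocx|css|cab)', re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    code: str  # HijackThis section code, e.g. "O4"
    body: str  # everything after "O4 - "


def parse_log(text):
    """Return the HijackThis entries in a log; header and process-list lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def file_paths(entries, codes=("O2", "O4", "O19")):
    """File paths referenced by BHO (O2), Run (O4) and user-stylesheet (O19) entries,
    i.e. the files to check on disk after the registry entries have been fixed."""
    paths = []
    for e in entries:
        if e.code in codes:
            m = PATH_RE.search(e.body)
            if m:
                paths.append(m.group(0))
    return paths


def unresolved(fix_list_text, after_log_text):
    """Entries from a helper's fix list that still appear in a log taken after the fix."""
    after = set(parse_log(after_log_text))
    return [e for e in parse_log(fix_list_text) if e in after]


# Constructed excerpt of the log posted above (same lines, shortened).
BEFORE_LOG = r"""
Logfile of HijackThis v1.97.7
Scan saved at 4:44:56 AM, on 5/23/2004

Running processes:
C:\WINNT\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\WINNT\msopt.dll
O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\Stopzilla.exe /autorun
O4 - HKLM\..\Run: [sysdll32.dll] C:\WINNT\system\sysdll32.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINNT\system32\bridge.dll",Load
O19 - User stylesheet: C:\WINNT\winstyle.css
"""

# The entries the reply above says to fix, pasted as-is.
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\WINNT\msopt.dll
O4 - HKLM\..\Run: [sysdll32.dll] C:\WINNT\system\sysdll32.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINNT\system32\bridge.dll",Load
O19 - User stylesheet: C:\WINNT\winstyle.css
"""

# Constructed post-fix log in which one entry has survived the reboot.
AFTER_LOG = r"""
Logfile of HijackThis v1.97.7
O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\Stopzilla.exe /autorun
O19 - User stylesheet: C:\WINNT\winstyle.css
"""

if __name__ == "__main__":
    print("files to check on disk:", file_paths(parse_log(BEFORE_LOG)))
    print("still present after fix:", unresolved(FIX_LIST, AFTER_LOG))
```

The comparison is on whole entries, so a Run entry that comes back under the same name but a different path shows up as a new entry in the second log rather than being silently treated as fixed; that is the case worth looking at when a fix list "takes" in the registry but the files on disk were not removed.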
     
  3. rrrel (Registered Member, joined Mar 7, 2004, 10 posts)

    Unzy,

    OK, I did what you said. The only file that was left after the reboot was the winstyle.css, which I got rid of. Now it's time to give it a go.

    Thanks for your help, you're the best

    rrrel :D
     