Seeking review of HiJack Log Please

Discussion in 'adware, spyware & hijack cleaning' started by otak, Apr 15, 2004.

Thread Status:
Not open for further replies.
  1. otak

    otak Registered Member

    Joined:
    Apr 15, 2004
    Posts:
    2
    Am a newbie and would value your review of my Hijack log. I haven't seen any problems and merely want the log reviewed with anything that should NOT be in it pointed out to me, and whether in such case/s it would be OK to delete the item/s. I am also including a copy of my virus protection information in case it may be of use. Thanks in advance. :D

    Logfile of HijackThis v1.96.0
    Scan saved at 1:06:59 AM, on 4/16/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\System32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\ffpsrv.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\ISS\BlackICE\rapapp.exe
    E:\CD Slides\ProShowGold\ScsiAccess.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\WINDOWS\StartupMonitor.exe
    C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\Ensuredmail\emOFServer.exe
    C:\PROGRA~1\Ensuredmail\Ensuredmail.exe
    F:\WinPatrol\WinPatrol.exe
    C:\Program Files\Eraser\eraser.exe
    C:\Program Files\ISS\BlackICE\blackice.exe
    E:\WordWeb\wweb32.exe
    C:\Program Files\ISS\BlackICE\blackd.exe
    F:\HiJack\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
    O1 - Hosts: 203.161.127.141 www.dcsresearch.com
    O2 - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - E:\Graphics\SnagIt 7\SnagItBHO.dll
    O2 - BHO: IE Privacy Keeper - Last IE Window Detector - {1201333E-BAD9-481C-BCF5-6904498CF85B} - C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPKbho.dll
    O2 - BHO: emIEEngine Utility - {45C768F0-9B73-4AA7-8817-D3B063F4335F} - C:\Program Files\Ensuredmail\emIEEngine.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - E:\Graphics\SnagIt 7\SnagItIEAddin.dll
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [NVCLOCK] rundll32 nvclock.dll,fnNvclock
    O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [CloneCDTray] "F:\CloneCD 4.3.2.2\CloneCDTray.exe" /s
    O4 - HKLM\..\Run: [Ensuredmail] C:\PROGRA~1\Ensuredmail\emOFServer.exe
    O4 - HKLM\..\Run: [Ensuredmail1] C:\PROGRA~1\Ensuredmail\Ensuredmail.exe
    O4 - HKLM\..\Run: [WinPatrol PLUS] F:\WinPatrol\WinPatrol.exe
    O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
    O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
    O4 - Global Startup: WordWeb.lnk = E:\WordWeb\wweb32.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: &NeoTrace It! - F:\NEOTRA~1.25\NTXcontext.htm
    O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\System32\wweb32.dll/lookup.html
    O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: Count &Keywords - E:\IE Count Keywords\ieck.html
    O8 - Extra context menu item: E&nsuredmail(tm) - C:\PROGRA~1\Ensuredmail\ensuredmail.html
    O8 - Extra context menu item: FlashToolset - res://E:\Flash\FlashToolset Pro 2.0\Swafer.dll/300
    O8 - Extra context menu item: Get File Size - res://C:\Program Files\UnH Solutions\GFS\GetFileSize.exe/130
    O8 - Extra context menu item: Sothink SWF Catcher - E:\Graphics\Sothink SWF Quicker\InternetExplorer.htm
    O9 - Extra button: Protect Your Email (HKLM)
    O9 - Extra 'Tools' menuitem: Protect Your Email with Ensuredmail (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
    O9 - Extra button: SafeInput (HKLM)
    O9 - Extra 'Tools' menuitem: Bookmark Manager Pro (HKLM)
    O9 - Extra button: PowerWord (HKLM)
    O9 - Extra button: Bmp (HKLM)
    O9 - Extra 'Tools' menuitem: IE Privacy Keeper (HKLM)
    O9 - Extra button: SWF Catcher (HKLM)
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: SmartWhois (HKLM)
    O9 - Extra 'Tools' menuitem: SmartWhois (HKLM)
    O9 - Extra button: FlashToolset (HKCU)
    O9 - Extra 'Tools' menuitem: FlashToolset (HKCU)
    O9 - Extra button: NeoTrace It! (HKCU)
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
    O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37875.9796759259
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://216.65.38.226/crack.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9CF0718D-8B9C-415B-9045-550E2333A59B}: NameServer = 202.27.184.3 202.27.184.5
    O17 - HKLM\System\CS2\Services\Tcpip\..\{9CF0718D-8B9C-415B-9045-550E2333A59B}: NameServer = 202.27.184.3 202.27.184.5
    ===========================================
    NOD32 Antivirus System information
    Virus signature database version: 1.718 (20040414)
    Dated: Wednesday, April 14, 2004
    Virus signature database build: 4444
    Information on other scanner support parts
    Advanced heuristics module version: 1.007 (20040309)
    Advanced heuristics module build: 1053
    Internet filter version: 1.001 (20031104)
    Internet filter build: 1012
    Archive support module version: 1.014 (20040408)
    Archive support module build version: 1088
    Information on installed components
    NOD32 For Windows NT/2000/XP/2003 - Base
    Version: 2.000.9
    NOD32 For Windows NT/2000/XP/2003 - Internet support
    Version: 2.000.8
    NOD32 for Windows NT/2000/XP/2003 - Standard component
    Version: 2.000.9
    Operating system information
    Platform: Windows XP
    Version: 5.1.2600 Service Pack 1
    Version of common control components: 5.82.2800
    RAM: 512 MB
    Processor: Intel(R) Pentium(R) 4 CPU 2.40GHz (2405 MHz)
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands
    Hi otak,

    You are using an old version of HijackThis (v1.96.0).
    You can find a newer one here
    Replace the old one and you are done.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O1 - Hosts: 203.161.127.141 www.dcsresearch.com

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)

    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://216.65.38.226/crack.CAB

    Then reboot.

    Regards,

    Pieter
     
  3. otak

    otak Registered Member

    Joined:
    Apr 15, 2004
    Posts:
    2
    ===================================
    WOW! That was REAL fast assistance - thank you so much :D

    I did as you suggested and now my HiJack log shows the following and I am curious about the O10 item - have I lost a file or something? I connected okay with no problems so do not understand. THANKS again Pieter - this was just brilliant! - Otak.

    Logfile of HijackThis v1.97.7
    Scan saved at 2:15:52 AM, on 4/16/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\System32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ISS\BlackICE\blackd.exe
    C:\WINDOWS\System32\ffpsrv.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\ISS\BlackICE\rapapp.exe
    E:\CD Slides\ProShowGold\ScsiAccess.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\WINDOWS\StartupMonitor.exe
    C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\Ensuredmail\emOFServer.exe
    C:\PROGRA~1\Ensuredmail\Ensuredmail.exe
    F:\WinPatrol\WinPatrol.exe
    C:\Program Files\Eraser\eraser.exe
    C:\Program Files\ISS\BlackICE\blackice.exe
    E:\WordWeb\wweb32.exe
    F:\HiJack\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
    O2 - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - E:\Graphics\SnagIt 7\SnagItBHO.dll
    O2 - BHO: IE Privacy Keeper - Last IE Window Detector - {1201333E-BAD9-481C-BCF5-6904498CF85B} - C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPKbho.dll
    O2 - BHO: emIEEngine Utility - {45C768F0-9B73-4AA7-8817-D3B063F4335F} - C:\Program Files\Ensuredmail\emIEEngine.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - E:\Graphics\SnagIt 7\SnagItIEAddin.dll
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [NVCLOCK] rundll32 nvclock.dll,fnNvclock
    O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [CloneCDTray] "F:\CloneCD 4.3.2.2\CloneCDTray.exe" /s
    O4 - HKLM\..\Run: [Ensuredmail] C:\PROGRA~1\Ensuredmail\emOFServer.exe
    O4 - HKLM\..\Run: [Ensuredmail1] C:\PROGRA~1\Ensuredmail\Ensuredmail.exe
    O4 - HKLM\..\Run: [WinPatrol PLUS] F:\WinPatrol\WinPatrol.exe
    O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
    O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\System32\sti_ci.dll,WiaCreateWizardMenu
    O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
    O4 - Global Startup: WordWeb.lnk = E:\WordWeb\wweb32.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: &NeoTrace It! - F:\NEOTRA~1.25\NTXcontext.htm
    O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\System32\wweb32.dll/lookup.html
    O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: Count &Keywords - E:\IE Count Keywords\ieck.html
    O8 - Extra context menu item: E&nsuredmail(tm) - C:\PROGRA~1\Ensuredmail\ensuredmail.html
    O8 - Extra context menu item: FlashToolset - res://E:\Flash\FlashToolset Pro 2.0\Swafer.dll/300
    O8 - Extra context menu item: Get File Size - res://C:\Program Files\UnH Solutions\GFS\GetFileSize.exe/130
    O8 - Extra context menu item: Sothink SWF Catcher - E:\Graphics\Sothink SWF Quicker\InternetExplorer.htm
    O9 - Extra button: Protect Your Email (HKLM)
    O9 - Extra 'Tools' menuitem: Protect Your Email with Ensuredmail (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
    O9 - Extra button: SafeInput (HKLM)
    O9 - Extra 'Tools' menuitem: Bookmark Manager Pro (HKLM)
    O9 - Extra button: PowerWord (HKLM)
    O9 - Extra button: Bmp (HKLM)
    O9 - Extra 'Tools' menuitem: IE Privacy Keeper (HKLM)
    O9 - Extra button: SWF Catcher (HKLM)
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: SmartWhois (HKLM)
    O9 - Extra 'Tools' menuitem: SmartWhois (HKLM)
    O9 - Extra button: FlashToolset (HKCU)
    O9 - Extra 'Tools' menuitem: FlashToolset (HKCU)
    O9 - Extra button: NeoTrace It! (HKCU)
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
    O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37875.9796759259
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9CF0718D-8B9C-415B-9045-550E2333A59B}: NameServer = 202.27.184.3 202.27.184.5
    O17 - HKLM\System\CS2\Services\Tcpip\..\{9CF0718D-8B9C-415B-9045-550E2333A59B}: NameServer = 202.27.184.3 202.27.184.5
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands
    Hi otak,

    The O10 is a known misunderstanding between HijackThis and NOD32.
    The file is there (you can check that), but HijackThis can't find it.

    Your log looks good.

    Regards,

    Pieter
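    An added example, not part of this thread or of HijackThis itself: a small Python triage script that applies the reasoning in Pieter's two replies to log lines of this format. It assumes the HijackThis line layout shown in the logs above; the sample lines are copied from otak's first log, and the imon.dll allow-list encodes the O10 false positive Pieter explains.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Sample input: a handful of lines copied from the first log posted in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: emIEEngine Utility - {45C768F0-9B73-4AA7-8817-D3B063F4335F} - C:\Program Files\Ensuredmail\emIEEngine.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://216.65.38.226/crack.CAB
""".strip()

# LSP names HijackThis is known to misreport as missing (the thread names NOD32's imon.dll).
KNOWN_LSP_FALSE_POSITIVES = {"imon.dll"}

def is_raw_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def triage(line):
    """Return a reason string if the line merits a closer look, else None."""
    m = re.match(r"(O\d+|R\d) - (.*)", line.strip())
    if not m:
        return None
    section, body = m.groups()
    if section == "O1":
        # hosts-file entry: anything not pointing at localhost redirects a name elsewhere
        ip, _, host = body.partition(": ")[2].partition(" ")
        if ip not in ("127.0.0.1", "::1"):
            return f"hosts file redirects {host} to {ip}"
    if section in ("O2", "O3") and body.endswith("(no file)"):
        return f"orphaned {section} entry: registered object has no file on disk"
    if section == "O10":
        lsp = re.search(r"'([^']+)'", body)
        if lsp and lsp.group(1).lower() in KNOWN_LSP_FALSE_POSITIVES:
            return None  # known tool quirk, not a broken Winsock chain
        return "LSP chain reported broken: " + body
    if section == "O16":
        # downloaded ActiveX control: a bare-IP origin has no accountable vendor behind it
        url = body.rsplit(" - ", 1)[-1]
        if is_raw_ip(urlparse(url).hostname or ""):
            return f"ActiveX download from bare IP {urlparse(url).hostname}"
    return None

def flagged(log_text=SAMPLE_LOG):
    """All (line, reason) pairs from the log that triage() did not clear."""
    return [(line, reason) for line in log_text.splitlines() if (reason := triage(line))]
```

Run against the sample it reports exactly the four items Pieter asked otak to fix and stays silent on the O10 line.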
     