Seeking review of HiJack Log Please

Discussion in 'adware, spyware & hijack cleaning' started by otak, Apr 15, 2004.

Thread Status:
Not open for further replies.
  1. otak

    otak Registered Member

    Joined:
    Apr 15, 2004
    Posts:
    2
    Am a newbie and would value your review of my Hijack log. I haven't seen any problems and merely want the log reviewed with anything that should NOT be in it pointed out to me and whether in such case/s it would be Ok to delete the item/s. I am also including copy of my Virus protection information in case it may be of use. Thanks in advance. :D

    Logfile of HijackThis v1.96.0
    Scan saved at 1:06:59 AM, on 4/16/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\System32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\ffpsrv.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\ISS\BlackICE\rapapp.exe
    E:\CD Slides\ProShowGold\ScsiAccess.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\WINDOWS\StartupMonitor.exe
    C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\Ensuredmail\emOFServer.exe
    C:\PROGRA~1\Ensuredmail\Ensuredmail.exe
    F:\WinPatrol\WinPatrol.exe
    C:\Program Files\Eraser\eraser.exe
    C:\Program Files\ISS\BlackICE\blackice.exe
    E:\WordWeb\wweb32.exe
    C:\Program Files\ISS\BlackICE\blackd.exe
    F:\HiJack\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
    O1 - Hosts: 203.161.127.141 www.dcsresearch.com
    O2 - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - E:\Graphics\SnagIt 7\SnagItBHO.dll
    O2 - BHO: IE Privacy Keeper - Last IE Window Detector - {1201333E-BAD9-481C-BCF5-6904498CF85B} - C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPKbho.dll
    O2 - BHO: emIEEngine Utility - {45C768F0-9B73-4AA7-8817-D3B063F4335F} - C:\Program Files\Ensuredmail\emIEEngine.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - E:\Graphics\SnagIt 7\SnagItIEAddin.dll
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [NVCLOCK] rundll32 nvclock.dll,fnNvclock
    O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [CloneCDTray] "F:\CloneCD 4.3.2.2\CloneCDTray.exe" /s
    O4 - HKLM\..\Run: [Ensuredmail] C:\PROGRA~1\Ensuredmail\emOFServer.exe
    O4 - HKLM\..\Run: [Ensuredmail1] C:\PROGRA~1\Ensuredmail\Ensuredmail.exe
    O4 - HKLM\..\Run: [WinPatrol PLUS] F:\WinPatrol\WinPatrol.exe
    O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
    O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
    O4 - Global Startup: WordWeb.lnk = E:\WordWeb\wweb32.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: &NeoTrace It! - F:\NEOTRA~1.25\NTXcontext.htm
    O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\System32\wweb32.dll/lookup.html
    O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: Count &Keywords - E:\IE Count Keywords\ieck.html
    O8 - Extra context menu item: E&nsuredmail(tm) - C:\PROGRA~1\Ensuredmail\ensuredmail.html
    O8 - Extra context menu item: FlashToolset - res://E:\Flash\FlashToolset Pro 2.0\Swafer.dll/300
    O8 - Extra context menu item: Get File Size - res://C:\Program Files\UnH Solutions\GFS\GetFileSize.exe/130
    O8 - Extra context menu item: Sothink SWF Catcher - E:\Graphics\Sothink SWF Quicker\InternetExplorer.htm
    O9 - Extra button: Protect Your Email (HKLM)
    O9 - Extra 'Tools' menuitem: Protect Your Email with Ensuredmail (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
    O9 - Extra button: SafeInput (HKLM)
    O9 - Extra 'Tools' menuitem: Bookmark Manager Pro (HKLM)
    O9 - Extra button: PowerWord (HKLM)
    O9 - Extra button: Bmp (HKLM)
    O9 - Extra 'Tools' menuitem: IE Privacy Keeper (HKLM)
    O9 - Extra button: SWF Catcher (HKLM)
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: SmartWhois (HKLM)
    O9 - Extra 'Tools' menuitem: SmartWhois (HKLM)
    O9 - Extra button: FlashToolset (HKCU)
    O9 - Extra 'Tools' menuitem: FlashToolset (HKCU)
    O9 - Extra button: NeoTrace It! (HKCU)
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
    O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37875.9796759259
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://216.65.38.226/crack.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9CF0718D-8B9C-415B-9045-550E2333A59B}: NameServer = 202.27.184.3 202.27.184.5
    O17 - HKLM\System\CS2\Services\Tcpip\..\{9CF0718D-8B9C-415B-9045-550E2333A59B}: NameServer = 202.27.184.3 202.27.184.5
    ===========================================
    NOD32 Antivirus System information
    Virus signature database version: 1.718 (20040414)
    Dated: Wednesday, April 14, 2004
    Virus signature database build: 4444
    Information on other scanner support parts
    Advanced heuristics module version: 1.007 (20040309)
    Advanced heuristics module build: 1053
    Internet filter version: 1.001 (20031104)
    Internet filter build: 1012
    Archive support module version: 1.014 (2004040:cool:
    Archive support module build version: 1088
    Information on installed components
    NOD32 For Windows NT/2000/XP/2003 - Base
    Version: 2.000.9
    NOD32 For Windows NT/2000/XP/2003 - Internet support
    Version: 2.000.8
    NOD32 for Windows NT/2000/XP/2003 - Standard component
    Version: 2.000.9
    Operating system information
    Platform: Windows XP
    Version: 5.1.2600 Service Pack 1
    Version of common control components: 5.82.2800
    RAM: 512 MB
    Processor: Intel(R) Pentium(R) 4 CPU 2.40GHz (2405 MHz)
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi otak,

    You are using a old version of HijackThis (v1.96.0)
    You can find a newer one here
    Replace the old one and you are done.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O1 - Hosts: 203.161.127.141 www.dcsresearch.com

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)

    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://216.65.38.226/crack.CAB

    Then reboot.

    Regards,

    Pieter
     
  3. otak

    otak Registered Member

    Joined:
    Apr 15, 2004
    Posts:
    2
    ===================================
    WOW! That was REAL fast assistance - thankyou so much :D

    I did as you suggested and now my HiJack log shows the following and I am curious about the O10 item - have I lost a file or something? I connected okay with no problems so do not understand. THANKS again Pieter - this was just brilliant! - Otak.

    Logfile of HijackThis v1.97.7
    Scan saved at 2:15:52 AM, on 4/16/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\System32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ISS\BlackICE\blackd.exe
    C:\WINDOWS\System32\ffpsrv.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\ISS\BlackICE\rapapp.exe
    E:\CD Slides\ProShowGold\ScsiAccess.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\WINDOWS\StartupMonitor.exe
    C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\Ensuredmail\emOFServer.exe
    C:\PROGRA~1\Ensuredmail\Ensuredmail.exe
    F:\WinPatrol\WinPatrol.exe
    C:\Program Files\Eraser\eraser.exe
    C:\Program Files\ISS\BlackICE\blackice.exe
    E:\WordWeb\wweb32.exe
    F:\HiJack\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
    O2 - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - E:\Graphics\SnagIt 7\SnagItBHO.dll
    O2 - BHO: IE Privacy Keeper - Last IE Window Detector - {1201333E-BAD9-481C-BCF5-6904498CF85B} - C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPKbho.dll
    O2 - BHO: emIEEngine Utility - {45C768F0-9B73-4AA7-8817-D3B063F4335F} - C:\Program Files\Ensuredmail\emIEEngine.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - E:\Graphics\SnagIt 7\SnagItIEAddin.dll
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [NVCLOCK] rundll32 nvclock.dll,fnNvclock
    O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [CloneCDTray] "F:\CloneCD 4.3.2.2\CloneCDTray.exe" /s
    O4 - HKLM\..\Run: [Ensuredmail] C:\PROGRA~1\Ensuredmail\emOFServer.exe
    O4 - HKLM\..\Run: [Ensuredmail1] C:\PROGRA~1\Ensuredmail\Ensuredmail.exe
    O4 - HKLM\..\Run: [WinPatrol PLUS] F:\WinPatrol\WinPatrol.exe
    O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
    O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\System32\sti_ci.dll,WiaCreateWizardMenu
    O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
    O4 - Global Startup: WordWeb.lnk = E:\WordWeb\wweb32.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: &NeoTrace It! - F:\NEOTRA~1.25\NTXcontext.htm
    O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\System32\wweb32.dll/lookup.html
    O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: Count &Keywords - E:\IE Count Keywords\ieck.html
    O8 - Extra context menu item: E&nsuredmail(tm) - C:\PROGRA~1\Ensuredmail\ensuredmail.html
    O8 - Extra context menu item: FlashToolset - res://E:\Flash\FlashToolset Pro 2.0\Swafer.dll/300
    O8 - Extra context menu item: Get File Size - res://C:\Program Files\UnH Solutions\GFS\GetFileSize.exe/130
    O8 - Extra context menu item: Sothink SWF Catcher - E:\Graphics\Sothink SWF Quicker\InternetExplorer.htm
    O9 - Extra button: Protect Your Email (HKLM)
    O9 - Extra 'Tools' menuitem: Protect Your Email with Ensuredmail (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
    O9 - Extra button: SafeInput (HKLM)
    O9 - Extra 'Tools' menuitem: Bookmark Manager Pro (HKLM)
    O9 - Extra button: PowerWord (HKLM)
    O9 - Extra button: Bmp (HKLM)
    O9 - Extra 'Tools' menuitem: IE Privacy Keeper (HKLM)
    O9 - Extra button: SWF Catcher (HKLM)
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: SmartWhois (HKLM)
    O9 - Extra 'Tools' menuitem: SmartWhois (HKLM)
    O9 - Extra button: FlashToolset (HKCU)
    O9 - Extra 'Tools' menuitem: FlashToolset (HKCU)
    O9 - Extra button: NeoTrace It! (HKCU)
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
    O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37875.9796759259
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9CF0718D-8B9C-415B-9045-550E2333A59B}: NameServer = 202.27.184.3 202.27.184.5
    O17 - HKLM\System\CS2\Services\Tcpip\..\{9CF0718D-8B9C-415B-9045-550E2333A59B}: NameServer = 202.27.184.3 202.27.184.5
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi otak,

    The O10 is a known misunderstanding between HijackThis and NOD32
    The file is there (you can check that), but HijackThis can't find it.

    You log looks good.

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.