Custom Search
Join the PC homebuilding revolution! Read the all-new, FREE 200-page online guide: How to Build Your Own PC!
NOTE: Using robot software to mass-download the site degrades the server and is prohibited. See here for more.
Find The PC Guide helpful? Please consider a donation to The PC Guide Tip Jar. Visa/MC/Paypal accepted.
Results 1 to 8 of 8

Thread: Hijack this Log

  1. 07-20-2004, 12:19 AM #1
    LunarElemental
    LunarElemental is offline Novitiate Geek
    Join Date
    May 2004
    Posts
    4

    Hijack this Log

    could someone help me check this hijack this log file for problems?

    Logfile of HijackThis v1.97.7
    Scan saved at 9:16:16 PM, on 7/19/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Softwin\BitDefender Free Edition\bdmcon.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\WINDOWS\System32\rlwuvh.exe
    C:\Program Files\Bargain Buddy\bin2\bargains.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\AIM\aim.exe
    C:\WINDOWS\System32\jhklyozo.exe
    C:\WINDOWS\System32\GEARSEC.EXE
    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    C:\Program Files\Winamp\winamp.exe
    C:\Program Files\Avant Browser\iexplore.exe
    C:\Program Files\Soulseek\slsk.exe
    C:\hjt\hjt.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
    N3 - Netscape 7: # Mozilla User Preferences

    /* Do not edit this file.
    *
    * If you make changes to this file while the browser is running,
    * the changes will be overwritten when the browser exits.
    *
    * To make a manual change to preferences, you can visit the URL about:config
    * For more information, see http://www.mozilla.org/unix/customizing.html#prefs
    */

    user_pref("browser.activation.checkedNNFlag", true);
    user_pref("browser.bookmarks.added_static_root", true);
    user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csea rchplugins%5CSBWeb_01.src");
    user_pref("browser.startup.homepage_override.mston e", "rv:1.4");
    user_pref("dom.disable_open_during_load", true);
    user_pref("intl.charsetmenu.browser.cache", "windows-1252, UTF-8, ISO-8859-1");
    user_pref("prefs.converted-to-utf8", true);
    user_pref("privacy.popups.first_popup", false);
    user_pref("privacy.popups.prefill_whitelist", false);
    user_pref("privacy.popups.remove_blacklist", false);
    user_pref("privacy.popups.
    O2 - BHO: (no name) - SOFTWARE - (no file)
    O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch13218.dll (file missing)
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll (file missing)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {31FD3129-C437-0CE7-8751-60550DA32718} - C:\WINDOWS\System32\yruvuvs.dll
    O2 - BHO: (no name) - {9FB534E3-67CB-4307-AE0A-9E8B5581BE2C} - C:\PROGRA~1\WIACA5~1\WinSB.DLL
    O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\Program Files\Bargain Buddy\bin2\apuc.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [BDMCon] C:\Program Files\Softwin\BitDefender Free Edition\\bdmcon.exe
    O4 - HKLM\..\Run: [BDNewsAgent] C:\Program Files\Softwin\BitDefender Free Edition\\bdnagent.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
    O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\iHP100\iHPDetect.exe
    O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
    O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [fezsj] C:\WINDOWS\fezsj.exe
    O4 - HKLM\..\Run: [osleakvg] C:\WINDOWS\System32\rlwuvh.exe
    O4 - HKLM\..\Run: [Bargains] C:\Program Files\Bargain Buddy\bin2\bargains.exe
    O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Toia] C:\Documents and Settings\David Andersson\Application Data\ostp.exe
    O4 - HKCU\..\Run: [Naabdn] C:\WINDOWS\System32\jhklyozo.exe
    O4 - HKCU\..\Run: [ClockSync] "C:\Program Files\ClockSync\Sync.exe" /q
    O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\MSOffice\Office\MSOFFICE.EXE
    O4 - Global Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
    O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
    O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
    O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
    O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
    O9 - Extra button: Sidesearch (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_fi...9c76a5c4d2b1ea
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
    O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/1...ll/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...877.1277430556
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab


    any problems?

    thanks.
    Reply With Quote Reply With Quote
  2. 07-20-2004, 06:03 AM #2
    Whyzman's Avatar
    Whyzman
    Whyzman is offline Petitor Sapientia
    Moderator
    Join Date
    Aug 2001
    Location
    Land of 10,000 Lakes and Minnesota nice!!
    Posts
    11,058
    Have you also run AdAware and Spybot Search & Destroy? Links are in my Signature...elect to fix anything that they find...
    Lighten up! --- A merry heart does good like a medicine. (Proverbs 17:22)
    Reply With Quote Reply With Quote
  3. 07-20-2004, 06:51 AM #3
    classicsoftware's Avatar
    classicsoftware
    classicsoftware is offline Exalted Grand Master Geek
    Moderator
    Join Date
    Jul 2001
    Location
    Wyncote, PA, USA
    Posts
    10,055
    If you run Adaware, please update it first. Running an old version can prevent you from being able to login to windows XP.

    Go to Add/Remove programs and uninstall Bargain Buddy.

    Close all browser and program windows and have HJT fix:

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll (file missing)
    O2 - BHO: (no name) - {31FD3129-C437-0CE7-8751-60550DA32718} - C:\WINDOWS\System32\yruvuvs.dll
    O2 - BHO: (no name) - {9FB534E3-67CB-4307-AE0A-9E8B5581BE2C} - C:\PROGRA~1\WIACA5~1\WinSB.DLL
    O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\Program Files\Bargain Buddy\bin2\apuc.dll
    O4 - HKLM\..\Run: [osleakvg] C:\WINDOWS\System32\rlwuvh.exe
    O4 - HKLM\..\Run: [Bargains] C:\Program Files\Bargain Buddy\bin2\bargains.exe
    O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
    O4 - HKCU\..\Run: [Toia] C:\Documents and Settings\David Andersson\Application Data\ostp.exe
    O4 - HKCU\..\Run: [Naabdn] C:\WINDOWS\System32\jhklyozo.exe
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...59c76a5c4d2b1ea

    Boot into safe mode and delete the following:


    C:\WINDOWS\System32\jhklyozo.exe
    C:\Documents and Settings\David Andersson\Application Data\ostp.exe
    C:\Program Files\Bargain Buddy\bin2\bargains.exe
    C:\WINDOWS\System32\rlwuvh.exe
    C:\Program Files\Bargain Buddy\bin2\apuc.dll
    C:\PROGRA~1\WIACA5~1\WinSB.DLL
    C:\WINDOWS\System32\yruvuvs.dll
    C:\WINDOWS\twaintec.dll
    C:\Windows\System32\wsaupdater.exe

    Boot Back into Regular mode:

    Download the latest version of HJT from Here and repost your log.
    Reply With Quote Reply With Quote
  4. 07-20-2004, 02:39 PM #4
    david eaton's Avatar
    david eaton
    david eaton is offline Historical geek
    Join Date
    Feb 2002
    Location
    Somerset, England
    Posts
    2,762
    In addition to those mentioned by classicsoftware, also fix these.

    O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
    O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
    O4 - HKLM\..\Run: [fezsj] C:\WINDOWS\fezsj.exe

    After rebooting, delete the file C:\WINDOWS\fezsj.exe, and the folders

    C:\Program Files\WindowsSA
    C:\Program Files\VVSN
    be wary of strong drink - it may make you shoot at tax collectors, and miss!
    Reply With Quote Reply With Quote
  5. 07-20-2004, 11:01 PM #5
    classicsoftware's Avatar
    classicsoftware
    classicsoftware is offline Exalted Grand Master Geek
    Moderator
    Join Date
    Jul 2001
    Location
    Wyncote, PA, USA
    Posts
    10,055
    Thanks David,

    I don't know how I missed them..... getting tired sooner than I think...
    Reply With Quote Reply With Quote
  6. 07-22-2004, 06:48 PM #6
    LunarElemental
    LunarElemental is offline Novitiate Geek
    Join Date
    May 2004
    Posts
    4
    thanks to everyone who responded!
    here is the new hjt log, latest hjt version. (as far as I know)

    Logfile of HijackThis v1.98.0
    Scan saved at 3:51:08 PM, on 7/22/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Softwin\BitDefender Free Edition\bdmcon.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\GEARSEC.EXE
    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    C:\hjt\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
    N3 - Netscape 7: # Mozilla User Preferences

    /* Do not edit this file.
    *
    * If you make changes to this file while the browser is running,
    * the changes will be overwritten when the browser exits.
    *
    * To make a manual change to preferences, you can visit the URL about:config
    * For more information, see http://www.mozilla.org/unix/customizing.html#prefs
    */

    user_pref("browser.activation.checkedNNFlag", true);
    user_pref("browser.bookmarks.added_static_root", true);
    user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csea rchplugins%5CSBWeb_01.src");
    user_pref("browser.startup.homepage_override.mston e", "rv:1.4");
    user_pref("dom.disable_open_during_load", true);
    user_pref("intl.charsetmenu.browser.cache", "windows-1252, UTF-8, ISO-8859-1");
    user_pref("prefs.converted-to-utf8", true);
    user_pref("privacy.popups.first_popup", false);
    user_pref("privacy.popups.prefill_whitelist", false);
    user_pref("privacy.popups.remove_blacklist", false);
    user_pref("privacy.popups.
    O2 - BHO: (no name) - SOFTWARE - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [BDMCon] C:\Program Files\Softwin\BitDefender Free Edition\\bdmcon.exe
    O4 - HKLM\..\Run: [BDNewsAgent] C:\Program Files\Softwin\BitDefender Free Edition\\bdnagent.exe
    O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
    O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\iHP100\iHPDetect.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
    O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
    O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
    O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
    O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
    O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/1...ll/xscan53.cab


    anything else need fixing? thanks again for all your help.
    Reply With Quote Reply With Quote
  7. 07-22-2004, 10:55 PM #7
    classicsoftware's Avatar
    classicsoftware
    classicsoftware is offline Exalted Grand Master Geek
    Moderator
    Join Date
    Jul 2001
    Location
    Wyncote, PA, USA
    Posts
    10,055
    Wait fro David to agree but I would fix the following:

    O2 - BHO: (no name) - SOFTWARE - (no file)
    Reply With Quote Reply With Quote
  8. 07-23-2004, 07:49 PM #8
    david eaton's Avatar
    david eaton
    david eaton is offline Historical geek
    Join Date
    Feb 2002
    Location
    Somerset, England
    Posts
    2,762
    Yes, fix that as well. Orphaned registry entry, but better out than in!
    be wary of strong drink - it may make you shoot at tax collectors, and miss!
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules