Hijack log plz look

#1 Krztoff (D-A-L Newbie), 12-11-2004, 09:57 PM
Hijack log plz look

I have been having some problems with spyware lately! I have been using Giant AntiSpyware, Spy Sweeper and Spybot S&D, but I still get some pop-ups and some strange programs that Spy Sweeper detects and that return after removal. Well, this is my HijackThis log; I haven't tried this program before, so maybe there is something wrong here. Can anyone take a look, please?

Logfile of HijackThis v1.98.2
Scan saved at 22:53:16, on 2004.11.12.
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\rundll32.exe
E:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
E:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE
E:\WINDOWS\Mixer.exe
E:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
E:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
E:\PROGRA~1\TILDES~1\MDICTION.EXE
E:\PROGRA~1\TILDES~1\Pianists.exe
E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
E:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
E:\Program Files\QuickTime\qttask.exe
E:\WINDOWS\System32\ctfmon.exe
E:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
E:\Program Files\Panda Software\Panda Antivirus Platinum\pavProxy.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Documents and Settings\Atis\Application Data\aaca.exe
E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
E:\WINDOWS\System32\wuauclt.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Valdis\Spy protection and stuff\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.lv
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.lv
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.lv
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.lv
O4 - HKLM\..\Run: [SCANINICIO] "E:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "E:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] E:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] E:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [mdiction] E:\PROGRA~1\TILDES~1\MDICTION.EXE
O4 - HKLM\..\Run: [CheckCU] E:\PROGRA~1\TILDES~1\CheckCU.exe
O4 - HKLM\..\Run: [Pianists] E:\PROGRA~1\TILDES~1\Pianists.exe
O4 - HKLM\..\Run: [gcasServ] "E:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Sotp] E:\Documents and Settings\Atis\Application Data\aaca.exe
O4 - HKCU\..\Run: [SpySweeper] "E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Tulkot ar Tildes Datorvārdnīcu - res://E:\Program Files\Tildes Birojs 2002\TDVLauncher.DLL /201
O9 - Extra button: Tildes Meklētājs - {11FD30F4-F186-4ebe-A384-E22965FDEC7A} - E:\Program Files\Tildes Birojs 2002\TLFindAddIn.dll
O9 - Extra 'Tools' menuitem: Tildes &Meklētājs - {11FD30F4-F186-4ebe-A384-E22965FDEC7A} - E:\Program Files\Tildes Birojs 2002\TLFindAddIn.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Add in LinkBook - {4D9BEE60-F894-11D4-9B21-AD4030B75053} - C:\Teetis\SAT\TV programma\linkbook1\lb.htm (HKCU)
O9 - Extra button: (no name) - {4D9BEE60-F894-11D4-9B21-AD4030B75054} - C:\Teetis\SAT\TV programma\linkbook1\LinkBook.exe (HKCU)
O9 - Extra 'Tools' menuitem: Open LinkBook - {4D9BEE60-F894-11D4-9B21-AD4030B75054} - C:\Teetis\SAT\TV programma\linkbook1\LinkBook.exe (HKCU)
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab
#2 owen (D-A-L Team Member, UK), 14-11-2004, 12:40 AM
Re: Hijack log plz look

Close all browser windows, restart Hijack This and put a checkmark next to the following entries:

O4 - HKLM\..\Run: [mdiction] E:\PROGRA~1\TILDES~1\MDICTION.EXE
O4 - HKLM\..\Run: [CheckCU] E:\PROGRA~1\TILDES~1\CheckCU.exe
O4 - HKLM\..\Run: [Pianists] E:\PROGRA~1\TILDES~1\Pianists.exe
O4 - HKCU\..\Run: [Sotp] E:\Documents and Settings\Atis\Application Data\aaca.exe

I can find no reference to any of these entries and I therefore recommend you fix them and delete them as instructed below. Unless you know what they are, of course.

O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab

Click Fix Checked

Then boot into Safe Mode and ensure that you are showing Hidden Files and Folders.

Delete the following files and folders:
E:\PROGRA~1\TILDES~1
E:\Documents and Settings\Atis\Application Data\aaca.exe

Reboot and post a fresh log
__________________
Owen,
My Website - I Security.org.uk

MALWARE: READ FIRST Procedures:
|_ SpyBot V1.4 _|_ Ad-Aware SE 1.06_|_ HijackThis Log __V1.99.1 _|


- Be patient and wait for a response; we'll do our best to help resolve your issue.
- When posting for help, start your own thread and stick to it. Don't start multiple threads or post in other people's threads!

If we have helped you, please consider making a donation to help support the forum. All donations are greatly appreciated. You can also support the forum by placing a link to us on your personal website.

Useful Links:
Posting a Hijack This Log
Preposting and Prevention Info
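A small triage script for HijackThis log lines like the ones posted in this thread, added here as an example (it is not part of the thread and not part of HijackThis). It applies the same reasoning owen uses above: an O4 autorun launched from a user-writable profile path, any O15 Trusted Zone entry, and an O16 ActiveX download from a host outside an allowlist all get flagged for review. The allowlist, the path patterns and the function names are assumptions of this example.

```python
import re
from urllib.parse import urlparse

# Sample entries taken from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Pianists] E:\PROGRA~1\TILDES~1\Pianists.exe
O4 - HKCU\..\Run: [Sotp] E:\Documents and Settings\Atis\Application Data\aaca.exe
O15 - Trusted Zone: *.searchmiracle.com
O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
"""

# Every HijackThis entry starts with a section tag such as R0, O4, O15.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")

# Autorun locations a legitimate installer rarely uses: the user profile is
# writable without admin rights, which is where aaca.exe was sitting. (Assumed patterns.)
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\", "\\temp\\")

# Hosts from which an O16 (Downloaded Program Files) ActiveX install is expected.
# Assumed allowlist for this example; extend it for your own environment.
DPF_ALLOWED_HOSTS = ("microsoft.com", "windowsupdate.com")


def host_allowed(url: str) -> bool:
    """True if the URL's host is an allowlisted domain or one of its subdomains."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in DPF_ALLOWED_HOSTS)


def triage(log_text: str) -> list:
    """Return (section, reason, entry) for every line that needs a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section == "O4" and any(p in body.lower() for p in USER_WRITABLE):
            findings.append((section, "autorun from user-writable path", line))
        elif section == "O15":
            # Trusted Zone sites run with relaxed IE security settings; a wildcard
            # entry the user did not add themselves is almost always hijacker residue.
            findings.append((section, "trusted-zone entry", line))
        elif section == "O16":
            url = body.rsplit(" - ", 1)[-1]
            if not host_allowed(url):
                findings.append((section, "ActiveX download from unlisted host", line))
    return findings


if __name__ == "__main__":
    for section, reason, entry in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}: {entry.strip()}")
```

The two Tildes entries are deliberately not flagged: the path heuristic only catches autoruns inside the user profile, so vendor entries under Program Files, like the dictionary Krztoff later confirmed, still need the manual lookup owen describes.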
#3 Krztoff (D-A-L Newbie), 15-11-2004, 09:47 AM
Re: Hijack log plz look

OK, thanks, I did all you said except rebooting in Safe Mode (I don't know how to do it on Windows XP). And the Tildes entries are OK, they are from my dictionary. It seems that the pop-ups have gone away, and now the HijackThis log looks like this:

Logfile of HijackThis v1.98.2
Scan saved at 10:41:47, on 2004.11.15.
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE
E:\WINDOWS\Mixer.exe
E:\WINDOWS\System32\RUNDLL32.EXE
E:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
E:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
E:\PROGRA~1\TILDES~1\MDICTION.EXE
E:\PROGRA~1\TILDES~1\Pianists.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
E:\WINDOWS\System32\ctfmon.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
E:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
E:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
E:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
E:\Program Files\Panda Software\Panda Antivirus Platinum\pavProxy.exe
E:\WINDOWS\System32\wuauclt.exe
E:\WINDOWS\explorer.exe
C:\Valdis\Spy protection and stuff\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.lv
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.lv
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.lv
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.lv
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - E:\WINDOWS\System32\msbe.dll
O3 - Toolbar: IEMenuExtension toolbar - {6b95678d-30a4-4ff8-a72f-4208340c1f7f} - E:\Program Files\IEMenuExtension\tbextn.dll
O4 - HKLM\..\Run: [SCANINICIO] "E:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "E:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] E:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] E:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [mdiction] E:\PROGRA~1\TILDES~1\MDICTION.EXE
O4 - HKLM\..\Run: [CheckCU] E:\PROGRA~1\TILDES~1\CheckCU.exe
O4 - HKLM\..\Run: [Pianists] E:\PROGRA~1\TILDES~1\Pianists.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "E:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [IE Menu Extension toolbar] rundll32.exe "E:\PROGRA~1\IEMENU~1\tbextn.dll" DllShowTB
O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Tulkot ar Tildes Datorvārdnīcu - res://E:\Program Files\Tildes Birojs 2002\TDVLauncher.DLL /201
O9 - Extra button: Tildes Meklētājs - {11FD30F4-F186-4ebe-A384-E22965FDEC7A} - E:\Program Files\Tildes Birojs 2002\TLFindAddIn.dll
O9 - Extra 'Tools' menuitem: Tildes &Meklētājs - {11FD30F4-F186-4ebe-A384-E22965FDEC7A} - E:\Program Files\Tildes Birojs 2002\TLFindAddIn.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Add in LinkBook - {4D9BEE60-F894-11D4-9B21-AD4030B75053} - C:\Teetis\SAT\TV programma\linkbook1\lb.htm (HKCU)
O9 - Extra button: (no name) - {4D9BEE60-F894-11D4-9B21-AD4030B75054} - C:\Teetis\SAT\TV programma\linkbook1\LinkBook.exe (HKCU)
O9 - Extra 'Tools' menuitem: Open LinkBook - {4D9BEE60-F894-11D4-9B21-AD4030B75054} - C:\Teetis\SAT\TV programma\linkbook1\LinkBook.exe (HKCU)
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
#4 owen (D-A-L Team Member, UK), 16-11-2004, 11:27 PM
Re: Hijack log plz look

Close all browser windows, restart Hijack This and put a checkmark next to the following entries:

O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - E:\WINDOWS\System32\msbe.dll
O3 - Toolbar: IEMenuExtension toolbar - {6b95678d-30a4-4ff8-a72f-4208340c1f7f} - E:\Program Files\IEMenuExtension\tbextn.dll
O4 - HKLM\..\Run: [IE Menu Extension toolbar] rundll32.exe "E:\PROGRA~1\IEMENU~1\tbextn.dll" DllShowTB

Click Fix Checked

Then boot into Safe Mode and ensure that you are showing Hidden Files and Folders.

Delete the following files and folders:
E:\Program Files\IEMenuExtension

Reboot and post a fresh log