
Somehelp with a HiJackThis log


Old 04-20-06, 03:25 AM
  #1  
DVD Talk Limited Edition
Thread Starter
 
Join Date: Jul 2000
Location: Land of the Micro-Brew...Portland
Posts: 5,845
Likes: 0
Received 0 Likes on 0 Posts
Somehelp with a HiJackThis log

Hello all... I've been taken over by some damn malware and I think I've gotten rid of that with ewido, and now I have a little box on the bottom right which flashes saying "MY COMPUTER IS INFECTED". It flashes a picture of a red no sign and a green handicapped sign. I can't seem to get rid of that pop-up. Reading other places, I think it's called "Spyware Quake". Here is what HijackThis says:

Logfile of HijackThis v1.99.1
Scan saved at 12:18:27 AM, on 4/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
F:\WINDOWS\System32\Ati2evxx.exe
F:\Program Files\Alwil Software\Avast4\ashServ.exe
F:\PROGRA~1\Navnt\navapsvc.exe
F:\PROGRA~1\Navnt\npssvc.exe
F:\Program Files\Norton Utilities\NPROTECT.EXE
F:\WINDOWS\Explorer.EXE
F:\Program Files\Speed Disk\nopdb.exe
F:\WINDOWS\System32\svchost.exe
F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
F:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
F:\Program Files\support.com\bin\tgcmd.exe
F:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\MSN Messenger\msnmsgr.exe
F:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
F:\Program Files\Southwest Airlines\Ding\Ding.exe
F:\Program Files\Norton Utilities\SYSDOC32.EXE
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
F:\WINDOWS\system32\wscntfy.exe
F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
F:\PROGRA~1\Navnt\alertsvc.exe
F:\Program Files\ewido anti-malware\ewidoguard.exe
F:\Program Files\ewido anti-malware\ewidoctrl.exe
F:\Program Files\ewido anti-malware\securitysuite.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Documents and Settings\Paul\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comics.com/comics/getfuzzy
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn
R3 - Default URLSearchHook is missing
O2 - BHO: Nothing - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - F:\WINDOWS\system32\hpD3C6.tmp (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NPS Event Checker] F:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TotalRecorderScheduler] "F:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [tgcmd] "F:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] F:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "F:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Weather] F:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] F:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Utmc] "F:\PROGRA~1\COMMON~1\SSEMBL~1\csrss.exe" -vt mt
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DING!.lnk = F:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Global Startup: Norton System Doctor.lnk = F:\Program Files\Norton Utilities\SYSDOC32.EXE
O8 - Extra context menu item: &Google Search - res://f:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://f:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://f:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://f:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://f:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - F:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho.../yinst0401.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by22fd.bay22.hotmail.msn.com/...s/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/17bbc2bd...p/RdxIE601.cab
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k00719/sb02a.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - http://activex.microsoft.com/activex...oadcontrol.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "F:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: x-excid - {9D6CC632-1337-4A33-9214-2DA092E776F4} - f:\WINDOWS\Downloaded Program Files\mimectl.dll
O20 - Winlogon Notify: winupx32 - F:\WINDOWS\SYSTEM32\winupx32.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - F:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - F:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - F:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NAV Alert - Symantec Corporation - F:\PROGRA~1\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - F:\PROGRA~1\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - F:\PROGRA~1\Navnt\npssvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - F:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - F:\Program Files\Speed Disk\nopdb.exe

Thanks in advance
Old 04-20-06, 07:47 AM
  #2  
DVD Talk Limited Edition
 
Join Date: Feb 2002
Location: On the penis chair
Posts: 5,169
Likes: 0
Received 0 Likes on 0 Posts
Under safe mode, check and fix these:

R3 - Default URLSearchHook is missing
O2 - BHO: Nothing - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - F:\WINDOWS\system32\hpD3C6.tmp (file missing)

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/17bbc2b...ip/RdxIE601.cab

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Program Files\PartyPoker\PartyPoker.exe (file missing)

O18 - Protocol: x-excid - {9D6CC632-1337-4A33-9214-2DA092E776F4} - f:\WINDOWS\Downloaded Program Files\mimectl.dll

These keys are probably all right, but since the file is missing, you might want to check and fix them anyway:

R3 - Default URLSearchHook is missing
O2 - BHO: Nothing - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - F:\WINDOWS\system32\hpD3C6.tmp (file missing)

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Program Files\PartyPoker\PartyPoker.exe (file missing)

O18 - Protocol: x-excid - {9D6CC632-1337-4A33-9214-2DA092E776F4} - f:\WINDOWS\Downloaded Program Files\mimectl.dll

Let me know if the problem still exists - preferably with a new HijackThis log in case I missed something.
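The reply above picks out log entries by one criterion: the item still points at a file that is no longer there ("file missing" / "is missing"). As an added example (not code from the thread or from the HijackThis project), here is a small parser for the R/O item lines of a HijackThis log that applies that same criterion, plus one extra heuristic of my own that the thread does not state: a Run entry whose executable carries the name of a core Windows system process (csrss.exe, smss.exe, winlogon.exe, lsass.exe, services.exe, svchost.exe) but lives outside the Windows directory is worth a second look, since those binaries normally live under %SystemRoot%. The sample input is a handful of item lines copied from the log posted in this thread; the flagged output is "review this", not a verdict that the entry is malicious.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: nine item lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: Nothing - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - F:\WINDOWS\system32\hpD3C6.tmp (file missing)
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Utmc] "F:\PROGRA~1\COMMON~1\SSEMBL~1\csrss.exe" -vt mt
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "F:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: winupx32 - F:\WINDOWS\SYSTEM32\winupx32.dll
O23 - Service: avast! Mail Scanner - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

# Heuristic assumption (mine, not the thread's): these names belong to core
# Windows processes that normally live under %SystemRoot%.
SYSTEM_BINARIES = {
    "csrss.exe", "smss.exe", "winlogon.exe", "lsass.exe", "services.exe", "svchost.exe",
}

# HijackThis item lines look like "O4 - <body>" or "R1 - <body>"; the
# "Running processes" block and headers do not match and are skipped.
ITEM_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# First drive-letter path ending in .exe inside an item body (quoted or not).
EXE_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.exe)', re.IGNORECASE)


def parse_items(text):
    """Return (section, body) pairs for every R/O item line in the log text."""
    items = []
    for raw in text.splitlines():
        m = ITEM_RE.match(raw.strip())
        if m:
            items.append((m.group("section"), m.group("body")))
    return items


def review(text):
    """Return (section, reason, body) for every item that deserves a look."""
    findings = []
    for section, body in parse_items(text):
        # Criterion from the thread: the item references something that is no
        # longer present ("(file missing)" or "... is missing").
        if "missing" in body.lower():
            findings.append((section, "missing target", body))
            continue
        # Added heuristic: a system-process name loaded from outside \WINDOWS\.
        m = EXE_RE.search(body)
        if m:
            path = m.group(1)
            name = PureWindowsPath(path).name.lower()
            if name in SYSTEM_BINARIES and "\\windows\\" not in path.lower():
                findings.append(
                    (section, "system binary name outside Windows directory", body)
                )
    return findings


if __name__ == "__main__":
    for section, reason, body in review(SAMPLE_LOG):
        print(f"{section:<4} [{reason}] {body}")
```

Run on the sample, the parser lists the R3, O2, O9 (ComcastHSI), O18 and O23 entries for their missing targets, and the "Utmc" O4 entry for the second heuristic; the avast!, AIM and O20 lines pass both checks and are not listed. To use it on a full log, read the saved HijackThis text file and pass its contents to review().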
Old 04-20-06, 08:05 AM
  #3  
DVD Talk Limited Edition
 
Join Date: Feb 2002
Location: On the penis chair
Posts: 5,169
Likes: 0
Received 0 Likes on 0 Posts
OK, upon further research it seems that this key looks bad too:

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/17bbc2b...ip/RdxIE601.cab
Old 04-20-06, 01:08 PM
  #4  
HN
DVD Talk Hall of Fame
 
Join Date: Oct 1999
Location: Los Angeles, CA
Posts: 8,359
Likes: 0
Received 0 Likes on 0 Posts
From a quick glance, I see WeatherBug. With the multiple security measures you have in place, I believe you are defeating them by having WeatherBug.
Old 04-20-06, 11:55 PM
  #5  
Senior Member
 
Join Date: Sep 2005
Posts: 674
Likes: 0
Received 0 Likes on 0 Posts
Why would you have him remove Party Poker? I haven't looked thoroughly through the log, but unless it is some unlicensed copy or something wrong with it, there is no spyware/adware/etc of any type associated with that program.
Old 04-21-06, 12:47 AM
  #6  
HN
DVD Talk Hall of Fame
 
Join Date: Oct 1999
Location: Los Angeles, CA
Posts: 8,359
Likes: 0
Received 0 Likes on 0 Posts
Originally Posted by hiccup
Why would you have him remove Party Poker? I haven't looked thoroughly through the log, but unless it is some unlicensed copy or something wrong with it, there is no spyware/adware/etc of any type associated with that program.
It looks like PartyPoker may have already been removed and there are some calls to the file that are still in the system.
Old 04-21-06, 06:29 PM
  #7  
DVD Talk Limited Edition
Thread Starter
 
Join Date: Jul 2000
Location: Land of the Micro-Brew...Portland
Posts: 5,845
Likes: 0
Received 0 Likes on 0 Posts
Thanks Eedoon for the help. I think with your help and some from other sites I pretty much have a handle on it.
