DaniWeb IT Discussion Community

-   -   My HiJackThis Log (http://www.daniweb.com/forums/thread12271.html)

EdDLicious Oct 11th, 2004 5:10 pm
My HiJackThis Log
 
Ok, so I've run both the most current version of adaware - and trendmicro's housecall - both in safe mode - and despite these efforts, as well as checking the registry for any odd entries in /run - I am still having pop-up issues...

Can someone please examine my log?

Logfile of HijackThis v1.98.2
Scan saved at 4:05:29 PM, on 10/11/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINNT\SYSTEM32\m?iexec.exe
C:\WINNT\system32\taskmgr.exe
E:\- Programs -\Administrative\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\gotiu.dll/sp.html#12802
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\gotiu.dll/sp.html#12802
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\jmvys.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\jmvys.dll/sp.html#12802
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\gotiu.dll/sp.html#12802
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\jmvys.dll/sp.html#12802
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Assent
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {6BF86F2B-EE35-7CC4-D05A-62550CF6293F} - C:\WINNT\system32\ixyuhla.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchmiracle.com
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_fi...a29296baabe1d6
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/fu...tup1.0.0.8.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {D18B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://www.slotchbar.com/ist/softwar...ist_remove.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = [private].com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = [private].com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = [private].com

Looking at the log file again, I notice a few questionable lines - but would like to double check. Thank you very much.
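As an added example (not from the thread, and not part of HijackThis itself), here is a small Python triage pass that applies the checks the replies in this thread make by eye: a "?" in a running-process name, a search page pointing into a res:// DLL resource, an unnamed BHO or toolbar, and sites added to the Trusted Zone. The sample log is constructed from a few lines of the log above, and the names `classify` and `triage` are chosen here.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample in the shape of the HijackThis v1.98 log posted above
# (a few lines taken from it, not the whole log).
SAMPLE_LOG = r"""Running processes:
C:\WINNT\system32\svchost.exe
C:\WINNT\SYSTEM32\m?iexec.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\gotiu.dll/sp.html#12802
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {6BF86F2B-EE35-7CC4-D05A-62550CF6293F} - C:\WINNT\system32\ixyuhla.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O15 - Trusted Zone: *.searchmiracle.com
"""

SECTION_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")  # "R1 - ...", "O2 - ..."
PROCESS_RE = re.compile(r"^[A-Za-z]:\\")               # bare path = running process


def classify(line: str) -> Optional[str]:
    """Return why an HJT line deserves a second look, or None if unremarkable."""
    m = SECTION_RE.match(line)
    if m is None:
        # '?' is not a legal filename character on Windows, so it (or any non-ASCII
        # byte) means the real name could not be rendered, as with m?iexec.exe.
        if PROCESS_RE.match(line) and ("?" in line or not line.isascii()):
            return "process path contains a character that cannot be in a real filename"
        return None
    section, body = m.groups()
    if section in ("R0", "R1") and "res://" in body:
        return "IE search/start page redirected into a local DLL resource (res://)"
    if section in ("O2", "O3") and "(no name)" in body:
        return "unnamed BHO/toolbar; legitimate add-ons register a display name"
    if section == "O15":
        return "site added to the IE Trusted Zone, which relaxes security for it"
    return None


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Walk a whole log and return (line, reason) pairs worth asking about."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.endswith(":"):  # skip blanks and "Running processes:"
            continue
        reason = classify(line)
        if reason:
            hits.append((line, reason))
    return hits
```

Running `triage(SAMPLE_LOG)` flags exactly the five lines the replies single out and leaves the Symantec, Google and Yahoo entries alone.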

mikeandike22 Oct 11th, 2004 9:44 pm
Re: My HiJackThis Log
 
This file looks a little strange:
C:\WINNT\SYSTEM32\m?iexec.exe
Mainly the question mark. I would do a virus scan in that folder and see if that picks up this file.

O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchmiracle.com

Did you run HijackThis in safe mode too? Because this looks amazingly short for a comp with pop-up problems.

EdDLicious Oct 12th, 2004 9:16 am
Re: My HiJackThis Log
 
Nope - it was run in normal mode ... I may have unchecked some things from msconfig - which I now see is unrecommended - but if they aren't loaded, I don't see how they could be the cause of the problem.

crunchie Oct 12th, 2004 9:37 am
Re: My HiJackThis Log
 
Can you please download this file from here:

Getservice.zip

Extract the file to the c:\ drive. Then navigate to the c:\getservices folder and double-click on the getservices.bat file. A notepad will open up. Please paste the contents of that notepad into this post.

EdDLicious Oct 12th, 2004 10:30 am
Re: My HiJackThis Log
 
I rechecked every box within msconfig, and reset the PC. Here is the logfile afterwards:

Logfile of HijackThis v1.98.2
Scan saved at 9:05:13 AM, on 10/12/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\system32\internat.exe
E:\- Programs -\Administrative\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\jmvys.dll/sp.html#12802
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\jmvys.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\jmvys.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\jmvys.dll/sp.html#12802
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\jmvys.dll/sp.html#12802
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\jmvys.dll/sp.html#12802
O2 - BHO: (no name) - {6BF86F2B-EE35-7CC4-D05A-62550CF6293F} - C:\WINNT\system32\ixyuhla.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_fi...a29296baabe1d6
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/fu...tup1.0.0.8.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {D18B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://www.slotchbar.com/ist/softwar...ist_remove.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = [private].com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = [private].com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = [private].com


I did a backup, then removed:
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"


Webrebates had already been removed, yet problems continued.
After I removed the above entries, the pop-up problem still showed up - with nothing more than www.briefing.com being open (a very secure site, so I highly doubt it's the culprit).

A few entries that I question:
O2 - BHO: (no name) - {6BF86F2B-EE35-7CC4-D05A-62550CF6293F} - C:\WINNT\system32\ixyuhla.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx


crunchie - I see your post now and when the user is less busy on their PC, I will run this other utility on it and update this thread ASAP.

crunchie Oct 12th, 2004 10:50 am
Re: My HiJackThis Log
 
Also, Download Registrar Lite from here:
http://www.resplendence.com/download/reglite.exe

Put it in its own folder. You may want to keep this program. It is an excellent free registry editor.

Install, run, copy and paste this line to reglite's address bar:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

and hit the "go" tab. Find the "Appinit_Dlls" value on the right side panel, double-click it, then copy and post here the information in the 'Value' field.

EdDLicious Oct 12th, 2004 1:55 pm
Re: My HiJackThis Log
 
Alrighty - well, first things first.

Navigating the Program Files folder - I found a folder that screams spyware:

c:\programfiles\MyWebSearch

Now - the most recent, updated version of AdAware did not find this - so I find that interesting...

But in case this isn't the only culprit, here is the result of the advice above:

a) Reglite showed the value: "AppInit_DLLs" in the value field.

b) The getservice log is quite large... rather than paste it into this thread, here is a direct link to the log file: getservice

dlh6213 Oct 13th, 2004 6:39 am
Re: My HiJackThis Log
 
Go to the Control Panel and in the Add/Remove Programs, uninstall MyWebSearch. You can then delete the folder in c:\Program Files if you like. Next time you scan with HJT, have it fix any entries that have mywebsearch in them (if any).

AppInit_DLLs should be on the side panel, when you double-click it you should get some other information in the Value Field (like ixalhua.dll or some gibberish like that). Try it again.

It's okay to post a getservice log here, but crunchie should be along soon to review your link.

crunchie Oct 13th, 2004 8:28 am
Re: My HiJackThis Log
 
Please do as dlh6213 said. Getservice showed nothing.

EdDLicious Oct 13th, 2004 10:51 am
Re: My HiJackThis Log *Updated*
 
(the below was written when I assumed all was fixed - but just a minute ago, the problem showed up again! the message has been edited to reflect what seemed to be the fix, but now shows it was not)

alrighty - so here's the current situation:

the problem SEEMED to be fixed. In fact, everything was running fine for about 20 minutes, a new record that I thought indicated everything was ok! JUST a second ago, it started with the exact same problem again!

At first, it seems no matter how much I trusted Lavasoft's AdAware - it would not detect what I thought was the cause of this problem. I ran Spybot - and it found:

WebTrends live: Tracking cookie (Internet Explorer: Administrator) (Cookie, nothing done)
WebTrends live: Tracking cookie (Internet Explorer: Administrator) (Cookie, nothing done)

Alexa Related: Link (Replace file, nothing done)
C:\WINNT\Web\RELATED.HTM

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-18636371-1523486670-2959832362-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

FunWeb: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\FunWebProducts

FunWebProducts: Installer (File, nothing done)
C:\WINNT\Downloaded Program Files\f3initialsetup1.0.0.8-2.inf

FunWebProducts: Program directory (Directory, nothing done)
C:\Program Files\MyWebSearch\

FunWebProducts: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}

ICOO Loader: Root class (Registry key, nothing done)
HKEY_CLASSES_ROOT\icoo

Travelocity: Tracking cookie (Internet Explorer: Administrator) (Cookie, nothing done)
Travelocity: Tracking cookie (Internet Explorer: Administrator) (Cookie, nothing done)
Travelocity: Tracking cookie (Internet Explorer: Administrator) (Cookie, nothing done)


I'm a bit disappointed that AdAware did not find these problems - being I’ve always thought of them as the pioneers of spyware removal and prevention.

dlh6213 - I did go to the add/remove panel - but it did not list MyWebSearch as a program that could be removed. After running spybot - it seems that the C:\programfiles\MyWebSearch directory has been removed.

crunchie - Believe it or not, I followed your directions exactly - and in the 'Value' field - it did indeed list "AppInit_DLLs" as the value. Seems odd - but I just triple checked it.

Have I discovered spyware that manages to elude even our best efforts? I'm kind of fresh out of ideas here...

I will list the popups that I see - I unfortunately forgot the name of the first few, but the most recent ones were:

Jimmy Surf Popunder
Freeze Screensavers

