|
| ||
| New HJT log, pls help me to clean up Logfile of HijackThis v1.99.1 Scan saved at 9:10:18 a.m., on 24/03/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\AVPersonal\AVGUARD.EXE C:\Program Files\AVPersonal\AVWUPSRV.EXE C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\Program Files\Microsoft AntiSpyware\gcasServ.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\PROGRA~1\DAP\DAP.EXE C:\Program Files\AVPersonal\AVGNT.EXE C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe C:\Program Files\BitComet\BitComet.exe C:\Program Files\MSN Messenger\msnmsgr.exe c:\progra~1\intern~1\iexplore.exe C:\Program Files\Real\RealOne Player\RealPlay.exe C:\Download\Spyware & Anti-virus Programmes\HijackThis.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: Ad Annihilator Kernel - {D880FC15-AF5D-4929-9FB5-F06D01CDF70C} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll O3 - Toolbar: &Ad Annihilator - {B2A8E0D7-5764-433D-A89B-2332B9D9BE00} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Ball Peak] C:\DOCUME~1\Yuyin\APPLIC~1\OBJCOR~1\ACTIVE TEST POKE.exe O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html O8 - Extra context menu item: [Add to organizer] - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3250 O8 - Extra context menu item: [Block this banner] Ctrl+Alt+B - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3245 O8 - Extra context menu item: [Block this popup] Ctrl+Alt+K - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3256 O8 - Extra context menu item: [Find blocking filter] Ctrl+Alt+F - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3254 O8 - Extra context menu item: [Find this resource in resource list] Ctrl+Alt+L - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3253 O8 - Extra context menu item: [Locate target document] - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3255 O8 - Extra context menu item: [Open all links] - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3247 O8 - Extra context menu item: [Resume resource loading] Ctrl+Alt+R - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3251 O8 - Extra context menu item: [Show/hide menu and toolbars] Ctrl+Alt+M - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3252 O8 - Extra context menu item: [Unblock this banner] Ctrl+Alt+U - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3246 O8 - Extra context menu item: [Unblock this popup] Ctrl+Alt+A - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3257 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll O9 - Extra button: (no name) - {5300D45F-2512-49DB-80D2-804A75E65664} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL O9 - Extra 'Tools' menuitem: Ad Annihilator Toolbar - {5300D45F-2512-49DB-80D2-804A75E65664} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE O9 - Extra button: Ad Annihilator Options - {8131EDD7-9F34-4F7E-8B18-708D21B32888} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL O9 - Extra 'Tools' menuitem: Ad Annihilator Options - {8131EDD7-9F34-4F7E-8B18-708D21B32888} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: *.frame.crazywinnings.com O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM) O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by2fd.bay2.hotmail.msn.com/re...s/MsnPUpld.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe |
| ||
| Re: New HJT log, pls help me to clean up Hi, I have seen couple of hjt requests. Actually it is fairly simple to analyse your HJT log using www.castlecops.com/HijackThis.html . Simply go to the site and for each entry in your HJT log identify to which category it belongs. e.g. if O2 then follow the next step on the site --- TonyK's BHO & Toolbar List -- Using this you can yourself analyze your HJT log. cheers, aj.wh.ca |
| ||
| Re: New HJT log, pls help me to clean up Go to C:\Program Files\BitComet and right-click on BitComet.exe and choose 'Scan for viruses' Do you know what this is for? O4 - HKCU\..\Run: [Ball Peak] C:\DOCUME~1\Yuyin\APPLIC~1\OBJCOR~1\ACTIVE TEST POKE.exe If not, see if you can find what folder it is in, then right-click on the .exe file, go to Properties, and post whatever info you can find on it If you didn't put these in your 'Trusted Zone,' have HJT fix them: O15 - Trusted Zone: *.frame.crazywinnings.com O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM) Reboot, close all browser windows, scan with HJT, post a new log, and describe what problem(s) you are having. |
| ||
| Re: New HJT log, pls help me to clean up Thanks dlh6213, There is no virus in BitComet.exe Properties of ACTIVE TEST POKE.exe: File Type: Application ACTIVE TEST POKE Size: 236 KB Created: 15 January 2005 Modified 24 March 2005 O15 - Trusted Zone: *.frame.crazywinnings.com O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM) Already fixed with HJT Are these enough infor for you? New HJT log: Logfile of HijackThis v1.99.1 Scan saved at 5:18:23 p.m., on 25/03/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\savedump.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\Program Files\Microsoft AntiSpyware\gcasServ.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\PROGRA~1\DAP\DAP.EXE C:\Program Files\AVPersonal\AVGNT.EXE C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe c:\progra~1\intern~1\iexplore.exe C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe C:\Program Files\AVPersonal\AVGUARD.EXE C:\Program Files\AVPersonal\AVWUPSRV.EXE C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe C:\Download\Spyware & Anti-virus Programmes\HijackThis.exe C:\WINDOWS\system32\wuauclt.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: Ad Annihilator Kernel - {D880FC15-AF5D-4929-9FB5-F06D01CDF70C} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file) O3 - Toolbar: &Ad Annihilator - {B2A8E0D7-5764-433D-A89B-2332B9D9BE00} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [Bin Two Mode Upload] C:\Documents and Settings\All Users.WINDOWS\Application Data\WebFunkBinTwo\DEBUG PHONE.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Ball Peak] C:\DOCUME~1\Yuyin\APPLIC~1\OBJCOR~1\ACTIVE TEST POKE.exe O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html O8 - Extra context menu item: [Add to organizer] - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3250 O8 - Extra context menu item: [Block this banner] Ctrl+Alt+B - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3245 O8 - Extra context menu item: [Block this popup] Ctrl+Alt+K - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3256 O8 - Extra context menu item: [Find blocking filter] Ctrl+Alt+F - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3254 O8 - Extra context menu item: [Find this resource in resource list] Ctrl+Alt+L - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3253 O8 - Extra context menu item: [Locate target document] - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3255 O8 - Extra context menu item: [Open all links] - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3247 O8 - Extra context menu item: [Resume resource loading] Ctrl+Alt+R - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3251 O8 - Extra context menu item: [Show/hide menu and toolbars] Ctrl+Alt+M - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3252 O8 - Extra context menu item: [Unblock this banner] Ctrl+Alt+U - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3246 O8 - Extra context menu item: [Unblock this popup] Ctrl+Alt+A - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3257 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll O9 - Extra button: (no name) - {5300D45F-2512-49DB-80D2-804A75E65664} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL O9 - Extra 'Tools' menuitem: Ad Annihilator Toolbar - {5300D45F-2512-49DB-80D2-804A75E65664} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL O9 - Extra button: Ad Annihilator Options - {8131EDD7-9F34-4F7E-8B18-708D21B32888} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL O9 - Extra 'Tools' menuitem: Ad Annihilator Options - {8131EDD7-9F34-4F7E-8B18-708D21B32888} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: *.frame.crazywinnings.com O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM) O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by2fd.bay2.hotmail.msn.com/re...s/MsnPUpld.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe |
| ||
| Re: New HJT log, pls help me to clean up I can't find any info on Ball Peak or ACTIVE TEST POKE, which leads me to believe it's not a legit program. If you don't think you installed anything related to this, I would suggest removing it, but you may wish to do more research yourself or wait for confirmation from someone else here one way or the other. What folder is this in, by the way? I also see you are using DAP which is not technically malware, but it may allow it into your system. I would strongly recommend uninstalling it. Scan with HJT and have it fix the following entries: O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file) O4 - HKLM\..\Run: [Bin Two Mode Upload] C:\Documents and Settings\All Users.WINDOWS\Application Data\WebFunkBinTwo\DEBUG PHONE.exe O15 - Trusted Zone: *.frame.crazywinnings.com O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM) Be sure all windows are closed, other the HJT, before hitting the Fix button Go to the following and remove the highlighted folder (if found): C:\Documents and Settings\All Users.WINDOWS\Application Data\WebFunkBinTwo (That All Users.WINDOWS is an unusual folder, you may want to have a look to see what else is in there; it could be that whole folder should be deleted) For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves): Local Settings\Temp Cookies History Local Settings\Temporary Internet Files\Content.IE5 Delete the entire contents of your C:\Windows\Temp folder. Delete the entire contents of your C:\Temp folder (if you have one). Do a search for *.tmp and delete all entries found. (Note: if any of these temporary files cannot be deleted while in ‘normal mode,’ try Safe Mode. Empty your Recycle Bin. Reboot, close any open browser windows, scan with HJT and post a new log please. |
| ||
| Re: New HJT log, pls help me to clean up Thanks dlh6213. I have run HJT and fixed : O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file) O4 - HKLM\..\Run: [Bin Two Mode Upload] C:\Documents and Settings\All Users.WINDOWS\Application Data\WebFunkBinTwo\DEBUG PHONE.exe O15 - Trusted Zone: *.frame.crazywinnings.com O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM) But the last two still appear when I run HJT again. Should they be there? I checked and found under the folder All Users.WINDOWS: Application: +Adobe Acrobat 7.0 +Ahead NeroDigital +CyberLink +Hypebar +locksbowsstupidextra +Microsoft +Microsoft Help +MSN Messenger7.0.0429 +QuickTime +Spybot - Search&Destroy +Trymedia +WebFunkBinTwo Destop: Favorites: Shared Documents: Start Menu: Templates: Can I delete all contents and not affecting my operations of the computer? There is also a Default User.WINDOWS folder in Documents & Settings folder, together with other folders which I believe I didn't create. Is is safe to delete all those folders? I open the User Accounts in Control Panel but can only see three accounts namely Games, JK and Guest. I see more in Documents & Settings. Can you explain? Pls comment and I will do the rest and report back with new HJT log. Fox |
| ||
| Re: New HJT log, pls help me to clean up just a note ,bitcomet is a torrent download tool !Safe |
| ||
| Re: New HJT log, pls help me to clean up Quote:
1. Delete the following two folders entirely; they were created as part of the infection: C:\DOCUME~1\Yuyin\APPLIC~1\OBJCOR~1 C:\Documents and Settings\All Users.WINDOWS\Application Data\WebFunkBinTwo 2. You'll probably have to edit your Registry to get rid of the "crazywinnings" entries; they'll just keep reappearing if you don't. - First, remove the site from your Trusted Zone: Start Internet Explorer, click Internet Options on the Tools menu, and then click the Security tab. Click Trusted Sites, and then click Sites. Click the "crazywinnings" site, and then click Remove - Click on the "Run..." option under your Start menu, type "regedit" (omit the quotes) in the resulting "Open:" window, and hit OK. This will open the Registry Editor program. - In the editor, press F3 to bring up the Find window, type crazywinnings in the find box, and hit enter. There may be more than one "crazywinnings" entry, so you need to keep repeating the find until you get the message "finished searching through the registry". Delete all instances of "crazywinnings" entries you find. Do not deleteor modify anything else in the registry!!! |
| ||
| Re: New HJT log, pls help me to clean up I can't delete C:\Documents and Settings\All Users.WINDOWS\Application Data\WebFunkBinTwo, it says it is being used by another person or program. But I can't see what program is using this DEBUG.PHONE |
| ||
| Re: New HJT log, pls help me to clean up This is my new HJT log. Is there anything I need to fix? Logfile of HijackThis v1.99.1 Scan saved at 10:09:44 a.m., on 4/04/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\savedump.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\AVPersonal\AVGUARD.EXE C:\Program Files\AVPersonal\AVWUPSRV.EXE C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\Program Files\Microsoft AntiSpyware\gcasServ.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\PROGRA~1\DAP\DAP.EXE C:\Program Files\AVPersonal\AVGNT.EXE C:\WINDOWS\system32\ctfmon.exe c:\progra~1\intern~1\iexplore.exe C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe C:\WINDOWS\system32\wuauclt.exe C:\Spyware & Anti-virus Programmes\HijackThis.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: Ad Annihilator Kernel - {D880FC15-AF5D-4929-9FB5-F06D01CDF70C} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL O3 - Toolbar: &Ad Annihilator - {B2A8E0D7-5764-433D-A89B-2332B9D9BE00} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Ball Peak] C:\DOCUME~1\Yuyin\APPLIC~1\OBJCOR~1\ACTIVE TEST POKE.exe O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html O8 - Extra context menu item: [Add to organizer] - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3250 O8 - Extra context menu item: [Block this banner] Ctrl+Alt+B - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3245 O8 - Extra context menu item: [Block this popup] Ctrl+Alt+K - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3256 O8 - Extra context menu item: [Find blocking filter] Ctrl+Alt+F - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3254 O8 - Extra context menu item: [Find this resource in resource list] Ctrl+Alt+L - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3253 O8 - Extra context menu item: [Locate target document] - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3255 O8 - Extra context menu item: [Open all links] - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3247 O8 - Extra context menu item: [Resume resource loading] Ctrl+Alt+R - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3251 O8 - Extra context menu item: [Show/hide menu and toolbars] Ctrl+Alt+M - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3252 O8 - Extra context menu item: [Unblock this banner] Ctrl+Alt+U - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3246 O8 - Extra context menu item: [Unblock this popup] Ctrl+Alt+A - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3257 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll O9 - Extra button: (no name) - {5300D45F-2512-49DB-80D2-804A75E65664} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL O9 - Extra 'Tools' menuitem: Ad Annihilator Toolbar - {5300D45F-2512-49DB-80D2-804A75E65664} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL O9 - Extra button: Ad Annihilator Options - {8131EDD7-9F34-4F7E-8B18-708D21B32888} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL O9 - Extra 'Tools' menuitem: Ad Annihilator Options - {8131EDD7-9F34-4F7E-8B18-708D21B32888} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by2fd.bay2.hotmail.msn.com/re...s/MsnPUpld.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe |
| All times are GMT -4. The time now is 8:08 pm. |
Forum system based on vBulletin Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
©2003 - 2009 DaniWeb® LLC