|
| ||
| Need review of HJT log This HJT log is from my son's computer. He has "About:Blank" issues. Can not run windows updates, and his system is very slow even when not running anything. I run the Norton Live Update but it doesnt show it installed. Not sure if the virus scan is actually scanning. Home built PIII-500, Ram:256, Win2k SP4, but needs updates. Please tell me what to delete: Logfile of HijackThis v1.97.7 Scan saved at 8:14:10 PM, on 5/31/2004 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\WINNT\System32\svchost.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\WINNT\system32\stisvc.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\system32\svchost.exe C:\WINNT\System32\svchost.exe C:\WINNT\Explorer.EXE C:\WINNT\system32\CTHELPER.EXE C:\WINNT\system32\atiptaxx.exe C:\PROGRA~1\NORTON~1\navapw32.exe C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe C:\Program Files\QuickTime\qttask.exe D:\Saved from Reload\Downloads C\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\kipeea.dll/sp.html (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\kipeea.dll/sp.html (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\kipeea.dll/sp.html (obfuscated) R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\kipeea.dll/sp.html (obfuscated) R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\kipeea.dll/sp.html (obfuscated) R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\kipeea.dll/sp.html (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank O2 - BHO: (no name) - {021BB032-80A8-4FB6-B3D5-CF27B1553B95} - C:\WINNT\mslagent\4b_1,0,1,0_mslagent.dll (file missing) O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe Reader\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: (no name) - {B4972E7A-89FE-415D-91AA-ABE626BC01CD} - C:\WINNT\system32\kipeea.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [LoadQM] loadqm.exe O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE O9 - Extra button: AIM (HKLM) O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab O16 - DPF: {14325268-79E0-4D2A-89A4-FFFC6E22741E} - http://akamai.downloadv3.com/binarie...rvice_3_EN.cab O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...tup1.0.0.8.cab O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_41.cab O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.imagestation.com/common/c...b?ver=1,1,0,32 O16 - DPF: {48F22476-0F08-43D8-BAA3-83AD77BD2582} (LLInstall Class) - http://142.31.52.223/learnlinc/download/LL7Inst.dll O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.co...haringctrl.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://rtc3.webresponse.one.microsof.../TLIEFlash.CAB O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...955.8841319444 O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab O16 - DPF: {E4961D20-6367-4C75-BCF3-5213C29A827B} (llamapro) - https://www.pimpwar.com/crew/llamapro/llamapro.cab O16 - DPF: {E4961D20-6367-4C75-BCF3-5213C29A827C} (llamapro) - https://www.pimpwar.com/crew/llamapro/llamapro.cab O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw10fd.law10.hotmail.msn.com/...x/HMAtchmt.ocx O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...reShowdown.cab |
| ||
| Re: Need review of HJT log Download dllfix from the following link. http://tools.zerosrealm.com/dllfix.exe Create a folder on your desktop, doubleclick on the dllfix and install it into the folder you just created. 1.Run start.bat and press option 1. 'output.txt' will be created in the folder Post that log back here. |
| ||
| Re: Need review of HJT log Okay here it is.... --==***@@@ FIND-ALL' VERSION MODIFIED -5/27 @@@***==-- --==***@@@ ORIGINAL BY FREEATLAST @@@***==-- Tue 06/01/2004 12:40p System Info: Microsoft Windows 2000 [Version 5.00.2195] C: "KAMRON" (0C58:18E6) - FS:FAT clusters:8k Total: 13 558 415 360 [13G] - Free: 8 634 073 088 [8.0G] *IE version and Service packs: 6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe *Notepad version : 5.0.2140.1 C:\WINNT\system32\notepad.exe 5.0.2140.1 C:\WINNT\notepad.exe ! REG.EXE VERSION 2.0 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings MinorVersion REG_SZ ;SP1;Q824145;Q330994; Locked or 'Suspect' file(s) found... \\?\C:\WINNT\System32\INETRES.DLL +++ File read error \\?\C:\WINNT\System32\INETRES.DLL +++ File read error REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLs"="" "DeviceNotSelectedTimeout"="15" "GDIProcessHandleQuota"=dword:00002710 "Spooler"="yes" "swapdisk"="" "TransmissionRetryTimeout"="90" "USERProcessHandleQuota"=dword:00002710 REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] @="" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{021BB032-80A8-4FB6-B3D5-CF27B1553B95}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}] @="NAV Helper" REGEDIT4 [HKEY_CLASSES_ROOT\PROTOCOLS\Filter] [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream] "CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}" [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus] "CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}" [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload] "CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}" [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler] @="AP Class Install Handler filter" "CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}" [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate] @="AP Deflate Encoding/Decoding Filter " "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}" [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip] @="AP GZIP Encoding/Decoding Filter " "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}" [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml] @="AP lzdhtml encoding/decoding Filter" "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}" [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml] @="WebView MIME Filter" "CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}" ! REG.EXE VERSION 2.0 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows AppInit_Dlls REG_SZ *Security settings for 'Windows' key: RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de) This program is Freeware, use it on your own risk! Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: (NI) ALLOW Read BUILTIN\Users (IO) ALLOW Read BUILTIN\Users (NI) ALLOW Read BUILTIN\Power Users (IO) ALLOW Read BUILTIN\Power Users (NI) ALLOW Full access BUILTIN\Administrators (IO) ALLOW Full access BUILTIN\Administrators (NI) ALLOW Full access NT AUTHORITY\SYSTEM (IO) ALLOW Full access NT AUTHORITY\SYSTEM (NI) ALLOW Full access BUILTIN\Administrators (IO) ALLOW Full access CREATOR OWNER Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: Read BUILTIN\Users Read BUILTIN\Power Users Full access BUILTIN\Administrators Full access NT AUTHORITY\SYSTEM Thank you!! |
| ||
| Re: Need review of HJT log Run start.bat again and choose option '2'. You must reboot after doing so. Download and run AdAware : http://www.lavasoft.de/software/adaware/ (make sure you have latest updates) and run it. Post a new hijackthis log after plz. |
| ||
| Re: Need review of HJT log After I ran HJT, I check the ABOUT:BLANK line and fixed it. Here is the the latest HJT showing that line: Logfile of HijackThis v1.97.7 Scan saved at 11:27:01 AM, on 6/2/2004 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\WINNT\System32\svchost.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\WINNT\system32\stisvc.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\system32\svchost.exe C:\WINNT\System32\svchost.exe C:\WINNT\Explorer.EXE C:\WINNT\system32\CTHELPER.EXE C:\WINNT\system32\atiptaxx.exe C:\PROGRA~1\NORTON~1\navapw32.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\QuickTime\qttask.exe C:\WINNT\system32\window.exe C:\Program Files\Internet Explorer\iexplore.exe D:\Saved from Reload\Downloads C\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ebnel.dll/sp.html (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ebnel.dll/sp.html (obfuscated) R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ebnel.dll/sp.html (obfuscated) R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ebnel.dll/sp.html (obfuscated) R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ebnel.dll/sp.html (obfuscated) R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ebnel.dll/sp.html (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank O2 - BHO: (no name) - {021BB032-80A8-4FB6-B3D5-CF27B1553B95} - C:\WINNT\mslagent\4b_1,0,1,0_mslagent.dll (file missing) O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe Reader\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {221E8D90-C439-4297-B84A-EA3291D7CB1A} - C:\WINNT\system32\ebnel.dll (file missing) O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [LoadQM] loadqm.exe O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [mslagent] C:\WINNT\mslagent\mslagent.exe O4 - HKCU\..\Run: [window.exe] C:\WINNT\system32\window.exe O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE O4 - Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html O9 - Extra button: AIM (HKLM) O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab O16 - DPF: {14325268-79E0-4D2A-89A4-FFFC6E22741E} - http://akamai.downloadv3.com/binarie...rvice_3_EN.cab O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...tup1.0.0.8.cab O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_41.cab O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.imagestation.com/common/c...b?ver=1,1,0,32 O16 - DPF: {48F22476-0F08-43D8-BAA3-83AD77BD2582} (LLInstall Class) - http://142.31.52.223/learnlinc/download/LL7Inst.dll O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.co...haringctrl.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://rtc3.webresponse.one.microsof.../TLIEFlash.CAB O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...955.8841319444 O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab O16 - DPF: {E4961D20-6367-4C75-BCF3-5213C29A827B} (llamapro) - https://www.pimpwar.com/crew/llamapro/llamapro.cab O16 - DPF: {E4961D20-6367-4C75-BCF3-5213C29A827C} (llamapro) - https://www.pimpwar.com/crew/llamapro/llamapro.cab O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw10fd.law10.hotmail.msn.com/...x/HMAtchmt.ocx O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...reShowdown.cab :?: What next? |
| ||
| Re: Need review of HJT log :rolleyes: Ooh yes, I forgot to mention, I did run DLLFIX opt 2, then reinstalled Adware6 (again dont know why it was gone), updated it, then scaned. It found some nasties... The following is the DLLFIX output log: CWSDLL/Searchx Appinit Fix By Shadowwar Version 2.01 053104 Please Do not mirror Without Permission! I can be contacted at spywaresubmit at aol.com Wed 06/02/2004 10:55a Backing up Registry Hive The operation completed successfully Deleting Windows Key The operation completed successfully Adding Test Windows Key The operation completed successfully Restoring temp Values Key The operation completed successfully Deleting Bad Appinit Value The operation completed successfully Backup of Modified Hiv The operation completed successfully Deleting test Windows key The operation completed successfully Deleting Filter text Running from C:\Documents and Settings\Kam\Desktop\Desktop\DLL Fix\dllfix Scanning For main hijacker. Found Main Hijacker Dll:C:\WINNT\System32\EBNEL.DLL Md5 tested As 0758CF635DF08AC381962F74832B6484 MD5 Matched known Baddie Deleting Hijacker Dll: C:\WINNT\System32\EBNEL.DLL Succesfully Deleted Scanning For main hijacker. Scanning for Hidden Dll in system32 1st pass File was not found on first Pass. Scanning for Hidden Dll in system32 2nd pass File found was: C:\WINNT\System32\RES.DLL Md5 Check of C:\WINNT\System32\RES.DLL Md5 tested As C185B36F9969D3A6D2122BA7CBC02249 Md5 matched known baddies. Processing and Deleting File. File was successfully Deleted. Adding Back Windows Key The operation completed successfully Restoring Registry Hive The operation completed successfully Restoring Cleaned Appinit Value The operation completed successfully |
| ||
| Re: Need review of HJT log Now you can do this & keep your fingers crossed. This is THE most difficult to remove hijacker at the moment & has a lot of experts working on it. Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked' : R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ebnel.dll/sp.html (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ebnel.dll/sp.html (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ebnel.dll/sp.html (obfuscated) R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ebnel.dll/sp.html (obfuscated) R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ebnel.dll/sp.html (obfuscated) R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ebnel.dll/sp.html (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank O2 - BHO: (no name) - {021BB032-80A8-4FB6-B3D5-CF27B1553B95} - C:\WINNT\mslagent\4b_1,0,1,0_mslagent.dll (file missing) O2 - BHO: (no name) - {221E8D90-C439-4297-B84A-EA3291D7CB1A} - C:\WINNT\system32\ebnel.dll (file missing) O4 - HKCU\..\Run: [mslagent] C:\WINNT\mslagent\mslagent.exe O4 - HKCU\..\Run: [window.exe] C:\WINNT\system32\window.exe O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...etup1.0.0.8.cab Reboot into safe mode following the instructions here & navigate to & delete the following if found: C:\WINNT\mslagent< folder C:\WINNT\system32\window.exe< file This one if found: C:\WINNT\system32\ebnel.dll< file Reboot normally after doing the above then post a fresh log plz. |
| ||
| Re: Need review of HJT log Crunchie: :lol: I very much appreciate the help you have given me and to others. I have learned a lot by reading the threads at the daniweb site, and working this problem through. I hope this works; here is the latest HJT log after completing your instructions. Let me know if there is more. TY, TY, TY! Logfile of HijackThis v1.97.7 Scan saved at 3:13:15 PM, on 6/3/2004 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\WINNT\System32\svchost.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\WINNT\system32\stisvc.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\system32\svchost.exe C:\WINNT\System32\svchost.exe C:\WINNT\Explorer.EXE C:\WINNT\system32\CTHELPER.EXE C:\WINNT\system32\atiptaxx.exe C:\PROGRA~1\NORTON~1\navapw32.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\MSN Messenger\msnmsgr.exe D:\Saved from Reload\Downloads C\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe Reader\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [LoadQM] loadqm.exe O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE O4 - Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html O9 - Extra button: AIM (HKLM) O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab O16 - DPF: {14325268-79E0-4D2A-89A4-FFFC6E22741E} - http://akamai.downloadv3.com/binarie...rvice_3_EN.cab O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_41.cab O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.imagestation.com/common/c...b?ver=1,1,0,32 O16 - DPF: {48F22476-0F08-43D8-BAA3-83AD77BD2582} (LLInstall Class) - http://142.31.52.223/learnlinc/download/LL7Inst.dll O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.co...haringctrl.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://rtc3.webresponse.one.microsof.../TLIEFlash.CAB O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...955.8841319444 O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab O16 - DPF: {E4961D20-6367-4C75-BCF3-5213C29A827B} (llamapro) - https://www.pimpwar.com/crew/llamapro/llamapro.cab O16 - DPF: {E4961D20-6367-4C75-BCF3-5213C29A827C} (llamapro) - https://www.pimpwar.com/crew/llamapro/llamapro.cab O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw10fd.law10.hotmail.msn.com/...x/HMAtchmt.ocx O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...reShowdown.cab |
| ||
| Re: Need review of HJT log UPDATE: Being proactive I read ahead and ran CWShreader which found The Coolweb Trojan lurking in my Windows Media player's exe file. --Can we say"ELIMINATED"! After that, I went to Microsoft.com and was finally able to run all the updates we couldn’t update before!! Yeah! :mrgreen: Then, feeling like riding on a wave of success, I was able to get the Norton virus definitions to finally update!!!! I am now running Stinger 2.2.7 and Norton at the same time. I have to say it feels good to be this far into solution when its been a long hard road to fixing these issues. I cant be more grateful :D |
| ||
| Re: Need review of HJT log You have done a good job there. It appears you have nuked them all!! |
| All times are GMT -4. The time now is 2:10 am. |
Forum system based on vBulletin Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
©2003 - 2009 DaniWeb® LLC