Hijackthis LOG

Logfile of HijackThis v1.99.1
Scan saved at 4:31:33 PM, on 7/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Paltalk Messenger\paltalk8.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\palstart.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Kashif\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daniweb.com/techtalkforums/threadedpost137669.html#post137669
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\system32\HDBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - Global Startup: palstart.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120493055453
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{14731893-7A21-4660-8D67-3DCFD1412569}: NameServer = 69.50.176.196,195.225.176.110
O17 - HKLM\System\CS1\Services\Tcpip\..\{14731893-7A21-4660-8D67-3DCFD1412569}: NameServer = 69.50.176.196,195.225.176.110
O17 - HKLM\System\CS2\Services\Tcpip\..\{14731893-7A21-4660-8D67-3DCFD1412569}: NameServer = 69.50.176.196,195.225.176.110
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - Unknown owner - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE (file missing)

I'm new to these forums and am very stupid, I hope I didn't post this in the wrong spot... I was just following instructions from another post. Anyway, I got this error randomly that looks like this:

Windows Security Center
-----------------------

WARNING: Windows Firewall detected suspicious network
activity on your computer. Malicious software codes try
to steal your privacy information, such as credit card
numbers, electronic mail accounts, financial data or
passwords.

Do you want to learn how to protect your computer?

[YES] [NO]

Can anyone help me?

kobit

Newbie Poster

1 post since Jul 2005

Reputation Points: 10

Solved Threads: 0

6 Years Ago

1. Are you sure that is a full and complete log from a scan done while Windows was booted normally (not booted into Safe Mode)? It looks pretty "short on content" for a normal XP system running in normal mode.

If you did do the HijackThis scan in Safe Mode for some reason, please scan while booted normally and post that log; a Safe Mode scan doesn't reveal everything.

2. The following entries in your log indicate a DNS hijack.

O17 - HKLM\System\CCS\Services\Tcpip\..\{14731893-7A21-4660-8D67-3DCFD1412569}: NameServer = 69.50.176.196,195.225.176.110
O17 - HKLM\System\CS1\Services\Tcpip\..\{14731893-7A21-4660-8D67-3DCFD1412569}: NameServer = 69.50.176.196,195.225.176.110
O17 - HKLM\System\CS2\Services\Tcpip\..\{14731893-7A21-4660-8D67-3DCFD1412569}: NameServer = 69.50.176.196,195.225.176.110

What that basically means is that a virus/trojan has forced your computer to look up website locations by using malicious/bogus DNS servers instead of using your ISP's real DNS servers. The damage done there is that when try to visit www.microsoft.com or any other legit URL, you could instead end up at www.reallysickporn.com . Fun, eh?

3. The "Security Center" warning is almost certainly bogus. If you click on the "Yes" button in the warning, you'll probably be sent to some site advertising bogus "anti-spyware" software, a porn site, or maybe both.

Please do the following to get some (and hopefully all) of the nasties cleaned up:

A) Run at least two or three of the following free online anti-virus/anti-spyware scans and let them fix what they can (on some of the sites you may need to select the "auto clean" or similar option):

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php

B) Download the trial version of Ewido Security Suite from here:
http://www.ewido.net/en/download/

- Install it, and while installing, under Additional Options, uncheck Install background guard and Install scan via context menu.

- From the main Ewido screen, click on Update in the left menu, and then click the Start update button. After the update finishes (the status bar at the bottom will display Update successful), close the program (don't scan yet). If you have problems updating see here:
http://www.ewido.net/en/download/updates/

Note -- When you do run Ewido for the first time, you will get a warning Database could not be found!, click OK when you do; the message is non-critical.

2. Reboot into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up) and run a full scan with ewido.
Save the log it generates; you'll need to post it in your next response here.

C) Reboot Windows normally and run HijackThis again. Post the new HJT log, as well as the scan log that ewido gave you.

DMR

Wombat At Large

Team Colleague

7,229 posts since Dec 2003

Reputation Points: 221

Solved Threads: 370

This article has been dead for over three months

You