Here is my friend's HijackThis log. I'm trying to fix his comp without doing a total reinstall.

Logfile of HijackThis v1.98.2
Scan saved at 8:46:26 PM, on 9/7/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\av.exe
C:\WINDOWS\mlmcvchk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\WindowsSA\omniscient.exe
C:\WINDOWS\System32\chtjmpic.exe
C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
C:\windows\winstart32.exe
C:\windows\system\aconti32.com
C:\WINDOWS\System32\realupd.exe
C:\WINDOWS\System32\nvsvc32.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\msapsspc.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\WINDOWS\system32\s3ovrlay.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kpgrmsmeftuiwtyrasgpuq.us/I1MLjrLTCJ_oxvCTPJtWZTUnr7stkbEUCkLmdvaa7nY.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.dbmmhuuxqjpspsrefvt.com/I1MLjrLTCJ8i4f/MeDiPEjaJXBx7Q5XwHabTbq2SetxaPB/lUtQzev5XrdIxKpUa.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://shell.windows.com/fileassoc/0409/xml/redir.asp?Ext=?ÃA????
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\COMMON~2\ADDRES~1\cnbabe.dll
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: IE Search Bar - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - (no file)
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O2 - BHO: brdg Class - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\Downloaded Program Files\bridge.dll
O2 - BHO: IEFriendly Class - {A5483501-070C-41DD-AF44-9BD8864B3015} - C:\Program Files\Httper\httper.dll
O2 - BHO: (no name) - {B2003905-52EA-5B0B-4BE1-72828178488D} - C:\PROGRA~1\ITCHPI~1\enc bolt.exe
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Antivirus] C:\WINDOWS\av.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [qrnjnumk] C:\WINDOWS\mlmcvchk.exe
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O4 - HKLM\..\Run: [Desksite CMA] C:\Program Files\desksite\bin\cma.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [junkwindow] C:\PROGRA~1\FILEUP~1\ping trust.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
O4 - HKLM\..\Run: [web4modemp3] C:\Documents and Settings\All Users\Application Data\softsectweb4\CashFlaw.exe
O4 - HKLM\..\Run: [systray] C:\WINDOWS\System32\a.exe
O4 - HKLM\..\RunOnce: [WildTangent CDA Uninstall0] C:\WINDOWS\System32\cmd.exe /c rd /q /s C:\PROGRA~1\WILDTA~1\Apps\CDA
O4 - HKCU\..\Run: [Winstart] C:\windows\winstart32.exe
O4 - HKCU\..\Run: [aconti32] C:\windows\system\aconti32.com
O4 - HKCU\..\Run: [RealUpdater] C:\WINDOWS\System32\realupd.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msapsspc] C:\WINDOWS\System32\msapsspc.exe
O4 - HKCU\..\Run: [System Soap Pro] C:\PROGRA~1\SYSTEM~1\soap.exe min
O4 - HKCU\..\Run: [s3ovrlay] C:\WINDOWS\system32\s3ovrlay.exe
O4 - HKCU\..\RunServices: [Winstart] C:\windows\winstart32.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: restart_vs.lnk = D:\Viewsonic.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://www2.flingstone.com/cab/2000XP/bridge.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {D1B80EBF-1A26-4FEC-B0B9-DCB934C6507E} - http://dialup.carpediem.fr/CABS/cd/1,0,3,8/us/AccesMembre.cab
O18 - Protocol hijack: cn - {9346A6BB-1ED0-4174-AFB4-13CD4EC0AA40}


R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: IE Search Bar - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - (no file)
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)

Ones I saw off the top of my head.

There's enough virii, worms, and spyware in that to sink a...umm...anyway...

Yup, tons. You need one of the heroes... err... experts. Google some of those filenames; you'll be surprised at the worms on that thing. (Actually, you hang out here, you probably won't be surprised at all, lol!) ;)

I won't be surprised; I know how much this kid has messed up his computer. I got rid of some spyware (ran Ad-Aware, 700 detected), then I fixed some registry files (Registry Mechanic, close to 400), got SpywareBlaster, switched his browser from IE to Mozilla Firefox, cleaned out some old registry files and got rid of some programs that he had that don't work. So I pretty much gave his system half of an overhaul in 20 minutes to an hour. See, someone had gone on his computer while he was away all summer, and these people who were watching his house left it on for who knows how long. And I know because an automatic update finished where, if he was there, he would have cancelled it (I got like 80 for all except SP2; I didn't need more hassle right now).

Also, he is the only user on his computer, but somehow it says that the admin has turned off access to Task Manager.

And how do you increase the signal strength on a wireless router?

I know this is a lot of questions and I thank you for any help; it's just this kid really needs to learn how to take care of his PC, which can't take much more.

Run Spybot and Ad-Aware first. In addition to what Killer suggested, all the red.clientapps should be deleted. Scan again and post a new log for one of the gurus to review. Your friend might also want to install SpywareBlaster to help prevent further infections.


I did some of those things. I still have to do a Spybot scan, but I don't know if you just posted this at the exact same time as my post; if not, please read the posts before offering a suggestion. It's sort of hard to get answers when you have to repeat yourself.

No disrespect.

Try www.sysinfo.org; that's where most check their HJT logs against. It's got a fairly complete list of BHOs and startup items, and for anything you can't find, just Google it.


I'm adding that one to my favorites, Thanks, KT.

switched his browser from IE to mozilla firefox

I would suggest leaving his browser the same. Really, I use IE and I haven't got an infection on my computer for months, just some cookies here or there. But I have a pretty good setup on my machine also:

Ad-Aware
Spybot Search & Destroy
SpywareBlaster
SpywareGuard
Norton SystemWorks

With that setup I've been clean for months, and I haven't had to worry much, if at all, about any infections. For popups, I like Google Toolbar. Stops 'em, and I can search when I'm at a site, which I happen to use a lot more than I thought I ever would.

:!:

I did some of those things. I still have to do a Spybot scan, but I don't know if you just posted this at the exact same time as my post; if not, please read the posts before offering a suggestion. It's sort of hard to get answers when you have to repeat yourself.

No disrespect.

Yeah, we were both posting at the same time (two minutes apart); that wasn't there when I was typing my reply.

700 detected by Ad-Aware!!!? :!:

Killer_typo, thanks for the link, and I know IE can be used if you know how to maintain your system, but this kid isn't on the cutting edge of computer protection.

Also, you should check the Run section of his computer; chances are that's riddled with viruses also.

Start > Run > type "regedit" without the quotes

then navigate to the key

HKEY_LOCAL_MACHINE > Software > Microsoft > Windows > CurrentVersion > Run, and look in there. On my machine, I only have about 3 or 4 things, and most all of them are related to Norton tools. In fact, all of them are Norton startup items except one item, and it's server.exe with the name Registry. So it should be fairly little on the number of things in the Run section. 5 or 6 at the most.
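Two of the checks in this thread (the first reply's "(no file)" entries, and the last reply's advice to look at what is in the Run key) can be done against the HJT log itself instead of by eye. The script below is an added example written for this thread; it is not HijackThis code and not anything a poster supplied. It parses the HijackThis line format (section code, " - ", body) and applies a few review heuristics: orphaned registrations with no file on disk, a Winlogon UserInit value that is not the default userinit.exe, browser start/search URLs whose host is outside a reviewer-supplied trusted list, and Run entries whose image sits directly in the Windows folder, carries a vowel-free random-looking name, or lives under the rarely used HKCU RunServices key. The sample log lines, the trusted-host list (hpwis.com, yahoo.com, the HP and Yahoo defaults visible in the posted log) and the naming heuristic are all constructed assumptions; the output is a list of things to look up (on sysinfo.org or by Googling, as the thread suggests), not a verdict.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a handful of lines in HijackThis v1.98 log format, modelled on
# the kinds of entries in the thread's log (section codes and path layout are the same).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kpgrmsmeftuiwtyrasgpuq.us/I1MLjrLTCJ.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: IE Search Bar - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [Antivirus] C:\WINDOWS\av.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [qrnjnumk] C:\WINDOWS\mlmcvchk.exe
O4 - HKCU\..\RunServices: [Winstart] C:\windows\winstart32.exe
"""

# HJT entry line: "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [name] command"
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Body of an O4 line: hive, Run/RunOnce/RunServices key, [value name], command line
O4_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
USERINIT_RE = re.compile(r"UserInit=(?P<path>[^,]+)", re.IGNORECASE)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)', re.IGNORECASE)
# A file directly in the Windows folder (no subfolder), e.g. C:\WINDOWS\av.exe
WINDOWS_ROOT_RE = re.compile(r"^[A-Z]:\\windows\\[^\\]+$", re.IGNORECASE)
VOWELS = set("aeiouy")


def parse(log_text):
    """Yield (section_code, body) for every HJT entry line; other lines are ignored."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("kind"), m.group("body")


def image_path(cmd):
    """Best-effort file a Run entry launches: the DLL for rundll32 hosts, otherwise the
    first (possibly quoted) token of the command line. Heuristic, not a verdict."""
    cmd = cmd.strip()
    m = RUNDLL_RE.match(cmd)
    if m:
        return m.group("dll").strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(None, 1)[0] if cmd else ""


def looks_random(stem):
    """Six or more letters with no vowel at all: a weak signal for generated names
    (assumed heuristic, e.g. qrnjnumk / mlmcvchk in the posted log)."""
    return len(stem) >= 6 and stem.isalpha() and not (set(stem.lower()) & VOWELS)


def triage(log_text, trusted_hosts=("hpwis.com", "yahoo.com")):
    """Return a list of (section_code, reason, line) items that deserve a closer look."""
    findings = []
    for kind, body in parse(log_text):
        line = f"{kind} - {body}"
        if body.endswith("(no file)"):
            findings.append((kind, "registered object has no file on disk (orphan)", line))
            continue
        if kind in ("R0", "R1") and " = http" in body:
            host = urlparse(body.split(" = ", 1)[1]).hostname or ""
            if not any(host == h or host.endswith("." + h) for h in trusted_hosts):
                findings.append((kind, f"browser setting points at untrusted host {host}", line))
        elif kind == "F2":
            m = USERINIT_RE.search(body)
            if m and not m.group("path").strip().lower().endswith("userinit.exe"):
                findings.append((kind, "Winlogon UserInit replaced (default is userinit.exe)", line))
        elif kind == "O4":
            m = O4_RE.match(body)
            if not m:
                continue
            path = image_path(m.group("cmd"))
            stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            reasons = []
            if WINDOWS_ROOT_RE.match(path):
                reasons.append("image sits directly in the Windows folder")
            if looks_random(stem) or looks_random(m.group("name")):
                reasons.append("random-looking name")
            if m.group("hive") == "HKCU" and m.group("key") == "RunServices":
                reasons.append("HKCU RunServices is rarely used by legitimate software")
            if reasons:
                findings.append((kind, "; ".join(reasons), line))
    return findings


if __name__ == "__main__":
    for kind, reason, line in triage(SAMPLE_LOG):
        print(f"[{kind}] {reason}\n    {line}")
```

Run it against a saved HJT log by passing the file's text to triage(). Note what the heuristics miss on purpose: the bridge.dll RunDLL entry is not flagged because it lives in a subfolder and has an ordinary name, which is exactly why the thread's advice to look each remaining filename up still applies after any scripted pass.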
