HijackThis log

Question

moose 0 Newbie Poster

19 Years Ago

My Windows XP computer has some errors with delays in opening certain windows e.g. IE, Control Panel .. System, Task Manager. Norton Antivirus gives a clean scan so I suspect spyware. I have run Ad-aware Personal and Spy Sweeper and quarantined all identified potential nasties. Things have got a little better, but still something seems up. I've run HijackThis and would appreciate a review of this and some pointers as to possible culprits and remedial actions from someone more in the know.
Here's the log, can someone please tell me which files need to be deleted.
Thanks in advance.

Logfile of HijackThis v1.97.7
Scan saved at 20:32:26, on 25/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\PROGRA~1\DATACA~1\FLashKsk.exe
F:\WINDOWS\System32\CTHELPER.EXE
F:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\WINDOWS\System32\RUNDLL32.EXE
F:\Program Files\Messenger\MSMSGS.EXE
F:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
F:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
F:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
F:\WINDOWS\System32\CTsvcCDA.EXE
F:\Program Files\Norton AntiVirus\navapsvc.exe
F:\WINDOWS\System32\nvsvc32.exe
F:\Documents and Settings\Richard\My Documents\My Applications\WinZip90\WZQKPICK.EXE
F:\WINDOWS\System32\MsPMSPSv.exe
F:\WINDOWS\System32\wuauclt.exe
F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
F:\Program Files\Internet Explorer\IEXPLORE.EXE
F:\Documents and Settings\Richard\My Documents\My Applications\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.altavista.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://omegasearch.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://omegasearch.com/searchbar.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0F8D71D4-02FD-C2F6-5003-4618BBB78685} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] F:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "F:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DataCaching] F:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [UpdReg] F:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [CTStartup] F:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Jet Detection] F:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] F:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "F:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
O4 - HKCU\..\Run: [SpySweeper] "F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Service Manager.lnk = F:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = F:\Documents and Settings\Richard\My Documents\My Applications\WinZip90\WZQKPICK.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .mpa: F:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/SU/ocx/12119/CTSUEng.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/UK/install.cab
O16 - DPF: {2F0D1DA3-F3E4-4C67-BB5C-5AFD70C1A4A5} (UDConnect Class) - http://01.sharedsource.org/html/UDConn.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {ADC3EA10-8A28-41A9-96B4-534ADFC3CA0A} (Configuratore Auto Control) - http://www.showroomatfiat.co.uk/components/ocx/autopricer/configuratoreauto.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/SU/ocx/12119/CTPID.cab
O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://www.tukati.com/software/4/1.7.20.20/tukati.cab

windows-virus

4 Contributors
11 Replies
162 Views
1 Week Discussion Span
Latest Post 19 Years Ago Latest Post by DMR

All 11 Replies

crunchie 990 Most Valuable Poster

19 Years Ago

Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://omegasearch.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://omegasearch.com/searchbar.html

O2 - BHO: (no name) - {0F8D71D4-02FD-C2F6-5003-4618BBB78685} - (no file)

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O16 - DPF: {2F0D1DA3-F3E4-4C67-BB5C-5AFD70C1A4A5} (UDConnect Class) - http://01.sharedsource.org/html/UDConn.cab
-UDConnect

Disable CTHELPER in Msconfig. It is known to use 100% CPU time.

DMR 152 Wombat At Large

19 Years Ago

Also-

Your version of HijackThis is old; you should update to the current (1.98.2) version.

crunchie 990 Most Valuable Poster

19 Years Ago

Thanks DMR. Spotted that first up, but forgot to include it :o

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

DMR 152 Wombat At Large Team Colleague · Answer 1 · 2004-09-26T08:08:53+00:00

I noticed that you've been on a bit of a posting frenzy tonight, so given the ground that you've covered, nobody can fault you for that one... :)

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 2 · 2004-09-26T08:12:55+00:00

Sunday morning here :). Trying to catch up on other forums too, then I'm going to get some fresh air :). Woohoo!

DMR 152 Wombat At Large Team Colleague · Answer 3 · 2004-09-26T08:30:45+00:00

Hey- just go wireless and you can have the best of both worlds.

It's about 7:30 on a comfortable Saturday evening over here, and I'm sitting out in my courtyard getting plenty of nice fresh air while I' m covering 2 forums, finishing up some invoices for clients, and well- I guess the only thing I'm missing is a nice pint of stout...

:mrgreen:

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 4 · 2004-09-26T08:46:33+00:00

Ahh. It's ok for some :). I've only just got broadband, so one step at a time :).

moose 0 Newbie Poster · Answer 5 · 2004-10-02T02:00:53+00:00

Thanks for the fast responses and help, I haven't been around to action your recommendations until now, but I've just done as suggested and initial signs are good, big improvement. I've upgraded HijackThis and re-run a log after the fixes. I've attached it below for completeness.
Thanks again for your excellent assistance. If I can do anything to add to your reputation rating, then I'd be more than glad to, if you can point me to how.
Cheers

Logfile of HijackThis v1.98.2
Scan saved at 20:55:18, on 01/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\PROGRA~1\DATACA~1\FLashKsk.exe
F:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\WINDOWS\System32\RUNDLL32.EXE
F:\Program Files\Messenger\MSMSGS.EXE
F:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
F:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
F:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
F:\Documents and Settings\Richard\My Documents\My Applications\WinZip90\WZQKPICK.EXE
F:\WINDOWS\System32\CTsvcCDA.EXE
F:\Program Files\Norton AntiVirus\navapsvc.exe
F:\WINDOWS\System32\nvsvc32.exe
F:\WINDOWS\System32\MsPMSPSv.exe
F:\WINDOWS\System32\wuauclt.exe
F:\Documents and Settings\Richard\My Documents\My Applications\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.altavista.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] F:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "F:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DataCaching] F:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [UpdReg] F:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [CTStartup] F:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Jet Detection] F:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] F:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "F:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
O4 - HKCU\..\Run: [SpySweeper] "F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Service Manager.lnk = F:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = F:\Documents and Settings\Richard\My Documents\My Applications\WinZip90\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mpa: F:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/SU/ocx/12119/CTSUEng.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/UK/install.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {ADC3EA10-8A28-41A9-96B4-534ADFC3CA0A} (Configuratore Auto Control) - http://www.showroomatfiat.co.uk/components/ocx/autopricer/configuratoreauto.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/SU/ocx/12119/CTPID.cab
O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://www.tukati.com/software/4/1.7.20.20/tukati.cab

TallCool1 81 Practically a Posting Shark Team Colleague · Answer 6 · 2004-10-02T06:02:57+00:00

I've upgraded HijackThis and re-run a log after the fixes. I've attached it below for completeness.

I think that you still have a problem--I'm not sure if I can pinpoint it exactly, but the symptom is the line F:\WINDOWS\System32\RUNDLL32.EXE under Running Processes. This indicates a problem, because under the Windows NT family RUNDLL32 is run-and-release, so it should never show up as a running process--that's what Svchost is for.

Copy these instructions to Notepad or another text editor, then print them out. You should not have any browser windows open when you are following the procedures below.

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also.

Reboot into Safe Mode by pressing the [F8] key repeatedly until the boot menu shows up.

Make sure to close any open browser windows. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn’t be – but double check them):

F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\WINDOWS\System32\RUNDLL32.EXE
F:\Documents and Settings\Richard\My Documents\My Applications\WinZip90\WZQKPICK.EXE
F:\WINDOWS\System32\CTsvcCDA.EXE

I'll list what, in my opinion, should be dumped. Realize that none of these are malicious--they are merely superfluous, "excess baggage" or potential security risks. Some companies (Real and Apple among them) seem to think their software should run all the time... bleah!

O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdReg] F:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Global Startup: WinZip Quick Pick.lnk = F:\Documents and Settings\Richard\My Documents\My Applications\WinZip90\WZQKPICK.EXE
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/SU/ocx/12119/CTSUEng.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/SU/ocx/12119/CTPID.cab

Note that WinZip continues to have known security problems, so unless you are a paying customer, you should use the free 7-Zip instead. After installation, run 7-Zip, go to Tools->Options and check all the boxes to associate the program with the filetypes.

You should also clear out the Temporary Internet Files and the Temp directory, some stealth malware hides there.

moose 0 Newbie Poster · Answer 7 · 2004-10-03T00:34:28+00:00

Thanks for the additional scrutiny. I've again carried out all of the latest recommendations including switching to 7-Zip.
The post clean-up HijackThis log is listed below, could someone please give this another checkover to see whether I'm as untainted as I can be.
Regards

Logfile of HijackThis v1.98.2
Scan saved at 19:25:07, on 02/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\PROGRA~1\DATACA~1\FLashKsk.exe
F:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
F:\WINDOWS\System32\RUNDLL32.EXE
F:\Program Files\Messenger\MSMSGS.EXE
F:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
F:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
F:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
F:\WINDOWS\System32\CTsvcCDA.EXE
F:\Program Files\Norton AntiVirus\navapsvc.exe
F:\WINDOWS\System32\nvsvc32.exe
F:\WINDOWS\System32\MsPMSPSv.exe
F:\WINDOWS\System32\wuauclt.exe
F:\WINDOWS\System32\wuauclt.exe
F:\Documents and Settings\Richard\My Documents\My Applications\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.altavista.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] F:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "F:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [DataCaching] F:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [CTStartup] F:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Jet Detection] F:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] F:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "F:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
O4 - HKCU\..\Run: [SpySweeper] "F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Service Manager.lnk = F:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mpa: F:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/UK/install.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {ADC3EA10-8A28-41A9-96B4-534ADFC3CA0A} (Configuratore Auto Control) - http://www.showroomatfiat.co.uk/components/ocx/autopricer/configuratoreauto.cab
O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://www.tukati.com/software/4/1.7.20.20/tukati.cab

DMR 152 Wombat At Large Team Colleague · Answer 8 · 2004-10-03T01:49:52+00:00

DMR 152 Wombat At Large

19 Years Ago

Log looks clean now :)

HijackThis log

Recommended Answers Collapse Answers

All 11 Replies

Recommended Answers