0

Logfile of HijackThis v1.99.0
Scan saved at 7:29:03 PM, on 12/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Jonathan\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: (no name) - {EF3FF2F2-B518-455D-BAB4-B19BD55EE9C4} - C:\WINDOWS\System32\lmcch.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [vF3O33P] cis2cenu.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Explorer] C:\WINDOWS\System32\shellexp.exe en
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [eosERTjEh] iucpvcno.exe
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O23 - Service: AVG6 Service - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Security Agent - Unknown - C:\WINDOWS\system32\scagent.exe (file missing)

0

Well, you might want to update to Service Pack 2; it offers more security. And at a quick glance, do you really want WeatherBug? I find it quite troublesome.

0

I wouldn't recommend getting SP2 until after you've got your system clean. You can find more info on SP2 here:
http://www.daniweb.com/techtalkforums/thread10031.html

Before you fix anything with HJT, you should put it in its own folder. Right-click on your desktop, select New Folder, name it (something like HJT), and then drag the HijackThis.exe on your desktop into that folder.

Your log looks rather skimpy; was it done while in Safe Mode? If so, post your next one from Normal Mode (after you've put HJT in its own folder).

0

OK, thanks, and yes, it was in Safe Mode, and I also had some things disabled from startup items and services... Should all of those be checked when I run it as well?

0

It would be best if everything were enabled until we get your system clean.

0

OK, here's the log with all services and startup items, not in Safe Mode. Thanks a lot for your help, dlh.


Logfile of HijackThis v1.99.0
Scan saved at 2:10:37 AM, on 12/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\documents and settings\jonathan\local settings\temp\neOKky3u.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\System32\shellexp.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ntvdm.exe
C:\PROGRA~1\DIGNIT~1\SPAMAL~1\spmalarm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\TechSmith\SnagIt 7\TSCHelp.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
c:\windows\2Hj.exe
C:\Documents and Settings\Jonathan\Desktop\Hijack\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: Band Class - {CC378B83-9577-44D0-B4F8-0DD965E176FC} - C:\Program Files\eSyndicate\esyn.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Jonathan\Local Settings\Temp\0YI.dll
O2 - BHO: (no name) - {EF3FF2F2-B518-455D-BAB4-B19BD55EE9C4} - C:\WINDOWS\System32\lmcch.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [vF3O33P] mmupapi.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [qXkWw] C:\documents and settings\jonathan\local settings\temp\qXkWw.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [neOKky3u] C:\documents and settings\jonathan\local settings\temp\neOKky3u.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [2Hj] c:\windows\2Hj.exe
O4 - HKCU\..\Run: [Explorer] C:\WINDOWS\System32\shellexp.exe en
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [eosERTjEh] vgaw400.exe
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [wccapp] c:\windows\winhelp.exe
O4 - HKCU\..\Run: [Spam Alarm Proxy] C:\PROGRA~1\DIGNIT~1\SPAMAL~1\spmalarm.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Kobxor] C:\WINDOWS\System32\nhzqncj.exe
O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: SnagIt 7.lnk = C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
O23 - Service: AVG6 Service - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Security Agent - Unknown - C:\WINDOWS\system32\scagent.exe (file missing)

0

To answer your question, "Hijack this log anything look dangerous?" The answer is "YES!"

Delete the contents of all Temp and Temporary Internet folders for all users on the computer.

Go to Add/Remove Programs in your Control Panel and remove these (if found):
WeatherBug
WinTools
WildTangent
VBouncer or VirtualBouncer

Close all browser windows, scan with HJT, and have it fix the following entries:
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: Band Class - {CC378B83-9577-44D0-B4F8-0DD965E176FC} - C:\Program Files\eSyndicate\esyn.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Jonathan\Local Settings\Temp\0YI.dll
(This one shouldn't be there anymore if you emptied your Temp folder)
O2 - BHO: (no name) - {EF3FF2F2-B518-455D-BAB4-B19BD55EE9C4} - C:\WINDOWS\System32\lmcch.dll (file missing)
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
(More info on this here: http://www.liutilities.com/products/wintaskspro/processlibrary/WToolsA/)
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
(More info on this here: http://www.liutilities.com/products/wintaskspro/processlibrary/wcmdmgrl/)
O4 - HKLM\..\Run: [qXkWw] C:\documents and settings\jonathan\local settings\temp\qXkWw.exe
(This should also be gone if the Temp folders were emptied)
O4 - HKLM\..\Run: [neOKky3u] C:\documents and settings\jonathan\local settings\temp\neOKky3u.exe
(This should also be gone if the Temp folders were emptied)
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
(More info on this here: http://www.liutilities.com/products/wintaskspro/processlibrary/IEHost/)
O4 - HKLM\..\Run: [2Hj] c:\windows\2Hj.exe
O4 - HKCU\..\Run: [Explorer] C:\WINDOWS\System32\shellexp.exe en
(More info on this here: http://startup.iamnotageek.com/srch-shellexp.exe.html)
O4 - HKCU\..\Run: [eosERTjEh] vgaw400.exe
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
(More info on this here: http://www.liutilities.com/products/wintaskspro/processlibrary/tsm2/)
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Kobxor] C:\WINDOWS\System32\nhzqncj.exe
O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe
(More info on this here: http://www.liutilities.com/products/wintaskspro/processlibrary/virtualbouncer/)
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O15 - Trusted Zone: *.windupdates.com

Reboot into Safe Mode

Go to
c:\windows and delete 2Hj.exe
C:\WINDOWS and delete wt
C:\WINDOWS\System32 and delete IEHost.exe
C:\WINDOWS\System32 and delete shellexp.exe
C:\WINDOWS\System32 and delete nhzqncj.exe
C:\Program Files and delete WildTangent
C:\Program Files and delete VBouncer
C:\Program Files\Common Files and delete WinTools
C:\Program Files\AWS and delete WeatherBug

Do a search for 'tsa' and delete the folder

This may be a problem; do you have any idea what it is? C:\PROGRA~1\DIGNIT~1\SPAMAL~1\spmalarm.exe
I couldn't find any info on this one either: O4 - HKLM\..\Run: [vF3O33P] mmupapi.exe
If you don't know what it is, do a search for 'mmupapi.exe' and see where it's located.
Is 'SnagIt' a program you installed?
Is this a service you use? O23 - Service: Security Agent - Unknown - C:\WINDOWS\system32\scagent.exe (file missing)

Reboot normally, close all browser windows, scan with HJT, and post a new log along with whatever answers you have to the questions asked.

**Merry Christmas!**
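
A triage script for HJT logs, added here as an example; it is not part of HijackThis or of any post in this thread. It mechanises the checks dlh6213 made by eye above: targets in a Temp folder, entries whose file is missing or has no file, autostarts that name a bare executable with no path, O15 Trusted Zone additions, and the product names listed for removal. The weights, the threshold and the sample lines (copied from the second log) are my own choices; it only reports and changes nothing.

```python
"""HijackThis log triage: score each line with the heuristics used in the thread.

Added example, not HijackThis code. It reports; it never deletes or fixes.
"""
import re
from dataclasses import dataclass, field

# O4 - HKLM\..\Run: [value name] command line
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O4 - Startup: shortcut.lnk = C:\path\program.exe   (also "Global Startup")
STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: (?P<name>.+?) = (?P<cmd>.*)$")
# First program on a command line; rundll32 is resolved to the DLL it loads
TARGET_RE = re.compile(r'^"?(?P<t>.*?\.(?:exe|dll|com|scr|bat|cmd))\b"?', re.IGNORECASE)
DLL_RE = re.compile(r'"?(?P<t>[^",]*?\.dll)\b', re.IGNORECASE)
TEMP_RE = re.compile(r"\\(temp|temporary internet files)\\", re.IGNORECASE)
# Names the helper in this thread told the poster to uninstall or fix
KNOWN_UNWANTED = ("wintools", "wildtangent", "vbouncer", "virtualbouncer",
                  "weatherbug", "esyndicate", "iehost.exe", "shellexp.exe",
                  "windupdates.com")


@dataclass
class Finding:
    line: str
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, weight: int, why: str) -> None:
        self.score += weight
        self.reasons.append(why)


def extract_target(cmd: str) -> str:
    """Return the file an O4 command actually loads (the DLL for rundll32)."""
    m = TARGET_RE.match(cmd)
    if not m:  # no recognised extension, e.g. %systemroot%\system32\dumprep 0 -k
        parts = cmd.split()
        return parts[0] if parts else cmd
    target = m.group("t")
    if target.rsplit("\\", 1)[-1].lower().startswith("rundll32"):
        dll = DLL_RE.search(cmd[m.end():])
        if dll:
            return dll.group("t").strip()
    return target


def assess(line: str) -> Finding:
    """Apply the thread's heuristics to one HJT line; weights are my own choice."""
    f = Finding(line)
    low = line.lower()
    if "(file missing)" in low or "(no file)" in low:
        f.add(2, "target file is missing: orphaned entry, common after a dropper removes itself")
    if TEMP_RE.search(line):
        f.add(3, "lives in a Temp folder: legitimate software does not autostart from there")
    if any(name in low for name in KNOWN_UNWANTED):
        f.add(3, "matches a product the helper identified as adware/spyware")
    if line.startswith("O15 - Trusted Zone:"):
        f.add(3, "adds a site to the IE Trusted Zone, lowering security for that domain")
    m = RUN_RE.match(line) or STARTUP_RE.match(line)
    if m:
        target = extract_target(m.group("cmd"))
        stem = target.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
        if "\\" not in target and not target.startswith("%"):
            f.add(2, "bare executable with no path: locate the file before trusting it")
        if m.re is RUN_RE and m.group("name").lower() == stem:
            # Weak alone (e.g. [AIM] aim.exe), so it only raises an existing score
            f.add(1, "value name equals the file name, typical of generated persistence keys")
    return f


def triage(log_text: str, threshold: int = 2) -> list:
    """Return findings scoring at or above threshold, highest score first."""
    found = [assess(l.rstrip()) for l in log_text.splitlines() if l.strip()]
    return sorted((f for f in found if f.score >= threshold),
                  key=lambda f: f.score, reverse=True)


# Constructed sample: a subset of the second log posted in this thread
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Jonathan\Local Settings\Temp\0YI.dll
O2 - BHO: (no name) - {EF3FF2F2-B518-455D-BAB4-B19BD55EE9C4} - C:\WINDOWS\System32\lmcch.dll (file missing)
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [neOKky3u] C:\documents and settings\jonathan\local settings\temp\neOKky3u.exe
O4 - HKCU\..\Run: [eosERTjEh] vgaw400.exe
O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe
O15 - Trusted Zone: *.windupdates.com
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.score}] {f.line}")
        for why in f.reasons:
            print(f"      - {why}")
```

Bare names such as nwiz.exe or CTHELPER.EXE will also be reported; that is intended, since the helper's advice for such entries was to find the file and decide by its location.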

0

Thank you so much for your help!! And yes, SnagIt and Spam Alarm I am aware of and did put on the computer. I am going to follow all your instructions now...

0

OK, I followed all of the instructions, and I am just wondering why a lot of the things are still in my Startup Items folder; I do not know how to get rid of them. Oh, BTW, PartyPoker is something I use every day, so I did not delete any of that.

Logfile of HijackThis v1.99.0
Scan saved at 10:20:23 AM, on 12/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Jonathan\Desktop\Hijack\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O23 - Service: AVG6 Service - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

0

I suggest the following to clean up your computer.

Please delete your temporary files by deleting all files and folders that are in those folders (do not delete the Temp folder itself), for example:
C:\WINDOWS\Temp\
C:\Temp\
C:\Documents and Settings\username\Local Settings\Temp\
Also delete your Temporary Internet Files, be sure to also select delete all offline content.

Do a virus scan here.
If you get a report of files that can't be cleaned / deleted, please write down the filenames and locations and post that in your reply.

Then please do this: since it's better to use automated tools to get rid of the bad stuff, use these 2 programs first before doing the final cleaning with HJT.

First use Spybot S&D. (Version 1.3)
Spybot
Unzip, and update. Install the updates and run. Delete all that it marks in red.
Reboot

Then it’s time for Ad-Aware
Ad-Aware
Install and update by using the globe icon. Restart your computer and run Ad-Aware.
Press scan now and select drives and/or partitions to be scanned. When done select all and click next. Remove all checked items and then reboot your computer.

Please go to this page and read the instructions for how to configure Spybot S&D & Ad-Aware
How To Setup Spybot SD and Ad-Aware

Then post a new HJT log as a reply to this topic.

0

If your log still has the following after Spybot and Ad-Aware, do the following:

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =


O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"


Now reboot into Safe Mode and delete the following files and folders if found.

C:\Program Files\AutoUpdate.........delete folder


To delete the above files and folder, you will need to do the following:
Go to
Show hidden files & folders

"Fix Checked"...Reboot to SAFE mode to delete files
How to start computer in safe mode

Reboot the computer and post a new log.

0

Wow! That log sure looks a lot better now!

Sorry about the PartyPoker thing... Guess I should have asked first.

The first thing I would try to get the stuff out of your Startup list is to go to Start, Programs, Startup. Then go to each one that shows up, right-click on it and select Delete. If that doesn't work, let us know.

*I don't know how I missed the AutoUpdater thing, I remember looking it up and finding out it was bad. Good thing someone's following up :).*

0

Guys, thanks for all the help so far, but after updating to SP2 and doing all the critical security updates I seem to have noticed I can no longer open Outlook Express... I am not sure if it was the updates or something I screwed up with HijackThis, as I do not open Outlook too often. The error message I get is this: "outlook express could not be started. The application was unable to open the OE message store. Your computer may be out of memory or the disk is full. Contact MS support for further assistance" followed by this: "Outlook express could not be started because MSOE.DLL could not be initialized Outlook express may not be installed correctly." I know that my HD is not full etc. because I have several GB available.

Thanks again for all the help, Jon

0

I am now thinking more along the lines of it having to be a registry key I deleted with HijackThis.... If anyone thinks I can solve this without reinstalling the OS, please let me know.

BTW, I found this doing a Google search, which is exactly the messages I get...

I'm unable to start Outlook Express. I'm using Windows 2000 and IE 6.0. I don't know what version of OE I have but assume it's 6.0, too.

When I go to start OE I get the error message:

"Outlook Express could not be started. The application was unable to open the Outlook Express message store. Your computer may be out of memory or your disk is full. Contact Microsoft support for further assistance. (0x80040154,2)."

Then I get the message:

"Outlook Express could not be started because MSOE.dll could not be initialized. Outlook Express may not be installed correctly."

After reading some previous email on this website, I believe I caused the problem by accidentally deleting a Registry key. I found this key {2CF0B992-5EEB-4143-99C0-5297EF71F444} but don't know where it came from or how to replace it.

0

Where did you find it and why do you think you deleted it? I don't see it listed in any of your HJT logs. :confused:
