0

My system is acting like it is under the control of spyware. It stops the execution of Avast! I have Ad-Aware and Spybot up to date. AVG7 is also up to date.

I am pasting my HJT log.

Thanks for your assistance.

Frank

====
Logfile of HijackThis v1.99.1
Scan saved at 3:39:12 PM, on 3/15/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WIN98\SYSTEM\KERNEL32.DLL
C:\WIN98\SYSTEM\MSGSRV32.EXE
C:\WIN98\SYSTEM\SPOOL32.EXE
C:\WIN98\SYSTEM\MPREXE.EXE
C:\WIN98\SYSTEM\mmtask.tsk
C:\WIN98\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\TINY PERSONAL FIREWALL\PERSFW.EXE
C:\WIN98\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\EXECUTIVE SOFTWARE\DISKEEPER\DKSERVICE.EXE
D:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WIN98\SYSTEM\RPCSS.EXE
C:\WIN98\EXPLORER.EXE
C:\WIN98\TASKMON.EXE
C:\WIN98\SYSTEM\SYSTRAY.EXE
C:\WIN98\MIXER.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\WIN98\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
D:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
D:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
D:\PROGRAM FILES\PALM\HOTSYNC.EXE
D:\PROGRAM FILES\REDSTRIKE\ULTRAWIPE\LAUNCHER.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
D:\PROGRAM FILES\CRIMSON EDITOR\CEDT.EXE
C:\WIN98\SYSTEM\RNAAPP.EXE
C:\WIN98\SYSTEM\TAPISRV.EXE
D:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WIN98\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
N1 - Netscape 4: user_pref("browser.startup.homepage", "about:blank"); (C:\Program Files\Netscape\Users\frank1\prefs.js)
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - D:\PROGRA~1\FRESHD~1\FRESHD~2\FDCATCH.DLL
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WIN98\SYSTEM\NZDD0.DLL
O2 - BHO: (no name) - {AB77A7BF-8C5B-486A-B547-F9AD2B41A904} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {656EC4B7-072B-4698-B504-2A414C1F0037} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WIN98\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WIN98\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WIN98\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WIN98\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [ashMaiSv] D:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [avast! Web Scanner] D:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [PersFw] C:\Program Files\Tiny Personal Firewall\persfw.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WIN98\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [DkService] C:\Program Files\Executive Software\Diskeeper\DkService.exe
O4 - HKLM\..\RunServices: [avast!] D:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKCU\..\Run: [FUIClearHis] D:\PROGRAM FILES\FRESHDEVICES\FRESHUI\FRESHUI.EXE 0 1 2 3 4 6 7 8 9 10 11 12 13 14 16 17
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: HotSync Manager.lnk = ?
O4 - Startup: Ultra Wipe Launcher.lnk = D:\PROGRA~1\REDSTR~1\ULTRAW~1\LAUNCHER.EXE
O8 - Extra context menu item: Open Frame in &New Window - C:\WIN98\WEB\frm2new.htm
O8 - Extra context menu item: &Highlight - C:\WIN98\WEB\highlight.htm
O8 - Extra context menu item: &Web Search - C:\WIN98\WEB\selsearch.htm
O8 - Extra context menu item: &Links List - C:\WIN98\WEB\urllist.htm
O8 - Extra context menu item: Zoom &In - C:\WIN98\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WIN98\WEB\zoomout.htm
O8 - Extra context menu item: I&mages List - C:\WIN98\Web\imglist.htm
O8 - Extra context menu item: Download with &FD - D:\PROGRAM FILES\FRESHDEVICES\FRESHDOWNLOAD\fdiectx.htm
O8 - Extra context menu item: Download &All by FD - D:\PROGRAM FILES\FRESHDEVICES\FRESHDOWNLOAD\fdiectx2.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WIN98\SYSTEM\Shdocvw.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.zoomify.com/download/zoomify148.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://www.nevadadot.com/ACGM/Acgm.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 65.73.236.3,64.122.22.130

2
Contributors
3
Replies
4
Views
12 Years
Discussion Span
Last Post by dlh6213
0

You have some things to fix there, but before you do you should put HijackThis into it's own folder. To do this, right-click on your desktop, select New, Folder; give the new folder a name (like HJT or Hijackthis); after you've named it, drag the hijackthis.exe icon on your desktop into this new folder.

Then, close all browser windows, scan with HJT, and post a new log.

0

Here is the new log you requested. Thanks for your help.

====

Logfile of HijackThis v1.99.1
Scan saved at 8:44:39 PM, on 3/16/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WIN98\SYSTEM\KERNEL32.DLL
C:\WIN98\SYSTEM\MSGSRV32.EXE
C:\WIN98\SYSTEM\MPREXE.EXE
C:\WIN98\SYSTEM\mmtask.tsk
C:\WIN98\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\TINY PERSONAL FIREWALL\PERSFW.EXE
C:\WIN98\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\EXECUTIVE SOFTWARE\DISKEEPER\DKSERVICE.EXE
D:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WIN98\SYSTEM\RPCSS.EXE
C:\WIN98\EXPLORER.EXE
C:\WIN98\TASKMON.EXE
C:\WIN98\SYSTEM\SYSTRAY.EXE
C:\WIN98\MIXER.EXE
C:\WIN98\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
D:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
D:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
D:\PROGRAM FILES\PALM\HOTSYNC.EXE
D:\PROGRAM FILES\REDSTRIKE\ULTRAWIPE\LAUNCHER.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WIN98\SYSTEM\RNAAPP.EXE
C:\WIN98\SYSTEM\TAPISRV.EXE
C:\WIN98\DESKTOP\HJT 1.99\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
N1 - Netscape 4: user_pref("browser.startup.homepage", "about:blank"); (C:\Program Files\Netscape\Users\frank1\prefs.js)
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - D:\PROGRA~1\FRESHD~1\FRESHD~2\FDCATCH.DLL
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WIN98\SYSTEM\NZDD0.DLL
O2 - BHO: (no name) - {AB77A7BF-8C5B-486A-B547-F9AD2B41A904} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {656EC4B7-072B-4698-B504-2A414C1F0037} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WIN98\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WIN98\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WIN98\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WIN98\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [ashMaiSv] D:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [avast! Web Scanner] D:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [KeyStone Version Control] d:\Program Files\Keystone Learning\MeasureUp\cdtpUpdater.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [PersFw] C:\Program Files\Tiny Personal Firewall\persfw.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WIN98\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [DkService] C:\Program Files\Executive Software\Diskeeper\DkService.exe
O4 - HKLM\..\RunServices: [avast!] D:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKCU\..\Run: [FUIClearHis] D:\PROGRAM FILES\FRESHDEVICES\FRESHUI\FRESHUI.EXE 0 1 2 3 4 6 7 8 9 10 11 12 13 14 16 17
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: HotSync Manager.lnk = ?
O4 - Startup: Ultra Wipe Launcher.lnk = D:\PROGRA~1\REDSTR~1\ULTRAW~1\LAUNCHER.EXE
O8 - Extra context menu item: Open Frame in &New Window - C:\WIN98\WEB\frm2new.htm
O8 - Extra context menu item: &Highlight - C:\WIN98\WEB\highlight.htm
O8 - Extra context menu item: &Web Search - C:\WIN98\WEB\selsearch.htm
O8 - Extra context menu item: &Links List - C:\WIN98\WEB\urllist.htm
O8 - Extra context menu item: Zoom &In - C:\WIN98\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WIN98\WEB\zoomout.htm
O8 - Extra context menu item: I&mages List - C:\WIN98\Web\imglist.htm
O8 - Extra context menu item: Download with &FD - D:\PROGRAM FILES\FRESHDEVICES\FRESHDOWNLOAD\fdiectx.htm
O8 - Extra context menu item: Download &All by FD - D:\PROGRAM FILES\FRESHDEVICES\FRESHDOWNLOAD\fdiectx2.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WIN98\SYSTEM\Shdocvw.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.zoomify.com/download/zoomify148.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://www.nevadadot.com/ACGM/Acgm.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 65.73.236.3,64.122.22.130

0

Sorry for the delay in responding to this.

Avast and AVG are two seperate antivirus programs (as far as I know); having both on your system may cause the problem you described. You should choose the one you prefer and uninstall the other.

Fresh Devices information:

Low threat - Low risk threats pose a very low risk or no immediate danger to your computer or your privacy, however these types of applications may profile user online habits, but only according to specific privacy policies stated in the applications End-User License. These types of threats generally borderline on being a threat to being a standard application that has a complex license agreement that you knowingly installed. You should examine their EULA, terms of service agreement, or privacy policy; if you like the program... keep it.

You can find some info on Netzip (this entry in your HJT log: O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WIN98\SYSTEM\NZDD0.DLL) at this site:

http://www.grc.com/downloaders.htm

Scan with hijackthis and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
O2 - BHO: (no name) - {AB77A7BF-8C5B-486A-B547-F9AD2B41A904} - (no file)
O2 - BHO: (no name) - {656EC4B7-072B-4698-B504-2A414C1F0037} - (no file)

Be sure to close all windows other than HJT before hitting the Fix button.

Of the O8 entries, did you set up any of these yourself? Also the O16 entries, are these sites you visit?

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.