Highjackthis log

TheMSsForum.com: The Microsoft Software Forum

Please help me with this. What should I remove and what should I keep?


Logfile of HijackThis v1.99.1
Scan saved at 7:00:30 PM, on 11/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\UAService.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\2Wire\Gateway\2portalmon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINDOWS\iisver.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\MyWebSearch\bar\3.bin\MWSOEMON.EXE
C:\Program Files\Microsoft Office\Office10\msoffice.exe
c:\progra~1\window~2\wmplayer.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\ARADRA~1\LOCALS~1\Temp\Rar$EX00.031\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://search.qsrch.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no
file)
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program
Files\NewDotNet\newdotnet6_98.dll
O2 - BHO: Quick! - {4E7BD74F-2B8D-469E-C0FF-FD67B79CAF2C} -
C:\PROGRA~1\quickbar\quickbar.dll
O2 - BHO: RichMediaCollector Class -
{EFFD215B-773F-4F3A-8B4A-BF15CCA78A05} - C:\Program Files\Common
Files\MediaMaster\WMMRMC20.dll
O3 - Toolbar: MediaMaster Bar - {E7F10FF7-005E-45D7-86A1-59FA022860B0}
- C:\Program Files\Common Files\MediaMaster\WMMRMC20.dll
O3 - Toolbar: Quick! - {4E7BD74F-2B8D-469E-C0FF-FD67B79CAF2C} -
C:\PROGRA~1\quickbar\quickbar.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE
C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [2wSysTray] C:\Program
Files\2Wire\Gateway\2portalmon.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program
Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program
Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Jawa322] C:\WINDOWS\jawa32.exe
O4 - HKLM\..\Run: [iisver] C:\WINDOWS\iisver.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program
Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Rzvdnu] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program
Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32
C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,ClientStartup -s
O4 - HKCU\..\Run: [Jawa322] C:\WINDOWS\jawa32.exe
O4 - HKCU\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy
Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Window Washer] C:\Program
Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program
Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program
Files\MyWebSearch\bar\3.bin\MWSOEMON.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Login -
{2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program
Files\Yahoo!\Common\ylogin.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Login -
{2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program
Files\Yahoo!\Common\ylogin.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} -
C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger -
{4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program
Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O15 - Trusted Zone: http://ad.searchsquire.com
O15 - Trusted Zone: http://search.searchsquire.com
O15 - Trusted Zone: http://update.searchsquire.com
O15 - Trusted Zone: http://www.searchsquire.com
O15 - Trusted Zone: http://*.searchsquire.com
O16 - DPF: Yahoo! Checkers -
http://download.games.yahoo.com/games/clients/y/kt4_x.cab
O16 - DPF: Yahoo! Graffiti -
http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Poker -
http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: Yahoo! Pool 2 -
http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {12345678-1234-1234-1234-123456789123} -
http://www.allyoursearch.com/Allyoursearch.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
http://ak.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversInitialSetup1.0.0.8.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) -
http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download
Control Class) -
http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {3C200107-2959-4C6E-91B8-F6D911B398A8}
(Driver_Detective_v43_Members.DD_v43) -
http://www.drivershq.com/cab/prod/Driver_Detective_v43_Members.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {430DDE24-C051-11CF-95BE-0020AFF75E4F} (ichat xchat Control)
- http://tank.wizards.com/chat/data/html/user/msie/msichat.ocx
O16 - DPF: {4C2D6C46-6602-11D4-A5E3-444553540000} (Alice Control) -
http://www.skotos.net/MarrachGame/Alice44.cab
O16 - DPF: {5DDF3BA5-7DCD-45A9-B4A1-601E67700271} (DDv4_Member.DDv4) -
http://www.drivershq.com/cab/prod/DDv4_Member.CAB
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) -
http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} -
http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {B663A561-7424-4958-AF76-853E80B4E1C6} (UDConnect Class) -
http://19.sharedsource.org/html/PagomaxUD_1.0.0.3ie.cab?
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD}
(MaxisSimCity4PatcherX Control) -
http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} -
http://download.abacast.com/download/files/abasetup150.cab
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} -
http://akamai.downloadv3.com/binaries/IA/netpe32_EN_XP.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision
Corporation - C:\Program Files\Common
Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IomegaAccess - Iomega Corporation -
C:\WINDOWS\System32\IomegaAccess.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. -
C:\WINDOWS\system32\pctspk.exe
O23 - Service: SecuROM User Access Service (UserAccess) - Unknown owner
- C:\WINDOWS\system32\UAService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony
DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
O23 - Service: ZipToA - Iomega Corporation -
C:\WINDOWS\System32\ZipToA.exe
Top

Re: Highjackthis log by PA

PA
Tue Nov 01 22:31:11 CST 2005

By Gentleman's Agreement, we do not interpret HijackThis logs in the public
newsgroups.

Are you having problems? Did you run any preliminary scans (e.g.,
Ad-aware)?

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/archive/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine.blogspot.com/

When all else fails, HijackThis v1.99.1
(http://aumha.net/downloads/hijackthis.zip) is the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware. **Post
your log to http://forums.spywareinfo.com/,
http://castlecops.com/forum67.html or http://aumha.net/viewforum.php?f=30
for expert analysis, not here.**

--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE, Shell/User, Security), AH-VSOP

Dropface wrote:
> Please help me with this. What should I remove and what should I keep?
>
>
> Logfile of HijackThis v1.99.1
> Scan saved at 7:00:30 PM, on 11/01/2005
> Platform: Windows XP SP2 (WinNT 5.01.2600)
> MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
<snip>

Top