
Here is my HijackThis log, please help

2K views 9 replies 3 participants last post by  BlueSpruce 
#1 ·
Logfile of HijackThis v1.97.7
Scan saved at 8:30:43 PM, on 3/26/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSBasic.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\dump\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50016
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us3.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50016
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50016
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\Owner\LOCALS~1\Temp\TB_ANI~1.EXE /dcheck
O4 - HKLM\..\Run: [HPGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyStartUp] C:\Program Files\Microsoft Money\System\Money Startup.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [PopUpStopperBasic] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSBasic.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/us/registration/2_0_0_755/sdcregie.cab
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50016/btiein.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2002092801/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} (SDCInstaller Class) - http://www.stamps.com/download/us/cab/stamps/stamps.cab?r=0.409881591796875&file=stamps.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{36574D50-7A46-4879-BAA9-061616615D5D}: NameServer = 66.194.5.2 66.194.5.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{36574D50-7A46-4879-BAA9-061616615D5D}: NameServer = 66.194.5.2 66.194.5.3

Thank you
Stu
 
#2 ·
Welcome to TSG stustanton , Create a new Folder in C:\Program Files named -> Hijack This , Place Hijack This.exe in the new Hijack This Folder , Right mouse click Hijack This.exe -> Create Shortcut , and place the new shortcut to Hijack This on your Desktop.

Next log offline , Close all open Folders and browser windows , Scan Hijack This , Put checks in the following entries and hit ''Fix Checked'' ,

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50016

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50016

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50016

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll

O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll

O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\Owner\LOCALS~1\Temp\TB_ANI~1.EXE /dcheck

O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50016/btiein.cab

Restart your computer , Navigate to and Delete the following ,

C:\DOCUME~1\Owner\LOCALS~1\Temp\TB_ANI~1.EXE <- File
C:\Program Files\Toolbar <- Folder

On the IE Toolbar , Click Tools , Windows Update , and install all available critical updates applicable to your computer.

... A few more recommendations , On the IE Toolbar , Click Tools , Internet Options , Security , ''Internet'' , Click ''Default Level'' You want the slider set to Medium. Select ''Restricted Sites'', Click ''Default Level'' You want the slider set to High.

Create a New Folder in C:\ and name it -> ie-spyads . Download IE-SPYAD.ZIP Extract the IE-spyad files to the new C:\IE-spyad Folder , Click Install.bat , Select option #2 (#4 is optional) then exit.

Install SpywareBlaster Click ''Check for Updates''. Database Info at the moment should list 1222 Items.

Download , Update , Configure , and run Ad-Aware 6 Build 181 following the instructions in the Ad-Aware 6: Reference guide by Winchester73

Good luck
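Added example (mine, not from the thread, from BlueSpruce, or from HijackThis): a small Python triage pass over a constructed sample in the same scanlog format, using only what the reply above singles out, namely the websearch.com / trafficsyndicate.com hosts, the C:\PROGRA~1\Toolbar folder, the autorun from the user's Temp folder, and the one CLSID that backs both the R3 URLSearchHook and the O2 BHO. The rule names and the `parse`/`triage` functions are my own.

```python
import re
# Constructed sample in the shape of the HijackThis 1.97.7 scanlog above (a subset of its entries).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50016
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us3.hpwis.com/
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\Owner\LOCALS~1\Temp\TB_ANI~1.EXE /dcheck
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50016/btiein.cab
"""
ENTRY_RE = re.compile(r"^(?P<sec>[RONF]\d+) - (?P<body>.+)$")  # "R1 - ..." / "O16 - ..."
CLSID_RE = re.compile(r"\{[0-9A-F-]{36}\}", re.I)
URL_RE = re.compile(r"https?://([^/\s]+)", re.I)
# Indicators taken from the entries BlueSpruce told the poster to fix (assumed as the rule set).
BAD_HOSTS = {"www.websearch.com", "dst.trafficsyndicate.com"}
BAD_DIRS = (r"\progra~1\toolbar", r"\program files\toolbar")

def parse(log):
    """Return (section, body) pairs for each 'Rn - ...' / 'On - ...' line."""
    ms = (ENTRY_RE.match(ln.strip()) for ln in log.splitlines())
    return [(m.group("sec"), m.group("body")) for m in ms if m]

def triage(log):
    """Return {entry_body: [reasons]} for every entry that trips a rule."""
    entries = parse(log)
    # Map each CLSID to the sections it appears in, so the R3 hook and the O2 BHO
    # backed by the same CLSID are reported as one component, not two findings.
    clsid_secs = {}
    for sec, body in entries:
        for c in CLSID_RE.findall(body):
            clsid_secs.setdefault(c.upper(), set()).add(sec)
    hits = {}
    for sec, body in entries:
        low, reasons = body.lower(), []
        host = URL_RE.search(body)
        if host and host.group(1).lower() in BAD_HOSTS:
            reasons.append("known hijacker host")
        if any(d in low for d in BAD_DIRS):
            reasons.append("loads from the Toolbar folder")
        if sec == "O4" and "\\temp\\" in low:  # autorun pointing into a Temp directory
            reasons.append("autorun from a Temp directory")
        for c in CLSID_RE.findall(body):
            others = clsid_secs[c.upper()] - {sec}
            if others:
                reasons.append("CLSID shared with " + ",".join(sorted(others)))
        if reasons:
            hits[body] = reasons
    return hits
```

The Adobe BHO and the HP start page pass through untouched, which is the point of keying on paths, hosts and shared CLSIDs rather than on "(no name)" alone.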
 
#3 ·
BlueSpruce,

Thanks for your help. I have a few issues still going on.

I could not find this and delete it:
C:\DOCUME~1\Owner\LOCALS~1\Temp\TB_ANI~1.EXE <- File

(Could this be a hidden file, I didn't think of that until now?)

>> Install SpywareBlaster Click ''Check for Updates''. Database Info at the moment should list 1222 Items.

I installed SpywareBlaster and it displayed 1222 items. The instructions in SpywareBlaster were to check all, was that correct?

I get a message KDB.EXE is missing a dll upon startup.

The IE is still strange. The background is white (no colors), some of the text is white (no color). Some of the letters come up large, regardless of what IE font setting I use. If I save an HTML page and bring it up in Word, the colors are correct. I have played with the color settings in IE, but no help. Any ideas, or where should I post this problem?

If you need a current HijackThis log, I may not be able to get to it until tomorrow evening.

Thank you,
Stu
 
#6 ·
Originally posted by stustanton:
I could not find this and delete it:
C:\DOCUME~1\Owner\LOCALS~1\Temp\TB_ANI~1.EXE <- File
(Could this be a hidden file, I didn't think of that until now?)
How to show hidden files and protected operating system files in windows

Originally posted by stustanton:
>> Install SpywareBlaster Click ''Check for Updates''. Database Info at the moment should list 1222 Items.

I installed SpywareBlaster and it displayed 1222 items. The instructions in SpywareBlaster were to check all, was that correct?
Yes indeed!... for Version 2.6.1
Javacool Software has just released SpywareBlaster Version 3.0 which offers much more comprehensive Spyware protection , Including Restricted Sites Protection , and works well in conjunction with IE-SPYAD. The recommendation is to Uninstall v2.6.1 and Install v3.0

Originally posted by stustanton:
I get a message KDB.EXE is missing a dll upon startup.

The IE is still strange. The background is white (no colors), some of the text is white (no color). Some of the letters come up large, regardless of what IE font setting I use. If I save an HTML page and bring it up in Word, the colors are correct. I have played with the color settings in IE, but no help. Any ideas, or where should I post this problem?

If you need a current HijackThis log, I may not be able to get to it until tomorrow evening.
Please show us a new Hijack This 1.97.7 scanlog for a follow-up review.

Good luck
 
#7 ·
Here is the new Hijack This log. Still unable to locate file.

Logfile of HijackThis v1.97.7
Scan saved at 6:26:58 PM, on 3/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSBasic.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\hijack this\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us3.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [HPGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyStartUp] C:\Program Files\Microsoft Money\System\Money Startup.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [PopUpStopperBasic] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSBasic.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/us/registration/2_0_0_755/sdcregie.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2002092801/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} (SDCInstaller Class) - http://www.stamps.com/download/us/cab/stamps/stamps.cab?r=0.409881591796875&file=stamps.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Thank you
Stu
 
#8 ·
Originally posted by stustanton:
Still unable to locate file.
I don't see any further evidence of the HuntBar parasite in your Hijack This scanlog , and I see you Deleted the Toolbar Folder in C:\Program Files. The Hijack This ''Fix'' and Restarting your computer likely removed the TB_ANI~1.EXE File.

Having Hijack This ''Fix'' the following scanlog entry is considered ''User's choice'' ,
HPGamesActiveMenu
O4 - HKLM\..\Run: [HPGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe

Originally posted by stustanton:
The IE is still strange. The background is white (no colors), some of the text is white (no color). Some of the letters come up large, regardless of what IE font setting I use. If I save an HTML page and bring it up in Word, the colors are correct. I have played with the color settings in IE, but no help. Any ideas, or where should I post this problem?
On your IE Toolbar , Click Tools > Internet Options > Colors... , and check ''Use Windows Colors''. Press OK.

Next , Click > Fonts... , Select Language Script: ''Latin Based''
Web Page Font: ''Times New Roman''
Plain Text Font: ''Courier New''. Press OK.

Good luck
 
#10 ·
Originally posted by stustanton:
The IE still does not have background colors. Is there a file, like an INI file, that needs to be tweaked? Would reinstalling IE help?
On the IE Toolbar , Click Tools > Internet Options > Accessibility... , and verify the 3 options under ''Formatting'' are unchecked. ''User Stylesheet'' should be unchecked as well.

If no luck , Repairing IE6 may solve the issue.
On your Taskbar , Start > Settings > Control Panel > Add/Remove Programs , Select Microsoft Internet Explorer 6 SP1 & Internet Tools , Press Add/Remove , Tick ''Repair Internet Explorer''.

Good luck
 