Hijacklog, I think I have a virus
Posted by: Jester73440
Here is my hijacklog. I hope someone can find what is causing this white pop-up screen to keep appearing when on the internet and running rundll32.exe. Thanks for the help.
-Steve
Logfile of HijackThis v1.97.7
Scan saved at 8:35:43 PM, on 10/17/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\nvsvc32.exe
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\mqsvc.exe
C:\WINNT\system32\P2P Networking\P2P Networking.exe
C:\Program Files\iolo\Common\Task Agent\Task_Agent.exe
C:\Program Files\iolo\System Mechanic 4 Professional\PopupStopper.exe
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\EnterNet.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\explorer.exe
C:\Documents and Settings\Administrator\Desktop\downloads\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://www.yahoo.com[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://www.yahoo.com[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [iolo Task Agent] C:\Program Files\iolo\Common\Task Agent\Task_Agent.exe
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 4 Professional\PopupStopper.exe"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKLM\..\RunOnce: [System Mechanic Cache Cleanup] C:\Program Files\iolo\System Mechanic 4 Professional\SysMech4.exe /COMPLETECACHE
O9 - Extra button: AOL Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
O9 - Extra button: PartyPoker.com (HKLM)
O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O10 - Unknown file in Winsock LSP: c:\winnt\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\lspak.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: Bridge by pogo - [url]http://bridge.pogo.com/applet-5.9.1.28/bridge/bridge-ob-assets.cab[/url]
O16 - DPF: Canasta by pogo - [url]http://canasta.pogo.com/applet-6.0.0.25/canasta/canasta-ob-assets.cab[/url]
O16 - DPF: Command and Conquer Comanche by pogo - [url]http://ccstrike.pogo.com/applet-5.9.2.31/ccstrike/ccstrike-ob-assets.cab[/url]
O16 - DPF: Dice Derby by pogo - [url]http://checkeredflag.pogo.com/applet-5.9.0.25/checkeredflag/checkeredflag-ob-assets.cab[/url]
O16 - DPF: Dominoes by pogo - [url]http://domino.pogo.com/applet-6.0.0.25/domino/domino-ob-assets.cab[/url]
O16 - DPF: Double Deuce Poker by pogo - [url]http://doublebonus.pogo.com/applet-5.9.1.28/videopoker2/doubledeuce-ob-assets.cab[/url]
O16 - DPF: Euchre by pogo - [url]http://euchre.pogo.com/applet-5.9.2.21/euchre/euchre-ob-assets.cab[/url]
O16 - DPF: EZ Win Bingo by pogo - [url]http://bingoe.pogo.com/applet-5.9.1.28/bingo/bingoe-ob-assets.cab[/url]
O16 - DPF: First Class Solitaire by pogo - [url]http://game3.pogo.com/applet-5.9.5.37/solitaire2/solitaire2-ob-assets.cab[/url]
O16 - DPF: Fortune Bingo by pogo - [url]http://superbingo.pogo.com/applet-5.9.5.37/superbingo/superbingo-ob-assets.cab[/url]
O16 - DPF: Greenback Bayou by pogo - [url]http://greenback.pogo.com/applet-5.9.1.28/greenback/greenback-ob-assets.cab[/url]
O16 - DPF: Hearts by pogo - [url]http://hearts.pogo.com/applet-5.9.5.30/hearts/hearts-ob-assets.cab[/url]
O16 - DPF: High Stakes Pool by pogo - [url]http://pool2.pogo.com/applet-5.9.2.21/pool2/pool-ob-assets.cab[/url]
O16 - DPF: Jungle Gin by pogo - [url]http://gin.pogo.com/applet-5.9.5.37/gin/gin-ob-assets.cab[/url]
O16 - DPF: Mah Jong Garden by pogo - [url]http://mahjong2.pogo.com/applet-5.9.0.25/mahjong/mahjong-ob-assets.cab[/url]
O16 - DPF: Phlinx by pogo - [url]http://game4.pogo.com/applet-5.9.5.30/flinger/flinger-ob-assets.cab[/url]
O16 - DPF: Pop Fu by pogo - [url]http://popfu.pogo.com/applet-5.9.1.28/popfu/popfu-ob-assets.cab[/url]
O16 - DPF: Spades by pogo - [url]http://spades.pogo.com/applet-5.9.5.30/spades/spades-ob-assets.cab[/url]
O16 - DPF: Squelchies by pogo - [url]http://squelchies.pogo.com/applet-5.9.5.30/squelchies/squelchies-ob-assets.cab[/url]
O16 - DPF: Sweet Tooth TM by pogo - [url]http://sweettooth.pogo.com/applet-5.9.1.28/sweettooth/sweettooth-ob-assets.cab[/url]
O16 - DPF: Texas Hold'em Poker by pogo - [url]http://holdem2.pogo.com/applet-5.9.2.21/holdem/holdem-ob-assets.cab[/url]
O16 - DPF: Tri-Peaks by pogo - [url]http://game4.pogo.com/applet-5.9.5.30/peaks/peaks-ob-assets.cab[/url]
O16 - DPF: Turbo 21 TM by pogo - [url]http://game5.pogo.com/applet-5.9.5.37/turbo21/turbo21-ob-assets.cab[/url]
O16 - DPF: Word Whomp Whackdown by pogo - [url]http://whackdown.pogo.com/applet-5.9.1.18/whackdown/whackdown-ob-assets.cab[/url]
O16 - DPF: WordJong by pogo - [url]http://wordjong.pogo.com/applet-6.0.0.25/wordjong/wordjong-ob-assets.cab[/url]
O16 - DPF: World Class Solitaire by pogo - [url]http://game4.pogo.com/applet-5.9.5.37/worldclass/worldclass-ob-assets.cab[/url]
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - [url]http://active.macromedia.com/director/cabs/sw.cab[/url]
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - [url]http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?[/url]
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - [url]http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB[/url]
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - [url]http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab[/url]
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - [url]http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab[/url]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [url]http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab[/url]
Posted by: DMo224
If you don't recognize the URLs in the R0 thru R4s, you can have HJT fix them.
[b]R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = [/b]
Fix:
[b]R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)[/b]
[color=red]O10 are Winsock hijackers. It is best to fix them using SpyBot S&D or [url=http://www.cexx.org/lspfix.htm]LSP-Fix[/url].[/color]
O16 are ActiveX downloads. If you don't recognize the name, then have HJT fix it, but I didn't see any that looked bad.
[size=1][i]IMO, you should get rid of any P2P programs since this is an easy way for "intruders" to get into your PC.[/i][/size]
Dave :D
Posted by: wead
Shady shiet you should get rid of, Bro:
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\iolo\System Mechanic 4 Professional\PopupStopper.exe
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\EnterNet.exe
I'm not gonna reply to the IE spyware you have; all I'm going to say is this: Sounds like you got the Netsky worm. I noticed people that use Pogo.com are more susceptible to that type of virus. Here are my suggestions:
1. Stop playing on pogo.com
2. Get a firewall. (a lot of them are free)
3. Stop using IE. Use mozilla firefox.
4. Download Adaware SE
5. Restart in Safe mode.
6. Scan with Anti Virus, Adaware, disable sys restore.
If that doesn't work try doing a remote scan from trend.com or other AV company sites.
Mozilla Firefox is so much better than IE, security-wise and happiness-wise.
Posted by: southernlady
Jester73440, your log is an outdated one. You need to download and run a new, updated HiJack log. You can find it here: [url]http://www.merijn.org/downloads.html[/url]. Make sure it reads version 1.98.2. If that link is out of order, go to this one:
[url]http://www.majorgeeks.com/download3155.html[/url] Liz
Posted by: southernlady
Closing thread due to lack of activity. Liz