Hijack This Log - want rid of a couple of things




Posted by: Humbucker

There are a couple of things that load on startup that I really want rid of, but they seem to be determined to stay. I figured I'd post a HJ log and hopefully one of you in-the-know peeps will help me to get rid of them. One is a 'Windows' reactivation scam thingy that has been loading on startup since November asking for my credit card number to 'reactivate' Windows. It's without doubt a scam/spyware, as we only got the computer (brand new) with Windows XP a couple of weeks before the message started coming up. The other thing I want rid of is 'Health Check', which was loaded onto the computer by the place we bought it, but it doesn't work nor serve any purpose. It also loads at EVERY startup. I'm pretty sure that is it near the end of the log - 'Health Notifier' - but wanted to ask here first. Also my system has been crashing 2 or 3 times a day for the last 2 days; if doing this would improve that then it would be a good bonus too. Firstly, I will post a list of the spyware/antivirus programs I use. I use all these regularly (at least weekly):-

Spysweeper
Spyware Blaster
Spybot S + D
Adaware
Microsoft Anti Spyware Beta
Avg Anti Virus free
Trend Micro(Housecall) online virus scan
Panda online virus scan
Bitdefender online virus scan

I did checks with ALL of these yesterday.

Here is my log:-

Logfile of HijackThis v1.99.1
Scan saved at 11:06:54, on 08/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
c:\windows\system32\HealthNotifier.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\system32\DeltTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\MicroStar\WLANUtility\WlanUtility.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\MicroStar\WLANUtility\WLAN_Service.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Liam\Desktop\Installers\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [url]http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/[/url]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://www.btyahoo.com/[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url]http://www.tiny.com[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [url]http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [url]http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [url]http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://www.web--search.com[/url]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [url]http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/[/url]
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\RunServices: [Windows Media Player Update] cipedhb.exe
O4 - HKLM\..\RunOnce: [Windows DOS] C:\WINDOWS\system32\dos05.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Windows Media Player Update] cipedhb.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\RunServices: [Windows Media Player Update] cipedhb.exe
O4 - Global Startup: WlanUtility.lnk = C:\Program Files\MicroStar\WLANUtility\WlanUtility.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\BROWSER\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\BROWSER\ysidebarIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.tiny.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - [url]http://housecall-beta.trendmicro.com/housecall/xscan60.cab[/url]
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - [url]http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB[/url]
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - [url]http://www.windowsecurity.com/trojanscan/TDECntrl.CAB[/url]
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - [url]http://64.156.31.79/100039/uk/ringtone/ringtone.exe[/url]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [url]http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1099747786531[/url]
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - [url]http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab[/url]
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - [url]http://www.bitdefender.com/scan/Msie/bitdefender.cab[/url]
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - [url]http://www.pandasoftware.com/activescan/as5/asinst.cab[/url]
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - [url]http://downloads.broadbandassist.com/BTYahoo[/url]!Help/PreQual/files/MotivePreQual.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A982BA31-A4ED-4023-85E5-560238E5FEFA}: NameServer = 194.72.9.55 194.74.65.86
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: HealthNotifier - Unknown owner - c:\windows\system32\HealthNotifier.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

All help much appreciated! :)



Posted by: Humbucker

*bump* would really appreciate some help with this. :)



Posted by: Ropponmatsu

I only had a few minutes to skim over it but so far the main (only?) problem I see is:

C:\WINDOWS\system32\DeltTray.exe

O4 - HKLM\..\Run: [DeltTray] DeltTray.exe


It's a trojan and could very well be what's causing your problem. Try and uninstall it with a virus scanner and then post back here.



Posted by: Humbucker

[QUOTE][i]Originally posted by Ropponmatsu [/i]
[B]I only had a few minutes to skim over it but so far the main (only?) problem I see is:

C:\WINDOWS\system32\DeltTray.exe

O4 - HKLM\..\Run: [DeltTray] DeltTray.exe


It's a trojan and could very well be what's causing your problem. Try and uninstall it with a virus scanner and then post back here. [/B][/QUOTE]

Somebody on another forum helped me out with the log and got rid of the annoying startup items but they didn't mention that file - none of the virus scans I use have mentioned it. Do you know of a scanner I could use to get rid of it?



Posted by: Humbucker

Actually just did a search on DeltTray and it's the driver for my M-Audio delta soundcard.



Posted by: Ropponmatsu

Hah. Double checked and you're right. Sorry about that, don't know how I messed up on that one.



Posted by: rmm55

If msconfig - startup - uncheck health notifier and reactivate windows - doesn't do it, then go into start - run - regedit and clean all your "Run" keys of the above listed items. Go to HKLM - software - Microsoft - Windows - Current Version - Run, and also HKCU - software - Microsoft - Windows - Current Version - Run.



Posted by: Humbucker

[QUOTE][i]Originally posted by rmm55 [/i]
[B]If msconfig - startup - uncheck health notifier and reactivate windows - doesn't do it, then go into start - run - regedit and clean all your "Run" keys of the above listed items. Go to HKLM - software - Microsoft - Windows - Current Version - Run, and also HKCU - software - Microsoft - Windows - Current Version - Run. [/B][/QUOTE]

I've got rid of all the annoying stuff now - thanks though :)



Posted by: Warez Monster

Remove entries at your own risk


This.exe This is an unknown process.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://www.web--search.com[/url] This entry should be fixed by HijackThis!

O4 - HKLM\..\RunOnce: [Windows DOS] C:\WINDOWS\system32\dos05.exe Unknown application.

O14 - IERESET.INF: START_PAGE_URL=http://www.tiny.com This entry should be fixed if this address does not belong to your PC manufacturer or your Internet Service Provider (ISP).

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) This entry is possibly nasty. Should be fixed.

O17 - HKLM\System\CCS\Services\Tcpip\..\{A982BA31-A4ED-4023-85E5-560238E5FEFA}: NameServer = 194.72.9.55 194.74.65.86 If this domain does not belong to your ISP or your firm's network, these entries should be fixed. 'SearchList' entries should be fixed too. Do you know the IP or domain '194.72.9.55 194.74.65.86'? If not, fix this entry.
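Added example, not part of the thread or of HijackThis itself: a small Python triage script that applies the checks the replies above make by hand to the O4, O16 and O17 lines of a HijackThis log. It flags autostart commands given as a bare filename (resolved via PATH, so the location cannot be verified from the log), values under RunServices (a Windows 9x/Me key that XP does not process), RunOnce values still present after logon (Windows deletes them when it runs them), ActiveX (DPF) downloads that point at a bare IP or at something other than a package, nameservers not in a trusted list, and the same program registered under several autostart locations. The sample input is copied from the log posted above; the severity labels, the regular expressions and the trusted-nameserver list are my own assumptions, not anything HijackThis defines.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: lines copied from the HijackThis log posted in this
# thread (forum [url] tags included, as they appear on the page).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [Windows Media Player Update] cipedhb.exe
O4 - HKLM\..\RunOnce: [Windows DOS] C:\WINDOWS\system32\dos05.exe
O4 - HKCU\..\Run: [Windows Media Player Update] cipedhb.exe
O4 - HKCU\..\RunServices: [Windows Media Player Update] cipedhb.exe
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - [url]http://64.156.31.79/100039/uk/ringtone/ringtone.exe[/url]
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - [url]http://www.bitdefender.com/scan/Msie/bitdefender.cab[/url]
O17 - HKLM\System\CCS\Services\Tcpip\..\{A982BA31-A4ED-4023-85E5-560238E5FEFA}: NameServer = 194.72.9.55 194.74.65.86
"""

# Assumed line shapes for the three HijackThis sections handled here.
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<desc>[^)]*)\))? - (?P<target>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.*)$")
ACTIVEX_PACKAGE_SUFFIXES = (".cab", ".ocx", ".dll")


def strip_bbcode(line):
    """Remove the forum's [url]...[/url] wrapping so URLs parse cleanly."""
    return re.sub(r"\[/?url\]", "", line)


def exe_from_command(cmd):
    """Return the executable part of a Run value (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def triage(log_text, trusted_nameservers=()):
    """Return (severity, subject, reason) findings for O4/O16/O17 lines."""
    findings = []
    locations = defaultdict(set)  # executable basename -> autostart locations
    for raw in log_text.splitlines():
        line = strip_bbcode(raw.strip())
        m = O4_RE.match(line)
        if m:
            exe = exe_from_command(m["cmd"])
            base = exe.rsplit("\\", 1)[-1].lower()
            locations[base].add(f'{m["hive"]}\\{m["key"]}')
            if "\\" not in exe:
                findings.append(("low", line, f"bare filename {exe!r}: found via PATH, install location cannot be verified from the log"))
            if m["key"].startswith("RunServices"):
                findings.append(("medium", line, "RunServices is only processed by Windows 9x/Me; XP ignores it, so a value here is a stray or a careless self-installer"))
            if m["key"] == "RunOnce":
                findings.append(("medium", line, "RunOnce value still present after logon: Windows deletes these when run, so something re-plants it or an install is pending"))
            continue
        m = O16_RE.match(line)
        if m and m["target"].lower().startswith("http"):
            url = urlparse(m["target"])
            host = url.hostname or ""
            if re.fullmatch(r"\d+\.\d+\.\d+\.\d+", host):
                findings.append(("high", line, f"ActiveX download from bare IP {host}"))
            if not url.path.lower().endswith(ACTIVEX_PACKAGE_SUFFIXES):
                findings.append(("high", line, f"DPF target is not an ActiveX package: {url.path.rsplit('/', 1)[-1]}"))
            continue
        m = O17_RE.match(line)
        if m:
            for ip in m["servers"].split():
                if ip not in trusted_nameservers:
                    findings.append(("medium", line, f"nameserver {ip} not in trusted list; confirm with the ISP before fixing"))
    # The same program under several Run locations is a persistence pattern
    # legitimate installers almost never use.
    for base, locs in locations.items():
        if len(locs) > 1:
            findings.append(("high", base, f"same program registered in {len(locs)} autostart locations: {', '.join(sorted(locs))}"))
    return findings


def count_by_severity(findings):
    counts = defaultdict(int)
    for severity, _, _ in findings:
        counts[severity] += 1
    return dict(counts)


if __name__ == "__main__":
    for severity, subject, reason in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {subject}")
```

Run against the sample, the script flags the ringtone.exe DPF entry twice (bare IP, not a package), the cipedhb.exe entry for being registered under three autostart locations plus its two RunServices values, the dos05.exe RunOnce value, both nameservers while the trusted list is empty, and the bare filenames at low severity. DeltTray.exe shows up there as well, which is exactly the sort of low-confidence hit that, as the thread found, needs a lookup before acting on it. Pass the ISP's resolvers as `trusted_nameservers` to silence the O17 findings.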