Help!!

sheaheck · 10-29-2004, 04:16 PM

here is my hijack this log, but I am not sure what to delete. Can anyone help me?

Logfile of HijackThis v1.98.2
Scan saved at 2:21:53 PM, on 10/29/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\WINDOWS\system32\crfn32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PopUpStopperProfessional.exe
C:\WINDOWS\System32\??oolsv.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\nkkwfq.dat
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Ad-aware 6\Ad-aware.exe
C:\DOCUME~1\shea\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ldbza.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {38F6EAD3-A605-4E22-E382-1F90ADD04248} - C:\WINDOWS\msfa.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0. dll
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaE ngineMain
O4 - HKLM\..\Run: [apifg.exe] C:\WINDOWS\system32\apifg.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [crfn32.exe] C:\WINDOWS\system32\crfn32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperProfessional] C:\PROGRA~1\PANICW~1\POP-UP~1\PopUpStopperProfessional.exe
O4 - HKCU\..\Run: [Rnas] C:\Documents and Settings\shea\Application Data\esld.exe
O4 - HKCU\..\Run: [Ppj] C:\WINDOWS\System32\?hkntfs.exe
O4 - HKCU\..\Run: [Epnu] C:\Documents and Settings\shea\Application Data\sccm.exe
O4 - HKCU\..\Run: [Xvggvhd] C:\WINDOWS\System32\??oolsv.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\3.bin\MWSOEMON.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZCxdm235XXUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .MOV: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .PDF: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - http://www.wildtangent.com/install/j...avx86_3805.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...tup1.0.0.8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1095354832460

Dave · 10-29-2004, 08:37 PM

R0 through R3 are start and search pages. If you don't recognize the name or the url, you can have HJT fix it.

For example:
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ldbza.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing

I suggest updating and running your AV. There are a couple of free online scans that are good. Then run Ad-Aware and SpyBot S&D.

Reboot and post a new HJT log.

Dave

sheaheck · 10-31-2004, 12:18 PM

Thanks!

I ran Norton2005, Spybot S&D, and Ad-Aware. Here is new HJT log

Logfile of HijackThis v1.98.2
Scan saved at 1:17:24 PM, on 10/31/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PopUpStopperProfessional.exe
C:\WINDOWS\System32\??oolsv.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\shea\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\frzuq.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D0CEC06E-821E-9959-CABB-8F52B1005BA8} - C:\WINDOWS\system32\addrf.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0. dll
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaE ngineMain
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperProfessional] C:\PROGRA~1\PANICW~1\POP-UP~1\PopUpStopperProfessional.exe
O4 - HKCU\..\Run: [Rnas] C:\Documents and Settings\shea\Application Data\esld.exe
O4 - HKCU\..\Run: [Ppj] C:\WINDOWS\System32\?hkntfs.exe
O4 - HKCU\..\Run: [Epnu] C:\Documents and Settings\shea\Application Data\sccm.exe
O4 - HKCU\..\Run: [Xvggvhd] C:\WINDOWS\System32\??oolsv.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZCxdm235XXUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .MOV: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .PDF: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - http://www.wildtangent.com/install/j...avx86_3805.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1095354832460

wead · 11-05-2004, 09:14 AM

C:\PROGRA~1\PANICW~1\POP-UP~1\PopUpStopperProfessional.exe
C:\WINDOWS\System32\??oolsv.exe
= shady entries.
Chances are norton won't find running trojans or whatever.
I suggest : Stop using IE, Use mozilla firefox, get a firewall, and reboot in safe mode then run spysweeper/adaware SE/Norton. Also I suggest downloading a program called BODETECT. It will find active trojans and remove them. I would definatly get rid of that ??olsrv or whatever. I am sure its a virus.

southernlady · 01-24-2005, 02:32 PM

Closing thread due to lack of activity. Liz

10-29-2004, 04:16 PM	#1 (permalink)
sheaheck Newb Techie Join Date: Oct 2004 Posts: 4	Help!! here is my hijack this log, but I am not sure what to delete. Can anyone help me? Logfile of HijackThis v1.98.2 Scan saved at 2:21:53 PM, on 10/29/2004 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\WINDOWS\system32\RUNDLL32.exe C:\WINDOWS\system32\crfn32.exe C:\Program Files\Messenger\msmsgs.exe C:\PROGRA~1\PANICW~1\POP-UP~1\PopUpStopperProfessional.exe C:\WINDOWS\System32\??oolsv.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE C:\Program Files\AIM\aim.exe C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe C:\WINDOWS\nkkwfq.dat C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\System32\alg.exe C:\Program Files\Ad-aware 6\Ad-aware.exe C:\DOCUME~1\shea\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ldbza.dll/sp.html#37049 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - Default URLSearchHook is missing O2 - BHO: (no name) - {38F6EAD3-A605-4E22-E382-1F90ADD04248} - C:\WINDOWS\msfa.dll O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0. dll O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaE ngineMain O4 - HKLM\..\Run: [apifg.exe] C:\WINDOWS\system32\apifg.exe O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKLM\..\Run: [crfn32.exe] C:\WINDOWS\system32\crfn32.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [PopUpStopperProfessional] C:\PROGRA~1\PANICW~1\POP-UP~1\PopUpStopperProfessional.exe O4 - HKCU\..\Run: [Rnas] C:\Documents and Settings\shea\Application Data\esld.exe O4 - HKCU\..\Run: [Ppj] C:\WINDOWS\System32\?hkntfs.exe O4 - HKCU\..\Run: [Epnu] C:\Documents and Settings\shea\Application Data\sccm.exe O4 - HKCU\..\Run: [Xvggvhd] C:\WINDOWS\System32\??oolsv.exe O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0 O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1 O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\3.bin\MWSOEMON.EXE O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZCxdm235XXUS O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU) O12 - Plugin for .MOV: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll O12 - Plugin for .PDF: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - http://www.wildtangent.com/install/j...avx86_3805.exe O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...tup1.0.0.8.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1095354832460

10-29-2004, 08:37 PM	#2 (permalink)
Dave Admin Join Date: Mar 2002 Location: "Almost Heaven" USA Posts: 4,855	R0 through R3 are start and search pages. If you don't recognize the name or the url, you can have HJT fix it. For example: R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ldbza.dll/sp.html#37049 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - Default URLSearchHook is missing I suggest updating and running your AV. There are a couple of free online scans that are good. Then run Ad-Aware and SpyBot S&D. Reboot and post a new HJT log. Dave __________________ Tech Forums Moderating Policies \| Forum Rules \| ***PROFANITY*** Note that I do not accept support requests via IM, email, or PMs. Please ask it on the forums. Trying this out: My Dollar Store :: Naturally Good

11-05-2004, 09:14 AM	#4 (permalink)
wead Junior Techie Join Date: Sep 2004 Posts: 97	C:\PROGRA~1\PANICW~1\POP-UP~1\PopUpStopperProfessional.exe C:\WINDOWS\System32\??oolsv.exe = shady entries. Chances are norton won't find running trojans or whatever. I suggest : Stop using IE, Use mozilla firefox, get a firewall, and reboot in safe mode then run spysweeper/adaware SE/Norton. Also I suggest downloading a program called BODETECT. It will find active trojans and remove them. I would definatly get rid of that ??olsrv or whatever. I am sure its a virus. __________________ -Download wead antivirus today using your brain!-

01-24-2005, 02:32 PM	#5 (permalink)
southernlady Monster Techie Join Date: Nov 2004 Posts: 1,346	Closing thread due to lack of activity. Liz __________________ Priority Computers \| AdAware SE \| SpyBot-Search & Destroy \| SpywareBlaster \| SpywareGuard \| HijackThis \| Stealing is illegal Powered by Emily!

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

10-31-2004, 12:18 PM	#3 (permalink)
sheaheck Newb Techie Join Date: Oct 2004 Posts: 4	Thanks! I ran Norton2005, Spybot S&D, and Ad-Aware. Here is new HJT log Logfile of HijackThis v1.98.2 Scan saved at 1:17:24 PM, on 10/31/2004 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Messenger\msmsgs.exe C:\PROGRA~1\PANICW~1\POP-UP~1\PopUpStopperProfessional.exe C:\WINDOWS\System32\??oolsv.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\Program Files\AIM\aim.exe C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\system32\wuauclt.exe C:\Documents and Settings\shea\My Documents\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\frzuq.dll/sp.html#37049 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - Default URLSearchHook is missing O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O2 - BHO: (no name) - {D0CEC06E-821E-9959-CABB-8F52B1005BA8} - C:\WINDOWS\system32\addrf.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0. dll O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaE ngineMain O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [PopUpStopperProfessional] C:\PROGRA~1\PANICW~1\POP-UP~1\PopUpStopperProfessional.exe O4 - HKCU\..\Run: [Rnas] C:\Documents and Settings\shea\Application Data\esld.exe O4 - HKCU\..\Run: [Ppj] C:\WINDOWS\System32\?hkntfs.exe O4 - HKCU\..\Run: [Epnu] C:\Documents and Settings\shea\Application Data\sccm.exe O4 - HKCU\..\Run: [Xvggvhd] C:\WINDOWS\System32\??oolsv.exe O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0 O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZCxdm235XXUS O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .MOV: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll O12 - Plugin for .PDF: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - http://www.wildtangent.com/install/j...avx86_3805.exe O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1095354832460