HijackThis log, could someone help me with it please?

Wendy_au (Newbie, Posts: 7, Loc: Australia) - Post 3+ Months Ago

Hi,

I found your forum while I was doing a search for the HijackThis download. The problem I am having is with 'cool search' hijacking my IE browser. I found a couple of things that were obviously evil, i.e. xxxtoolbar :twisted: but what do I do with them now, and is it them that could be causing this stupid and very annoying 'cool search' to keep coming back? :? I have Spy Sweeper, which keeps restoring my original home page, but I really need to get rid of 'cool search'; it has some very worrying links considering that this computer is mainly used by my kids.


Thanks in advance for your help.


Logfile of HijackThis v1.97.7
Scan saved at 12:52:10 PM, on 26/09/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\services\wmplayer.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\Yahoo!\Messenger\YPAGER.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customi ... .yahoo.com
F1 - win.ini: run=C:\WINDOWS\SYSTEM32\services\wmplayer.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM32\services\wmplayer.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM32\services\wmplayer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.xxxtoolbar.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shoc ... tor/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... 040510.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares ... egular.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2599273a9cf ... xIE601.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C ... .165787037
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc ... wflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/p ... der_v5.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://liveca06.rightnowtech.com/6010-b ... a/RntX.cab
O16 - DPF: {EDFCDAF5-95D9-40E9-BBE6-10C33190C3EF} (cGameControl Class) - http://zone.msn.com/bingame/rmcb/default/RumbleCube.cab

Foxy (Guru, Posts: 1038, Loc: places..) - Post 3+ Months Ago

Cool search: there's a program called CWShredder that removes those.


available here
http://www.spywareinfo.com/~merijn/files/cwshredder.zip

Run this, but have all windows closed! It's also written by the writer of HijackThis :p

JrzyCrim (Mastermind, Posts: 2062) - Post 3+ Months Ago

Hello Wendy, Welcome to Ozzu. :)

Use CWShredder as Foxy recommended.

Before you post a new HijackThis log, have a look at this:
http://www.ozzu.com/sutra133028.html#133028

Some general guidelines and steps you should follow before posting a log. Don't worry about using Spybot S&D and Adaware. I don't think that will do much for you in this case.

In the meantime, I'll look at your current log and formulate a plan of attack.

Wendy_au (Newbie, Posts: 7, Loc: Australia) - Post 3+ Months Ago

Hi Foxy and Jim,

Thank you both for your help. I have just run the HouseCall anti-virus and it found 6 viruses that my AVG anti-virus didn't find. I also got CWShredder and 'cool search' is finally gone, yippee, woohoo, yah. People who make that kind of thing should be shot or at the very least slapped around a bit.

As for all the other stuff in my HijackThis log, I have no idea about it or what to do with it, so I thank you for looking at it for me Jim. The xxxtoolbar thing is a dead giveaway that hubby has been looking at boobies :lol: I think he should stick to magazines, much less trouble with viruses that way.

JrzyCrim (Mastermind, Posts: 2062) - Post 3+ Months Ago

Go ahead and post a new log with the latest version of HijackThis. There are links for it in that other thread I referred you to. There are still some issues that need to be addressed.

btw, you're welcome. :)

Wendy_au wrote:
the xxxtoolbar thing is a dead giveaway that hubby has been looking at boobies :lol: I think he should stick to magazines, much less trouble with viruses that way.


Lol, porn sites are by far the worst sites you can visit. They will invariably infect your system with tonnes of garbage.

Wendy_au (Newbie, Posts: 7, Loc: Australia) - Post 3+ Months Ago

OK, all done.

I haven't gotten rid of the xxx thing yet; do I tick it and click on fix? Did I mention the technology kinda left me behind and I'm just starting to work out how things work, so I apologize if some of the things I say sound dumb :)

Thanks again.



Logfile of HijackThis v1.98.2
Scan saved at 3:11:51 PM, on 26/09/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\Yahoo!\Messenger\YPAGER.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
F3 - REG:win.ini: run=C:\WINDOWS\SYSTEM32\services\wmplayer.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... 040510.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares ... egular.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2599273a9cf ... xIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/p ... der_v5.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://liveca06.rightnowtech.com/6010-b ... a/RntX.cab
O16 - DPF: {EDFCDAF5-95D9-40E9-BBE6-10C33190C3EF} (cGameControl Class) - http://zone.msn.com/bingame/rmcb/default/RumbleCube.cab

WoRd Of WiSdOm (Proficient, Posts: 284, Loc: Riverside, California) - Post 3+ Months Ago

Wendy_au wrote:
Hi,
Logfile of HijackThis v1.97.7
Scan saved at 12:52:10 PM, on 26/09/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)


I know it's off the subject of the HijackThis log, but Wendy, you really should install SP1 or SP2, as it contains security updates that keep Windows XP running virus-free (i.e. Blaster, Sasser) and also patches up other holes that Windows XP has.

JrzyCrim (Mastermind, Posts: 2062) - Post 3+ Months Ago

This shouldn't take long :) There are no dumb questions when it comes to things like this. HijackThis is a powerful tool and can really screw things up if used improperly.

You should print the following instructions or save them to a text file so you will have them handy after rebooting.

Run HijackThis, scan, and check the following items (don't fix them yet):

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=29126

F3 - REG:win.ini: run=C:\WINDOWS\SYSTEM32\services\wmplayer.exe
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)

O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM32\services\wmplayer.exe
O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM32\services\wmplayer.exe
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.xxxtoolbar.com

O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares ... egular.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2599273a9cf ... xIE601.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://liveca06.rightnowtech.com/6010-b ... a/RntX.cab

Optional fixes: these aren't harmful, but they are not necessary. Fixing these will not remove the programs but will prevent them from launching at startup, saving you a little on system resources.

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

Close all browsers and windows except HijackThis, then click 'Fix Checked'.

Don't worry if all the entries aren't present. Some of them were fixed with HouseCall...

Reboot into Safe Mode

Disable System Restore
Right Click on "My Computer"
Select Properties
Go to the System Restore Tab
Check 'Turn off System Restore on all drives'.
Click OK

Display hidden files and folders
Go to Start > Run
Enter: control folders
Go to the View tab.
Check "Show hidden files and folders"
Uncheck "Hide protected Operating System files"
Click OK

Delete the following file:
C:\WINDOWS\SYSTEM32\services\wmplayer.exe << That's not really Windows Media player. It's the w32/agobot-bm worm.
See this for a description: http://www.sophos.com/virusinfo/analyse ... botbm.html

Clear Temporary Folders\Files and Internet Files
Go to Start > Run
Enter: cleanmgr

Make sure only the following are checked:
Temporary Internet files
Recycle Bin
Temporary Files

Click OK

Log in for each user on your system and repeat the steps for Clearing Temporary Folders\Files and Internet Files.

Reboot into normal mode, run HijackThis, scan, save and post your new log.

After you get everything sorted, you should really consider paying a visit to Windows Update. There have been numerous security patches for Windows/Internet Explorer since XP originally came out. Currently you are vulnerable to many nasty things that are floating around.
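
As an added example, not code from this thread or from HijackThis itself, here is a small Python triage script that applies the rules Jim's list above illustrates: a redirected R1 search bar, a win.ini run= entry, orphaned '(no file)' BHO/menu entries, an O4 entry running a system-binary name from the wrong folder, every O15 Trusted Zone entry, O16 ActiveX downloads from unrecognised hosts, and one executable registered in several autostart places at once. The expected home-page hosts, the list of O16 download hosts that need no review, and the map of where XP really keeps wmplayer.exe, svchost.exe and explorer.exe are assumptions of this example; the sample lines are copied from the logs posted in this thread.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis lines posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=29126
F3 - REG:win.ini: run=C:\WINDOWS\SYSTEM32\services\wmplayer.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM32\services\wmplayer.exe
O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM32\services\wmplayer.exe
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.searchmiracle.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares ... egular.cab
"""


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O15"
    severity: str  # "high": fix it; "review": orphaned or unknown, check before fixing
    line: str      # the log line (or the executable path for the cross-reference check)
    reason: str


# Assumptions of this example (adjust to the machine being triaged):
EXPECTED_BROWSER_HOSTS = {"www.yahoo.com", "red.clientapps.yahoo.com"}  # the user's real home/search pages
KNOWN_DPF_HOSTS = ("apple.com", "macromedia.com", "microsoft.com", "msn.com",
                   "yahoo.com", "yimg.com", "real.com", "akamai.net")   # O16 download hosts needing no review
EXPECTED_DIRS = {  # where Windows XP really keeps binaries that malware likes to impersonate
    "wmplayer.exe": r"c:\program files\windows media player",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

_LINE = re.compile(r"^(R[0-3]|F[0-3]|O\d+) - (.*)$")
_O4_PATH = re.compile(r'\] (?:"([^"]+)"|(.+?\.exe))', re.IGNORECASE)  # quoted path, or up to first .exe
_URL = re.compile(r"https?://\S+")


def _host_of(text):
    m = _URL.search(text)
    return urlparse(m.group(0)).hostname.lower() if m else None


def _known(host, suffixes):
    return host is not None and any(host == s or host.endswith("." + s) for s in suffixes)


def triage(log_text):
    """Return a list of Finding for the suspicious lines of a HijackThis log."""
    findings = []
    autostart = defaultdict(set)  # lower-cased exe path -> autostart locations it is registered in

    for raw in log_text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue
        tag, body = m.groups()
        if tag in ("R0", "R1"):
            host = _host_of(body)
            if host and host not in EXPECTED_BROWSER_HOSTS:
                findings.append(Finding(tag, "high", raw, f"IE start/search page points at {host}"))
        elif tag.startswith("F"):
            key, _, path = body.partition("=")
            if key.lower().rstrip().endswith(("run", "load")):
                findings.append(Finding(tag, "high", raw, "win.ini run=/load= autostart; rarely legitimate on XP"))
                autostart[path.strip().lower()].add(tag)
        elif tag == "O4":
            pm = _O4_PATH.search(body)
            if pm:
                path = pm.group(1) or pm.group(2)
                autostart[path.lower()].add("O4 " + body.split("\\", 1)[0])  # "O4 HKLM" / "O4 HKCU"
                folder, _, name = path.lower().rpartition("\\")
                expected = EXPECTED_DIRS.get(name)
                if expected and folder != expected:
                    findings.append(Finding(tag, "high", raw,
                                            f"{name} runs from {folder!r}, the real one lives in {expected!r}"))
        elif tag in ("O2", "O3", "O9") and "(no file)" in body:
            findings.append(Finding(tag, "review", raw, "orphaned entry, target file missing; safe to fix"))
        elif tag == "O15":
            findings.append(Finding(tag, "high", raw, "domain placed in IE Trusted Zone, which lowers security for it"))
        elif tag == "O16":
            host = _host_of(body)
            if not _known(host, KNOWN_DPF_HOSTS):
                findings.append(Finding(tag, "review", raw, f"ActiveX download from unrecognised host {host}"))

    # Cross-reference: one executable registered in several autostart places is a persistence pattern.
    for path, places in autostart.items():
        if len(places) > 1:
            findings.append(Finding("O4", "high", path,
                                    f"registered in {len(places)} autostart locations: {sorted(places)}"))
    return findings


if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: f.severity):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```

Run against the sample it reports the same entries Jim lists as high (the lookfor.cc search bar, the win.ini entry, both xpsystem Run keys, the Trusted Zone domains, and wmplayer.exe being registered three times), while the Acrobat BHO, the Intel and Java Run keys and the Apple ActiveX control stay silent; the orphaned BHO and Tools entry and the xxxtoolbar download come back as "review".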

Wendy_au (Newbie, Posts: 7, Loc: Australia) - Post 3+ Months Ago

OK, dumb question number 1 (and please don't laugh): how do I reboot in Safe Mode? :lol:

JrzyCrim (Mastermind, Posts: 2062) - Post 3+ Months Ago

Sorry, I should have made it more clear. There's a link in my last post, Safe Mode. It takes you to a page with instructions.

http://www.jayloden.com/SafeMode.htm

LAbrego "brego from LA" (Web Master, Posts: 2854) - Post 3+ Months Ago

Wendy_au wrote:
so I apologize if some of the things I say sound dumb

I don't think you could sound dumber than me sometimes, Wendy :lol: especially in the morning without my morning cup of coffee... btw, I think I need some right now *sweeps out to get some coffee*

BTW: Before I leave for my coffee, listen to WoRd Of WiSdOm too, and as soon as Jim gets your machine fixed go to http://www.windowsupdate.com and install the latest updates for Windows :wink:

Wendy_au (Newbie, Posts: 7, Loc: Australia) - Post 3+ Months Ago

Thank you for making me feel better larz, it's late Sunday afternoon here and I'm still waiting for coffee :cry:

Thank you also, WoRd Of WiSdOm; getting the updates is my next stop after 'Jim the legend' has helped me sort this mess out.

Jim, I have followed all your steps; there are just a couple of things that I couldn't do:

1. I don't seem to have a System Restore tab when I right-click on My Computer.

2. I couldn't find that file with a worm in it any more, maybe it got scared and ran off.

This is the log now, how am I doing?


Logfile of HijackThis v1.98.2
Scan saved at 4:19:53 PM, on 26/09/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... 040510.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/p ... der_v5.cab
O16 - DPF: {EDFCDAF5-95D9-40E9-BBE6-10C33190C3EF} (cGameControl Class) - http://zone.msn.com/bingame/rmcb/default/RumbleCube.cab

JrzyCrim (Mastermind, Posts: 2062) - Post 3+ Months Ago

Your log looks clean. Great job :)

HouseCall probably got rid of the worm. I just wanted to make sure it was really gone.

As far as system restore goes, I'm not really sure. This could be of help:
http://www.jsiinc.com/SUBQ/tip8100/rh8136.htm

I'll look for other solutions if the above doesn't pan out.

Now, the obligatory prevention speech :D

For the Future Prevention of Spyware/Malware and other Security Issues
-----------------------------------------------------------------------
Microsoft issues security updates on a regular basis. These updates patch vulnerabilities that hackers can exploit. Please visit Windows Update and install all Critical updates for Windows and Internet Explorer.
http://v4.windowsupdate.microsoft.com/c ... efault.asp

Keep your Anti-Virus program up-to-date. This is very important. New viruses are released at an alarming rate. By keeping your AV program updated, you greatly reduce the risk of being infected.

Spyware cleaning programs such as Spybot Search and Destroy and Adaware are a must have for any internet user. Seemingly benign websites can cause great harm to the unwary user.
  • AdAware
  • Spybot Search and Destroy
I recommend installing both of these and updating them on a regular basis. A good article to read:
So how did I get infected in the first place?

The above article mentions a favorite program of mine: SpywareBlaster. This is an excellent program which:
  • Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
  • Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
  • Restricts the actions of potentially dangerous sites in Internet Explorer.

A firewall is also an important tool for system security. I recommend reading this article:
Understanding and Using Firewalls

Again, it is essential to keep all of these programs up-to-date. The longer you go without updating them, the less effective they become.

Wendy_au (Newbie, Posts: 7, Loc: Australia) - Post 3+ Months Ago

Thanks Jim,

You have no idea how much help you have been. How do you know all this stuff? How do you remember where it all is? It all looks like it's written in Swahili to me.

I will download the spyware programs later tonight and the updates from Microsoft. I thought that AVG was doing a good job; how wrong was I.

Thanks again, you have saved a lot of frustration and/or a trip to the computer doctor (he costs a lot more than a people doctor).

Next time you're in Australia I'll buy you dinner and a few beers. :beerchug:

JrzyCrim (Mastermind, Posts: 2062) - Post 3+ Months Ago

You're so very welcome. I've been learning a lot about spyware and other malicious entities lately. We've really just started diagnosing HijackThis logs here at Ozzu. As far as remembering things, I have a lot of the speeches and methods saved in text files. I just copy and paste a lot of it and edit it to suit individual needs. I use Google quite a bit to sort the good from the bad.

If you have any more troubles or questions about anything, please come back anytime.

You're the second person from down under who has offered me beer/drinks. I would love to visit Australia.

Cheers :)

LAbrego "brego from LA" (Web Master, Posts: 2854) - Post 3+ Months Ago

Wendy wrote:
Next time your in australia I'll buy you dinner and a few beers

Hey! What about me! I don't drink coffee all the time :wink: j/k

It is great to see you solved your problems Wendy, and as Jim said, welcome to Ozzu!

JrzyCrim (Mastermind, Posts: 2062) - Post 3+ Months Ago

I had to change the link for Windows Update in the prevention speech. I had the page for ME in there by mistake. Sorry about that.

JrzyCrim (Mastermind, Posts: 2062) - Post 3+ Months Ago

WoRd Of WiSdOm wrote:
I know it's off the subject of the HijackThis log, but Wendy, you really should install SP1 or SP2, as it contains security updates that keep Windows XP running virus-free (i.e. Blaster, Sasser) and also patches up other holes that Windows XP has.


Actually, that was right on. Good catch. I already had that in notepad ready to post. :)

WoRd Of WiSdOm (Proficient, Posts: 284, Loc: Riverside, California) - Post 3+ Months Ago

Now that we are on the subject of Windows Update: did you all know there is a new Windows Update? I like this because it puts a stop to piracy. It looks at your product key, and if it's not valid you can't update. Finally, lol, I can say this: score one for Microsoft... 'bout time Microsoft did something right.
Here is the new Windows Update:
http://v5.windowsupdate.microsoft.com/v ... aspx?ln=en
