Hijackthis analysis please!

hi

close all windows except hijackthi, tick the boxes next to these lines and click FIX( it's a long list, might help to print it):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchexe.com/searchbar.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchexe.com/searchbar.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchexe.com/searchbar.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchexe.com/searchbar.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchexe.com/searchbar.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekseek.com/quicksearch.asp?session=304CB2EA-A468-49CC-9C91-562DF4B0EB30&version_id=18

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;

R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)

R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)

O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-AB2D-8D32436313D9} - C:\WINDOWS\bsx5.dll (file missing)

O2 - BHO: (no name) - {40E13BDE-361A-436F-86E9-CE10DC4263B9} - C:\WINDOWS\System32\avikcap32.dll (file missing)

O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS\ieasst.dll

O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)

O2 - BHO: (no name) - {69EB272B-AFC1-2FB2-586F-2AE51DAA139B} - C:\PROGRA~1\MULTIC~1\DeadHold.dll

O2 - BHO: (no name) - {8D91ECD1-2A29-41B8-9988-FD892F07F859} - C:\WINDOWS\ip.dll

O2 - BHO: (no name) - {BA25708B-154D-4D40-8607-67AA5190C395} - C:\PROGRA~1\INTELL~1\ISengine.dll (file missing)

O3 - Toolbar: Roamsoftcopy - {CA5D97F0-1C73-3AE3-61D9-562222687792} - C:\PROGRA~1\MULTIC~1\DeadHold.dll

O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB


for the next part you need to download lspfix from http://www.cexx.org/lspfix.htm
direct download http://www.cexx.org/LSPFix.exe

run it, chekmark the box i know... and fix all instances of inetapt.dll

post a fresh hjt log when done

Thanks for your help! This is the latest hijackthis log:

Logfile of HijackThis v1.97.7
Scan saved at 9:08:05 AM, on 6/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Piolet\Piolet.exe
C:\EPOAgent\naimas32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\USBStorage\USBDetector.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MAGSSO~1\KindAudioPop.exe
C:\WINDOWS\wanmpsvc.exe
C:\EPOAgent\naimag32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Documents and Settings\All Users\Documents\AntiSpyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://search200.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://search200.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = search200.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://search200.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program
Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {69EB272B-AFC1-2FB2-586F-2AE51DAA139B} -
C:\PROGRA~1\MULTIC~1\media knob.dll
O2 - BHO: (no name) - {BA25708B-154D-4D40-8607-67AA5190C395} -
C:\PROGRA~1\INTELL~1\ISengine.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [EPSON Stylus C82 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82
Series" /O5 "LPT1:" /M "Stylus C82"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network
Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common
Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [Piolet] C:\Program Files\Piolet\Piolet.exe SILENT
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH
Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [USBDetector] C:\USBStorage\USBDetector.exe
O4 - HKLM\..\Run: [BibRdr] C:\PROGRA~1\MAGSSO~1\KindAudioPop.exe
O4 - HKLM\..\Run: [NaimAgent_UI] C:\EPOAgent\naimag32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"
-atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PopUpStopperFreeEdition]
"C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America
Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL
Companion\companion.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: updater.lnk = C:\Program Files\Common
Files\updater\wupdater.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) -
http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX
Control) - http://auinst.duc.auburn.edu/auinst/cabfiles/iftwv2.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) -
file://D:\Content\include\msSecUcd.cab
O16 - DPF: {9656B666-992F-4D74-8588-8CA69E97D90C} -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37875.5570601852
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) -
https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

 
 

 

While the previous poster had you remove entries and correct the Winsock hijacking there were a few things left undone.  Well-done illukka for a first effort (would you be interested in joining our Classroom to become an expert responder?) .

Fixing things in Hijackthis fixes registry entries and cuts the head off the snake...to fully clean we need to delete the bad files also in Windows Explorer or they may mutate and return. After looking at the latest log and the previous one I see this one did: C:\Program Files\MULTIC~1  

Run Hijackthis, scan and check the box left of these numbered line items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://search200.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://search200.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = search200.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://search200.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {69EB272B-AFC1-2FB2-586F-2AE51DAA139B} -
C:\PROGRA~1\MULTIC~1\media knob.dll
O2 - BHO: (no name) - {BA25708B-154D-4D40-8607-67AA5190C395} -
C:\PROGRA~1\INTELL~1\ISengine.dll (file missing)
Comments: looks like your Intellistopper program is whacked...uninstall in Control Panel/ Add/Remove Programs
O4 - HKLM\..\Run: [Piolet] C:\Program Files\Piolet\Piolet.exe SILENT
Comments: Don't check, but I would never let a peer-to-peer autoload on any of my machines.
O4 - HKLM\..\Run: [BibRdr] C:\PROGRA~1\MAGSSO~1\KindAudioPop.exe
Comments: Looks like random Trojan to me..if you know it is legit do not check.
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: updater.lnk = C:\Program Files\Common
Files\updater\wupdater.exe
Comments: malware... http://www.winpatrol.com/db/freesample/wupdater.html
O16 - DPF: {9656B666-992F-4D74-8588-8CA69E97D90C} -

With no other windows open click on fix checked button in Hijackthis.

Exit Hijackthis.

Reboot to SAFE MODE and Show HIDDEN FILES and folders  (VERY IMPORTANT!)

FAQ 8 and 9 on this page: http://www.russelltexas.com/malware/faqhijackthis.htm

Open Windows Explorer: type the word explorer at Start/Run box and click OK:

Drill on down and delete the following files and/or folders: if you checked yes above (some may not be present)

Folders and folder contents:

C:\Program Files\MULTIC~1                            will be longer foldername
C:\Program Files\MAGSSO~1                          will be longer foldername
C:\Program Files\Common Files\updater

From previous log:
C:\Program Files\Incredifind

Files:  (From previous log)

C:\WINDOWS\ieasst.dll
C:\WINDOWS\ip.dll    
Comments: http://sarc.com/avcenter/venc/data/pf/adware.ipend.html


Reboot and run Disk Cleaner. Type cleanmgr at Start/Run and check all category boxes at end of scan and click OK.

If you have any problems with Disk Cleaner completing...XP users can fix it here:

http://support.microsoft.com/default.aspx?scid=kb;en-us;812248

Or try this fix: http://www2.whidbey.net/djdenham/DeleteOldFiles.htm

Next...Download and run these two programs (Spybot S&D and Adaware) at the link below. Use Spybot first.

Chris has posted an excellent tutorial by dgosling on how to run Spybot S&D and also how to enable customized deep scanning functions for Adaware. Once you set these options they will be retained for future scans by Adaware.

Follow the directions in this detailed guide for Spybot and Adaware...print out the directions in the custom scan tutorial as a reference while you set these options for the custom setup of Adaware. These custom settings will be retained for future custom scans so don't go nuts thinking you have to do this every time you run it! It may take you five minutes to set them up, but it's worth it.

http://www.cjwd.demon.co.uk/spybot-adaware.html

One note about the new Spybot 1.3...it has a slight flaw where it detects DSO exploits again and again...these are false alerts...ignore.

When you finish cleaning with Spybot and Adaware...Browse a bit and post a new Hijackthis log.

All the best,

Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Slyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum

Thanks Texruss! Is it safe to assume that if BHO has "(no name)" then it can be deleted? I could not find up-to-date BHO list. Also illukka had me to delete the XXPatchInstaller.CAB-- some logs I saw had this and were considered clean. What was the key to knowing this was bad? Was it the CLSID? I would love to join your classroom!  

This is the latest hijack log. Hope this one is clean. Thanks for your help.

Susan

*****************************************************************************

Logfile of HijackThis v1.97.7
Scan saved at 7:27:05 AM, on 6/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Piolet\Piolet.exe
C:\EPOAgent\naimas32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\USBStorage\USBDetector.exe
C:\EPOAgent\naimag32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Documents and Settings\All Users\Documents\AntiSpyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com/passthrough/index.html?http://about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O5 "LPT1:" /M "Stylus C82"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [Piolet] C:\Program Files\Piolet\Piolet.exe SILENT
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [USBDetector] C:\USBStorage\USBDetector.exe
O4 - HKLM\..\Run: [NaimAgent_UI] C:\EPOAgent\naimag32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://auinst.duc.auburn.edu/auinst/cabfiles/iftwv2.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://D:\Content\include\msSecUcd.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37875.5570601852
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

 

>Is it safe to assume that if BHO has "(no name)" then it can be deleted?

If it says No name and no file then it can go. Also if the CLSID is hostile from checking databases.

> I could not find up-to-date BHO list.

http://www.spywareinfo.com/~merijn/files/bholist.zip

>Also illukka had me to delete the XXPatchInstaller.CAB-- some logs I saw had this and were considered clean. What was the key to knowing this was bad? Was it the CLSID? 

   As far as I know the CLSID is clean and that is an entry for the XP SP1 patch upgrade from the MS Security CD (I see another entry in your 016's below). It does look evil though and I see a lot of people fix it, but probably for non-hostile reasons. Probably it's good to remove it to slim down the non-essential ActiveX scripts loading. 

>I would love to join your classroom!  

I appreciate the interest, but you misread my original quote: "Well-done illukka for a first effort (would you be interested in joining our Classroom to become an expert responder?). However, there is always time to advance your skills and attract my interest in the future.  

Still a little to do on your log:

Fix check this:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com/passthrough/index.html?http://about:blank

O4 - Global Startup: Digital Line Detect.lnk = ?

Reboot and post a fresh log.

I'm also not even a tiny fan of Stopzilla, despite all the gleaming reviews it gets from CNET. If you want to remove it, kill the 016 line and uninstall it in Control Panel/Add Remove Programs.

All the best,

Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Slyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum

Please be aware only the following DellForum members were trained at
TomCoyote.com and SpywareInfo.com to help with Hijackthis logs: Texruss,
Baskar1234, Grinler, ChrisRLG, SpotCheckBilly, and pskelley.

Thank you Texruss! This is the latest hijackthis log.

Logfile of HijackThis v1.97.7
Scan saved at 10:47:33 PM, on 6/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\EPOAgent\naimas32.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Piolet\Piolet.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\USBStorage\USBDetector.exe
C:\EPOAgent\naimag32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Documents and Settings\All Users\Documents\AntiSpyware\HijackThis.exe
C:\Program Files\Network Associates\VirusScan\SCAN32.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = iexplore
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O5 "LPT1:" /M "Stylus C82"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [Piolet] C:\Program Files\Piolet\Piolet.exe SILENT
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [USBDetector] C:\USBStorage\USBDetector.exe
O4 - HKLM\..\Run: [NaimAgent_UI] C:\EPOAgent\naimag32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://auinst.duc.auburn.edu/auinst/cabfiles/iftwv2.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://D:\Content\include\msSecUcd.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37875.5570601852
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A4FC66B-1D04-486E-982C-2D5703A14047}: NameServer = 205.188.146.146
O17 - HKLM\System\CS1\Services\Tcpip\..\{1A4FC66B-1D04-486E-982C-2D5703A14047}: NameServer = 205.188.146.146

I appreciate your time.

Susan

pastel artist 

volunteer webmaster www.easternshoreartcenter.com,  www.bragart.org

                                                                                                                  

 

I'll buy that! Good job!

You look clean and hearty congratulations! Now to stay that way:

Cleanup Programs and Procedures

(the four free programs in Items 2, 3, and 4 bolded below are a MUST in my opinion)

1. Spybot Search&Destroy, Ad-aware Run weekly - or after a heavy internet session. Download at the following link.

Chris has posted an excellent tutorial by dgosling on how to run Spybot S&D and also how to enable customized deep scanning functions for Adaware. Once you set these options they will be retained for future scans by Adaware.

Follow the directions in this detailed guide for Spybot and Adaware...g o slow on the directions for the custom setup of Adaware and print it out as a hard copy. It will take five minutes to set up the custom scanning options for Adaware, but it's worth it as these settings will be retained and you won't have to re-enter them again.

http://www.cjwd.demon.co.uk/spybot-adaware.html

Please note the free Spybot 1.3 does have a slight bug...it detects some DSO exploits falsely. Hopefully an upgrade will fix this.The problem is not serious and should not deter people from using Spybot.

I also like to run Windows Disk Cleanup after cleaning with those two tools. Make sure you reboot if any reboot cleanup functions of Spybot and Adaware are advised by these tools (this may happen at the end of their cleanup).

Reboot and click on Start/Run/ type: cleanmgr

If you have problems with Disk Cleanup hanging and not completing see this page for XP users:

http://support.microsoft.com/default.aspx?scid=kb;en-us;812248

Or try this fix: http://www2.whidbey.net/djdenham/DeleteOldFiles.htm

From MS Help: " Disk Cleanup helps free up space on your hard drive. Disk Cleanup searches your drive, and then shows you temporary files, Internet cache files, and unnecessary program files that you can safely delete. You can direct Disk Cleanup to delete some or all of those files."

I check all the selected categories and click OK at the end of Disk Cleanup.

If you have any problems with Disk Cleaner completing...XP users can fix it here:

http://support.microsoft.com/default.aspx?scid=kb;en-us;812248

Or try this fix: http://www2.whidbey.net/djdenham/DeleteOldFiles.htm

2. Proactive programs: Spywareblaster & Spywareguard, first sets kill bits to stop known bad MSIE ActiveX scripts from installing, second acts like your AV to stop browser hijacks and installing of known baddies.

3. IE-Spyad, puts 4000 bad sites in your restricted (banned) sites list, to stop you accidentally getting sent to a bad site, it has optional list of "bad" adult sites to install as well.

Links for these at: http://www.cjwd.demon.co.uk/compsafetyonline.html

4. MVPS Hosts file at: http://mvps.org/winhelp2002/hosts.htm

The MVPS Hosts file replaces your current HOSTS file with one that prevents your computer from connecting to hostile sites by redirecting them to 127.0.0.1 which is your local computer. This is an easy way to prevent one of the most common hijackings computer users will face on the Internet! Do it now.

5. Don't forget keeping Windows updated. The automatic updates frequently fail so run it manually once a week or when new updates are publicized.

Windows Live Update Page
http://v4.windowsupdate.microsoft.com/en/default.asp
Free Windows Security CD (for those who qualify):
www.microsoft.com/security/protect/cd/order.asp

You can also start Windows Update by running Internet Explorer, pulling down Tools on top Menu bar and selecting Windows Update. Install ALL critical updates! Always!

If LiveUpdate fails (and it is prone to on MANY machines) download each patch manually from the MS advisory pages and install manually. Works for me!

6. Keep your antivirus updated.
Free AVG Antivirus for home users: http://www.grisoft.com

7. Beg, borrow, or buy a Software Firewall if at all possible. I use Norton Internet Security 2004 and it has saved my bacon more times than I can count. For a free software firewall turn on the fairly lame firewall in Windows XP (I say it is lame because it does not monitor or block outgoing traffic...only incoming...a serious omission if the threat occurs inside your network). Hopefully with the upcoming Service Pack 2 this flaw will be addressed.

http://www.microsoft.com/technet/community/columns/5min/5min-101.mspx#XSLTsection125121120120

A better choice for now for a free software firewall is Zone Alarm.
http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp

8. Practice safe computer habits. Don't click on strange email attachments thinking your AV will defend you. Usually it will. Sometimes it won't when a new virus hits the Net and definitions take hours to create by the AV vendors. There is only one defense that works 100% for the safe protection of your machine's personal data and that is timely and accurate backups of your files. Hard drives die, viruses ruin your files, and other bad things can happen (fire, theft, etc..). Offsite backups are the best.

9. Don't forget our great analysis tool Hijackthis. We have a lot of gratitude we need to show towards the author Merijn. I hope he does great things in his future endeavors and is richly rewarded for his time and expertise in providing this super program.

Hijackthis (to analyse your system and submit a log file to expert forums):
http://tomcoyote.com/hjt

(for Hijackthis logs...please copy to and run Hijackthis.exe into a new folder you create in the root level of the C: drive. Name this folder HJT for best and safest results). (don't put in a Local Settings Temp folder, or the Windows desktop, etc...as it needs a safe folder to keep backup logs). Also when XP and W2K users post here and place it in the Local Settings, the log usually shows their full name since their Windows user profile is commonly named with their full name. We try not to disturb your privacy. *;-)

See this link for graphical instruction: http://russelltexas.com/malware/faqhijackthis.htm

Forums for help and analysis of your Hijackthis logfile:

http://forums.us.dell.com/supportforums
http://forums.tomcoyote.com
http://www.spywareinfo.com/forums
http://www.wilderssecurity.com
http://www.computercops.us/forums.html
http://forums.net-integration.net
http://boards.cexx.org
http://www.bleepingcomputer.com

Good luck and safe computing!

Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Slyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum

Please be aware only the following DellForum members were trained at
TomCoyote.com and SpywareInfo.com to help with Hijackthis logs: Texruss, Baskar1234, Grinler, ChrisRLG, SpotCheckBilly, and pskelley.