Logfile of HijackThis v1.99.1
Scan saved at 7:41:35 PM, on 11/17/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Here is the latest one I've just done.
And I have some question, why is IE being worse? Like, can't get into Yahoo.com When I push the back arrow button to fill in words in middle, it doesn't work. For example, I type "Geograqphy world", and I want to correct it, I use back arrow button, "Geography of the world". I mean I can't use the back/forward arrow button. Also, when I click on link, it does nothing instead of opening a new link/window. I hope you understand what I'm trying to say.
i'm just gonna start things off (kinda "prep" your log a bit), and then arrange for someone else to analyze it, and answer all your questions (like what's going on with IE)...
When you do so, either HJT will not create its log files and backup files; or if it does, you risk losing them when the TEMP's cache is cleared. It's important that you save these backup files, in case you have to "undo" [restore] some of the things you "FIX" incorrectly.
So you need to move HJT into a separate, non-temporary, non-Desktop, directory of its own. We recommend using the directory C:\HJT , so that it will then appear in your log, under running processes, as C:\HJT\HiJackThis.exe
****************************
Next, some minor touch-ups:
Run HiJackThis. Place a check-mark in the box in front of each of the lines:
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - (no file)
Click on FIX CHECKED. Close HiJackThis. Reboot. And then generate/post another log.
At that point, I'm gonna try to ask someone else to step-in, to determine additional problems (if any) that you might have. Please be advised that we're very "understaffed" at the moment, so I can't make any guarantee as to when (or even if) the next helper will arrive.
just wondering if you're still following this thread... it's been about 2 days since your last posting.... unless you
REPLY here
with your updated/revised HJT log, showing the "prep" work I've already suggested to you, it's likely that the other helpers will assume you've "dropped-out"....
Uh oh... first of all, I don't get your first step. That's the point. Because I never use HJT before. I just heard someone in this forum show me how to post by HJT, so I tried. And I am not sure what you mean use it in separate. For real, I downloaded it, and it's already in Zip. When I opened it, it just automatically open. I don't even need to install it into C:\ drive. By the way, what is it TEMP directory? I know I am stupid about this. And I admit it. Please explain clearer. I appreciate it.
always wise to ask questions when you're not sure about something.
TEMP is an abbreviation for TEMPORARY. TEMP locations are often automatically "cleaned out" by Windows, and if so, you'll lose the information there. we don't want to happen. the backups made by HJT are important, in case you accidentally make a mistake when you try FIXing things [or if someone here inadvertently gives you some bad "help"].
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - (no file)
Click on FIX CHECKED. Close HiJackThis. Reboot.
then we're gonna run HiJackThis again. only this time, you should click on
DO A SYSTEM SCAN AND SAVE A LOGFILE
this will automatically open up NotePad, with a copy of your log. (Hopefully, this is the way you originally generated your log file. but just to be complete: EDIT/Select ALL, EDIT/COPY, REPLY to this thread, PASTE the log here)
Yes, it is really much clearer right now. Keeping on this way. I just did what you recommended. Now is the latest HJT (below). By the way, yesterday I was surfing web using by Netscape 7.2, and I didn't know what I did, it would not open Google, and Netscape.com anymore (even open them in other browsers, it wouldn't work with those two links). Everything else except those two can be running fine. What is wrong with it?
Logfile of HijackThis v1.99.1 Scan saved at 11:05:57 AM, on 11/20/2005 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
um... does it change if I use another account to HJT. The one with Trojans is my bro's account. And what I just scan above is my account. Are they changing anything? if it is. I will do the same thing with my bro's account so you can see. I think this virus infected every account of this comp, so...
Logfile of HijackThis v1.99.1
Scan saved at 11:27:02 AM, on 11/20/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Well, I think it's the same. Anyway, just to be sure. This is my bro's account, the main account that infected by virus first. Don't worry, the previous HJT posts were from my bro's account. The only mine is just the first one on 2nd page.
R3 - Default URLSearchHook is missing <==== removed from first log on this page, but still appears in the 2nd log
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - (no file)
***************
however, the half-dozen R0/R1- lines each ending in " = about:blank " are still there... did you check the box in front of these, and FIX CHECKED ?
if you did "remove" them, something else may have brought them back;
if you didn't "remove" them the first time, please try again now --- and post another, UPDATED log.
****************************
At this point, I have done all the "preparation" work on your log that i can. I have sent out a request for someone else to continue the "main" part of your technical analysis.
well, if you ask me about the "about blank" things. I am sure that I removed them as you told me. I don't know what brings it back, but it annoys me too. I think the Trojans did that because that is my unwanted recent homepage in IE. I couldn't change it. It stubbornately stick there and nothing could change it. I know, you try your best. I am at school, so I will try to re-do it again and post you an udated logs, ok?
as long as you say you tried to remove them... i do believe they're being brought back by some spyware. so there's no need for you to generate another log (yet).
just to clarify something: at present, i'm "specializing" only in certain types of infections, such as WinFixer and NAIL [which are NOT showing up in your log]. as such, having gotten you to the point of having posted your log, i've sent out requests for the experts to come here [as soon as they possibly can] to help you fully solve your problems.
be advised that all of the people here [with the possible exception of the forum moderator] are volunteers, with absolutely no affiliation to DELL. and we're overwhelmed by the number of logs/request we're asked to analyze. I realize it's frustrating for you, but we're doing the best we can. please try to be patient.
So, you mean right now I don't have to do anything right? We just sit and wait huh? Oh, about the Winfixer and NAIL, I don't even know or use it before. So... I understand, and no need to hurry for me about this. I'm grateful that you are helping me with your best. Oh... can I ask you something? Do you know how to format/reboot the computer? I think it's the best way. If you can, just show me how. And I will see if I decide to do it or wait for someone's help. And if I format the comp, will there any effect to the comp lately?
ky331
3 Apprentice
•
15.6K Posts
0
November 13th, 2005 12:00
unless the forum moderator moves this over for you [in which case
i am *NOT* taking ownership of this log ]
you need to [re-post] it in the HiJackThis forum:
http://forums.us.dell.com/supportforums/board?board.id=si_hijack
ky331
3 Apprentice
•
15.6K Posts
0
November 16th, 2005 15:00
ntdvo
32 Posts
0
November 17th, 2005 12:00
ntdvo
32 Posts
0
November 17th, 2005 12:00
ntdvo
32 Posts
0
November 17th, 2005 22:00
Scan saved at 7:41:35 PM, on 11/17/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
c:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\sysvcs.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\DAT\LOCALS~1\Temp\Rar$EX00.883\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\DAT\LOCALS~1\Temp\se.dll/space.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\DAT\LOCALS~1\Temp\se.dll/space.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.accoona.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
R3 - Default URLSearchHook is missing
N4 - Mozilla: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\DAT\Application Data\Mozilla\Profiles\default\ctjg7fta.slt\prefs.js)
N4 - Mozilla: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\DAT\Application Data\Mozilla\Profiles\default\ctjg7fta.slt\prefs.js)
O2 - BHO: (no name) - {30B9F3DC-2808-4236-BF62-46DB59F48E65} - C:\WINDOWS\System32\clnb.dll
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL
O2 - BHO: Netscape - {4E7BD74F-2B8D-469E-D7EE-FE6FA781BF33} - C:\WINDOWS\DOWNLO~1\netscape.dll
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - (no file)
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Security Toolbar - {68FF9E0F-2E96-4467-87FA-1A8B9734C7E7} - C:\Documents and Settings\DAT\Local Settings\Application Data\ssstbar\sssTbar.dll
O2 - BHO: AKHelper.HelperBHO - {911C4A8E-0F75-4B83-BEB9-02BDDF29D11E} - C:\Program Files\3B Software\3B Ad Blocker Pro\AKHelper.dll
O2 - BHO: Accoona Search Assistant - {944864A5-3916-46E2-96A9-A2E84F3F1208} - C:\Documents and Settings\DAT\Local Settings\Temp\ASearchAssist.dll
O3 - Toolbar: Security Toolbar - {68FF9E0F-2E96-4467-87FA-1A8B9734C7E7} - C:\Documents and Settings\DAT\Local Settings\Application Data\ssstbar\sssTbar.dll
O3 - Toolbar: Ad Blocker Pro Toolbar - {28BC2EC4-5EAD-45E1-9F9F-82CD5E293601} - C:\Program Files\3B Software\3B Ad Blocker Pro\AKToolbar.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdBlocker] C:\Program Files\3B Software\3B Ad Blocker Pro\AdBlocker.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\DON\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\System32\sysvcs.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O15 - Trusted Zone: http://www.trendmicro.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4E7BD74F-2B8D-469E-D7EE-FE6FA781BF33} (Netscape) - http://downloads.netscape.com/search/toolbar/netscape.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O18 - Filter: text/html - {CE417B1F-F201-4EF0-85B9-EFAB061D0EF1} - C:\WINDOWS\System32\clnb.dll
O18 - Filter: text/plain - {CE417B1F-F201-4EF0-85B9-EFAB061D0EF1} - C:\WINDOWS\System32\clnb.dll
O21 - SSODL: tZqalRGwzzyMh - {54BBB928-FE11-1382-DEE0-32D073F3DF66} - C:\WINDOWS\System32\wc.dll
O23 - Service: BullGuard LiveUpdate (BGLiveSvc) - BullGuard, Ltd. - C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
Here is the latest one I've just done.
And I have some question, why is IE being worse? Like, can't get into Yahoo.com When I push the back arrow button to fill in words in middle, it doesn't work. For example, I type "Geograqphy world", and I want to correct it, I use back arrow button, "Geography of the world". I mean I can't use the back/forward arrow button. Also, when I click on link, it does nothing instead of opening a new link/window. I hope you understand what I'm trying to say.
Message Edited by ntdvo on 11-17-2005 07:02 PM
ky331
3 Apprentice
•
15.6K Posts
0
November 18th, 2005 10:00
First: You're running HJT from a TEMP directory:
C:\DOCUME~1\DAT\LOCALS~1\Temp\Rar$EX00.883\HijackThis.exe
When you do so, either HJT will not create its log files and backup files; or if it does, you risk losing them when the TEMP's cache is cleared. It's important that you save these backup files, in case you have to "undo" [restore] some of the things you "FIX" incorrectly.
So you need to move HJT into a separate, non-temporary, non-Desktop, directory of its own. We recommend using the directory C:\HJT , so that it will then appear in your log, under running processes, as C:\HJT\HiJackThis.exe
****************************
Next, some minor touch-ups:
Run HiJackThis. Place a check-mark in the box in front of each of the lines:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - (no file)
Click on FIX CHECKED. Close HiJackThis. Reboot. And then generate/post another log.
At that point, I'm gonna try to ask someone else to step-in, to determine additional problems (if any) that you might have. Please be advised that we're very "understaffed" at the moment, so I can't make any guarantee as to when (or even if) the next helper will arrive.
Good luck.
ky331
3 Apprentice
•
15.6K Posts
0
November 19th, 2005 10:00
ntdvo
32 Posts
0
November 19th, 2005 21:00
ky331
3 Apprentice
•
15.6K Posts
0
November 20th, 2005 01:00
always wise to ask questions when you're not sure about something.
TEMP is an abbreviation for TEMPORARY. TEMP locations are often automatically "cleaned out" by Windows, and if so, you'll lose the information there. we don't want to happen. the backups made by HJT are important, in case you accidentally make a mistake when you try FIXing things [or if someone here inadvertently gives you some bad "help"].
let's do the following to correct things:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - (no file)
Click on FIX CHECKED. Close HiJackThis. Reboot.
then we're gonna run HiJackThis again. only this time, you should click on
DO A SYSTEM SCAN AND SAVE A LOGFILE
this will automatically open up NotePad, with a copy of your log. (Hopefully, this is the way you originally generated your log file. but just to be complete: EDIT/Select ALL, EDIT/COPY, REPLY to this thread, PASTE the log here)
Hope that's clearer now.
Message Edited by ky331 on 11-19-2005 10:40 PM
ntdvo
32 Posts
0
November 20th, 2005 14:00
Yes, it is really much clearer right now. Keeping on this way. I just did what you recommended. Now is the latest HJT (below). By the way, yesterday I was surfing web using by Netscape 7.2, and I didn't know what I did, it would not open Google, and Netscape.com anymore (even open them in other browsers, it wouldn't work with those two links). Everything else except those two can be running fine. What is wrong with it?
Logfile of HijackThis v1.99.1
Scan saved at 11:05:57 AM, on 11/20/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\3B Software\3B Ad Blocker Pro\AdBlocker.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\DON\LOCALS~1\Temp\se.dll/space.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\DON\LOCALS~1\Temp\se.dll/space.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://search.windowsmedia.com/search/mgsearch.aspx?srch=us5%2f+maria&WMPFriendly=true
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\DON\Application Data\Mozilla\Profiles\default\46bu3f53.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\DON\Application Data\Mozilla\Profiles\default\46bu3f53.slt\prefs.js)
O2 - BHO: (no name) - {30B9F3DC-2808-4236-BF62-46DB59F48E65} - C:\WINDOWS\System32\clnb.dll
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Security Toolbar - {68FF9E0F-2E96-4467-87FA-1A8B9734C7E7} - C:\Documents and Settings\DAT\Local Settings\Application Data\ssstbar\sssTbar.dll
O2 - BHO: AKHelper.HelperBHO - {911C4A8E-0F75-4B83-BEB9-02BDDF29D11E} - C:\Program Files\3B Software\3B Ad Blocker Pro\AKHelper.dll
O2 - BHO: Accoona Search Assistant - {944864A5-3916-46E2-96A9-A2E84F3F1208} - C:\Documents and Settings\DAT\Local Settings\Temp\ASearchAssist.dll
O3 - Toolbar: Security Toolbar - {68FF9E0F-2E96-4467-87FA-1A8B9734C7E7} - C:\Documents and Settings\DAT\Local Settings\Application Data\ssstbar\sssTbar.dll
O3 - Toolbar: Ad Blocker Pro Toolbar - {28BC2EC4-5EAD-45E1-9F9F-82CD5E293601} - C:\Program Files\3B Software\3B Ad Blocker Pro\AKToolbar.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdBlocker] C:\Program Files\3B Software\3B Ad Blocker Pro\AdBlocker.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\CAROLYN\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [BullGuard] "C:\Program Files\BullGuard Software\BullGuard\bullguard.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O18 - Filter: text/html - {CE417B1F-F201-4EF0-85B9-EFAB061D0EF1} - C:\WINDOWS\System32\clnb.dll
O18 - Filter: text/plain - {CE417B1F-F201-4EF0-85B9-EFAB061D0EF1} - C:\WINDOWS\System32\clnb.dll
O21 - SSODL: tZqalRGwzzyMh - {54BBB928-FE11-1382-DEE0-32D073F3DF66} - C:\WINDOWS\System32\wc.dll
O23 - Service: BullGuard LiveUpdate (BGLiveSvc) - BullGuard, Ltd. - C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
Message Edited by ntdvo on 11-20-2005 10:16 AM
ntdvo
32 Posts
0
November 20th, 2005 14:00
Scan saved at 11:27:02 AM, on 11/20/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\3B Software\3B Ad Blocker Pro\AdBlocker.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
c:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\sysvcs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\DAT\LOCALS~1\Temp\se.dll/space.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.accoona.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
R3 - Default URLSearchHook is missing
N4 - Mozilla: user_pref("browser.startup.homepage", " http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\DAT\Application Data\Mozilla\Profiles\default\ctjg7fta.slt\prefs.js)
N4 - Mozilla: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\DAT\Application Data\Mozilla\Profiles\default\ctjg7fta.slt\prefs.js)
O2 - BHO: (no name) - {30B9F3DC-2808-4236-BF62-46DB59F48E65} - C:\WINDOWS\System32\clnb.dll
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Security Toolbar - {68FF9E0F-2E96-4467-87FA-1A8B9734C7E7} - C:\Documents and Settings\DAT\Local Settings\Application Data\ssstbar\sssTbar.dll
O2 - BHO: AKHelper.HelperBHO - {911C4A8E-0F75-4B83-BEB9-02BDDF29D11E} - C:\Program Files\3B Software\3B Ad Blocker Pro\AKHelper.dll
O2 - BHO: Accoona Search Assistant - {944864A5-3916-46E2-96A9-A2E84F3F1208} - C:\Documents and Settings\DAT\Local Settings\Temp\ASearchAssist.dll
O3 - Toolbar: Security Toolbar - {68FF9E0F-2E96-4467-87FA-1A8B9734C7E7} - C:\Documents and Settings\DAT\Local Settings\Application Data\ssstbar\sssTbar.dll
O3 - Toolbar: Ad Blocker Pro Toolbar - {28BC2EC4-5EAD-45E1-9F9F-82CD5E293601} - C:\Program Files\3B Software\3B Ad Blocker Pro\AKToolbar.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdBlocker] C:\Program Files\3B Software\3B Ad Blocker Pro\AdBlocker.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\CAROLYN\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\System32\sysvcs.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O15 - Trusted Zone: http://www.trendmicro.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O18 - Filter: text/html - {CE417B1F-F201-4EF0-85B9-EFAB061D0EF1} - C:\WINDOWS\System32\clnb.dll
O18 - Filter: text/plain - {CE417B1F-F201-4EF0-85B9-EFAB061D0EF1} - C:\WINDOWS\System32\clnb.dll
O21 - SSODL: tZqalRGwzzyMh - {54BBB928-FE11-1382-DEE0-32D073F3DF66} - C:\WINDOWS\System32\wc.dll
O23 - Service: BullGuard LiveUpdate (BGLiveSvc) - BullGuard, Ltd. - C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
Message Edited by ntdvo on 11-20-2005 10:36 AM
ky331
3 Apprentice
•
15.6K Posts
0
November 20th, 2005 15:00
there are some differences between the different user logs. as for how significant that is, i will have to leave that verdict for the next helper.
********************
i see that you successfully moved HJT from
C:\DOCUME~1\DAT\LOCALS~1\Temp\Rar$EX00.883\HijackThis.exe
to
C:\Program Files\HijackThis\HijackThis.exe
************
I also see that you successfully removed
R3 - Default URLSearchHook is missing <==== removed from first log on this page, but still appears in the 2nd log
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - (no file)
***************
however, the half-dozen R0/R1- lines each ending in " = about:blank " are still there... did you check the box in front of these, and FIX CHECKED ?
if you did "remove" them, something else may have brought them back;
if you didn't "remove" them the first time, please try again now --- and post another, UPDATED log.
****************************
At this point, I have done all the "preparation" work on your log that i can. I have sent out a request for someone else to continue the "main" part of your technical analysis.
Message Edited by ky331 on 11-20-2005 01:00 PM
Message Edited by ky331 on 11-20-2005 01:01 PM
ntdvo
32 Posts
0
November 21st, 2005 16:00
ky331
3 Apprentice
•
15.6K Posts
0
November 21st, 2005 16:00
ntdvo
32 Posts
0
November 21st, 2005 22:00
Thanks again.