Good work so far. Have you noticed any difference so far? ... Are you still having problems?
There are a few items in your log that I'm not familiar with, so at this point I'm gonna try to ask someone else to step in to continue the analysis of additional problems (if any) that you might have. Please be advised that we're very "understaffed" at the moment, so I can't make any guarantee as to when the next helper will arrive.
If I go to Run and type in c:\program files\hjt, it will come up, but if I put in C:\program files\hjt\hijackthis.exe it says Windows cannot find it. Did I do something wrong again?
If I'm reading you correctly, you've created a new folder
C:\Program Files\HJT
Did you then move the HJT program (.exe file) from your TEMP directory into this new folder? ... so that it will then appear under running processes as
www.fastwincasino.com is also popping up. When we are checking stuff off to be deleted, can we also get rid of the partypoker.com? I do believe this is how all this was started.
ky331
February 14th, 2006 13:00
Message Edited by ky331 on 02-14-2006 12:35 PM
Chik
February 14th, 2006 13:00
Message Edited by Chik on 02-14-2006 09:27 AM
ky331
February 14th, 2006 13:00
First: You're running HJT from a TEMP directory:
C:\DOCUME~1\Owner\LOCALS~1\Temp\~~PDTEMP\HijackThis.exe
When you do so, either HJT will not create its log files and backup files; or if it does, you risk losing them when the TEMP's cache is cleared. It's important that you save these backup files, in case you have to "undo" [restore] some of the things you "FIX" incorrectly.
So you need to move HJT into a separate, non-temporary, non-Desktop directory of its own. We recommend using the directory C:\HJT, so that it will then appear in your log, under running processes, as C:\HJT\HiJackThis.exe
*******************
Close your internet browser.
Run HJT. Click on DO A SYSTEM SCAN ONLY.
Place a check-mark in the box in front of each of the lines:
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: bitlocker - {01EB5130-FC0C-4d75-B9CE-4801B1B854F5} - C:\WINDOWS\system32\nsf2F.dll
O3 - Toolbar: (no name) - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - (no file)
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
Click on FIX CHECKED. Close HJT. Reboot. Then generate a brand-new, up-to-date HJT log, REPLY to this thread, and PASTE it here.
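As an added illustration of the checks the helper applies above (not code from this thread or from HijackThis itself), here is a small Python reviewer that parses HJT log lines and flags the same classes of entries: HJT running from a Temp path, entries whose target is "(no file)", O15 Trusted Zone grants, and O16 ActiveX downloads served from a host that an O15 entry has trusted. The sample log is constructed from entries quoted in this thread; the "(no file)" and Trusted-Zone-host rules generalize what the helper did by hand.

```python
from urllib.parse import urlsplit

# Constructed sample in HijackThis v1.99.1 log format, built from entries quoted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\DOCUME~1\Owner\LOCALS~1\Temp\~~PDTEMP\HijackThis.exe
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
"""

def parse_hjt_log(text):
    processes, entries, in_procs = [], [], False
    for line in (l.strip() for l in text.splitlines()):
        code, sep, body = line.partition(" - ")  # coded entries look like "O16 - DPF: ..."
        if line == "Running processes:":
            in_procs = True
        elif sep and code[:1] in "RFO" and code[1:].isdigit():
            in_procs = False
            entries.append((code, body))
        elif in_procs and line:  # bare paths under "Running processes:"
            processes.append(line)
    return processes, entries

def trusted_zone_hosts(entries):
    hosts = set()  # hosts granted Trusted Zone status by O15 entries, wildcard stripped
    for code, body in entries:
        if code == "O15":
            target = body.split(":", 1)[1].split()[0]
            host = urlsplit(target).hostname if "://" in target else target
            hosts.add(host.lstrip("*.").lower())
    return hosts

def review(text):
    processes, entries = parse_hjt_log(text)
    trusted = trusted_zone_hosts(entries)
    findings = ["HJT running from TEMP: " + p for p in processes  # backups would be lost
                if p.lower().endswith("hijackthis.exe") and "\\temp\\" in p.lower()]
    for code, body in entries:
        if body.endswith("(no file)"):  # orphaned hook/toolbar registration
            findings.append(f"{code} points at a missing file: {body}")
        elif code == "O15":  # every Trusted Zone grant deserves a look
            findings.append(f"{code} Trusted Zone grant to review: {body}")
        elif code == "O16":  # ActiveX download served from a host the zone trusts
            host = (urlsplit(body.rsplit(" - ", 1)[1]).hostname or "").lower()
            if any(host == h or host.endswith("." + h) for h in trusted):
                findings.append(f"{code} DPF from Trusted Zone host: {body}")
    return findings
```

Run `review(SAMPLE_LOG)` to see the five findings; the Microsoft-hosted O16 entry is left alone because no O15 entry trusts its host.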
ky331
February 14th, 2006 17:00
Good luck.
rinad
February 14th, 2006 17:00
I'm sorry, I thought I had made the correct file. I went back and changed it. I went into the C drive in Explorer, went to Program Files, selected it, then created a new folder and named it HJT. Is that what I was supposed to have done?
ky331
February 14th, 2006 17:00
Message Edited by ky331 on 02-14-2006 02:33 PM
rinad
February 14th, 2006 17:00
I figured it out. I had to unzip the file before I could find it using c:\program files\hjt\hijackthis.exe
So this is the new HJT log.
Logfile of HijackThis v1.99.1
Scan saved at 2:34:19 PM, on 2/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\dcfssvc.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\trpd\btoe.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\Program Files\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
R3 - URLSearchHook: (no name) - {AE5F1D65-87DD-D923-809C-AC0FD09549C7} - C:\WINDOWS\system32\oonda.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AE5F1D65-87DD-D923-809C-AC0FD09549C7} - C:\WINDOWS\system32\oonda.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKCU\..\Run: [Erac] "C:\Program Files\trpd\btoe.exe" -vt tzt
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?64ca19f23e29425fbe107557d2b7710
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?64ca19f23e29425fbe107557d2b7710
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livenj01.rightnowtech.com/7514-b230h/rnl/java/RntX.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINDOWS\System32\DRIVERS\dcfssvc.exe
O23 - Service: Fix-It Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: ptssvc - Unknown owner - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
rinad
February 14th, 2006 17:00
ky331
February 14th, 2006 17:00
Message Edited by ky331 on 02-14-2006 02:11 PM
ky331
February 14th, 2006 17:00
rinad
February 14th, 2006 17:00
rinad
February 14th, 2006 18:00
rinad
February 14th, 2006 18:00
rinad
February 14th, 2006 18:00
Right now they are coming from advertisements by outer info.
I'm going to stay on the net to see if any more start popping up.
ky331
February 14th, 2006 18:00
Then let's dump these PartyPoker references right away:
Close your internet browser.
Run HJT. Click on DO A SYSTEM SCAN ONLY.
Place a check-mark in the box in front of each of the lines:
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
Click on FIX CHECKED. Close HJT. Reboot. Then generate a brand-new, up-to-date HJT log, REPLY to this thread, and PASTE it here.