26 Posts

August 17th, 2005 03:00

New log file, Please Check

Logfile of HijackThis v1.99.1
Scan saved at 9:02:05 PM, on 8/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Protector Plus\PPAVMon.exe
C:\Program Files\Protector Plus\PPServ.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\PROTEC~1\PPTbc.EXE
C:\PROGRA~1\PROTEC~1\PPInupdt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Documents and Settings\Bungard\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PP2000 Taskbar Control] C:\PROGRA~1\PROTEC~1\PPTbc.EXE
O4 - HKLM\..\Run: [PP2000 InstaUpdate] C:\PROGRA~1\PROTEC~1\PPInupdt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZTxdm006YYUS
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120428870515
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_6us.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FF80915D-058E-48E4-84E9-B0BDED8F598D}: NameServer = 69.41.131.3,69.41.131.4
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Protector Plus Anti-virus Monitor Service (ProtectorPlusAVMonitor) - Unknown owner - C:\Program Files\Protector Plus\PPAVMon.exe
O23 - Service: Protector Plus Service (ProtectorPlusService) - Unknown

2 Intern

 • 

5.9K Posts

August 17th, 2005 14:00

Log looks clean.  Are you having a problem?
 
Ron

26 Posts

August 17th, 2005 17:00

Thank you, yes, I'm experiencing two problems, one is that intermittently (couple times a week) the computer won't shut down except manually.  The other is that I can't change my homepage. 

I go to a site I want to change to, go to Tools, Internet Options, and hit current site for homepage and then apply and it looks like it has indeed changed the page, but when I reboot or hit homepage the old one is still there. 

I run Adaware, SpyBot and Protector Plus virus protection and in going through the checks of the guidelines for posting here, all came up clean.  Would the problems I'm experiencing be due to malware or some type of hijacking? 

2 Intern

 • 

5.9K Posts

August 17th, 2005 18:00

Ad-Watch keeps malware from making changes to your registry so it might also be keeping you from changing your home page.  I believe it keeps a log of its actions so you can try to change the home page then check the log and see if you see a response in the log or just turn it off for a while and make your change.
 
The antivirus you use is not one I'm familiar with.  I have seen Norton keep you from shutting down a laptop when it tried to check the a:\ drive on shutdown when the floppy drive had been disconnected.  There was an option in the config to not check the floppy.
 
It's also possible that you have something in C:\windows\tasks that is running at shutdown.
 
Start, Run, cmd, OK to bring up a black cmd screen.  Type
 
cd \
dir /a \windows\tasks
 
to see what is hiding in your tasks folder.
 
Ron

26 Posts

August 17th, 2005 20:00

Thanks very much!

26 Posts

August 17th, 2005 20:00

It was indeed the Ad-Watch keeping me from changing homepage, if the shutdown problem recurs I'll try your other suggestion.  Thanks! :smileyhappy:

26 Posts

August 20th, 2005 22:00

RKinner, I did have the shutdown problem again and followed your excellent directions and look what I found in the log "304 XoftSpy.Job", now my SpyBot and AdAware aren't cleaning this out, how do I get rid of it?

Thanks very much!

26 Posts

August 21st, 2005 00:00

One more question, on closer reading I found this entry above on my hijack log

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZTxdm006YYUS

Isn't mywebsearch a malware?

2 Intern

 • 

5.9K Posts

August 21st, 2005 03:00

Start, Run, cmd, OK to bring up a black DOS-like cmd screen.
 
Type:
 
cd \Windows\tasks
dir /a
 
(you should see your .job files.)
 
attrib -r -h -s *.*
 
(make all files in this folder easy to see and to remove)
 
del XoftSpy.Job
 
(or)
 
del "304 XoftSpy.job"
 
XoftSpy is, I think, a not very highly rated antispy product. 
 
Found this quote:
 
" ParetoLogic’s spyware removal product, XoftSpy, provides moderate coverage at a higher price."
 
As far as MyWay is concerned, I don't like it but it comes with your Dell.  Feel free to check it and Fix Checked it.
 
Ron

26 Posts

August 22nd, 2005 14:00

Thanks Ron, I followed your very clear instructions and XoftSpy.job is gone.  I'm thinking since mywebsearch came with the Dell it may be a good idea to leave it in.

 

 

2 Intern

 • 

5.9K Posts

August 22nd, 2005 16:00

Make sure you have System Restore running (toggle it off and on today to get rid of any bad stuff it may have retained) and then you can just go back to an earlier time if you hit a bad site.  One way to make this more obvious is to check everything in your current HijackThis and Add to Ignore List then set up HijackThis to run at boot and to show you if it finds anything new.
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/systemrestore.mspx
 
To avoid going to a bad site you might want to install IE-SpyAd and SpywareBlaster and make the other changes recommended at:
http://www.mvps.org/winhelp2002/restricted.htm
I used to recommend Spybot's Immunize system but have recently learned it is not as good as the one at:
http://www.mvps.org/winhelp2002/hosts.htm
Never hurts to do one of the free online scans from Panda or Trend.  They take a while but are pretty good.
www.pandasoftware.com/activescan/activescan.asp?
http://housecall.trendmicro.com/
In addition to Microsoft AntiSpy
http://www.microsoft.com/athome/security/downloads/default.mspx
I like to run Spybot S&D. 
http://www.safer-networking.org/en/download/index.html
Also like to run AdAware once in a while. 
http://www.lavasoftusa.com/software/adaware/
Ron
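
The baseline idea from the post above (add everything in a known-good HijackThis scan to the ignore list, then look only at what is new) can also be done offline by comparing two saved logs. This is an added example, not part of the original thread and not HijackThis's own code; the function names, the exact-text matching and the "ExampleUpdater" and "Example Title" values are assumptions made for illustration.

```python
import re

# A HijackThis entry line is "<code> - <detail>", e.g. "O4 - HKLM\..\Run: ...".
# Header lines and the "Running processes" paths do not match this pattern.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")

# Constructed sample: a few lines copied from the log posted in this thread.
BASELINE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZTxdm006YYUS
"""

# Constructed later scan (hypothetical values): one setting changed and one
# made-up autorun entry added.
CURRENT = BASELINE.replace(
    "= Microsoft Internet Explorer", "= Example Title"
) + r"""O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
"""


def parse_entries(log_text):
    """Return the set of (code, detail) entries found in a HijackThis log."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2).strip()))
    return entries


def new_since_baseline(baseline_log, current_log):
    """Entries in the current scan that are absent from the baseline.

    Matching is on exact text (an assumption), so a changed value shows up
    as a new entry even though the registry location is the same.
    """
    added = parse_entries(current_log) - parse_entries(baseline_log)
    # Sort by section letter, then numeric code, so O4 lists before O16.
    return sorted(added, key=lambda e: (e[0][0], int(e[0][1:]), e[1]))


if __name__ == "__main__":
    for code, detail in new_since_baseline(BASELINE, CURRENT):
        print(f"NEW {code}: {detail}")
```
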

26 Posts

August 23rd, 2005 17:00

Ron, after removing the XoftSpy.job I am still having problems with the computer not shutting down, it is becoming more frequent.  Since it seems that spyware/malware is not the problem, could you tell me please where to go next? 

Thanks again.

2 Intern

 • 

5.9K Posts

August 23rd, 2005 19:00

Boot into Safe Mode (F8) and select the Safe Mode with Networking option.   Then shut it down.  Does that work?  If so you can Start, Run, msconfig, OK and try turning off the various programs and services that run at startup and see if one of them is causing your shutdown problem.
 
for detailed instructions.
 
Another possibility is to use (Ctrl + Alt + Del) and select Task Manager then Processes.  Then shut down processes one at a time and see if you can find one that causes the problem.
 
Ron
