HijackThis log--please help!

Question

Hi--I've installed and run the shredder, Spybot, and Ad-Aware and deleted the files that they came up with.  My computer is slow, Internet Explorer constantly encounters problems and shuts down, and I have a ton of popups.  Here is my log.  I would greatly appreciate any help that you can give me. Thanks, Jackie   Logfile of HijackThis v1.97.7Scan saved at 5:48:47 PM, on 5/16/2004Platform: Windows XP SP1 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\System32\atiptaxx.exeC:\Program Files\Synaptics\SynTP\SynTPLpr.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\DELL\AccessDirect\dadapp.exeC:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exeC:\Program Files\Real\RealPlayer\RealPlay.exeC:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exeC:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exeC:\Program Files\DELL\AccessDirect\DadTray.exeC:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exeC:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exeC:\Program Files\Common Files\Symantec Shared\ccApp.exeC:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exeC:\WINDOWS\System32\ctfmon.exeC:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exeC:\Program Files\AIM95\aim.exeC:\Program Files\SpyKiller\spykiller.exeC:\Program Files\Handspring\HOTSYNC.EXEC:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exeC:\WINDOWS\System32\Ati2evxx.exeC:\Program Files\Common Files\Symantec Shared\ccProxy.exeC:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeC:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exeC:\Program Files\Norton SystemWorks\Norton Antivirus
avapsvc.exeC:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXEC:\Program Files\Common Files\Symantec Shared\SNDSrvc.exeC:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXEC:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exeC:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeC:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exeC:\WINDOWS\System32\wuauclt.exeC:\Program Files\Internet Explorer\iexplore.exeC:\HJT\hijackthis\HijackThis.exeC:\Program Files\Messenger\msmsgs.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.verizon.net/vzn.dsl/welcome.htm?ver=9365&R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon OnlineR1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocxO2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dllO2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dllO2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dllO3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocxO3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dllO3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dllO4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exeO4 - HKLM\..\Run: [AtiPTA] atiptaxx.exeO4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exeO4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeO4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exeO4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exeO4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYERO4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exeO4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exeO4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exeO4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exeO4 - HKLM\..\Run: [IPInSightLAN 01] 'C:\Program Files\Verizon Online\VisualIPInsight\IPClient.exe' -lO4 - HKLM\..\Run: [IPInSightMonitor 01] 'C:\Program Files\Verizon Online\VisualIPInsight\IPMon32.exe'O4 - HKLM\..\Run: [ccApp] 'C:\Program Files\Common Files\Symantec Shared\ccApp.exe'O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startupO4 - HKLM\..\Run: [QD FastAndSafe] C:\Program Files\Norton SystemWorks\Norton CleanSweep\QDCSFS.exe /schedulerO4 - HKLM\..\Run: [Q3C] C:\windows	emp\Q3C.exeO4 - HKCU\..\Run: [MSMSGS] 'C:\Program Files\Messenger\msmsgs.exe' /backgroundO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exeO4 - HKCU\..\Run: [PopUpStopperFreeEdition] 'C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe'O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odlO4 - HKCU\..\Run: [DealHelperDown] 'C:\Documents and Settings\Jacqueline\Local Settings\Temp\msF.tmp'O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msgked.exeO4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXEO4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exeO4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXEO4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000O9 - Extra button: Control Pad (HKLM)O9 - Extra button: AIM (HKLM)O9 - Extra button: Real.com (HKLM)O12 - Plugin for .hlq: C:\Program Files\Internet Explorer\PLUGINS\NpHcd32.dllO12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dllO14 - IERESET.INF: START_PAGE_URL=http://start.starpower.net/home/O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cabO16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38115.7273263889O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cabO16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Texruss · Answer

You've got Clientman and others:

Run Hijackthis, scan and check the boxes by these items:

O4 - HKLM\..\Run: [Q3C] C:\windows\temp\Q3C.exe
O4 - HKCU\..\Run: [DealHelperDown] "C:\Documents and Settings\Jacqueline\Local Settings\Temp\msF.tmp"
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msgked.exe

O14 - IERESET.INF: START_PAGE_URL=http://start.starpower.net/home/
Comments: If this is your Internet Service Provider leave it alone...otherwise check it.

With no other windows open except for Hijackthis, click on fix checked button.

Reboot to SAFE MODE and Show HIDDEN FILES and folders

FAQ 8 and 9 on this page: http://www.russelltexas.com/spywareinfo/faqhijackthis.htm

Open Windows Explorer: type the word explorer at Start/Run box and click OK:

Drill on down and delete the following files:

C:\WINDOWS\System32\msgked.exe
C:\windows\temp\Q3C.exe
C:\Documents and Settings\Jacqueline\Local Settings\Temp\msF.tmp

Exit Explorer and run Disk Cleaner: type cleanmgr at Start/Run. Scan all hard drives and check all categories at the end and click OK.

Reboot in normal Windows and browse a bit, then post a fresh Hijackthis log here. Report issues or comments.

Texruss

jackie0405 · Answer

Thanks!  Here is my latest log.  Please let me know if I missed anything.   Jackie   Logfile of HijackThis v1.97.7Scan saved at 10:53:59 PM, on 5/17/2004Platform: Windows XP SP1 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\System32\atiptaxx.exeC:\Program Files\Synaptics\SynTP\SynTPLpr.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\DELL\AccessDirect\dadapp.exeC:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exeC:\Program Files\Real\RealPlayer\RealPlay.exeC:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exeC:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exeC:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exeC:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exeC:\Program Files\DELL\AccessDirect\DadTray.exeC:\Program Files\Common Files\Symantec Shared\ccApp.exeC:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exeC:\WINDOWS\System32\ctfmon.exeC:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exeC:\Program Files\AIM95\aim.exeC:\Program Files\Handspring\HOTSYNC.EXEC:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exeC:\WINDOWS\System32\Ati2evxx.exeC:\Program Files\Common Files\Symantec Shared\ccProxy.exeC:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeC:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exeC:\Program Files\Norton SystemWorks\Norton Antivirus
avapsvc.exeC:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXEC:\Program Files\Common Files\Symantec Shared\SNDSrvc.exeC:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXEC:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exeC:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeC:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exeC:\WINDOWS\System32\wuauclt.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\Internet Explorer\iexplore.exeC:\HJT\hijackthis\HijackThis.exeC:\Program Files\Windows NT\Accessories\WORDPAD.EXEC:\Program Files\Messenger\msmsgs.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.verizon.net/vzn.dsl/welcome.htm?ver=9365&R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon OnlineR1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocxO2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dllO2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dllO2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dllO3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocxO3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dllO3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dllO4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exeO4 - HKLM\..\Run: [AtiPTA] atiptaxx.exeO4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exeO4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeO4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exeO4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exeO4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYERO4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exeO4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exeO4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exeO4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exeO4 - HKLM\..\Run: [IPInSightLAN 01] 'C:\Program Files\Verizon Online\VisualIPInsight\IPClient.exe' -lO4 - HKLM\..\Run: [IPInSightMonitor 01] 'C:\Program Files\Verizon Online\VisualIPInsight\IPMon32.exe'O4 - HKLM\..\Run: [ccApp] 'C:\Program Files\Common Files\Symantec Shared\ccApp.exe'O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startupO4 - HKLM\..\Run: [QD FastAndSafe] C:\Program Files\Norton SystemWorks\Norton CleanSweep\QDCSFS.exe /schedulerO4 - HKCU\..\Run: [MSMSGS] 'C:\Program Files\Messenger\msmsgs.exe' /backgroundO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exeO4 - HKCU\..\Run: [PopUpStopperFreeEdition] 'C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe'O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odlO4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXEO4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exeO4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXEO4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000O9 - Extra button: Control Pad (HKLM)O9 - Extra button: AIM (HKLM)O9 - Extra button: Real.com (HKLM)O12 - Plugin for .hlq: C:\Program Files\Internet Explorer\PLUGINS\NpHcd32.dllO12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dllO16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cabO16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38115.7273263889O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cabO16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Texruss · Answer

Good cleanup job! Looks fine to me. Any special issues? Texruss

jackie0405 · Answer

Explorer is still freezing up on me...specifically when I am in my yahoo mail. I've continued to run Spybot and Ad-Aware, but it will freeze immediately after the programs are run as well as before.

Jackie

Texruss · Answer

Scan and fix this entry:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

You might also check your HOSTS file:

http://www.russelltexas.com/spywareinfo/HOSTS.htm

Reboot and run IE and report back with new log and comments.

Texruss

Message Edited by Texruss on 05-19-2004 07:36 PM

Virus & Spyware

Was this post helpful?