  kenx818
@ucr.edu
| help with hijack file
I have run trojan scanners, Ad-aware, Spybot etc. and now I would like people to see if there is anything else to fix in the hijack log
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ken Ngarayawongse\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »webmail.ucr.edu/
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: (no name) - {000E7270-CC7A-0786-8E7A-DA09B51938A6} - C:\WINDOWS\System32\n3tpa1.dll (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BDMCon] C:\Program Files\Softwin\BitDefender Free Edition\\bdmcon.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .ipp: C:\Program Files\Internet Explorer\Plugins\npimth32.dll
O12 - Plugin for .ipt: C:\Program Files\Internet Explorer\Plugins\npimth32.dll
O16 - DPF: Yahoo! Chess - »download.games.yahoo.com/games/c···t1_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - »www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - »www.wildtangent.com/install/jvm/···3805.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - »download.macromedia.com/pub/shoc···r/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - »security.symantec.com/sscv6/Shar···niff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - »download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - »fpdownload.macromedia.com/pub/sh···lash.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - »picturecenter.kodak.com/activex/···trol.cab |
|
 johnpd Premium join:2003-11-20 Green Valley, AZ | Where is the rest of the log? You are missing the beginning part. |
|
  dandelion Premium,MVM join:2003-04-29 Germantown, TN clubs:
·Comcast
| reply to kenx818 Can't help you with the rest but thought you might want to see these links for WildTangent: »www.kephyr.com/spywarescanner/li···ex.phtml »Ad-aware really detects WildTangent now! |
|
 johnpd Premium join:2003-11-20 Green Valley, AZ
·Cox HSI
| reply to kenx818 First of all, extract HijackThis to a permanent folder like "C:\Program Files\HijackThis".
From what I can see of the log, you have a few questionable entries which you might want to "fix" with HijackThis:
--> O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
--> O2 - BHO: (no name) - {000E7270-CC7A-0786-8E7A-DA09B51938A6} - C:\WINDOWS\System32\n3tpa1.dll (file missing)
--> O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
--> O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
I also agree that Wild Tangent is questionable. You might want to uninstall that. |
|
  CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
| reply to kenx818 Some of these are mentioned above; this is a complete list of steps (we do need the top part of the log to be thorough, however).
Please make a new folder to put your HijackThis.exe into. Anywhere on your hard drive is fine other than your Desktop or the Temp folder and please don't run it directly from the zip file. We suggest you use a folder name like C:\Program Files\HijackThis but feel free to use any name or folder you like. Unzip HijackThis again and save the contents (Hijackthis.exe) to the new folder you made. Then navigate to it and run HijackThis from there. This is to ensure it makes the necessary backups for recovery if needed.
Look in Add/Remove Programs in Control Panel for WebSavingsfromEbates. If this entry is there (or EbatesWebSavings), uninstall it.
Next, please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an x in the boxes next to these items, then press *fix checked*
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: (no name) - {000E7270-CC7A-0786-8E7A-DA09B51938A6} - C:\WINDOWS\System32\n3tpa1.dll (file missing)
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
(Optional) O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
Additional Info here: »www.sysinfo.org/startuplist.php?···t=&type=
quote: GameChannel.exe Wild Tangent GameChannel - notification of new games, quick access to games and fast and easy game downloads. Note that Wild Tangent's privacy policy states they also collect and share individuals' information
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
Reboot
Delete the file (or just empty the contents of your TEMP folder)
C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
Delete these folders (if found)
C:\Program Files\ClearSearch
C:\Program Files\WebSavingsfromEbates
Run Hijack This again and post back a new log. Please include the very top part of the log this time... it should begin with lines similar to this:
quote:
Logfile of HijackThis v1.97.7
Scan saved at 9:44:20 PM, on 2/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
-- It takes a disaster to make a woman out of a female Gladiator Security Forum |
|
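The triage the replies above apply by eye (BHO entries whose file is gone, plus the ClearSearch, WebSavingsfromEbates and WildTangent entries), as an added example that is not part of any post in this thread. The function name `triage` and the `THREAD_WATCHLIST` constant are assumptions of the example; the sample lines are copied from the log posted above.

```python
import re

# Sample lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: (no name) - {000E7270-CC7A-0786-8E7A-DA09B51938A6} - C:\WINDOWS\System32\n3tpa1.dll (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
"""

# "<section code> - <body>", e.g. "O2 - BHO: ...", "R0 - HKCU\...", "O16 - DPF: ..."
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# O2 body: "BHO: <name> - {CLSID} - <file path or (no file)>"
BHO = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
# Folder names the repliers in this thread called out; not a general blocklist.
THREAD_WATCHLIST = ("ClearSearch", "WebSavingsfromEbates", "WildTangent")

def triage(log_text):
    """Return (section, reason, line) for each entry worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # header, running-process path or blank line
        section, body = m.groups()
        bho = BHO.match(body) if section == "O2" else None
        # A BHO registration whose DLL no longer exists is a leftover registry entry.
        if bho and (bho.group(3) == "(no file)" or bho.group(3).endswith("(file missing)")):
            findings.append((section, "orphaned BHO", line))
            continue
        hit = next((n for n in THREAD_WATCHLIST if n.lower() in body.lower()), None)
        if hit:
            findings.append((section, "watchlist: " + hit, line))
    return findings

if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"{section:<3} {reason:<32} {line}")
```

A finding here only marks an entry for review; whether to fix it in HijackThis is still the judgement call made in the replies.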
 normmork
join:2003-10-23 Canada
| reply to kenx818 Two tips about using Ad-aware 6 to make it work optimally:
1. Make sure the reference file is up to date. Update by using the globe icon in AA6.
2. Once a week, or when you think you are infected, run a Full Scan instead of the default SMART Scan. |
|