Logfile of HijackThis v1.97.7
Scan saved at 2:57:22 PM, on 4/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\PROGRA~1\Simply\CBWAttn.exe
C:\PROGRA~1\Simply\CBWHost.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\pctspk.exe
C:\WINDOWS\System32\PV92Tray.exe
C:\WINDOWS\System32\keyhook.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\PROGRA~1\Simply\Cheymon.exe
C:\Program Files\Simply\CBWUser.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\safe-share\SafeShare.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\StealthRay\StealthRay.exe
C:\Program Files\Norton Internet Security\ATRACK.EXE
C:\WINDOWS\system32\msbb.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\The Howells\Local Settings\Temporary Internet Files\Content.IE5\0G1FD1WF\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\ATPART~1.DLL
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\System32\nzdd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [PV92TRAY] PV92Tray.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [SFPrnmon] C:\PROGRA~1\Simply\Cheymon.exe
O4 - HKLM\..\Run: [CBWUser] "C:\Program Files\Simply\CBWUser.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Unshare] C:\Program Files\safe-share\SafeShare.exe
O4 - HKLM\..\Run: [msbb] c:\windows\system32\msbb.exe
O4 - HKLM\..\Run: [ydot] C:\WINNT\ydot.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Reboot.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\Realdownload.exe
O4 - Global Startup: StealthRay.lnk = C:\Program Files\StealthRay\StealthRay.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} (F1 Organizer Class) - http://www.addictivetechnologies.net/DM0/cab/Ud3rT0n5.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.charter.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/274c648cf9e255...ip/RdxIE601.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
Full Version: Webpages won't display, but email works fine
I've not analyzed the log yet fully, however a couple of questions
Did you have him check for a HOSTS file and delete any entries found beginning with 127.0.0.* ? (Did he find any in there?)
Also, does he have Adaware? If so, I need to know the version and build (in the bottom right corner of the opening screen) and also what Reference File # is loaded (also in the Opening screen.)
I'll go back and look closely at the log now, but on first glance did not see anything in there that would cause loss of ability to view webpages. So that's why the questions I wanted to ask first.
I'll be back :)
Did you have him check for a HOSTS file and delete any entries found beginning with 127.0.0.* ? (Did he find any in there?)
Also, does he have Adaware? If so, I need to know the version and build (in the bottom right corner of the opening screen) and also what Reference File # is loaded (also in the Opening screen.)
I'll go back and look closely at the log now, but on first glance did not see anything in there that would cause loss of ability to view webpages. So that's why the questions I wanted to ask first.
I'll be back :)
Answer to HOSTS q, yes, but only entry was 127.0.0.0...He deleted it, saved and tried...Still no.
Adaware, no. He mentioned seeing something called Spybot, and thought that he had it. I don't think that he has it and that it is something lingering from using the File Transfer Wizard when he got the new machine. He did have Spybot on his old...I have the install files for adaware, and can email them to him if you think it would be of assistance before getting him back surfing.
Adaware, no. He mentioned seeing something called Spybot, and thought that he had it. I don't think that he has it and that it is something lingering from using the File Transfer Wizard when he got the new machine. He did have Spybot on his old...I have the install files for adaware, and can email them to him if you think it would be of assistance before getting him back surfing.
PS...I was noticing the time our posts are showing...It's 4:03 here...Is it really after 9pm there, or is the system time wrong?
Ok - thanks for checking those things - eliminates a few possibilities.
Please ask him if he has a keylogger installed on purpose there?
[SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe <---Have him rightclick on this file and look under the tabs at the top and record any and all information found there.
It's 5:07 here (EDT). Could be your forum clock setting aren't set
Please ask him if he has a keylogger installed on purpose there?
[SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe <---Have him rightclick on this file and look under the tabs at the top and record any and all information found there.
It's 5:07 here (EDT). Could be your forum clock setting aren't set
Please make a new folder to put your HijackThis.exe into. Anywhere on your hard drive is fine other than your Desktop or the Temp folder. We suggest you use C:\Program Files\HijackThis but feel free to use any name or folder you like. Unzip or extract from HijackThis again and save the contents (Hijackthis.exe) to the new folder you made. Then navigate to it and run HijackThis from there. This is to ensure it makes the necessary backups for recovery if needed.
Next, please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an x in the boxes next to these items, then press *fix checked*
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} -C:\WINDOWS\System32\ATPART~1.DLL
O4 - HKLM\..\Run: [msbb] c:\windows\system32\msbb.exe
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} (F1 Organizer Class) - http://www.addictivetechnologies.net/DM0/cab/Ud3rT0n5.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/274c648cf9e255...ip/RdxIE601.cab
...................................................
Reboot your PC
Delete the following
c:\windows\system32\msbb.exe <--delete file
.............................................................
Question:
Ask him if he know what this file is.
C:\WINNT\ydot.exe
If he doesn't know, ask him to check the tabs under properties on it as well
If he is still having a problem, I would start checking for network settings, etc.
Adware install isn't much help without the updates and he needs to be online to do that. If we can get him connected, it would be a really good idea to have him install it, get the updates and do a cleanup as there may be some leftovers it will find that Hijack can't see.
And I still need to know about the keylogger (I didn't include to remove it)
Next, please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an x in the boxes next to these items, then press *fix checked*
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} -C:\WINDOWS\System32\ATPART~1.DLL
O4 - HKLM\..\Run: [msbb] c:\windows\system32\msbb.exe
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} (F1 Organizer Class) - http://www.addictivetechnologies.net/DM0/cab/Ud3rT0n5.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/274c648cf9e255...ip/RdxIE601.cab
...................................................
Reboot your PC
Delete the following
c:\windows\system32\msbb.exe <--delete file
.............................................................
Question:
Ask him if he know what this file is.
C:\WINNT\ydot.exe
If he doesn't know, ask him to check the tabs under properties on it as well
If he is still having a problem, I would start checking for network settings, etc.
Adware install isn't much help without the updates and he needs to be online to do that. If we can get him connected, it would be a really good idea to have him install it, get the updates and do a cleanup as there may be some leftovers it will find that Hijack can't see.
And I still need to know about the keylogger (I didn't include to remove it)
Forgot....also, if he did not install the MyWay Searchbar on purpose, you can remove that in the Control Panel under add/remove programs :)
Woo-Hoo! He did all that you said, but still no internet. I went on a limb and emailed him the installation file for Adaware, hoping that it could update itself without using IE. He installed it, and hit update...It worked.
It tried scanning and found 140+ objects, etc. Some of them it couldn't remove, but it asked him if he would like to try again after rebooting. Upon rebooting it automatically scanned again and was able to remove the remaining files.
Sure enough his IE began working again as soon as it was done.
BTW...The question about the keyhook file...It is a file installed when using a wireless keyboard, which he is doing. It allows the CAPS LOCK and NUM LOCK to show up in the system tray, since there are no lights on the keyboard for it. So, it is legit.
Hats off to CalamityJane! You are wonderful. Can't thank you enough. :thumb:
It tried scanning and found 140+ objects, etc. Some of them it couldn't remove, but it asked him if he would like to try again after rebooting. Upon rebooting it automatically scanned again and was able to remove the remaining files.
Sure enough his IE began working again as soon as it was done.
BTW...The question about the keyhook file...It is a file installed when using a wireless keyboard, which he is doing. It allows the CAPS LOCK and NUM LOCK to show up in the system tray, since there are no lights on the keyboard for it. So, it is legit.
Hats off to CalamityJane! You are wonderful. Can't thank you enough. :thumb:
Ya Hoooo! You're the star there Kerry!
:victory: :king:
I am so glad to hear all is well, now
Now that your PC is clean, make sure all programs are running properly and then you'll need to reset your restore point in Windows XP.......why?
One of the best features of Windows ME or XP is the System Restore option, however if a virus infects a computer with this operating system the virus can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after a virus removal.
To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.
(winXP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/default.aspx?...kb;en-us;310405
Next, we highly recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help :).
How to Stop Hijackers & Spyware Infections, And other malware too!
http://forum.gladiator-antivirus.com/index...?showtopic=9857
And please be sure to visit Windows Update - get ALL the critical security updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
http://v4.windowsupdate.microsoft.com/en/default.asp
It's all about helping each other, isn't it? :thumb:
:victory: :king:
I am so glad to hear all is well, now
Now that your PC is clean, make sure all programs are running properly and then you'll need to reset your restore point in Windows XP.......why?
One of the best features of Windows ME or XP is the System Restore option, however if a virus infects a computer with this operating system the virus can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after a virus removal.
To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.
(winXP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/default.aspx?...kb;en-us;310405
Next, we highly recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help :).
How to Stop Hijackers & Spyware Infections, And other malware too!
http://forum.gladiator-antivirus.com/index...?showtopic=9857
And please be sure to visit Windows Update - get ALL the critical security updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
http://v4.windowsupdate.microsoft.com/en/default.asp
It's all about helping each other, isn't it? :thumb:
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.