HJT log...can someone please take a look.


24giovanni

Can someone please look at my HJT log and tell me if I can delete anything? Any help is greatly appreciated.

Logfile of HijackThis v1.98.2
Scan saved at 3:34:21 PM, on 11/1/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\ARCSERVE\dbeng.exe
C:\ARCSERVE\jobeng.exe
C:\ARCSERVE\RDS.EXE
C:\ARCSERVE\msgeng.exe
C:\ARCSERVE\tapeeng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
c:\program files\timbuktu pro\tb2launch.exe
c:\program files\timbuktu pro\tb2pro.exe
C:\WINNT\system32\tlntsvr.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\system32\Dfssvc.exe
c:\program files\timbuktu pro\TNOTIFY.EXE
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\winnt\180ax.exe
C:\Program Files\webHancer\Programs\whAgent.exe
C:\Program Files\webHancer\Programs\whSurvey.exe
C:\WINNT\medload.exe
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\WINNT\updatetc.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://results.dashbar.com/search?c=27440&b=17862&t=0&ce=DI&m=NDY2MTUyMzUz&ver=2.1.0.0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O3 - Toolbar: DashBar Toolbar - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - C:\Program Files\DashBar\DashBar21.dll (file missing)
O3 - Toolbar: Searchfst Class - {000277A3-7D84-406a-9799-D12A81594693} - C:\WINNT\srchfst.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Tb2initPath] "c:\program files\timbuktu pro\tb2init.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [180ax] c:\winnt\180ax.exe
O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [loads.exe] C:\WINNT\medload.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [atevwz] C:\WINNT\atevwz.exe
O4 - HKLM\..\Run: [tpcupdater] C:\WINNT\updatetc.exe
O4 - HKLM\..\Run: [SrchfstUpdate] C:\WINNT\srchupdt.exe
O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~1\The Weather Channel.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/mmed.cab
 
Ad-Aware scanning now.

Inaris, it's done scanning... now what? Should I select Next?

I'll post another HJT log in a few minutes... thanks.

Logfile of HijackThis v1.98.2
Scan saved at 5:21:56 PM, on 11/1/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\ARCSERVE\dbeng.exe
C:\ARCSERVE\jobeng.exe
C:\ARCSERVE\RDS.EXE
C:\ARCSERVE\msgeng.exe
C:\ARCSERVE\tapeeng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
c:\program files\timbuktu pro\tb2launch.exe
c:\program files\timbuktu pro\tb2pro.exe
C:\WINNT\system32\tlntsvr.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
c:\program files\timbuktu pro\TNOTIFY.EXE
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\medload.exe
C:\WINNT\Ldun.exe
C:\PROGRA~1\THEWEA~1\The Weather Channel.exe
C:\WINNT\System32\wowanmgr.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O3 - Toolbar: Searchfst Class - {000277A3-7D84-406a-9799-D12A81594693} - C:\WINNT\srchfst.dll
O3 - Toolbar: Search Bar - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - C:\WINNT\DOWNLO~1\search3.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Tb2initPath] "c:\program files\timbuktu pro\tb2init.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [loads.exe] C:\WINNT\medload.exe
O4 - HKLM\..\Run: [SrchfstUpdate] C:\WINNT\srchupdt.exe
O4 - HKLM\..\Run: [Rxagik] C:\WINNT\Meruoq.exe
O4 - HKLM\..\Run: [pgtaff] C:\WINNT\pgtaff.exe
O4 - HKLM\..\Run: [eoga] C:\WINNT\Ldun.exe
O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~1\The Weather Channel.exe
O4 - HKCU\..\Run: [I077RRN7i] wowanmgr.exe
O4 - Startup: Pop-Up Stopper Free Edition.lnk = C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/abarth/us/win/QuickTimeInstaller.exe
 
Yeah, although I'm not seeing any CWS on there. There is one more scanner that you might want to use:
http://www.safer-networking.org/en/download/

This one needs to run on there as well. Then post what your findings are.


something else, can you post an export of the following registry key:
HKLM\software\microsoft\windows\currentversion\run


looks like you have a bunch of junk there...
 
Inaris said:
something else, can you post an export of the following registry key:
HKLM\software\microsoft\windows\currentversion\run

looks like you have a bunch of junk there...

how do I do this?

Inaris said:
Yeah, although I'm not seeing any CWS on there. There is one more scanner that you might want to use:
http://www.safer-networking.org/en/download/

This one needs to run on there as well. Then post what your findings are.

There are multiple things that can be downloaded from this site. Which one? Do you mean Spybot S&D?

Inaris said:
something else, can you post an export of the following registry key:
HKLM\software\microsoft\windows\currentversion\run

looks like you have a bunch of junk there...

For local machine?




Here's latest after all scans

Logfile of HijackThis v1.98.2
Scan saved at 6:59:46 PM, on 11/1/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\ARCSERVE\dbeng.exe
C:\ARCSERVE\jobeng.exe
C:\ARCSERVE\RDS.EXE
C:\ARCSERVE\msgeng.exe
C:\ARCSERVE\tapeeng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
c:\program files\timbuktu pro\tb2launch.exe
C:\WINNT\system32\tlntsvr.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\program files\timbuktu pro\tb2init.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\medload.exe
C:\PROGRA~1\THEWEA~1\The Weather Channel.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINNT\regedit.exe
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 search.netscape.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O3 - Toolbar: Searchfst Class - {000277A3-7D84-406a-9799-D12A81594693} - C:\WINNT\srchfst.dll
O3 - Toolbar: Search Bar - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - C:\WINNT\DOWNLO~1\search3.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Tb2initPath] "c:\program files\timbuktu pro\tb2init.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [loads.exe] C:\WINNT\medload.exe
O4 - HKLM\..\Run: [Create A Monster] "C:\Program Files\Kudd.com\createAMonster.exe" -run
O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~1\The Weather Channel.exe
O4 - HKCU\..\Run: [I077RRN7i] wowanmgr.exe
O4 - Startup: Pop-Up Stopper Free Edition.lnk = C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/SpSp29952.22opt/SpySpotterInstall.cab
 
Yes, from Local Machine: HKEY_LOCAL_MACHINE...
Find the key, then right-click it and select Export. Save the file to your desktop, then right-click the file and tell it to Edit. Then save the file as a .txt file in place of a .reg. That way you can just double-click it. Post the values as you have been doing.

You need to kill the process medload.exe from Task Manager and then delete the file and the entry in the registry.
This entry worries me...
O4 - HKLM\..\Run: [Tb2initPath] "c:\program files\timbuktu pro\tb2init.exe"
as that is a remote control tool. Did you install this?
The multiple downloads are for the same thing. Spybot is pretty good at catching a few of the trailers...
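The checks a reviewer applies to the HJT logs above (hosts-file overrides, O4 Run entries that launch from the Windows directory root or with no path at all, unknown Winsock LSPs, ActiveX downloads from unfamiliar hosts) can be written down as a small parser. The script below is an added example and is not part of this thread or of HijackThis; the sample log lines are constructed to mirror the entries posted above, and the TRUSTED_DPF_HOSTS allow-list is an assumption for illustration, not a vetted list.

```python
"""Triage helper for HijackThis v1.98-style log lines (added example).

Heuristics encoded here, with the caveats a reviewer would attach:
  O1  - hosts entry pointing a hostname at a non-loopback IP (search hijack)
  O3  - toolbar DLL sitting directly in the Windows directory root
  O4  - Run entry whose program has no directory (resolved via search order)
        or sits directly in the Windows directory root, the typical dropper
        location (C:\WINNT\medload.exe above); vendor software normally
        installs under Program Files or System32
  O10 - unknown Winsock LSP; flagged for review only, since deleting an LSP
        DLL by hand breaks networking and needs a proper LSP repair tool
  O16 - ActiveX (DPF) download from a host not on a trusted list
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    section: str  # HJT section tag, e.g. "O4"
    reason: str   # why the line was flagged
    line: str     # the original log line


# ASSUMPTION: allow-list for illustration only. akamai.net is a CDN that hosts
# many vendors, so a real list would be tighter than this.
TRUSTED_DPF_HOSTS = ("akamai.net", "apple.com", "microsoft.com", "windowsupdate.com")

_WINDIR_ROOT = re.compile(r"^[a-z]:\\(winnt|windows)\\[^\\]+$", re.I)
_O1 = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
_O3 = re.compile(r"^O3 - Toolbar: .*? - \{[0-9A-Fa-f-]+\} - (.+?)(?: \(file missing\))?$")
_O4 = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.+?)\]\s+(.*)$")
_O10 = re.compile(r"^O10 - Unknown file in Winsock LSP:\s+(\S+)")
_O16 = re.compile(r"^O16 - DPF: .*?(https?://([^/\s]+))")

# Constructed sample in the shape of the entries posted in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 127.0.0.1 localhost
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Searchfst Class - {000277A3-7D84-406a-9799-D12A81594693} - C:\WINNT\srchfst.dll
O4 - HKLM\..\Run: [loads.exe] C:\WINNT\medload.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [I077RRN7i] wowanmgr.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
"""


def executable_path(command: str) -> str:
    """Return the program path from an O4 command line, dropping arguments.

    Quoted paths end at the closing quote; unquoted paths are cut at the first
    executable extension so 'C:\\PROGRA~1\\...\\The Weather Channel.exe' survives
    its embedded spaces.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"^(.*?\.(?:exe|com|scr|bat|cmd|pif|dll))(?:\s|$)", command, re.I)
    return m.group(1) if m else command.split()[0]


def _is_loopback(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False  # not an IP literal; treat as not loopback


def _trusted_host(host: str) -> bool:
    host = host.lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DPF_HOSTS)


def triage(log_text: str) -> List[Finding]:
    """Scan HJT log lines and return the entries a reviewer should look at."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := _O1.match(line):
            ip, host = m.groups()
            if not _is_loopback(ip):
                findings.append(Finding("O1", f"hosts file sends {host} to remote IP {ip}", line))
        elif m := _O3.match(line):
            if _WINDIR_ROOT.match(m.group(1)):
                findings.append(Finding("O3", "toolbar DLL dropped in Windows directory root", line))
        elif m := _O4.match(line):
            _hive, name, command = m.groups()
            path = executable_path(command)
            if "\\" not in path:
                findings.append(Finding("O4", f"[{name}] has no directory; resolved via search order", line))
            elif _WINDIR_ROOT.match(path):
                findings.append(Finding("O4", f"[{name}] runs from Windows directory root", line))
        elif m := _O10.match(line):
            findings.append(Finding("O10", f"unregistered Winsock LSP {m.group(1)}; repair with an LSP tool, do not just delete it", line))
        elif m := _O16.match(line):
            host = m.group(2)
            if not _trusted_host(host):
                findings.append(Finding("O16", f"ActiveX download from untrusted host {host}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:>4}  {f.reason}\n      {f.line}")
```

Running the block over the constructed sample flags six of the nine lines: the msn hosts override, srchfst.dll, medload.exe, the pathless wowanmgr.exe, calsp.dll and the topconverting.com loader; the localhost entry, the Radio toolbar in System32 and the QuickTime Run entry pass. These are triage hints, not verdicts: a flagged entry still needs the file itself checked before anything is killed or deleted.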
 