help with hijackthis log

Status
Not open for further replies.

traecastles

Hey, I've run Ad-Aware and Spybot S&D and AVG Anti-Virus, and usually after every start-up they always find something new. Please help me with this log. Thanks.


Logfile of HijackThis v1.99.1
Scan saved at 3:58:17 PM, on 4/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\DOCUME~1\JRiley\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.connectchurch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
O1 - Hosts: 81.211.105.49 greatsearch.biz
O1 - Hosts: 81.211.105.49 www.greatsearch.biz
O1 - Hosts: 81.211.105.49 cashsearch.biz
O1 - Hosts: 81.211.105.49 www.cashsearch.biz
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM32\NZDD.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: Dell Home - {91CF7A40-4889-11D4-9113-0001031C84F3} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\..\{08660A51-9F42-43A4-B1D2-1E7CB004C972}: Domain = bddeng.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{08660A51-9F42-43A4-B1D2-1E7CB004C972}: Domain = bddeng.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{08660A51-9F42-43A4-B1D2-1E7CB004C972}: Domain = bddeng.com

Thanks a lot!
 
Please move HijackThis to its own folder on C: (C:\HJT).


Before attacking an adware/spyware problem with HijackThis, make sure you have already run Ad-Aware SE with the VX2 add-on cleaner, Spybot Search & Destroy (with updated database) and CWShredder, as these programs will clean a lot of the crap out first. All links to programs are in my signature. Ok, on to the log...

If you have a high-speed connection, please run an online virus scan from TrendMicro. Please select the "autoclean" option when prompted to do so.

Download Hoster http://members.aol.com/toadbee/hoster.zip

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also. Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore.

Reboot into Safe Mode (hit the F8 key until the menu shows up). Make sure to close any open browsers. Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about :blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about :blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about :blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about :blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about :blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
O1 - Hosts: 81.211.105.49 greatsearch.biz
O1 - Hosts: 81.211.105.49 www.greatsearch.biz
O1 - Hosts: 81.211.105.49 cashsearch.biz
O1 - Hosts: 81.211.105.49 www.cashsearch.biz
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM32\NZDD.DLL
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)


C:\WINDOWS\SYSTEM32\NZDD.DLL <-- delete that file
C:\Program Files\Ebates_MoeMoneyMaker <-- delete that folder

Now run the hoster program and restore your hosts file.

Once done, reboot into Normal Mode and post a new HijackThis log file to confirm what was removed and whether it's clean or not.
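The reply above triages the log by hand; the script below is an added example (not code from this thread or from HijackThis) that applies the same rules to a HijackThis log file: hosts entries pointing a domain at a non-loopback address, IE search settings set to about:blank, a missing URLSearchHook, entries marked "(file missing)", and O17 domain entries, which are flagged for manual review because only the owner knows whether the domain is theirs. The sample lines are copied from the log posted in this thread; everything else is assumed.

```python
import re
from ipaddress import ip_address

# Constructed sample: entries copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.connectchurch.com/
R3 - Default URLSearchHook is missing
O1 - Hosts: 81.211.105.49 greatsearch.biz
O1 - Hosts: 127.0.0.1 localhost
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\..\{08660A51-9F42-43A4-B1D2-1E7CB004C972}: Domain = bddeng.com
"""

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
# IE settings that are hijacked when they point at about:blank (a Start Page alone is not).
SEARCH_KEYS = ("Search Bar", "SearchAssistant", "CustomizeSearch", "SearchURL")


def triage_line(line):
    """Return (severity, reason) for one HijackThis entry, or None if nothing stands out."""
    line = line.strip().replace("about :blank", "about:blank")  # forum-style spacing
    prefix = line.split(" - ", 1)[0]
    if prefix == "O1":
        m = HOSTS_RE.match(line)
        # A hosts entry that sends a name anywhere but loopback is a redirect, not a block.
        if m and not ip_address(m.group(1)).is_loopback:
            return ("fix", f"hosts file sends {m.group(2)} to {m.group(1)}")
    elif prefix in ("R0", "R1"):
        if line.endswith("= about:blank") and any(k in line for k in SEARCH_KEYS):
            return ("fix", "IE search setting hijacked to about:blank")
    elif prefix == "R3" and "is missing" in line:
        return ("fix", "default URLSearchHook is missing")
    elif prefix == "O17":
        return ("review", "confirm the domain belongs to your ISP or company network")
    if "(file missing)" in line:
        return ("fix", "entry points at a file that no longer exists")
    return None


def triage_log(text):
    """Return [(severity, reason, entry), ...] for every flagged entry in a log."""
    findings = []
    for raw in text.splitlines():
        if raw.strip():
            verdict = triage_line(raw)
            if verdict:
                findings.append((verdict[0], verdict[1], raw.strip()))
    return findings
```

Run `triage_log` over a saved log to get the same list the reply spells out; anything marked "review" still needs a human decision.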
 
Remove entries at your own risk


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about :blank This page could possibly be nasty. If you do not know the entry 'about :blank', delete it.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about :blank
Possibly nasty This page could possibly be nasty. If you do not know the entry 'about :blank', delete it.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about :blank
Possibly nasty This page could possibly be nasty. If you do not know the entry 'about :blank', delete it.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about :blank
Possibly nasty This page could possibly be nasty. If you do not know the entry 'about :blank', delete it.

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about :blank
Possibly nasty This page could possibly be nasty. If you do not know the entry 'about :blank', delete it.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
Nasty This entry should be fixed by HijackThis! This entry should be fixed by HijackThis!

R3 - Default URLSearchHook is missing
Nasty Should be fixed if you do not know the application or if no application is mentioned. This entry should be fixed.

O1 - Hosts: 81.211.105.49 greatsearch.biz
Nasty This entry should be fixed immediately! Must be fixed!

O1 - Hosts: 81.211.105.49 www.greatsearch.biz
Nasty This entry should be fixed immediately! Must be fixed!

O1 - Hosts: 81.211.105.49 cashsearch.biz
Nasty This entry should be fixed immediately! Must be fixed!

O1 - Hosts: 81.211.105.49 www.cashsearch.biz
Nasty This entry should be fixed immediately! Must be fixed!

O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM32\NZDD.DLL Must be fixed!

O9 - Extra button: Dell Home - {91CF7A40-4889-11D4-9113-0001031C84F3} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
Possibly nasty Unknown buttons or entries in the 'Extras'-menu should be fixed. To be fixed if the entry 'Dell Home ' is unknown.

O17 - HKLM\System\CCS\Services\Tcpip\..\{08660A51-9F42-43A4-B1D2-1E7CB004C972}: Domain = bddeng.com
Possibly nasty If this Domain does not belong to your ISP, or your firms network, these entries should be fixed. 'SearchList' entries should be fixed too. Do you know the IP or Domain 'bddeng.com'? If not, fix this entry.

O17 - HKLM\System\CS1\Services\Tcpip\..\{08660A51-9F42-43A4-B1D2-1E7CB004C972}: Domain = bddeng.com
Possibly nasty If this Domain does not belong to your ISP, or your firms network, these entries should be fixed. 'SearchList' entries should be fixed too. Do you know the IP or Domain 'bddeng.com'? If not, fix this entry.

O17 - HKLM\System\CS2\Services\Tcpip\..\{08660A51-9F42-43A4-B1D2-1E7CB004C972}: Domain = bddeng.com