dementedsnake Posted December 23, 2005 Report Share Posted December 23, 2005 (edited) Here's my first log since downloading it. ... Any help is appreciated. Logfile of HijackThis v1.99.1Scan saved at 2:45:56 AM, on 12/23/2005Platform: Windows ME (Win9x 4.90.3000)MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)Running processes:C:\WINDOWS\SYSTEM\KERNEL32.DLLC:\WINDOWS\SYSTEM\MSGSRV32.EXEC:\WINDOWS\SYSTEM\SPOOL32.EXEC:\WINDOWS\SYSTEM\MPREXE.EXEC:\WINDOWS\SYSTEM\STIMON.EXEC:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXEC:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXEC:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXEC:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXEC:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXEC:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXEC:\WINDOWS\SYSTEM\MSTASK.EXEC:\WINDOWS\SYSTEM\mmtask.tskC:\WINDOWS\TASKMON.EXEC:\WINDOWS\SYSTEM\SYSTRAY.EXEC:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXEC:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXEC:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXEC:\WINDOWS\SYSTEM\WMIEXE.EXEC:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXEC:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXEC:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXEC:\Program Files\Norton SystemWorks\Norton CleanSweep\Monwow.exeC:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXEC:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXEC:\WINDOWS\SYSTEM\DDHELP.EXEC:\PROGRAM FILES\AIM\AIM.EXEC:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXEC:\WINDOWS\EXPLORER.EXEC:\WINDOWS\DESKTOP\HIJACKTHIS.EXER1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blankR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blankR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blankR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bellsouth.netR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.comR0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blankR1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blankR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer:R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhostR0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O2 - BHO: ZIBho Class - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - (no file)O2 - BHO: (no name) - {8E5FE119-5BDA-1722-879E-76A2D8A069C2} - (no file)O2 - BHO: (no name) - {ECEA0EEC-E77F-FCD6-2734-CCA9389F58C3} - (no file)O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)O2 - BHO: (no name) - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - (no file)O2 - BHO: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dllO2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dllO2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLLO3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCXO3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dllO4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exeO4 - HKLM\..\Run: [systemTray] SysTray.ExeO4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exeO4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"O4 - HKLM\..\Run: [symantec Core LC] "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" startO4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXEO4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /ConsumerO4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\QDCSFS.exe /startupO4 - HKLM\..\RunServices: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXEO4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"O4 - HKLM\..\RunServices: [symTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exeO4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -regO4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXEO4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinject.exeO4 - HKLM\..\RunServices: [schedulingAgent] mstask.exeO4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWizO4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXEO4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk.disabledO4 - Startup: CleanSweep Smart Sweep-Internet Sweep.LNK = C:\Program Files\Norton SystemWorks\Norton CleanSweep\Csinsm32.exeO6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions presentO6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel presentO8 - Extra context menu item: Get It With Kontiki - res://C:\PROGRAM FILES\KONTIKI\BIN\BH309190.DLL/201O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXEO9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\SYSTEM\SHDOCVW.DLLO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLLO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLLO9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)O14 - IERESET.INF: START_PAGE_URL=http://www.bellsouth.netO16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cabO16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} (Java Plug-in) - O16 - DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} (Java Plug-in) - O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Plug-in) - O16 - DPF: Lottso by pogo - http://game1.pogo.com/applet-6.4.3.36/lott...o-ob-assets.cabO16 - DPF: Canasta by pogo - O16 - DPF: Tri-Peaks by pogo - O16 - DPF: Dominoes by pogo - O16 - DPF: Keno by pogo - O16 - DPF: Checkers by pogo - O16 - DPF: Fortune Bingo by pogo - O16 - DPF: Perfect Pair Solitaire by pogo - O16 - DPF: Dice Derby by pogo - O16 - DPF: Stax by pogo - O16 - DPF: {AC58FDA4-4896-4967-88CD-52CF05571F1E} - O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} - O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM_ca.cabO16 - DPF: {54771E6F-A5A2-4413-8FB8-7B8F85398174} - O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cabO19 - User stylesheet: (file missing)O20 - AppInit_DLLs: apitrap.dll;Sorry, I forgot to add a problem description...Well, anthing that you can think of has happened to the computer. Pop-ups, adware, random crashes, identity theft, courpted anitvirus programs, 480-ish viruses at one time....Like I said... HELP!EDIT: I'll be more specific...The computer's memory runs dry from time to time. At start-up there are around 280 files open/running (according to Norton). The internet connection will slow, freeze or crash my computer (hacker?) but most of the time when I hit stand-by on the modem, it's stops within a few seconds. Icons, such as the one related to Word Processer, will change on an unknown time frame. The change is always to a random icon (well, mostly...it'll rarely change to a program that's running). What I mean is, that icon will change but the program it starts with stays the same. I think the two most common victims are media player files and any type of document files. One of my AIM account was stolen. I'm convinced that (it's been removed for awhile) Yahoo Instant Messenger was a trojan. ( <-- Random shut-downs, constant errors and blue screens, program freezes, etc). There's tons more but I cannot think of any right now. Sorry. Edited December 23, 2005 by dementedsnake Link to post Share on other sites
Matt Posted December 24, 2005 Report Share Posted December 24, 2005 Hi dementedsnake! Welcome to Besttechie! I will be assisting you in cleaning up your computer!Please print out these directions for use if/when you cannot access this page.You are currently using HijackThis from your desktop, this can cause problems.HijackThis creates backups, these are needed in case of any recovery issues.Please create a directory on your C:\ drive called C:\HJT, download and unzip HijackThis into that directory. Run the program from that directory from now on.Scan with HJT, and place a check next to the following items:R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blankR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blankR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blankR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.comR0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blankR1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blankO2 - BHO: ZIBho Class - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - (no file)O2 - BHO: (no name) - {8E5FE119-5BDA-1722-879E-76A2D8A069C2} - (no file)O2 - BHO: (no name) - {ECEA0EEC-E77F-FCD6-2734-CCA9389F58C3} - (no file)O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} (Java Plug-in) - O16 - DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} (Java Plug-in) - O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Plug-in) - O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} -O16 - DPF: {54771E6F-A5A2-4413-8FB8-7B8F85398174} - O19 - User stylesheet: (file missing)Then, make sure all browser windows and other applications are closed, and click the Fix Checked button.Next, locate and delete the following folders:C:\Program Files\PartyPoker\C:\WINDOWS\Start Menu\Programs\IMVU\Then, Reboot your coputer, rescan with HJT, and post a new log for check.Matt Link to post Share on other sites
Matt Posted January 10, 2006 Report Share Posted January 10, 2006 Inactive topic...If you still need help on this problem, contact me or one of the Moderators to re-open this up.Topic closed. Link to post Share on other sites
Recommended Posts