HijackThis Log



Logfile of HijackThis v1.99.1

Scan saved at 3:31:07 PM, on 1/22/2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

F:\WINDOWS\System32\smss.exe

F:\WINDOWS\system32\winlogon.exe

F:\WINDOWS\system32\services.exe

F:\WINDOWS\system32\lsass.exe

F:\WINDOWS\system32\svchost.exe

F:\WINDOWS\System32\svchost.exe

F:\WINDOWS\Explorer.EXE

F:\WINDOWS\system32\spoolsv.exe

F:\WINDOWS\System32\RunDll32.exe

F:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

F:\Program Files\Prevx Home\SAGUI.exe

F:\Program Files\Common Files\Real\Update_OB\realsched.exe

F:\Program Files\iTunes\iTunesHelper.exe

F:\Program Files\QuickTime\qttask.exe

F:\Program Files\Messenger\msmsgs.exe

F:\Program Files\NetZero\exec.exe

F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

F:\WINDOWS\system32\

F:\Program Files\Prevx Home\PXAgent.exe

F:\Program Files\iPod\bin\iPodService.exe

F:\WINDOWS\System32\cmd.exe

F:\Program Files\Mozilla Firefox\firefox.exe

F:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe

F:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\DOCUME~1\KONWAY~1\LOCALS~1\Temp\sp.dll/sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\DOCUME~1\KONWAY~1\LOCALS~1\Temp\sp.dll/sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - F:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar1.dll

O2 - BHO: (no name) - {D5860FA8-6237-4151-A48E-962DD0E38334} - F:\WINDOWS\System32\kmhb.dll (file missing)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - F:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll

O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - F:\Program Files\NetZero\Toolbar.dll (file missing)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [AVG7_EMC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O4 - HKLM\..\Run: [PrevxHome] F:\Program Files\Prevx Home\SAGUI.exe

O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [NetZero_uoltray] F:\Program Files\NetZero\exec.exe regrun

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: &Google Search - res://f:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://f:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://f:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://f:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://f:\program files\google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll

O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab

O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab

O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/30fbe74a7500ec...ip/RdxIE601.cab

O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - (no file)

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe

O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - F:\WINDOWS\system32\pctspk.exe

O23 - Service: Prevx Agent (PrevxAgent) - Prevx Ltd. - F:\Program Files\Prevx Home\PXAgent.exe

Please help me review this. I see that he does not have SP2. He told me he found several viruses with AVG but did not send the names, so I cannot tell if they are false positives or not. To be honest, I work with this guy and don't think it is a legit install of XP; this may account for not installing SP2.


We need to disable Prevx first.

Right click on the Prevx icon in your system tray at the bottom-right corner of your screen and choose Show Management Console.

On the Management Console click the Protection Level drop-down menu.

You will see three levels:

Maximum

Off

User Defined

To disable all protection set the level to Off. You will receive a prompt asking "You are about to change your security settings. Do you wish to continue?" Click Yes.

Click the X on the upper right hand corner to exit the Management console. Once we are done cleaning up, you can repeat the steps setting the level this time to Maximum in order to reenable protection.

Scan with HJT and place a check next to the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\DOCUME~1\KONWAY~1\LOCALS~1\Temp\sp.dll/sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\DOCUME~1\KONWAY~1\LOCALS~1\Temp\sp.dll/sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

O2 - BHO: (no name) - {D5860FA8-6237-4151-A48E-962DD0E38334} - F:\WINDOWS\System32\kmhb.dll (file missing)

O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab

O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab

O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/30fbe74a7500ec...ip/RdxIE601.cab

O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - (no file)

Then, make sure all browser windows and other applications are closed, and click the Fix Checked button.

Boot into Safe Mode:

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Once in safe mode, find and delete the following files:

c:\eied_s7.cab

c:\ex.cab

Then, reboot your computer normally, scan with HJT, and post a new log.

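As an added example (not part of the thread, and not HijackThis's own logic), a small Python parser for HijackThis log entries that re-joins lines the forum wrapped and flags the same patterns the reply above marked for fixing: R0/R1 values reset to about:blank or pointing at a DLL under Temp, load points whose file is missing, and O16 DPF entries sourced from a local .cab. The log excerpt is constructed from entries in the posted log; the heuristics are my own and only say "look at this", not "this is malware".

```python
import re

# Constructed excerpt of the posted log; long entries stay wrapped as the forum rendered them.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://F:\DOCUME~1\KONWAY~1\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant
= about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program
Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {D5860FA8-6237-4151-A48E-962DD0E38334} - F:\WINDOWS\System32\kmhb.dll (file missing)
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/30fbe74a7500ec...ip/RdxIE601.cab
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - (no file)
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")       # "O16 - DPF: ..." style section prefix
TEMP_RES = re.compile(r"res://.*\\temp\\.*\.dll/", re.IGNORECASE)  # res:// into a DLL under Temp

def parse_hjt(text):
    """Return (section, body) pairs; any line without a section prefix is a wrapped continuation."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append([m.group(1), m.group(2)])
        elif entries:
            entries[-1][1] += " " + line
    return [tuple(e) for e in entries]

def triage(entries):
    """Flag the entry patterns fixed in this thread; heuristics, not a verdict (my own rules)."""
    findings = []
    for section, body in entries:
        reason = None
        if section in ("R0", "R1"):
            if body.endswith("= about:blank") or TEMP_RES.search(body):
                reason = "IE start/search setting reset to about:blank or a DLL under Temp"
        elif "(file missing)" in body or "(no file)" in body:
            reason = "load point refers to a file that no longer exists (orphaned entry)"
        elif section == "O16" and "file://" in body.lower():
            reason = "ActiveX download (DPF) sourced from a local .cab, not a vendor URL"
        if reason:
            findings.append((section, reason, body))
    return findings
```

Running `triage(parse_hjt(SAMPLE_LOG))` flags six of the eight entries; the Acrobat BHO and the http-sourced RdxIE control pass the heuristics, so the helper's call to also remove that O16 entry is a judgement these rules would not make on their own.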

I got him on it, Matt, thanks. I was kinda wondering about the .cab files there. I expect most (un-learned) IE users to have a ton of useless toolbars. My next step is to head over to TomCoyote and actually learn more about HijackThis; it is long overdue.

Preston


If he can't boot into safe mode, do this for file deletion:

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.

  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    c:\eied_s7.cab

    c:\ex.cab

  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Edited by Matt