looking for some assistance identifying files in HJT logfile

I ran Spybot and Adaware and a few other ad/spy removal apps to take care of a really bad pop-up problem. I have the new Yahoo toolbar installed, just trying it out to see how it works, and it doesn't seem to work as well as they say it does in the articles I have read. Below is the HJT log after running Spybot and Adaware. I have identified most of the processes that I need to remove and marked them (***). The rest I am not sure of.

Thank you in advance for your help,

Tim
Logfile of HijackThis v1.98.1
Scan saved at 11:44:09 AM, on 8/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Altiris\eXpress\Client Recovery Agent\AeXAgent.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\ORL\VNC\WinVNC.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Altiris\eXpress\Client Recovery Agent\AeXRD32.Exe
C:\documents and settings\kellymo\local settings\temp\Dl8m.exe***
C:\documents and settings\kellymo\local settings\temp\3.exe***
C:\WINNT\System32\ipmodisc.exe***
C:\WINNT\System32\vbaodisc.exe***
C:\PROGRA~1\Web Offer\wo.exe***
C:\CacheSys\Bin\csystray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\System32\XfbLkTj.exe***
C:\WINNT\System32\XfbLkTj.exe***
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sam/authorizer.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: 172.17.1.25 termserver2000
O1 - Hosts: 172.17.1.31 mailer1.stewartsshops.com mailer1
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\kellymo\Local Settings\Temp\xnHb0.dll***
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [AEXAgentEXE] C:\Program Files\Altiris\eXpress\Client Recovery Agent\AeXAgent.exe -Logon
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Dl8m] C:\documents and settings\kellymo\local settings\temp\Dl8m.exe***
O4 - HKLM\..\Run: [3] C:\documents and settings\kellymo\local settings\temp\3.exe***
O4 - HKLM\..\Run: [2SWZKN82R5K47C] C:\WINNT\System32\SnuRDcQ5.exe***
O4 - HKLM\..\Run: [0soh3nj] ipmodisc.exe***
O4 - HKCU\..\Run: [HB7nRhH4P] vbaodisc.exe***
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe***
O4 - Global Startup: CACHE.lnk = C:\CacheSys\Bin\csystray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - https://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{58B8BAF7-313C-4C9F-A34E-B0DE58C95991}: NameServer = 141.155.0.68,141.154.0.68