log questions

edited September 2005 in Spyware & Virus Removal
Hi,
I'm trying to follow the directions to get rid of the Home Search Assistant spyware. I'm not too familiar with reading logs, and before I deleted files I thought I'd pass by for some more experienced eyes. Below is my Log.
Questions:
1. Should I fix: O4 - Startup: netdb.exe?
2. Do I do anything to get rid of the O15 trusted zone?
3. Any other general tips on knowing which parts of the log to "fix"?

Regards and much thanks!





Logfile of HijackThis v1.99.1
Scan saved at 3:55:54 PM, on 8/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator.MYCOMPUTER-JTG\Desktop\removal programs\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\udokf.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\udokf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\udokf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\udokf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\udokf.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\udokf.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\udokf.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {F7BDA65D-1EEA-FBCD-9F9B-79556234850C} - C:\WINDOWS\system32\apime.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [Zone system] C:\WINDOWS\szchost.exe
O4 - HKLM\..\Run: [sysxd32.exe] C:\WINDOWS\system32\sysxd32.exe
O4 - HKLM\..\Run: [crhu32.exe] C:\WINDOWS\crhu32.exe
O4 - HKLM\..\RunOnce: [addoq.exe] C:\WINDOWS\addoq.exe
O4 - HKLM\..\RunOnce: [mscm32.exe] C:\WINDOWS\system32\mscm32.exe
O4 - HKLM\..\RunOnce: [winnh.exe] C:\WINDOWS\system32\winnh.exe
O4 - HKLM\..\RunOnce: [atldo32.exe] C:\WINDOWS\system32\atldo32.exe
O4 - HKLM\..\RunOnce: [netcu.exe] C:\WINDOWS\netcu.exe
O4 - HKLM\..\RunOnce: [netcw32.exe] C:\WINDOWS\netcw32.exe
O4 - HKLM\..\RunOnce: [appdr.exe] C:\WINDOWS\appdr.exe
O4 - HKLM\..\RunOnce: [appbh.exe] C:\WINDOWS\system32\appbh.exe
O4 - HKLM\..\RunOnce: [apisv32.exe] C:\WINDOWS\apisv32.exe
O4 - HKLM\..\RunOnce: [ipcc32.exe] C:\WINDOWS\ipcc32.exe
O4 - HKLM\..\RunOnce: [netyt32.exe] C:\WINDOWS\system32\netyt32.exe
O4 - HKLM\..\RunOnce: [iewn32.exe] C:\WINDOWS\system32\iewn32.exe
O4 - HKLM\..\RunOnce: [addhi32.exe] C:\WINDOWS\addhi32.exe
O4 - HKLM\..\RunOnce: [atlgq32.exe] C:\WINDOWS\system32\atlgq32.exe
O4 - HKLM\..\RunOnce: [msjj.exe] C:\WINDOWS\system32\msjj.exe
O4 - HKLM\..\RunOnce: [addlb.exe] C:\WINDOWS\system32\addlb.exe
O4 - HKLM\..\RunOnce: [adddl32.exe] C:\WINDOWS\system32\adddl32.exe
O4 - HKLM\..\RunOnce: [addjk32.exe] C:\WINDOWS\system32\addjk32.exe
O4 - HKLM\..\RunOnce: [sdklu32.exe] C:\WINDOWS\sdklu32.exe
O4 - HKLM\..\RunOnce: [mfcnn.exe] C:\WINDOWS\mfcnn.exe
O4 - HKLM\..\RunOnce: [crem32.exe] C:\WINDOWS\system32\crem32.exe
O4 - HKLM\..\RunOnce: [netkm32.exe] C:\WINDOWS\netkm32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\system32\q1272325.exe
O4 - Startup: netdb.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.blazefind.com

Comments

  • Shadow2018 Northwest Missouri
    edited September 2005
    Please make sure all hidden system files/folders are visible:

    Open My Computer or any Windows Explorer window (not Internet Explorer). Click TOOLS, then FOLDER OPTIONS. Then click the VIEW tab. Tick "show hidden files and folders" and untick "hide extensions for known file types." Now click Apply, OK, and then exit this.

    Post a new HJT log.