Thread: Hijack this-log file help please.

  1. #1
    Xanth Guest

    Hijack this-log file help please.

    Hello all,
    Please review and let me know what to remove.
    Thanks,
    Dave-


    Logfile of HijackThis v1.97.7
    Scan saved at 8:14:49 PM, on 12/1/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\WINDOWS\System32\wfxsnt40.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
    C:\Program Files\McAfee\McAfee Shared Components\Instant
    Updater\RuLaunch.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
    C:\Program Files\QUICKEN2000\QWDLLS.EXE
    C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    C:\WINDOWS\System32\hpoipm07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\ups.exe
    C:\WINDOWS\System32\WFXSVC.EXE
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\Dump\Misc. Files\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    http://dev.ntcor.com/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    http://www.wnbc.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    http://www.dellnet.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    http://www.dellnet.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    http://www.worldnet.att.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    http://dev.ntcor.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft
    Internet Explorer provided by AT&T WorldNet Service
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} -
    C:\WINDOWS\Downloaded Program Files\ycomp5_1_1_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program
    Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {0F660F64-F4C9-477F-8529-44181B717472} - C:\Program
    Files\AT&T\WnClient\Programs\CSMBHO.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program
    Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
    C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
    C:\WINDOWS\Downloaded Program Files\ycomp5_1_1_0.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -
    C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common
    Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\Run: [QBCD Autorun] E:\autorun.exe restart TIMER_SEQUENCE first
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator
    5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
    Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee
    VirusScan\alogserv.exe
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared
    Components\Guardian\CMGrdian.exe" /SU
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program
    Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe"
    /STARTMONITOR
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat
    6.0\Distillr\acrotray.exe
    O4 - Global Startup: Billminder.lnk = C:\Program
    Files\QUICKEN2000\BILLMIND.EXE
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program
    Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
    Office\Office\OSA9.EXE
    O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program
    Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe
    O4 - Global Startup: Quicken Startup.lnk = C:\Program
    Files\QUICKEN2000\QWDLLS.EXE
    O9 - Extra button: AnyWho (HKLM)
    O9 - Extra button: AIM (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.worldnet.att.net
    O16 - DPF: ConferenceRoom Java Client -
    http://chat.privatefeeds.com:8000/java/cr.cab
    O16 - DPF: DigiChat Applet -
    http://chat.foundrymusic.com/DigiCha.../Client_IE.cab
    O16 - DPF: symsupportutil -
    https://www-secure.symantec.com/tech...upportutil.CAB
    O16 - DPF: Yahoo! Freecell Solitaire -
    http://yog55.games.scd.yahoo.com/yog/y/fs10_x.cab
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) -
    http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
    http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX
    Control) - http://download.macromedia.com/pub/s...irector/sw.cab
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor
    Class) -
    http://download.microsoft.com/downlo...?1070070762687
    O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} (Video Class) -
    http://stream10k.redhotnetworks.com/cabs/videox.cab
    O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) -
    http://content.hiwirenetworks.net/in....30/Hiwire.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
    http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
    O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) -
    http://office.microsoft.com/productu.../opuc/opuc.cab
    O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX
    Control) - http://www.installfromtheweb.com/install/iftwclix.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
    http://207.188.7.150/23903c3f3fb3fca...p/RdxIE601.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) -
    http://office.microsoft.com/productu...ntent/opuc.cab
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243}
    (SecureLogin.SecureControl) -
    http://secure2.comned.com/signuptemp...veSecurity.cab
    O16 - DPF: {76D31A21-9402-11D6-97B6-0010DC2A6243}
    (SecureLogin.SecureControl) -
    https://secure2.comned.com/signuptem...veSecurity.CAB
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) -
    http://ftp.us.dell.com/fixes/PROFILER.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
    http://v4.windowsupdate.microsoft.co...587.8165509259
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
    http://download.macromedia.com/pub/s...sh/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) -
    https://www-secure.symantec.com/tech...ActiveData.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) -
    http://us.dl1.yimg.com/download.yaho...bio5_1_1_0.cab






  2. #2
    YoKenny Guest

    Re: Hijack this-log file help please.

    Xanth wrote:
    > Hello all,
    > Please review and let me know what to remove.
    > Thanks,
    > Dave-


    <snip all good parts>

    With only HJT running, check and remove:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    http://dev.ntcor.com/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    http://dev.ntcor.com/search.html
    R3 - Default URLSearchHook is missing
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
    Office\Office\OSA9.EXE
    O14 - IERESET.INF: START_PAGE_URL=http://www.worldnet.att.net
    O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} (Video Class) -
    http://stream10k.redhotnetworks.com/cabs/videox.cab
    O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) -
    http://content.hiwirenetworks.net/inbrowser/cabfiles/2.5.30/Hiwire.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
    http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
    http://207.188.7.150/23903c3f3fb3fca...p/RdxIE601.cab

    Read this to help stop getting infected:
    http://forums.net-integration.net/in...showtopic=3051
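
The log in post #1 is hard-wrapped, so one entry spans two or three lines and is awkward to compare against a reply like the one above. As an added example (not part of the original thread and not HijackThis code), this Python script rejoins wrapped entries, groups them by section code, and lists two reviewer pointers for O16 entries; the pointer rules and all function names are assumptions of this example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

ENTRY = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")   # "R1 - ...", "O16 - ..."
URL = re.compile(r"https?://\S+")
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
# Entries copied from the log in post #1, still hard-wrapped as posted.
SAMPLE = r'''
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://dev.ntcor.com/search.html
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
http://207.188.7.150/23903c3f3fb3fca...p/RdxIE601.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) -
http://ftp.us.dell.com/fixes/PROFILER.CAB
'''

def unwrap(text):
    """A line with no section prefix continues the previous entry."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if ENTRY.match(line):
            entries.append(line)
        elif line and entries:
            entries[-1] += " " + line   # wraps fell on spaces, so rejoin with one
    return entries

def parse(text):
    by_code = defaultdict(list)   # section code -> list of {"body", "url"}
    for entry in unwrap(text):
        code, body = ENTRY.match(entry).groups()
        m = URL.search(body)
        by_code[code].append({"body": body, "url": m.group(0) if m else None})
    return by_code

def review_notes(by_code):
    """Reviewer pointers for O16 downloads (this example's heuristics, not HijackThis logic)."""
    notes = []
    for item in by_code.get("O16", []):
        parts = urlsplit(item["url"] or "")
        if IPV4.match(parts.hostname or ""):
            notes.append(("raw-IP host", item["url"]))
        if parts.path.lower().endswith(".exe"):
            notes.append(("direct .exe", item["url"]))
    return notes
```

The pointers only mark entries for a person to look at; they do not decide what to remove.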


  3. #3
    nobody760 Guest

    Re: Hijack this-log file help please.

    Load down Spybot.

    After installation go into

    Start > Programs

    You will see there are 2 versions of Spybot: easy mode (default) and
    Advanced. Click on Advanced.

    When this is loaded open Spybot again and click on Immunize.

    At the bottom of the frame there are three options to stop this crap getting
    on to your computer in the first place! It also recommends that you go to
    SpywareBlaster and load it down - do so.

    It works for me.



  4. #4
    Roy Guest

    Re: Hijack this-log file help please.

    In article <bqhop1$v0v$1@newsg3.svr.pol.co.uk>,
    nobody760@NOSPAMhotmail.com says...

    > At the bottom of the frame there are three options to stop this crap getting
    > on to your computer in the first place! It also recommends that you go to
    > SpywareBlaster and load it down - do so.
    >


    But the second and third options will also prevent the user from
    accessing their Internet User Options in IE.

    That's fine until you need to examine them, or change them, by which
    time you will probably have forgotten how you locked them.

    Cheers,

    Roy
