My HijackThis log

[Guest]

i am inundated with Spyware. Help!

Ive run 4 or 5 different spyware apps. you are my last hope!! My log is
below:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Logfile of HijackThis v1.99.1
Scan saved at 4:03:49 PM, on 11/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HijackThis\HijackThis.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} -
C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} -
C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} -
C:\WINDOWS\system32\communicator.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program
files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common
Files\AOL\1109205119\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common
Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft
AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [stb] C:\WINDOWS\system32\stb.exe
O4 - HKLM\..\Run: [vidmon] C:\WINDOWS\system32\vidmon\vidmon.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE
C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program
Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program
Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program
Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://C:\Program
Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program
Files\Google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program
Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program
Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program
Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program
Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program
Files\Google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program
Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program
Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program
Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} -
C:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace -
{04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
- C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet
Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! MLB StatTracker -
http://aud3.sports.dcn.yahoo.com/java/y/mlbst8408_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) -
http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage
Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer
Control) - http://www.tpiconnect.com/viewer/activeXViewer/activexviewer.cab
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings
Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} -
C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online -
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online,
Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation -
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation -
C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SNT Service (SNT_Service) - Unknown owner -
C:\SNT\bin\Sntntrun.exe

 

[Bill Sanderson]

We really are not set up to do this kind of work in this forum. You'd be
much better off picking one of these forums for the log:
----------------------------------------
Appendix 2. Forums where you can get expert advice for Hijack This! logs.
NOTE: Registration is REQUIRED before posting a log
NOTE: Web sites NOT listed in any particular order


http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://www.dslreports.com/forum/security
http://castlecops.com/forum67.html
http://www.wilderssecurity.com/forumdisplay.php?f=24
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Her...
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.iamnotageek.com/f-130.html
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://boards.cexx.org/viewforum.php?f=1
http://www.malwarebytes.biz/forums/index.php?showforum=5

 

[Guest]

I fully agree with Bill that your best using Hijack This forums but I just
came on the newsgroups and couldnt resist having a look at your log, wait for
the 'experts' to give a response but I thought Id post my opinion on the
problem

There's one entry I'm not sure about so unless you know what it is Id
recommend uploading the file at Jotti's malware scan site to be sure its
clean,

You have these on your system:

Adware FFinder

http://vil.nai.com/vil/content/v_134892.htm

DelFin Media Viewer

http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453076775

Goto Jotti's site : http://virusscan.jotti.org/

Press Browse and find this file :

C:\SNT\bin\Sntntrun.exe

(Open C:\drive then the SNT folder then the bin folder and left click
Sntntrun.exe and press Open) Then press Submit on Jotti's site and check the
results from each Vendor, Let us know if it detects any problems.

Run Hijack This and choose System scan and place a check next to these
entries:

R3 - Default URLSearchHook is missing

O3 - Toolbar: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} -
C:\WINDOWS\system32\communicator.dll (file missing)

O4 - HKLM\..\Run: [stb] C:\WINDOWS\system32\stb.exe

O4 - HKLM\..\Run: [vidmon] C:\WINDOWS\system32\vidmon\vidmon.exe

Close all open browser windows except Hijack This and press 'Fix Checked'

Restart the pc

Enable hidden files and folders :

Click Start > Open My Computer > Select the Tools menu from the top bar and
click Folder Options > Select the View Tab.

Under the Hidden files and folders heading select Show hidden files and
folders.
Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm > Click OK.

Set this back after you have removed the files by opening the same page and
pressing "Restore Defaults"

Delete this file and folder :

C:\WINDOWS\system32\stb.exe <- Delete this file

C:\WINDOWS\system32\vidmon\ <- Delete this folder

Check Crogram files these and remove the folders if they exist:

c:\program files\quick links
c:\program files\communicator toolbar
c:\program files\related sites toolbar

To be sure there isnt other traces left you could run a scan using Adaware
SE ,

download Ad-Aware SE from here:

http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10045910.html

Install Ad-Aware and run it. In the bottom-right hand corner, click "Check
for updates now". Click "Connect" to download the newest reference file. Then
click the "Start" button on the bottom right side to begin a scan. Select
"Perform Full System Scan" and then click "Next". Ad-Aware will then scan for
malware. When it is finished, make sure any objects listed in RED are
selected and click "Next" to remove the objects. Then restart your computer.

Regards

Andy