Can anybody check my Hijack This log?

FJV

Hello, I was wondering if anybody can check my hijack this log? I have had
viruses/Trojans in the past and was hoping that someone could check and see
if I am clean. I have used all the updated recommended anti-spyware
software and scanned with several online virus scans. Here is my log:

Thanks,
ZFJ


Logfile of HijackThis v1.98.0
Scan saved at 9:11:51 PM, on 7/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Apoint\Apoint.exe
C:\documents and settings\frank volena\local settings\temp\LNbQjq.exe
C:\documents and settings\frank volena\local settings\temp\F.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\T-Mobile GPRS software\Monitor.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://login.passport.net/uilogin.srf?id=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = http://localhost;
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} -
C:\Program Files\Common Files\midaddle\midaddle.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common
Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH
Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [LNbQjq] C:\documents and settings\frank volena\local
settings\temp\LNbQjq.exe
O4 - HKLM\..\Run: [F] C:\documents and settings\frank volena\local
settings\temp\F.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
/background
O4 - HKCU\..\Run: [T-Mobile GPRS software Monitor] C:\Program Files\T-Mobile
GPRS software\Monitor.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy
Sweeper\SpySweeper.exe" /0
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony
Handheld\HOTSYNC.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet
Explorer\Plugins\NPDocBox.dll
O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) -
http://www.pandasoftware.es/avchecker/controles/AvDetInst.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus
scanner) -
http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility
Class) -
http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer
Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) -
http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4375/mcfscan.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} -
http://download.overpro.com/WildApp.cab
 
Roy

Hi Frank,
I saw the information below posted on the "alt.privacy.spyware"
newsgroup posted by Lawrence Abrams. I'm sure he won't mind me passing it
on. It's:


Download HijackThis from:

http://www.spywareinfo.com/~merijn/files/hijackthis.zip

Save this file into the directory you made previously and then run the
program. Click on the Scan button and when it is finished click on the Save
Log button. A Notepad window will open with the contents of this log. Click
on Edit then click on Select all. Then click on Edit and then Click on
Copy.

Register an account at http://www.bleepingcomputer.com and post this created
log into the Hijackthis Logs forum at that site. To do this, once you are
registered, create a new post, right click in message area and select paste
to paste the log into the post.

An expert will reply to you after reading this post. DO NOT fix any entries
unless you are absolutely sure you know what you are doing as you may cause
more damage to the system.

To see a tutorial on using HijackThis you can click on the link below.

http://www.bleepingcomputer.com/forums/index.php?showtutorial=42

--
Lawrence Abrams

Regards,
Roy.



Spacen Jasset

C:\documents and settings\frank volena\local settings\temp\LNbQjq.exe
C:\documents and settings\frank volena\local settings\temp\F.exe
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} -
O4 - HKLM\..\Run: [LNbQjq] C:\documents and settings\frank volena\local
settings\temp\LNbQjq.exe
O4 - HKLM\..\Run: [F] C:\documents and settings\frank volena\local
settings\temp\F.exe


The above look suspicious to me. I would strongly recommend you get more
experienced advice though, via the forum mentioned by the other poster.

If you want to try - this is what I would do - look at the files in a hex
editor and determine what they do (if you have experience of this). Kill
the active processes with the said names. Then rename the .exe files to
.exe.bak (making notes), reboot and check the hijack log again, and make
sure the pc is running ok.

I would remove the BHO WinPage affiliate thing, I am not sure it's spyware
but I just don't like a load of junk hanging around anyway.

You could try "The Cleaner" that scanner part is quite useful. The active
monitoring isn't so efficient though.
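
The two O4 entries singled out in the reply above are Run-key autostarts whose executables sit in the user's temp directory and also appear under "Running processes". The following Python is an added example, not part of the original thread and not HijackThis's own code: it re-joins the hard-wrapped entry lines of a posted log and flags that pattern. The function names `parse_log` and `temp_autoruns` and the temp-directory heuristic are assumptions of this example.

```python
import re

# Excerpt of the log posted above, keeping the newsreader's hard line wraps.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\ctfmon.exe
C:\documents and settings\frank volena\local settings\temp\LNbQjq.exe
C:\documents and settings\frank volena\local settings\temp\F.exe

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [LNbQjq] C:\documents and settings\frank volena\local
settings\temp\LNbQjq.exe
O4 - HKLM\..\Run: [F] C:\documents and settings\frank volena\local
settings\temp\F.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

ENTRY_START = re.compile(r"^(?:R\d|F\d|N\d|O\d{1,2}) - ")
RUN_ENTRY = re.compile(r"^O4 - (HK\w+)\\\.\.\\\w+: \[(.*?)\] (.+)$")
# Assumed heuristic: an autostart launched from a temp directory needs review.
TEMP_DIR = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)

def parse_log(text):
    """Return (running_processes, entries), re-joining wrapped entry lines."""
    running, entries, section = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            section = "proc"
        elif not line:
            section = None
        elif ENTRY_START.match(line):
            section = "entry"
            entries.append(line)
        elif section == "entry":
            entries[-1] += " " + line  # continuation of a wrapped entry
        elif section == "proc":
            running.append(line)
    return running, entries

def temp_autoruns(text):
    """Flag O4 Run entries that start a program from a temp directory."""
    running, entries = parse_log(text)
    live = [p.lower() for p in running]
    hits = []
    for m in filter(None, map(RUN_ENTRY.match, entries)):
        cmd = m.group(3).strip('"')
        if TEMP_DIR.search(cmd):
            hits.append({"hive": m.group(1), "name": m.group(2), "command": cmd,
                         "running": any(cmd.lower().startswith(p) for p in live)})
    return hits
```
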
 
