Need help going over my Hijackthis Log, please.

Pushpin · 05-17-2008, 11:25 AM

Hey okay so yesterday night my computer was running fine. Well when i woke up i keept getting pop ups and annoying little messages from the system tray. I ran Ad-ware and Spybotsearch still having problems.

Hijackthis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:08:43 AM, on 5/17/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\outlook\outlook.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\regsrv.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\SECRETMAKER\secretmaker.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\MSN\MSNCoreFiles\msn6.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus8.hpwis.com/
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\system32\winmgd.win
F1 - win.ini: run=C:\WINDOWS\system32\mouse_configurator.win
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: 158117 helper - {427B1FD8-2123-4334-A7D8-7A497363914B} - C:\WINDOWS\System32\158117\158117.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7C109800-A5D5-438F-9640-18D17E168B88} - C:\Program Files\NetProject\sbmdl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Internet Service - {51D81DD5-55B7-497F-95DB-D356429BB54E} - C:\Program Files\NetProject\wamdl.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV CfgWiz] c:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel32] C:\WINDOWS\system32\Kernel32.win
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Israfel] C:\WINDOWS\system32\Israfel.vbs
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BCNT] C:\PROGRA~1\AWS\WEATHE~1\BCNT.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA1701] command /c del "C:\WINDOWS\system32\dcom_14.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3690] cmd /c del "C:\WINDOWS\system32\dcom_14.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2603] command /c del "C:\WINDOWS\system32\durvil1.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2367] cmd /c del "C:\WINDOWS\system32\durvil1.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3732] command /c del "C:\Documents and Settings\Michael\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4794] cmd /c del "C:\Documents and Settings\Michael\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8682] command /c del "C:\Documents and Settings\Michael\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5768] cmd /c del "C:\Documents and Settings\Michael\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2791] command /c del "C:\WINDOWS\system32\dcom_14.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5185] cmd /c del "C:\WINDOWS\system32\dcom_14.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2446] command /c del "C:\WINDOWS\system32\regedit.com"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9527] cmd /c del "C:\WINDOWS\system32\regedit.com"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB6776] command /c del "C:\WINDOWS\system32\regedit.com"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4381] cmd /c del "C:\WINDOWS\system32\regedit.com"
O4 - S-1-5-18 Startup: hpothb07.dat (User 'SYSTEM')
O4 - S-1-5-18 Startup: hpothb07.tif (User 'SYSTEM')
O4 - S-1-5-18 Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg SchedulerV2.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: hpothb07.dat (User 'Default user')
O4 - .DEFAULT Startup: hpothb07.tif (User 'Default user')
O4 - .DEFAULT Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler.exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg SchedulerV2.exe (User 'Default user')
O4 - .DEFAULT Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe (User 'Default user')
O4 - .DEFAULT User Startup: hpothb07.dat (User 'Default user')
O4 - .DEFAULT User Startup: hpothb07.tif (User 'Default user')
O4 - .DEFAULT User Startup: PowerReg Scheduler.exe (User 'Default user')
O4 - .DEFAULT User Startup: PowerReg SchedulerV2.exe (User 'Default user')
O4 - .DEFAULT User Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe (User 'Default user')
O4 - Startup: hpothb07.dat
O4 - Startup: hpothb07.tif
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Prevx Home.lnk = C:\Program Files\PREVX\Prevx Home\SAGUI.exe
O4 - Global Startup: SECRETMAKER.lnk = C:\Program Files\SECRETMAKER\secretmaker.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{13DFF449-D573-4B04-99B5-E3BD5B1C64E7}: NameServer = 192.168.0.1,198.6.1.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{13DFF449-D573-4B04-99B5-E3BD5B1C64E7}: NameServer = 192.168.0.1,198.6.1.3
O22 - SharedTaskScheduler: delayingly - {e89fa8e9-5c0b-45f6-a70e-f7b177bcd193} - C:\WINDOWS\System32\rtmipr.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe

--
End of file - 12710 bytes

Please help me!

greyknight17 · 05-17-2008, 01:42 PM

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Uninstall the following via the Add/Remove Panel (Start->Settings->Control Panel->Add/Remove Programs) if found:

NetProject

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus8.hpwis.com/
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\system32\winmgd.win
F1 - win.ini: run=C:\WINDOWS\system32\mouse_configurator.win
O2 - BHO: 158117 helper - {427B1FD8-2123-4334-A7D8-7A497363914B} - C:\WINDOWS\System32\158117\158117.dll
O2 - BHO: (no name) - {7C109800-A5D5-438F-9640-18D17E168B88} - C:\Program Files\NetProject\sbmdl.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Internet Service - {51D81DD5-55B7-497F-95DB-D356429BB54E} - C:\Program Files\NetProject\wamdl.dll
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [Kernel32] C:\WINDOWS\system32\Kernel32.win
O4 - HKLM\..\Run: [Israfel] C:\WINDOWS\system32\Israfel.vbs
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O22 - SharedTaskScheduler: delayingly - {e89fa8e9-5c0b-45f6-a70e-f7b177bcd193} - C:\WINDOWS\System32\rtmipr.dll (file missing)

Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):

C:\WINDOWS\system32\winmgd.win
C:\WINDOWS\system32\mouse_configurator.win
C:\WINDOWS\System32\158117\
C:\Program Files\NetProject\
C:\Program Files\outlook\
C:\WINDOWS\system32\Kernel32.win
C:\WINDOWS\system32\Israfel.vbs
C:\WINDOWS\web\related.htm

1. Download combofix at http://www.techsupportforum.com/sect...s/ComboFix.exe or http://download.bleepingcomputer.com/sUBs/ComboFix.exe Save it to your Desktop before you run it.
2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not click on combofix's window while it's running. That may cause it to stall.

Ried · 06-16-2008, 09:33 PM

New thread and new instructions here

05-17-2008, 11:25 AM	#1 (permalink)
Pushpin Registered User Join Date: Feb 2008 Location: USA, Arizona Posts: 54 OS: Vista/XP	Need help going over my Hijackthis Log, please. Hey okay so yesterday night my computer was running fine. Well when i woke up i keept getting pop ups and annoying little messages from the system tray. I ran Ad-ware and Spybotsearch still having problems. Hijackthis Log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:08:43 AM, on 5/17/2008 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\system32\spoolsv.exe c:\Program Files\Norton AntiVirus\navapsvc.exe C:\WINDOWS\System32\nvsvc32.exe C:\Program Files\Softex\OmniPass\Omniserv.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Softex\OmniPass\OPXPApp.exe C:\WINDOWS\Explorer.EXE C:\Program Files\QuickTime\qttask.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\wt\updater\wcmdmgr.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe C:\Program Files\outlook\outlook.exe C:\WINDOWS\ALCXMNTR.EXE C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\System32\rundll32.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe C:\Program Files\Logitech\SetPoint\SetPoint.exe C:\WINDOWS\system32\regsrv.exe C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE C:\Program Files\SECRETMAKER\secretmaker.exe C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe C:\Program Files\MSN\MSNCoreFiles\msn6.exe C:\Program Files\MSN Messenger\msnmsgr.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus8.hpwis.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus8.hpwis.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus8.hpwis.com/ F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\system32\winmgd.win F1 - win.ini: run=C:\WINDOWS\system32\mouse_configurator.win O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll O2 - BHO: 158117 helper - {427B1FD8-2123-4334-A7D8-7A497363914B} - C:\WINDOWS\System32\158117\158117.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: (no name) - {7C109800-A5D5-438F-9640-18D17E168B88} - C:\Program Files\NetProject\sbmdl.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O3 - Toolbar: Internet Service - {51D81DD5-55B7-497F-95DB-D356429BB54E} - C:\Program Files\NetProject\wamdl.dll O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe" O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NAV CfgWiz] c:\PROGRA~1\NORTON~1\Cfgwiz.exe /R O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE O4 - HKLM\..\Run: [Kernel32] C:\WINDOWS\system32\Kernel32.win O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [Israfel] C:\WINDOWS\system32\Israfel.vbs O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [BCNT] C:\PROGRA~1\AWS\WEATHE~1\BCNT.EXE O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck O4 - HKLM\..\RunOnce: [SpybotDeletingA1701] command /c del "C:\WINDOWS\system32\dcom_14.dll_old" O4 - HKLM\..\RunOnce: [SpybotDeletingC3690] cmd /c del "C:\WINDOWS\system32\dcom_14.dll_old" O4 - HKLM\..\RunOnce: [SpybotDeletingA2603] command /c del "C:\WINDOWS\system32\durvil1.dll_old" O4 - HKLM\..\RunOnce: [SpybotDeletingC2367] cmd /c del "C:\WINDOWS\system32\durvil1.dll_old" O4 - HKLM\..\RunOnce: [SpybotDeletingA3732] command /c del "C:\Documents and Settings\Michael\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt" O4 - HKLM\..\RunOnce: [SpybotDeletingC4794] cmd /c del "C:\Documents and Settings\Michael\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt" O4 - HKLM\..\RunOnce: [SpybotDeletingA8682] command /c del "C:\Documents and Settings\Michael\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt" O4 - HKLM\..\RunOnce: [SpybotDeletingC5768] cmd /c del "C:\Documents and Settings\Michael\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt" O4 - HKLM\..\RunOnce: [SpybotDeletingA2791] command /c del "C:\WINDOWS\system32\dcom_14.dll_old" O4 - HKLM\..\RunOnce: [SpybotDeletingC5185] cmd /c del "C:\WINDOWS\system32\dcom_14.dll_old" O4 - HKLM\..\RunOnce: [SpybotDeletingA2446] command /c del "C:\WINDOWS\system32\regedit.com" O4 - HKLM\..\RunOnce: [SpybotDeletingC9527] cmd /c del "C:\WINDOWS\system32\regedit.com" O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\RunOnce: [SpybotDeletingB6776] command /c del "C:\WINDOWS\system32\regedit.com" O4 - HKCU\..\RunOnce: [SpybotDeletingD4381] cmd /c del "C:\WINDOWS\system32\regedit.com" O4 - S-1-5-18 Startup: hpothb07.dat (User 'SYSTEM') O4 - S-1-5-18 Startup: hpothb07.tif (User 'SYSTEM') O4 - S-1-5-18 Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM') O4 - S-1-5-18 Startup: PowerReg Scheduler.exe (User 'SYSTEM') O4 - S-1-5-18 Startup: PowerReg SchedulerV2.exe (User 'SYSTEM') O4 - S-1-5-18 Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe (User 'SYSTEM') O4 - .DEFAULT Startup: hpothb07.dat (User 'Default user') O4 - .DEFAULT Startup: hpothb07.tif (User 'Default user') O4 - .DEFAULT Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user') O4 - .DEFAULT Startup: PowerReg Scheduler.exe (User 'Default user') O4 - .DEFAULT Startup: PowerReg SchedulerV2.exe (User 'Default user') O4 - .DEFAULT Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe (User 'Default user') O4 - .DEFAULT User Startup: hpothb07.dat (User 'Default user') O4 - .DEFAULT User Startup: hpothb07.tif (User 'Default user') O4 - .DEFAULT User Startup: PowerReg Scheduler.exe (User 'Default user') O4 - .DEFAULT User Startup: PowerReg SchedulerV2.exe (User 'Default user') O4 - .DEFAULT User Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe (User 'Default user') O4 - Startup: hpothb07.dat O4 - Startup: hpothb07.tif O4 - Startup: PowerReg Scheduler.exe O4 - Startup: PowerReg SchedulerV2.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: hp psc 1000 series.lnk = ? O4 - Global Startup: hpoddt01.exe.lnk = ? O4 - Global Startup: Logitech SetPoint.lnk = ? O4 - Global Startup: Prevx Home.lnk = C:\Program Files\PREVX\Prevx Home\SAGUI.exe O4 - Global Startup: SECRETMAKER.lnk = C:\Program Files\SECRETMAKER\secretmaker.exe O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{13DFF449-D573-4B04-99B5-E3BD5B1C64E7}: NameServer = 192.168.0.1,198.6.1.3 O17 - HKLM\System\CS1\Services\Tcpip\..\{13DFF449-D573-4B04-99B5-E3BD5B1C64E7}: NameServer = 192.168.0.1,198.6.1.3 O22 - SharedTaskScheduler: delayingly - {e89fa8e9-5c0b-45f6-a70e-f7b177bcd193} - C:\WINDOWS\System32\rtmipr.dll (file missing) O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe -- End of file - 12710 bytes Please help me!

05-17-2008, 01:42 PM	#2 (permalink)
greyknight17 Analyst, Security Team Join Date: Jul 2004 Location: New York Posts: 14,327 OS: Windows 98 & Windows XP Home/Pro My System	Re: Need help going over my Hijackthis Log, please. Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. Uninstall the following via the Add/Remove Panel (Start->Settings->Control Panel->Add/Remove Programs) if found: NetProject Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one: R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus8.hpwis.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus8.hpwis.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus8.hpwis.com/ F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\system32\winmgd.win F1 - win.ini: run=C:\WINDOWS\system32\mouse_configurator.win O2 - BHO: 158117 helper - {427B1FD8-2123-4334-A7D8-7A497363914B} - C:\WINDOWS\System32\158117\158117.dll O2 - BHO: (no name) - {7C109800-A5D5-438F-9640-18D17E168B88} - C:\Program Files\NetProject\sbmdl.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O3 - Toolbar: Internet Service - {51D81DD5-55B7-497F-95DB-D356429BB54E} - C:\Program Files\NetProject\wamdl.dll O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto O4 - HKLM\..\Run: [Kernel32] C:\WINDOWS\system32\Kernel32.win O4 - HKLM\..\Run: [Israfel] C:\WINDOWS\system32\Israfel.vbs O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O22 - SharedTaskScheduler: delayingly - {e89fa8e9-5c0b-45f6-a70e-f7b177bcd193} - C:\WINDOWS\System32\rtmipr.dll (file missing) Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them): C:\WINDOWS\system32\winmgd.win C:\WINDOWS\system32\mouse_configurator.win C:\WINDOWS\System32\158117\ C:\Program Files\NetProject\ C:\Program Files\outlook\ C:\WINDOWS\system32\Kernel32.win C:\WINDOWS\system32\Israfel.vbs C:\WINDOWS\web\related.htm 1. Download combofix at http://www.techsupportforum.com/sect...s/ComboFix.exe or http://download.bleepingcomputer.com/sUBs/ComboFix.exe Save it to your Desktop before you run it. 2. Double-click combofix.exe & follow the prompts. 3. When finished, it will produce a log for you. Post that log in your next reply. Note: Do not click on combofix's window while it's running. That may cause it to stall. __________________ Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. Adaware :: CWShredder :: HijackThis :: Panda ActiveScan :: Spybot S&D Anti-Spyware Tutorial :: Spyware Prevention Tools

06-16-2008, 09:33 PM	#3 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 19,025 OS: WinXP and Vista	Re: Need help going over my Hijackthis Log, please. New thread and new instructions here __________________ Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Keep this site free for all. Please consider, donating "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."