HJT for cleaning up my old laptop

**Wilber** · 03-13-2005, 04:51 PM

I can't get enough of this scanning lark!

I am cleaning out my old laptop which runs WINDOWS ME . I abused this little toy when I was younger and so I would appreciate it if someone can look at this log and run me through the procedure of removing the obvious miscrients on it. Thanks

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 3/2/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\CCPXYSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [Nisum] C:\Program Files\Norton Internet Security\NISUM.EXE
O4 - HKLM\..\RunServices: [ccPxySvc] C:\PROGRA~1\NORTON~2\CCPXYSVC.EXE

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 00:33:51, on 14/03/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\QBROWSE.EXE
C:\WINDOWS\DESKTOP\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.crooder.com/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://drvvv.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.crooder.com/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://drvvv.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://drvvv.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.crooder.com/search/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.net:8080;ftp=http://www-cache.freeserve.net:8080
O4 - HKLM\..\Run: [QBROWSE] C:\WINDOWS\Qbrowse.exe
O4 - Startup: Qbrowse.lnk = C:\WINDOWS\Qbrowse.exe
O4 - Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INETREPL.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com
O15 - Trusted IP range: 206.161.125.149

End of KRC HijackThis Analyzer Log.
====================================================================

~~Lobos~~ · 03-14-2005, 12:56 AM

Hi Wilber

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Run hijackthis Put a check next to each of these with all browsers closed and click fix

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.crooder.com/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://drvvv.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.crooder.com/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://drvvv.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://drvvv.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.crooder.com/search/

Do you know what these are if not fix these too

O4 - HKLM\..\Run: [QBROWSE] C:\WINDOWS\Qbrowse.exe
O4 - Startup: Qbrowse.lnk = C:\WINDOWS\Qbrowse.exe

www.trendmicro.com and click "Free Online Scan", then "Scan now, it's free!". When it's downloaded, select all available drives, then check(tick) "Auto clean", then click "Scan".

Run AdAware SE Personal and "perform a full system scan", then Spybot S&D, and "Check for Problems". Let them both remove the residual 'problems' left that HiJackThis couldn't fix.

Come back and post another log

Lobos

**Wilber** · 03-14-2005, 04:02 PM

Some of the entries had disappeared when I redid the scan but anyway. I don't erally know what Qbrowse is. I am sure I have had it since I got the laptop but I can't be sure. I looked on the the net and no one seems to have a clue as to what it is or what it does. I decided to get rid of it anyway as it'll be out of my system tray and that'll speed up the old girl a little. Here is the new log.

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 3/2/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\CCPXYSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [Nisum] C:\Program Files\Norton Internet Security\NISUM.EXE
O4 - HKLM\..\RunServices: [ccPxySvc] C:\PROGRA~1\NORTON~2\CCPXYSVC.EXE

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 23:53:02, on 14/03/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\DESKTOP\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.net:8080;ftp=http://www-cache.freeserve.net:8080
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INETREPL.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com

End of KRC HijackThis Analyzer Log.
==================================================================

Cheers

greyknight17 · 03-14-2005, 11:25 PM

Your log is clean. If you disabled System Restore, make sure to enable it now.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial (http://www.greyknight17.com/spyware.htm#prevent) and use the tools provided.

Are there any problems now? If not, you should be set to go.

**Wilber** · 03-16-2005, 03:25 AM

Cool. thanks people. I have been playing a little bit with IE and stuff and I think that it is fine. I will probably post a new log if the missing entries return but I doubt they will. Theyt must have been part of a virus/malware I killed I guess. Thanks for you help.

03-13-2005, 04:51 PM	#1 (permalink)
Wilber I helped the forums. Join Date: Jan 2005 Location: Liverpool (England) Posts: 83 OS: Win XP Home, Fedora core 3 64 bit	HJT for cleaning up my old laptop I can't get enough of this scanning lark! I am cleaning out my old laptop which runs WINDOWS ME . I abused this little toy when I was younger and so I would appreciate it if someone can look at this log and run me through the procedure of removing the obvious miscrients on it. Thanks ==================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 3/2/05 Get updates at http://www.greyknight17.com/download.htm#programs *Security Programs Detected* C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE C:\PROGRAM FILES\NORTON INTERNET SECURITY\CCPXYSVC.EXE C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" O4 - HKLM\..\RunServices: [Nisum] C:\Program Files\Norton Internet Security\NISUM.EXE O4 - HKLM\..\RunServices: [ccPxySvc] C:\PROGRA~1\NORTON~2\CCPXYSVC.EXE ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 00:33:51, on 14/03/2005 Platform: Windows ME (Win9x 4.90.3000) MSIE: Internet Explorer v5.50 (5.50.4134.0100) Running processes: C:\WINDOWS\QBROWSE.EXE C:\WINDOWS\DESKTOP\HJT\HIJACKTHIS.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.crooder.com/search/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://drvvv.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.crooder.com/search/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://drvvv.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://drvvv.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.crooder.com/search/ R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.freeserve.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.net:8080;ftp=http://www-cache.freeserve.net:8080 O4 - HKLM\..\Run: [QBROWSE] C:\WINDOWS\Qbrowse.exe O4 - Startup: Qbrowse.lnk = C:\WINDOWS\Qbrowse.exe O4 - Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INETREPL.DLL O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INETREPL.DLL O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INETREPL.DLL O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com O15 - Trusted IP range: 206.161.125.149 End of KRC HijackThis Analyzer Log. ==================================================================== __________________ "One who is a Samurai must before all things keep constantly in mind, by day and by night... the fact that he has to die" -Daidoji Yuzan 16th century

03-14-2005, 04:02 PM	#3 (permalink)
Wilber I helped the forums. Join Date: Jan 2005 Location: Liverpool (England) Posts: 83 OS: Win XP Home, Fedora core 3 64 bit	Some of the entries had disappeared when I redid the scan but anyway. I don't erally know what Qbrowse is. I am sure I have had it since I got the laptop but I can't be sure. I looked on the the net and no one seems to have a clue as to what it is or what it does. I decided to get rid of it anyway as it'll be out of my system tray and that'll speed up the old girl a little. Here is the new log. ==================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 3/2/05 Get updates at http://www.greyknight17.com/download.htm#programs *Security Programs Detected* C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE C:\PROGRAM FILES\NORTON INTERNET SECURITY\CCPXYSVC.EXE C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" O4 - HKLM\..\RunServices: [Nisum] C:\Program Files\Norton Internet Security\NISUM.EXE O4 - HKLM\..\RunServices: [ccPxySvc] C:\PROGRA~1\NORTON~2\CCPXYSVC.EXE ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 23:53:02, on 14/03/2005 Platform: Windows ME (Win9x 4.90.3000) MSIE: Internet Explorer v5.50 (5.50.4134.0100) Running processes: C:\WINDOWS\DESKTOP\HJT\HIJACKTHIS.EXE R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.freeserve.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.net:8080;ftp=http://www-cache.freeserve.net:8080 O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INETREPL.DLL O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INETREPL.DLL O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INETREPL.DLL O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com End of KRC HijackThis Analyzer Log. ================================================================== Cheers __________________ "One who is a Samurai must before all things keep constantly in mind, by day and by night... the fact that he has to die" -Daidoji Yuzan 16th century

03-14-2005, 11:25 PM	#4 (permalink)
greyknight17 Analyst, Security Team Join Date: Jul 2004 Location: New York Posts: 14,327 OS: Windows 98 & Windows XP Home/Pro My System	Your log is clean. If you disabled System Restore, make sure to enable it now. To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial (http://www.greyknight17.com/spyware.htm#prevent) and use the tools provided. Are there any problems now? If not, you should be set to go. __________________ Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. Adaware :: CWShredder :: HijackThis :: Panda ActiveScan :: Spybot S&D Anti-Spyware Tutorial :: Spyware Prevention Tools

03-16-2005, 03:25 AM	#5 (permalink)
Wilber I helped the forums. Join Date: Jan 2005 Location: Liverpool (England) Posts: 83 OS: Win XP Home, Fedora core 3 64 bit	Cool. thanks people. I have been playing a little bit with IE and stuff and I think that it is fine. I will probably post a new log if the missing entries return but I doubt they will. Theyt must have been part of a virus/malware I killed I guess. Thanks for you help. __________________ "One who is a Samurai must before all things keep constantly in mind, by day and by night... the fact that he has to die" -Daidoji Yuzan 16th century

03-14-2005, 12:56 AM	#2 (permalink)
~~Lobos~~ Troubled Join Date: Apr 2004 Location: California Posts: 943 OS: Windows XP	Hi Wilber Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below. Run hijackthis Put a check next to each of these with all browsers closed and click fix R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.crooder.com/search/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://drvvv.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.crooder.com/search/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://drvvv.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://drvvv.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.crooder.com/search/ Do you know what these are if not fix these too O4 - HKLM\..\Run: [QBROWSE] C:\WINDOWS\Qbrowse.exe O4 - Startup: Qbrowse.lnk = C:\WINDOWS\Qbrowse.exe www.trendmicro.com and click "*Free Online Scan", then "Scan now, it's free!". When it's downloaded, select all available drives, then check(tick) "Auto clean", then click "Scan". Run AdAware SE Personal and "perform a full system scan", then Spybot S&D, and "Check for Problems". Let them both remove the residual 'problems' left that HiJackThis* couldn't fix. Come back and post another log Lobos