MyTechSupport.ca :: Your Computer Technical Resource Headquarters! MyTechSupport.ca :: Your Computer Technical Resource Headquarters!
HOME FORUMS RESOURCES & TOOLS ARTICLES ONLINE STORE ABOUT US
Computer Support Forums arrow Internet & Network Support arrow Security & Viruses arrow Topic: web viewer...please help!
August 17, 2019, 01:48:59 PM
 

Home Forum Rules Help Search Mobile Version Login Register

Welcome, Guest. Please login or register.
Did you miss your activation email?
August 17, 2019, 01:48:59 PM

Login with username, password and session length
 
News
New  New Poll on our main page!
"My experience with Vista..."
  0 Members and 1 Guest are viewing this topic.
Pages: [1] 2  All Go Down Print
Author Topic: web viewer...please help!  (Read 2976 times)
jasel14
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 20


Bookmark and Share

View Profile
« on: September 06, 2004, 05:23:15 PM »

PLEASE SUPPLY RELEVANT INFORMATION:
Operating System Version:Windows XP
Problem Application Name & Version:Web viewer
Problem Hardware Make & Model:
Error Messages:when i connect to internet a shortcut is formed on the desktop...e.g xxx

Logfile of HijackThis v1.97.7
Scan saved at 18:19:17, on 06/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Canon\MultiPASS\mpservic.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\MultiPASS\monitr32.exe
C:\Program Files\Canon\MultiPASS\MPTBox.exe
C:\WINDOWS\System32\gsicon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\system32\wintime.exe
C:\WINDOWS\System32\hgilse.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Jasel.KAPU\Application Data\dooe.exe
C:\WINDOWS\System32\uaaad.exe
C:\WINDOWS\System32\FxRedir.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jasel.KAPU\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O1 - Hosts: as.valueclick.com
O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3FF83B05-E512-2FB4-D607-64550DA92544} - C:\WINDOWS\System32\ulxvgztc.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I
O4 - HKLM\..\Run: [MPTBox] "C:\Program Files\Canon\MultiPASS\MPTBox.exe"
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
O4 - HKLM\..\Run: [pjclxurhz] C:\WINDOWS\System32\hgilse.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.indiapress.org/pfr/tdserver.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8797DB3E-1185-44C4-B4A6-ABBB7192E652}: NameServer = 194.74.65.68 194.72.9.34

thank you for any help you can give

Logged

 
jvic
Visiting Administrator
Hero Member
*****

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 1238


Bookmark and Share

View Profile
« Reply #1 on: September 06, 2004, 05:50:08 PM »

Please download the newest version of hijack this from here and post a new log
http://www.tomcoyote.org/hjt/

Make sure you unzip hijack this to its own folder such as C:\Program files as this is where the backups will be created.Run Hijack this but do NOT fix anything.Click save log and a log will open in notepad.Copy and paste your log here.
Logged

John Vickers
jasel14
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 20


Bookmark and Share

View Profile
« Reply #2 on: September 06, 2004, 05:53:33 PM »

Logfile of HijackThis v1.98.2
Scan saved at 18:50:03, on 06/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Canon\MultiPASS\mpservic.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\MultiPASS\monitr32.exe
C:\Program Files\Canon\MultiPASS\MPTBox.exe
C:\WINDOWS\System32\gsicon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\system32\wintime.exe
C:\WINDOWS\System32\hgilse.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Jasel.KAPU\Application Data\dooe.exe
C:\WINDOWS\System32\uaaad.exe
C:\WINDOWS\System32\FxRedir.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\dial32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O1 - Hosts: as.valueclick.com
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3FF83B05-E512-2FB4-D607-64550DA92544} - C:\WINDOWS\System32\ulxvgztc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I
O4 - HKLM\..\Run: [MPTBox] "C:\Program Files\Canon\MultiPASS\MPTBox.exe"
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
O4 - HKLM\..\Run: [pjclxurhz] C:\WINDOWS\System32\hgilse.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.indiapress.org/pfr/tdserver.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8797DB3E-1185-44C4-B4A6-ABBB7192E652}: NameServer = 194.74.65.68 194.72.9.34

thank you
Logged

 
jvic
Visiting Administrator
Hero Member
*****

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 1238


Bookmark and Share

View Profile
« Reply #3 on: September 06, 2004, 06:38:31 PM »

Ok I do see a few problems.If you don't have them please download and run the following programs.Then post back with a new log.

AD-AWARE

Go here: http://www.lavasoftusa.com/support/download/
and download Ad-Aware SE Personal

Install the program and launch it.

First, in the bottom right-hand corner of the main window click on Check for updates now then click Connect and download the latest reference files.

Then, in the main window: Click Start and under Select a scan Mode tick Perform full system scan.

Then, deselect Search for negligible risk entries.

To start the scan, click the Next button.

When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose select all from the drop down menu and then click Next)

Restart your computer.


SPYBOT SEARCH & DESTROY

http://majorgeeks.com/download2471.html

Open Spybot Search & Destroy (Click Start, Programs, Spybot S&D (Advanced Mode). Click online, Search for updates, Download all available updates. Close all Browser windows, Click ''Check for Problems''. Anything that needs to be fixed it will show in red and have a green check in the box to the left. Click ''Fix Selected Problems'', Then restart your computer.


CWSHREDDER

http://www.majorgeeks.com/download4086.html

Close all browser windows, open cwshredder.exe then click "Fix" and let it run.

Then restart your computer and post new log



Logged

John Vickers
jasel14
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 20


Bookmark and Share

View Profile
« Reply #4 on: September 06, 2004, 07:51:27 PM »

thank you for your time....
i did the three things
but problem still seems to be there
a web page comes up http://download.tibsystems.com/index7.fcgi?a=123922&c=44 followed by the addition of a xxx icon on the desktop.

this is my new logfile:

Logfile of HijackThis v1.98.2
Scan saved at 20:45:44, on 06/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Canon\MultiPASS\mpservic.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\MultiPASS\monitr32.exe
C:\Program Files\Canon\MultiPASS\MPTBox.exe
C:\WINDOWS\System32\gsicon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\system32\wintime.exe
C:\WINDOWS\System32\hgilse.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\FxRedir.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\hijackthis\HijackThis.exe
C:\WINDOWS\dial32.exe
C:\WINDOWS\System32\uaaad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O1 - Hosts: as.valueclick.com
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3FF83B05-E512-2FB4-D607-64550DA92544} - C:\WINDOWS\System32\ulxvgztc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I
O4 - HKLM\..\Run: [MPTBox] "C:\Program Files\Canon\MultiPASS\MPTBox.exe"
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
O4 - HKLM\..\Run: [pjclxurhz] C:\WINDOWS\System32\hgilse.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.indiapress.org/pfr/tdserver.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8797DB3E-1185-44C4-B4A6-ABBB7192E652}: NameServer = 194.74.65.68 194.72.9.34

Logged

 
jvic
Visiting Administrator
Hero Member
*****

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 1238


Bookmark and Share

View Profile
« Reply #5 on: September 07, 2004, 12:34:00 PM »

Follow the instructions in the below link to remove the Harnig trojan then post back with a new HJT log





http://securityresponse.symantec.com/avcenter/venc/data/downloader.harnig.html
Logged

John Vickers
jasel14
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 20


Bookmark and Share

View Profile
« Reply #6 on: September 07, 2004, 06:12:46 PM »

Logfile of HijackThis v1.98.2
Scan saved at 19:01:56, on 07/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Canon\MultiPASS\mpservic.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\MultiPASS\monitr32.exe
C:\Program Files\Canon\MultiPASS\MPTBox.exe
C:\WINDOWS\System32\gsicon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\FxRedir.EXE
C:\Program Files\hijackthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O1 - Hosts: as.valueclick.com
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I
O4 - HKLM\..\Run: [MPTBox] "C:\Program Files\Canon\MultiPASS\MPTBox.exe"
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [pjclxurhz] C:\WINDOWS\System32\hgilse.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.indiapress.org/pfr/tdserver.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8797DB3E-1185-44C4-B4A6-ABBB7192E652}: NameServer = 194.74.65.68 194.72.9.34

is that clean?
thank you
Logged

 
jvic
Visiting Administrator
Hero Member
*****

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 1238


Bookmark and Share

View Profile
« Reply #7 on: September 07, 2004, 06:16:15 PM »

I have to leave for work right now but will check your log when I get home at 11pm tonight
Logged

John Vickers
jasel14
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 20


Bookmark and Share

View Profile
« Reply #8 on: September 07, 2004, 06:28:47 PM »

ok thanks
Logged

 
jvic
Visiting Administrator
Hero Member
*****

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 1238


Bookmark and Share

View Profile
« Reply #9 on: September 08, 2004, 03:35:22 AM »

Run HJT and fix

O1 - Hosts: as.valueclick.com
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll

These next 2 are optional but are considered to be resource hogs

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

This last one the IP address points to ripe.net   If you know it leave it.If you don't fix this one as well.

O17 - HKLM\System\CCS\Services\Tcpip\..\{8797DB3E-1185-44C4-B4A6-ABBB7192E652}: NameServer = 194.74.65.68 194.72.9.34



Then you should be clean but post new log just to be sure.

























Logged

John Vickers
jasel14
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 20


Bookmark and Share

View Profile
« Reply #10 on: September 08, 2004, 03:17:38 PM »

Logfile of HijackThis v1.98.2
Scan saved at 16:10:12, on 08/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Canon\MultiPASS\mpservic.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\MultiPASS\monitr32.exe
C:\Program Files\Canon\MultiPASS\MPTBox.exe
C:\WINDOWS\System32\gsicon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\FxRedir.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I
O4 - HKLM\..\Run: [MPTBox] "C:\Program Files\Canon\MultiPASS\MPTBox.exe"
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [pjclxurhz] C:\WINDOWS\System32\hgilse.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.indiapress.org/pfr/tdserver.cab
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Moniker32 Class) - http://63.219.181.7/cax_gb.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
Logged

 
jvic
Visiting Administrator
Hero Member
*****

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 1238


Bookmark and Share

View Profile
« Reply #11 on: September 08, 2004, 03:26:31 PM »

your log looks good
Logged

John Vickers
jasel14
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 20


Bookmark and Share

View Profile
« Reply #12 on: September 08, 2004, 05:17:40 PM »

thanks alot mate:)
i think it great that people like you are taking time out to help others in desperate need of assistance with computer related issues.
Good on ya people!
Smiley
Logged

 
jvic
Visiting Administrator
Hero Member
*****

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 1238


Bookmark and Share

View Profile
« Reply #13 on: September 08, 2004, 05:36:41 PM »

Your Welcome.Take care and being from the UK originally have a pint for me
Logged

John Vickers
benditup
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 2105


Bookmark and Share

View Profile
« Reply #14 on: September 08, 2004, 05:37:38 PM »

Hi guys, jasel
This one here
O17 - HKLM\System\CCS\Services\Tcpip\..\{8797DB3E-1185-44C4-B4A6-ABBB7192E652}: NameServer = 194.74.65.68 194.72.9.34
Directs me too BTNET, in the United Kingdom,possibly related to your ISP
You can restore it if it sounds okay to you
Open Hijackthis>>>>Config>>>Backups
Highlight it and click Restore

Set Windows to Show Hidden Files and Folders

Navigate to this file, I can find no info on it
C:\WINDOWS\System32\hgilse.exe

Right click on it----properties---version
Do you know what it is related too?
Could you submit it to Kapersky's for a free virus scan
http://www.kaspersky.com/scanforvirus
and/or
http://www.ravantivirus.com/scan/indexn.php
Simply use the Browse button to navigate to the file
Right click on it-----Select---Submit

If found bad or unknow or you can't find it

Do another Scan with Hijackthis and put a check next to these entries
and then FIX CHECKED when ALL other windows are closed

O4 - HKLM\..\Run: [pjclxurhz] C:\WINDOWS\System32\hgilse.exe
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Moniker32 Class) - http://63.219.181.7/cax_gb.cab

RESTART your computer
Delete this file if bad
C:\WINDOWS\System32\hgilse.exe <--file

Post back one more log for a final checking Smiley
Logged

 
Pages: [1] 2  All Go Up Print 
 
Jump to:  

Powered by MySQL Powered by PHP

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines

Valid XHTML 1.0! Valid CSS!

Disclaimer
This site is NOT responsible for any damage that the information on this site may cause to your system. Everything you try, whether inspired by the response given from this site or not, is entirely at your own risk. All product names and company names used herein are for identification purpose only and may be trademarks or registered trademarks of their respective owners. We are in no way affiliated or representing any of the companies on this site unless specified.
Back to Top
Stop Spam Harvesters, Join Project Honey Pot Fight Back Against Spammers! Get Firefox! Get Thunderbird! View Sylvain Amyots profile on LinkedIn
Back to Top
Google visited last this page October 02, 2017, 03:55:49 AM