Need an experts help reading HiJack log

  1. 29-06-2004  #1
    suzanne@ztrend.com
    suzanne@ztrend.com is offline Newbie

    Question Need an experts help reading HiJack log

    I downloaded and ran HiJack and need help to understand what I should keep and what I should remove. The log is at the bottom of this page.

    I need help in removing the “advertising virus/program”. It has been on my machine now for a while and is causing it to slow down quite a bit. Sometimes I will see that 99 percent of my processor for system idle process (1/2 gig) is being used in idle mode. When I look at all of the programs running under the process, half of them I cannot identify. When I go to stop the process on them it will tell me that the program is currently being used and the process cannot be stopped. I can no longer use the browser IE (pages cannot be found). I have downloaded Fox Fire Browser.

    I have found unidentified programs installed with my other programs under add/remove programs. When I have gone to the Internet to check the name of a program that I cannot identify, I confirm that this is the advertising program. It will also place thick green unwanted links in browser pages. When connected to the Internet it will allow me to remove the .exe from the add/remove program window but will then create another program with another name somewhere on my hard drive.. When disconnected to the Internet I cannot remove the program This is a real problem. I know I have other Virus or Trojans or whatever you want to call them. They are all unwanted. Not only do I want to get rid of them but would like to prevent them.

    I currently have Norton Antivirus – runs at start up to check for new updates. I am running Windows 2000 Professional. I use a cable to connect to the Internet. I blocked my TCP Port 4444 at the firewall level. I blocked TCP Port 135 “DCOM RPC” and UDP Port 69, TFFP. I set my firewall (Zone Alarm internal) to ask if a program can access the Internet with the exception of Zone Alarm and Norton Antivirus. Unfortunately when my computer loads up if I do not allow “Services” and “Explorer” to access the Internet I will not be able to download my email or view web pages. I understand that Explorer is what I use to browse, but my firewall will be asking this at start up before I have launched Explorer.

    I downloaded all of the most recent Microsoft Service Pack Critical Updates and kept restarting my computer after every download (this took forever). I have the following programs installed in my computer and ran them: Spybot, Adaware, CWShredder, Spyware Blaster, Spyware Guard and Swat It - Swat It is completely useless since the interface cannot be fully seen in the tiny window, making it impossible to run the program.



    Logfile of HijackThis v1.97.7
    Scan saved at 2:09:19 PM, on 6/29/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\cisvc.exe
    C:\WINNT\System32\CTSvcCDA.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\tcpsvcs.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\ZipToA.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\devldr32.exe
    C:\WINNT\SYSTEM32\3cmlink.exe
    C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    C:\Program Files\Creative\ShareDLL\CtNotify.exe
    C:\WINNT\SYSTEM32\3cshtdwn.exe
    C:\Program Files\Creative\SBPCI5122k\AudioHQ\AHQTB.EXE
    C:\WINNT\SYSTEM32\3cmlink.exe
    C:\Program Files\Creative\SBPCI5122k\Launcher\CTLauncher.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\SCANJET\PrecisionScanPro\HPLamp.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Creative\ShareDLL\MediaDet.Exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
    C:\Program Files\PayPal\Payment Wizard\Outlook Express\OEHook.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINNT\system32\cidaemon.exe
    C:\PROGRA~1\MOZILL~1\firefox.exe
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ztrend.com/pages/suzanne.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\Program Files\Copernic 2001 Basic\Search Bar.htm
    N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\default\prefs.js)
    O2 - BHO: (no name) - {25F7FA20-3FC3-11D7-B487-00D05990014C} - C:\WINNT\system32\mseggo.gif
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINNT\system32\msnkmi.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
    O4 - HKLM\..\Run: [3c1807pd] C:\WINNT\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd
    O4 - HKLM\..\Run: [CopernicPerUserTaskMgr] "C:\WINNT\system32\CopernicPerUserTaskMgr.exe" /run
    O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBPCI5122k\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
    O4 - HKLM\..\Run: [Creative Launcher] C:\Program Files\Creative\SBPCI5122k\Launcher\CTLauncher.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [HP Lamp] C:\SCANJET\PrecisionScanPro\HPLamp.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autofix
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - HKCU\..\Run: [msmc] C:\WINNT\system32\msgked.exe
    O4 - HKLM\..\RunOnce: [CopernicPerUserTaskMgr] "C:\WINNT\system32\CopernicPerUserTaskMgr.exe" /runonce
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: PayPal Plug-In for Outlook Express.lnk = C:\Program Files\PayPal\Payment Wizard\Outlook Express\OEHook.exe
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
    O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)
    O9 - Extra button: Fill Forms (HKLM)
    O9 - Extra 'Tools' menuitem: Fill Forms &] (HKLM)
    O9 - Extra button: Save (HKLM)
    O9 - Extra 'Tools' menuitem: Save Forms &[ (HKLM)
    O9 - Extra button: Copernic Agent (HKLM)
    O9 - Extra button: RoboForm (HKLM)
    O9 - Extra 'Tools' menuitem: RF Toolbar &2 (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .asf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdspl ay.dll
    O12 - Plugin for .asx: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdspl ay.dll
    O12 - Plugin for .swf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf3 2.dll
    O12 - Plugin for .wav: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npaudi o.dll
    O12 - Plugin for .wmv: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdspl ay.dll
    O16 - DPF: symsupportutil - https://www-secure.symantec.com/tech...upportutil.CAB
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
    O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/u...5/sdcregie.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...149.2244444444
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/co...20/SassCln.CAB
    O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} (SDCInstaller Class) - http://www.stamps.com/download/us/ca...ile=stamps.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
    Last edited by suzanne@ztrend.com; 29-06-2004 at 09:46 PM.

+ Reply to Thread
« Need Help before I go Balistic!!! | Anyone please . . . What is msgked.exe? »