# HijackThis log file (Swatkat Help)



## pirates1323 (Apr 14, 2005)

I scanned my computer. "swatkat", do you think anything is wrong in there? Because I am using Opera and I am not able to browse as fast as I should:

Logfile of HijackThis v1.99.1
Scan saved at 3:52:07 PM, on 4/14/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\spoolsv.exe
E:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
E:\WINNT\System32\cisvc.exe
E:\WINNT\System32\svchost.exe
E:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
E:\WINNT\system32\pctspk.exe
E:\WINNT\system32\regsvc.exe
E:\WINNT\system32\MSTask.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\Explorer.EXE
E:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
E:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\WINNT\system32\ZoneLabs\vsmon.exe
E:\WINNT\system32\ping.exe
E:\Program Files\Sify Broadband\BBClient.exe
E:\Program Files\Opera\opera.exe
E:\WINNT\System32\cidaemon.exe
E:\Program Files\DAP\DAP.exe
E:\Program Files\WinRAR\WinRAR.exe
E:\DOCUME~1\Robin\LOCALS~1\Temp\Rar$EX00.484\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - E:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O2 - BHO: (no name) - {D80C4E21-C346-4E21-8E64-20746AA20AEB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "E:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe"
O4 - HKLM\..\Run: [MVS Splash] E:\PROGRA~1\McAfee\MANAGE~1\VScan\Splash.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: BTTray.lnk = E:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
O4 - Global Startup: PCSuiteForNokiaN-Gage QD Detect.lnk = E:\Program Files\Nokia\PC Suite for N-Gage QD\connmngmntbox.exe
O4 - Global Startup: PCSuiteForNokiaN-Gage QD TS.lnk = E:\Program Files\Nokia\PC Suite for N-Gage QD\ectaskscheduler.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - E:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - E:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Send To &Bluetooth - E:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - E:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - E:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - *static.windupdates.com/cab/6247971CanadaInc/ie/bridge-c337.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - *us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{742D29F6-E2C4-43B7-8F0B-744639B6E6C2}: NameServer = 202.144.50.4,202.144.115.4
O18 - Protocol: myrm - {4D034FC3-013F-4B95-B544-44D49ABE3E76} - E:\Program Files\McAfee\Managed VirusScan\Agent\myRmProt3.0.0.624.dll
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - E:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - E:\WINNT\system32\ZoneLabs\isafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - E:\WINNT\System32\dmadmin.exe
O23 - Service: McShield - Network Associates, Inc. - E:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
O23 - Service: McAfee Managed Services Agent (myAgtSvc) - McAfee, Inc. - E:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - E:\WINNT\system32\pctspk.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SuperProServer - Unknown owner - E:\Tally\spnsrvnt.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - E:\WINNT\system32\ZoneLabs\vsmon.exe

Host file:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost


----------



## pirates1323 (Apr 14, 2005)

Also want to tell you that when I block "Generic Host Process for Win32 Services" and "Services and Controller app" from connecting to the internet in ZoneAlarm, then the browser does not open any sites..... if I allow them to connect, then sites open....


----------



## aadipa (Apr 14, 2005)

I am not an HJT expert, but this entry looks odd to me.



> O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - *static.windupdates.com/cab/6247971CanadaInc/ie/bridge-c337.cab


----------



## theraven (Apr 14, 2005)

> Logfile of HijackThis v1.99.1
> Scan saved at 3:52:07 PM, on 4/14/2005
> Platform: Windows 2000 SP4 (WinNT 5.00.2195)
> MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
> ...



Remove the bold entries,
and yeah, you need to allow those services in ZAP.


----------



## drgrudge (Apr 14, 2005)

pirates1323 said:

> Logfile of HijackThis v1.99.1
> Scan saved at 3:52:07 PM, on 4/14/2005
> Platform: Windows 2000 SP4 (WinNT 5.00.2195)
> MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
> ...



Remove those two entries in *red*!


----------



## swatkat (Apr 14, 2005)

pirates1323 said:

> I scanned my computer. "swatkat", do you think anything is wrong in there? Because I am using Opera and I am not able to browse as fast as I should:
> 
> Logfile of HijackThis v1.99.1
> Scan saved at 3:52:07 PM, on 4/14/2005
> ...



HOSTS file is alright.

Download CleanUp! and install it.
*cleanup.stevengould.org/

Now boot in SAFE Mode, close all applications.
Go to Control Panel> Add/Remove Programs. Here uninstall the software which is listed as *Wind Updates*.

Then run only HijackThis. Select the *red* entries and click "Fix".
After this, run CleanUp! and reboot and post a fresh log.


----------



## drgrudge (Apr 14, 2005)

Swatkat: 



> O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
> O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
> O2 - BHO: (no name) - {D80C4E21-C346-4E21-8E64-20746AA20AEB} - (no file)


The first and the second CLSIDs point to Spyware Doctor. So is it safe to remove them?
Is it safe to remove all the entries which have the "no file" thing?


----------



## pirates1323 (Apr 14, 2005)

swatkat said:

> Now boot in SAFE Mode, close all applications.
> Go to Control Panel> Add/Remove Programs. Here uninstall the software which is listed as Wind Updates.



I have posted this many times that my computer is not booting in safe mode, but no one listens to me......... It says Windows is starting, then nothing happens........

In Add/Remove Programs there is nothing like Wind Updates.


----------



## pirates1323 (Apr 14, 2005)

I ran HijackThis and removed the ones which you said, swatkat, but an error came up; then I clicked OK and closed the app. Then I restarted my comp... then I ran it again and the errors were fixed.. so in between I ran CleanUp! two times; this is the last log file:


CleanUp! started on 04/14/05 21:15:52.
E:\Documents and Settings\Robin\Local Settings\Temporary Internet Files\Content.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
E:\Documents and Settings\Robin\Local Settings\Temporary Internet Files\Content.IE5\89ABCDEF\blank[2].htm - deleted
E:\Documents and Settings\Robin\Local Settings\Temporary Internet Files\Content.IE5\89ABCDEF\corner-bl[1].gif - deleted
E:\Documents and Settings\Robin\Local Settings\Temporary Internet Files\Content.IE5\89ABCDEF\UIFrame[1].htm - deleted
E:\Documents and Settings\Robin\Local Settings\Temporary Internet Files\Content.IE5\LLCXMM48\corner-tl[1].gif - deleted
E:\Documents and Settings\Robin\Local Settings\Temporary Internet Files\Content.IE5\LLCXMM48\corner-tr[1].gif - deleted
E:\Documents and Settings\Robin\Local Settings\Temporary Internet Files\Content.IE5\LLCXMM48\icn_support[1].gif - deleted
E:\Documents and Settings\Robin\Local Settings\Temporary Internet Files\Content.IE5\QDX1SYCI\corner-br[1].gif - deleted
E:\Documents and Settings\Robin\Local Settings\Temporary Internet Files\Content.IE5\QDX1SYCI\default[1].css - deleted
E:\Documents and Settings\Robin\Local Settings\Temporary Internet Files\Content.IE5\QDX1SYCI\icn_help[1].gif - deleted
E:\Documents and Settings\Robin\Local Settings\Temporary Internet Files\Content.IE5\QDX1SYCI\Install[1].htm - deleted
E:\Documents and Settings\Robin\Local Settings\Temporary Internet Files\Content.IE5\UP8CSNFP\Bar[1].gif - deleted
E:\Documents and Settings\Robin\Local Settings\Temporary Internet Files\Content.IE5\UP8CSNFP\hdr_mvs_400x39[1].gif - deleted
E:\Documents and Settings\Robin\Local Settings\Temporary Internet Files\Content.IE5\UP8CSNFP\icn_updates[1].gif - deleted
E:\Documents and Settings\Robin\Local Settings\Temporary Internet Files\Content.IE5\UP8CSNFP\myCioMain[1].htm - deleted
E:\Documents and Settings\Robin\Local Settings\Temporary Internet Files\Content.IE5\UP8CSNFP\Share[1].vbs - deleted
E:\Documents and Settings\Robin\Local Settings\Temporary Internet Files\Content.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
*virusscan.securesynergyonline.com/VS2/Agent/Scripts/Share.vbs - deleted
*virusscan.securesynergyonline.com/VS2/Agent/Install.asp?Mode=SkipUpdate - deleted
*virusscan.securesynergyonline.com/VS2/Agent/images/icn_support.gif - deleted
*virusscan.securesynergyonline.com/VS2/Agent/images/corner-br.gif - deleted
*virusscan.securesynergyonline.com/VS2/Agent/default.css - deleted
*virusscan.securesynergyonline.com/VS2/Agent/images/corner-tr.gif - deleted
*virusscan.securesynergyonline.com/VS2/Agent/images/icn_updates.gif - deleted
*virusscan.securesynergyonline.com/VS2/Agent/images/corner-bl.gif - deleted
*virusscan.securesynergyonline.com/VS2/Agent/UIFrame.asp - deleted
*virusscan.securesynergyonline.com/VS2/Agent/images/icn_help.gif - deleted
*virusscan.securesynergyonline.com/VS2/Agent/images/Bar.gif - deleted
*virusscan.securesynergyonline.com/VS2/Agent/blank.htm - deleted
*virusscan.securesynergyonline.com/VS2/Agent/images/corner-tl.gif - deleted
*virusscan.securesynergyonline.com/VS2/Agent/images/hdr_mvs_400x39.gif - deleted
E:\Documents and Settings\Robin\Local Settings\History\History.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
E:\Documents and Settings\Robin\Local Settings\History\History.IE5\MSHist012005041420050415\index.dat currently in use. Will be deleted when Windows is restarted.
E:\Documents and Settings\Robin\Local Settings\History\History.IE5\MSHist012005041420050415\index.dat currently in use. Will be deleted when Windows is restarted.
E:\Documents and Settings\Robin\Local Settings\History\History.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
E:\Documents and Settings\Robin\Local Settings\History\History.IE5\MSHist012005041420050415\index.dat currently in use. Will be deleted when Windows is restarted.
'Typed URLs' (Internet Explorer) - removed from the registry.
Visited: Robin@file:///E:/Documents%20and%20Settings/Robin/My%20Documents/cleanup.txt - deleted
Visited: Robin@myui://Update.htm - deleted
Visited: Robin@*virusscan.securesynergyonline.com/VS2/Agent/myCioMain.asp?Mode=SkipUpdate&Components=1&CompanyKey=36292f2a3d215c4544415a5d%2D677a736d1800050d060a040306050a060104060c0501&PolicyToken=0000000000000000%2D20050414124901&MachineID=37a2eba4%2Ded81%2D4e23%2Db9db%2D27bb482ab3ee&G=0 - deleted
Visited: Robin@*virusscan.securesynergyonline.com/VS2/CheckUpdate.asp?CompanyKey=36292f2a3d215c4544415a5d-677a736d1800050d060a040306050a060104060c0501&MachineID=37a2eba4-ed81-4e23-b9db-27bb482ab3ee&G=0&MYCIOAGT=20050411163225&MYUPDATE=20050411163225&VSASAP=20050411163225&MYGETDAT=20050413113432&MYXTRDAT=20050411163225&VSENGINE=20050411163225&EMAILSCN=20050411163225&BOENG=20050411163225&BOF=20050411163225&PolicyToken=0000000000000000-20050414124901 - deleted
E:\Documents and Settings\Robin\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
E:\Documents and Settings\Robin\Cookies\robin@sify[1].txt - deleted
Cookie:robin@sify.com/ - deleted
E:\Program Files\Opera\opera.win - deleted
E:\Program Files\Opera\Opera.win - deleted
E:\Documents and Settings\Robin\Recent\cleanup.txt.lnk - deleted
E:\WINNT\temp\ZLT07d6e.TMP currently in use. Will be deleted when Windows is restarted.
E:\Documents and Settings\Robin\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
E:\Documents and Settings\Robin\locals~1\tempor~1\Content.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
E:\Documents and Settings\Robin\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
E:\Documents and Settings\Robin\Local Settings\History\History.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
E:\Documents and Settings\Robin\Local Settings\History\History.IE5\MSHist012005041420050415\index.dat currently in use. Will be deleted when Windows is restarted.
E:\Documents and Settings\Robin\Local Settings\Temporary Internet Files\Content.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
E:\Documents and Settings\Default User\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
E:\Documents and Settings\Default User\locals~1\tempor~1\Content.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
E:\Documents and Settings\Default User\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
E:\Documents and Settings\Default User\Local Settings\History\History.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
E:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
E:\Documents and Settings\Default User\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
E:\Documents and Settings\Default User\Local Settings\History\History.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
E:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
E:\Documents and Settings\Robin\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
E:\Documents and Settings\Robin\Local Settings\History\History.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
E:\Documents and Settings\Robin\Local Settings\History\History.IE5\MSHist012005041420050415\index.dat currently in use. Will be deleted when Windows is restarted.
E:\Documents and Settings\Robin\Local Settings\Temporary Internet Files\Content.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
E:\Program Files\McAfee\Managed VirusScan\VScan\Report\CIO3.tmp currently in use. Will be deleted when Windows is restarted.
E:\Program Files\Opera\profile\opera6.adr.bak - deleted
E:\WINNT\system32\NtmsData\NTMSDATA.BAK - deleted
E:\WINNT\Temp\ZLT07d6e.TMP currently in use. Will be deleted when Windows is restarted.
'Run MRU' list - removed from the registry.
'FilesNamedMRU' list - removed from the registry.
Paint Recent File List - removed from the registry.
WordPad Recent File List - removed from the registry.
Telnet's MRU list - removed from the registry.
CleanUp! 4.0 recovered 186.6 KB of disk space from 40 files.
CleanUp! finished on 04/14/05 21:16:38.


----------



## theraven (Apr 14, 2005)

grudge, "no file" there means it's an unnecessary entry!!!
So it's safe to remove.

@pirates you have to tick "show updates" to see the Windows updates installed.
There's a check box there.
See it.


----------
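An added example, not part of any post in this thread: a small Python triage pass over HijackThis entry lines that lists the entries whose target is recorded as `(no file)` or `(file missing)`, and the host each O16 DPF installer came from, so they can be reviewed by hand. The sample lines are copied from the log at the top of the thread; the function names and the grouping are assumptions of this example, not HijackThis features.

```python
import re

# Lines copied from the HijackThis log posted at the top of this thread.
SAMPLE_LOG = r'''
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - *static.windupdates.com/cab/6247971CanadaInc/ie/bridge-c337.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - *us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
'''

# "O2 - ...", "R0 - ...", "O23 - ...": section code, separator, free-form body.
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Markers HijackThis appends when the registered target is not on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def parse(log):
    """Yield (code, clsid_or_None, body) for every entry line in the log."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            c = CLSID.search(m["body"])
            yield m["code"], (c.group(0).upper() if c else None), m["body"]


def triage(log):
    """Group entries by the reason they deserve a manual look."""
    out = {"orphaned": [], "dpf_source": []}
    for code, clsid, body in parse(log):
        if body.endswith(ORPHAN_MARKERS):
            # Registry entry survives but its file is gone (leftover entry).
            out["orphaned"].append((code, clsid))
        if code == "O16":
            # Last field is the URL the ActiveX installer was downloaded from;
            # the forum replaced "http://" with "*", so accept either prefix.
            url = re.sub(r"^(\*|https?://)", "", body.rsplit(" - ", 1)[-1])
            out["dpf_source"].append((clsid, url.split("/", 1)[0]))
    return out


if __name__ == "__main__":
    for reason, items in triage(SAMPLE_LOG).items():
        print(reason, items)
```

The output is a review list only: whether a listed CLSID or download host is unwanted still has to be checked against a reference, as the posters above do by hand.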



## pirates1323 (Apr 14, 2005)

theraven said:

> @pirates you have to tick "show updates" to see the Windows updates installed. There's a check box there. See it.



Where?????? .... in which program... what are you talking about


----------



## drgrudge (Apr 14, 2005)

theraven said:

> grudge, "no file" there means it's an unnecessary entry!!!
> So it's safe to remove.


Hmm..., thanks for clearing it up!  I will remember it next time around.


----------



## swatkat (Apr 15, 2005)

Anyway, it's better to scan your PC with AntiSpyware tools.
AdAware
SpyBot SnD

*AdAware* --> _Click "Scan Now" button in the left pane and select the radio button "Perform full system scan" and click "Start"_

*SpyBot SnD* --> _Go to the "Mode" menu and click "Advanced". Then open the "Settings" tab in the left pane, click "File Sets" and here select the file sets named "Usage Tracking" and "Tracks.uti". Then click the "SpyBot S&D" button in the left pane and click "Check For Problems"_


----------

