another hijackthis list

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by alrightgame, Jan 26, 2005.

  1. alrightgame

    alrightgame Private E-2

    Ok, when I first encountered the trojan, it did an about: homepage, as well as sent faked Microsoft messages that said you may have spyware on this computer. Other symptoms are a little box that repeats when closed and says would you like to dl free software. There are also embarrassing popups. I have done all things said to be done short of uninstalling Java because I require this for jGRASP. I use Internet Explorer and MSN Explorer for browsers. I don't think these problems are coming from online because it still happens offline. I need to know what to actually go after in my HijackThis list. If someone could help that would be great.

    Logfile of HijackThis v1.99.0
    Scan saved at 5:31:28 PM, on 1/26/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    If you can't help me, could you point to me where I could get help?
     
    Last edited by a moderator: Jan 26, 2005
  2. alrightgame

    alrightgame Private E-2

    Just posting again so people can spot this.
     
  3. PhilliePhan

    PhilliePhan Guest

    Please relocate HJT to a safer folder, disconnect from internet, exit all browsers and rescan with HJT and attach the log.
    Here is standard speech:
    Note that your HijackThis MUST be extracted to its own safe folder – C:\Program Files\HijackThis!

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.


    The things that jump out at me from current log are:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =


    O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
    O2 - BHO: (no name) - {FDB2D236-2A9D-4439-AF80-CE2777898BA0} - C:\WINDOWS\system32\msjqp.dll

    O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\system32\iesp1.dll

    O4 - HKLM\..\Run: [rdspclips.exe] rdspclips.exe --> Don't know this one

    O15 - Trusted Zone: http://*.63.219.181.7 --> Try to remove this one from Trusted Zone via TOOLS > Internet Options > Security Tab. You may have to D/L a tool to remove this one.

    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/c...DC_1_0_0_44.cab

    O16 - DPF: {58F0B492-A42E-435A-BCBF-C6B2608077BA} - http://ak.imgfarm.com/images/nocach...etup1.0.0.7.cab

    O23 - Service: Creative Service for CDROM Access - Unknown - C:\WINDOWS\System32\CTsvcCDA.exe (file missing)

    Please attach fresh log. The O15 item may prove difficult, so please download this tool and have it handy:

    REMV3.ZIP Removal Tool

    Somebody will try to check back as time permits.

    PP :)
     
  4. alrightgame

    alrightgame Private E-2

    Ok, here's the uploaded HijackThis attachment.
     


  5. alrightgame

    alrightgame Private E-2

    Ok, I deleted those items in HijackThis and none of the symptoms so far have come up. I keep getting a popup that says "Spybot-S&D reports that you want to download "DoubleClick". This is a known threat. Do you want to BLOCK this download?" and I believe I have gotten another different one of these. This keeps happening every time I use IE.
     
  6. alrightgame

    alrightgame Private E-2

  7. PhilliePhan

    PhilliePhan Guest

    This Doubleclick is relatively harmless - it is a problem because Spybot pops up with question all the time. Remedy this by setting Spybot to block Silently so you don't get the popup all the time.

    You still have a number of issues in your log that I will try to address this evening.
    Plus, I do not like the looks of this one:
    O17 - HKLM\System\CCS\Services\Tcpip\..\{77A395C4-C9DE-4592-A97E-1A5B424D2CBC}: NameServer = 69.50.176.156,195.225.176.31

    Also, what is this? --> C:\Documents and Settings\Nathan Lothamer\Local Settings\Temporary Internet Files\Content.IE5\RYQ9MZFV\Windows XP Professional with SP1a[2].exe

    How many active user accounts are on this machine?

    PP :)
     
  8. alrightgame

    alrightgame Private E-2

    2 users. Plus, what exactly does this mean?
    O17 - HKLM\System\CCS\Services\Tcpip\..\{77A395C4-C9DE-4592-A97E-1A5B424D2CBC}: NameServer = 69.50.176.156,195.225.176.31

    Also attached is an updated list from HijackThis.
     


  9. alrightgame

    alrightgame Private E-2

    Btw, I have no clue what this is.
    C:\Documents and Settings\Nathan Lothamer\Local Settings\Temporary Internet Files\Content.IE5\RYQ9MZFV\Windows XP Professional with SP1a[2].exe
     
  10. PhilliePhan

    PhilliePhan Guest

    No Worries! - We're going to flush Temporary Internet Files anyway.

    The O17 lines look like bad news. We'll address them as well.

    Before we can start, however, I need to see Fresh HijackThis Logs from Normal Windows Boot for ALL User Accounts.

    Otherwise, we will be wasting our time . . . .

    PP :)
     
  11. alrightgame

    alrightgame Private E-2

    Ok, here is the other user's HijackThis file. Btw, I installed Microsoft's own beta antispyware. This is a first for Microsoft, ain't it? :confused:
     


  12. PhilliePhan

    PhilliePhan Guest

    Yeah - They bought Giant AntiSpyware.
    I am not going to recommend it until they work out all of the kinks!

    RE your HJT Logs, some malware on the first log you submitted is now nowhere to be found, so maybe something caught it.

    For now, please run HJT for both accounts and Fix the following, if found:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.seekerbar.com/ie.aspx?tb_id=50154

    R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)

    O17 - HKLM\System\CCS\Services\Tcpip\..\{0A3ED0F6-104B-45AF-87C4-E55E689285C5}: NameServer = 69.50.176.156,195.225.176.31
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1F5F4B41-DBC4-4A97-8BEB-EBE2A723F8EC}: NameServer = 69.50.176.156,195.225.176.31
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2AD7E092-CBBD-4ECA-843B-42C4DEE0469A}: NameServer = 69.50.176.156,195.225.176.31
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9CAE4D06-98EF-4261-8855-BFAFB220C52C}: NameServer = 69.50.176.156,195.225.176.31
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EF00D584-933A-4E97-B833-087B5C0D80BF}: NameServer = 69.50.176.156,195.225.176.31
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0A3ED0F6-104B-45AF-87C4-E55E689285C5}: NameServer = 69.50.176.156,195.225.176.31
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0A3ED0F6-104B-45AF-87C4-E55E689285C5}: NameServer = 69.50.176.156,195.225.176.31
    Make sure All Browsers are Closed when you click FIX.

    I also suggest you uninstall Weatherbug.

    Please Reboot and attach fresh HijackThis logs for each account from Normal Windows boot and we'll see what remains.

    PP :)
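The two posts above (the O17 NameServer question and the Fix list) are the kind of thing a helper triages by eye. As an added example that is not from the thread, from MajorGeeks, or from HijackThis itself, here is a small Python triage script over the line formats quoted in the thread. It flags O2/O3 add-ins with no backing file or no name, O15 Trusted Zone entries built on an IP address, and O17 NameServer overrides that are not on an allow-list of resolvers the machine should be using. The sample log is constructed from the entry formats shown above, the allow-list parameter is an assumption (the caller knows the legitimate DNS servers from the ISP or router; on a home XP box with DHCP-assigned DNS it is normally empty, so every static O17 entry gets flagged), and the heuristics are a subset of what a human helper checks, so a clean result is not a clean machine.

```python
"""Triage helper for HijackThis-style log lines (added example, not HJT code)."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed excerpt using the entry formats quoted in the thread.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Local Page = about:blank
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O2 - BHO: (no name) - {FDB2D236-2A9D-4439-AF80-CE2777898BA0} - C:\\WINDOWS\\system32\\msjqp.dll
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\\WINDOWS\\system32\\iesp1.dll
O15 - Trusted Zone: http://*.63.219.181.7
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{77A395C4-C9DE-4592-A97E-1A5B424D2CBC}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\\System\\CS1\\Services\\Tcpip\\..\\{0A3ED0F6-104B-45AF-87C4-E55E689285C5}: NameServer = 69.50.176.156,195.225.176.31
"""


@dataclass(frozen=True)
class Finding:
    section: str  # HJT section tag, e.g. "O17"
    reason: str   # short label for the heuristic that fired
    line: str     # the offending log line, verbatim


# O2 (BHO) and O3 (Toolbar) share one shape: name - {CLSID} - path-or-"(no file)"
_ADDIN = re.compile(
    r"^(?P<section>O[23]) - (?:BHO|Toolbar): (?P<name>.*?) - "
    r"\{[0-9A-Fa-f-]{36}\} - (?P<path>.*)$")
_TRUSTED = re.compile(r"^O15 - Trusted Zone: (?P<entry>\S+)$")
# O17: per-interface registry key, then a comma-separated resolver list
_NAMESERVER = re.compile(r"^O17 - \S+: NameServer = (?P<servers>[0-9.,]+)$")


def _is_ip_literal(host: str) -> bool:
    """True for '63.219.181.7' or a wildcard over it such as '*.63.219.181.7'."""
    bare = host[2:] if host.startswith("*.") else host
    try:
        ipaddress.ip_address(bare)
        return True
    except ValueError:
        return False


def triage(log_text: str, allowed_resolvers=()) -> list:
    """Return the entries a helper would ask the poster to Fix, in log order.

    allowed_resolvers (assumption): DNS server IPs legitimately configured on
    the machine. Any O17 NameServer entry not in this set is flagged.
    """
    allowed = {str(ipaddress.ip_address(a)) for a in allowed_resolvers}
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        m = _ADDIN.match(line)
        if m:
            if m["path"].strip() == "(no file)":
                findings.append(Finding(m["section"], "orphaned_entry", line))
            elif m["name"].strip() == "(no name)":
                findings.append(Finding(m["section"], "unnamed_addin", line))
            continue
        m = _TRUSTED.match(line)
        if m:
            host = re.sub(r"^[a-z]+://", "", m["entry"]).split("/", 1)[0]
            if _is_ip_literal(host):
                findings.append(Finding("O15", "ip_in_trusted_zone", line))
            continue
        m = _NAMESERVER.match(line)
        if m:
            bad = [s for s in m["servers"].split(",") if s and s not in allowed]
            if bad:
                findings.append(Finding("O17", "nameserver_override:" + ",".join(bad), line))
    return findings


def hijacked_resolvers(findings) -> set:
    """Collapse the O17 findings to the set of resolver IPs being forced on the box."""
    ips = set()
    for f in findings:
        if f.section == "O17":
            ips.update(f.reason.split(":", 1)[1].split(","))
    return ips


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.section:4} {f.reason:45} {f.line}")
    print("Resolvers being forced:", sorted(hijacked_resolvers(results)))
```

Note that the O17 override appears once per interface GUID and once per control set (CCS and CS1 in the thread), which is why `hijacked_resolvers` collapses the findings to the resolver IPs: if any one of those keys is left behind, the next reboot or control-set switch can restore the hijacked DNS, so every O17 line carrying those addresses has to be fixed together.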
     
  13. alrightgame

    alrightgame Private E-2

    No, I just deleted those items you told me at the beginning you thought were bad.
     
  14. alrightgame

    alrightgame Private E-2

    Ok, here are the two files. Btw, you've been a big help. Wish there were more websites like this that have never-ending patience and dedication to helping people like us :).
     


  15. PhilliePhan

    PhilliePhan Guest

    Happy to help :)

    Your logs look good - How are things running now?

    The items I was referring to earlier are:

    C:\WINDOWS\system32\smbdins.exe
    C:\WINDOWS\system32\sethcd.exe
    C:\WINDOWS\system32\tsmsetup.exe
    C:\WINDOWS\system32\nbtrstat.exe


    I didn't recognize them . . . . But they are gone now, so maybe one of the tools caught them.

    PP :)
     
  16. alrightgame

    alrightgame Private E-2

    Yeah, no popups or anything. Are there firewalls that work well with online video games without having to take off the software support on the firewall?
     
  17. PhilliePhan

    PhilliePhan Guest

    I don't play online games, so not sure. Perhaps ask Software or Games Forum?

    PP :)
     
