Status
Not open for further replies.

bharathbala2003

why need title?
Guys, I suppose most of you will know the problem I faced with Windows. Now the problem, I think, is that my system is affected a lot by spyware and stuff. I am not getting my display properties in full. Check it:


*img202.echo.cx/img202/2738/prob0yd.th.jpg

I have installed SPYBOT, ZA and AVG with all updates, and I have deleted a lot of spyware that S&D detected. Below I'll paste the log file of HJT.

Logfile of HijackThis v1.99.1
Scan saved at 6:49:09 PM, on 5/15/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\Explorer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\bsw.exe
C:\WINNT\System32\win32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Documents and Settings\Bala\My Documents\dxwebsetup.exe
C:\DOCUME~1\Suga\LOCALS~1\Temp\IXP000.TMP\dxwsetup.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
D:\HT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Suga\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {F12AA1A5-DEBC-4FD1-8D8B-E9F06EB56EA6} - C:\WINNT\System32\daog.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Suga\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunServices: [atiupdpl] C:\WINNT\System32\atiupdpl.exe
O4 - HKLM\..\RunOnce: [MigrateMMDrivers] rundll32.exe mmsys.cpl,mmseRunOnce
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINNT\System32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\Suga\LOCALS~1\Temp\IXP000.TMP\"
O4 - HKCU\..\Run: [msnmsgr] "D:\Program files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WindowsFY] C:\bsw.exe
O4 - HKCU\..\Run: [wupd] C:\WINNT\System32\win32.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Microsoft AntiSpyware helper - {5B42B2FA-8294-45DB-AE1F-1EAF2931F838} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {5B42B2FA-8294-45DB-AE1F-1EAF2931F838} - (no file) (HKCU)
O18 - Filter: text/html - {A6A31B77-9EAB-46FE-878C-294D2940A97A} - C:\WINNT\System32\daog.dll
O18 - Filter: text/plain - {A6A31B77-9EAB-46FE-878C-294D2940A97A} - C:\WINNT\System32\daog.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINNT\system32\ZONELABS\vsmon.exe
 

swatkat

Technomancer
This is the About:Blank CWS hijacker.
Follow these steps:

1] Download these tools:-
CWShredder
SpSeHjFix
CleanUp!

2] Create a folder called SpFix on Desktop, and extract the SpSeFix.ZIP file contents to that folder.
Install CleanUp!. Don't run any of them now.

3] Boot in safe mode.
Run CleanUp! and click "Options" and move the slider to "Thorough CleanUp!" and click "OK" to warning message, and exit from Options. Click "Run CleanUp". After cleaning, click "Close" and reboot back to Safe Mode.

Run SpSeHjFix.exe and click "Start Disinfection". When it's finished it will reboot your machine to finish the cleaning process. The tool creates a log of the fix which will appear in the folder that SpSeHjfix is located in.
Now run CWShredder and click on the "Fix" button.


4] Go to Start> Run and type regedit and press ENTER.
Then navigate to this key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies and click on it to select (highlight) it. Then go to the File menu (or Registry menu), click "Export", type the filename as info and save it.
Then open Notepad, go to File> Open, choose "All files (*.*)" in the "Show files of type" option, then open the file info.reg, copy the entire contents and post it here.

Also post a fresh HijackThis log and also the log the SpSeHjFix created.
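
A triage pass over a HijackThis log like the one posted above, as an added example that is not part of the original thread: it flags entries that load from a Temp directory, sit directly in a drive root, point at a missing file, or redirect an IE page to a res:// resource. The rules are assumed heuristics for prioritising review, not HijackThis's or the posters' own logic; the sample lines are copied from the posted log.

```python
import re

# Sample input: a few entry lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Suga\LOCALS~1\Temp\se.dll/spage.html
O2 - BHO: (no name) - {F12AA1A5-DEBC-4FD1-8D8B-E9F06EB56EA6} - C:\WINNT\System32\daog.dll (file missing)
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Suga\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [WindowsFY] C:\bsw.exe
O18 - Filter: text/html - {A6A31B77-9EAB-46FE-878C-294D2940A97A} - C:\WINNT\System32\daog.dll
"""

# An entry line looks like "O4 - <details>"; header and process-list lines do not match.
ENTRY = re.compile(r"^([A-Z]\d+) - (.+)$")

# Assumed triage heuristics: (reason, pattern, sections it applies to or None for all).
RULES = [
    ("loads from a Temp directory",
     re.compile(r"\\temp\\", re.I), None),
    ("binary sits directly in a drive root",
     re.compile(r'(?<![\w\\])[A-Za-z]:\\[^\\\s"]+\.(?:exe|dll)\b', re.I), None),
    ("referenced file not found on disk",
     re.compile(r"\((?:file missing|no file)\)", re.I), None),
    ("IE page redirected to a local res:// resource",
     re.compile(r"=\s*res://", re.I), {"R0", "R1"}),
]

def triage(log_text):
    """Return (section, entry, reasons) for every entry that trips a rule."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # blank lines, log header, running-process list
        section, body = m.groups()
        reasons = [why for why, pattern, sections in RULES
                   if (sections is None or section in sections)
                   and pattern.search(body)]
        if reasons:
            findings.append((section, body, reasons))
    return findings

if __name__ == "__main__":
    for section, body, reasons in triage(SAMPLE_LOG):
        print(f"[{section}] {body}\n    -> {'; '.join(reasons)}")
```

A flagged entry is a prompt to check the file, not a verdict; legitimate installers also run briefly from Temp.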
 

expertno.1

Technomancer
He is right.

You can also use System Mechanic to solve the problem, and if it doesn't solve the problem then PM me and I will send you the best solution.
 
As swatkat said, navigate to that key, and delete all keys in the right-hand pane.
And then reboot your system.
Now it should work right. I believe you have spyware on your system.
 

anomit

In the zone
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe

I have something interesting to share about this piece of malware.
I located it on my computer in the Program Files folder. It had a readme file which says (something like this, I don't recall it fully):

---------------------------------------------------------------------------
HOW DID MEDIA ACCESS GET INSTALLED ONTO MY COMPUTER
---------------------------------------------------------------------------

MediaAccess is a free, ad-delivery system that delivers ads about interesting products that may concern you right to your computer.

-------------------------------------------------------------
UNINSTALL INFORMATION
-------------------------------------------------------------

Go to Control Panel, Add Remove Programs... (Blah, Blah) and uninstall

And after I 'uninstalled' it, I was shown a message very politely: "Media-Access has been uninstalled from your computer. Do you still want ads to be delivered to your computer? Yes/No". It was still there, in the Program Files, snug and secure. I deleted it in Safe Mode.

This is for swatkat.
Is there any function of the file rundll32.exe in WinXP? It's vital for Win98, I know that.
 