The symptoms are slow internet and many pop-ups. I thought I had it cleaned out several times but it keeps coming back. If one of you experts could let me know what needs to go I WOULD be grateful. Here is the log. I have Windows XP Pro and a hardware firewall. No antivirus software running. Thanks for your time.
Logfile of HijackThis v1.99.1
Scan saved at 8:19:52 PM, on 1/4/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Default\Desktop\HijackThis.exe
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {6001CDF7-6F45-471b-A203-0225615E35A7} - C:\WINDOWS\DH.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7BC87158-55FB-3A77-DF75-3764B3B38F10} - C:\WINDOWS\ufcygdzo.dll
O2 - BHO: (no name) - {8431AAA5-6F48-40CC-69B2-16F3BD4066C0} - C:\WINDOWS\System32\kaneomy.dll
O2 - BHO: (no name) - {C5AF2622-8C75-4dfb-9693-23AB7686A456} - C:\WINDOWS\DH.dll
O2 - BHO: SuperSecretServer.Shhh - {FB0FDDBA-27C2-441E-A4A6-7EC0E9F60E63} - C:\WINDOWS\System32\{FB0FDDBA-27C2-441E-A4A6-7EC0E9F60E63}.dll
O2 - BHO: BigMeanGorilla.MadAsHell - {FBD2EBD0-E6DF-456E-B300-A4D10A90C683} - C:\WINDOWS\System32\{FBD2EBD0-E6DF-456E-B300-A4D10A90C683}.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Search - {F64A1646-5CF5-EDF5-25E9-D11E790941AD} - C:\WINDOWS\ufcygdzo.dll
O4 - HKLM\..\Run: [Jumbo Updater] C:\WINDOWS\System32\jumb.exe
O4 - HKLM\..\Run: [thrbfzfA] C:\WINDOWS\thrbfzfA.exe
O4 - HKLM\..\Run: [{99-93-36-68-ZN}] C:\WINDOWS\system32\rkdsregp.exe CORN001
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\msbk32.dll,DllRun
O4 - HKLM\..\Run: [win32100-207031004] C:\WINDOWS\win32100-207031004.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYS99.exe
O4 - HKCU\..\Run: [Qipr] C:\WINDOWS\System32\w?nword.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\swinlsap.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab40641.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversFWBInitialSetup1.0.0.15.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://F:\content\include\XPPatchInstaller.CAB
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} (ZPA_DMNO Object) - http://zone.msn.com/bingame/zpagames/zpa_dmno.cab41096.cab
O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://F:\Content\include\msSecUcd.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c8.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.15.44/ttinst.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - http://www.disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\thrbfzf.exe (file missing)

gliss... OK... the first thing you should do is install an antivirus... I can't believe you're online without one... Now then... that would probably explain all the questionable entries in your HijackThis log... The next thing I would do is download Service Pack 2 and the other critical updates...
So mark for removal the following:
O2 - BHO: (no name) - {6001CDF7-6F45-471b-A203-0225615E35A7} - C:\WINDOWS\DH.dll
O2 - BHO: (no name) - {7BC87158-55FB-3A77-DF75-3764B3B38F10} - C:\WINDOWS\ufcygdzo.dll
O2 - BHO: (no name) - {8431AAA5-6F48-40CC-69B2-16F3BD4066C0} - C:\WINDOWS\System32\kaneomy.dll
O2 - BHO: (no name) - {C5AF2622-8C75-4dfb-9693-23AB7686A456} - C:\WINDOWS\DH.dll
O2 - BHO: SuperSecretServer.Shhh - {FB0FDDBA-27C2-441E-A4A6-7EC0E9F60E63} - C:\WINDOWS\System32\{FB0FDDBA-27C2-441E-A4A6-7EC0E9F60E63}.dll
O2 - BHO: BigMeanGorilla.MadAsHell - {FBD2EBD0-E6DF-456E-B300-A4D10A90C683} - C:\WINDOWS\System32\{FBD2EBD0-E6DF-456E-B300-A4D10A90C683}.dll
O3 - Toolbar: Search - {F64A1646-5CF5-EDF5-25E9-D11E790941AD} - C:\WINDOWS\ufcygdzo.dll
O4 - HKLM\..\Run: [Jumbo Updater] C:\WINDOWS\System32\jumb.exe
O4 - HKLM\..\Run: [thrbfzfA] C:\WINDOWS\thrbfzfA.exe
O4 - HKLM\..\Run: [{99-93-36-68-ZN}] C:\WINDOWS\system32\rkdsregp.exe CORN001
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\msbk32.dll,DllRun
O4 - HKLM\..\Run: [win32100-207031004] C:\WINDOWS\win32100-207031004.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYS99.exe
O4 - HKCU\..\Run: [Qipr] C:\WINDOWS\System32\w?nword.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\swinlsap.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversFWBInitialSetup1.0.0.15.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c8.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.15.44/ttinst.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - http://www.disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\thrbfzf.exe (file missing)
Now click "FIX MARKED" and reboot.

BTW...
Quote: "I thought I had it cleaned out several times but it keeps coming back."
What software do you use to clean out this crap?
dl65
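As an added illustration (not part of the thread), the kind of checks behind dl65's picks written up as a small Python triage script: it parses HijackThis entries and flags the patterns that recur in the marked lines (nameless BHOs, binaries named after their own CLSID or dropped straight into C:\WINDOWS, an unprintable character in a file name, an ActiveX download from a host marked above, a filter or service with no backing file). The sample lines are copied from the log above; the adware host list is an assumption built from the entries marked for removal, not a maintained blocklist.

```python
import re

# Added example, not from the thread: the sample lines are copied from the log
# above; the adware host list is constructed from entries dl65 marked for removal.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {6001CDF7-6F45-471b-A203-0225615E35A7} - C:\WINDOWS\DH.dll
O2 - BHO: SuperSecretServer.Shhh - {FB0FDDBA-27C2-441E-A4A6-7EC0E9F60E63} - C:\WINDOWS\System32\{FB0FDDBA-27C2-441E-A4A6-7EC0E9F60E63}.dll
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\msbk32.dll,DllRun
O4 - HKCU\..\Run: [Qipr] C:\WINDOWS\System32\w?nword.exe
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c8.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\thrbfzf.exe (file missing)
"""
ADWARE_HOSTS = ("zangocash.com", "funwebproducts")
LINE_RE = re.compile(r"^(O\d+) - (.*)$")                        # "O4 - <body>"
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe|ocx)", re.I)  # first drive path
GUID_RE = re.compile(r"^\{[0-9a-f-]{36}\}\.")                   # "{CLSID}.dll"

def suspicious_reasons(line):
    """Return heuristic hits for one HijackThis line; [] means nothing tripped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    section, body = m.groups()
    pm = PATH_RE.search(body)
    parent, _, fname = (pm.group(0).lower() if pm else "").rpartition("\\")
    reasons = []
    if section == "O2" and "(no name)" in body:
        reasons.append("BHO registered without a name")
    if GUID_RE.match(fname):
        reasons.append("binary named after its own CLSID")
    if parent == r"c:\windows":          # legit components live in System32
        reasons.append("binary dropped directly into C:\\WINDOWS")
    if "?" in fname:                      # unprintable char, as in w?nword.exe
        reasons.append("unprintable character in file name")
    if section == "O16" and any(h in body.lower() for h in ADWARE_HOSTS):
        reasons.append("ActiveX control from a known adware host")
    if section == "O18" and "(no file)" in body:
        reasons.append("text/html filter with no backing file")
    if section == "O23" and "Unknown owner" in body:
        missing = ", binary missing" if "(file missing)" in body else ""
        reasons.append("service with unknown owner" + missing)
    return reasons

def triage(log):
    """Map each suspicious line to its reasons; clean lines are left out."""
    return {ln.strip(): r for ln in log.splitlines() if (r := suspicious_reasons(ln))}
```

The Yahoo BHO passes every check while the other seven sample lines are flagged, which matches the split in the reply; heuristics like these narrow the list but the final call on each entry still needs a human (the Network Monitor service above, for instance, trips none of them).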
Thanks for your reply dl65. I had tried using Ad-Aware SE and the Yahoo anti-spyware tool. That didn't get me very far, so I RAN Ad-Aware SE in safe mode and deleted some registry entries in the Run section that I knew didn't belong there. Things were fine for a few minutes but, like I said, it always found its way back. I know HijackThis is a powerful tool for getting rid of these things, but you also have to UNDERSTAND what you are checking for removal. I'm not up on all that, but I know where to come for good advice. I will definitely take your advice on SP2 and the updates and get an antivirus app installed. Again, thanks for the help. By the way, the infected computer is used by my 12-year-old daughter and unfortunately, despite my preaching, she will just click on about anything without a second thought. All the more reason to protect it properly.
Spybot, AVG Free, CCleaner, and A2 come to mind as required items for this machine.

gliss... you have to understand that an unprotected PC can, and usually does, become infected with all sorts of nasties within minutes of being online. I would strongly suggest that you do a bit of boning up on nasties and how to avoid them. And yes, HijackThis is a powerful tool... but it does a great job.
dl65

Is it fixed?
Quote: "By the way, the infected computer is used by my 12-year-old daughter and unfortunately, despite my preaching, she will just click on about anything without a second thought."
Make her user account "restricted." This will GREATLY lower the chance of her unintentionally installing something malicious, and it restricts the abilities of anything that does manage to get through.
With regards

Yes, I did as dl65 said and it worked like a charm. I will now take the rest of the advice offered here and get to work hardening the system against future threats. It sometimes takes a good "wake up" call like this to realize how important security is. Thanks to dl65 and all who replied.