  #4  
01-16-2005, 04:12 PM
Casper
Registered User
 
Join Date: Jan 2005
Posts: 46
Thanks for the rescan. You have a lot of stuff to fix; I will list it below.

Need to fix these ASAP

C:\temp\salm.exe
Nasty running process. (salm.exe)
180Search adware This is a nasty process! You should fix it and try to delete it manually!

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
Nasty running process. (BackWeb-8876480.exe)
Spyware This is a nasty process! You should fix it and try to delete it manually!

C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
Nasty running process. (tsm2.exe)
Uploader-R adware variant This is a nasty process! You should fix it and try to delete it manually!

C:\PROGRA~1\COMMON~1\tsa\ts2.exe
Nasty running process. (ts2.exe)
Spyware This is a nasty process! You should fix it and try to delete it manually!

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.search-itnow.com/index.php
Nasty This entry should be fixed by HijackThis! This entry should be fixed by HijackThis!

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.search-itnow.com/index.php
Nasty This entry should be fixed by HijackThis! This entry should be fixed by HijackThis!

O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
Nasty The entered application VBundleOuterDL was identified: VBundleOuterDL. Hit rate: 99 % (result) Must be fixed!

O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
Nasty The entered application Tsa2 was identified: Tsa2. Hit rate: 99 % (result) Must be fixed!

O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} (CQD2Loader Object) - http://smartdownloader.com/installer.dll
Nasty This entry is possibly nasty. Should be fixed.

O21 - SSODL: System - {446C035A-E8D0-4F69-BE9F-147134331102} - C:\WINDOWS\system32\system32.dll (file missing)
Nasty

O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe
Nasty These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it. This service (zeta.exe) seems to be nasty.

These are the unknowns

C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
Unknown running process. (EabServr.exe)
Easy Access Buttons control panel on Compaq laptops. Only required if you use the extra keys This is a unknown process.

5.exe
Unknown running process. (5.exe)
This is a unknown process

C:\Program Files\Popup Ad SmasheR\Smasher.exe
Unknown running process. (Smasher.exe)
This is a unknown process.

C:\Program Files\Popup Ad SmasheR\Smasher.exe
Unknown running process. (Smasher.exe)
This is a unknown process.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us8l.hpwis.com/
Possibly nasty This page could possibly be nasty. If you do not know the entry 'http://us8l.hpwis.com/', delete it.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8l.hpwis.com
Possibly nasty This page could possibly be nasty. If you do not know the entry 'http://us8l.hpwis.com', delete it.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://us8l.hpwis.com/
Possibly nasty This page could possibly be nasty. If you do not know the entry 'http://us8l.hpwis.com/', delete it.

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us8l.hpwis.com/
Possibly nasty This page could possibly be nasty. If you do not know the entry 'http://us8l.hpwis.com/', delete it.

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
Unnecessarily Entries found in this registry zone are potentially nasty. This application ([42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6] - Result: 42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6) has been checked. If the name is made up of random letters, found in the folder 'Application Data' and the kind is 'Unknown' , it should be fixed. Hit rate: 99 %
Unnecessary (deactivated) entry that can be fixed.

O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
Unknown The entered application HPHUPD05 was identified: HPHUPD05. Hit rate: 99 % (result) Unknown application.

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0
Unknown The entered application HPDJ Taskbar Utility was identified: None. Hit rate: -1 % (result) Unknown application.

5.exe
Unknown running process. (5.exe)
This is a unknown process.

O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
Unknown The entered application SM1BG was identified: SM1BG. Hit rate: 99 % (result) Unknown application.

O4 - HKLM\..\Run: [ylmiwbil] C:\WINDOWS\System32\ifdccvt.exe
Unknown The entered application ylmiwbil was identified: None. Hit rate: -1 % (result) Unknown application.

O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
Unknown The entered application VBouncer was identified: None. Hit rate: 24 % (result) Unknown application.

O4 - HKLM\..\Run: [daxwr] C:\WINDOWS\daxwr.exe
Unknown The entered application daxwr was identified: None. Hit rate: -1 % (result) Unknown application.

O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
Unknown The entered application LDM was identified: None. Hit rate: -1 % (result) Unknown application.

O4 - Startup: SmasheR.lnk = C:\Program Files\Popup Ad SmasheR\Smasher.exe
Unknown The entered application 'SmasheR.lnk (Smasher.exe)' was identified: 'Kein ()'. Hit rate: 12 % (result) Unknown application.

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
Possibly nasty Unknown buttons or entries in the 'Extras'-menu should be fixed. To be fixed if the entry 'Research ' is unknown.

O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
Possibly nasty This entry should be fixed if this address does not belong to your PC-manufacturer or your 'Internet-Service-Provider (ISP)'. This entry should be fixed if 'http://us8l.hpwis.com' is not your PC-manufacturer or your 'Internet-Service-Provider (ISP)'.

O15 - Trusted IP range: 64.127.104.144
Possibly nasty If you did not add these pages to your trusted pages, they should be fixed. If you didn't add '64.127.104.144' to your trusted pages, it should be fixed.

O15 - Trusted IP range: 64.127.104.144 (HKLM)
Possibly nasty If you did not add these pages to your trusted pages, they should be fixed. If you didn't add '64.127.104.144 (HKLM)' to your trusted pages, it should be fixed.

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
Possibly nasty Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed! Check if you know this site and fix it if you do not.

O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
Possibly nasty Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed! Check if you know this site and fix it if you do not.

O16 - DPF: {3B240FE6-F3DC-4E56-954D-257471ABF8F8} (Artwork Player) - http://www.geecreations.com/cab/artworkplayer.cab
Possibly nasty Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed! Check if you know this site and fix it if you do not.

O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.napster.com/client/setup.exe
Possibly nasty Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed! Check if you know this site and fix it if you do not.

O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX25.cab
Possibly nasty Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed! Check if you know this site and fix it if you do not.

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v5.cab
Possibly nasty Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed! Check if you know this site and fix it if you do not.

Looks like you've got a lot of spyware, so you need to fix this stuff. The ones in the unknown section I posted I'm not sure about, but the ones in the upper section you need to rid yourself of. If you don't have a spybot removal tool, I suggest Ad-Aware and Spybot Search & Destroy to start. Also make sure you're using a good virus scanner like Norton.

Hope this helps

Use Hijack to delete the entries and that should do it.
__________________
p4 3.0e 1 meg cache 800mhz
Abit ic7-max3
1 gig pc3200 ddr
Ati radeon 9800 pro


Last edited by Casper : 01-16-2005 at 04:19 PM.