Could someone cast their eyes over this HJT log please?

Got this lot off another friends computer :-

Logfile of HijackThis v1.97.7
Scan saved at 08:20:35, on 09/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Apps\ActivBoard\MMKeybd.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\INCRED~1\bin\IncMail.exe
C:\Program Files\Samsung\Digimax Viewer 1.0\DigimaxViewer.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Apps\ActivBoard\OSD.exe
C:\Dan\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://aifind.inf/?id=54
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://aifind.inf/?id=54
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://aifind.inf/?id=54
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;<local>
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - Global Startup: Digimax Viewer 1.0.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {8699D723-6DC6-47D3-B55C-489BA006B917} - http://membersites.namezero.com/webmaster.sub-webdesign.de/tori/england/webinstall.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

I'm suspicious of the 016 entries and a few 04's

Advice greatly appreciated

 

Downloadand and run CWShredder
http://www.net-integration.net/tools/hijackthis.html#cwshredder <<from there Click Fix, don't just scan. You have several CoolWebSearch components which it should remove.
If you already have it, just download another copy and overwrite the old one..
To ensure its the latest version. currently its ver 1.57

Reboot after doing so
then run hijackthis
Place a check next to these, close all browers and programs that show in the taskbar including explorer folder's and hit fix selected.. usualy we say to reboot afterward but since theres no run items its not nessesary

Fix any unwanterd R1's and R0's
O16 - DPF: {8699D723-6DC6-47D3-B55C-489BA006B917} - http://membersites.namezero.com/web.../webinstall.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
then go get and install Spywareblaster


then please do post a fallow up log

 

In addition to what Lonny suggested, these R1's should be fixed.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://aifind.inf/?id=54
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://aifind.inf/?id=54
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://aifind.inf/?id=54

Also recommend you fix this.

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

Then end task on the msmsgs.exe process and maybe even uninstall Windows Messenger.

 

Heres the 'after fix' HJT log...

Logfile of HijackThis v1.97.7
Scan saved at 15:51:31, on 09/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Apps\ActivBoard\MMKeybd.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\INCRED~1\bin\IncMail.exe
C:\Program Files\Samsung\Digimax Viewer 1.0\DigimaxViewer.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Apps\ActivBoard\OSD.exe
C:\Dan\Hijack\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;<local>
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - Global Startup: Digimax Viewer 1.0.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

Once again, thanks very much for your help.I'm gradually teaching my self how to read these logs, but its always a good idea to have a second opinion

 

Pondlife

A little hint from experience ( sad one )

Once you get things cleaned up make sure you remove any and all Restore Points and any backups that may have been made. Especially from the C: drive.

If you do not do this you may be ( as I was ) right back to a re-infected machine. Or make all your cleanup time wasted.

BillyBob

 

Looks good to me. If you did uninstall Windows messenger, you could fix these too.

O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)

 

You could also do a huge favor to everyone in this person's address book by getting rid of the IncrediMail stuff.

 

Newt,

I'm intrigued and perplexed by that recommendation. Was it security related? I know nothing about Incredimail, so would you be kind enough to educate me please?

 

One of the free apps that let folks add lots of eye candy to email.

Not sure about when they first wrote it (maybe 4-5 years ago) but while it is not sending info out, it does seem to invite other baddies in. And I have no firm evidence that IncrediMail is doing the inviting - it may just be like a flower that puts out a sight and scent that attracts bees.

My main objection when I receive the stuff is all the overhead it adds to the email and the fact that it makes the post into a sort of picture so you really can't edit the thing if you want to pass parts along.

It really isn't a sneak app since you for sure have to install it if you want it.

Their site is Here. The fact that their download is over 5Mb and the add-ons folks have written for it are pretty large as well may give you an idea.

The do make a strong case that they are Not Spyware and make all their revinue from adverts. May be true.

 

Thank you Newt. Dont think I'll even go to their site though. That "over 5Mb" is enough to steer me the other way.

 

Thank you gents for your time and the pointers

Unfortunately the owner of this machine likes their Messanger and Incredimail so no joy there. Maybe once the machine has problems enough times they might reconsider

Billybob, they hadn't made any restore points thank god

 

Glad to help. BTW, the messenger I suggested uninstalling is not MSN Messenger, which is the more commonly used and is very similar. If they have MSN Messenger on board too, that would be the one they are using and uninstalling Windows Messenger will not affect it's use. Might want to install a firewall for them and a few other things to help protect against drive-bys and hijacks. Some progs. listed in Lonny's pinned thread, "TonyKleins-So how did I get infected" at the top of this forum.

 

Are you saying that XP is not doing its' job of making Restore Points ? ( just like my machine )

I would suggest that you check the HD for a System Volume Information folder to see if there is anything it. Or just run System Restore and check to see if it picks up any.

I suggest this because I have yet to see my XP Pro make a Restore Point on its own other than when installing or removing things ( as you are doing ) It does pretty good at that ( usually )

With Win98, 98SE it was a MUST that the RB00X.cab ( registry backup ) files be deleted after any housecleaning. 98 is MUCH more reliable about making the backups that it should.

Now mind you. This info I write is from the behavior of my machine. And things I have learned from same.

BillyBob