Need some help with Hijackthis log

Discussion in 'Malware and Virus Removal Archive' started by BillB, 2004/10/26.

Thread Status:
Not open for further replies.
  1. 2004/10/26
    BillB (Thread Starter)
    This time it's my wife's PC that I need some help with. She was working online and AVG popped up a window that said she was infected with some kind of trojan virus. She stopped working (after closing the window of course) and asked me to take a look at it.

    I noticed the icon for Date Manager on the task bar and immediately uninstalled it. I updated Spybot, Adaware, and AVG and ran scans with each. AVG did not find any infected files which I found strange since it had already said there was one. Spybot found some things to clean up but also popped up an error. It said some things could not be fixed and asked to run on reboot. I closed it and did a restart and let it run again. It did the same thing (a copy of the results file is posted below). Adaware found some things to delete, mostly tracking cookies. I ran CWShredder and it came up clean. I also deleted the temporary internet files along with offline content, turned off system restore and ran the scans again. Spybot still comes up with the error, but the rest is clean.

    I'm posting the HJT log and the results file from Spybot in hopes that someone will take a look and let me know if anything else needs doing.

    HJT log:
    Logfile of HijackThis v1.98.2
    Scan saved at 7:35:11 PM, on 10/26/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Microsoft Office\Office\Osa.exe
    C:\Program Files\Microsoft Office\Office\Msoffice.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Quickenw\Qwdlls.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\spw\Hijackthis\HijackThis.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqfru07.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    N1 - Netscape 4: user_pref( "browser.startup.homepage ", "http://www.altavista.com "); (C:\Program Files\InfiNet Surfer Kit\Netscape\Users\Default\prefs.js)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
    O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O12 - Plugin for .bat: C:\PROGRAM FILES\INFINET SURFER KIT\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npaudio.dll
    O12 - Plugin for .mov: C:\PROGRAM FILES\INFINET SURFER KIT\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPQTW32.DLL
    O12 - Plugin for .scr: C:\PROGRAM FILES\INFINET SURFER KIT\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npaudio.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .swf: C:\PROGRAM FILES\INFINET SURFER KIT\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPSWF32.dll
    O13 - WWW. Prefix: http://
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4021/ftp.coupons.com/v3123/cpbrkpie.cab


    Spybot results file:

    Error during check!: Cabrotor (File C:\WINDOWS\win.ini cannot be opened. The process cannot access the file because it is being used by another process) ()


    GAIN.Gator: Log file (File, fixing failed)
    C:\WINDOWS\GatorUninstaller_cme_u.log

    GAIN.Gator: Log file (File, fixing failed)
    C:\WINDOWS\GatorUninstaller_cme.log

    GAIN.Gator: Log file (File, fixing failed)
    C:\WINDOWS\GatorHDPlugin.log


    --- Spybot - Search && Destroy version: 1.3 ---
    2004-05-12 Includes\LSP.sbi
    2004-08-11 Includes\Cookies.sbi
    2004-10-26 Includes\Dialer.sbi
    2004-10-26 Includes\Hijackers.sbi
    2004-10-07 Includes\Keyloggers.sbi
    2004-10-26 Includes\Malware.sbi
    2004-10-05 Includes\Revision.sbi
    2004-10-25 Includes\Security.sbi
    2004-10-26 Includes\Spybots.sbi
    2004-10-26 Includes\Trojans.sbi
    2004-10-21 Includes\Tracks.uti


    Any help would be greatly appreciated.
     
  2. 2004/10/27
    Lonny Jones
    Hello

    Close all browsers. Have HijackThis fix these items:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O13 - WWW. Prefix: http://
    ====================

    Run Spybot's check for updates; you have missed a couple.
    Then close the program.
    Download and run this updater; it will update/replace the actual Spybot executable:
    Spybot - Search 1.3.1 TX: http://www.majorgeeks.com/download4392.html

    Next, run Spybot's check for problems and fix anything found. If prompted that Spybot needs to start with Windows, always do so.

    Post a new HijackThis log and mention any problems you have noticed.
     

  4. 2004/10/27
    BillB (Thread Starter)
    Hi Lonny,

    Thanks for the reply. I followed your instructions, fixed the items in HJT, updated Spybot and downloaded the program update and ran it. Spybot found and fixed the 3 Gator entries this time. I was having trouble keeping the home page set in IE but that seems to be fixed now. Here is the new HJT log. Thanks again for the help.

    Logfile of HijackThis v1.98.2
    Scan saved at 11:23:11 AM, on 10/27/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Microsoft Office\Office\Osa.exe
    C:\Program Files\Microsoft Office\Office\Msoffice.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Quickenw\Qwdlls.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\spw\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    N1 - Netscape 4: user_pref( "browser.startup.homepage ", "http://www.altavista.com "); (C:\Program Files\InfiNet Surfer Kit\Netscape\Users\Default\prefs.js)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
    O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O12 - Plugin for .bat: C:\PROGRAM FILES\INFINET SURFER KIT\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npaudio.dll
    O12 - Plugin for .mov: C:\PROGRAM FILES\INFINET SURFER KIT\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPQTW32.DLL
    O12 - Plugin for .scr: C:\PROGRAM FILES\INFINET SURFER KIT\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npaudio.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .swf: C:\PROGRAM FILES\INFINET SURFER KIT\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPSWF32.dll
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4021/ftp.coupons.com/v3123/cpbrkpie.cab
     
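The two posts above (the helper's two-item fix list and the follow-up log) amount to a manual triage of HijackThis output followed by a before/after comparison. The script below does the same thing mechanically. It is an added example, not code from the thread or from HijackThis: it parses the `R0 - ...` / `O13 - ...` entry lines, applies two hand-written rules that mirror the two items the helper asked to have fixed, and reports which entries disappeared between the first and second log. The rules, function names and the trimming of the sample logs are assumptions of this example; the log lines themselves are excerpts of what was posted.

```python
"""Triage a HijackThis log and diff a before/after pair.

Added example; it is not code from the thread or from HijackThis itself.
It parses the 'R0 - ...' / 'O13 - ...' entry lines that HijackThis prints
(header and process list are skipped), applies two hand-written rules that
mirror the two items the helper told the poster to fix, and reports which
entries disappeared between the first and second log.  The rules and the
function names are assumptions of this example, not HijackThis logic; the
sample logs below are trimmed excerpts of the logs posted in the thread.
"""
import re
from typing import Callable, NamedTuple

# HijackThis entry lines look like "R0 - <body>", "O4 - <body>", "N1 - <body>".
HJT_LINE = re.compile(r"^(?P<section>[RNOF]\d+)\s+-\s+(?P<body>.+)$")


class Entry(NamedTuple):
    section: str  # e.g. "R0", "O4", "O13"
    body: str     # everything after the " - "


def parse_log(text: str) -> list[Entry]:
    """Return the entry lines of an HJT log in order, skipping everything else."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def _local_page_not_blank(body: str) -> bool:
    # IE's "Local Page" normally resolves to about:blank; a file path under
    # C:\WINDOWS\SYSTEM on an XP box (whose system dir is System32) is the
    # kind of leftover the helper had removed.
    return "Local Page" in body and "about:blank" not in body.lower()


def _any_prefix_override(body: str) -> bool:
    # The helper had every O13 (IE URL prefix) line fixed; flag them all.
    return True


# (section, predicate on the body, human-readable reason): this example's rules.
RULES: list[tuple[str, Callable[[str], bool], str]] = [
    ("R0", _local_page_not_blank, "IE Local Page points at a file, not about:blank"),
    ("O13", _any_prefix_override, "IE URL prefix override present"),
]


def triage(entries: list[Entry]) -> list[tuple[Entry, str]]:
    """Return (entry, reason) for every entry that trips a rule."""
    return [(e, reason) for e in entries
            for section, pred, reason in RULES
            if e.section == section and pred(e.body)]


def diff_logs(before: str, after: str) -> tuple[list[Entry], list[Entry]]:
    """Return (removed, added) entries between two logs, ignoring order."""
    b, a = set(parse_log(before)), set(parse_log(after))
    return sorted(b - a), sorted(a - b)


# Trimmed excerpts of the two logs posted in the thread (constructed sample input).
BEFORE_LOG = r"""
Logfile of HijackThis v1.98.2
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O13 - WWW. Prefix: http://
"""

AFTER_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
"""

if __name__ == "__main__":
    for entry, reason in triage(parse_log(BEFORE_LOG)):
        print(f"FIX  {entry.section} - {entry.body}\n     reason: {reason}")
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("removed since last log:", *(f"{e.section} - {e.body}" for e in removed), sep="\n  ")
    print("added since last log:", added or "none")
```

Running it on the two excerpts flags exactly the R0 Local Page line and the O13 line, and the diff confirms those two entries are gone from the second log with nothing new added, which is the check the helper made by eye before saying "Looks good". The diff is set-based on purpose: HijackThis reorders the process list between runs, so a plain line-by-line diff of the full log is noisy.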
  5. 2004/10/27
    Lonny Jones
    Looks good, BillB.

    Sometimes folks who had this (O13 - WWW. Prefix) and have fixed it report problems searching from the address bar.
    If you do, go here and use the RepairDefaultPrefix.reg:
    http://www.mvps.org/winhelp2002/unwanted.htm

    Interested in a firewall?
     
  6. 2004/10/27
    BillB (Thread Starter)
    Lonny,

    Thanks for the help, I really appreciate it. Her PC seems to be working fine again. Her PC is on our home network with cable internet behind a firewall router. She didn't start having problems until recently, especially after she signed up on eBay and started participating in auctions. I recently updated the PC from Win98SE to XP Pro also.

    I guess with the number of problems she's had it's time to consider firewall software for it. I have a copy of BlackIce, but are the free ones like Kerio and Zone Alarm just as good? I would prefer one that is not extremely difficult to setup, do you have any recommendations?
     
  7. 2004/10/27
    Lonny Jones
    I'm not sure about BlackIce; I have to assume any firewall that is a paid-for version will be slightly better than those which are free.
    ZA seems best for first-time users; Kerio and Sygate are great too.

    I suggest you fix these with HijackThis, especially Find Fast, which is useless:
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    ============
    Restart, then in Control Panel open the Find Fast icon and click Close/Stop.
     
  8. 2004/10/27
    Newt
    I run BlackIce myself and no way will it ever qualify as easy to set up.

    I think the latest free version of Zone Alarm is playing nice with XP but from what I read, some folks seem to prefer Kerio. If I were going with a different firewall and based on what I've read (but not tried) I think Kerio would be my choice.
     
  9. 2004/10/28
    BillB (Thread Starter)
    Hi Lonny & Newt,

    I fixed the OSA and Find Fast entries; if I removed the shortcut bar I would never hear the end of it.

    BlackIce definitely isn't easy to set up. I had it installed on my PC a while back when I first bought it, and it was a bear to get working the way I wanted it to. I removed it a while after installing my router; I never saw any hits in it once the router was in place. I've heard some people say that ZA is pretty good; those that I know of that have tried Kerio say it isn't as user-friendly. User-friendliness doesn't bother me too much as long as it is fairly intuitive. I think I will get the latest version of it and try it on my wife's machine, as long as I can get a firewall set up that she doesn't have to interact with much; otherwise I will be getting lots of calls at work. :)

    Thanks for the help and input guys, I really appreciate it.

    Bill
     