
Strange items in HijackThis Log

Discussion in 'Malware and Virus Removal Archive' started by Rockit, 2005/02/17.

Thread Status:
Not open for further replies.
  1. 2005/02/17
    Rockit

    Rockit Inactive Thread Starter

    Joined:
    2003/03/23
    Messages:
    464
    Likes Received:
    0
    Anybody know how to fix these entries in red? I select them to be fixed and it says they are being deleted .. but they keep coming back :(

    Thanks
    Rockit

    Logfile of HijackThis v1.99.1
    Scan saved at 3:03:07 PM, on 2/17/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\Program Files\FSI\F-Prot\fpavupdm.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\FSI\F-Prot\F-StopW.EXE
    C:\Program Files\FSI\F-Prot\F-Sched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Internet\Spybot - Search & Destroy\TeaTimer.exe
    C:\Internet\Avant Browser\avant.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Internet\Misc\HijackThis.exe

    O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
    O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
     
  2. 2005/02/17
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hi Rockit

    If you post the whole log someone may be able to help you, with nothing in the ignore list.
     


  4. 2005/02/18
    Rockit

    Rockit Inactive Thread Starter

    Joined:
    2003/03/23
    Messages:
    464
    Likes Received:
    0
    Ok .. Here it is ..

    Logfile of HijackThis v1.99.1
    Scan saved at 7:08:40 AM, on 2/18/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\Program Files\FSI\F-Prot\fpavupdm.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
    C:\Program Files\FSI\F-Prot\F-StopW.EXE
    C:\Program Files\FSI\F-Prot\F-Sched.exe
    C:\Utilitys\Misc\Gibson\PowerMenu.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Internet\Spybot - Search & Destroy\TeaTimer.exe
    C:\Internet\Avant Browser\avant.exe
    C:\Internet\Misc\HijackThis.exe

    O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
    O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
    O4 - HKLM\..\Run: [PowerMenu] C:\Utilitys\Misc\Gibson\PowerMenu -hideself on
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Internet\Spybot - Search & Destroy\TeaTimer.exe
    O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
    O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
    O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
    O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
     
  5. 2005/02/18
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
  6. 2005/02/18
    Rockit

    Rockit Inactive Thread Starter

    Joined:
    2003/03/23
    Messages:
    464
    Likes Received:
    0
    Hey Lonny,
    Thanks for the suggestion but .. I applied the reg file >RepairDefaultPrefix.reg< and the entries keep coming back. Tried deleting them with HijackThis but they keep coming back? I'm curious how I got the entries in the first place? Any other ideas?

    Cheers
    Rockit
     
  7. 2005/02/18
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    That's odd

    Try the
    RepairIE4XP.reg

    Run HijackThis, fix those items (if there) and restart the PC
     
  8. 2005/02/19
    Rockit

    Rockit Inactive Thread Starter

    Joined:
    2003/03/23
    Messages:
    464
    Likes Received:
    0
    Don't know what the heck I stumbled into but it won't die !! Did what you said Lonny and it's back? Looks like the reg file added a few extra items that I deleted also but they just came back? I also noticed a new service and have disabled it from running. Now I have to figure out how to remove this service. It's called "GEARSecurity". Not sure where I picked it up. I have just installed Norton Ghost 9.

    Well this explains the new service:

    These are the entries that keep coming back:

    O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
    O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
    O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} -

    Thanks
    Rockit
     
    Last edited: 2005/02/19
  9. 2005/02/20
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I've attached a zipped reg file to reset the default protocols. Unzip and close ALL IE windows before merging, then reboot and post a new log.
     
  10. 2005/02/21
    Rockit

    Rockit Inactive Thread Starter

    Joined:
    2003/03/23
    Messages:
    464
    Likes Received:
    0
    Thanks a lot Dave,
    That got rid of those pesky little devils. Now I delete these and they don't come back till I reboot.

    O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} -


    The file you attached wanted to download as "attachment.php" I just renamed it to a zip file and it worked. Will be saving that one.

    Thanks Again
    Rockit :)
     
    Last edited: 2005/02/21
  11. 2005/02/21
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Open Internet Options and click the Settings button in the Temporary Internet Files section, then View Objects. By the looks of your HJT log, there shouldn't be anything there. If there is, right click and remove. Download RegSeeker and extract to its own folder. Open and click Find in registry. Paste in the CLSIDs and check the boxes for all areas of the registry. I would suggest selecting all and exporting by right clicking within the search results. Then delete all. When done, reboot and run another scan. Let us know how it goes.

    {31FF080D-12A3-439A-A2EF-4BA95A3148E8}

    {53707962-6F74-2D53-2644-206D7942484F}

    {0E5F0222-96B9-11D3-8997-00104BD12D94}
     
  12. 2005/02/22
    Rockit

    Rockit Inactive Thread Starter

    Joined:
    2003/03/23
    Messages:
    464
    Likes Received:
    0
    Did what you said Dave and here's what keeps coming back.

    Thanks a lot

    Logfile of HijackThis v1.99.1
    Scan saved at 10:00:47 AM, on 2/22/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\FSI\F-Prot\F-Sched.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\Program Files\FSI\F-Prot\F-StopW.EXE
    C:\Utilitys\Misc\Gibson\PowerMenu.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Utilitys\Misc\Winamp\winampa.exe
    C:\Internet\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\FSI\F-Prot\fpavupdm.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Internet\Misc\HijackThis.exe

    O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} -
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
     
  13. 2005/02/23
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hi

    Those are inadvertently being put back by TeaTimer. An easy way to deal with that is to uninstall SpyBot, reboot the PC, delete Spybot's folder in Program Files, run HijackThis and fix those items, then re-install, check for updates then problems.

    Now if TeaTimer alerts to a change, don't use the remember decision option.
     
  14. 2005/02/26
    Rockit

    Rockit Inactive Thread Starter

    Joined:
    2003/03/23
    Messages:
    464
    Likes Received:
    0
    Thanks Lonny and Noahdfear,

    All set. Didn't have to uninstall spybot .. just went to advanced tools and removed them there.

    You guys are Fantastic !! :D

    Cheers
    Rockit
     
  15. 2005/02/26
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Glad to help Rockit. :)
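
Added example, not part of the original thread: a small Python parser for the HijackThis lines quoted above. It extracts the CLSIDs of O2/O16 entries that have no backing file or source and compares two scans to show which ones came back after a fix, which is the symptom that pointed to TeaTimer restoring them. The function and variable names are assumptions made for this illustration; the sample lines are copied from the posts dated 2005/02/21 and 2005/02/22.

```python
import re

# Sample input: lines copied from the HijackThis output quoted in this thread.
SCAN_FEB21 = """\
O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} -
"""
SCAN_FEB22 = SCAN_FEB21 + "O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -\n"
O15_LINE = ("O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, "
            "should be Internet Zone")

ENTRY = re.compile(r"^\s*(O\d+) - ([^:]+): (.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
ZONE = re.compile(r"'([^']+)' protocol is in (.+?) Zone, should be (.+?) Zone")

def parse(log):
    """Return (section, kind, detail) for each O-numbered line; skip everything else."""
    rows = []
    for line in log.splitlines():
        m = ENTRY.match(line)
        if m:
            rows.append((m.group(1), m.group(2).strip(), m.group(3).strip()))
    return rows

def orphaned_clsids(log):
    """CLSIDs of O2 entries marked '(no file)' and O16 entries with an empty source."""
    found = []
    for section, _kind, detail in parse(log):
        m = CLSID.search(detail)
        if not m:
            continue
        no_file = section == "O2" and detail.endswith("(no file)")
        no_source = section == "O16" and detail.endswith(" -")
        if no_file or no_source:
            found.append(m.group(0).upper())
    return found

def zone_mismatch(line):
    """For an O15 ProtocolDefaults line return (protocol, current zone, expected zone)."""
    m = ZONE.search(line)
    return m.groups() if m else None

def compare(before, after):
    """Classify orphaned CLSIDs across two scans taken before and after a fix."""
    b, a = set(orphaned_clsids(before)), set(orphaned_clsids(after))
    return {"recurring": sorted(a & b), "new": sorted(a - b), "cleared": sorted(b - a)}

if __name__ == "__main__":
    print(compare(SCAN_FEB21, SCAN_FEB22))
    print(zone_mismatch(O15_LINE))
```

Entries reported as recurring after a fix and reboot indicate that something on the system is writing them back, so the next step is to identify that writer rather than delete the keys again.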
     