WTF ... IS WTF!?
We are a collective of people who believe in freedom of speech, the rights of individuals, and free pancakes! We share our lives, struggles, frustrations, successes, joys, and prescribe to our own special brand of humor and insanity. If you are looking for a great place to hang out, make new friends, find new nemeses, and just be yourself, WTF.com is your new home.

A little help here

_Kitana_

Angel of Death
4,674
46
0
#1
This is a logfile for a friend of mine computer. He from the uk. Said something about someone hacking his webcam and broadcasting it at the local pub. I am guessing he has BO or a forum of it, I am not sure. I had him run the Hijack this and it falls below. Guys take a look at this pls... I have a pretty good guess what files to have him remove....

But just want to double check since this is someone else system. Thanks

Logfile of HijackThis v1.99.0
Scan saved at 11:03:21, on 05/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Apps\ActivBoard\nhksrv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\htpatch.exe
C:\Apps\ActivBoard\MMKeybd.exe
C:\Program Files\QuickTime\qttask.exe
C:\apps\ActivSurf\4448364\Program\backweb-4448364.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\BTYAHO~1\Help\SMARTB~1\MotiveSB.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\KODAK\KODAK Software
Updater\7288971\Program\backWeb-7288971.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\BT Yahoo!\Help\bin\mpbtn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Apps\ActivBoard\OSD.exe
C:\Program Files\Logitech\ImageStudio\LowLight.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\WinMX\WinMX.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\john\Local Settings\Temp\Temporary Directory 1 for
hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://www.lbxesvqflfcvvwuhsdtmqts....qjJ8py0qZ6RF5Y_L_jQEwwiHvVIN6CqnBbqiNSgy.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://runonce.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://bt.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak =
http://runonce.msn.com/
R3 - URLSearchHook: (no name) - _{43F02779-6D88-4958-8AD3-83C12D86ADC7} -
(no file)
R3 - URLSearchHook: Advanced Searchbar -
{43F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced
Searchbar\Toolbar.dll (file missing)
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} -
C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -
C:\Program Files\NewDotNet\newdotnet6_38.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN
Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} -
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} -
C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} -
C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D58B8597-7B1D-60E3-13B0-2901D10AD7BA} -
C:\DOCUME~1\john\APPLIC~1\MPEGAM~1\barbblue.exe
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} -
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -
C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program
Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Advanced Searchbar - {43F02779-6D88-4958-8AD3-83C12D86ADC7} -
C:\Program Files\Advanced Searchbar\Toolbar.dll (file missing)
O3 - Toolbar: FunBar - {2CA511C5-C677-4e33-A018-EADF07E08299} -
C:\PROGRA~1\FUNBAR~1.01\funbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program
files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"
-atboottime
O4 - HKLM\..\Run: [ActivSurf]
C:\apps\ActivSurf\4448364\Program\backweb-4448364.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet
Security\UrlLstCk.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common
Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program
Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program
Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN
Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [ggkoukio] C:\WINDOWS\System32\tyjdmc.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE
Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32
C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [BTopenworld] "c:\program files\bt yahoo!
internet\DialBTYahoo.exe" /ReInstallAutoDial
O4 - HKLM\..\Run: [Motive SmartBridge]
C:\PROGRA~1\BTYAHO~1\Help\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe
/startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus!
3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program
Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Browse Knob] C:\DOCUME~1\john\APPLIC~1\PLAYOP~1\Web
Readme.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
/background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe"
/background
O4 - Global Startup: BT Yahoo! Help.lnk = C:\Program Files\BT
Yahoo!\Help\bin\matcli.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program
Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program
Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program
Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &Google Search - res://c:\program
files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Trace with Visual Trace -
C:\PROGRA~1\VISUAL~1\NTXcontext.htm
O8 - Extra context menu item: Backward Links - res://c:\program
files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program
files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program
files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program
files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Advanced Searchbar -
{43F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced
Searchbar\Toolbar.dll (file missing)
O9 - Extra 'Tools' menuitem: Advanced Searchbar -
{43F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced
Searchbar\Toolbar.dll (file missing)
O9 - Extra button: BT Yahoo! Sidebar -
{51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program
Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar -
{51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program
Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}
- C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger -
{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} -
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\MSMSGS.EXE
O9 - Extra button: McAfee Visual Trace -
{9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\VISUAL~1\NTXtoolbar.htm
(HKCU)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\Program Files\Internet
Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://bt.yahoo.com
O15 - Trusted Zone: messenger.hotmail.com
O15 - Trusted Zone: loginnet.passport.com
O15 - Trusted Zone: login.passport.net
O15 - Trusted Zone: memberservicesnet.passport.net
O16 - DPF: Yahoo! Chat -
http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/FunBuddyIconsFWBInitialSetup1.0.0.8-2.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) -
C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio
Conferencing) -
http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) -
 

_Kitana_

Angel of Death
4,674
46
0
#2
C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload
Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient
Class) -
http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF}
(MsnMessengerSetupDownloadControl Class) -
http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) -
http://zone.msn.com/binFramework/v10/ZIntro.cab32651.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) -
http://zone.msn.com/bingame/isan/default/popcaploader_v6.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class)
- http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CD} -
http://direct.data-line.us/gbn298.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program
Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program
Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation -
C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program
Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Dcfssvc - Eastman Kodak Company -
C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation
- C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server - Unknown - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation -
C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton
Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation -
C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)
O23 - Service: Symantec Network Drivers Service - Symantec Corporation -
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program
Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program
Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) - H+H Software
GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1
 

Hypertron

Asshole of the Year
457
0
16
#4
430-B101-42AD-A544-FADC6B084872} -
_Kitana_ said:
C:\Apps\ActivBoard\nhksrv.exe
C:\Apps\ActivBoard\MMKeybd.exe
C:\apps\ActivSurf\4448364\Program\backweb-4448364.exe
C:\PROGRA~1\BTYAHO~1\Help\SMARTB~1\MotiveSB.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\KODAK\KODAK Software
Updater\7288971\Program\backWeb-7288971.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Apps\ActivBoard\OSD.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
R3 - URLSearchHook: (no name) - _{43F02779-6D88-4958-8AD3-83C12D86ADC7} -
(no file)
R3 - URLSearchHook: Advanced Searchbar -
{43F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced
Searchbar\Toolbar.dll (file missing)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} -
C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} -
C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} -
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program
Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Advanced Searchbar - {43F02779-6D88-4958-8AD3-83C12D86ADC7} -
C:\Program Files\Advanced Searchbar\Toolbar.dll (file missing)
O3 - Toolbar: FunBar - {2CA511C5-C677-4e33-A018-EADF07E08299} -
C:\PROGRA~1\FUNBAR~1.01\funbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program
files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [ActivSurf]
C:\apps\ActivSurf\4448364\Program\backweb-4448364.exe
O4 - HKLM\..\Run: [BTopenworld] "c:\program files\bt yahoo!
internet\DialBTYahoo.exe" /ReInstallAutoDial
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program
Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program
Files\KODAK\KODAK Software
O9 - Extra button: Advanced Searchbar -
{43F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced
Searchbar\Toolbar.dll (file missing)
O9 - Extra 'Tools' menuitem: Advanced Searchbar -
{43F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced
Searchbar\Toolbar.dll (file missing)
O9 - Extra button: BT Yahoo! Sidebar -
{51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program
Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar -
{51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program
Files\Yahoo!\browser\ysidebarIE.dll
whew...ok lets see here, thats all i can see that is pretty much crap lets go through some stuff...

1. anything with, C:\Apps\ActivBoard\ , does not need to be running.
2. i have no clue what, C:\PROGRA~1\BTYAHO~1\Help\SMARTB~1\MotiveSB.exe , is so yeah ask jung or someone about that one.
3. Any kind of messanger dose not need to be in start up, we will go over that in a second.
4. get your friend to completely delete Internet Explorer, thats part of his problem with most of this crap here anyways, tell him to download mozilla firefox or opera
5. ok heres a big one...search bars, browers compainions, sidebars, advanced searchbars, CRAP...crap crap crap crap crap don't download them whatever you need them for you can do with google avoid at all costs, if you feel the urge to download one download googles, it has google search and a pop-up blocker
6. O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet...wtf would any program need a installquiet? thats bad.
7. Take kodak stuff off start up it dosn't need to be running in the background all its doin is using up resources, im pretty sure that he isn't using kodak stuff constantly
8. ok now for start up...go to start > run > msconfig > click on the tab that says start up > you are gonna want video drivers to be on start up, his keyboard and mouse drivers, viewmanager, ctfmon, a pretty good rule of thumb is if he has C:/WINDOWS in the command part of the info about it then it needs to be turned on, if it isn't that its a pretty safe bet that there is no need for it to be on start up, when you get done with that click apply and it will ask you to restart your computer, when you restart and get back into windows a box will come up that says you are running a custom start up config and it will ask if that is correct, make sure that you check the box that says something like do not display this at start up, or if its the other way around uncheck it.

hope i helped a lil, I'm more of a hardware and networking guy so these are just the things that jumped out at me, you might want to ask jung or max if there is anything that they see to add to this or take away from what i have put here.
 

Jung

???
Premium
13,998
2,267
487
#5
Hypertron said:
C:\PROGRA~1\BTYAHO~1\Help\SMARTB~1\MotiveSB.exe , is so yeah ask jung or someone about that one.
http://www.liutilities.com/products/wintaskspro/processlibrary/motivesb/
It can be disabled.
4. get your friend to completely delete Internet Explorer, thats part of his problem with most of this crap here anyways, tell him to download mozilla firefox or opera
You can't completely delete IE, it's just an extension of Explorer (the shell). You can remove it from add/remove components, but as soon as you go to windows update (from start menu), it'll open back up.

That said, IE is a HUGE security hole, and NOBODY should be using it, except for Windows Updates.

http://www.microsoft.com/technet/security/bulletin/advance.mspx

Microsoft just announced a press released of their upcoming 13 security patches. ALL of which were critical, most which have been known vulnerabilities for up to 6 months. Save yourself a lot of trouble, and drop IE. Microsoft isn't worried about it's security or standards compliance.

I'll second, third and fourth the suggestion to start using Opera or Firefox.
6. O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet...wtf would any program need a installquiet? thats bad.
That's the Nvidia 'Nwiz' service, it's mostly used for monitor spanning. It can be disabled.
C:\Apps\ActivBoard\nhksrv.exe
Pointless Compaq/Dell service; get rid of it.
backweb-4448364.exe
http://www.2-spyware.com/file-backweb-4448364-exe.html
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
Get rid of any and everything from new.net.
O4 - HKCU\..\Run: [Browse Knob] C:\DOCUME~1\john\APPLIC~1\PLAYOP~1\Web
Readme.exe
That looks like the Bagle D worm.
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?Vname=WORM_BAGLE.D&VSect=T

Other than that, tell him to grab a trial copy of Kaspersky Anti Virus, Pest Patrol, Spyware Blaster and Spybot. Make sure all the programs are up to date, as well as the definitions and run through scans.

Also, some very thorough mal ware information (written by a friend of mine.): http://shsc.info/SpywareFAQ
 

Hypertron

Asshole of the Year
457
0
16
#6
so jung howd i do? that was the first hijack this system log i've ever gone through