- This topic has 26 replies, 8 voices, and was last updated 18 years, 11 months ago by m3rcy.
February 15, 2005 at 1:58 am, #16981, pacific (Member):
I'm getting pop-ups on IE, sometimes when I'm not using it. I've scanned using Ad-aware and Spybot (both fully updated) and deleted all the bad stuff listed on those, but I am still getting pop-ups. So can you please tell me what I need to remove?

Logfile of HijackThis v1.99.0
Scan saved at 8:54:52 PM, on 2/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
C:\WINDOWS\system32\??erinit.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Shawn Gebert\Desktop\Shawn’s Stuff\Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {C06B6751-D3EA-8D60-B36A-FB7A93B10D91} - C:\WINDOWS\system32\ategc.dll
O2 - BHO: (no name) - {C36B6721-D39E-841E-B36F-F47A96B80D97} - C:\WINDOWS\system32\ategc.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
O4 - HKCU\..\Run: [Rueu] C:\Documents and Settings\Shawn Gebert\Application Data\scic.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://help.bellsouth.net/sdccommon/download/tgctlcm.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1100547544014
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures06.aim.com/ygp/aol/plugin/upf/AOLUPF.en-US-AIM.9.5.1.8.cab
O16 - DPF: {B9F3009B-976B-41C4-A992-229DCCF3367C} (CoAxTrack Class) - http://ns-radio.netscape.com/radio/cabs/ampx.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: Kodak Camera Connection Software - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: PCTEL Speaker Phone - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: ScsiAccess - Unknown - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: WZCBDL Service - D-Link - C:\Program Files\WZCBDL Service\WZCBDLS.exe

February 15, 2005 at 4:01 am, #114648, Arsenal (Participant):
Don't delete it yet, but IMO C:\WINDOWS\system32\??erinit.exe looks very suspicious. But don't delete it until someone else agrees or something you trust.
February 15, 2005 at 6:02 pm, #114639, SS_AntiHacker (Member):
Possibly a new malware program. You can upload it to a temporary free server and give us the link so we can analyze it further, or just copy it to a different drive and delete it. I'm not 100% sure about this program until I actually have it, but I would say 80% it is not something that should be there.
February 15, 2005 at 11:22 pm, #114649, Arsenal (Participant):
Looks like a keylogger IMO.
February 16, 2005 at 9:06 pm, #114645, pacific (Member):
Okay, I removed the ????erinet.exe and am still getting pop-ups in IE.
This is the new log:

Logfile of HijackThis v1.99.0
Scan saved at 4:04:30 PM, on 2/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
C:\WINDOWS\system32\??erinit.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Shawn Gebert\Desktop\Shawn’s Stuff\Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {C06B6751-D3EA-8D60-B36A-FB7A93B10D91} - C:\WINDOWS\system32\ategc.dll
O2 - BHO: (no name) - {C36B6721-D39E-841E-B36F-F47A96B80D97} - C:\WINDOWS\system32\ategc.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
O4 - HKCU\..\Run: [Rueu] C:\Documents and Settings\Shawn Gebert\Application Data\scic.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://help.bellsouth.net/sdccommon/download/tgctlcm.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1100547544014
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures06.aim.com/ygp/aol/plugin/upf/AOLUPF.en-US-AIM.9.5.1.8.cab
O16 - DPF: {B9F3009B-976B-41C4-A992-229DCCF3367C} (CoAxTrack Class) - http://ns-radio.netscape.com/radio/cabs/ampx.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: Kodak Camera Connection Software - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: PCTEL Speaker Phone - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: ScsiAccess - Unknown - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: WZCBDL Service - D-Link - C:\Program Files\WZCBDL Service\WZCBDLS.exe

February 16, 2005 at 9:22 pm, #114650, Arsenal (Participant):
Found this via Google.
C:\WINDOWS\system32\??erinit.exe <-- Be careful not to delete a valid file of the same name (probably userinit.exe). If in doubt, right-click the file and select 'Properties'. Check under the Version tab that it's signed by Micro$oft. The malware file will be blank.
February 16, 2005 at 9:40 pm, #114640, SS_AntiHacker (Member):
Hi Pacific,
You might want to check for "??erinit.exe" one more time. It looks like it is still on your computer under c:\windows\system32. Sometimes it might be hidden, so check "Show hidden files and folders" under "Tools" => "Folder Options" => "View" tab. You can manually remove it in Safe Mode if Normal Mode doesn't work, or remove it through the HijackThis program.
The reason I said this is because your log still shows that file name on it.
Come back if you still have problems, we're glad to help you =)
February 17, 2005 at 1:09 am, #114644, pacific (Member):
So delete userinit.exe?
February 17, 2005 at 1:12 am, #114637, Tigerblade (Participant):
NO. Do not delete that file; it is a system file that your computer needs. I'll try to check into this a little more and get back to you. But no, don't delete that file if you want your computer to still run.
February 17, 2005 at 2:19 am, #114647, Arsenal (Participant):
pacific wrote: So delete userinit.exe?

NOOOO. You've obviously misunderstood. The one with ?? is a virus/adware/something bad. You should delete that. The userinit is good and you need it. The point of ??erinit is to confuse you into thinking it's a system file so you won't delete it. Here:
Delete: ??erinit.exe
DO NOT DELETE: userinit.exe
February 17, 2005 at 5:05 am, #114652, TBob2000 (Member):
ME TOO! ME TOO! I'm having this same problem and it's just started in the past 2-3 days. Did the last suggestion listed in this thread fix the problem? Should I try it?
Delete ??erinit.exe
But not userinit.exe

I've been wasting all my time with this problem. The Task Manager keeps showing prjmensagem is 'running' but there is no evidence of anything like that anywhere on my PC. I've been running Microsoft AntiSpyware, Norton A/V & I/S, AdAware, & SpyBot. I've even scanned with all of these in Safe Mode.
I've been using this PC for over a year and nothing like this has happened thus far; I've been successful or lucky in preventing this &#%@!!!!
Thanks for any advice or assistance or miracles.
February 17, 2005 at 6:01 am, #114641, SS_AntiHacker (Member):
This is definitely a new adware. It would be nice if any of you could zip it up, upload it to any free server and give me the link so I can analyze it. Could you guys make a screenshot of your Task Manager for the Applications and Processes tabs? I think that this new adware program was made in VB. I will try to find out what the program is called so you can zip it up. But first please zip up the "??erinit.exe" file =)
UPDATE: Try to search for all files that start with "newpop". The adware might have its file name as "newpopxx.exe" where "xx" is any number.
February 18, 2005 at 4:04 am, #114651, Arsenal (Participant):
Just curious, how good is HijackThis? Are its scans fast/slow? I'm thinking about getting it.
February 18, 2005 at 7:56 am, #114642, SS_AntiHacker (Member):
Hi Arsenal,
HijackThis is not a program to scan and detect adware, spyware, etc. It's just a tool to view everything, well... almost everything installed that auto-starts on your computer, so you can remove it manually. That means if you don't know what you are doing, you can remove a perfectly good file.
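Because HijackThis leaves the judgement to the reader, as SS_AntiHacker says, and because the thread's whole difficulty was telling ??erinit.exe apart from userinit.exe, here is an added triage script (not from this thread or from HijackThis) that runs over a constructed sample in the format of the logs posted above and flags the entries a reviewer should look at first. The list of core system binaries and the "at most two characters differ" lookalike threshold are assumptions of the example.

```python
import os
import re

# Constructed sample in the format of the HijackThis 1.99 logs posted in this thread
# (backslashes restored; "??erinit.exe" is kept exactly as it appeared in the log).
SAMPLE_LOG = r"""
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\??erinit.exe
O2 - BHO: (no name) - {C06B6751-D3EA-8D60-B36A-FB7A93B10D91} - C:\WINDOWS\system32\ategc.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Rueu] C:\Documents and Settings\Shawn Gebert\Application Data\scic.exe
"""

# Assumed list of core Windows binaries that a lookalike name tries to blend in with.
SYSTEM_NAMES = ["userinit.exe", "winlogon.exe", "smss.exe", "services.exe",
                "lsass.exe", "svchost.exe", "explorer.exe", "spoolsv.exe"]
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)", re.IGNORECASE)
PROFILE_RE = re.compile(r"\\(Application Data|Documents and Settings)\\", re.IGNORECASE)

def lookalike_of(name):
    """Return the system binary `name` imitates: same length, at most 2 characters differ."""
    name = name.lower()
    for sysname in SYSTEM_NAMES:
        if len(sysname) == len(name) and name != sysname:
            if sum(a != b for a, b in zip(name, sysname)) <= 2:
                return sysname
    return None

def triage(log_text):
    """Return [(line, reason), ...] for the log entries a reviewer should check first."""
    findings = []
    for line in log_text.strip().splitlines():
        path = next(iter(PATH_RE.findall(line)), "")
        base = os.path.basename(path.replace("\\", "/"))
        reasons = []
        # '?' is illegal in a Windows file name: it stands for characters the log could not display.
        if "?" in base:
            reasons.append("file name contains undisplayable characters")
        twin = lookalike_of(base)
        if twin:
            reasons.append("name mimics system file " + twin)
        if line.startswith("O2") and "(no name)" in line:
            reasons.append("browser helper object with no name")
        if line.startswith("O3") and "(no file)" in line:
            reasons.append("toolbar entry whose file is missing")
        if line.startswith("O4") and PROFILE_RE.search(path):
            reasons.append("autostart entry pointing into a user profile")
        findings.extend((line, r) for r in reasons)
    return findings
```

The real winlogon.exe and the avast! Run entry produce no finding, while ??erinit.exe is reported twice (undisplayable characters and a userinit.exe lookalike); a flagged entry is a reason to check the file's Properties/Version tab, not on its own a reason to delete.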
February 18, 2005 at 3:09 pm, #114646, pacific (Member):
There is no ??erinit.exe, and I looked in hidden files too.