Health check for a friend's laptop


rotorcraig
1st Feb 2005, 17:46
Would our resident HijackThis experts please take a look at the following.

Comes from the laptop of a friend, who suspects that teenage forces may have "suboptimised" it over several months!!

Logfile of HijackThis v1.99.0
Scan saved at 11:09:25, on 01/02/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\CTSvcCDA.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINNT\DHUpdt.exe
C:\WINNT\dhbrwsr.exe
C:\Program Files\MSN Apps\Updater\01.02.0001.1004\en-gb\msnappau.exe
C:\WINNT\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Windows AdControl\WinAdCtl.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Windows AdControl\WinAdAlt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\internat.exe
C:\freeserve\freeserveconnectionkit\atdialler1.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\explorer.exe
C:\WINNT\dhsvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\COMPAQ1\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/iesearch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINNT\bxxs5.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.0001.1004\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.0001.1004\en-gb\msntb.dll (file missing)
O2 - BHO: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINNT\dealhlpr.dll
O3 - Toolbar: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINNT\dealhlpr.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.0001.1004\en-gb\msntb.dll (file missing)
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Explkw] C:\WINNT\System32\expup.exe
O4 - HKLM\..\Run: [DealHelperUpdate] C:\WINNT\DHUpdt.exe
O4 - HKLM\..\Run: [DealHelperBrwsr] C:\WINNT\dhbrwsr.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINNT\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.0001.1004\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [Windows AdControl] C:\Program Files\Windows AdControl\WinAdCtl.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKCU\..\Run: [msmc] C:\WINNT\system32\msmc.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - Global Startup: Freeserve Connection Kit.lnk = C:\freeserve\freeserveconnectionkit\atdialler1.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=bcd30af74226a5a201d2f77236eaf9838c6187dade2a4655a218dbb08c7b73a8e5496816aea03d84946d3432af1b4ceef193a9f5415d77a1f85b42:c116936837df0d58d3bae453b34442a0
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://mail.ko.com/iNotes.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://mail.ko.com/InternalSite/WhlCompMgr.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1025976.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?323
O16 - DPF: {EB533642-0AFC-4559-A494-8CFFA296ACAE} (Whale Attachment Wiper for IE4 and higher) - https://mail.ko.com/images/whlcache.cab?egap=internal
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28578.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{454D872A-43D2-4BC4-A9E8-9C83F6203889}: NameServer = 195.92.195.94 195.92.195.95
O18 - Filter: text/html - {CC905FF6-B553-496C-9DFA-CFF65ADCD0FC} - C:\WINNT\System32\msdhmd.dll
O23 - Service: AVG6 Service - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTSvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: hpdj - HP - C:\DOCUME~1\COMPAQ1\LOCALS~1\Temp\hpdj.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

Thanks in advance,

RC

rotorcraig
4th Feb 2005, 14:33
Just nudging this back up to the top; is anyone able to provide advice please?

Thanks in advance,

RC

DeepC
4th Feb 2005, 16:38
If E-Liam doesn't show up in the next half hour I'll reply.

Not an expert by any means but I think I might be able to help you a little bit.

DeepC

Rotorcraig,

I believe a call to Trend Micro House Call is in order to begin with!

You are going to have to excuse me here. I have posted the entries that I believe need fixing but I really think that you should wait till E-Liam has a peep at this thread and confirms what I am saying is kosher. He's lurking online now so perhaps he might care to add his 2p. He can add his cut and paste top and bottom!
Trying to learn the black art of HJT and using your thread for practice.

DeepC

----------------------------------------------------

C:\WINNT\DHUpdt.exe
C:\WINNT\dhbrwsr.exe
C:\Program Files\Windows AdControl\WinAdCtl.exe
C:\Program Files\Windows AdControl\WinAdAlt.exe
C:\WINNT\dhsvr.exe

O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINNT\bxxs5.dll
O2 - BHO: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINNT\dealhlpr.dll
O3 - Toolbar: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINNT\dealhlpr.dll
O4 - HKLM\..\Run: [Explkw] C:\WINNT\System32\expup.exe
O4 - HKLM\..\Run: [DealHelperUpdate] C:\WINNT\DHUpdt.exe
O4 - HKLM\..\Run: [DealHelperBrwsr] C:\WINNT\dhbrwsr.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINNT\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [Windows AdControl] C:\Program Files\Windows AdControl\WinAdCtl.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKCU\..\Run: [msmc] C:\WINNT\system32\msmc.exe
O18 - Filter: text/html - {CC905FF6-B553-496C-9DFA-CFF65ADCD0FC} - C:\WINNT\System32\msdhmd.dll

If you don't recognise any of the following then check these also.
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

E-Liam
4th Feb 2005, 17:52
Hi RC,

I was indeed lurking, as Deep C alluded.. :D I was writing War and Peace on another thread.. :D:D

Just to let you know I'm checking it now.

Cheers

Liam

Hi RC,

First a note. Bearshare is bundled with Spy/Adware. I've recommended deletion in the following. If you want an alternative, then please read here (http://www.spywareinfo.com/articles/p2p/).

Please go here (http://www.thepykiller.co.uk) and download, unzip and then open CoolWebShredder. Then click on the Updates button and follow the prompts. Next, run the program by clicking on the Fix-> button.

Then you need to place Hijack This in its own folder (e.g. C:\HJT\...) so it can generate backup files to the same folder; needed should an entry be accidentally deleted. Then please run a new HJT scan, and check to fix the following entries, being sure to double check that you haven't missed any. Next, close all browser windows and click the Fix checked button...

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R3 - URLSearchHook: (no name) - - (no file)

O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINNT\bxxs5.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.0001.1004\en-gb\msntb.dll (file missing)

O2 - BHO: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINNT\dealhlpr.dll

O3 - Toolbar: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINNT\dealhlpr.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.0001.1004\en-gb\msntb.dll (file missing)

O4 - HKLM\..\Run: [Explkw] C:\WINNT\System32\expup.exe

O4 - HKLM\..\Run: [DealHelperUpdate] C:\WINNT\DHUpdt.exe

O4 - HKLM\..\Run: [DealHelperBrwsr] C:\WINNT\dhbrwsr.exe

O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe

O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINNT\bxxs5.dll,DllRun

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"

O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\System32\P2P Networking\P2P Networking.exe /AUTOSTART

O4 - HKLM\..\Run: [Windows AdControl] C:\Program Files\Windows AdControl\WinAdCtl.exe

O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause

O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q

O4 - HKCU\..\Run: [msmc] C:\WINNT\system32\msmc.exe

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...b34442a0

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://static.topconverting.com/activex/loader2.ocx

O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1025976.exe

O18 - Filter: text/html - {CC905FF6-B553-496C-9DFA-CFF65ADCD0FC} - C:\WINNT\System32\msdhmd.dll

Next, please double click on the My Computer icon on the desktop. Go to Tools | Folder Options, click on the View tab and make sure that Show hidden files and folders is checked. Also uncheck Hide protected operating system files. Now click Apply to all folders, then click Apply then OK.

Then boot into safe mode, (see here (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406) for info if needed) and delete the entire contents of the C:\Windows\Temp (or C:\WINNT\Temp) folder, but not the folder itself. Next please find and delete the following files...

C:\WINNT\bxxs5.dll

C:\WINNT\dealhlpr.dll

C:\WINNT\System32\expup.exe

C:\WINNT\DHUpdt.exe

C:\WINNT\dhbrwsr.exe

C:\WINNT\dhsvr.exe

c:\installer\id53.exe

C:\WINNT\system32\msmc.exe

C:\WINNT\System32\msdhmd.dll

..and these folders...

C:\WINNT\System32\P2P Networking

C:\Program Files\Windows AdControl

C:\Program Files\BearShare

C:\PROGRA~1\CLOCKS~1

Then please boot back into normal mode and download AdAware SE from here (http://www.lavasoftusa.com/support/download/).

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

Next, we need to configure Ad-aware for a full scan.

Click on the Gear icon (second from the left) to access the preferences/settings window

1. In the General window make sure the following are selected:
· Automatically save log-file
· Automatically quarantine objects prior to removal
· Safe Mode (always request confirmation)

2. Click on the Scanning button on the left and select :
· Scan Within Archives
· Scan Active Processes
· Scan Registry
· Deep Scan Registry
· Scan my IE favorites for banned URL’s
· Scan my Hosts file

· Under Click here to select drives + folders, choose:
· All of your hard drives | Proceed

3. Click on the Advanced button on the left and select:
· Include additional process information
· Include additional file information
· Include environment information

4. Click the Tweak button and select:
· Under the Scanning Engine:
· Unload recognized processes & modules during scan
· Include additional Ad-aware settings in logfile
· Under the Cleaning Engine:
· Let Windows remove files in use at next reboot

5. Click on Proceed to save the settings.

6. Click Start and on the next screen choose:
· Use Custom Scanning Options

7. Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

Next, please reboot again and download Spybot - Search & Destroy 1.3 from here (http://security.kolla.de), if you haven't already got the program.

Click on Updates | Download Updates, and follow the prompts.

Next, close all Internet Explorer windows, and click Check for Problems. Once the scan is complete, have SpyBot remove all it finds marked in RED.

Next reboot and go here (http://housecall.trendmicro.com/housecall/start_corp.asp), and run the online virus scan; choosing the Autoclean option just before clicking the Scan button. Then please post a new log for a final once over.

Next, download and run CCleaner (http://www.ccleaner.com/). If you have certain cookies you want to retain, then click on the Options button before running, and move across the ones that you want to keep...

Cheers

Liam

EDIT: Apologies, I forgot to disable smilies before posting, hence all the \\. Too many to remove on edit.. :ok: :)
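The triage above is done by eye: the reviewers pick out orphaned entries, search settings reset to about:blank, DLLs and autoruns dropped straight into C:\WINNT, unnamed or non-.cab O16 downloads, and the text/html O18 filter. As an added example (not code from the thread, from HijackThis, or from either reviewer), here is a small Python first-pass that encodes those structural rules and parses the R/O sections of a HijackThis log. The sample lines are copied from the log posted above; the rules themselves are my assumption about what is worth a second look, not a verdict on any entry.

```python
"""First-pass triage of a HijackThis log (added example, not HijackThis code).

Flags the entry classes the reviewers picked out by hand: orphans, search
settings reset to about:blank, BHO/autorun files sitting directly in the
Windows directory, O16 downloads with no class name or a non-.cab target,
and third-party MIME filters (O18). Rules are structural assumptions only.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

WINDOWS_ROOTS = ("c:\\winnt", "c:\\windows")
STANDARD_PREFIXES = ("c:\\program files", "c:\\progra~1") + tuple(
    r + "\\" for r in WINDOWS_ROOTS)
ENTRY_RE = re.compile(r"^(R\d|O\d+)\s+-\s+(.*)$")
# First drive-qualified path ending in a loadable extension (spaces allowed).
PATH_RE = re.compile(r"[a-z]:\\.*?\.(?:exe|dll|ocx|cpl|com)", re.IGNORECASE)
# O16 layout: DPF: {clsid} (optional class name) - download target
DPF_RE = re.compile(r"DPF:\s*\{[^}]+\}\s*(\([^)]*\))?\s*-?\s*(\S*)")

# Constructed sample: a subset of lines copied from the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINNT\bxxs5.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.0001.1004\en-gb\msntb.dll (file missing)
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [DealHelperUpdate] C:\WINNT\DHUpdt.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINNT\bxxs5.dll,DllRun
O4 - HKCU\..\Run: [msmc] C:\WINNT\system32\msmc.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1025976.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O18 - Filter: text/html - {CC905FF6-B553-496C-9DFA-CFF65ADCD0FC} - C:\WINNT\System32\msdhmd.dll
"""


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def _first_path(text: str) -> Optional[str]:
    m = PATH_RE.search(text)
    return m.group(0).lower() if m else None


def _in_windows_root(path: str) -> bool:
    """True when the file sits directly in C:\\WINNT or C:\\Windows, not a subfolder."""
    for root in WINDOWS_ROOTS:
        if path.startswith(root + "\\") and "\\" not in path[len(root) + 1:]:
            return True
    return False


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # process list, headers, blank lines
        section, body = m.group(1), m.group(2)
        lowered = body.lower()
        reason: Optional[str] = None
        if "(no file)" in lowered or "(file missing)" in lowered:
            reason = "orphan: registry entry points at a file that is not there"
        elif section.startswith("R"):
            if "search" in lowered and lowered.endswith("= about:blank"):
                reason = "search setting reset to about:blank"
        elif section in ("O2", "O3"):
            path = _first_path(body)
            if path and _in_windows_root(path):
                reason = "BHO/toolbar DLL dropped straight into the Windows directory"
        elif section == "O4":
            path = _first_path(body)  # for rundll32 entries this is the DLL argument
            if path and (_in_windows_root(path) or not path.startswith(STANDARD_PREFIXES)):
                reason = "autorun from the Windows root or a non-standard folder"
        elif section == "O16":
            dm = DPF_RE.search(body)
            # No class name, or a target that is not a .cab (an .exe, an .ocx, or
            # nothing at all: a registered control stays installed without a source).
            if dm and (dm.group(1) is None or not dm.group(2).lower().endswith(".cab")):
                reason = "ActiveX download with no class name or a non-.cab target"
        elif section == "O18" and lowered.startswith("filter:"):
            reason = "third-party MIME filter; text/html filters are a classic hijack hook"
        if reason:
            findings.append(Finding(section, reason, raw.strip()))
    return findings


def flagged_paths(findings: List[Finding]) -> Set[str]:
    """Local files behind non-orphan findings: the safe-mode 'find and delete' list."""
    paths: Set[str] = set()
    for f in findings:
        if f.reason.startswith("orphan"):
            continue
        p = _first_path(f.line)
        if p:
            paths.add(p)
    return paths


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"{f.section:<4}{f.reason}\n    {f.line}")
    print("delete candidates:", sorted(flagged_paths(hits)))
```

On the sample this flags the two orphans, the about:blank SearchAssistant, bxxs5.dll (as BHO and as a rundll32 autorun), DHUpdt.exe, id53.exe, the three O16 entries and the O18 filter, and leaves SDHelper.dll and the AVG autorun alone. It says nothing about the HKCU msmc.exe autorun in System32 that Liam fixed: purely structural rules stop there, and knowledge of the specific adware families is what fills the gap, which is exactly why the thread asks an experienced reader to confirm the list before anything is deleted.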

rotorcraig
4th Feb 2005, 19:59
Thanks guys, will get my mate to follow that through, and will repost a HijackThis log when done!

RC