Avast WEBforum

Other => General Topics => Topic started by: DouglasMiller on May 31, 2005, 01:11:52 PM

Title: spyware and Antivirus programs not responding
Post by: DouglasMiller on May 31, 2005, 01:11:52 PM
None of my antivirus (avast) or my spyware (Ad-Aware) programs load. When I try to download and install new ones they won't open either. I also have an eMachines and have BigFix, which won't load. I am attaching my HJT logfile. I believe the problem is the following line.

O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)

I try to repair it but it keeps coming up. I don't know where it is coming from. Can anyone suggest something? I can access the computer through safe mode and administrator and run the virus scan and Ad-Aware with no problems. However, once I access it normally it stops working again.

Logfile of HijackThis v1.99.1
Scan saved at 7:09:32 AM, on 5/31/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\aim\aim.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Douglas Miller\My Documents\My Downloads\Virus Related\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: FlashEnhancer Ext - {5EDB03AF-0341-4e96-9E9B-3171522E4BAF} - c:\Program Files\Fla\fla.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Verizon Online Dialer.lnk = C:\Program Files\Common Files\Verizon Online\ConnMgr\Verizon Online.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O9 - Extra button: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra 'Tools' menuitem: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1115059049000
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FF42BC1-C61E-4FA3-A82F-576E7B1AA544}: NameServer = 199.45.32.43 199.45.32.38

Title: Re: spyware and Antivirus programs not responding
Post by: Spyros on May 31, 2005, 01:41:50 PM
-1-
Your online hijackthis log analysis (will be there for 3 days):
http://hijackthis.de/logfiles/42517631ad98ae77f299a3f3a4694b09.html


-2-
From Eddy's hijackthis log file analyzer:
--------------------------------------------------------------------------------
CHECKING HIJACKTHIS, WINDOWS, INTERNET EXPLORER AND FIREWALL :
--------------------------------------------------------------------------------
Old version of Internet Explorer detected, please update.
Your Operating System is not up-to-date. (Latest service pack not installed)
No software firewall detected. If you are not using a
hardware firewall, it is highly recommended to install one.

--------------------------------------------------------------------------------
THESE ITEMS ARE EITHER HARMFULL OR A SECURITY RISK
WE STRONGLY RECOMMEND TO FIX THEM :
--------------------------------------------------------------------------------
\progra~1\verizo~1\suppor~1\smartb~1\motivesb.exe
\program files\aws\weatherbug\weather.exe
r1 - hklm\software\microsoft\internet explorer\main
o2 - bho: (no name) - {0ad937e7-2f37-4873-a05e-548a67ef1d0e} - (no file)
o4 - hklm\..\run: [motive smartbridge] c:\progra~1\verizo~1\suppor~1\smartb~1\motivesb.exe
o4 - hkcu\..\run: [weather] c:\program files\aws\weatherbug\weather.exe 1
o4 - global startup: verizon online support center.lnk = c:\program files\verizon online\supportcenter\bin\matcli.exe
o9 - extra button: weatherbug - {af6cabab-61f9-4f12-a198-b7d41ef1cb52} - c:\progra~1\aws\weathe~1\weather.exe (hkcu)
o16 - dpf: {17492023-c23a-453e-a040-c7c580bbf700} (windows genuine advantage validation tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
o16 - dpf: {2ed9bc2b-4df1-472e-9b5e-55477d2c97f5} (microsoft data collection control) - https://support.microsoft.com/oas/activex/odc.cab
o16 - dpf: {4f1e5b1a-2a80-42ca-8532-2d05cb959537} (msn photo upload tool) - http://by102fd.bay102.hotmail.msn.com/resources/msnpupld.cab
o16 - dpf: {6414512b-b978-451d-a0d8-fcfdf33e833c} (wuwebcontrol class) - http://v5.windowsupdate.microsoft.com/v5consumer/v5controls/en/x86/client/wuweb_site.cab?1115059049000

Title: Re: spyware and Antivirus programs not responding
Post by: DouglasMiller on June 01, 2005, 01:01:56 AM
I ran it through the log analysis.  That is how I came up with that one line being the problem.

O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)

Everything that you suggested is harmful is part of some program I use as far as I know. All of them have valid uses. Weatherbug, smart bridge, verizon, or microsoft. Does anyone see anything wrong with this log from a different perspective? Did anyone else ever hear of someone having this line in their account and it disabling antivirus/spyware programs?

Title: Re: spyware and Antivirus programs not responding
Post by: kamulko on June 01, 2005, 01:21:17 AM
I'm not sure about the danger caused by this unknown object. However, if you want to delete it, please deactivate System Restore, restart, delete the suspicious BHO, turn off the machine and reboot. If the object is still live, try to download WinPatrol (freeware): this program cannot delete it but can deactivate this type of file.

Title: Re: spyware and Antivirus programs not responding
Post by: bob3160 on June 01, 2005, 02:41:03 AM
Douglas
Weatherbug, although not spyware, is considered Adware.
Please look at the following:
http://www.pchell.com/support/weatherbug.shtml
An alternative would be to use Weather Pulse (http://tropicdesigns.net/weatherpulse.php).
It's also free and isn't ad supported.

Title: Re: spyware and Antivirus programs not responding
Post by: FreewheelinFrank on June 01, 2005, 12:57:17 PM
I suspect that the BHO line is not responsible for your problem. It's more likely to be a malware process running in memory and blocking anti-virus programs etc.

Some malware processes are started by additions to the registry which don't appear in the HijackThis log, so you will never remove them this way. The secret is to run several anti-malware programs one after the other and then manually remove anything that is left.

The anti-spyware programs you run will probably remove some programs you wanted to keep. You will have to do a Google search on these and see why they were removed and decide if you want to reinstall them: you may decide to accept any privacy concerns or advertising that comes with the program. As Bob mentioned, there are often ad/spyware free alternatives available.

Here are the anti-malware programs you should run:

1. A boot time scan with Avast! (A boot time scan is vital because it can detect malware before it loads into memory.)

2. A double check with Trend Micro Sysclean run in safe mode: download Sysclean and its definition file:

http://uk.trendmicro-europe.com/enterprise/support/tsc.php
http://uk.trendmicro-europe.com/enterprise/support/pattern.php

3. A triple check for Trojans with these programs:

TDS-3 (Download the definitions file and move to the program folder.)

http://tds.diamondcs.com.au/

and TrojanHunter

http://www.trojanhunter.com/

4. All of these anti-spyware programs:

Ad-Aware: http://www.lavasoft.de/
Spybot Search & Destroy: http://www.safer-networking.org/en/download/
Webroot Spy Sweeper: http://www.download.com/Webroot-Spy-Sweeper/3000-8022_4-10373771.html
MS AntiSpyware: http://www.microsoft.com/downloads/details.aspx?FamilyId=321CD7A2-6A57-4C57-A8BD-DBF62EDA9671&displaylang=en
Yahoo! Anti-Spy: http://toolbar.yahoo.com/
X-Cleaner Free: http://www.xblock.com/download-freeware.php

(They really do all find something different, although it may be traces of the same thing.)

5. F-Secure's BlackLight to check for rootkits and hidden files. (If you find rootkits, reinstalling Windows may be the only way to guarantee security.)

http://www.f-secure.com/blacklight/

When you've done all this, restart your computer and check for any suspicious activity: anti-virus programs not working, suspicious processes in memory (use Process Explorer: malware writers sometimes give their processes an evil icon!) and suspicious internet traffic: a lot of traffic when you're not doing anything.

http://www.sysinternals.com/ntw2k/freeware/procexp.shtml

Hopefully you won't find anything. Run another HijackThis scan and get it analysed: it can help tidy up any loose ends.
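
Added example, not part of any post in this thread: a small Python parser for HijackThis entry lines that lists O2 (BHO) registrations marked "(no file)" and reports which of them are still present in a follow-up scan, the "keeps coming up" situation described in the first post. The function names are hypothetical, `SCAN_1` is a subset of the log posted above, and `SCAN_2` is a constructed second scan.

```python
import re

# HijackThis entry lines look like "O2 - BHO: name - {CLSID} - path".
ENTRY = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse_hjt(text):
    """Return (code, CLSID or None, body) for every entry line in a log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, running-process paths, blank lines
        clsid = CLSID.search(m["body"])
        entries.append((m["code"], clsid.group(0).upper() if clsid else None, m["body"]))
    return entries

def orphaned_bhos(entries):
    """O2 entries where HijackThis printed '(no file)' for the registered DLL."""
    return [e for e in entries if e[0] == "O2" and e[2].endswith("(no file)")]

def reappeared(before, after, fixed_clsids):
    """CLSIDs that were fixed after the first scan yet show up in the second."""
    fixed = {c.upper() for c in fixed_clsids}
    seen_before = {e[1] for e in before}
    return sorted({e[1] for e in after if e[1] in fixed and e[1] in seen_before})

# Constructed input: SCAN_1 is a subset of the log in the first post; SCAN_2 is
# a made-up second scan taken after "fixing" the orphaned BHO and rebooting.
SCAN_1 = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
"""
SCAN_2 = r"""Logfile of HijackThis v1.99.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
"""

if __name__ == "__main__":
    first, second = parse_hjt(SCAN_1), parse_hjt(SCAN_2)
    fixed = [e[1] for e in orphaned_bhos(first)]
    print("orphaned BHOs:", fixed)
    print("came back after fix:", reappeared(first, second, fixed))
```

A CLSID reported by `reappeared` means either the fix did not take or the key was written again between scans, which is the case where the boot-time and safe-mode scans recommended above are worth running before another HijackThis pass.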