Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

need help analyzing


  • This topic is locked This topic is locked
3 replies to this topic

#1 robnwan

robnwan

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:08:53 PM

Posted 09 July 2004 - 07:51 PM

Hello,

I am not very saavy on this and need some help. I have read several of the posts and not sure how to fix this. If I have to remove some files could someone tell me and then very detailed explain what I need to do step by step to fix this.

I say it this was as to some removing a file is easy, I don't know how. Here is the log file.

Logfile of HijackThis v1.97.7
Scan saved at 5:40:23 PM, on 7/9/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\mskb32.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\Logitech\Video\LowLight.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nthn32.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Robert Michael\Local Settings\Temporary Internet Files\Content.IE5\CPQFG56J\j2re-1_4_2_04-windows-i586-p-iftw[1].exe
C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\Jav1A.tmp.exe
C:\WINDOWS\System32\MSIEXEC.EXE
C:\WINDOWS\System32\MsiExec.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ctfbf.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ctfbf.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ctfbf.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ctfbf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ctfbf.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ctfbf.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {9436A461-8EBA-8CCA-C8D5-98D6F786767A} - C:\WINDOWS\d3iz32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [mskb32.exe] C:\WINDOWS\system32\mskb32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Ultimate Popup Blocker] C:\Program Files\Ultimate Pop-up Blocker\Ultimate Pop-up Blocker.exe
O4 - HKLM\..\RunOnce: [nthn32.exe] C:\WINDOWS\system32\nthn32.exe
O4 - HKLM\..\RunOnce: [netki32.exe] C:\WINDOWS\system32\netki32.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .qt: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com

Thank you very much!

BC AdBot (Login to Remove)

 


#2 Lobos

Lobos

  • Members
  • 317 posts
  • OFFLINE
  •  
  • Location:California USA
  • Local time:06:53 PM

Posted 10 July 2004 - 01:37 AM

Hi robnwan

Welcome to BC


press
ctrl - alt - del scroll down to these two processes right click on
them and end them


mskb32.exe
nthn32.exe
--------------------------------------------------------------------------------------
Run HijackThis again and place a check beside each of the following items. Once done click the fix checked button.


R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: (no name) - {9436A461-8EBA-8CCA-C8D5-98D6F786767A} - C:\WINDOWS\d3iz32.dll
O4 - HKLM\..\Run: [mskb32.exe] C:\WINDOWS\system32\mskb32.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKLM\..\RunOnce: [nthn32.exe] C:\WINDOWS\system32\nthn32.exe
O4 - HKLM\..\RunOnce: [netki32.exe] C:\WINDOWS\system32\netki32.exe



Download About:Buster from here:

http://www.downloads.subratam.org/AboutBuster.zip

Make sure you have printed this page and close ALL Internet Explorer windows. This is a very important step!!

Run AboutBuster.exe, click ok, then start, then OK. Make a copy of the log once it finishes. Then run aboutbuster.exe again. Make a copy of that log.

Reboot and post a new HijackThis log along with the two reports from About:Buster.

Lobos

Edited by Lobos, 10 July 2004 - 01:38 AM.

<span style='color:blue'>Ad-Aware SE</span> | Spybot S&D 1.4

For extra protection try spyware blaster

<span style='color:blue'>If you use IE I suggest using these two programs</span> MVPHosts & IE-SPYAD

#3 robnwan

robnwan
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:08:53 PM

Posted 10 July 2004 - 11:07 AM

Thanks for the welcome. I think I am up and running again :thumbsup: Would you look at this new log file and let me know how it looks to you. I really appreciate your efforts and thank you very much.



Logfile of HijackThis v1.97.7
Scan saved at 9:05:27 AM, on 7/10/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\Logitech\Video\LowLight.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ctfbf.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ctfbf.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ctfbf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ctfbf.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ctfbf.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Ultimate Popup Blocker] C:\Program Files\Ultimate Pop-up Blocker\Ultimate Pop-up Blocker.exe
O4 - HKLM\..\RunOnce: [appxd32.exe] C:\WINDOWS\appxd32.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .qt: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com

#4 Lobos

Lobos

  • Members
  • 317 posts
  • OFFLINE
  •  
  • Location:California USA
  • Local time:06:53 PM

Posted 10 July 2004 - 09:48 PM

Run hijack this put a check next to these close all browsers and hit fix

Make sure not to miss one



R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ctfbf.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ctfbf.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ctfbf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ctfbf.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ctfbf.dll/sp.html#37049

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\RunOnce: [appxd32.exe] C:\WINDOWS\appxd32.exe


these two are resource hog you dont need them at startup they are optional fixes too

O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE



-----------------------------------------------------------------------------------------------------------------------------------

To enable the viewing of Hidden files follow these steps:

How to see Hidden files and Folders
reboot into safe mode
How to boot into safe mode
delete
this file
C:\WINDOWS\appxd32.exe

empty your recyle bin
reboot to normal



come back post another log and tell me how you computers running

Lobos

Edited by Lobos, 10 July 2004 - 09:49 PM.

<span style='color:blue'>Ad-Aware SE</span> | Spybot S&D 1.4

For extra protection try spyware blaster

<span style='color:blue'>If you use IE I suggest using these two programs</span> MVPHosts & IE-SPYAD




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users