HijackThis Log: Please help Diagnose

2 replies to this topic

#1 dubya


  • Members
  • 2 posts
  • Local time:11:26 AM

Posted 22 February 2005 - 05:21 AM

Logfile of HijackThis v1.99.1

Scan saved at 11:24:16 PM, on 2/21/2005

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe

C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe

C:\Program Files\PCI Audio Applications\Mixer.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe

C:\Program Files\PestPatrol\PPControl.exe

C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe

C:\Program Files\Ahead\InCD\InCD.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Supreme Office Suite3.0\program\soffice.exe

C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

C:\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zxzzx.dll/sp.html#10001

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zxzzx.dll/sp.html#10001

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zxzzx.dll/sp.html#10001

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zxzzx.dll/sp.html#10001

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zxzzx.dll/sp.html#10001

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zxzzx.dll/sp.html#10001

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zxzzx.dll/sp.html#10001

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/

R3 - Default URLSearchHook is missing

F3 - REG:win.ini: run=c:\windows\system32\monitormgt.exe

O2 - BHO: (no name) - {455E5895-2869-A744-5B87-61CAF3244117} - C:\WINDOWS\appfm32.dll

O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll

O3 - Toolbar: (no name) - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE

O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe

O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Mixer.exe /startup

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe

O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe

O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"

O4 - HKLM\..\Run: [ljubkryq] C:\WINDOWS\System32\kikgxw.exe

O4 - HKLM\..\Run: [PestPatrolCL] C:\PROGRA~1\PESTPA~1\PestPatrolCL.exe c:\

O4 - HKLM\..\Run: [KeyPatrol] C:\PROGRA~1\PESTPA~1\KeyPatrol.exe

O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [sysmz.exe] C:\WINDOWS\system32\sysmz.exe

O4 - HKLM\..\Run: [15.tmp] C:\DOCUME~1\STEVEN~1.BRA\LOCALS~1\Temp\15.tmp.exe 0 10001

O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe

O4 - HKLM\..\Run: [Monitormgt] c:\windows\system32\monitormgt.exe

O4 - HKLM\..\RunServices: [Runtime Process] C:\WINDOWS\lmpdsrv.exe

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Monitormgt] c:\windows\system32\monitormgt.exe

O4 - HKCU\..\RunServices: [Runtime Process] C:\WINDOWS\lmpdsrv.exe

O4 - Startup: Supreme Office Suite 3.0.lnk = C:\Program Files\Supreme Office Suite3.0\program\quickstart.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Wal-Mart Connect Tray Icon.lnk = C:\Program Files\wmconnect\wmtray.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)

O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.crmishawaka.com

O15 - Trusted Zone: *.05p.com

O15 - Trusted Zone: *.awmdabest.com

O15 - Trusted Zone: *.blazefind.com

O15 - Trusted Zone: *.clickspring.net

O15 - Trusted Zone: *.flingstone.com

O15 - Trusted Zone: *.frame.crazywinnings.com

O15 - Trusted Zone: *.mt-download.com

O15 - Trusted Zone: *.my-internet.info

O15 - Trusted Zone: *.scoobidoo.com

O15 - Trusted Zone: *.searchbarcash.com

O15 - Trusted Zone: *.searchmiracle.com

O15 - Trusted Zone: *.slotch.com

O15 - Trusted Zone: *.static.topconverting.com

O15 - Trusted Zone: *.xxxtoolbar.com

O15 - Trusted Zone: *.05p.com (HKLM)

O15 - Trusted Zone: *.awmdabest.com (HKLM)

O15 - Trusted Zone: *.blazefind.com (HKLM)

O15 - Trusted Zone: *.clickspring.net (HKLM)

O15 - Trusted Zone: *.flingstone.com (HKLM)

O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)

O15 - Trusted Zone: *.mt-download.com (HKLM)

O15 - Trusted Zone: *.my-internet.info (HKLM)

O15 - Trusted Zone: *.scoobidoo.com (HKLM)

O15 - Trusted Zone: *.searchbarcash.com (HKLM)

O15 - Trusted Zone: *.searchmiracle.com (HKLM)

O15 - Trusted Zone: *.slotch.com (HKLM)

O15 - Trusted Zone: *.static.topconverting.com (HKLM)

O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)

O15 - Trusted IP range:

O15 - Trusted IP range: (HKLM)

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab

O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab

O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/018f049977d5f752e922/netzip/RdxIE601.cab

O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} (TIBSLoader Class) - http://directplugin.com/tl4000.dll

O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 5.0 (SP2)) - http://activex.microsoft.com/controls/vb5/comdlg32.cab

O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe

O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)

O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe

O23 - Service: Network Security Service (NSS) (%AF) - Unknown owner - C:\WINDOWS\system32\apilq32.exe

#2 dubya

  • Topic Starter

  • Members
  • 2 posts
  • Local time:11:26 AM

Posted 22 February 2005 - 11:40 AM

I'm not sure why this isn't getting a response, but let me describe exactly what the problem is. My dad has been having problems with his computer. He has this program that he can't remove called My Web Search. He has tried to uninstall it, but it will not. His home page constantly changes and he gets rerouted to other webpages sometimes without his permission. I had him download the most recent version of Hijack This, and send me his log file (the one posted above). If I missed any information, please let me know, and I will add it. I understand that the symptoms that I described are very common among browser hijacks, but any help is appreciated. Thanks.

#3 Papakid


    Guru at being a Newbie

  • Malware Response Team
  • 6,522 posts
  • Gender:Male
  • Local time:10:26 AM

Posted 02 March 2005 - 02:55 AM

Sorry you seem to have fallen through the cracks there, dubya. The logs forum is extremely busy and, to be fair, we work on a first-come, first-served basis, so we generally look for the oldest log with zero replies. You made one (a reply) to your own thread, so it looked as if you were getting help.

If you still need help, please post another log. I would also prefer that you not put the log in a quotebox--easier to read that way.

