common hijack help



#1 bartmarquardt


Posted 13 July 2004 - 02:27 PM

Thanks for any help. Here is my log file:

Logfile of HijackThis v1.97.7
Scan saved at 2:26:09 PM, on 7/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\LDCLIENT\SOFTMON.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\LDCLIENT\LOCALSCH.EXE
C:\WINDOWS\system32\cba\pds.exe
C:\LDCLIENT\QIPCLNT.EXE
C:\LDClient\tmcsvc.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\qgyx.exe
C:\WINDOWS\System32\mcamgr.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Intuit\QuickBooks\Components\QBAgent\qbdagent2001.exe
C:\WINDOWS\System32\mrtMngr.EXE
C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Gary Orler\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,C:\LDCLIENT\SOFTMON.EXE
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Gary Orler\Application Data\Mozilla\Profiles\default\ib56i3iw.slt\prefs.js)
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [IntelAPMClient] C:\LDClient\amclient.exe /apm /s
O4 - HKLM\..\Run: [zthhouosqseu] C:\WINDOWS\System32\cidnkozw.exe
O4 - HKLM\..\Run: [sok0] C:\WINDOWS\qgyx.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks\Components\QBAgent\qbdagent2001.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Task Completion.LNK = C:\LDClient\AMCLIENT.EXE
O4 - Global Startup: Inventory Scan.LNK = C:\LDClient\LDISCN32.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: www.bonddesk.com
O15 - Trusted Zone: *.rjf.com
O15 - Trusted Zone: http://*.rjf.com
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {3C4C243E-89CE-11D4-AD0A-00508B0AE258} (acxPayroll.Utility) - https://meadowridge.rjf.com/corporate_actio.../acxPayroll.CAB
O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} - http://www.atelys.com/src/Speedup.ocx
O16 - DPF: {88F3DCEE-3BE9-45A5-A70F-5E42ED61ACDB} (RJUpdWeb.RJUpdLoader) - http://gandy.rjf.com/Controls/RJUpdWeb.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7949.5068518519
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {F8B53C17-E393-42B0-8AEB-B01F0CFD107A} (IdmInstaller Class) - http://www.topicks.com/util/Topicks.cab



#2 Grinler


    Lawrence Abrams



Posted 13 July 2004 - 03:03 PM

I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix button:
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [zthhouosqseu] C:\WINDOWS\System32\cidnkozw.exe
O4 - HKLM\..\Run: [sok0] C:\WINDOWS\qgyx.exe
O15 - Trusted Zone: www.bonddesk.com
O15 - Trusted Zone: *.rjf.com
O15 - Trusted Zone: http://*.rjf.com
O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} - http://www.atelys.com/src/Speedup.ocx


Reboot your computer into Safe Mode and delete the following files:

Then delete these files or directories (Do not be concerned if they do not exist)
C:\WINDOWS\System32\cidnkozw.exe
C:\WINDOWS\qgyx.exe

Disable System Restore. You can find instructions on how to enable and reenable system restore here:

Managing Windows Millennium System Restore
or

Windows XP System Restore Guide

Re-enable System Restore with the instructions from the tutorial above.

Reboot your computer to go back to normal mode and do the following:


Download VX2Finder from this link:

http://tools.zerosrealm.com/VX2Finder(126).exe

or

http://www.downloads.subratam.org/VX2Finder(126).exe

Run Vx2Finder and click on the *click to find VX2.BetterInternet* button. Then click *make log*.

Copy and paste the contents of the log into your next reply here.
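
A way to check that the fix above took, as an added example that is not part of the original post: it compares the entries marked for fixing with a later HijackThis scan and reports any that are still listed or whose startup executable is still running. The fix list is a subset copied from this thread; the rescan log is constructed for illustration, and the function names are hypothetical.

```python
import re

# HijackThis entries look like "<code> - <details>", e.g. "O1 - Hosts: <ip> <name>".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# Executable path that follows the "[value name]" in an O4 Run entry.
RUN_EXE_RE = re.compile(r'\]\s+"?([a-z]:\\[^"]+?\.exe)', re.IGNORECASE)

def norm(s):
    # Windows paths are case-insensitive; also collapse pasted whitespace.
    return " ".join(s.split()).lower()

def parse_entries(log_text):
    """Set of (code, details) for every entry line in a log."""
    found = (ENTRY_RE.match(l.strip()) for l in log_text.splitlines())
    return {(m.group(1), norm(m.group(2))) for m in found if m}

def running_processes(log_text):
    """Paths listed under 'Running processes:' up to the first blank line."""
    procs, in_section = set(), False
    for line in (l.strip() for l in log_text.splitlines()):
        if line.lower() == "running processes:":
            in_section = True
        elif in_section and not line:
            break
        elif in_section:
            procs.add(norm(line))
    return procs

def verify_fix(fix_list_text, rescan_text):
    """Return (entries still listed, flagged startup executables still running)."""
    fixed = parse_entries(fix_list_text)
    still_listed = sorted(fixed & parse_entries(rescan_text))
    hits = (RUN_EXE_RE.search(d) for code, d in fixed if code == "O4")
    exes = {m.group(1) for m in hits if m}
    return still_listed, sorted(exes & running_processes(rescan_text))

# Subset of the entries marked for fixing in this thread.
FIX_LIST = r"""
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [zthhouosqseu] C:\WINDOWS\System32\cidnkozw.exe
O4 - HKLM\..\Run: [sok0] C:\WINDOWS\qgyx.exe
"""
# Constructed rescan (not from the thread): one Hosts line and one Run entry survived.
RESCAN = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\qgyx.exe

O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [sok0] C:\WINDOWS\qgyx.exe
"""
if __name__ == "__main__":
    print(verify_fix(FIX_LIST, RESCAN))
```

An entry that reappears in both lists after a reboot suggests something is rewriting it, which is the case the follow-up log request is meant to catch.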



