
56hijack log. HELP!



#1 studmasterflash


Posted 15 July 2004 - 07:35 PM

Ad-aware & spybot have already been run on this computer. Please help with what files to delete.

Logfile of HijackThis v1.98.0
Scan saved at 4:53:53 PM, on 7/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\d3wm32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\iplv.exe
C:\Program Files\MicroTouch\TouchWare\MtsTsMon.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\WINDOWS\System32\zstatus.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ohxvu.dll/sp.html#12802
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ohxvu.dll/index.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ohxvu.dll/index.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ohxvu.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ohxvu.dll/sp.html#12802
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ohxvu.dll/index.html#12802
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\Adobe\Acrobat Reader 5\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {394BD4B5-4802-877E-81D2-592DCC6B1F0D} - C:\WINDOWS\system32\msul32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [hp 1000 firmware] C:\Program Files\hp LaserJet 1000\fwdl.exe
O4 - HKLM\..\Run: [iplv.exe] C:\WINDOWS\iplv.exe
O4 - HKLM\..\RunOnce: [sdked32.exe] C:\WINDOWS\system32\sdked32.exe
O4 - HKLM\..\RunOnce: [d3wm32.exe] C:\WINDOWS\system32\d3wm32.exe
O4 - HKLM\..\RunOnce: [mszw32.exe] C:\WINDOWS\mszw32.exe
O4 - HKLM\..\RunOnce: [apprs32.exe] C:\WINDOWS\system32\apprs32.exe
O4 - HKLM\..\RunOnce: [winnb.exe] C:\WINDOWS\winnb.exe
O4 - HKLM\..\RunOnce: [sysrn.exe] C:\WINDOWS\sysrn.exe
O4 - HKLM\..\RunOnce: [addxw32.exe] C:\WINDOWS\addxw32.exe
O4 - HKLM\..\RunOnce: [ntdj32.exe] C:\WINDOWS\ntdj32.exe
O4 - HKLM\..\RunOnce: [netpg32.exe] C:\WINDOWS\system32\netpg32.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Startup: Jonas Management System.lnk = GJCWIN\sbbwin.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MicroTouch TouchWare Monitor.lnk = C:\Program Files\MicroTouch\TouchWare\MtsTsMon.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {11111111-1111-1111-1111-112530954948} - mhtml:file://C:NO_SUCH_MHT.MHT!http://www.008k.com/partner/inst/f12802.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = WWCC.Local
O17 - HKLM\Software\..\Telephony: DomainName = WWCC.Local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = WWCC.Local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = WWCC.Local



#2 Lobos


Posted 15 July 2004 - 10:15 PM

Hi studmasterflash,

Welcome to BC.

Do this: read it and print it out first, because all of this is going to be done in Safe Mode.


Download About:Buster from here:

http://www.downloads.subratam.org/AboutBuster.zip

Unzip it to your desktop.

Enable the viewing of hidden files; follow these steps:

How to see Hidden files and Folders


Reboot into Safe Mode:
How to boot into safe mode
----------------------------------------------------------------------------------
* Right-click on My Computer
* Choose Manage
* Double-click on Services and Applications
* Click on Services
* In the righthand column find "Network Security Service", and double-click on it
(in Safe Mode this may already be stopped)
* Choose Stop and then write down the name and path of the file in the "Path to Executable" section
* Set the Startup Type to Disabled
* Click Ok
* Close the Computer Management window
------------------------------------------------------------------------------
Run HijackThis again and place a check beside each of the following items. Once done, click the Fix Checked button. Some of them may not be there, but fix what is.


R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {394BD4B5-4802-877E-81D2-592DCC6B1F0D} - C:\WINDOWS\system32\msul32.dll
O4 - HKLM\..\Run: [iplv.exe] C:\WINDOWS\iplv.exe
O4 - HKLM\..\RunOnce: [sdked32.exe] C:\WINDOWS\system32\sdked32.exe
O4 - HKLM\..\RunOnce: [d3wm32.exe] C:\WINDOWS\system32\d3wm32.exe
O4 - HKLM\..\RunOnce: [mszw32.exe] C:\WINDOWS\mszw32.exe
O4 - HKLM\..\RunOnce: [apprs32.exe] C:\WINDOWS\system32\apprs32.exe
O4 - HKLM\..\RunOnce: [winnb.exe] C:\WINDOWS\winnb.exe
O4 - HKLM\..\RunOnce: [sysrn.exe] C:\WINDOWS\sysrn.exe
O4 - HKLM\..\RunOnce: [addxw32.exe] C:\WINDOWS\addxw32.exe
O4 - HKLM\..\RunOnce: [ntdj32.exe] C:\WINDOWS\ntdj32.exe
O4 - HKLM\..\RunOnce: [netpg32.exe] C:\WINDOWS\system32\netpg32.exe
O16 - DPF: {11111111-1111-1111-1111-112530954948} - mhtml:file://C:NO_SUCH_MHT.MHT!http://www.008k.com/partner/inst/f12802.exe

-----------------------------------------------------------------------------------------
Delete:
C:\WINDOWS\iplv.exe
C:\WINDOWS\system32\sdked32.exe
C:\WINDOWS\system32\d3wm32.exe
C:\WINDOWS\mszw32.exe
C:\WINDOWS\system32\apprs32.exe
C:\WINDOWS\winnb.exe
C:\WINDOWS\sysrn.exe
C:\WINDOWS\addxw32.exe
C:\WINDOWS\ntdj32.exe
C:\WINDOWS\system32\netpg32.exe
-------------------------------------------------------------------------------------
Run AboutBuster.exe, click OK, then Start, then OK. Make a copy of the log once it finishes.
Then run AboutBuster.exe again. Make a copy of that log, so you should have two About:Buster logs.
----------------------------------------------------------------------------------------
Then go to C:\Documents and Settings\USER NAME\Local Settings\Temp, select everything in that folder and delete it.

As XP will not let you delete files less than 24 hours old, as it thinks it might need them, please also do this:
While in the Temp folder, select View and select Details.
Then right-click a blank part and select Arrange Icons By, and select Show in Groups and Modified; that will give a list of all files in date order with today at the top of the page.
Select all the files/folders except today's ones and delete them all.

1) Open Control Panel
2) Click on Internet Options
3) On the General Tab, in the middle of the screen, click on Delete Files
4) You may also want to check the box "Delete all offline content"
5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive
--------------------------------------------------------------------------------------------------------------
Empty your Recycle Bin.
Reboot to normal mode.

Post a new HijackThis log along with the two reports from About:Buster, and let me know how your computer's running.


Lobos
Ad-Aware SE | Spybot S&D 1.4

For extra protection try SpywareBlaster

If you use IE I suggest using these two programs: MVPHosts & IE-SPYAD
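
Added example, not part of Lobos's reply and not HijackThis's own logic: a small Python triage pass over HijackThis log lines, using four heuristics assumed from entries flagged in this thread (a res:// page setting, an unnamed BHO, an autorun value named after its own executable, an mhtml: download source). The function names `triage` and `review` are hypothetical, and the sample lines are copied from the log in post #1.

```python
import re

# Subset of lines copied from the HijackThis log in post #1 of this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ohxvu.dll/index.html#12802
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\Adobe\Acrobat Reader 5\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {394BD4B5-4802-877E-81D2-592DCC6B1F0D} - C:\WINDOWS\system32\msul32.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [iplv.exe] C:\WINDOWS\iplv.exe
O4 - HKLM\..\RunOnce: [d3wm32.exe] C:\WINDOWS\system32\d3wm32.exe
O16 - DPF: {11111111-1111-1111-1111-112530954948} - mhtml:file://C:NO_SUCH_MHT.MHT!http://www.008k.com/partner/inst/f12802.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
"""

ENTRY = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")

def triage(line):
    """Return (code, reason) if a heuristic (assumed, see lead-in) fires, else None."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    code, body = m["code"], m["body"]
    if code in ("R0", "R1"):
        value = body.partition(" = ")[2]
        if value.lower().startswith("res://"):
            return code, "IE page setting loads a res:// resource from a DLL"
    elif code == "O2" and body.startswith("BHO: (no name)"):
        return code, "browser helper object with no registered name"
    elif code == "O4":
        am = re.match(r".*?: \[(?P<name>[^\]]+)\] (?P<target>.+)$", body)
        if am:
            base = am["target"].strip('"').rsplit("\\", 1)[-1]
            if am["name"].lower() == base.lower():
                return code, "autorun value is named after its own executable"
    elif code == "O16":
        if body.rsplit(" - ", 1)[-1].lower().startswith("mhtml:"):
            return code, "ActiveX download source uses an mhtml: URL"
    return None

def review(log_text):
    """Collect (code, reason, line) for every flagged line of a log."""
    hits = []
    for line in log_text.splitlines():
        hit = triage(line)
        if hit:
            hits.append((*hit, line.strip()))
    return hits

if __name__ == "__main__":
    for code, reason, line in review(SAMPLE_LOG):
        print(f"{code}: {reason}\n    {line}")
```

A hit is a prompt for a closer look, not a verdict, and the heuristics do not cover every entry picked for fixing above, such as the R3 line.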



