
UncleRed needs help


  • This topic is locked
1 reply to this topic

#1 UncleRed

UncleRed

  • Members
  • 1 posts

Posted 17 August 2004 - 12:48 PM

Please help me! I've been hijacked and don't know what to do. THANKS!!!!

Logfile of HijackThis v1.98.2
Scan saved at 12:36:12 PM, on 8/17/2004
Platform: Windows 2000 SP1 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINNT\System32\mspmspsv.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\WINNT\System32\w32sup.exe
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\documents and settings\user\local settings\temp\DYiXKu6S.exe
C:\documents and settings\user\local settings\temp\J4DS6Y.exe
C:\documents and settings\user\local settings\temp\rZKMD.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\WINNT\System32\tftptdlg.exe
C:\Program Files\Microsoft Money\System\reminder.exe
C:\WINNT\System32\rrxabm.exe
C:\WINNT\System32\trkasf.exe
C:\Program Files\Hewlett-Packard\hp officejet v series\bin\hpodev07.exe
C:\Program Files\CheckIt\86\CheckIt86.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
C:\Documents and Settings\User\Desktop\HijackThis.exe
C:\WINNT\system32\ntvdm.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Program Files\Trend Micro\Internet Security\TSC.EXE
C:\PROGRA~1\HEWLET~1\HPOFFI~1\bin\hpoevm07.exe
C:\WINNT\System32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\hp officejet v series\bin\HPOSTS07.exe
C:\Program Files\Hewlett-Packard\hp officejet v series\bin\HPOFXM07.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50171
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50171
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50171
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sublimedirectory.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: MyObj Class - {275636E4-A535-4668-9FF1-86DC0C62D446} - C:\WINNT\msopt.dll
O2 - BHO: (no name) - {4AFF3A5D-EC32-01B5-8753-6D5509D52F48} - C:\WINNT\System32\lomecad.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CheckIt 86 - {82DF1118-9B92-45d8-B78F-1737A69A06E1} - C:\Program Files\CheckIt\86\CheckIt86.dll
O2 - BHO: (no name) - {8403CB53-12B3-4537-9DEC-4F12F70A883D} - C:\WINNT\System32\anti-pp.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {AD4B232D-252F-4396-A5DC-47E58E3D9C04} - C:\WINNT\system32\pjp.dll (file missing)
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\User\Local Settings\Temp\u6NaaXq5F.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [w32sup] C:\WINNT\System32\w32sup.exe
O4 - HKLM\..\Run: [MCUpdateExe] F:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [DYiXKu6S] C:\documents and settings\user\local settings\temp\DYiXKu6S.exe
O4 - HKLM\..\Run: [J4DS6Y] C:\documents and settings\user\local settings\temp\J4DS6Y.exe
O4 - HKLM\..\Run: [rZKMD] C:\documents and settings\user\local settings\temp\rZKMD.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [47Fk3sP] tftptdlg.exe
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - HKCU\..\Run: [Hahh] C:\Documents and Settings\User\Application Data\astt.exe
O4 - HKCU\..\Run: [Rmfaldr] C:\WINNT\System32\rrxabm.exe
O4 - HKCU\..\Run: [LwwqRijqe] trkasf.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
O4 - Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Global Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\hp officejet v series\bin\hpodev07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: CheckIt 86.lnk = C:\Program Files\CheckIt\86\CheckIt86.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Add To CheckIt &86 Trust List - C:\PROGRA~1\CHECKIT\86\AddToTrustList.js
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\System32\ms.exe (file missing)
O9 - Extra button: (no name) - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CHECKIT\86\CheckIt86.exe
O9 - Extra 'Tools' menuitem: CheckIt &86 - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CHECKIT\86\CheckIt86.exe
O16 - DPF: {10000030-1000-0000-1000-000000000000} - its:mhtml:file://c:\\MAIN.MHT!http://zloeboogle.biz/dial.chm?wmid=71::/x.exe
O16 - DPF: {11311111-1111-1111-1111-11111121115F} - file://C:\Recycled\Q381010.exe
O16 - DPF: {121AC498-3F3A-4C39-9BEA-CFC4EA809FDF} (XlocatorInstall.Install) - http://www.xlocator.com/download/xlocatorlight.CAB
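
A small triage parser for the log format posted above, added here as an example; it is not part of this thread and not HijackThis's own logic. It splits each line into its section code (R0/R1/R3, O2, O4, O16) and the path, command or URL the entry points at, then applies the first-pass checks a log reviewer tends to run by eye: executables or DLLs loading from a Temp or Recycle Bin directory, entries marked "(file missing)", Run entries that name a bare file with no path, and O16 ActiveX sources that are not plain HTTP. Those checks are assumptions about what is worth looking at first, not a verdict on any line. The sample input is a constructed subset of the posted log, one or two lines per entry type.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the HijackThis log in the post above,
# trimmed to one or two representative lines per entry type.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50171
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AD4B232D-252F-4396-A5DC-47E58E3D9C04} - C:\WINNT\system32\pjp.dll (file missing)
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\User\Local Settings\Temp\u6NaaXq5F.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [DYiXKu6S] C:\documents and settings\user\local settings\temp\DYiXKu6S.exe
O4 - HKLM\..\Run: [47Fk3sP] tftptdlg.exe
O16 - DPF: {10000030-1000-0000-1000-000000000000} - its:mhtml:file://c:\\MAIN.MHT!http://zloeboogle.biz/dial.chm?wmid=71::/x.exe
O16 - DPF: {11311111-1111-1111-1111-11111121115F} - file://C:\Recycled\Q381010.exe
"""

# "<code> - <body>" is the shape of every entry line; "Running processes:" and
# bare paths do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
# O2/O3/O9/O16: the target follows the CLSID (and an optional "(name)").
# Splitting on the CLSID avoids tripping over " - " inside paths such as
# "Spybot - Search & Destroy".
CLSID_TARGET_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}(?: \([^)]*\))? - (?P<target>.*)$")
# O4: the command follows the bracketed value name.
RUN_TARGET_RE = re.compile(r"\[[^\]]*\] (?P<target>.*)$")
MISSING_SUFFIX = " (file missing)"


@dataclass
class Entry:
    code: str                  # HijackThis section code, e.g. R1, O2, O4, O16
    body: str                  # everything after "<code> - "
    target: str = ""           # path, command or URL the entry points at
    flags: list = field(default_factory=list)  # review notes added by triage()


def _extract_target(code: str, body: str) -> str:
    if code.startswith("R"):               # "key,value = target"
        return body.partition(" = ")[2].strip()
    m = RUN_TARGET_RE.search(body) if code == "O4" else CLSID_TARGET_RE.search(body)
    return m.group("target").strip() if m else ""


def parse(log_text: str) -> list:
    """Turn the raw log text into Entry objects, ignoring non-entry lines."""
    entries = []
    for line in log_text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        entries.append(Entry(code, body, _extract_target(code, body)))
    return entries


def triage(entries: list) -> list:
    """Attach first-pass review flags (assumed heuristics, not a verdict)."""
    for e in entries:
        t = e.target
        if t.endswith(MISSING_SUFFIX):
            e.flags.append("file missing")
            t = t[: -len(MISSING_SUFFIX)]
        t = t.strip('"')
        low = t.lower()
        if "\\temp\\" in low or "\\recycled\\" in low:
            e.flags.append("loads from a temp or Recycle Bin directory")
        if e.code == "O4" and t and "\\" not in t and ":" not in t:
            e.flags.append("bare filename, resolved through the search path")
        if e.code == "O16" and not low.startswith(("http://", "https://")):
            e.flags.append("ActiveX download from a non-HTTP source")
        if e.code.startswith("R") and low.startswith("http"):
            e.flags.append("IE search/start setting points at an external site")
    return entries


def suspicious(log_text: str) -> list:
    """Return (code, target, flags) for every entry that picked up a flag."""
    return [(e.code, e.target, e.flags) for e in triage(parse(log_text)) if e.flags]


if __name__ == "__main__":
    for code, target, flags in suspicious(SAMPLE_LOG):
        print(f"{code:<4} {target}\n     -> {'; '.join(flags)}")
```

Run on the sample, seven of the ten lines pick up at least one flag; the Spybot helper, the Trend Micro Run entry and the empty CustomizeSearch value come through clean. The flags are only a reading order for a human reviewer: a path under Temp is where the thread's helper started too, but a legitimate installer can leave the same trace, so each flagged line still needs to be checked against what the user actually installed.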


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,676 posts
  • Gender:Male
  • Location:USA

Posted 17 August 2004 - 11:01 PM

You are currently using hijackthis from a temp directory. This can cause problems. Please create a directory on your c: drive called c:\hijackthis and download and unzip hijackthis into that directory. Run the program from that directory from now on.

For a tutorial on how to use HijackThis please see the following link:

Using HijackThis to Remove Spyware, Browser Hijackers, and Dialers

I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Then,

Click on Start, Settings, Control Panel and double-click on Add/Remove Programs. From within Add/Remove Programs, uninstall the following if they exist:

Window Search
Win Tools
IEtools
IESearch
Windows Assistant
WindowsSA
Search Assistant
Windows Search Assistant

When uninstalling you will be prompted to insert a security code. Please do so and reboot when done.

If you do not see these two programs in your Add/Remove Programs then download and run both of these uninstallers:

http://lop.com/new_uninstall.exe
http://lop.com/toolbar_uninstall.exe

Finally,

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix button:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50171
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50171
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50171
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sublimedirectory.com/
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: MyObj Class - {275636E4-A535-4668-9FF1-86DC0C62D446} - C:\WINNT\msopt.dll
O2 - BHO: (no name) - {4AFF3A5D-EC32-01B5-8753-6D5509D52F48} - C:\WINNT\System32\lomecad.dll
O2 - BHO: (no name) - {8403CB53-12B3-4537-9DEC-4F12F70A883D} - C:\WINNT\System32\anti-pp.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {AD4B232D-252F-4396-A5DC-47E58E3D9C04} - C:\WINNT\system32\pjp.dll (file missing)
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\User\Local Settings\Temp\u6NaaXq5F.dll
O4 - HKLM\..\Run: [w32sup] C:\WINNT\System32\w32sup.exe
O4 - HKLM\..\Run: [DYiXKu6S] C:\documents and settings\user\local settings\temp\DYiXKu6S.exe
O4 - HKLM\..\Run: [J4DS6Y] C:\documents and settings\user\local settings\temp\J4DS6Y.exe
O4 - HKLM\..\Run: [rZKMD] C:\documents and settings\user\local settings\temp\rZKMD.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [47Fk3sP] tftptdlg.exe
O4 - HKCU\..\Run: [Hahh] C:\Documents and Settings\User\Application Data\astt.exe
O4 - HKCU\..\Run: [Rmfaldr] C:\WINNT\System32\rrxabm.exe
O4 - HKCU\..\Run: [LwwqRijqe] trkasf.exe
O16 - DPF: {10000030-1000-0000-1000-000000000000} - its:mhtml:file://c:\\MAIN.MHT!http://zloeboogle.biz/dial.chm?wmid=71::/x.exe
O16 - DPF: {11311111-1111-1111-1111-11111121115F} - file://C:\Recycled\Q381010.exe
O16 - DPF: {121AC498-3F3A-4C39-9BEA-CFC4EA809FDF} (XlocatorInstall.Install) - http://www.xlocator.com/download/xlocatorlight.CAB



Reboot your computer into Safe Mode and delete the following files:

Then delete these files or directories (Do not be concerned if they do not exist)

C:\WINNT\msopt.dll
C:\WINNT\System32\lomecad.dll
C:\WINNT\System32\anti-pp.dll
C:\PROGRAM FILES\COMMON FILES\WinTools\
C:\Documents and Settings\User\Local Settings\Temp\u6NaaXq5F.dll
C:\WINNT\System32\w32sup.exe
C:\documents and settings\user\local settings\temp\DYiXKu6S.exe
C:\documents and settings\user\local settings\temp\J4DS6Y.exe
C:\documents and settings\user\local settings\temp\rZKMD.exe
C:\WINNT\System32\tftptdlg.exe
C:\Documents and Settings\User\Application Data\astt.exe
C:\WINNT\System32\rrxabm.exe
C:\WINNT\System32\trkasf.exe

Disable System Restore. You can find instructions on how to disable and re-enable System Restore here:

Managing Windows Millennium System Restore
or

Windows XP System Restore Guide

Re-enable System Restore with instructions from the tutorial above.

Reboot your computer to go back to normal mode and post a new log.



