Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

hijack this


  • This topic is locked This topic is locked
6 replies to this topic

#1 ginpony

ginpony

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:05:33 PM

Posted 05 May 2004 - 07:32 PM

I did everything like the posting said. Would someone let me know if I have to fix anything??? Thank you
Logfile of HijackThis v1.97.7
Scan saved at 8:25:55 PM, on 5/5/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan NT\MCSHIELD.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Network Associates\VirusScan NT\SHSTAT.EXE
C:\WINNT\system32\NWTRAY.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\chewy\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.com
F1 - win.ini: run=C:\WINNT\SYSTEM32\services\y.exe
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan NT\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [FcpEXE] "C:\Program Files\Network Associates\VirusScan NT\fcp.exe"
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [xpsystem] C:\WINNT\SYSTEM32\services\y.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8109.9006481481
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw10fd.law10.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{B402E686-438E-44DA-A681-9696470D9CC5}: Domain = rapistan.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F11132D9-3EDC-46F0-815B-C3A830E7E520}: NameServer = 207.69.188.187 207.69.188.186
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = rapistan.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = rapistan.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = rapistan.com

BC AdBot (Login to Remove)

 


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,716 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:33 PM

Posted 05 May 2004 - 09:08 PM

I want you to fix some of those entries. Please do the following:

First Disable System Restore. You can find instructions on how to enable and reenable system restore here:

Managing Windows Millenium System Restore
or

Windows XP System Restore Guide

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Just fix these
F1 - win.ini: run=C:\WINNT\SYSTEM32\services\y.exe
O4 - HKCU\..\Run: [xpsystem] C:\WINNT\SYSTEM32\services\y.exe

Reboot your computer into Safe Mode and delete the following files:

Then delete these
C:\WINNT\SYSTEM32\services\y.exe

Renable system restore with instructions from tutorial above

Reboot your computer to go back to normal mode and post a new log.

#3 ginpony

ginpony
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:05:33 PM

Posted 05 May 2004 - 10:53 PM

I fixed things in Hijack, but insafe I could not find C:\winnt\system32\services\y.exe

Can you check the new Hijack file.

Logfile of HijackThis v1.97.7
Scan saved at 11:52:04 PM, on 5/5/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan NT\MCSHIELD.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Network Associates\VirusScan NT\SHSTAT.EXE
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\NWTRAY.EXE
C:\Documents and Settings\chewy\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.com
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan NT\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [FcpEXE] "C:\Program Files\Network Associates\VirusScan NT\fcp.exe"
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8109.9006481481
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw10fd.law10.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{B402E686-438E-44DA-A681-9696470D9CC5}: Domain = rapistan.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = rapistan.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = rapistan.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = rapistan.com

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,716 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:33 PM

Posted 05 May 2004 - 11:15 PM

Looks good to me. Make sure you run a virus scan on your compute rto see if iit can find that Y.exe

#5 JEservices

JEservices

    helping hand


  • Members
  • 1,700 posts
  • OFFLINE
  •  
  • Location:Texas
  • Local time:04:33 PM

Posted 06 May 2004 - 08:50 AM

This is more of a curiousity, then a change.

I noticed that some of the O4s have the entry in quotes. Would there be a reason behind this?
We are all curious like a cat. We wonder, we ask, we learn.
Please post back when a suggestion works, so that others may learn.

#6 Guest_Plimsol_*

Guest_Plimsol_*

  • Guests
  • OFFLINE
  •  

Posted 06 May 2004 - 09:24 AM

The quotes are there because the program that added that registry entry used them. In previous versions of windows you could not specificy a diretory name or file name that had spaces in it without putting it in quotes. By a developer inserting an entry into the registry in quotes they are making sure that this program will work on older versions of windows.

#7 JEservices

JEservices

    helping hand


  • Members
  • 1,700 posts
  • OFFLINE
  •  
  • Location:Texas

Posted 06 May 2004 - 09:47 AM

That is good to know. Thanks for the information.
We are all curious like a cat. We wonder, we ask, we learn.
Please post back when a suggestion works, so that others may learn.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users