Hijack Log


#1 ebsa

Posted 27 September 2004 - 01:13 PM

Logfile of HijackThis v1.98.2
Scan saved at 19:56:11, on 27/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\WINDOWS\System32\CTSVCCDA.EXE
C:\windows\System32\nvsvc32.exe
C:\windows\System32\svchost.exe
C:\windows\system32\winlogon.exe
C:\windows\Explorer.EXE
C:\Archivos de programa\Intel\NCS\PROSet\PRONoMgr.exe
C:\windows\SOUNDMAN.EXE
C:\WINDOWS\System32\rmctrl.exe
C:\Archivos de programa\Microsoft Hardware\Keyboard\type32.exe
C:\Archivos de programa\Creative\PC-CAM Center\CAMTRAY.EXE
C:\Archivos de programa\Creative\ShareDLL\CtNotify.exe
C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Archivos de programa\Kazaa Lite K++\KazaaLite.kpp
C:\Archivos de programa\Messenger Plus! 3\MsgPlus.exe
C:\ARCHIV~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
c:\archiv~1\intern~1\iexplore.exe
C:\Archivos de programa\Creative\ShareDLL\MediaDet.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\windows\System32\ctfmon.exe
C:\windows\System32\qlmnxaxv.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\windows\System32\wuauclt.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.creative.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.xcdszqvozd.com/HCJOwlX5w_6UOaDR...co6cX4RrKgs.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.es/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\windows\nem219.dll (file missing)
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\windows\localNRD.dll
O2 - BHO: (no name) - {08A119E1-47F7-1530-3B09-10C996AB7F48} - C:\ARCHIV~1\WIPEGR~1\exit build.exe
O2 - BHO: (no name) - {31AA6B7E-B043-2BE4-D400-12550DAA7744} - C:\windows\System32\vvwixct.dll
O2 - BHO: TrustFourHole - {59243948-8B47-4E8C-2305-289445082F96} - C:\ARCHIV~1\WIPEGR~1\frag bone.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\windows\System32\msdxm.ocx
O3 - Toolbar: (no name) - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - (no file)
O3 - Toolbar: Barra de Herramientas MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Toolbar\01.01.1629.0\es\msntb.dll (file missing)
O3 - Toolbar: Drive4Face - {2E5E6D3C-044A-BA9A-2240-D673F03037FA} - C:\ARCHIV~1\WIPEGR~1\frag bone.dll (file missing)
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Archivos de programa\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Archivos de programa\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Archivos de programa\Creative\PC-CAM Center\CAMTRAY.EXE
O4 - HKLM\..\Run: [PC-CAM 300 STI App Registration] RunDLL32.exe Pd016pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [Disc Detector] C:\Archivos de programa\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [KAZAA] "C:\Archivos de programa\Kazaa Lite K++\kpp.exe" "C:\Archivos de programa\Kazaa Lite K++\KazaaLite.kpp" /SYSTRAY
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Archivos de programa\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [five warn] C:\ARCHIV~1\COMP2M~1\mp3 beep.exe
O4 - HKLM\..\Run: [hwhpfhw] C:\windows\System32\fzkjekhv.exe
O4 - HKLM\..\Run: [conscorr] C:\windows\conscorr.exe
O4 - HKLM\..\Run: [bkl] C:\WINDOWS\bkl.exe
O4 - HKLM\..\Run: [Body remote web nurb] C:\Documents and Settings\All Users\Datos de programa\CloseLinkBodyRemote\Junk Inter.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\windows\System32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Archivos de programa\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Nff] C:\windows\System32\qlmnxaxv.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GStartup.lnk = C:\Archivos de programa\Archivos comunes\GMT\GMT.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Letras de canciones - {AF0828BC-CB46-4C8D-95B6-8A7C4988F9FF} - c:\nge-cadenamusical\index.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O12 - Plugin for .mp3: C:\Archivos de programa\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for ¸æk: C:\Archivos de programa\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for ¸æ±: C:\Archivos de programa\Internet Explorer\PLUGINS\npqtplugin4.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.creative.com
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab28578.cab
O16 - DPF: {4B6015E7-3ABB-45DC-96B7-55A843751F28} (IntRuboskizo2 Class) - http://espana01.netvenda.com/trithon.cab
O16 - DPF: {5F426A93-0821-47D2-A126-5A48A874B289} (DialerWeb Class) - http://212.145.159.194/251065/dialercab/WebRecomendada.cab
O16 - DPF: {73F0FD85-BD47-4A95-86D1-DE38860462C1} (PremiumHTML Class) - http://www.accesoplugin.com/dialercab/IberoDialerHTML.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab

thanks :thumbsup:

#2 Daisuke

    Cleaner on Duty


Posted 27 September 2004 - 03:14 PM

Hi ebsa

If you have Messenger Plus Sponsor installed remove Messenger Plus from Add/Remove Programs, then reinstall it and choose not to install the Sponsor.

Print these instructions because you are not able to access the Internet in SafeMode.

Download Ad-aware SE: here
Install it. When you get the last screen, with the "Finish" button and 3 options, uncheck those three items.
Open AdAware and click the "Check for updates now" link. Close AdAware. Don't use it yet.

Make sure you are set to show hidden files and folders:
A. On the Tools menu in Windows Explorer, click Folder Options.
B. Click the View tab.
C. Under Hidden files and folders, click Show hidden files and folders.
D. Uncheck Hide extensions for known filetypes and Hide protected operating system files.
How to see hidden files in Windows

REBOOT into SafeMode: Starting your computer in Safe mode, use the F8 method

Run HijackThis!, press "Scan" and tick the boxes next to all these, close all other windows and browsers, then press "Fix Checked" button.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.xcdszqvozd.com/HCJOwlX5w_6UOaDR...co6cX4RrKgs.htm
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\windows\nem219.dll (file missing)
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\windows\localNRD.dll
O2 - BHO: (no name) - {08A119E1-47F7-1530-3B09-10C996AB7F48} - C:\ARCHIV~1\WIPEGR~1\exit build.exe
O2 - BHO: (no name) - {31AA6B7E-B043-2BE4-D400-12550DAA7744} - C:\windows\System32\vvwixct.dll
O2 - BHO: TrustFourHole - {59243948-8B47-4E8C-2305-289445082F96} - C:\ARCHIV~1\WIPEGR~1\frag bone.dll (file missing)

O3 - Toolbar: (no name) - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - (no file)
O3 - Toolbar: Barra de Herramientas MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Toolbar\01.01.1629.0\es\msntb.dll (file missing)
O3 - Toolbar: Drive4Face - {2E5E6D3C-044A-BA9A-2240-D673F03037FA} - C:\ARCHIV~1\WIPEGR~1\frag bone.dll (file missing)

O4 - HKLM\..\Run: [five warn] C:\ARCHIV~1\COMP2M~1\mp3 beep.exe
O4 - HKLM\..\Run: [hwhpfhw] C:\windows\System32\fzkjekhv.exe
O4 - HKLM\..\Run: [conscorr] C:\windows\conscorr.exe
O4 - HKLM\..\Run: [bkl] C:\WINDOWS\bkl.exe
O4 - HKLM\..\Run: [Body remote web nurb] C:\Documents and Settings\All Users\Datos de programa\CloseLinkBodyRemote\Junk Inter.exe
O4 - HKCU\..\Run: [Nff] C:\windows\System32\qlmnxaxv.exe
O4 - Global Startup: GStartup.lnk = C:\Archivos de programa\Archivos comunes\GMT\GMT.exe

O9 - Extra button: Letras de canciones - {AF0828BC-CB46-4C8D-95B6-8A7C4988F9FF} - c:\nge-cadenamusical\index.html (file missing)

O16 - DPF: {4B6015E7-3ABB-45DC-96B7-55A843751F28} (IntRuboskizo2 Class) - http://espana01.netvenda.com/trithon.cab
O16 - DPF: {5F426A93-0821-47D2-A126-5A48A874B289} (DialerWeb Class) - http://212.145.159.194/251065/dialercab/WebRecomendada.cab
O16 - DPF: {73F0FD85-BD47-4A95-86D1-DE38860462C1} (PremiumHTML Class) - http://www.accesoplugin.com/dialercab/IberoDialerHTML.cab


Search for these files and delete them if found:
C:\windows\nem219.dll <-- this file
C:\windows\localNRD.dll <-- this file
C:\windows\System32\vvwixct.dll <-- this file
C:\windows\System32\fzkjekhv.exe <-- this file
C:\windows\conscorr.exe <-- this file
C:\WINDOWS\bkl.exe <-- this file
C:\windows\System32\qlmnxaxv.exe <-- this file

Delete these folders:
WIPEGR~1 in C:\Archivos de programa\
COMP2M~1 in C:\Archivos de programa\
CloseLinkBody in C:\Documents and Settings\All Users\Datos de programa\
GMT in C:\Archivos de programa\Archivos comunes\
nge-cadenamusical in c:\

Run AdAware, press the "Start" button, uncheck "Scan for negligible risk entries", select "Perform full system scan" and press "Next". Let AdAware remove anything it finds.

Clean out temporary and Temporary Internet Files. Go to Start -> Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:
Temporary Files
Temporary Internet Files
Recycle Bin


REBOOT normally.

Perform a full scan here: Trendmicro, tick AutoClean and let it remove anything it finds.

Run HijackThis! again and post a new log.
Every day is virus day. Do you know where your recovery CDs are?
Did you create them yet?
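A triage pass over the HijackThis log format used in this thread, written as an added example (it is not the thread's own code nor part of HijackThis): it parses the R/O entries and tags the patterns Daisuke picked out above, so a reviewer can see why an entry was chosen. The regex heuristics and the KNOWN_OK allowlist are assumptions tuned to this log; a person still decides what to fix.

```python
"""Triage helper for HijackThis (v1.98-era) log lines: an added example, not code
from this thread or from HijackThis. It flags the entry patterns the cleaner
acted on above as a first pass for a human reviewer, not as an auto-fixer."""
import re

# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.xcdszqvozd.com/HCJOwlX5w_6UOaDR...co6cX4RrKgs.htm
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\windows\nem219.dll (file missing)
O4 - HKLM\..\Run: [hwhpfhw] C:\windows\System32\fzkjekhv.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\windows\System32\ctfmon.exe
O16 - DPF: {5F426A93-0821-47D2-A126-5A48A874B289} (DialerWeb Class) - http://212.145.159.194/251065/dialercab/WebRecomendada.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
"""

ENTRY = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
RANDOM_NAME = re.compile(r"\\([a-z]{7,8})\.(?:exe|dll)\b")  # e.g. \fzkjekhv.exe
DIALER_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}/|dialer", re.I)  # raw-IP host or 'dialer'
TRUSTED_SEARCH = re.compile(r"=\s*https?://[^/\s]*\.(?:microsoft|msn)\.com", re.I)
# Legitimate lowercase 7-8 letter names seen in Run keys: a constructed
# allowlist (assumption), to be extended for your own environment.
KNOWN_OK = {"ctfmon.exe", "msnmsgr.exe"}

def reasons_for(section: str, body: str) -> list[str]:
    """Return the triage tags that apply to one parsed log entry."""
    tags = []
    if body.endswith("(file missing)") or body.endswith("(no file)"):
        tags.append("dead-reference")  # orphaned CLSID/hook, safe to clear
    if section == "O4":
        m = RANDOM_NAME.search(body)
        if m and m.group(0).lstrip("\\") not in KNOWN_OK:
            tags.append("random-name")  # autostart with a generated-looking name
    if section == "O16" and DIALER_URL.search(body):
        tags.append("dialer-activex")  # premium-rate dialer delivered as a .cab
    if section in ("R0", "R1") and "Search" in body and not TRUSTED_SEARCH.search(body):
        tags.append("search-hijack")  # IE search handler pointed off-site
    return tags

def triage(log_text: str) -> list[tuple[str, list[str]]]:
    """Parse a HijackThis log and return (line, tags) for every flagged entry."""
    flagged = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, process list or blank line
        tags = reasons_for(m.group("sec"), m.group("body"))
        if tags:
            flagged.append((line, tags))
    return flagged
```

Running `triage(SAMPLE_LOG)` flags the SearchAssistant, the missing BHO, the fzkjekhv.exe Run entry and the dialer cab, and leaves the Google start page, ctfmon.exe and the MSN upload control alone.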
