Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Can some1 check my Hijack logfile


  • This topic is locked This topic is locked
3 replies to this topic

#1 Saikostyle

Saikostyle

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:09:21 AM

Posted 06 June 2004 - 05:24 AM

Logfile of HijackThis v1.97.7
Scan saved at 12:24:23, on 6/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\WINDOWS\System32\uidspdr.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Keymaestro\Multimedia Keyboard\nhksrv.exe
C:\WINDOWS\System32\Ati2evxx.exe
E:\aPpZ\NortonAV\navapsvc.exe
E:\aPpZ\NortonAV\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WindowsSA\omniscient.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\Program Files\Common Files\Symantec Shared\NMain.exe
E:\aPpZ\NortonAV\navw32.exe
C:\Documents and Settings\Sjoerd1\Desktop\HijackThis1.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\aPpZ\NortonAV\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\aPpZ\NortonAV\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [eac_cnry] C:\DOCUME~1\Sjoerd1\LOCALS~1\Temp\EACDownload\crcr.exe raven.veloz.com /pub/download/defscan_install.exe eanth_setup.exe adsp -k
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] E:\aPpZ\NortonAV\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [nmcxltxog] C:\WINDOWS\System32\uidspdr.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKLM\..\RunOnce: [Ad-aware] "E:\aPpZ\AD-AWA~1\Ad-aware.exe" "+b1"
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...362/mcfscan.cab

BC AdBot (Login to Remove)

 


#2 Guest_Plimsol_*

Guest_Plimsol_*

  • Guests
  • OFFLINE
  •  

Posted 06 June 2004 - 10:47 AM

Ok the first thing you should consider is uninstalling Messenger Plus. It is know to install Hijackers on your computer. If the use of this program is more important that the fact that it uses hijackers, then feel free to continue using it. If you would like to remove, click on start, control panel, add/remove programs and uninstall it from there.

I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please put a checkmark in the box for each of these entries, close all other windows, and click the fix button:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O4 - HKLM\..\Run: [eac_cnry] C:\DOCUME~1\Sjoerd1\LOCALS~1\Temp\EACDownload\crcr.exe raven.veloz.com /pub/download/defscan_install.exe eanth_setup.exe adsp -k
O4 - HKLM\..\Run: [nmcxltxog] C:\WINDOWS\System32\uidspdr.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab

Reboot your computer into Safe Mode.

Then delete these files or directories
C:\Windows\System32\wsaupdater.exe
C:\WINDOWS\twaintec.dll
C:\DOCUME~1\Sjoerd1\LOCALS~1\Temp\EACDownload\crcr.exe
C:\WINDOWS\System32\uidspdr.exe
C:\Program Files\WindowsSA\


Disable System Restore. You can find instructions on how to enable and reenable system restore here:

Windows XP System Restore Guide

Renable system restore with instructions from tutorial above

Reboot your computer to go back to normal mode and post a new log.

#3 Saikostyle

Saikostyle
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  

Posted 06 June 2004 - 11:56 AM

Ok i did everything what you've sayd

here's my new logfile

Logfile of HijackThis v1.97.7
Scan saved at 18:55:35, on 6/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Keymaestro\Multimedia Keyboard\nhksrv.exe
C:\WINDOWS\System32\Ati2evxx.exe
E:\aPpZ\NortonAV\navapsvc.exe
E:\aPpZ\NortonAV\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Sjoerd1\Desktop\HijackThis1.exe

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\aPpZ\NortonAV\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\aPpZ\NortonAV\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] E:\aPpZ\NortonAV\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKLM\..\RunOnce: [MessengerPlusUninstall] C:\WINDOWS\system32\cmd.exe /C "C:\DOCUME~1\Sjoerd1\LOCALS~1\Temp\MsgPlusUninst.bat"
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...362/mcfscan.cab

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,676 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:09:21 AM

Posted 06 June 2004 - 02:20 PM

Fix this items:

O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe

Reboot your computer into safe mode and delete the following file:

c:\windows\alchem.exe

Reboot back into normal mode and post a new hijackthis log.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users