Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HijackThis Log: Please Help Diagnose


  • Please log in to reply
8 replies to this topic

#1 KristinB

KristinB

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:56 AM

Posted 01 December 2004 - 03:44 PM

I'm having trouble with a co-worker's computer, I'm not really IT but we're a small group so in many instances, I am. Can you help diagnose the attached .log?

Attached Files



BC AdBot (Login to Remove)

 


#2 raw

raw

    Bleeping Hacker


  • Members
  • 2,577 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Texas
  • Local time:11:56 AM

Posted 01 December 2004 - 07:02 PM

I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\inefn.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\inefn.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\inefn.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\inefn.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\inefn.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\inefn.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\inefn.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {6FA3C5EA-0398-42CF-8F16-CEAE67A0124D} - C:\WINNT\appdw.dll
O4 - HKLM\..\Run: [ipji.exe] C:\WINNT\system32\ipji.exe
O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKCU\..\Run: [Ccus] C:\Documents and Settings\bostonj\Application Data\cotl.exe
O4 - HKCU\..\Run: [Zbk] C:\WINNT\system32\??plorer.exe
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.static.topconverting.com
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...937c6314a45eb37
O17 - HKLM\System\CCS\Services\Tcpip\..\{8006CAEB-E8BC-4560-9C9B-CCCA06028444}: NameServer = 216.41.101.15

Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)

C:\WINNT\system32\inefn.dll
C:\WINNT\appdw.dll
C:\WINNT\system32\ipji.exe
C:\Program Files\Windows TaskAd\WinTaskAd.exe <-Delete Windows TaskAd Folder
c:\temp\salm.exe
C:\Documents and Settings\bostonj\Application Data\cotl.exe
C:\WINNT\system32\??plorer.exe
C:\PROGRA~1\COMMON~1\tsa\tsm2.exe <-Delete tsa Folder

Reboot your computer to go back to normal mode and post a new log.

rawsig.png

 rawcreations.net          @raw_creations


Current systems: WHAT OS, BackTrack-raw, PCLinuxOS, Peppermint OS 6, Kali Linux

and a custom Linux From Scratch server hosting a bunch of top secret stuff.


#3 KristinB

KristinB
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:56 AM

Posted 02 December 2004 - 04:21 PM

I followed the instructions for the original log I sent. Now, when I open IE I no longer get HomeSearch, however, I can't get any other websites, at all. I've attached a new HijackThis log. What do I do now?

Attached Files



#4 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:11:56 AM

Posted 03 December 2004 - 06:51 AM

Logfile of HijackThis v1.98.2
Scan saved at 4:15:18 PM, on 12/2/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\slpservice.exe
C:\WINNT\system32\slpmonx.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\addzl.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\system32\netcw.exe
C:\Documents and Settings\bostonj\Desktop\HijackThis\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {05DEE624-9067-25BE-4286-CD2C46E0B625} - C:\WINNT\system32\d3ae32.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CleanIt] C:\Program Files\CleanIt\cleanit.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [netcw.exe] C:\WINNT\system32\netcw.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab



KristinB when responding to a post from one of our HJT Team members, please reply in the same topic - click the Add Reply button. Do not create a new topic for your reply. This will cause confusion and a delay in the help you are receiving.

I merged your topics.

Please open Internet Explorer. Close it. REBOOT your computer.

Run HijackThis again. Press the Scan button, then Save Log.
Notepad will open.

In Notepad click
Edit menu --> Select All
then
Edit menu --> Copy

Right click in the message area and click on the paste option to paste the log into the post.

Follow this link to download ServiceFilter: ServiceFilter download

Unzip the content to a folder, such as c:\ServiceFilter.

Navigate to c:\ServiceFilter folder and (double)click the ServiceFilter.vbs file.

If you have a script blocking program you will get a warning asking if you want to allow ServiceFilter.vbs to run. Allow the script to run.

Note: The script DOES NOT find bad services, it simply filters out what is known to be ok.

Follow the instructions on the screen and WordPad will open.

In WordPad click
Edit menu --> Select All
then
Edit menu --> Copy


Right click in the message area and click on the paste option to paste the log into the post.

Edited by cryo, 03 December 2004 - 06:53 AM.

Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image

#5 KristinB

KristinB
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:56 AM

Posted 03 December 2004 - 08:56 AM

Thanks! Sorry for the confusion.
-----------------------------------------------------------
Logfile of HijackThis v1.98.2
Scan saved at 4:15:18 PM, on 12/2/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\slpservice.exe
C:\WINNT\system32\slpmonx.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\addzl.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\system32\netcw.exe
C:\Documents and Settings\bostonj\Desktop\HijackThis\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {05DEE624-9067-25BE-4286-CD2C46E0B625} - C:\WINNT\system32\d3ae32.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CleanIt] C:\Program Files\CleanIt\cleanit.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [netcw.exe] C:\WINNT\system32\netcw.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

Service Filter......................
The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows 2000 Professional
Version: 5.0.2195 Service Pack 3
Dec 3, 2004 8:56:51 AM


===> Begin Service Listing <===

Unknown Service #1
Service Name: DefWatch
Display Name: DefWatch
Start Mode: Auto
Start Name: LocalSystem
Description: DefWatch...
Service Type: Own Process
Path: c:\progra~1\symant~1\symant~1\defwatch.exe
State: Running
Process ID: 492
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service #2
Service Name: Norton AntiVirus Server
Display Name: Symantec AntiVirus Client
Start Mode: Auto
Start Name: LocalSystem
Description: Symantec AntiVirus ...
Service Type: Own Process
Path: c:\progra~1\symant~1\symant~1\rtvscan.exe
State: Running
Process ID: 536
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 3
Service Name: SLPMONX
Display Name: SLPMONX
Start Mode: Auto
Start Name: LocalSystem
Description: SLPMONX...
Service Type: Own Process
Path: c:\winnt\system32\slpservice.exe
State: Running
Process ID: 656
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 4
Service Name: %AF
Display Name: Remote Procedure Call (RPC) Helper
Start Mode: Auto
Start Name: LocalSystem
Description: Remote Procedure Call (RPC) ...
Service Type: Share Process
Path: c:\winnt\system32\addzl.exe /s
State: Running
Process ID: 760
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

---> End Service Listing <---

There are 58 Win32 services on this machine.
4 were unrecognized.

Script Execution Time: 1.822266 seconds.

#6 raw

raw

    Bleeping Hacker


  • Members
  • 2,577 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Texas
  • Local time:11:56 AM

Posted 03 December 2004 - 11:17 AM

You may want to print out these directions as the Internet will not be available. Please continue with the next step if you run into a problem with the current one. Just be sure to let us know what the problem was when you reply.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please download About:Buster from here: About:Buster Download. Once it is downloaded extract it to
c:\aboutbuster. We will use that program later in this process.

Reboot your computer into Safe Mode and follow these steps:

Step 1:

Click on start, then control panel, then administrative programs, then services. Look for a service called Remote Procedure Call (RPC) Helper. Double click on the that service and click stop and then set the startup to disabled.

Step 2:

Press control-alt-delete to get into the task manager and end the follow processes if they exist:

C:\WINNT\system32\addzl.exe
C:\WINNT\system32\netcw.exe

Step 3:
Then close all programs and windows and run hijackthis. Put a checkmark next to each of these entries and press the fix button when ready:
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {05DEE624-9067-25BE-4286-CD2C46E0B625} - C:\WINNT\system32\d3ae32.dll
O4 - HKLM\..\Run: [netcw.exe] C:\WINNT\system32\netcw.exe
Step 4:

I now need you to delete the following files:

C:\WINNT\system32\addzl.exe
C:\WINNT\system32\netcw.exe
C:\WINNT\system32\d3ae32.dll

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. if it is uncheck it and try again.

Step 5:

Copy the contents of the Quote Box below to Notepad.
Name the file as fix.reg
Change the Save as Type to All Files
Save this file on the desktop

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_<insertservicename>]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\<insertservicename>]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_<insertservicename>]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<insertservicename>]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]


Then double-click on the fix.reg file, and when it prompts to merge say yes, and this will clear some registry entries left behind by the process.

Step 6:

This is the step where we will use About:Buster that you had downloaded previously.

Navigate to the c:\aboutbuster directory and double-click on aboutbuster.exe When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for files. If it asks if you would like to do a second pass, allow it to do so.

When it completed move on to step 7.


Step 7:
Reboot your computer back to normal mode so that we can restore files that were deleted by this infection:
  • This infection deletes the windows file, shell.dll.

    If you are using XP,2000, or NT please download shell.dll from here: shell-dll.zip. Once the file is downloaded uncompress the zip file and copy shell.dll to the following locations (%windir% being the windows or winnt directory):

    %windir%\system32
    %windir%\system

    If you are using Windows 98*Grinler please download shell.dll from here: shell-dll98.zip. Once the file is downloaded uncompress the zip file and copy shell.dll to the following locations (%windir% being the windows or winnt directory):

    %windir%\system

  • Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program. This will restore the original deleted Hosts file.

  • If you have Spybot S&D installed you will also need to replace one file. Go here: SDHelper.zip and download SDHelper.dll. Copy the file to the folder containing you Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy). Then click Start > Run > regsvr32 "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" and press the OK button

  • If you are using Windows 95, 98, or ME it is possible that the malware deleted your control.exe. Please check for the existence of this file by going to to Merijn Files control.exe and examine where the file should be for your operating system. If the file is missing then download the appropriate file and place it in the proper place according to this information.
Step 8:

Run an online antivirus scan at:

http://housecall.antivirus.com/

Reboot and post a last log

rawsig.png

 rawcreations.net          @raw_creations


Current systems: WHAT OS, BackTrack-raw, PCLinuxOS, Peppermint OS 6, Kali Linux

and a custom Linux From Scratch server hosting a bunch of top secret stuff.


#7 KristinB

KristinB
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:56 AM

Posted 03 December 2004 - 02:49 PM

Thanks! However, I still cannot access the internet at all, even after the fixes. (I'm doing this from my computer while working on the problem machine.) Here is the most recent HijackThis log.

Logfile of HijackThis v1.98.2
Scan saved at 2:48:39 PM, on 12/3/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Documents and Settings\bostonj\Desktop\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CleanIt] C:\Program Files\CleanIt\cleanit.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

#8 raw

raw

    Bleeping Hacker


  • Members
  • 2,577 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Texas
  • Local time:11:56 AM

Posted 03 December 2004 - 05:34 PM

Download lspfix. It should fit on a floppy
http://www.bleepingcomputer.com/files/lspfix.php
Run it and check "I know what i'm doing".click finish.

Run HJT and delete these entries:
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com

Reboot and verify your internet connection.

Edited by raw, 03 December 2004 - 05:35 PM.

rawsig.png

 rawcreations.net          @raw_creations


Current systems: WHAT OS, BackTrack-raw, PCLinuxOS, Peppermint OS 6, Kali Linux

and a custom Linux From Scratch server hosting a bunch of top secret stuff.


#9 KristinB

KristinB
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:56 AM

Posted 13 December 2004 - 01:40 PM

Thank you so much for your assistance! The non-connection problem ended up being that the DNS entries had disappeared. Once I put them back in everything worked perfectly, AND, no more Hijacking problems! Thanks again!

Kristin
:thumbsup:




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users