Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

hjt log danredwing...please help!


  • Please log in to reply
1 reply to this topic

#1 danredwing

danredwing

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:35 PM

Posted 27 December 2004 - 10:07 PM

here is my log and I'll describe the basics of what has been going on. IE always goes directly to find4u.com and won't let me go to google. Also, often when I'm away from the machine, IE will open and try to dial in to load a site www.mrdrocher.com. It also does this in the MSN browser while I'm online....almost like a pop up, but it uses the window that I'm currently in.

I've "fixed" all the r0 and r1s and other stuff before, but it always reappears when I reboot.

thanks!

dan

Logfile of HijackThis v1.99.0
Scan saved at 6:59:34 PM, on 12/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\MSN\MSNCoreFiles\msn6.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Dell\Support\Alert\bin\AlertView.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjt\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.find4u.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.find4u.net/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.find4u.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.find4u.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.find4u.net/sp.htm
O1 - Hosts: 66.250.130.132 thehun.net
O1 - Hosts: 66.250.130.132 www.thehun.net
O1 - Hosts: 66.250.130.132 thehun.com
O1 - Hosts: 66.250.130.132 www.thehun.com
O1 - Hosts: 66.250.130.132 worldsex.com
O1 - Hosts: 66.250.130.132 www.worldsex.com
O1 - Hosts: 66.250.130.132 sexocean.com
O1 - Hosts: 66.250.130.132 www.sexocean.com
O1 - Hosts: 66.250.130.132 easypic.com
O1 - Hosts: 66.250.130.132 www.easypic.com
O1 - Hosts: 66.250.130.132 free6.com
O1 - Hosts: 66.250.130.132 www.free6.com
O1 - Hosts: 66.250.130.132 al4a.com
O1 - Hosts: 66.250.130.132 www.al4a.com
O1 - Hosts: 66.250.130.132 thumbnailpost.com
O1 - Hosts: 66.250.130.132 www.thumbnailpost.com
O1 - Hosts: 66.250.130.132 drbizzaro.com
O1 - Hosts: 66.250.130.132 www.drbizzaro.com
O1 - Hosts: 66.250.130.132 hoes.com
O1 - Hosts: 66.250.130.132 www.hoes.com
O1 - Hosts: 66.250.130.132 absolut-series.com
O1 - Hosts: 66.250.130.132 www.absolut-series.com
O1 - Hosts: 66.250.130.132 elephantlist.com
O1 - Hosts: 66.250.130.132 www.elephantlist.com
O1 - Hosts: 66.250.130.132 ah-me.com
O1 - Hosts: 66.250.130.132 www.ah-me.com
O1 - Hosts: 66.250.130.131 msn.com
O1 - Hosts: 66.250.130.131 www.msn.com
O1 - Hosts: 66.250.130.131 search.msn.com
O1 - Hosts: 66.250.130.131 auto.search.msn.com
O1 - Hosts: 66.250.130.133 google.com
O1 - Hosts: 66.250.130.133 www.google.com
O1 - Hosts: 66.250.130.133 google.de
O1 - Hosts: 66.250.130.133 www.google.de
O1 - Hosts: 66.250.130.133 google.co.in
O1 - Hosts: 66.250.130.133 www.google.co.in
O1 - Hosts: 66.250.130.133 google.ca
O1 - Hosts: 66.250.130.133 www.google.ca
O1 - Hosts: 66.250.130.133 google.fr
O1 - Hosts: 66.250.130.133 www.google.fr
O1 - Hosts: 66.250.130.133 google.it
O1 - Hosts: 66.250.130.133 www.google.it
O1 - Hosts: 66.250.130.133 google.com.au
O1 - Hosts: 66.250.130.133 www.google.com.au
O1 - Hosts: 66.250.130.133 google.co.uk
O1 - Hosts: 66.250.130.133 www.google.co.uk
O1 - Hosts: 66.250.130.133 google.be
O1 - Hosts: 66.250.130.133 www.google.be
O1 - Hosts: 66.250.130.130 find4u.net
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [SysTray] C:\WINDOWS\System32\ugqyl.exe
O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: winlogon.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-17.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF946D06-DDBB-4BD2-B778-69754BD726F6}: NameServer = 205.171.3.65 205.171.2.65
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

BC AdBot (Login to Remove)

 


m

#2 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:03:35 PM

Posted 29 December 2004 - 05:45 AM

Hi :thumbsup:

Please print or copy these instructions because you are not able to access the Internet in SafeMode.

Make sure you are set to show hidden files and folders:
A. On the Tools menu in Windows Explorer, click Folder Options.
B. Click the View tab.
C. Under Hidden files and folders, click Show hidden files and folders.
D. Uncheck Hide extensions for known filetypes and Hide protected operating system files.
How to see hidden files in Windows

REBOOT into SafeMode by tapping F8 key repeatedly at bootup: Starting your computer in Safe mode

Run HijackThis!, press Scan, and put a check mark next to all these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.find4u.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.find4u.net/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.find4u.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.find4u.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.find4u.net/sp.htm
O1 - Hosts: 66.250.130.132 thehun.net
O1 - Hosts: 66.250.130.132 www.thehun.net
O1 - Hosts: 66.250.130.132 thehun.com
O1 - Hosts: 66.250.130.132 www.thehun.com
O1 - Hosts: 66.250.130.132 worldsex.com
O1 - Hosts: 66.250.130.132 www.worldsex.com
O1 - Hosts: 66.250.130.132 sexocean.com
O1 - Hosts: 66.250.130.132 www.sexocean.com
O1 - Hosts: 66.250.130.132 easypic.com
O1 - Hosts: 66.250.130.132 www.easypic.com
O1 - Hosts: 66.250.130.132 free6.com
O1 - Hosts: 66.250.130.132 www.free6.com
O1 - Hosts: 66.250.130.132 al4a.com
O1 - Hosts: 66.250.130.132 www.al4a.com
O1 - Hosts: 66.250.130.132 thumbnailpost.com
O1 - Hosts: 66.250.130.132 www.thumbnailpost.com
O1 - Hosts: 66.250.130.132 drbizzaro.com
O1 - Hosts: 66.250.130.132 www.drbizzaro.com
O1 - Hosts: 66.250.130.132 hoes.com
O1 - Hosts: 66.250.130.132 www.hoes.com
O1 - Hosts: 66.250.130.132 absolut-series.com
O1 - Hosts: 66.250.130.132 www.absolut-series.com
O1 - Hosts: 66.250.130.132 elephantlist.com
O1 - Hosts: 66.250.130.132 www.elephantlist.com
O1 - Hosts: 66.250.130.132 ah-me.com
O1 - Hosts: 66.250.130.132 www.ah-me.com
O1 - Hosts: 66.250.130.131 msn.com
O1 - Hosts: 66.250.130.131 www.msn.com
O1 - Hosts: 66.250.130.131 search.msn.com
O1 - Hosts: 66.250.130.131 auto.search.msn.com
O1 - Hosts: 66.250.130.133 google.com
O1 - Hosts: 66.250.130.133 www.google.com
O1 - Hosts: 66.250.130.133 google.de
O1 - Hosts: 66.250.130.133 www.google.de
O1 - Hosts: 66.250.130.133 google.co.in
O1 - Hosts: 66.250.130.133 www.google.co.in
O1 - Hosts: 66.250.130.133 google.ca
O1 - Hosts: 66.250.130.133 www.google.ca
O1 - Hosts: 66.250.130.133 google.fr
O1 - Hosts: 66.250.130.133 www.google.fr
O1 - Hosts: 66.250.130.133 google.it
O1 - Hosts: 66.250.130.133 www.google.it
O1 - Hosts: 66.250.130.133 google.com.au
O1 - Hosts: 66.250.130.133 www.google.com.au
O1 - Hosts: 66.250.130.133 google.co.uk
O1 - Hosts: 66.250.130.133 www.google.co.uk
O1 - Hosts: 66.250.130.133 google.be
O1 - Hosts: 66.250.130.133 www.google.be
O1 - Hosts: 66.250.130.130 find4u.net

O4 - HKLM\..\Run: [SysTray] C:\WINDOWS\System32\ugqyl.exe
O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - Global Startup: winlogon.exe



This is a registration reminder that is used by a number of different companies. It is not needed and some people think that it reports back to the company about your computer, so I suggest fixing it...
O4 - Startup: PowerReg Scheduler.exe

Close all other windows and browsers, and press the Fix Checked button.

Search for these files and delete them if found:
C:\WINDOWS\System32\ugqyl.exe <-- this file
smsc.exe <-- this file
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe <-- this file


REBOOT normally.

Perform a full scan here: Trendmicro, check AutoClean and let him remove anything he finds.

Perform a full scan here: Panda Online, follow the instructions on the screed, make sure these are checked:
- Disinfect automatically
- Scan compressed files
- Scan e-mail files
- Neutralize Trojans
and let him remove anything he finds.

Run HijackThis! again and post a new log please.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users