Hijack Help Please!



#1 markymark

Posted 19 January 2005 - 11:55 AM

Good day to all,
Hopefully you guys can help me out, I've been hijacked!

This is my log:
Thanks a bundle.

Logfile of HijackThis v1.99.0
Scan saved at 18:44:47, on 19/01/05
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSClient.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\PROGRA~1\Navnt\defwatch.exe
C:\PROGRA~1\Navnt\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\vnxserv.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSClientTransport.exe
C:\PROGRA~1\Navnt\vpexrt.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\KPMG\Global Desktop\Utilities\SSService.exe
C:\PROGRA~1\Navnt\vptray.exe
C:\WINNT\AGRSMMSG.exe
C:\Program Files\RightFax\faxctrl.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\internat.exe
C:\WINNT\Softalkr\Bin\Softalkr.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINNT\system32\MDM.EXE
D:\Documents and Settings\markzeman\My Documents\stuff\this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\DOCUME~1\MARKZE~1\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\DOCUME~1\MARKZE~1\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by KPMG
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {61798BDF-019B-4418-9B76-DB64BFF9E5A9} - C:\WINNT\system32\hhod.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [KPMG Profile Manager] C:\Program Files\KPMG\Global Desktop\Utilities\kpmg profile manager.exe
O4 - HKLM\..\Run: [SSv2] C:\Program Files\KPMG\Global Desktop\Utilities\SSService.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKLM\..\Run: [LiveUpdate Check] C:\Program Files\navnt\vpdn_lu.exe /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [AeXSWDUsr] "C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [SoftTalker] C:\WINNT\Softalkr\Bin\Softalkr.exe
O4 - HKCU\..\Run: [Install BlackICE] "C:\Program Files\KPMG\Global Desktop\Utilities\BlackICE\GDSetup.exe"
O4 - HKCU\..\Run: [Install Inventory Agent] "C:\Program Files\KPMG\Global Desktop\Utilities\InvAgent\GDSetup.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\system32\shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://abcv.kworld.kpmg.com
O15 - Trusted Zone: http://conf.kworld.kpmg.com
O15 - Trusted Zone: http://cvsearch.kworld.kpmg.com
O15 - Trusted Zone: http://maint.kworld.kpmg.com
O15 - Trusted Zone: http://search.kworld.kpmg.com
O15 - Trusted Zone: http://suggestions.kworld.kpmg.com
O15 - Trusted Zone: http://training1.us.kworld.kpmg.com
O15 - Trusted Zone: http://www.kworld.kpmg.com
O15 - Trusted Zone: http://*.kpmgconsulting.com
O15 - Trusted Zone: http://www.kpmgtax.com
O15 - Trusted Zone: http://www.matrixcapitalonline.com
O15 - Trusted Zone: http://*.meomweb14
O15 - Trusted Zone: http://kworld2.newsedge-web.com
O15 - Trusted Zone: http://abcv.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://conf.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://cvsearch.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://maint.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://search.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://suggestions.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://training1.us.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://www.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://*.kpmgconsulting.com (HKLM)
O15 - Trusted Zone: http://www.kpmgtax.com (HKLM)
O15 - Trusted Zone: http://www.matrixcapitalonline.com (HKLM)
O15 - Trusted Zone: http://*.meomweb14 (HKLM)
O15 - Trusted Zone: http://kworld2.newsedge-web.com (HKLM)
O16 - DPF: TIMEnX - http://timenx.us.kworld.kpmg.com/TIMEnX.cab
O16 - DPF: TIMEnX Client Library - http://timenx.us.kworld.kpmg.com/tnxclient.cab
O16 - DPF: TIMEnX Fonts - http://timenx.us.kworld.kpmg.com/TmxFnt.cab
O16 - DPF: TIMEnX JFC Library - http://timenx.us.kworld.kpmg.com/tnxjfc.cab
O16 - DPF: TIMEnX VisiBroker Library - http://timenx.us.kworld.kpmg.com/tnxvb.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A02451EE00} - http://usisweb.us.kworld.kpmg.com/firm/remote/wfica.cab
O16 - DPF: {57875390-EAE5-4408-A5D1-592B642FB900} (Whale Attachment Wiper ) - https://www.virtualpc.ema.kpmg.com/images/w...b?egap=internal
O16 - DPF: {6D59A1DF-87FB-11D4-836D-00805F6FC463} - http://usnssexc31/firm/msg/softdist/gdv2ap...dk/SetupINF.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - https://www.virtualpc.ema.kworld.kpmg.com/msrdp.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - https://klearnlive.us.kworld.kpmg.com/main/...aDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = clients.us.kworld.kpmg.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{33E4B3C9-6C0D-4173-BF49-D280EA5B9C2A}: NameServer = 212.143.212.143 194.90.1.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = clients.us.kworld.kpmg.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = clients.us.kworld.kpmg.com
O18 - Filter: text/html - {A986695A-0C3C-46E6-8866-986F7EB78B4A} - C:\WINNT\system32\hhod.dll
O18 - Filter: text/plain - {A986695A-0C3C-46E6-8866-986F7EB78B4A} - C:\WINNT\system32\hhod.dll
O23 - Service: Altiris eXpress NS Client - Altiris - C:\Program Files\Altiris\eXpress\NS Client\AeXNSClient.exe
O23 - Service: Altiris eXpress NS Client Transport - Altiris - C:\Program Files\Altiris\eXpress\NS Client\AeXNSClientTransport.exe
O23 - Service: Ati HotKey Poller - Unknown - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\Navnt\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\PROGRA~1\Navnt\rtvscan.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\RapApp.exe
O23 - Service: Vsclient Service - Unknown - C:\WINNT\system32\vnxserv.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe


#2 Grinler

Lawrence Abrams

Posted 19 January 2005 - 11:22 PM

Please download this tool to your desktop. http://securityresponse.symantec.com/avcenter/FxAgentB.exe

Then run it and let it scan your computer.


Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, put a checkmark next to each of these, and then click the Fix button:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\DOCUME~1\MARKZE~1\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\DOCUME~1\MARKZE~1\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {61798BDF-019B-4418-9B76-DB64BFF9E5A9} - C:\WINNT\system32\hhod.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Reboot your computer into Safe Mode

Then delete these files or directories (do not be concerned if they do not exist):

C:\WINNT\system32\hhod.dll

Reboot your computer to go back to normal mode and post a new log.
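As an added, defender-side example (not from this thread or from the HijackThis project): a small Python triage script that parses HijackThis-format lines and flags the patterns present in this log, namely R0/R1 search settings redirected to a res:// page under a Temp folder or reset to about:blank, an unnamed O2 BHO loaded from system32, O6 policy restrictions, and O18 MIME filters that load the same DLL as a flagged BHO. The sample lines are copied from the log above; the flagging rules are my own heuristics, not HijackThis logic.

```python
import re
# Constructed sample: a few entries copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\DOCUME~1\MARKZE~1\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {61798BDF-019B-4418-9B76-DB64BFF9E5A9} - C:\WINNT\system32\hhod.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O18 - Filter: text/html - {A986695A-0C3C-46E6-8866-986F7EB78B4A} - C:\WINNT\system32\hhod.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\Navnt\defwatch.exe
"""

# Every HijackThis entry starts with a section code (R0, R1, O2, ...) followed by " - ".
LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")

def parse(log):
    """Return (section, body) pairs for every well-formed entry line."""
    entries = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m["kind"], m["body"]))
    return entries

def module_of(body):
    """O2/O18 bodies end with ' - <path>'; return that path lower-cased."""
    return body.rsplit(" - ", 1)[-1].lower()

def flag(entries):
    """Return (section, reason, body) for entries worth a closer look (heuristics)."""
    findings, bho_dlls = [], set()
    for kind, body in entries:
        low = body.lower()
        if kind in ("R0", "R1") and "res://" in low and "\\temp\\" in low:
            findings.append((kind, "search setting points to a res:// page in a Temp folder", body))
        elif kind in ("R0", "R1") and low.endswith("= about:blank"):
            findings.append((kind, "search setting reset to about:blank", body))
        elif kind == "O2" and "(no name)" in low and "\\system32\\" in module_of(body):
            bho_dlls.add(module_of(body))
            findings.append((kind, "unnamed BHO loaded from system32", body))
        elif kind == "O6":
            findings.append((kind, "IE policy restriction present", body))
    # Second pass: MIME filters (O18) that load a DLL already flagged as a BHO.
    for kind, body in entries:
        if kind == "O18" and module_of(body) in bho_dlls:
            findings.append((kind, "MIME filter loads the same DLL as a flagged BHO", body))
    return findings

if __name__ == "__main__":
    print(*flag(parse(SAMPLE_LOG)), sep="\n")
```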



