Bigfysh's hijack this list

Discussion in 'Virus & Other Malware Removal' started by Bigfysh, Sep 18, 2003.

  1. Bigfysh (Thread Starter)
    Here goes nothing

    Logfile of HijackThis v1.97.2
    Scan saved at 11:52:25 AM, on 9/18/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\NT40\KMaestro\KMaestro.exe
    C:\WINDOWS\System32\RunDll32.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\X3watch\x3watch.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Winamp\Winampa.exe
    C:\WINDOWS\System32\winmgt.exe
    C:\Program Files\NoAds\NoAds.exe
    C:\Documents and Settings\Josh\Application Data\rclw.exe
    C:\WINDOWS\System32\winservn.exe
    C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Blurty\Blurty.exe
    C:\Program Files\Network Associates\VirusScan\VsStat.exe
    C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
    C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
    C:\Program Files\Network Associates\VirusScan\Avconsol.exe
    C:\NT40\KMaestro\WTS_KEY.EXE
    C:\Program Files\Trillian\trillian.exe
    C:\WINDOWS\System32\wisptis.exe
    C:\Program Files\Kazaa Lite K++\KazaaLite.kpp
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Josh\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.ewebsearch.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.ewebsearch.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.ewebsearch.net/sp.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [KeyMaestro] C:\NT40\KMaestro\KMaestro.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [LWBMOUSE] D:\WINDOWS\lwbwheel.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [x3watch] C:\Program Files\X3watch\x3watch.exe
    O4 - HKLM\..\Run: [aseye] C:\windows\system\aseye.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [winmgt32] winmgt.exe
    O4 - HKLM\..\RunServices: [winmgt32] winmgt.exe
    O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
    O4 - HKCU\..\Run: [Cepa] C:\Documents and Settings\Josh\Application Data\rclw.exe
    O4 - HKCU\..\Run: [ContentService] C:\WINDOWS\System32\winservn.exe
    O4 - Startup: Blurty.lnk = C:\Program Files\Blurty\Blurty.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Loader Class) - http://connect.online-dialer.com/MaConnect.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1DB3B8DD-5801-443F-B2D5-9BF8912B980E} (dmgrax2Ctrl Class) - http://www.lxsystems.com/downloads/Install.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/05a50abe73417d1ce414/netzip/RdxIE601.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37867.5707638889
    O16 - DPF: {B843DA96-2B2D-447E-90AB-B92929AA11AF} (HTMLDialer Class) - http://usa-download.nocreditcard.com/download/Object/DialerHTML/EGHTMLDialerXP.cab
    O16 - DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} (ACNPlayer2 Class) - http://204.118.132.145/2_0/ACNePlayer.cab
    O16 - DPF: {C7B05B62-C8D7-438C-840B-4994DAAA8EEE} - http://webpdp.gator.com/4/download/pdpplugin_5094_bundle7v1p10.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    Thanks for any help offered.
     
  2. Bigfysh (Thread Starter)
    So like I posted this and before I could even see it at the top of the list it was already 4 or 5 messages down. So this is my feeble attempt to keep it near the top.
     
  3. e-liam
    Hi Bigfysh,

    I'm looking through it at the moment, but my PC just kicked me out, give me 10 minutes and I'll let you know.. :)

    Cheers

    Liam
     
  4. e-liam
    Hi Bigfysh,

    Could you please close all browser windows, check to fix the following entries, then click Fix.

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.ewebsearch.net/sp.htm

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.ewebsearch.net/sp.htm

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.ewebsearch.net/sp.htm

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    O4 - HKLM\..\Run: [aseye] C:\windows\system\aseye.exe

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKCU\..\Run: [Cepa] C:\Documents and Settings\Josh\Application Data\rclw.exe

    O4 - HKCU\..\Run: [ContentService] C:\WINDOWS\System32\winservn.exe

    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

    O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Loader Class) - http://connect.online-dialer.com/MaConnect.cab

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/05a50abe73417d...ip/RdxIE601.cab

    O16 - DPF: {B843DA96-2B2D-447E-90AB-B92929AA11AF} (HTMLDialer Class) - http://usa-download.nocreditcard.co...TMLDialerXP.cab

    O16 - DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} (ACNPlayer2 Class) - http://204.118.132.145/2_0/ACNePlayer.cab

    O16 - DPF: {C7B05B62-C8D7-438C-840B-4994DAAA8EEE} - http://webpdp.gator.com/4/download/...undle7v1p10.cab


    Then could you go to Start | Settings | Control Panel | Add/Remove Programs and find and remove..

    Gator (This may well be listed as Gain).

    Then if you could find and delete the following bolded files/folders...

    C:\WINDOWS\System32\winservn.exe

    C:\WINDOWS\System32\aseye.exe


    Then if you could reboot... again :) and download Spybot - Search & Destroy, from www.tomcoyote.org/spybot : if you haven't already got the program.

    Now press Settings, and Settings again.
    Go to the Webupdate section, and check "Display also available beta versions".

    Now press Online, and search for, put a check mark at, and install all updates.

    Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all it finds marked RED.
    Then post a new log, for a final once over..

    Cheers

    Liam
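The fix list above is the helper's manual triage of the log: hijacked search pages, Run/RunServices entries for files with no fixed location or in odd places, and ActiveX (O16 DPF) controls pulled from dialer sites and raw IP addresses. As an added example, not code from the thread or from HijackThis itself, the Python script below parses HijackThis-style log lines and applies those same heuristics mechanically. The sample lines are copied from the posted log; the allow-lists of trusted search and download hosts, the heuristic rules and their wording are assumptions made for this example, not anything HijackThis ships.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis lines posted in the thread,
# mixing entries the helper left alone with entries he asked to have fixed.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.ewebsearch.net/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [winmgt32] winmgt.exe
O4 - HKLM\..\RunServices: [winmgt32] winmgt.exe
O4 - HKCU\..\Run: [Cepa] C:\Documents and Settings\Josh\Application Data\rclw.exe
O4 - HKCU\..\Run: [ContentService] C:\WINDOWS\System32\winservn.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/05a50abe73417d1ce414/netzip/RdxIE601.cab
O16 - DPF: {B843DA96-2B2D-447E-90AB-B92929AA11AF} (HTMLDialer Class) - http://usa-download.nocreditcard.com/download/Object/DialerHTML/EGHTMLDialerXP.cab
""".strip()

# Allow-lists are assumptions for this example; real triage keeps them much
# longer and tuned to the software actually installed on the machine.
TRUSTED_SEARCH_HOSTS = {"www.ask.com", "www.google.com", "www.msn.com", "search.msn.com"}
TRUSTED_DPF_HOSTS = {"www.apple.com", "download.macromedia.com",
                     "v4.windowsupdate.microsoft.com"}

LINE_RE = re.compile(r"^(?P<kind>[RFNO]\d+)\s+-\s+(?P<body>.+)$")
EXE_RE = re.compile(r'"?([^"]*?\.(?:exe|dll|cpl|scr|com))\b', re.I)
USER_DATA_RE = re.compile(
    r"\\Documents and Settings\\[^\\]+\\(Application Data|Local Settings)\\", re.I)


def parse_log(text):
    """Return (kind, body, raw) tuples for every HijackThis item line."""
    items = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            items.append((m.group("kind"), m.group("body"), raw.strip()))
    return items


def host_of(url):
    """Hostname of a URL; HijackThis prints some values without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_ip_literal(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def o4_target(body):
    """Extract the executable from an O4 body such as 'HKLM\\..\\Run: [name] "C:\\x.exe" -flag'."""
    after = body.split("] ", 1)[1] if "] " in body else body
    m = EXE_RE.search(after)
    return m.group(1) if m else after


def reasons_for(kind, body):
    """Heuristic reasons (assumed for this example) why a line deserves a look."""
    reasons = []
    if kind in ("R0", "R1"):
        value = body.split(" = ", 1)[1] if " = " in body else ""
        if value and host_of(value) not in TRUSTED_SEARCH_HOSTS:
            reasons.append("IE search/start page points at a host outside the allow-list")
    elif kind == "O4":
        target = o4_target(body)
        if "\\" not in target:
            reasons.append("bare filename in a Run key: located by PATH search, no fixed location")
        if USER_DATA_RE.search(target):
            reasons.append("autorun of an executable dropped in the user's profile data directory")
        if body.upper().startswith("HKCU") and "\\SYSTEM32\\" in target.upper():
            reasons.append("per-user autorun of a System32 binary (system components normally register under HKLM)")
    elif kind == "O16":
        url = body.rsplit(" - ", 1)[1] if " - " in body else ""
        host = host_of(url)
        if is_ip_literal(host):
            reasons.append("ActiveX control served from a raw IP address")
        elif host not in TRUSTED_DPF_HOSTS:
            reasons.append("ActiveX control from host outside the allow-list: " + host)
    return reasons


def triage(text):
    """Map each flagged log line to the heuristic reasons it tripped."""
    flagged = {}
    for kind, body, raw in parse_log(text):
        reasons = reasons_for(kind, body)
        if reasons:
            flagged[raw] = reasons
    return flagged


if __name__ == "__main__":
    for line, why in triage(SAMPLE_LOG).items():
        print(line)
        for w in why:
            print("    ->", w)
```

On the sample, the script flags the ewebsearch.net search page, both winmgt.exe entries, rclw.exe, winservn.exe and the two dialer/IP-hosted controls, and leaves the RealPlayer scheduler, ask.com and Apple's QuickTime control alone. Heuristics like these only narrow the list; the call on what is actually unwanted still comes from knowing the machine, as the back-and-forth about Blurty.exe later in the thread shows.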
     
  5. Flrman1
    Hey guys!

    This one has me stumped:

    O4 - Startup: Blurty.lnk = C:\Program Files\Blurty\Blurty.exe

    Did you find anything on this one e-liam?

    Do you know what it is Bigfysh?
     
  6. e-liam
    Hi flrman1,

    As far as I could see, it's a program whereby you can upload to your own grownup :) online journal. Looked harmless enough. Stick 3 ws and a com on it, for a look. Hope you don't blush easily. :D hence no direct link.. :eek:

    Cheers

    Liam
     
  7. Bigfysh (Thread Starter)
    Yes, it is the startup for a web journal. And I've had it for a while, so I don't expect that it would be causing me any problems.
     
  8. Flrman1
  9. Bigfysh (Thread Starter)
    I went and searched for this one:

    C:\WINDOWS\System32\winservn.exe

    And the computer won't let me delete it. So that is a pain in the butt. It says that it is write protected or something. So any suggestions?
     
  10. e-liam
    Morning Bigfysh,

    Delete it in safe mode.

    Go here for information on how to do this.

    Then boot back into normal mode afterwards.

    Cheers

    Liam
     
Short URL to this thread: https://techguy.org/165694