Bigfysh's hijack this list

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Bigfysh

Thread Starter
Joined
May 17, 2003
Messages
152
Here goes nothing

Logfile of HijackThis v1.97.2
Scan saved at 11:52:25 AM, on 9/18/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\NT40\KMaestro\KMaestro.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\X3watch\x3watch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\Winampa.exe
C:\WINDOWS\System32\winmgt.exe
C:\Program Files\NoAds\NoAds.exe
C:\Documents and Settings\Josh\Application Data\rclw.exe
C:\WINDOWS\System32\winservn.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Blurty\Blurty.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\NT40\KMaestro\WTS_KEY.EXE
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\System32\wisptis.exe
C:\Program Files\Kazaa Lite K++\KazaaLite.kpp
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Josh\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.ewebsearch.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.ewebsearch.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.ewebsearch.net/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [KeyMaestro] C:\NT40\KMaestro\KMaestro.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [LWBMOUSE] D:\WINDOWS\lwbwheel.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [x3watch] C:\Program Files\X3watch\x3watch.exe
O4 - HKLM\..\Run: [aseye] C:\windows\system\aseye.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [winmgt32] winmgt.exe
O4 - HKLM\..\RunServices: [winmgt32] winmgt.exe
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [Cepa] C:\Documents and Settings\Josh\Application Data\rclw.exe
O4 - HKCU\..\Run: [ContentService] C:\WINDOWS\System32\winservn.exe
O4 - Startup: Blurty.lnk = C:\Program Files\Blurty\Blurty.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Loader Class) - http://connect.online-dialer.com/MaConnect.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1DB3B8DD-5801-443F-B2D5-9BF8912B980E} (dmgrax2Ctrl Class) - http://www.lxsystems.com/downloads/Install.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/05a50abe73417d1ce414/netzip/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37867.5707638889
O16 - DPF: {B843DA96-2B2D-447E-90AB-B92929AA11AF} (HTMLDialer Class) - http://usa-download.nocreditcard.com/download/Object/DialerHTML/EGHTMLDialerXP.cab
O16 - DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} (ACNPlayer2 Class) - http://204.118.132.145/2_0/ACNePlayer.cab
O16 - DPF: {C7B05B62-C8D7-438C-840B-4994DAAA8EEE} - http://webpdp.gator.com/4/download/pdpplugin_5094_bundle7v1p10.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Thanks for any help offered.
 

Bigfysh

Thread Starter
Joined
May 17, 2003
Messages
152
So like I posted this and before I could even see it at the top of the list it was already 4 or 5 messages down. So this is my feeble attempt to keep it near the top.
 
Joined
Jun 19, 2003
Messages
1,241
Hi Bigfysh,

I'm looking through it at the moment, but my PC just kicked me out, give me 10 minutes and I'll let you know.. :)

Cheers

Liam
 
Joined
Jun 19, 2003
Messages
1,241
Hi Bigfysh,

Could you please close all browser windows, check to fix the following entries, then click Fix.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.ewebsearch.net/sp.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.ewebsearch.net/sp.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.ewebsearch.net/sp.htm

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [aseye] C:\windows\system\aseye.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [Cepa] C:\Documents and Settings\Josh\Application Data\rclw.exe

O4 - HKCU\..\Run: [ContentService] C:\WINDOWS\System32\winservn.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Loader Class) - http://connect.online-dialer.com/MaConnect.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/05a50abe73417d...ip/RdxIE601.cab

O16 - DPF: {B843DA96-2B2D-447E-90AB-B92929AA11AF} (HTMLDialer Class) - http://usa-download.nocreditcard.co...TMLDialerXP.cab

O16 - DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} (ACNPlayer2 Class) - http://204.118.132.145/2_0/ACNePlayer.cab

O16 - DPF: {C7B05B62-C8D7-438C-840B-4994DAAA8EEE} - http://webpdp.gator.com/4/download/...undle7v1p10.cab


Then could you go to Start | Settings | Control Panel | Add/Remove Programs and find and remove..

Gator (This may well be listed as Gain).

Then if you could find and delete the following bolded files/folders...

C:\WINDOWS\System32\winservn.exe

C:\WINDOWS\System32\aseye.exe


Then if you could reboot... again :) and download Spybot - Search & Destroy, from www.tomcoyote.org/spybot : if you haven't already got the program.

Now press Settings, and Settings again.
Go to the Webupdate section, and check "Display also available beta versions".

Now press Online, and search for, put a check mark at, and install all updates.

Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all it finds marked RED.
Then post a new log, for a final once over..

Cheers

Liam
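As an added example (not code from this thread or from HijackThis itself), a small Python triage script that parses log lines in the HijackThis format above and flags the kinds of entries Liam picked out: R1 search settings redirected somewhere, O4 autoruns running from under the user profile, and O16 ActiveX downloads served from a bare IP address or a dialer host. The sample lines are copied from the log in the first post; the heuristics are my own assumptions, catch only some of what a human reviewer would, and a flagged entry is a review candidate, not a verdict.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Sample input: lines copied verbatim from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.ewebsearch.net/sp.htm
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Cepa] C:\Documents and Settings\Josh\Application Data\rclw.exe
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Loader Class) - http://connect.online-dialer.com/MaConnect.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/05a50abe73417d1ce414/netzip/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB
"""
# Every HijackThis entry starts with a section code (R0, R1, O4, O16...) and " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
# Assumption: legitimate autoruns rarely live in these per-user folders.
USER_PROFILE_DIRS = ("\\application data\\", "\\local settings\\temp\\")

def parse_entry(line):
    # Returns (kind, body) or None for non-entry lines such as "Running processes:".
    m = ENTRY_RE.match(line.strip())
    return (m.group("kind"), m.group("body")) if m else None

def review_reasons(kind, body):
    # Heuristic checks only; an empty list means nothing fired, not that the entry is clean.
    reasons = []
    if kind == "R1":  # IE search settings that differ from the defaults
        value = body.partition(" = ")[2].strip()
        if value:
            reasons.append("IE search setting redirected to " + value)
    elif kind == "O4" and any(d in body.lower() for d in USER_PROFILE_DIRS):
        reasons.append("autorun executable lives under the user profile")
    elif kind == "O16":  # ActiveX controls (DPF) the browser was told to download
        url = body.rsplit(" - ", 1)[-1].strip()
        host = urlparse(url).hostname or ""
        try:
            ip_address(host)
            reasons.append("ActiveX control served from a bare IP address")
        except ValueError:
            pass
        if "dialer" in body.lower():
            reasons.append("control named or hosted as a dialer")
    return reasons

def triage(log_text):
    # Returns (kind, body, reasons) for every entry at least one heuristic flags.
    findings = []
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        reasons = review_reasons(*parsed) if parsed else []
        if reasons:
            findings.append((*parsed, reasons))
    return findings
```

Running triage on the full log would still leave entries such as aseye.exe and winservn.exe unflagged, which is why the script is a first pass and not a replacement for the line-by-line review done in this thread.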
 
Joined
Jul 26, 2002
Messages
46,331
Hey guys!

This one has me stumped;

O4 - Startup: Blurty.lnk = C:\Program Files\Blurty\Blurty.exe

Did you find anything on this one e-liam?

Do you know what it is Bigfysh?
 
Joined
Jun 19, 2003
Messages
1,241
Hi flrman1,

As far as I could see, it's a program whereby you can upload to your own grownup :) online journal. Looked harmless enough. Stick 3 ws and a com on it, for a look. Hope you don't blush easily. :D hence no direct link.. :eek:

Cheers

Liam
 

Bigfysh

Thread Starter
Joined
May 17, 2003
Messages
152
Yes, it is the start up for a Web Journal. And I've had it for a while so I don't expect that it would be causing me any problems.
 

Bigfysh

Thread Starter
Joined
May 17, 2003
Messages
152
I went and searched for this one:

C:\WINDOWS\System32\winservn.exe

And the computer won't let me delete it. So that is a pain in the butt. It says that it is write protected or something. So any suggestions?
 
Joined
Jun 19, 2003
Messages
1,241
Morning Bigfysh,

Delete it in safe mode.

Go here for information on how to do this.

Then boot back into normal mode afterwards.

Cheers

Liam
 