1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

can someone plz hijack this

Discussion in 'Virus & Other Malware Removal' started by weaponsx, Jul 1, 2004.

Thread Status:
Not open for further replies.
  1. weaponsx

    weaponsx Thread Starter

    Joined:
    Feb 12, 2004
    Messages:
    100
    Logfile of HijackThis v1.97.7
    Scan saved at 9:01:18 AM, on 7/1/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\mfcwu32.exe
    C:\WINDOWS\system32\addtw32.exe
    C:\WINDOWS\System32\wonxuh.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Documents and Settings\Weaponsx\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jipdb.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://jipdb.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://jipdb.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jipdb.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://jipdb.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\jipdb.dll/sp.html#96676
    O2 - BHO: (no name) - {6E0B6255-FB2C-DFA1-E742-F2910FA50150} - C:\WINDOWS\crou.dll
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [addtw32.exe] C:\WINDOWS\system32\addtw32.exe
    O4 - HKLM\..\Run: [siglgzucgv] C:\WINDOWS\System32\wonxuh.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
    O4 - HKLM\..\RunOnce: [apitg32.exe] C:\WINDOWS\apitg32.exe
    O4 - HKLM\..\RunOnce: [ntnc.exe] C:\WINDOWS\ntnc.exe
    O4 - HKLM\..\RunOnce: [mfcwu32.exe] C:\WINDOWS\mfcwu32.exe
    O4 - HKLM\..\RunOnce: [apilx.exe] C:\WINDOWS\apilx.exe
    O4 - HKLM\..\RunOnce: [ntma.exe] C:\WINDOWS\system32\ntma.exe
    O4 - HKLM\..\RunOnce: [atlpl32.exe] C:\WINDOWS\system32\atlpl32.exe
    O4 - HKLM\..\RunOnce: [d3xp32.exe] C:\WINDOWS\d3xp32.exe
    O4 - HKLM\..\RunOnce: [d3qu32.exe] C:\WINDOWS\d3qu32.exe
    O4 - HKLM\..\RunOnce: [ntna.exe] C:\WINDOWS\system32\ntna.exe
    O4 - HKLM\..\RunOnce: [sdkrb.exe] C:\WINDOWS\sdkrb.exe
    O4 - HKLM\..\RunOnce: [atlwv.exe] C:\WINDOWS\atlwv.exe
    O4 - HKLM\..\RunOnce: [msvz32.exe] C:\WINDOWS\msvz32.exe
    O4 - HKLM\..\RunOnce: [mstq32.exe] C:\WINDOWS\system32\mstq32.exe
    O4 - HKLM\..\RunOnce: [winbh32.exe] C:\WINDOWS\winbh32.exe
    O4 - HKLM\..\RunOnce: [d3go.exe] C:\WINDOWS\d3go.exe
    O4 - HKLM\..\RunOnce: [apinb32.exe] C:\WINDOWS\system32\apinb32.exe
    O4 - HKLM\..\RunOnce: [appov.exe] C:\WINDOWS\system32\appov.exe
    O4 - HKLM\..\RunOnce: [crao.exe] C:\WINDOWS\crao.exe
    O4 - HKLM\..\RunOnce: [sdkts32.exe] C:\WINDOWS\sdkts32.exe
    O4 - HKLM\..\RunOnce: [addan.exe] C:\WINDOWS\addan.exe
    O4 - HKLM\..\RunOnce: [appfi32.exe] C:\WINDOWS\system32\appfi32.exe
    O4 - HKLM\..\RunOnce: [d3ke32.exe] C:\WINDOWS\d3ke32.exe
    O4 - HKLM\..\RunOnce: [atlcy32.exe] C:\WINDOWS\atlcy32.exe
    O4 - HKLM\..\RunOnce: [d3zl.exe] C:\WINDOWS\d3zl.exe
    O4 - HKLM\..\RunOnce: [appzn.exe] C:\WINDOWS\appzn.exe
    O4 - HKLM\..\RunOnce: [addpe.exe] C:\WINDOWS\system32\addpe.exe
    O4 - HKLM\..\RunOnce: [msgl32.exe] C:\WINDOWS\system32\msgl32.exe
    O4 - HKLM\..\RunOnce: [msgn32.exe] C:\WINDOWS\system32\msgn32.exe
    O4 - HKLM\..\RunOnce: [mfcbw.exe] C:\WINDOWS\system32\mfcbw.exe
    O4 - HKLM\..\RunOnce: [atlvm32.exe] C:\WINDOWS\system32\atlvm32.exe
    O4 - HKLM\..\RunOnce: [javawf32.exe] C:\WINDOWS\javawf32.exe
    O4 - HKLM\..\RunOnce: [ipzr.exe] C:\WINDOWS\system32\ipzr.exe
    O4 - HKLM\..\RunOnce: [appne32.exe] C:\WINDOWS\appne32.exe
    O4 - HKLM\..\RunOnce: [cryk32.exe] C:\WINDOWS\cryk32.exe
    O4 - HKLM\..\RunOnce: [sysxf.exe] C:\WINDOWS\sysxf.exe
    O4 - HKLM\..\RunOnce: [atlxw.exe] C:\WINDOWS\system32\atlxw.exe
    O4 - HKLM\..\RunOnce: [ntcy.exe] C:\WINDOWS\system32\ntcy.exe
    O4 - HKLM\..\RunOnce: [winvc.exe] C:\WINDOWS\winvc.exe
    O4 - HKLM\..\RunOnce: [crpl.exe] C:\WINDOWS\crpl.exe
    O4 - HKLM\..\RunOnce: [winlq32.exe] C:\WINDOWS\system32\winlq32.exe
    O4 - HKLM\..\RunOnce: [javama.exe] C:\WINDOWS\javama.exe
    O4 - HKLM\..\RunOnce: [mfcnr.exe] C:\WINDOWS\system32\mfcnr.exe
    O4 - HKLM\..\RunOnce: [msuv32.exe] C:\WINDOWS\msuv32.exe
    O4 - HKLM\..\RunOnce: [neths32.exe] C:\WINDOWS\system32\neths32.exe
    O4 - HKLM\..\RunOnce: [msez32.exe] C:\WINDOWS\system32\msez32.exe
    O4 - HKLM\..\RunOnce: [netoc.exe] C:\WINDOWS\netoc.exe
    O4 - HKLM\..\RunOnce: [crte.exe] C:\WINDOWS\system32\crte.exe
    O4 - HKLM\..\RunOnce: [javaht32.exe] C:\WINDOWS\system32\javaht32.exe
    O4 - HKLM\..\RunOnce: [cryb32.exe] C:\WINDOWS\system32\cryb32.exe
    O4 - HKLM\..\RunOnce: [winfe32.exe] C:\WINDOWS\winfe32.exe
    O4 - HKLM\..\RunOnce: [sdkoi32.exe] C:\WINDOWS\system32\sdkoi32.exe
    O4 - HKLM\..\RunOnce: [ieyd32.exe] C:\WINDOWS\ieyd32.exe
    O4 - HKLM\..\RunOnce: [ieqf.exe] C:\WINDOWS\ieqf.exe
    O4 - HKLM\..\RunOnce: [javazs32.exe] C:\WINDOWS\javazs32.exe
    O4 - HKLM\..\RunOnce: [sdkmj32.exe] C:\WINDOWS\sdkmj32.exe
    O4 - HKLM\..\RunOnce: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" "+b1"
    O9 - Extra button: ICQ 4.0 (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
     
  2. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Preliminaries: Put HijackThis in a separate, permanent folder (and not directly on the desktop). It will store backups there. Have these instructions printed or in a convenient Notepad (or Wordpad) file so you can view them in Safe Mode. Have "show hidden (or all) files" checked in Folder Options > View in case you have to search for any hidden files to delete. Also ensure you do NOT have "hide file extensions..." enabled in Folder Options > View

    Download and unzip to a convenient location the CoolWebShredder, available here: http://www.computercops.biz/downloads-file-349.html


    1 >> Before restarting, ctrl-alt-del and terminate these processes:

    C:\WINDOWS\mfcwu32.exe
    C:\WINDOWS\system32\addtw32.exe
    C:\WINDOWS\System32\wonxuh.exe

    2 >> restart to Safe Mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

    3 >> In Safe Mode run HijackThis and check and "fix" the following entries:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jipdb.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://jipdb.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://jipdb.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jipdb.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://jipdb.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\jipdb.dll/sp.html#96676
    O2 - BHO: (no name) - {6E0B6255-FB2C-DFA1-E742-F2910FA50150} - C:\WINDOWS\crou.dll

    O4 - HKLM\..\Run: [addtw32.exe] C:\WINDOWS\system32\addtw32.exe
    O4 - HKLM\..\Run: [siglgzucgv] C:\WINDOWS\System32\wonxuh.exe

    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load

    ALL the 04 RunOnce entries !!! (except lavasoft)

    3 >> While still in Safe Mode go to both the Windows and the System32 directory and ensure the bolded files above are deleted.

    4 >> find and right click on some of these files and select Properties and determine their file size. Search the Windows and System32 folders for ALL files with the SAME file size and send them to the recycle bin.

    5 >> run the coolwebshredder, have it "fix" problems and reboot.

    6 >> do an online scan here HouseCall
    , then reboot and post a new Scanlog using this version of HijackThis.

    http://www.computercops.biz/downloads-file-328.html
     
As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/245270

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice