1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Cool Web Search

Discussion in 'Virus & Other Malware Removal' started by luteplayers, Jul 7, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. luteplayers

    luteplayers Thread Starter

    Joined:
    Jul 7, 2004
    Messages:
    41
    I am trying to get a friends computer running right again. There seems to be a persistent hijacker that I can not get rid of. Spybot S&D has been run, Spywareblaster allows me to change the IE homepages but they return to the hijack pages upon rebooting. I have run CWshredder and it finds no CWS instances, but I understand that it is no longer being updated (sniff). Below is the HT log:

    Logfile of HijackThis v1.97.7
    Scan saved at 8:20:09 AM, on 7/7/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Applications\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\ntnz32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\APPLIC~1\NORTON~1\navapw32.exe
    C:\WINDOWS\apixg.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\AWS\WeatherBug\Weather.exe
    C:\PROGRA~1\AIM\aim.exe
    C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
    G:\Hp Printer\Digital Imaging\bin\hpqtra08.exe
    G:\CalCheck.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    G:\downloads\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gpxup.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://gpxup.dll/index.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://gpxup.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gpxup.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://gpxup.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\gpxup.dll/sp.html#37049
    O2 - BHO: (no name) - {150875DE-94E1-E8C9-27DC-1267DD628704} - C:\WINDOWS\apixg.dll
    O4 - HKLM\..\Run: [apixg.exe] C:\WINDOWS\apixg.exe
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = G:\Hp Printer\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Photo Explosion Calendar Checker.lnk = ?
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\APPLIC~1\MICROS~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O9 - Extra button: WeatherBug (HKCU)
    O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} - http://download.sidestep.com/get/k42033/sb026.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37786.6071990741
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    any help would be much appreciated,
    Thanks,
    Jim
     
  2. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    Download FindnFix at the following link and extract it
    (it should autoextract to C:\FindnFix when you double click it)
    http://www3.ns.sympatico.ca/c.bennett03/FINDnFIX.exe

    Go to the C:\FindnFix folder and doubleclick on !LOG!.BAT and let it run.
    It will generate a log.txt file. Copy and paste log.txt back here in your next reply.
     
  3. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    You should start by copy and pasting this response to a text file on your desktop for review..

    Lets start again by bringing up task manager and ent tasking each of these:
    ntnz32.exe
    HPZipm12.exe

    please make sure to have your system set to show hidden files and folders as per http://www.xtra.co.nz/help/0,,4155-1916458,00.html

    Then recan once again with hijack and put a check next to each of the following and close all browser windows and click "fix checked"

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gpxup.dll/sp.html#37049

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://gpxup.dll/index.html#37049

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://gpxup.dll/index.html#37049

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gpxup.dll/sp.html#37049

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://gpxup.dll/index.html#37049

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\gpxup.dll/sp.html#37049

    O2 - BHO: (no name) - {150875DE-94E1-E8C9-27DC-1267DD628704} - C:\WINDOWS\apixg.dll

    O4 - HKLM\..\Run: [apixg.exe] C:\WINDOWS\apixg.exe




    then without rebooting , Download the tool about:Buster created by Rubber Ducky. http://www.downloads.subratam.org/AboutBuster.zip

    Then physically disconnect your internet hookup plug so internet access is discontinued :
    run aboutbuster. Again remain offline. Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.

    Once the tool is done scanning, copy the log and save it to paste back here in your thread.

    Restart your computer and post the report from AboutBuster and a new Hijack this log.
     
  4. luteplayers

    luteplayers Thread Starter

    Joined:
    Jul 7, 2004
    Messages:
    41
    Wow, that was quick, here is the FindNFix log file:


    »»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

    Microsoft Windows XP [Version 5.1.2600]
    »»»IE build and last SP(s)
    6.0.2800.1106 SP1-Q818529-Q330994-Q822925-Q828750-Q824145-Q832894-Q837009-Q831167
    The type of the file system is NTFS.
    C: is not dirty.

    Wed 07/07/2004
    8:37am up 0 days, 0:23

    »»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»»

    Scanning for file(s)...
    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
    »»»»» (*1*) »»»»» .........
    »»Locked or 'Suspect' file(s) found...


    »»»»» (*2*) »»»»»........
    **File C:\FINDnFIX\LIST.TXT

    »»»»» (*3*) »»»»»........

    No matches found.

    unknown/hidden files...

    C:\WINDOWS\SYSTEM32\
    jcrlu.dll Sun Jun 20 2004 3:22:32p A.SH. 71,168 69.50 K
    mfsvm.dll Thu Jul 1 2004 7:22:38p A.SH. 71,168 69.50 K
    oxqci.dll Sat Jun 19 2004 6:09:24p A.SH. 67,584 66.00 K

    3 items found: 3 files, 0 directories.
    Total of file sizes: 209,920 bytes 205.00 K

    »»»»» (*4*) »»»»».........
    Sniffing..........
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\WINDOWS\SYSTEM32\JCRLU.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\MFSVM.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\OXQCI.DLL
    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

    »»Size of Windows key:
    (*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

    Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 398

    »»Dumping Values........
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    DeviceNotSelectedTimeout = 15
    GDIProcessHandleQuota = REG_DWORD 0x00002710
    Spooler = yes
    swapdisk =
    TransmissionRetryTimeout = 90
    USERProcessHandleQuota = REG_DWORD 0x00002710

    »»Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (NI) ALLOW Read BUILTIN\Users
    (IO) ALLOW Read BUILTIN\Users
    (NI) ALLOW Read BUILTIN\Power Users
    (IO) ALLOW Read BUILTIN\Power Users
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access BUILTIN\Administrators
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Read BUILTIN\Power Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM


    »»Member of...: (Admin logon required!)
    User is a member of group BIG-G\None.
    User is a member of group \Everyone.
    User is a member of group BUILTIN\Administrators.
    User is a member of group BUILTIN\Users.
    User is a member of group \LOCAL.
    User is a member of group NT AUTHORITY\INTERACTIVE.
    User is a member of group NT AUTHORITY\Authenticated Users.

    »» Service search:(different variant) '"Network Security Service","__NS_Service_3"...

    [SC] GetServiceKeyName SUCCESS
    Name = __NS_Service_3
    [SC] GetServiceDisplayName SUCCESS
    Name = Network Security Service

    »»Notepad check....

    C:\WINDOWS\
    notepad.exe Thu Aug 23 2001 8:00:00a A.... 66,048 64.50 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 66,048 bytes 64.50 K

    C:\WINDOWS\SYSTEM32\
    notepad.exe Thu Aug 23 2001 8:00:00a A.... 66,048 64.50 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 66,048 bytes 64.50 K

    C:\WINDOWS\SYSTEM32\DLLCACHE\
    notepad.exe Thu Aug 23 2001 8:00:00a A.... 66,048 64.50 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 66,048 bytes 64.50 K
    --a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-23-2001 notepad.exe
    Language 0x0409 (English (United States))
    CharSet 0x04b0 Unicode
    OleSelfRegister Disabled
    CompanyName Microsoft Corporation
    FileDescription Notepad
    InternalName Notepad
    OriginalFilenam NOTEPAD.EXE
    ProductName Microsoft® Windows® Operating System
    ProductVersion 5.1.2600.0
    FileVersion 5.1.2600.0 (xpclient.010817-1148)
    LegalCopyright © Microsoft Corporation. All rights reserved.

    VS_FIXEDFILEINFO:
    Signature: feef04bd
    Struc Ver: 00010000
    FileVer: 00050001:0a280000 (5.1:2600.0)
    ProdVer: 00050001:0a280000 (5.1:2600.0)
    FlagMask: 0000003f
    Flags: 00000000
    OS: 00040004 NT Win32
    FileType: 00000001 App
    SubType: 00000000
    FileDate: 00000000:00000000

    »»Dir 'junkxxx' was created with the following permissions...
    (FAT32=NA)
    Directory "C:\junkxxx"
    Permissions:
    Type Flags Inh. Mask Gen. Std. File Group or User
    ======= ======== ==== ======== ==== ==== ==== ================
    Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 00000000 t--- 001F01FF ---- DSPO rw+x BIG-G\Alice
    Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
    Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
    Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
    Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

    Owner: BIG-G\Alice

    Primary Group: BIG-G\None



    »»»»»»Backups created...»»»»»»
    8:40am up 0 days, 0:25
    Wed 07/07/2004

    A C:\FINDnFIX\winBack.hiv
    --a-- - - - - - 8,192 07-07-2004 winback.hiv
    A C:\FINDnFIX\keys1\winkey.reg
    --a-- - - - - - 268 07-07-2004 winkey.reg

    »»Performing 16bit string scan....
    00001150: ?
    00001190: P E vk UDeviceNo
    000011D0:tSelectedTimeout 1 5 ( W vk ' z
    00001210:GDIProcessHandleQuota" 9 0 ! vk X
    00001250:Spooler2 y e s vk =pswapdisk
    00001290: 8 h vk ( R TransmissionRetryTimeout
    000012D0: vk ' \ USERProcessHandleQuotae 8
    00001310:h E LJ M M ;M r ] [email protected] q9] ] 9]
    00001350: E P E U Y M DA Q . u @ Yv E M AP E U
    00001390:Y M DA M J; r } P ' ; F0 ; M ~( M ] vi }
    000013D0: u P H q u @ qY D P & N0 D F0 D ; u P H
    00001410: q F0 U YY 8 E LJ M M ;M r } u ; ] u N 9]
    00001450: 9] } W E @ q3 Y M B+ * E W @ q |G W @
    00001490: qY3 Y M B+ +E  } P & ; F< ; M ~4
    000014D0:M ] vf } u P H q u @ qY D P % N< D F< D ;
    00001510: u P H q F< U YY 8 E LJ M M ;M r u 9] ] u N
    00001550:

    ---------- WIN.TXT
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710

    Windows
    UDeviceNotSelectedTimeout
    zGDIProcessHandleQuota"
    Spooler2
    =pswapdisk
    TransmissionRetryTimeout
    USERProcessHandleQuotae
    ul9utt
    ;
    **File C:\FINDnFIX\WIN.TXT
    
     
  5. luteplayers

    luteplayers Thread Starter

    Joined:
    Jul 7, 2004
    Messages:
    41
    And here is the about buster log.

    About:Buster Version 1.25
    Removed! : C:\WINDOWS\apini.exe
    Removed! : C:\WINDOWS\apisl32.exe
    Error Removing! : C:\WINDOWS\apixg.dll
    Removed! : C:\WINDOWS\apixg.exe
    Removed! : C:\WINDOWS\atlcd32.dll
    Removed! : C:\WINDOWS\avcmpx.dat
    Removed! : C:\WINDOWS\bagfbn.dat
    Removed! : C:\WINDOWS\byktqd.dat
    Removed! : C:\WINDOWS\cbvpdk.dat
    Removed! : C:\WINDOWS\clqbnu.dat
    Removed! : C:\WINDOWS\cpoia.dat
    Removed! : C:\WINDOWS\crfv32.exe
    Removed! : C:\WINDOWS\diukc.dat
    Removed! : C:\WINDOWS\fygtvs.dat
    Removed! : C:\WINDOWS\gpxup.dat
    Removed! : C:\WINDOWS\gpxup.dll
    Removed! : C:\WINDOWS\gzensn.dat
    Removed! : C:\WINDOWS\hblqsd.dat
    Removed! : C:\WINDOWS\ipzh.exe
    Removed! : C:\WINDOWS\jmwmfk.dat
    Removed! : C:\WINDOWS\kermni.dat
    Removed! : C:\WINDOWS\kmctr.dat
    Removed! : C:\WINDOWS\knsohx.dat
    Removed! : C:\WINDOWS\mbntpl.dat
    Removed! : C:\WINDOWS\mcslk.dat
    Removed! : C:\WINDOWS\mfcqc.exe
    Removed! : C:\WINDOWS\mhkjao.dat
    Removed! : C:\WINDOWS\mjiffh.dat
    Removed! : C:\WINDOWS\mpmpe.dll
    Removed! : C:\WINDOWS\mvveil.dat
    Removed! : C:\WINDOWS\ntuo32.exe
    Removed! : C:\WINDOWS\n_nyfxxs.dat
    Removed! : C:\WINDOWS\ofcix.dat
    Removed! : C:\WINDOWS\omhdfw.dat
    Removed! : C:\WINDOWS\oooav.dat
    Removed! : C:\WINDOWS\qpazzc.dat
    Removed! : C:\WINDOWS\szklqe.dat
    Removed! : C:\WINDOWS\tqcxce.dat
    Removed! : C:\WINDOWS\ucuhdk.dat
    Removed! : C:\WINDOWS\System32\atlbw.exe
    Removed! : C:\WINDOWS\System32\d3xm32.exe
    Removed! : C:\WINDOWS\System32\fwsam.dat
    Removed! : C:\WINDOWS\System32\jcrlu.dll
    Removed! : C:\WINDOWS\System32\lwhvt.dat
    Removed! : C:\WINDOWS\System32\mfsvm.dll
    Removed! : C:\WINDOWS\System32\ndiyk.dat
    Removed! : C:\WINDOWS\System32\ntfu.exe
    Removed! : C:\WINDOWS\System32\ntnz32.exe
    Removed! : C:\WINDOWS\System32\sysdd32.exe
    Removed! : C:\WINDOWS\System32\winle.exe
    Attempted Clean Of Temp folder.
    Removed LEGACY___NS_Service_3 Key
    Removed __NS_Service_3 Key
    Removed Uninstall Key (HSA)
    Removed Uninstall Key (SE)
    Removed Uninstall Key (SW)
    Pages Reset... Done!
     
  6. luteplayers

    luteplayers Thread Starter

    Joined:
    Jul 7, 2004
    Messages:
    41
    and finally the new HT Log

    Logfile of HijackThis v1.97.7
    Scan saved at 8:57:41 AM, on 7/7/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Applications\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\APPLIC~1\NORTON~1\navapw32.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\AWS\WeatherBug\Weather.exe
    C:\PROGRA~1\AIM\aim.exe
    G:\Hp Printer\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
    G:\CalCheck.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    G:\downloads\HijackThis.exe

    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = G:\Hp Printer\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Photo Explosion Calendar Checker.lnk = ?
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\APPLIC~1\MICROS~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O9 - Extra button: WeatherBug (HKCU)
    O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} - http://download.sidestep.com/get/k42033/sb026.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37786.6071990741
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  7. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    Thats clean so now reset your homepage then..
     
  8. luteplayers

    luteplayers Thread Starter

    Joined:
    Jul 7, 2004
    Messages:
    41
    Thanks Mobo, I will put those programs on a CD, amazing how many friends I have with hijack problems. I am posting the final HT log, I had put some items on the ignore list when I started. Not 100% sure they were innocent, so here it is.

    Logfile of HijackThis v1.97.7
    Scan saved at 9:01:40 AM, on 7/7/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Applications\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\APPLIC~1\NORTON~1\navapw32.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\AWS\WeatherBug\Weather.exe
    C:\PROGRA~1\AIM\aim.exe
    G:\Hp Printer\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
    G:\CalCheck.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    G:\downloads\HijackThis.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\HP\hpcoretech\comp\hpdarc.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Applications\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Applications\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\APPLIC~1\NORTON~1\navapw32.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = G:\Hp Printer\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Photo Explosion Calendar Checker.lnk = ?
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\APPLIC~1\MICROS~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O9 - Extra button: WeatherBug (HKCU)
    O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} - http://download.sidestep.com/get/k42033/sb026.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37786.6071990741
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  9. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    Thats clean ;)
     
  10. luteplayers

    luteplayers Thread Starter

    Joined:
    Jul 7, 2004
    Messages:
    41
    Thanks a Billion, I will be making a donation when I get back home. This is the best site I have ever visited for help.
     
  11. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    Your welcome and much appreciated..
     
  12. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/247430

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice