Tech Support Guy banner
  • IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation. Notice
Status
Not open for further replies.

hijack log file

807 views 1 reply 2 participants last post by  MFDnNC 
#1 ·
My computer does not shut down after I go onto the internet.

Logfile of HijackThis v1.99.0
Scan saved at 6:15:53 PM, on 2/3/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\EASY INTERNET\ENCMONTR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WEBSCANX.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\USBMMKBD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\GAME CONTROLLERS\COMMON\SWTRAYV4.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\DELFIN\PROMULGATE\PGMONITR.EXE
C:\PROGRAM FILES\DOWNLOADWARE\DW.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\SAVE\SAVE.EXE
C:\WINDOWS\KAZAA.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\WINDOWS SYNCROAD\SYNCROAD.EXE
C:\TEMP\MSBB.EXE
C:\WINDOWS\SDEFGBKT.EXE
C:\PROGRAM FILES\WINDOWS SYNCROAD\WINSYNC.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\BACKWEB\BACKWEB\PROGRAM\BACKWEB.EXE
C:\COMPUSERVE 2000\CSTRAY.EXE
C:\LOTUS\ORGANIZE\EASYCLIP.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\GAME CONTROLLERS\SWTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SE\V11\SE.EXE
C:\PROGRAM FILES\BACKWEB\BACKWEB\PROGRAM\FREXT.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-search.cgi?tcode=exebar1&look=sbar1_srchbtn
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchwww.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/p/hp/?http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-search.cgi?tcode=exebar1&look=sbar1_srchbtn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/p/hp/?http://hp.my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R3 - URLSearchHook: WebSearch Class - {9368D063-44BE-49B9-BD14-BB9663FD38FC} - C:\PROGRAM FILES\SE\V11\SE.DLL
O1 - Hosts: 65.120.116.172 mini.aimster.com
O1 - Hosts: 65.120.116.173 lite.aimster.com
O1 - Hosts: 65.120.116.174 www.aimster.com
O2 - BHO: YBIOCtrl Class - {004A5840-FF59-11d2-B50D-0090271D3FD4} - (no file)
O2 - BHO: MediaLoads Enhanced - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\PROGRAM FILES\MEDIALOADS ENHANCED\ME1.DLL
O2 - BHO: WebBho Class - {00041A26-7033-432C-94C7-6371DE343822} - C:\PROGRAM FILES\SE\V11\SE.DLL
O2 - BHO: Recommended Hotfix - {0421701D-CF13-4E70-ADF0-45A953E7CB8B} - C:\PROGRAM FILES\RECOMMENDED HOTFIX - 421701D\V15\RH.DLL
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\DirectCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [USBMMKBD] usbmmkbd.exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
O4 - HKLM\..\Run: [VsecomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSEcomR.EXE
O4 - HKLM\..\Run: [VsStatEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~4\GAMECO~1\COMMON\SWTRAYV4.EXE
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [PromulGate] "C:\Program Files\DelFin\PromulGate\PgMonitr.exe"
O4 - HKLM\..\Run: [MediaLoads Installer] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\SAVE\Save.exe
O4 - HKLM\..\Run: [KAZAA] C:\WINDOWS\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [Search-Exe] "C:\PROGRAM FILES\SE\V11\SE.EXE" /H
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [Windows SyncroAd] C:\PROGRAM FILES\WINDOWS SYNCROAD\SYNCROAD.EXE
O4 - HKLM\..\Run: [msbb] c:\temp\msbb.exe
O4 - HKLM\..\Run: [sdefgbkt] C:\WINDOWS\sdefgbkt.exe
O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Encompass_ENCMONTR] C:\Program Files\Easy Internet\ENCMONTR.EXE
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: HP Internet Center.lnk = C:\HP Internet\Surfboard\Surfbrd.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Updates from HP.lnk = C:\Program Files\BackWeb\BackWeb\Program\backweb.exe
O4 - Startup: CompuServe 2000 Tray Icon.lnk = C:\CompuServe 2000\cstray.exe
O4 - Startup: Lotus Organizer EasyClip.lnk = C:\lotus\organize\easyclip.exe
O4 - Startup: SwTray.lnk = C:\Program Files\Microsoft Hardware\Game Controllers\SWTRAY.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://objects.compuserve.com/chat/RTCChat.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...c4c1b056f368:c05c8ac2b23f939ff11a0351cafa03db
 
See less See more
#2 ·
SpywareBlaster http://www.javacoolsoftware.com/spywareblaster.html
AdAware SE http://www.majorgeeks.com/download506.html
SpyBot S&D 1.3 http://www.safer-networking.org/en/download/

DL them (they are free), install them, check each for their
definition updates
and then run AdAware and Spybot, fixing anything
they say.

In SpywareBlaster - Always enable all protection after updates
SpyBot - After an update run immunize

Do these and reboot before the next step.

Download but don’t run CWShredder http://www.intermute.com/spysubtract/cwshredder_download.html and new.net http://www.newdotnet.com/removal.html and Download the Hoster from here:
http://members.aol.com/toadbee/hoster.zip

Print this and boot to safe mode

Boot to safe mode

Open cwshredder.exe then click "Fix" and let it run.
Run the new.net removal tools
Run Hoster and press Restore Original Hosts, OK, and Exit Program.

Fix these with HJT if still there

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-se...k=sbar1_srchbtn

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.search-exe.com/nph-se...look=stmpl1&fw=

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchwww.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/p/hp/?http://www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.search-exe.com/nph-se...look=stmpl1&fw=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-se...k=sbar1_srchbtn

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.search-exe.com/nph-se...look=stmpl1&fw=

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/p/hp/?http://hp.my.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-se...look=stmpl1&fw=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-se...look=stmpl1&fw=

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-se...look=stmpl1&fw=

R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-se...look=stmpl1&fw=

R3 - URLSearchHook: WebSearch Class - {9368D063-44BE-49B9-BD14-BB9663FD38FC} - C:\PROGRAM FILES\SE\V11\SE.DLL

O1 - Hosts: 65.120.116.172 mini.aimster.com
O1 - Hosts: 65.120.116.173 lite.aimster.com
O1 - Hosts: 65.120.116.174 www.aimster.com

O2 - BHO: YBIOCtrl Class - {004A5840-FF59-11d2-B50D-0090271D3FD4} - (no file)

O2 - BHO: MediaLoads Enhanced - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\PROGRAM FILES\MEDIALOADS ENHANCED\ME1.DLL

O2 - BHO: WebBho Class - {00041A26-7033-432C-94C7-6371DE343822} - C:\PROGRAM FILES\SE\V11\SE.DLL

O2 - BHO: Recommended Hotfix - {0421701D-CF13-4E70-ADF0-45A953E7CB8B} - C:\PROGRAM FILES\RECOMMENDED HOTFIX - 421701D\V15\RH.DLL

O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll

O4 - HKLM\..\Run: [PromulGate] "C:\Program Files\DelFin\PromulGate\PgMonitr.exe"

O4 - HKLM\..\Run: [MediaLoads Installer] "C:\Program Files\DownloadWare\dw.exe" /H

O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\SAVE\Save.exe

O4 - HKLM\..\Run: [KAZAA] C:\WINDOWS\kazaa.exe /SYSTRAY

O4 - HKLM\..\Run: [Search-Exe] "C:\PROGRAM FILES\SE\V11\SE.EXE" /H

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s

O4 - HKLM\..\Run: [Windows SyncroAd] C:\PROGRAM FILES\WINDOWS SYNCROAD\SYNCROAD.EXE

O4 - HKLM\..\Run: [msbb] c:\temp\msbb.exe

O4 - HKLM\..\Run: [sdefgbkt] C:\WINDOWS\sdefgbkt.exe

O4 - HKLM\..\RunServices: [Encompass_ENCMONTR] C:\Program Files\Easy Internet\ENCMONTR.EXE

O4 - Startup: Updates from HP.lnk = C:\Program Files\BackWeb\BackWeb\Program\backweb.exe

O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...a0 351cafa03db

View Hidden Files
Open Windows Explorer. Go to Tools, Folder Options and click on the View tab.
Make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files".
Now click "Apply to all folders", Click "Apply" then "OK"

Delete these files
C:\WINDOWS\sdefgbkt.exe
c:\temp ç===== all files in this folder
C:\WINDOWS\kazaa.exe

Delete these folders

C:\Program Files\BackWeb
C:\PROGRAM FILES\WINDOWS SYNCROAD
C:\PROGRAM FILES\NEWDOTNET
C:\PROGRAM FILES\SE
C:\PROGRAM FILES\SAVE
C:\Program Files\DelFin
C:\PROGRAM FILES\RECOMMENDED HOTFIX - 421701D
C:\PROGRAM FILES\MEDIALOADS ENHANCED

START – RUN – key in %temp% - Edit – Select all – File – Delete
Empty the recycle bin
Boot and post a new log
 
Status
Not open for further replies.
You have insufficient privileges to reply here.
Top