
Hijack this log (please help)

Discussion in 'Virus & Other Malware Removal' started by Live2die, Jan 29, 2005.

Thread Status:
Not open for further replies.
  1. Live2die

    Live2die Thread Starter

    Joined:
    Oct 13, 2004
    Messages:
    33
    Hey guys, sorry about this, but I'm in need of a lot of help. Recently (about 2 or 3 weeks ago) I started experiencing 100s of pop-ups on my PC. They are all the same ones that appear and on average come around every few minutes; even when I'm not connected to the internet they still try to appear. Basically it's driving me insane; I've tried every single antivirus known. Then I was told about HijackThis and heard it's what I need.

    If anyone can help with this I will be grateful. Sorry about this, and thank you.

    Here is my HijackThis log:

    Logfile of HijackThis v1.99.0
    Scan saved at 09:50:39, on 29/01/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\Program Files\Messenger Plus! 3\MsgPlus.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\rwozslc.exe
    C:\WINDOWS\System32\gsicon.exe
    C:\Program Files\Ooeb\Bgja.exe
    C:\WINDOWS\System32\dslagent.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\shch.exe
    C:\WINDOWS\msnmsgq.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AOL 9.0a\aoltray.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    c:\progra~1\intern~1\iexplore.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\AOL 9.0a\waol.exe
    C:\Program Files\AOL 9.0a\shellmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\AOL\aoltpspd.exe
    C:\Documents and Settings\Sarah\My Documents\My Received Files\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.mfmvzmoccz.com/av6_UiUWqz7PA8jlIhOqn/jrfa5AFBtF_xoQdDr4Ehhy4/uKzv3CQy83BrJv5Lf1.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euwuiufzqznn.org/av6_UiUWqz5QA057fsVM0BqsCnuXzkjLI5kHtPZmWFQ.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [MsnMsgr] C:\WINDOWS\System32\MsnMsgr.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [winupdt] RUNDLL32.EXE c:\windows\wrztwain.dll,_mainRD
    O4 - HKLM\..\Run: [w7Fh3tX] atidstr.exe
    O4 - HKLM\..\Run: [rstool] C:\WINDOWS\System32\rstool.exe
    O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [olkgkzjavwmy] C:\WINDOWS\System32\rwozslc.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [] C:\WINDOWS\System32\.exe
    O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
    O4 - HKLM\..\Run: [Foohyqh] C:\Program Files\Ooeb\Bgja.exe
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [Cakeacidflapchin] C:\Documents and Settings\All Users\Application Data\Objstartcakeacid\managerlove.exe
    O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
    O4 - HKLM\..\Run: [5mXvLgt] C:\documents and settings\sarah\local settings\temp\5mXvLgt.exe
    O4 - HKLM\..\Run: [WinAmpAgent] C:\WINDOWS\shch.exe /i
    O4 - HKLM\..\Run: [msnmsgq32] C:\WINDOWS\msnmsgq.exe
    O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvvlo32.exe
    O4 - HKLM\..\RunServices: [SystemSAS] system32.exe
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [POPTIME] C:\DOCUME~1\Sarah\APPLIC~1\LINKLI~1\Extra 2.exe
    O4 - HKCU\..\Run: [hwwnRjb7W] amsprop2.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0a\aoltray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
    O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
    O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
    O16 - DPF: {11111111-1111-1111-1111-511111193457} - file://c:\x.cab
    O16 - DPF: {11111111-1111-1111-1111-511111193458} - file://c:\x.cab
    O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/bestfriends/retro64_loader.dll
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{23F5C78A-BCD2-47CA-AE84-5906E993D6EF}: NameServer = 195.93.48.134
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A4838E2C-93EC-498C-8C02-53245DFEF345}: NameServer = 152.163.0.26 205.188.64.153
    O17 - HKLM\System\CS1\Services\Tcpip\..\{23F5C78A-BCD2-47CA-AE84-5906E993D6EF}: NameServer = 195.93.48.134
    O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - (no file)
    O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    Thanks a lot :D
     
  2. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    In addition to what is directed below, you will need to have unzipped and available:

    lspfix: http://www.cexx.org/lspfix.htm

    Hoster: http://members.aol.com/toadbee/hoster.zip

    >> Start by running lspfix.exe and move all instances of winlspak.dll into the "Remove" window, then select "I know what I am doing" and then "Finish".

    Have these instructions printed or in a convenient Notepad (or Wordpad) file so you can view them in Safe Mode. Have "show hidden (or all) files" checked in Folder Options > View in case you have to search for any hidden files to delete. Also ensure you do NOT have "hide file extensions..." enabled in Folder Options > View.

    If HijackThis has not been downloaded or copied to a permanent folder, move it there before beginning.

    Download and unzip to a convenient location the CoolWebShredder, CWShredder.exe available here: http://www.intermute.com/spysubtract/cwshredder_download.html

    Then:

    1 >> Restart in Safe Mode. Instructions here if you need them: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

    2 >> In Safe Mode run the CoolWebShredder and have it "fix" detected problems. Then run HijackThis and check and "fix" the following entries:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.mfmvzmoccz.com/av6_UiUWq...83BrJv5Lf1.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euwuiufzqznn.org/av6_UiU...I5kHtPZmWFQ.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch

    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"

    ^^ remove from Add/Remove Programs, but do not reboot until the rest of these instructions are complete.

    O4 - HKLM\..\Run: [winupdt] RUNDLL32.EXE c:\windows\wrztwain.dll,_mainRD
    O4 - HKLM\..\Run: [w7Fh3tX] atidstr.exe
    O4 - HKLM\..\Run: [rstool] C:\WINDOWS\System32\rstool.exe
    O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe

    O4 - HKLM\..\Run: [olkgkzjavwmy] C:\WINDOWS\System32\rwozslc.exe

    O4 - HKLM\..\Run: [] C:\WINDOWS\System32\.exe

    O4 - HKLM\..\Run: [Foohyqh] C:\Program Files\Ooeb\Bgja.exe

    ^^ delete the "Ooeb" folder in c:\Program Files while still in Safe Mode

    O4 - HKLM\..\Run: [Cakeacidflapchin] C:\Documents and Settings\All Users\Application Data\Objstartcakeacid\managerlove.exe

    ^^ manually delete the "Objstartcakeacid" folder while still in Safe Mode

    O4 - HKLM\..\Run: [5mXvLgt] C:\documents and settings\sarah\local settings\temp\5mXvLgt.exe
    O4 - HKLM\..\Run: [WinAmpAgent] C:\WINDOWS\shch.exe /i
    O4 - HKLM\..\Run: [msnmsgq32] C:\WINDOWS\msnmsgq.exe
    O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvvlo32.exe
    O4 - HKLM\..\RunServices: [SystemSAS] system32.exe
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart

    O4 - HKCU\..\Run: [POPTIME] C:\DOCUME~1\Sarah\APPLIC~1\LINKLI~1\Extra 2.exe
    O4 - HKCU\..\Run: [hwwnRjb7W] amsprop2.exe

    O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
    O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
    O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
    O16 - DPF: {11111111-1111-1111-1111-511111193457} - file://c:\x.cab
    O16 - DPF: {11111111-1111-1111-1111-511111193458} - file://c:\x.cab

    O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - (no file)

    3 >> Go to Start > Run and enter cmd and a command shell will open. At the prompt carefully type and enter each line:

    del C:\WINDOWS\System32\rwozslc.exe
    del C:\WINDOWS\shch.exe
    del C:\WINDOWS\msnmsgq.exe
    del C:\windows\system32\kalvvlo32.exe
    del c:\windows\wrztwain.dll
    del C:\WINDOWS\System32\rstool.exe
    Manually search for the following files:

    system32.exe

    wmplayer.exe >> delete any instance of this that is NOT in the Windows Media Player Program Files folder. And for that one, right click on it and verify the properties to have a Microsoft copyright.

    amsprop2.exe
    atidstr.exe
    RemoveCpl.exe
    Additional cleanup instructions: Go to the Control Panel > Internet Options applet. Clear the Temporary Internet Cache, History and Offline Content. Go to the Programs tab and select "reset web settings", including your home page if it has been altered. You can reset that later to what you desire.

    Go to Start > Run, enter %temp% and then click Edit > Select All. Right click on the selected files and folders and delete them.

    >> run Hoster.exe and have it restore your original Hosts File.

    >> Reboot and post a new scanlog.
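The log in the first post and the fix list in the reply above show the indicator classes a helper looks for by eye: hosts-file redirections of search domains to one IP, autostart entries with no name or living in temp/data folders, an unknown Winsock LSP, and ActiveX (O16) objects loaded from local `file://` cabs. The script below is an added example written for this page, not HijackThis code and not the helper's own tooling; it parses an HJT-format log and applies those rules mechanically. `SAMPLE_LOG` is a constructed excerpt that reuses entries from the posted log, and the home-page allow-list, the path markers and the sinkhole threshold are assumptions chosen for illustration, not HijackThis rules.

```python
"""Triage a HijackThis (HJT) log for the indicator classes raised in this thread.

Added example for this page: not HijackThis code and not the helper's tooling.
SAMPLE_LOG is a constructed excerpt reusing entries from the posted log; the
allow-list, path markers and threshold below are assumptions for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.mfmvzmoccz.com/av6_UiUWqz7PA8jlIhOqn/jrfa5AFBtF_xoQdDr4Ehhy4/uKzv3CQy83BrJv5Lf1.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euwuiufzqznn.org/av6_UiUWqz5QA057fsVM0BqsCnuXzkjLI5kHtPZmWFQ.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [] C:\WINDOWS\System32\.exe
O4 - HKLM\..\Run: [5mXvLgt] C:\documents and settings\sarah\local settings\temp\5mXvLgt.exe
O4 - HKLM\..\Run: [Cakeacidflapchin] C:\Documents and Settings\All Users\Application Data\Objstartcakeacid\managerlove.exe
O4 - HKLM\..\RunServices: [SystemSAS] system32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
"""

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<name>\S+)")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
EXE_RE = re.compile(r'"?(?P<path>.*?\.(?:exe|dll|com|scr|bat|pif))', re.I)
DPF_RE = re.compile(r"^DPF: \{(?P<clsid>[^}]+)\}(?: \((?P<desc>[^)]*)\))? - (?P<src>\S+)")

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
# Names whose redirection away from loopback hijacks IE search (assumed list).
SEARCH_NAMES = {"ieautosearch", "auto.search.msn.com", "search.netscape.com"}
# Domains an XP/IE6 home page may legitimately point at (assumed allow-list).
KNOWN_HOME_DOMAINS = ("msn.com", "microsoft.com", "aol.com")
# User-writable folders a persistent autostart should not normally live in (assumed).
USER_WRITABLE_MARKERS = ("\\local settings\\temp\\", "\\temp\\", "\\application data\\")


def parse_log(text):
    """Return (section, body) pairs for every HJT entry line, e.g. ('O4', 'HKLM\\..\\Run: ...')."""
    return [(m.group("kind"), m.group("body")) for line in text.splitlines()
            if (m := LINE_RE.match(line.strip()))]


def check_hosts(entries, min_redirects=3):
    """Flag search-domain redirections and one IP absorbing many hostnames (sinkhole)."""
    targets, seen, findings = defaultdict(set), set(), []
    for kind, body in entries:
        m = HOSTS_RE.match(body) if kind == "O1" else None
        if not m or (m["name"].lower(), m["ip"]) in seen:
            continue  # HJT repeats identical hosts lines; report each pair once
        ip, name = m["ip"], m["name"].lower()
        seen.add((name, ip))
        targets[ip].add(name)
        if name in SEARCH_NAMES and ip not in LOOPBACK:
            findings.append(f"O1 search hijack: {name} -> {ip}")
    for ip, names in targets.items():
        if ip not in LOOPBACK and len(names) >= min_redirects:
            findings.append(f"O1 sinkhole: {len(names)} names -> {ip}")
    return findings


def check_run_keys(entries):
    """Flag Run/RunServices entries that are nameless, pathless, or run from writable dirs."""
    findings = []
    for kind, body in entries:
        m = RUN_RE.match(body) if kind == "O4" else None
        if not m:
            continue  # Global Startup .lnk lines and other O4 forms are not handled here
        name, cmd, key = m["name"], m["cmd"].strip(), m["key"]
        exe = EXE_RE.match(cmd)
        path = exe["path"] if exe else cmd
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        reasons = []
        if not name or not stem:
            reasons.append("nameless entry")
        if "\\" not in path:
            reasons.append("bare filename resolved via search path")
        if any(mk in path.lower() for mk in USER_WRITABLE_MARKERS):
            reasons.append("runs from user-writable folder")
        if key.lower() == "runservices":
            reasons.append("legacy RunServices key")
        if reasons:
            findings.append(f"O4 [{name}] {cmd}: " + "; ".join(reasons))
    return findings


def check_lsp(entries):
    """Every O10 'Unknown file' LSP entry is reported once (HJT already vetted the known ones)."""
    return sorted({f"O10 unknown Winsock LSP: {body.split(':', 1)[1].strip()}"
                   for kind, body in entries if kind == "O10" and body.lower().startswith("unknown")})


def check_dpf(entries):
    """Flag ActiveX (O16) objects whose source is a local file:// cab rather than a web URL."""
    findings = []
    for kind, body in entries:
        m = DPF_RE.match(body) if kind == "O16" else None
        if m and urlparse(m["src"]).scheme.lower() in ("file", ""):
            findings.append(f"O16 local-cab ActiveX {{{m['clsid']}}} from {m['src']}")
    return findings


def check_ie_settings(entries):
    """Flag R0/R1 start/search URLs whose host is outside the assumed allow-list."""
    findings = []
    for kind, body in entries:
        if kind not in ("R0", "R1") or " = " not in body:
            continue  # empty values ('Start Page =') carry no URL to judge
        setting, value = body.split(" = ", 1)
        host = urlparse(value.strip()).hostname
        if host and not any(host == d or host.endswith("." + d) for d in KNOWN_HOME_DOMAINS):
            findings.append(f"{kind} {setting.rsplit(',', 1)[-1]} -> {host}")
    return findings


def triage(text):
    """Run every check over a raw HJT log and group the findings by indicator class."""
    entries = parse_log(text)
    return {"ie": check_ie_settings(entries), "hosts": check_hosts(entries),
            "run": check_run_keys(entries), "lsp": check_lsp(entries), "dpf": check_dpf(entries)}


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        for item in items:
            print(f"[{section}] {item}")
```

Run against the constructed excerpt, the script reproduces the helper's picks (the two hijacked IE URLs, the hosts redirections to 69.20.16.183, the nameless `.exe` entry, the temp and Application Data autostarts, `system32.exe` under RunServices, winlspak.dll and the `file://c:\x.cab` object) while leaving the Java, Messenger and MSN Zone entries alone. The rules are heuristics: a legitimate program can run from Application Data, so each finding is a review prompt, not a verdict.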
     
Short URL to this thread: https://techguy.org/324553