1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Hijack this Log

Discussion in 'Virus & Other Malware Removal' started by Boredofu, Sep 25, 2003.

Thread Status:
Not open for further replies.
Advertisement
  1. Boredofu

    Boredofu Thread Starter

    Joined:
    Sep 25, 2003
    Messages:
    86
    Something is causing any windows opened by clicking a link to immeadiatly close again.

    The brief flash of the window states invalid syntax error in the blue top bar.

    I've run spybot, adaware and AVG.

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\MEDIAPAC\VI_GRM.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CRASHGUARD\CGMENU.EXE
    C:\WINDOWS\STARTER.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAM FILES\BUYPIN SOFTWARE\ADVERTISING KILLER\AKILLER.EXE
    C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CRASHGUARD\CG16EH.EXE
    C:\PROGRAM FILES\PHRS\LIBMAN.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\SYSDOC32.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\NOTEPAD.EXE
    C:\WINDOWS\NOTEPAD.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = %START_PAGE_URL%
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.onherown.net/modules.php?name=Forums
    F1 - win.ini: load=C:\MEDIAPAC\vi_grm.exe
    O1 - Hosts: 64.14.40.138 www.searchscout.com
    O1 - Hosts: 64.14.40.138 www.letssearch.com
    O1 - Hosts: 64.14.40.138 www.searchex.com
    O1 - Hosts: 64.14.40.138 srch.lop.com
    O1 - Hosts: 64.14.40.138 www.searchresult.net
    O1 - Hosts: 64.14.40.138 www.xupiter.com
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Norton CrashGuard Monitor] "C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CRASHGUARD\CGMenu.EXE"
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
    O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKCU\..\Run: [AKiller] "C:\PROGRAM FILES\BUYPIN SOFTWARE\ADVERTISING KILLER\AKILLER.EXE"
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
    O4 - Startup: PHRS - WP Link.lnk = C:\Program Files\PHRS\LibMan.exe
    O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Downloads (HKCU)
    O16 - DPF: {89122070-4199-11D4-8BAF-0050045B552C} - http://download.rocketpipe.com/bundles/198.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs4.chat.yahoo.com/v43/yacscom.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Control) - http://communities.msn.co.uk/scr/MsnPUpld.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37869.2744212963
    O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} (EPlugin Control) - http://66.230.146.33/EPlugin.cab
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} - https://webresponse.one.microsoft.com/oas/ActiveX/winrep

    Is there anything that might be causing my system to fail to read links or could there have been a virus I already removed that has corrupted the systems abolitit to read links?
     
  2. putasolution

    putasolution

    Joined:
    Mar 20, 2003
    Messages:
    4,823
    Welcome to TSG, boredofu

    You have somehow managed to contract LOP and Xupiter

    Download and run Spybot Search and destroy
    Once installed, start it,
    Click Updates | Search for Updates
    and if necessary Download Updates

    Now Click Search and destroy
    Click Check for Problems

    It may take a bit of time to do the scan, but when done, put a check mark against the red labelled items and click Fix Selected Problems

    Once done, repost a new Hijack this log
     
  3. Boredofu

    Boredofu Thread Starter

    Joined:
    Sep 25, 2003
    Messages:
    86
    Um I ran search and destroy a few times, including this morning
     
  4. Boredofu

    Boredofu Thread Starter

    Joined:
    Sep 25, 2003
    Messages:
    86
    i'll try updates though
     
  5. Boredofu

    Boredofu Thread Starter

    Joined:
    Sep 25, 2003
    Messages:
    86
    I've notied that search and destroy hangs at c lop for a long time but doesn't actually record anything
     
  6. putasolution

    putasolution

    Joined:
    Mar 20, 2003
    Messages:
    4,823
  7. Boredofu

    Boredofu Thread Starter

    Joined:
    Sep 25, 2003
    Messages:
    86
    Ok I see that ..... I tried an update but it still hangs on C2lop

    A new log still reveals lop and xupiter.


    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\MEDIAPAC\VI_GRM.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CRASHGUARD\CGMENU.EXE
    C:\WINDOWS\STARTER.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAM FILES\BUYPIN SOFTWARE\ADVERTISING KILLER\AKILLER.EXE
    C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CRASHGUARD\CG16EH.EXE
    C:\PROGRAM FILES\PHRS\LIBMAN.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\SYSDOC32.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE
    C:\WINDOWS\NOTEPAD.EXE
    C:\WINDOWS\NOTEPAD.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.youthink.com/forums.asp?action=threads&ct=0
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.onherown.net/modules.php?name=Forums
    F1 - win.ini: load=C:\MEDIAPAC\vi_grm.exe
    O1 - Hosts: 64.14.40.138 www.searchscout.com
    O1 - Hosts: 64.14.40.138 www.letssearch.com
    O1 - Hosts: 64.14.40.138 www.searchex.com
    O1 - Hosts: 64.14.40.138 srch.lop.com
    O1 - Hosts: 64.14.40.138 www.searchresult.net
    O1 - Hosts: 64.14.40.138 www.xupiter.com
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Norton CrashGuard Monitor] "C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CRASHGUARD\CGMenu.EXE"
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
    O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKCU\..\Run: [AKiller] "C:\PROGRAM FILES\BUYPIN SOFTWARE\ADVERTISING KILLER\AKILLER.EXE"
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
    O4 - Startup: PHRS - WP Link.lnk = C:\Program Files\PHRS\LibMan.exe
    O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Downloads (HKCU)
    O16 - DPF: {89122070-4199-11D4-8BAF-0050045B552C} - http://download.rocketpipe.com/bundles/198.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs4.chat.yahoo.com/v43/yacscom.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Control) - http://communities.msn.co.uk/scr/MsnPUpld.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37869.2744212963
    O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} (EPlugin Control) - http://66.230.146.33/EPlugin.cab
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
     
  8. vaat

    vaat

    Joined:
    Sep 25, 2003
    Messages:
    1
    fix these:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about :blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about :blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about :blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about :blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about :blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about :blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.onherown.net/modules.php?name=Forums
    F1 - win.ini: load=C:\MEDIAPAC\vi_grm.exe
    O1 - Hosts: 64.14.40.138 www.searchscout.com
    O1 - Hosts: 64.14.40.138 www.letssearch.com
    O1 - Hosts: 64.14.40.138 www.searchex.com
    O1 - Hosts: 64.14.40.138 srch.lop.com
    O1 - Hosts: 64.14.40.138 www.searchresult.net
    O1 - Hosts: 64.14.40.138 www.xupiter.com
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Norton CrashGuard Monitor] "C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CRASHGUARD\CGMenu.EXE"
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} (EPlugin Control) - http://66.230.146.33/EPlugin.cab
    O16 - DPF: {89122070-4199-11D4-8BAF-0050045B552C} - http://download.rocketpipe.com/bundles/198.cab
     
  9. Boredofu

    Boredofu Thread Starter

    Joined:
    Sep 25, 2003
    Messages:
    86
    Ok I have deleted all that nasty stuff

    Thank you for that....

    but my browser is still diabled in that I cant use my IE start up or open any links without opening a document window and pasting the URL into it.
     
  10. putasolution

    putasolution

    Joined:
    Mar 20, 2003
    Messages:
    4,823
    There is a possibility that urlmon.dll has been corrupted

    Have a look at this page
     
  11. Boredofu

    Boredofu Thread Starter

    Joined:
    Sep 25, 2003
    Messages:
    86
    Ok that's interesting, however after rebooting a second or third time since deleting the above files the system seems to be running soundly.

    Thanks for all the hay-elp
     
  12. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/167290

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice