hijacker tool help

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Rattler3

Thread Starter
Joined
Apr 25, 2002
Messages
245
Hi all,

Have a friends computer, found some things on it that need removed, per his request.... ran the hijacker tool, I need some help with what files stay and what goes.... I don't know head from tail on most of them. So please someone with some eye for this... HELP! My friends computer has some porn crap stuff on it that he needs off of there, and anything else that doesn't belong.

Thanks, you guys are awesome

:)
here is the log of hijacker

Logfile of HijackThis v1.96.4
Scan saved at 10:38:01 PM, on 9/21/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\PROMon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\PhoneTools\CapFax.EXE
C:\Program Files\QUICKENW\QAGENT.EXE
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\PROGRA~1\INCRED~1\bin\IncMail.exe
C:\Program Files\Date Manager\DateManager.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\Program Files\PrecisionTime\PrecisionTime.exe
C:\WINNT\System32\mrtMngr.EXE
C:\Program Files\Weatherscope\Weatherscope.exe
C:\Program Files\RapidBlaster\rb32.exe
C:\Program Files\WebSiteViewer\108186.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\System32\svchost.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.spidersearch.com/frame_results.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ccountry.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ccountry.net
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O2 - BHO: (no name) - {00000273-8230-4DD4-BE4F-6889D1E74167} - C:\WINNT\host.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINNT\Downloaded Program Files\ycomp5_1_5_0.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: Httper - {A5483501-070C-41DD-AF44-9BD8864B3015} - C:\Program Files\Httper\httper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {856D6A8E-A24C-498A-A55A-2B25C606A6B4} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINNT\Downloaded Program Files\ycomp5_1_5_0.dll
O3 - Toolbar: Zipclix - {319A68DB-06D0-46DA-9F93-A810D5A70836} - C:\Program Files\Zipclix\zipclix.dll
O3 - Toolbar: (no name) - {0AAF602E-72A1-45FE-BAB1-06971E07EAA2} - (no file)
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [RapidBlaster] C:\Program Files\RapidBlaster\rb32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
O4 - HKCU\..\Run: [SpyProtection] C:\Program Files\Webroot\SpyProtection\SpyProtection.exe /0
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Internet Washer Pro] C:\PROGRA~1\INTERN~2\iw.exe min
O4 - Startup: ZIPscript.lnk = C:\NavPress\ZIPscrpt.exe
O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O4 - Global Startup: Weatherscope.lnk = C:\Program Files\Weatherscope\Weatherscope.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.ccountry.net
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://younghips.com/cam.exe
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {10000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/TURB8102/turbo.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://imgfarm.com/images/nocache/funwebproducts/PopSwatterInitialSetup1.0.0.5.cab
O16 - DPF: {1E89F686-B78D-4C85-9EFC-3474516E3FE2} - http://directplugin.com/plugin/108186.exe
O16 - DPF: {20000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/TURB8102/payload2.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {359F7E49-1EA0-4671-92E9-61E32FE25C5E} - http://69.0.137.190/version3/Netster.dll
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://i.rn11.com/iwasher/pptproactauthmirror/internetwasherpro.cab
O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://objects.compuserve.com/chat/RTCChat.cab
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://www108.coolsavings.com/download/cscmv5X.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/13a40575fb8fa35f6905/netzip/RdxIE2.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://younghips.com/cam.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37567.4262962963
O16 - DPF: {A1DC3241-B122-195F-B21A-000000000000} - http://pluginaccess.com/Browser_Plugin.cab
O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://php.offshoreclicks.com/dialup_files/99950894.cab
O16 - DPF: {C7B05B62-C8D7-438C-840B-4994DAAA8EEE} (PdpPi Class) - http://webpdp.gator.com/4/download/pdpplugin_5094_bundle18v0p10.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805...ch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {CE37E095-ACFF-4380-A856-A560D389E5E1} (XPLControlProject.XPLControl) - hcp://system/XPLControl.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D35A69A7-7A34-4C67-814A-3F508C0BF371} - http://traffichog.com/toolbar/bmeb.cab
O16 - DPF: {DA9A0B1E-9B7B-11D3-B8A4-00C04F79641C} (NSUpdateLiteCtrl Class) - http://xbs.sea.mtree.com/mt/dialers/on/US/NSupd9x.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_5_0.cab
O16 - DPF: {F0AA2376-F073-4E57-86E8-0238F99087C7} (AInst Class) - http://cnt.rapidblaster.com/install/activeinstaller.dll
 
Joined
Jul 31, 2003
Messages
116
i think ur friend has rapid blaster on his computer. go to the website at the bottom and download rapid blaster killer. It kills rapid blaster or simply tells you that you don't have it on ur computer. other than that i have no clue waht should go or stay.

http://www.wilderssecurity.net/specialinfo/rapidblaster.html#removal

although this could be a legitamit file i couldn't tell you...still a useful tool to have. i didn't take time to look it over cuz its about 2 o'clock over here and i'm tired
 
Joined
Jul 24, 2003
Messages
420
Hi Rattler3 ,

Please do the following ,

Download Rbkiller www.wilderssecurity.net/downloads/rbkiller.exe
Close all browser windows , check your Taskbar for minimized windows as well , Run Rbkiller.


Scan Hijack This , put a check in the following entries and hit ''Fix Checked'' ,

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.spidersearch.com/frame_results.php

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s

O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com

O2 - BHO: (no name) - {00000273-8230-4DD4-BE4F-6889D1E74167} - C:\WINNT\host.dll

O2 - BHO: Httper - {A5483501-070C-41DD-AF44-9BD8864B3015} - C:\Program Files\Httper\httper.dll


O3 - Toolbar: (no name) - {856D6A8E-A24C-498A-A55A-2B25C606A6B4} - (no file)

O3 - Toolbar: Zipclix - {319A68DB-06D0-46DA-9F93-A810D5A70836} - C:\Program Files\Zipclix\zipclix.dll

O3 - Toolbar: (no name) - {0AAF602E-72A1-45FE-BAB1-06971E07EAA2} - (no file)

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"

O4 - HKLM\..\Run: [RapidBlaster] C:\Program Files\RapidBlaster\rb32.exe

O4 - HKCU\..\Run: [Internet Washer Pro] C:\PROGRA~1\INTERN~2\iw.exe min

O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe

O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe

O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe

O4 - Global Startup: Weatherscope.lnk = C:\Program Files\Weatherscope\Weatherscope.exe

O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://younghips.com/cam.exe

O16 - DPF: {10000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com...B8102/turbo.cab

O16 - DPF: {1E89F686-B78D-4C85-9EFC-3474516E3FE2} - http://directplugin.com/plugin/108186.exe

O16 - DPF: {20000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com...02/payload2.cab

O16 - DPF: {359F7E49-1EA0-4671-92E9-61E32FE25C5E} - http://69.0.137.190/version3/Netster.dll

O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://i.rn11.com/iwasher/pptproact...etwasherpro.cab

O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://www108.coolsavings.com/download/cscmv5X.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/13a40575fb8fa3...tzip/RdxIE2.cab

O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB

O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://younghips.com/cam.cab

O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://php.offshoreclicks.com/dialup_files/99950894.cab

O16 - DPF: {C7B05B62-C8D7-438C-840B-4994DAAA8EEE} (PdpPi Class) - http://webpdp.gator.com/4/download/...ndle18v0p10.cab

O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805...uditControl.cab

O16 - DPF: {CE37E095-ACFF-4380-A856-A560D389E5E1} (XPLControlProject.XPLControl) - hcp://system/XPLControl.CAB

O16 - DPF: {D35A69A7-7A34-4C67-814A-3F508C0BF371} - http://traffichog.com/toolbar/bmeb.cab

O16 - DPF: {DA9A0B1E-9B7B-11D3-B8A4-00C04F79641C} (NSUpdateLiteCtrl Class) - http://xbs.sea.mtree.com/mt/dialers/on/US/NSupd9x.cab

O16 - DPF: {F0AA2376-F073-4E57-86E8-0238F99087C7} (AInst Class) - http://cnt.rapidblaster.com/install/activeinstaller.dll

Shutdown & Reboot your computer in Safe Mode
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

Navigate to and Delete the following

C:\Program Files\PrecisionTime > Folder
C:\Program Files\Common Files\GMT > Folder
C:\Program Files\Date Manager > Folder
C:\Program Files\Common Files\CMEII > Folder
C:\Program Files\Weatherscope > Folder
C:\Program Files\WebSiteViewer > Folder
C:\Program Files\RapidBlaster > Folder
C:\Program Files\Zipclix > Folder
C:\Program Files\Httper > Folder
C:\WINNT\host.dll > File

Shutdown & Normal Reboot

Download and install Spybot search & destroy www.security.kolla.de Open Spybot search & destroy , Click Online , Search for updates , Download all available updates , log offline , Close all browser windows , check your taskbar for minimized windows as well , Run Spybot search & destroy , put a check in every entry Spybot search & destroy returns , Click fix problems.

Shutdown & Reboot your computer

Download SpywareBlaster v2.6.1 and SpywareGuard v2.2 for the prevention of both Spyware Active X installation and running , and Browser Hijacking protection in real-time http://www.wilderssecurity.net/index.html

Upgrade Hijack This to Version 1.97 , Config... , Misc Tools , Update Online.

Rescan Hijack This and post a new log for a follow-up review

Good luck
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Members online

Top