1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

hijackthis help

Discussion in 'Virus & Other Malware Removal' started by BOILER90, Sep 9, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. BOILER90

    BOILER90 Thread Starter

    Joined:
    Sep 9, 2004
    Messages:
    3
    Can you help with my hijackthis log file. I was hit with a form of CWS and it redirects my start page to some trash. I ran CWShredder and Adaware first, then hijackthis. Here is the file:

    Logfile of HijackThis v1.98.2
    Scan saved at 12:17:29 AM, on 9/6/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\system32\ipzk.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\CTHELPER.EXE
    C:\WINNT\System32\SK9910DM.EXE
    C:\WINNT\GWMDMMSG.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE
    C:\WINNT\system32\mfchi.exe
    C:\Program Files\Greetings Workshop\GWREMIND.EXE
    C:\Anti-SPY_DLOADS\hijackthis\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
    O4 - HKLM\..\RunOnce: [netmh.exe] C:\WINNT\netmh.exe
    O4 - HKLM\..\RunOnce: [crsg32.exe] C:\WINNT\system32\crsg32.exe
    O4 - HKLM\..\RunOnce: [apirw32.exe] C:\WINNT\apirw32.exe
    O4 - HKLM\..\RunOnce: [javamb.exe] C:\WINNT\system32\javamb.exe
    O4 - HKLM\..\RunOnce: [winbz.exe] C:\WINNT\system32\winbz.exe
    O4 - HKLM\..\RunOnce: [javapr32.exe] C:\WINNT\javapr32.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
    O4 - Global Startup: Event Reminder.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\gateway\helpspot\RunExeActiveX.CAB
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

    Please help!
    Thanks
     
  2. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    Lets start by rescanning once again with hijack then insert a check next to these then close all browser windows and click "fix checked"

    R3 - Default URLSearchHook is missing

    O4 - HKLM\..\RunOnce: [netmh.exe] C:\WINNT\netmh.exe

    O4 - HKLM\..\RunOnce: [crsg32.exe] C:\WINNT\system32\crsg32.exe

    O4 - HKLM\..\RunOnce: [apirw32.exe] C:\WINNT\apirw32.exe

    O4 - HKLM\..\RunOnce: [javamb.exe] C:\WINNT\system32\javamb.exe

    O4 - HKLM\..\RunOnce: [winbz.exe] C:\WINNT\system32\winbz.exe

    O4 - HKLM\..\RunOnce: [javapr32.exe] C:\WINNT\javapr32.exe



    Then reboot into safe mode http://dotcomsecurity.org/forums/index.php?showtopic=55

    set the system to show hidden files and folders http://dotcomsecurity.org/forums/index.php?showtopic=57


    Open windows explorer, find then delete:
    C:\WINNT\javapr32.exe
    C:\WINNT\netmh.exe
    C:\WINNT\system32\crsg32.exe
    C:\WINNT\apirw32.exe
    C:\WINNT\system32\javamb.exe
    C:\WINNT\system32\winbz.exe
    C:\WINNT\system32\ipzk.exe
    C:\WINNT\system32\mfchi.exe


    Reboot, rescan with hijack then post an updated scanlog.
     
  3. BOILER90

    BOILER90 Thread Starter

    Joined:
    Sep 9, 2004
    Messages:
    3
    Still redirects and files repopulated.
    Here is a new log file:

    Logfile of HijackThis v1.98.2
    Scan saved at 8:27:03 PM, on 9/9/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\javanr.exe
    C:\WINNT\apisp32.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\wuauclt.exe
    C:\WINNT\System32\CTHELPER.EXE
    C:\WINNT\System32\SK9910DM.EXE
    C:\WINNT\GWMDMMSG.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Greetings Workshop\GWREMIND.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Anti-SPY_DLOADS\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\cxnjp.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\cxnjp.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://cxnjp.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://cxnjp.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\cxnjp.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\cxnjp.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\cxnjp.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://cxnjp.dll/index.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\cxnjp.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\cxnjp.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {F18C41E3-636B-603B-13C6-98698855B7CE} - C:\WINNT\ntgh.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
    O4 - HKLM\..\Run: [mfchi.exe] C:\WINNT\system32\mfchi.exe
    O4 - HKLM\..\Run: [apisp32.exe] C:\WINNT\apisp32.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
    O4 - Global Startup: Event Reminder.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\gateway\helpspot\RunExeActiveX.CAB
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
     
  4. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    Printing this may help you

    1. Download this tool called about:Buster http://www.dotcomsecurity.org/downloads/AboutBuster.zip

    Unzip it to your Desktop.

    Start about:Buster. Then hit update. A new screen should pop up. On that screen, hit Check for Updates. If it says it found an update, hit Download Updates. If it doesnt find an update, it will automatically tell you and exit.

    Do nothing more with the program at this time.

    2. Click here http://www.lavasoftusa.com/support/download/ to download Ad-Aware SE and install. Open the program and click on "check for updates now" to make sure you have the latest reference file. If not, click *ok* and let it download and install the updates by clicking on *Finish* after the update download is completed. Exit the program.

    3. Print out these instructions so you have them handy as most of the steps need to be done in Safe Mode and you may not be able to go online.

    4. Make sure your PC is configured to show hidden files and folders....
    http://dotcomsecurity.org/forums/index.php?showtopic=57

    5. Next, go to Start->Run and type "Services.msc" (without quotes) then hit Ok You may not find it, if not go on to step 6

    Scroll down and find the service called "Network Security Service." When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and, under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

    6. Reboot to Safe Mode http://dotcomsecurity.org/forums/index.php?showtopic=55



    7. Scan with Hijack This and put checks next to all the following, then with all other windows closed click "Fix Checked"






    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\cxnjp.dll/sp.html#37049

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\cxnjp.dll/sp.html#37049

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://cxnjp.dll/index.html#37049

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://cxnjp.dll/index.html#37049

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\cxnjp.dll/sp.html#37049

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\cxnjp.dll/sp.html#37049

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\cxnjp.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://cxnjp.dll/index.html#37049

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\cxnjp.dll/sp.html#37049

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\cxnjp.dll/sp.html#37049

    R3 - Default URLSearchHook is missing


    O2 - BHO: (no name) - {F18C41E3-636B-603B-13C6-98698855B7CE} - C:\WINNT\ntgh.dll

    O4 - HKLM\..\Run: [mfchi.exe] C:\WINNT\system32\mfchi.exe

    O4 - HKLM\..\Run: [apisp32.exe] C:\WINNT\apisp32.exe


    Now, search for, and delete if found, (some files may not be present after previous steps) the following files:
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\javanr.exe
    C:\WINNT\apisp32.exe

    8. Go to Start->Run and type Regedit then click Ok. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    and highlight Services in the left pane. In the right pane, look for any of these entries:

    __NS_Service
    __NS_Service_2
    __NS_Service_3

    If any are listed, right-click that entry in the right pane and choose Delete.

    Again in Regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root and highlight Root in the Left Pane. In the right pane, look for these entries (the number at the end should correspond to the first one you deleted above):

    LEGACY___NS_Service
    LEGACY___NS_Service_2
    LEGACY___NS_Service_3

    If you find it, right-click it in the right-pane and choose delete.

    Remain in Safe Mode....

    9. Double click on about:Buster to start the program. Hit Start and then Ok. The program should start scanning. When it's finished, hit Exit and reboot, again in Safe Mode.

    Run about:Buster once more to make sure everything is ok. Reboot into Safe Mode when finished.

    Save the about:Buster report (copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.

    10. Remaining in Safe Mode, Reconfigure Ad-Aware SE for a custom scan:

    Launch the program, and click on the Gear at the top of the start screen.

    Under "General Settings" all available options should be selected.

    Click the "Scanning" button.
    Under "Drives, Folders and Files," select "Scan within Archives".
    Click "Drives and folders to scan" and select your installed hard drives.
    Under "Memory & Registry," select all options.

    Click the "Advanced" button.
    Under "Logfile detail level," select all options.

    Click the "Defaults" button.
    If you want to keep your current settings for your homepage and searchpage,
    select "Read current settings from system." Otherwise, Ad-aware will reset them.

    Click the "Tweak" button.
    Under "Scanning Engine," select the following:
    "Unload recognized processes during scanning."
    Under "Cleaning Engine," select the following:
    "Always try to unload modules before deletion."
    "During removal unload Explorer and IE if necessary."
    "Let Windows remove files in use after reboot."
    Click on "Proceed" to save these Preferences.

    Run the Ad-Aware scan, making sure that the mode selected is "Use custom scanning options."

    When the scan is finished, the screen will tell you if anything has been found, click "Next." The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?"

    11. Clean out temporary and TIF files.....

    Delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself) like for example:

    C:\WINDOWS\Temp\

    C:\Temp\

    C:\Documents and Settings\username\Local Settings\Temp\

    Also delete your Temporary Internet Files, be sure to also select "delete all offline content."

    Empty your Recycle Bin and reboot into normal mode.

    12. Perform online virus scans at Trend Micro and Panda Software (See links below). Allow the programs to delete anything they may find. Reboot after each scan.

    13. Download and install this free anti-Trojan program: http://www.emsisoft.com/en/software/free/

    Perform a scan and allow the program to remove anything it may find.

    14. Go to the Windows Update site (see link below) to download and install ALL critical updates. Reboot when finished.

    15. NOTE: Two possibly three files may have been deleted from your computer by the hijacker and may need to be replaced. Check to see if these are missing.

    a. Control.exe

    b. hosts (with no extension)

    c. SDHelper.dll (if you are using Spybot Search & Destroy)

    If control. exe is missing
    Go here: http://www.spywareinfo.com/~merijn/...es.html#control
    and download the version of control.exe for your operating system. If you are running Windows 95/98/98SE/ME: copy it to C:\WINDOWS
    Windows 2000, copy it to c:\winnt\system32\.
    For Windows XP, copy it to c:\windows\system32\.

    Download the Hoster from here: http://members.aol.com/toadbee/hoster.zip
    Press 'Restore Original Hosts' and press 'OK'
    Exit Program.
    Note: if you were using a custom Hosts file you will need to replace any of those entries yourself

    If you have Spybot S&D installed and SDHelper.dll is missing, replace it
    Here
    and download SDHelper.dll. Copy the file to the folder containing you Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

    16. Additionally, Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your active x security settings in IE as recommended here:
    http://www.spywareinfo.com/articles...ked/prevent.php
    QUOTE
    ActiveX controls and plug-ins

    * Download signed ActiveX controls (Prompt)
    * Download unsigned ActiveX controls (Disable)
    * Initialize and script ActiveX controls not marked as safe (Disable)
    * Run ActiveX controls and plug-ins (Enabled) (This actually refers to Java and Flash, not ActiveX)
    * Script ActiveX controls marked safe for scripting (Prompt)


    17. Reboot to Normal Mode, then scan with HijackThis and post a fresh log into this same thread along with your about:Buster log.
     
  5. BOILER90

    BOILER90 Thread Starter

    Joined:
    Sep 9, 2004
    Messages:
    3
    Your help seems to have worked.
    It didn't redirect my start page.
    Here are my log files. Also,I couldn't
    find Trend Micro so I ran A squared.

    Logfile of HijackThis v1.98.2
    Scan saved at 2:16:46 AM, on 9/11/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\System32\alg.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\System32\wuauclt.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\CTHELPER.EXE
    C:\WINNT\System32\SK9910DM.EXE
    C:\WINNT\GWMDMMSG.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\a2\a2guard.exe
    C:\Program Files\Greetings Workshop\GWREMIND.EXE
    C:\Documents and Settings\Bob\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [a²] "C:\Program Files\a2\a2guard.exe"
    O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
    O4 - Global Startup: Event Reminder.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\gateway\helpspot\RunExeActiveX.CAB
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

    Scanned at: 11:08:10 PM on: 9/9/2004


    -- Scan 1 ---------------------------
    About:Buster Version 3.0
    Reference List : 15

    No ADS found on system
    Removed 2 Random Key Entries
    Attempted Clean Of Temp folder.
    Pages Reset... Done!

    -- Scan 2 ---------------------------
    About:Buster Version 3.0
    Reference List : 15

    No ADS found on system
    Removed 2 Random Key Entries
    Attempted Clean Of Temp folder.
    Pages Reset... Done!
     
  6. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    Rescan with hijack now and fix this entry and your good to go.
    R3 - Default URLSearchHook is missing
     
  7. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/272239

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice