1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

HijackThis Log file. Help

Discussion in 'Virus & Other Malware Removal' started by xouroborus, Jan 30, 2005.

Thread Status:
Not open for further replies.
  1. xouroborus

    xouroborus Thread Starter

    Joined:
    Jan 30, 2005
    Messages:
    9
    First time user...be gentle. Friend asked me to look at his box. Lots of problems. Booted the computer in safe mode. Ran CWShredder, AdAware, Spybot and a couple other tools. Still can get rid of the Win Min. There might be a couple others that need to go as well.


    Logfile of HijackThis v1.99.0
    Scan saved at 8:19:45 PM, on 1/28/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKUFIND.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\WINDOWS\MSTASK.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAM FILES\OLYMPUS\CAMEDIA MASTER 4.0\CM_CAMERA.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\MSN\MSNCOREFILES\MSN.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\MSN\MSNIA\MSNIASVC.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\DESKTOP\TOOLS\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.find-more.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.find-more.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.find-more.net/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.find-more.net/index.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = 69.61.38.52
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.find-more.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.find-more.net/index.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://www.find-more.net/sp.htm
    O1 - Hosts: 69.61.38.52 ie.search.msn.com
    O1 - Hosts: 69.50.136.245 www.sexape.com sexape.com www.picwarehouse.com picwarehouse.com www.darlina.com darlina.com www.searchgals.com searchgals.com www.madthumbs.com madthumbs.com www.searchbigtits.com searchbigtits.com www.zadina.com zadina.com mature-post.com www.dianapost.com sexocean.com
    O1 - Hosts: 69.50.136.245 www.absolut-series.com absolut-series.com www.bigbreastlovers.com bigbreastlovers.com www.teeniesxxx.com teeniesxxx.com www.candylist.com candylist.com www.freepicseries.com freepicseries.com www.mature-post.com dianapost.com www.sexocean.com www.pornnimbus.com pornnimbus.com
    O1 - Hosts: 69.50.136.245 www.easygals.com easygals.com celebpix.org www.besoindesexe.com besoindesexe.com www.freefoto.cz freefoto.cz
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\NAVAPW32.EXE
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
    O4 - HKLM\..\RunServices: [MSNIA] C:\PROGRA~1\MSN\MSNIA\MSNIASVC.EXE
    O4 - HKCU\..\Run: [Task Bar] C:\WINDOWS\taskbar.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [mstask] C:\WINDOWS\mstask.exe
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.0\CM_camera.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
    O16 - DPF: ChatSpace JavaLight Client - http://sites.chatspace.com:8058/Java/cslt4.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs5.chat.sc5.yahoo.com/v43/yacscom.cab
    O16 - DPF: Yahoo! Chat - http://cs5.chat.sc5.yahoo.com/c381/chat.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
     
  2. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Download the Hoster from here:
    http://members.aol.com/toadbee/hoster.zip


    Print this and boot to safe mode

    Run Hoster and press Restore Original Hosts, OK, and Exit Program.


    Fix these with HJT

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.find-more.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.find-more.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.find-more.net/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.find-more.net/index.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = 69.61.38.52
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.find-more.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.find-more.net/index.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://www.find-more.net/sp.htm

    O1 - Hosts: 69.61.38.52 ie.search.msn.com

    O1 - Hosts: 69.50.136.245 www.sexape.com sexape.com www.picwarehouse.com picwarehouse.com www.darlina.com darlina.com www.searchgals.com searchgals.com www.madthumbs.com madthumbs.com www.searchbigtits.com searchbigtits.com www.zadina.com zadina.com mature-post.com www.dianapost.com sexocean.com

    O1 - Hosts: 69.50.136.245 www.absolut-series.com absolut-series.com www.bigbreastlovers.com bigbreastlovers.com www.teeniesxxx.com teeniesxxx.com www.candylist.com candylist.com www.freepicseries.com freepicseries.com www.mature-post.com dianapost.com www.sexocean.com www.pornnimbus.com pornnimbus.com

    O1 - Hosts: 69.50.136.245 www.easygals.com easygals.com celebpix.org www.besoindesexe.com besoindesexe.com www.freefoto.cz freefoto.cz

    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe

    O4 - HKCU\..\Run: [Task Bar] C:\WINDOWS\taskbar.exe

    Boot and post a new log
     
  3. xouroborus

    xouroborus Thread Starter

    Joined:
    Jan 30, 2005
    Messages:
    9
    Cleared some of the garbage, THANKS! The 'find-more.net' keeps coming back. The Win Min still is causing grief as well. When he goes to shutdown, the dialog box for 'Win Min' appears. He has to end task to continue shutting down.

    Here is the latest logfile.

    Logfile of HijackThis v1.99.0
    Scan saved at 5:24:59 PM, on 2/12/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\DESKTOP\TOOLS\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.find-more.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.find-more.net/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.find-more.net/index.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.find-more.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.find-more.net/index.htm
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\NAVAPW32.EXE
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
    O4 - HKLM\..\RunServices: [MSNIA] C:\PROGRA~1\MSN\MSNIA\MSNIASVC.EXE
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [mstask] C:\WINDOWS\mstask.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.0\CM_camera.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
    O16 - DPF: ChatSpace JavaLight Client - http://sites.chatspace.com:8058/Java/cslt4.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs5.chat.sc5.yahoo.com/v43/yacscom.cab
    O16 - DPF: Yahoo! Chat - http://cs5.chat.sc5.yahoo.com/c381/chat.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http*://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
     
As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/325004

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice