HijackThis log review request

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

shermaine_08

Thread Starter
Joined
Feb 11, 2005
Messages
18
Hello, I have recently received awesome help from this site with my computer. Now I have a HijackThis log from a friend's computer. I ran Ad-Aware SE and Spybot and each found numerous errors and corrected most of them. I then ran a HijackThis report and received the following results. Any help is greatly appreciated.

Logfile of HijackThis v1.99.0
Scan saved at 2:26:53 PM, on 2/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\explorer.exe
C:\Program Files\HIJACKtHISrUN\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uni--search.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uni--search.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://uni--search.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: 127.0.0.3 n-glx.s-redirect.com
O1 - Hosts: 127.0.0.3 x.full-tgp.net
O1 - Hosts: 127.0.0.3 counter.sexmaniack.com
O1 - Hosts: 127.0.0.3 autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.awmdabest.com
O1 - Hosts: 127.0.0.3 www.sexfiles.nu
O1 - Hosts: 127.0.0.3 awmdabest.com
O1 - Hosts: 127.0.0.3 sexfiles.nu
O1 - Hosts: 127.0.0.3 allforadult.com
O1 - Hosts: 127.0.0.3 www.allforadult.com
O1 - Hosts: 127.0.0.3 www.iframe.biz
O1 - Hosts: 127.0.0.3 iframe.biz
O1 - Hosts: 127.0.0.3 www.newiframe.biz
O1 - Hosts: 127.0.0.3 newiframe.biz
O1 - Hosts: 127.0.0.3 www.vesbiz.biz
O1 - Hosts: 127.0.0.3 vesbiz.biz
O1 - Hosts: 127.0.0.3 www.pizdato.biz
O1 - Hosts: 127.0.0.3 pizdato.biz
O1 - Hosts: 127.0.0.3 www.aaasexypics.com
O1 - Hosts: 127.0.0.3 aaasexypics.com
O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [Task manager] taskmngr.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe" "+b1"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - Global Startup: hhnukk.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://jcs.chat.dcn.yahoo.com/v45/yacscom.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\gateway\helpspot\RunExeActiveX.CAB
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://iframedollars.biz/tb/loader2.ocx
O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
 
Joined
Sep 7, 2004
Messages
49,014
No AV!!!!!!!!!!!!

Do a couple online scans from this list

http://forums.techguy.org/t110854.html

Then get the free AVG 7, install it, check for updates and run a full scan

AVG 7 - http://free.grisoft.com/freeweb.php/doc/2/
-------------------------
http://www.cexx.org/lspfix.htm

Launch the application, and click the "I know what I'm doing" checkbox.

Check all instances of calsp.dll and aklsp.dll (and nothing else), and move them to
the "Remove" pane.
Then click Finish.

Restart in safe mode

Now delete the C:\windows\system32\aklsp.dll

And C:\windows\system32\calsp.dll

Reboot.

Download the Hoster from here:
http://members.aol.com/toadbee/hoster.zip
Run Hoster and press Restore Original Hosts, OK, and Exit Program. Reboot.
Post a new log
 

shermaine_08

Thread Starter
Joined
Feb 11, 2005
Messages
18
Hello again.. I think I may have screwed something up. I'm on my own computer now as the internet is not working on my friend's computer (the affected one). After I ran the AVG scan, I wasn't able to get back on the internet. I'm getting errors that the IP address cannot be renewed and "An operation was attempted on something that is not a socket."
I've tried the Windows fix (http://support.microsoft.com/default.aspx?scid=kb;en-us;817571) which says to copy, delete, and reinstall the Winsock and Winsock2 registry values. I also reset my IP address in the command prompt but I'm still getting the errors.

The good news is that the weird XXX and ads that were on the desktop are now gone. I'm afraid that maybe I deleted something I shouldn't have when I ran the AVG scan. I created a backup but I'm not sure how to use the backup without reinstalling the spyware crap. As of right now I'm at my wits end! Please help if you can. I hope I haven't screwed this up completely.
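The "not a socket" error reported in the post above is the usual symptom of a Winsock catalog entry whose provider DLL has been deleted from disk: Winsock still tries to load the LSP for every socket call and fails. The following script is an added example, not part of this thread or of LSPfix: it reads the protocol catalog (on Windows) and reports entries whose DLL is missing, and it includes a constructed sample so it can be run anywhere. The blob layout it relies on, the DLL path stored in the first 260 bytes of PackedCatalogItem as a NUL-padded ANSI string, is an assumption noted in the comments; the sample entries, paths and fake disk are constructed for this example.

```python
"""Report Winsock LSP catalog entries whose provider DLL is missing on disk.

Added example for this thread (not LSPfix or HijackThis code)."""
import os

MAX_PATH = 260
PROTO_KEY = r"SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries"


def provider_path(packed_item: bytes) -> str:
    """Provider DLL path from a PackedCatalogItem REG_BINARY blob.

    Assumed layout: the first MAX_PATH bytes hold the library path as a
    NUL-padded ANSI string, followed by the WSAPROTOCOL_INFO structure.
    latin-1 decoding keeps every byte value without raising."""
    raw = packed_item[:MAX_PATH].split(b"\x00", 1)[0]
    return raw.decode("latin-1")


def dangling(entries, exists=os.path.exists, expand=os.path.expandvars):
    """Given {catalog entry name: provider path}, return the entries whose
    DLL is not on disk. %SystemRoot%-style paths are expanded first."""
    return {name: p for name, p in entries.items() if p and not exists(expand(p))}


def read_protocol_catalog():
    """Windows only: walk Protocol_Catalog9 and return {entry: dll path}."""
    import winreg  # only available on Windows
    out = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PROTO_KEY) as key:
        for i in range(winreg.QueryInfoKey(key)[0]):
            sub = winreg.EnumKey(key, i)
            with winreg.OpenKey(key, sub) as entry:
                blob, kind = winreg.QueryValueEx(entry, "PackedCatalogItem")
                if kind == winreg.REG_BINARY:
                    out[sub] = provider_path(blob)
    return out


def _packed(path: str) -> bytes:
    """Constructed test blob: path padded to MAX_PATH plus a dummy struct tail."""
    p = path.encode("latin-1")
    return p + b"\x00" * (MAX_PATH - len(p)) + b"\x00" * 16


# Constructed sample catalog: one legitimate provider and the two LSP DLLs
# named in this thread. Entry numbers are made up.
SAMPLE = {
    "000000000001": _packed(r"%SystemRoot%\system32\mswsock.dll"),
    "000000000009": _packed(r"c:\winnt\system32\calsp.dll"),
    "000000000010": _packed(r"c:\winnt\system32\aklsp.dll"),
}


def demo():
    """Evaluate SAMPLE against a pretend disk on which only mswsock.dll
    exists: the state after the LSP DLLs were deleted but the catalog
    entries pointing at them were left behind."""
    present = {r"C:\WINNT\system32\mswsock.dll".lower()}
    fake_exists = lambda p: p.lower() in present
    fake_expand = lambda p: p.replace("%SystemRoot%", r"C:\WINNT")
    paths = {k: provider_path(v) for k, v in SAMPLE.items()}
    return dangling(paths, exists=fake_exists, expand=fake_expand)


if __name__ == "__main__":
    for entry, dll in sorted(demo().items()):
        print(f"catalog entry {entry}: {dll} is missing on disk")
```

On a real machine, `dangling(read_protocol_catalog())` gives the same report for the live catalog; an entry in that report is exactly what the LSPfix step above removes on the catalog side, which is why the catalog should be cleaned before the DLL is deleted rather than after.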
 

shermaine_08

Thread Starter
Joined
Feb 11, 2005
Messages
18
Ok, I looked up a few more searches, ran a Winsock fix and the LSPfix and the Hoster. I've run all of the fixes that I found from searching for solutions on this site. However, I'm still unable to get on the internet. I ran HijackThis and saved it to A:\. Here is the output:

PS...
---------
By the way, I disabled all of the startup items using msconfig. That was the only way I was able to download the anti-spyware tools in the beginning. I'm not sure if I should re-enable it or not. I'm afraid that it will cause the computer to become super slow again.

Also, I think I need to do a new system restore when I get the internet fixed, so that the spyware doesn't infect the computer again. Are there any directions you can provide to assist with this.
--------
Logfile of HijackThis v1.99.0
Scan saved at 10:49:51 PM, on 2/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\HIJACKtHISrUN\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uni--search.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uni--search.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://uni--search.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [Task manager] taskmngr.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://jcs.chat.dcn.yahoo.com/v45/yacscom.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\gateway\helpspot\RunExeActiveX.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://iframedollars.biz/tb/loader2.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
 
Joined
Sep 7, 2004
Messages
49,014
Download CWShredder http://www.intermute.com/spysubtract/cwshredder_download.html
Close all browser windows,
Open cwshredder.exe then click "Fix" and let it run.


Print this and boot to safe mode
Fix these with HJT

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uni--search.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uni--search.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://uni--search.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)

O4 - HKLM\..\RunServices: [Task manager] taskmngr.exe

O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://iframedollars.biz/tb/loader2.ocx


View Hidden Files
Open Windows Explorer. Go to Tools, Folder Options and click on the View tab.
Make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files".
Now click "Apply to all folders", Click "Apply" then "OK"

Delete these files

taskmngr.exe – prob in C:\WINNT\System32, careful of the spelling


START – RUN – key in %temp% OK - Edit – Select all – File – Delete
Empty the recycle bin
Boot and post a new log

It would be nice to see the disabled msconfig entries
 

shermaine_08

Thread Starter
Joined
Feb 11, 2005
Messages
18
Hello! Sorry, I took so long. Here is a word doc of the MSCONFIG screen shots. I couldn't figure out any other way to get you a 'real' copy, so I had to do 4 screen shots to show you all of the files. I'm working on your other suggestions right now and will post a log when I'm done.
 

shermaine_08

Thread Starter
Joined
Feb 11, 2005
Messages
18
Ok, all done! I will try to get on the internet again and let you know what happens. Here is the new logfile.


Logfile of HijackThis v1.99.0
Scan saved at 7:35:40 PM, on 2/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\HIJACKtHISrUN\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uni--search.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uni--search.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://uni--search.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://jcs.chat.dcn.yahoo.com/v45/yacscom.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\gateway\helpspot\RunExeActiveX.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
 

shermaine_08

Thread Starter
Joined
Feb 11, 2005
Messages
18
OH MY GOODNESS!!! This thing is actually working now!! I'm typing this message online from the (formerly) infected machine itself. This is great! Now I just need to figure out what to do to keep the spyware from taking over again. THANK YOU!!!
 
Joined
Sep 7, 2004
Messages
49,014
You have a mess in there. If you really want to get this cleaned up, we will need to enable those entries to see clearly what is going on.

First add remove programs - remove if there

Web Rebates
Bulls Eye

These look suspect - do you know if they are valid?

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uni--search.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uni--search.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://uni--search.com

Delete these folders
C:\program Files\Csbb
C:\winnt\system32\vmss

START – RUN – key in %temp% OK - Edit – Select all – File – Delete
Empty the recycle bin

Enable those entries and post a log - can't get enough visibility to give you good instructions - but it can be fixed
 

shermaine_08

Thread Starter
Joined
Feb 11, 2005
Messages
18
Hi MFDnSC,

Sorry I'm taking so long with the responses. Trying to organize when I can get to my friend's computer when he's not working and when I'm not working is tough. Then I also depend on you guys for help, which I sincerely appreciate. I will be working on his computer again tonight after 7pm.

For some reason, every time I run HijackThis and click fix on that uni--search, it always comes back on the next run.

Do you want me to enable the entries in msconfig before or after I try to clean up the items you mentioned above?

Thanks!
 