
HijackThis log review request

Discussion in 'Virus & Other Malware Removal' started by shermaine_08, Feb 13, 2005.

  1. shermaine_08

    shermaine_08 Thread Starter

    Joined:
    Feb 11, 2005
    Messages:
    18
    Hello, I have recently received awesome help from this site with my computer. Now I have a HijackThis log from a friend's computer. I ran Ad-Aware SE and Spybot, and each found numerous errors and corrected most of them. I then ran a HijackThis report and received the following results. Any help is greatly appreciated.

    Logfile of HijackThis v1.99.0
    Scan saved at 2:26:53 PM, on 2/13/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\explorer.exe
    C:\Program Files\HIJACKtHISrUN\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uni--search.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uni--search.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://uni--search.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 127.0.0.3 n-glx.s-redirect.com
    O1 - Hosts: 127.0.0.3 x.full-tgp.net
    O1 - Hosts: 127.0.0.3 counter.sexmaniack.com
    O1 - Hosts: 127.0.0.3 autoescrowpay.com
    O1 - Hosts: 127.0.0.3 www.autoescrowpay.com
    O1 - Hosts: 127.0.0.3 www.awmdabest.com
    O1 - Hosts: 127.0.0.3 www.sexfiles.nu
    O1 - Hosts: 127.0.0.3 awmdabest.com
    O1 - Hosts: 127.0.0.3 sexfiles.nu
    O1 - Hosts: 127.0.0.3 allforadult.com
    O1 - Hosts: 127.0.0.3 www.allforadult.com
    O1 - Hosts: 127.0.0.3 www.iframe.biz
    O1 - Hosts: 127.0.0.3 iframe.biz
    O1 - Hosts: 127.0.0.3 www.newiframe.biz
    O1 - Hosts: 127.0.0.3 newiframe.biz
    O1 - Hosts: 127.0.0.3 www.vesbiz.biz
    O1 - Hosts: 127.0.0.3 vesbiz.biz
    O1 - Hosts: 127.0.0.3 www.pizdato.biz
    O1 - Hosts: 127.0.0.3 pizdato.biz
    O1 - Hosts: 127.0.0.3 www.aaasexypics.com
    O1 - Hosts: 127.0.0.3 aaasexypics.com
    O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
    O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\RunServices: [Task manager] taskmngr.exe
    O4 - HKLM\..\RunOnce: [AAW] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe" "+b1"
    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - Global Startup: hhnukk.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://jcs.chat.dcn.yahoo.com/v45/yacscom.cab
    O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\gateway\helpspot\RunExeActiveX.CAB
    O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://iframedollars.biz/tb/loader2.ocx
    O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
     
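    The log above is the kind of thing a helper reads by eye, line by line. As an added example (not part of the original thread, and not code from HijackThis or any of the tools mentioned), here is a small Python script that applies the same triage checks mechanically to a constructed excerpt of this log: IE start/search pages pointing at an unrecognised host, hosts-file entries that map sites to a non-standard loopback address (127.0.0.3 rather than 127.0.0.1), orphaned BHO registrations, autostart entries whose name is a near-miss of a system binary (taskmngr.exe versus taskmgr.exe) or that carry no path, unknown Winsock LSP DLLs (de-duplicated, with the reminder that the catalog entry must go before the file does), and ActiveX downloads from hosts outside an allowlist. The allowlists, the 0.85 lookalike threshold and the sample excerpt are assumptions made for this example, not anything the thread or HijackThis defines.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Constructed excerpt of the HijackThis log posted above (not the full log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uni--search.com
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
O1 - Hosts: 127.0.0.3 n-glx.s-redirect.com
O1 - Hosts: 127.0.0.3 autoescrowpay.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\RunServices: [Task manager] taskmngr.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe" "+b1"
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://iframedollars.biz/tb/loader2.ocx
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://jcs.chat.dcn.yahoo.com/v45/yacscom.cab
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

# Assumed allowlists for this example; real triage would use a vetted list.
KNOWN_HOME_HOSTS = {"www.msn.com", "msn.com", "www.google.com", "www.microsoft.com"}
KNOWN_DPF_HOSTS = {"jcs.chat.dcn.yahoo.com", "housecall.trendmicro.com", "www.pandasoftware.com"}
# System binaries that malware likes to name itself after (lookalike check).
SYSTEM_BINARIES = {"taskmgr.exe", "svchost.exe", "lsass.exe", "explorer.exe", "winlogon.exe", "services.exe"}

LINE_RE = re.compile(r"^(R[0-3]|O\d{1,2}|F\d) - (.*)$")          # "O10 - body"
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")                 # "Hosts: ip name"
O4_RE = re.compile(r"^HK\w+\\\.\.\\\w+:\s+\[[^\]]*\]\s+(.*)$")     # "HKLM\..\Run: [x] cmd"
URL_RE = re.compile(r"https?://\S+")


def host_of(value):
    """Hostname of a URL or of a bare 'www.example.com' string, lower-cased."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def exe_name(cmd):
    """Bare executable name from a Run-key command line, quoted or not."""
    cmd = cmd.strip()
    path = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
    return path.rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Run the checks on every HijackThis entry; return a list of findings."""
    findings, lsps_seen = [], set()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        note = None
        if section in ("R0", "R1"):
            host = host_of(body.split("=", 1)[-1])
            if host and host not in KNOWN_HOME_HOSTS:
                note = f"IE start/search page set to unrecognised host {host}"
        elif section == "O1":
            h = HOSTS_RE.match(body)
            if h and h.group(1) not in ("127.0.0.1", "0.0.0.0"):
                note = f"hosts file maps {h.group(2)} to non-standard address {h.group(1)}"
        elif section == "O2" and body.endswith("(no file)"):
            note = "BHO CLSID still registered but its DLL is gone (orphan)"
        elif section == "O4":
            o4 = O4_RE.match(body)
            if o4:
                cmd = o4.group(1)
                exe = exe_name(cmd)
                twin = max(SYSTEM_BINARIES, key=lambda s: SequenceMatcher(None, exe, s).ratio())
                if exe not in SYSTEM_BINARIES and SequenceMatcher(None, exe, twin).ratio() >= 0.85:
                    note = f"autostart '{exe}' is a lookalike of system binary '{twin}'"
                elif "\\" not in cmd:
                    note = f"autostart '{exe}' has no path (resolved through the search order)"
        elif section == "O10":
            dll = body.split(": ", 1)[-1].strip().lower()
            if dll not in lsps_seen:  # HJT repeats one LSP once per catalog entry
                lsps_seen.add(dll)
                note = (f"unknown Winsock LSP {dll}: remove it from the catalog (LSPFix) "
                        "before deleting the file, or sockets break ('not a socket')")
        elif section == "O16":
            url = URL_RE.search(body)
            if url and host_of(url.group()) not in KNOWN_DPF_HOSTS:
                unnamed = ") - " not in body  # HJT prints "(Name) - url" for named controls
                note = "ActiveX download (DPF) from unrecognised host" + (", unnamed control" if unnamed else "")
        if note:
            findings.append({"section": section, "note": note, "entry": raw.strip()})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:>4}  {f['note']}")
```

    Run against the excerpt it reports eight findings: the hijacked start page, both hosts redirects, the orphaned BHO, the taskmngr.exe lookalike, one finding per LSP DLL, and the unnamed control from iframedollars.biz; the Spybot helper, the Ad-Aware RunOnce, the Yahoo control and the AVG service pass. The O10 check is the one worth remembering from this thread: an LSP is wired into the Winsock provider chain, so deleting the DLL alone (as an AV scan may do) leaves a dangling catalog entry and every socket call fails.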
  2. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    No AV!!!!!!!!!!!!

    Do a couple online scans from this list

    http://forums.techguy.org/t110854.html

    Then get the free AVG 7, install it, check for updates and run a full scan

    AVG 7 - http://free.grisoft.com/freeweb.php/doc/2/
    -------------------------
    http://www.cexx.org/lspfix.htm

    Launch the application, and click the "I know what I'm doing" checkbox.

    Check all instances of calsp.dll and aklsp.dll (and nothing else), and move them to
    the "Remove" pane.
    Then click Finish.

    Restart in safe mode

    Now delete the C:\windows\system32\aklsp.dll

    And C:\windows\system32\calsp.dll

    Reboot.

    Download the Hoster from here:
    http://members.aol.com/toadbee/hoster.zip
    Run Hoster and press Restore Original Hosts, OK, and Exit Program. Reboot.
    Post a new log
     
  3. shermaine_08

    shermaine_08 Thread Starter

    Joined:
    Feb 11, 2005
    Messages:
    18
    Hello again. I think I may have screwed something up. I'm on my own computer now, as the internet is not working on my friend's computer (the affected one). After I ran the AVG scan, I wasn't able to get back on the internet. I'm getting errors that the IP address cannot be renewed and "An operation was attempted on something that is not a socket."
    I've tried the Windows fix (http://support.microsoft.com/default.aspx?scid=kb;en-us;817571), which says to copy, delete, and reinstall the Winsock and Winsock2 registry values. I also reset my IP address in the command prompt, but I'm still getting the errors.

    The good news is that the weird XXX and ads that were on the desktop are now gone. I'm afraid that maybe I deleted something I shouldn't have when I ran the AVG scan. I created a backup but I'm not sure how to use the backup without reinstalling the spyware crap. As of right now I'm at my wits end! Please help if you can. I hope I haven't screwed this up completely.
     
  4. shermaine_08

    shermaine_08 Thread Starter

    Joined:
    Feb 11, 2005
    Messages:
    18
    Ok, I looked up a few more searches, ran a Winsock fix and the LSPFix and the Hoster. I've run all of the fixes that I found from searching for solutions on this site. However, I'm still unable to get on the internet. I ran HijackThis and saved it to A:\. Here is the output:

    PS...
    ---------
    By the way, I disabled all of the startup items using msconfig. That was the only way I was able to download the anti-spyware tools in the beginning. I'm not sure if I should re-enable them or not. I'm afraid that it will cause the computer to become super slow again.

    Also, I think I need to do a new system restore when I get the internet fixed, so that the spyware doesn't infect the computer again. Are there any directions you can provide to assist with this?
    --------
    Logfile of HijackThis v1.99.0
    Scan saved at 10:49:51 PM, on 2/13/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\HIJACKtHISrUN\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uni--search.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uni--search.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://uni--search.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
    O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\RunServices: [Task manager] taskmngr.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://jcs.chat.dcn.yahoo.com/v45/yacscom.cab
    O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\gateway\helpspot\RunExeActiveX.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://iframedollars.biz/tb/loader2.ocx
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
     
  5. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Download CWShredder http://www.intermute.com/spysubtract/cwshredder_download.html
    Close all browser windows,
    Open cwshredder.exe then click "Fix" and let it run.


    Print this and boot to safe mode
    Fix these with HJT

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uni--search.com

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uni--search.com

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://uni--search.com

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)

    O4 - HKLM\..\RunServices: [Task manager] taskmngr.exe

    O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://iframedollars.biz/tb/loader2.ocx


    View Hidden Files
    Open Windows Explorer. Go to Tools, Folder Options and click on the View tab.
    Make sure that "Show hidden files and folders" is checked.
    Also uncheck "Hide protected operating system files".
    Now click "Apply to all folders", Click "Apply" then "OK"

    Delete these files

    taskmngr.exe – probably in C:\WINNT\System32; be careful of the spelling


    START – RUN – key in %temp% OK - Edit – Select all – File – Delete
    Empty the recycle bin
    Boot and post a new log

    It would be nice to see the disabled msconfig entries
     
  6. shermaine_08

    shermaine_08 Thread Starter

    Joined:
    Feb 11, 2005
    Messages:
    18
    =) Thank you, I will work on this later tonight when I get home.
     
  7. shermaine_08

    shermaine_08 Thread Starter

    Joined:
    Feb 11, 2005
    Messages:
    18
    Hello! Sorry I took so long. Here is a Word doc of the MSCONFIG screenshots. I couldn't figure out any other way to get you a 'real' copy, so I had to do 4 screenshots to show you all of the files. I'm working on your other suggestions right now and will post a log when I'm done.
     
  8. shermaine_08

    shermaine_08 Thread Starter

    Joined:
    Feb 11, 2005
    Messages:
    18
    Ok, all done! I will try to get on the internet again and let you know what happens. Here is the new logfile.


    Logfile of HijackThis v1.99.0
    Scan saved at 7:35:40 PM, on 2/15/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\HIJACKtHISrUN\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uni--search.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uni--search.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://uni--search.com
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://jcs.chat.dcn.yahoo.com/v45/yacscom.cab
    O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\gateway\helpspot\RunExeActiveX.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
     
  9. shermaine_08

    shermaine_08 Thread Starter

    Joined:
    Feb 11, 2005
    Messages:
    18
    OH MY GOODNESS!!! This thing is actually working now!! I'm typing this message online from the (formerly) infected machine itself. This is great! Now I just need to figure out what to do to keep the spyware from taking over again. THANK YOU!!!
     
  10. gmbshady

    gmbshady

    Joined:
    Sep 23, 2004
    Messages:
    24
  11. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    You have a mess in there. If you really want to get this cleaned up, we will need to enable those entries to see clearly what is going on.

    First add remove programs - remove if there

    Web Rebates
    Bulls Eye

    These look suspect - do you know if they are valid?

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uni--search.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uni--search.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://uni--search.com

    Delete these folders
    C:\program Files\Csbb
    C:\winnt\system32\vmss

    START – RUN – key in %temp% OK - Edit – Select all – File – Delete
    Empty the recycle bin

    Enable those entries and post a log - can't get enough visibility to give you good instructions - but it can be fixed
     
  12. shermaine_08

    shermaine_08 Thread Starter

    Joined:
    Feb 11, 2005
    Messages:
    18
    Hi MFDnNC,

    Sorry I'm taking so long with the responses. Trying to organize when I can get to my friend's computer when he's not working and when I'm not working is tough. Then I also depend on you guys for help, which I sincerely appreciate. I will be working on his computer again tonight after 7pm.

    For some reason, every time I run HijackThis and click fix on that uni--search entry, it always comes back on the next run.

    Do you want me to enable the entries in msconfig before or after I try to clean up the items you mentioned above?

    Thanks!
     
  13. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
Short URL to this thread: https://techguy.org/330144