1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

need someone to look at a logfile to fix hijacked browser

Discussion in 'Virus & Other Malware Removal' started by tarheels, Feb 7, 2005.

Thread Status:
Not open for further replies.
  1. tarheels

    tarheels Thread Starter

    Feb 7, 2005
    I have a logfile that I need help with so that I can unhijack my browser.

    Attached Files:

  2. Dust Sailor

    Dust Sailor

    Mar 17, 2004
    I'll open your log here so others can see it

    Logfile of HijackThis v1.99.0
    Scan saved at 5:12:27 PM, on 2/7/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\DIGStream\digstream.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\EE\ee.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Peter & Kelli Kniss\Local Settings\Temp\Temporary Directory 3 for hijackthis[1].zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\protect32.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\protect32.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\protect32.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\protect32.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\protect32.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\protect32.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - URLSearchHook: (no name) - {E29B1729-1A0F-FD3D-2C3A-FC336BAEA1D9} - C:\WINDOWS\Umdifyhp.dll (file missing)
    R3 - URLSearchHook: (no name) - {D63C6F8E-1462-81F0-7056-49DB0177E676} - DCC_send.dll (file missing)
    O1 - Hosts: 3466709097 sitefinder-idn.verisign.com
    O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZServ.dll
    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: cdmodym - {2EB18AD0-E01B-EADA-AD76-AA580D5A4E43} - C:\WINDOWS\System32\CDMODYM.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {E269032A-0211-4C6C-9985-FA469FDF3BD7} - C:\WINDOWS\System32\protect32.dll
    O2 - BHO: (no name) - {ED450C14-C881-1FFB-AEF4-10DC078137D8} - C:\WINDOWS\Umdifyhp.dll (file missing)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: Search - {6F9BA8EE-728F-BFBB-A10B-3A8CF8D4BDDE} - C:\WINDOWS\Umdifyhp.dll (file missing)
    O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\iesp1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [ee.exe] C:\Program Files\EE\ee.exe
    O4 - HKLM\..\Run: [aiambs] C:\WINDOWS\System32\hiasxat.exe
    O4 - HKLM\..\Run: [ffdzobak] C:\WINDOWS\System32\xhwjq.exe
    O4 - HKLM\..\Run: [obyeva] C:\WINDOWS\System32\azchunr.exe
    O4 - HKLM\..\Run: [rjwimxyq] C:\WINDOWS\System32\nwukvyuk.exe
    O4 - HKLM\..\Run: [yiush] C:\WINDOWS\System32\lwvronch.exe
    O4 - HKLM\..\Run: [egaycvf] C:\WINDOWS\System32\wyakpgn.exe
    O4 - HKLM\..\Run: [kmayyoa] C:\WINDOWS\System32\niaitqa.exe
    O4 - HKLM\..\Run: [zgotui] C:\WINDOWS\System32\vtdww.exe
    O4 - HKLM\..\Run: [ehzoxoj] C:\WINDOWS\System32\hnvgdza.exe
    O4 - HKLM\..\Run: [uegfyrfi] C:\WINDOWS\System32\azvtuu.exe
    O4 - HKLM\..\Run: [bmdauqjv] C:\WINDOWS\System32\qehqhbk.exe
    O4 - HKLM\..\Run: [apowd] C:\WINDOWS\System32\ayqxdpmw.exe
    O4 - HKLM\..\Run: [ycld] C:\WINDOWS\System32\kujsgk.exe
    O4 - HKLM\..\Run: [pwth] C:\WINDOWS\System32\ownqgxa.exe
    O4 - HKLM\..\Run: [yfvquw] C:\WINDOWS\System32\krzfi.exe
    O4 - HKLM\..\Run: [ymbnowa] C:\WINDOWS\System32\uuexjmjg.exe
    O4 - HKLM\..\Run: [bruyepm] C:\WINDOWS\System32\babbdct.exe
    O4 - HKLM\..\Run: [rpwusq] C:\WINDOWS\System32\yqzxxgz.exe
    O4 - HKLM\..\Run: [yhogqj] C:\WINDOWS\System32\qgfcgyvg.exe
    O4 - HKLM\..\Run: [wjlvqhy] C:\WINDOWS\System32\nfdyibku.exe
    O4 - HKLM\..\Run: [fomqs] C:\WINDOWS\System32\dcmrl.exe
    O4 - HKLM\..\Run: [szzmw] C:\WINDOWS\System32\yraii.exe
    O4 - HKLM\..\Run: [oatlny] C:\WINDOWS\System32\yxqyjrn.exe
    O4 - HKLM\..\Run: [sbqe] C:\WINDOWS\System32\vgjig.exe
    O4 - HKLM\..\Run: [uyrbdd] C:\WINDOWS\System32\aroab.exe
    O4 - HKLM\..\Run: [ojfyiwxi] C:\WINDOWS\System32\ugksx.exe
    O4 - HKLM\..\Run: [egibsmg] C:\WINDOWS\System32\lmua.exe
    O4 - HKLM\..\Run: [bwlb] C:\WINDOWS\System32\hbqucxd.exe
    O4 - HKLM\..\Run: [runxftgb] C:\WINDOWS\System32\froqeaj.exe
    O4 - HKLM\..\Run: [zagb] C:\WINDOWS\System32\rrfbkak.exe
    O4 - HKLM\..\Run: [hukypt] C:\WINDOWS\System32\jewa.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [pxrjmd] C:\WINDOWS\System32\bdupaj.exe
    O4 - HKLM\..\Run: [pjwjuvy] C:\WINDOWS\System32\nxcbv.exe
    O4 - HKLM\..\Run: [xavsqpww] C:\WINDOWS\System32\hrewo.exe
    O4 - HKLM\..\Run: [suhcdfjz] C:\WINDOWS\System32\renvjy.exe
    O4 - HKLM\..\Run: [asthgde] C:\WINDOWS\System32\bpsu.exe
    O4 - HKLM\..\Run: [tlhu] C:\WINDOWS\System32\lcjss.exe
    O4 - HKLM\..\Run: [ruqcrf] C:\WINDOWS\System32\xlhyw.exe
    O4 - HKLM\..\Run: [ifrobtce] C:\WINDOWS\System32\ujxt.exe
    O4 - HKLM\..\Run: [iubhxwu] C:\WINDOWS\System32\aahtfa.exe
    O4 - HKLM\..\Run: [hmzblo] C:\WINDOWS\System32\bvinvdai.exe
    O4 - HKLM\..\Run: [ugxux] C:\WINDOWS\System32\csbi.exe
    O4 - HKLM\..\Run: [dbidwsx] C:\WINDOWS\System32\wjcuxm.exe
    O4 - HKLM\..\Run: [ysczr] C:\WINDOWS\System32\xdia.exe
    O4 - HKLM\..\Run: [buctwckp] C:\WINDOWS\System32\zvbnbkc.exe
    O4 - HKLM\..\Run: [wodqvb] C:\WINDOWS\System32\lvoid.exe
    O4 - HKLM\..\Run: [zvjsht] C:\WINDOWS\System32\rqwemgpt.exe
    O4 - HKLM\..\Run: [aoozcpal] C:\WINDOWS\System32\qoosoaqd.exe
    O4 - HKLM\..\Run: [hgjguuv] C:\WINDOWS\System32\nxfej.exe
    O4 - HKLM\..\Run: [ebahuzub] c:\windows\system32\ebahuzub.exe
    O4 - HKLM\..\Run: [ovwg] C:\WINDOWS\System32\edro.exe
    O4 - HKLM\..\Run: [ltpe] C:\WINDOWS\System32\yifc.exe
    O4 - HKLM\..\Run: [jjsma] C:\WINDOWS\System32\rbqeirfb.exe
    O4 - HKLM\..\Run: [oaaer] C:\WINDOWS\System32\blwtmzt.exe
    O4 - HKLM\..\Run: [umfubp] C:\WINDOWS\System32\iqgcahrj.exe
    O4 - HKLM\..\Run: [viasnq] C:\WINDOWS\System32\taxrul.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [newbreed] Trayz.exe
    O4 - HKLM\..\Run: [Serviceprocess] sysconf16.exe
    O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
    O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [SurfSecret] C:\Program Files\SurfSecret\Privacy Protector\SS2-TRIAL.exe /min
    O4 - HKCU\..\Run: [dhcpsapi] C:\WINDOWS\System32\dhcpsapi.exe
    O4 - HKCU\..\Run: [crtdll] C:\WINDOWS\System32\crtdll.exe
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
    O4 - HKCU\..\Run: [SpyElim] sysmon12.exe
    O4 - HKCU\..\Run: [slamm] Kargo.exe
    O4 - HKCU\..\Run: [MsNetHelper] pizda.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZPxdm168XXUS
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
    O15 - Trusted Zone: http://*.
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1097509091763
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BE624C57-5C3E-48C9-A34F-83F4B32E0631}: NameServer =,
    O18 - Filter: text/html - {D90E0631-F4C6-4446-B7AA-AC1A83584824} - C:\WINDOWS\System32\protect32.dll
    O18 - Filter: text/plain - {D90E0631-F4C6-4446-B7AA-AC1A83584824} - C:\WINDOWS\System32\protect32.dll
    O19 - User stylesheet: (file missing)
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Intel(R) NMS - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: ScsiAccess - Unknown - C:\WINDOWS\System32\ScsiAccess.EXE
    O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  3. Dust Sailor

    Dust Sailor

    Mar 17, 2004

    Go here and download Spybot Search and Destroy and Ad-Aware SE
    UPDATE them both and do a scan getting rid of all they find

    Do a scan with Housecall and Panda

    After doing all of the above post another log here please
  4. Dust Sailor

    Dust Sailor

    Mar 17, 2004
    Go to Windows Updates and download all critical updates except SP2

    Get the lates definitions for your anti virus program or follow the above link and get AVG 7 and install it
  5. tarheels

    tarheels Thread Starter

    Feb 7, 2005
    what is avg 7
  6. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/327879

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice