
[Solved] Hijackthis log

Discussion in 'Virus & Other Malware Removal' started by alexdb, Mar 31, 2004.

Thread Status:
Not open for further replies.
  1. alexdb

    alexdb Thread Starter

    Joined:
    Mar 31, 2004
    Messages:
    2
    Recently my browser started resetting the homepage to a search engine. I think I cleared this problem with CWShredder; however, there still existed the problem that an untitled pop-up window with a search page would appear every few minutes. Examining the source of this page I saw a couple hundred links to some "searchmeup.com" website. I think I fixed that problem by replacing the Hosts file on my computer with the one found on this forum. I'm glad to see that none of the advertisements can load, but I'm not sure if my browser is still hijacked or not. Since replacing the Hosts file, the back button doesn't work anymore. I also ran Ad Aware and SSD before posting this log.

    I don't know what the entries in the log mean, but would it be okay to remove the entries referring to AOL, the Real player system tray, and quicktime?


    Logfile of HijackThis v1.97.7
    Scan saved at 5:09:57 PM, on 3/31/2004
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\ibmpmsvc.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\tp4serv.exe
    C:\WINNT\System32\RunDll32.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
    C:\WINNT\System32\PRPCUI.exe
    C:\PROGRA~1\NavNT\vptray.exe
    C:\WINNT\loadqm.exe
    C:\WINNT\System32\ltmsg.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\WINNT\System32\msrexe.exe
    C:\WINNT\System32\internat.exe
    C:\Program Files\Avaya_Wireless\Client Manager\CMAVA.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\abardales\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://my-find.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my-find.com/sp.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: @msdxmLC.dll,-1@1,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
    O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
    O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
    O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
    O4 - HKLM\..\Run: [CriticalUpdate] C:\WINNT\System32\wucrtupd.exe -startup
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
    O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
    O4 - HKLM\..\Run: [UpdateMgr.exe] "C:\Program Files\EarthLink 5.0\updatemgr.exe" /NOCM
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [System Service] C:\WINNT\System32\msrexe.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\RunOnce: [Delete Aroundweb] rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\Program Files\AroundWeb\awtoolb.dll"
    O4 - Global Startup: Avaya Wireless Client Manager.lnk = C:\Program Files\Avaya_Wireless\Client Manager\CMAVA.EXE
    O4 - Global Startup: America Online 7.0 Tray Icon.lnk.disabled
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://www.nytimes.com
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/2...apple.com/qt502/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38077.5276967593
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = soka.edu
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = soka.edu
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = soka.edu
    O19 - User stylesheet: C:\WINNT\color.css
     
  2. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,331
    Hi alexdb

    Welcome to TSG! :)

    Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://my-find.com/sp.htm

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my-find.com/sp.htm

    O4 - HKLM\..\Run: [System Service] C:\WINNT\System32\msrexe.exe

    O4 - HKCU\..\RunOnce: [Delete Aroundweb] rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\Program Files\AroundWeb\awtoolb.dll"

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O19 - User stylesheet: C:\WINNT\color.css


    Restart to safe mode.

    How to start your computer in safe mode

    First in safe mode click on My Computer then click Tools > Folder Options. In Folder options click on the View tab. Under Files and Folders tick "Show hidden files and folders" then uncheck "Hide file extensions for known file types" and uncheck "Hide protected operating system files (recommended)". Now click "Like current folder" then "Apply" and "OK"

    Now find and delete:

    The C:\Program Files\AroundWeb folder
    The C:\WINNT\System32\msrexe.exe file
    The C:\WINNT\color.css file

    Boot back to normal.

    IMPORTANT!: To help prevent this from happening again, I strongly recommend you install the patches for the vulnerabilities that this hijacker exploits.

    The simplest way to make sure you have all the security patches is to go to Windows update and install all "Critical Updates and Service Packs"
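An added example, not part of the original thread and not HijackThis's own code: a small Python triage script that reads the entry classes Flrman1 acts on in the reply above (R0/R1 search and start pages, O4 autostart entries, O6 IE policy restrictions, O15 Trusted Zone additions, O19 user stylesheet) and reports which ones deserve a "Fix checked". The sample log is a subset of the log posted in the first message; the expected-host set, the generic-label rule for O4 entries and the indicator substrings are this example's own assumptions, chosen to reproduce the six entries the reply tells the poster to fix.

```python
"""Triage helper for HijackThis-style logs (added example, not HijackThis code).

Parses the "R0/R1/O4/O6/O15/O19 - ..." entry lines, applies a few structural
rules and an indicator list, and returns the entries worth fixing or reviewing.
The rules below are assumptions made for this example, not HijackThis rules.
"""
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the log posted in the thread above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://my-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my-find.com/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [System Service] C:\WINNT\System32\msrexe.exe
O4 - HKCU\..\RunOnce: [Delete Aroundweb] rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\Program Files\AroundWeb\awtoolb.dll"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: http://www.nytimes.com
O19 - User stylesheet: C:\WINNT\color.css
"""

# Assumption: the start/search hosts expected on this machine (the ISP start
# page that appears as Default_Page_URL in the posted log).
EXPECTED_HOSTS = {"start.earthlink.net"}

# Assumption: substrings of names the thread identifies as hijacker components,
# matched case-insensitively against the whole entry line.
INDICATORS = ("searchmeup.com", "aroundweb")

# Assumption: an O4 label that sounds like an OS component but launches a bare
# executable from the system directory gets flagged (the "System Service" case).
GENERIC_LABEL = re.compile(r"\b(system|service|windows|microsoft)\b", re.I)
SYSTEM_DIR = re.compile(r"\\(winnt|windows)\\system32\\[^\\\s]+\.exe\b", re.I)

ENTRY = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
O4_BODY = re.compile(r"^(?P<hive>.+?): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")


def triage(log_text):
    """Return a list of (kind, level, reason, line); level is 'fix' or 'review'."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # header, process list, blank lines
        kind, body = m.group("kind"), m.group("body")
        hit = next((i for i in INDICATORS if i in line.lower()), None)
        if hit:
            findings.append((kind, "fix", f"matches known hijacker component '{hit}'", line))
            continue
        if kind in ("R0", "R1"):
            # "<registry key>,<value name> = <value>"; only http(s) URLs have a host.
            _, _, value = body.partition(" = ")
            host = urlparse(value.strip()).hostname
            if host and host.lower() not in EXPECTED_HOSTS:
                findings.append((kind, "fix", f"search/start page points at unexpected host {host}", line))
        elif kind == "O4":
            o4 = O4_BODY.match(body)
            if o4 and GENERIC_LABEL.search(o4.group("label")) and SYSTEM_DIR.search(o4.group("cmd")):
                findings.append((kind, "fix", "generic label launching an executable from the system directory", line))
        elif kind == "O6":
            findings.append((kind, "fix", "IE options restricted by policy; hijackers set this to lock their changes in", line))
        elif kind == "O15":
            findings.append((kind, "review", "site added to the Trusted Zone; confirm the user did this deliberately", line))
        elif kind == "O19":
            findings.append((kind, "fix", "user stylesheet set; used to inject content into every page", line))
    return findings


if __name__ == "__main__":
    for kind, level, reason, line in triage(SAMPLE_LOG):
        print(f"[{level:6}] {kind}: {reason}\n         {line}")
```

Run it as-is to see the six "fix" entries from the reply above plus one "review" line for the Trusted Zone; paste a full log into `SAMPLE_LOG` (or read it from a file) to triage another machine. The host allowlist and indicator list are the parts to adapt per case; the structural rules for O6 and O19 need no tuning, because neither setting has a legitimate reason to appear on a home user's machine without the user knowing about it.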
     
  3. alexdb

    alexdb Thread Starter

    Joined:
    Mar 31, 2004
    Messages:
    2
    My computer seems to be back to normal, thanks a lot for the information.
     
  4. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,331
    My Pleasure! :)
     
Short URL to this thread: https://techguy.org/216382
