[Solved] Hijackthis log

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

alexdb

Thread Starter
Joined
Mar 31, 2004
Messages
2
Recently my browser started resetting the homepage to a search engine, I think I cleared this problem with CWShredder, however, there still existed the problem that an untitled pop up window with a search page would appear every few minutes. Examining the source of this page I saw a couple hundred links to some "searchmeup.com" website. I think I fixed that problem by replacing the Hosts file on my computer with the one found on this forum, I'm glad to see that none of the advertisements can load, but I'm not sure if my browser is still hijacked or not. Since replacing the Hosts file, the back button doesn't work anymore. I also ran Ad Aware and SSD before posting this log.

I don't know what the entries in the log mean, but would it be okay to remove the entries refering to AOL, the Real player system tray, and quicktime?


Logfile of HijackThis v1.97.7
Scan saved at 5:09:57 PM, on 3/31/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\tp4serv.exe
C:\WINNT\System32\RunDll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
C:\WINNT\System32\PRPCUI.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\WINNT\loadqm.exe
C:\WINNT\System32\ltmsg.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINNT\System32\msrexe.exe
C:\WINNT\System32\internat.exe
C:\Program Files\Avaya_Wireless\Client Manager\CMAVA.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\abardales\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://my-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my-find.com/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINNT\System32\wucrtupd.exe -startup
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [UpdateMgr.exe] "C:\Program Files\EarthLink 5.0\updatemgr.exe" /NOCM
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [System Service] C:\WINNT\System32\msrexe.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\RunOnce: [Delete Aroundweb] rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\Program Files\AroundWeb\awtoolb.dll"
O4 - Global Startup: Avaya Wireless Client Manager.lnk = C:\Program Files\Avaya_Wireless\Client Manager\CMAVA.EXE
O4 - Global Startup: America Online 7.0 Tray Icon.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.nytimes.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/2...apple.com/qt502/us/win/QuickTimeInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38077.5276967593
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = soka.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = soka.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = soka.edu
O19 - User stylesheet: C:\WINNT\color.css
 
Joined
Jul 26, 2002
Messages
46,349
Hi alexdb

Welcome to TSG! :)

Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://my-find.com/sp.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my-find.com/sp.htm

O4 - HKLM\..\Run: [System Service] C:\WINNT\System32\msrexe.exe

O4 - HKCU\..\RunOnce: [Delete Aroundweb] rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\Program Files\AroundWeb\awtoolb.dll"

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O19 - User stylesheet: C:\WINNT\color.css


Restart to safe mode.

How to start your computer in safe mode

First in safe mode click on My Computer then click Tools > Folder Options. In Folder options click on the View tab. Under Files and Folders tick "Show hidden files and folders" then uncheck "Hide file extensions for known file types" and uncheck "Hide protected operating system files (recommended)". Now click "Like current folder" then "Apply" and "OK"

Now find and delete:

The C:\Program Files\AroundWeb folder
The C:\WINNT\System32\msrexe.exe file
The C:\WINNT\color.css file

Boot back to normal.

IMPORTANT!: To help prevent this from happening again, I strongly recommend you install the patches for the vulnerabilities that this hijacker exploits.

The simplest way to make sure you have all the security patches is to go to Windows update and install all "Critical Updates and Service Packs"
 

alexdb

Thread Starter
Joined
Mar 31, 2004
Messages
2
My computer seems to be back to normal, thanks a lot for the information.
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Members online

Top