1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

[Solved] HT Log for friends messed up pc

Discussion in 'Virus & Other Malware Removal' started by BAZZA_UK, Apr 8, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. BAZZA_UK

    BAZZA_UK Thread Starter

    Joined:
    Jul 29, 2003
    Messages:
    154
    Can someone please check out the highjack this log of my pals pc . He will switch on and after about a min everything will freeze up.....reboot and nine times out of ten the same thing will happen again....reboot again and although slow it will be fine.....i ran housecall for him and found 93 problems 19 of which were uncleanable.....then i downloaded spybot and ran that and cleaned up everything in the way of tracking cookies ect...or so i thought....because i rebooted and ran it again....it finds the same ones again ?.....ive used this many times on my own pc and this has never happened !!!
    So i have downloaded highjack this and ran it so heres the log for you clever people to view and tell me whats got to go....i have just enabled his windows xp firewall which he had disabled....yikes....so maybe that will shut one of the doors to his probs appearing again !!!
    Logfile of HijackThis v1.97.7
    Scan saved at 21:28:11, on 08/04/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\GSICON.EXE
    C:\WINDOWS\System32\dslagent.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\WINDOWS\System32\mstaskm.exe
    C:\WINDOWS\System32\msrexe.exe
    C:\WINDOWS\reg33.exe
    C:\WINDOWS\dl.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Bones\Application Data\otot.exe
    C:\WINDOWS\System32\wapisvcc.exe
    C:\Program Files\AOL 7.0\aoltray.exe
    C:\Documents and Settings\Bones\Desktop\HIGHJACK THIS\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://aifind.cc/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.alfa-search.com/start.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.alfa-search.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.alfa-search.com/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nnsearch.biz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nnsearch.biz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.alfa-search.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://tjdjuz.t.rack.cc/sp.php (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.alfa-search.com/start.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nnsearch.biz/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.alfa-search.com/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.alfa-search.com/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nnsearch.biz/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.alfa-search.com/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.alfa-search.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search-all.net/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://nnsearch.biz/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://nnsearch.biz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://tjdjuz.t.rack.cc/hp.php (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.sharempeg.com/find/
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\svcinit.exe
    O1 - Hosts: 205.177.124.66 auto.search.msn.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\utilities\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [host] C:\WINDOWS\system32\hosts.vbs
    O4 - HKLM\..\Run: [sys] regedit -s sys.reg
    O4 - HKLM\..\Run: [Microsoft Helper Service] C:\WINDOWS\System32\mstaskm.exe
    O4 - HKLM\..\Run: [Windows Security Assistant] C:\WINDOWS\system32\rundll32.vbe
    O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe
    O4 - HKLM\..\Run: [Reg32] C:\WINDOWS\reg33.exe
    O4 - HKLM\..\Run: [Dial32] C:\WINDOWS\dl.exe
    O4 - HKLM\..\RunServices: [Windows Security Assistant] C:\WINDOWS\system32\rundll32.vbe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Ueio] C:\Documents and Settings\Bones\Application Data\otot.exe
    O4 - HKCU\..\Run: [sws.exe] c:\program files\GlobalDialer\domer00148\gd-dial.exe -remove
    O4 - HKCU\..\Run: [WTSC] C:\WINDOWS\System32\wapisvcc.exe
    O4 - HKCU\..\Run: [Windows Security Assistant] C:\WINDOWS\system32\rundll32.vbe
    O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O13 - WWW Prefix:
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O18 - Protocol hijack: about - {53B95211-7D77-11D2-9F80-00104B107C96}
    O19 - User stylesheet: C:\WINDOWS\system32\readme.txt
    O19 - User stylesheet: C:\WINDOWS\hh.htt (HKLM)
     
  2. FinestRanger

    FinestRanger

    Joined:
    Oct 13, 2003
    Messages:
    2,367
    Looks like a CoolWebSearch hijacking to me, but I'm no expert. I looked for a link, but I still haven't found one... I don't wanna send you to a site that'll ADD to the problems. I'll bump this up for you.

    Under the "Official Downloads" section...3rd one down...download "CWShredder".

    http://www.spywareinfo.com/~merijn/downloads.html
     
  3. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Yep it's CWS.

    Click here to download CWShredder. Close all browser windows,UnZip the file, click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do it's thing.

    When it is finished restart your computer.

    IMPORTANT!: To help prevent this from happening again, I strongly recommend you install the patches for the vulnerabilities that this hijacker exploits.

    The simplest way to make sure you have all the security patches is to go to Windows update and install all "Critical Updates and Service Packs"

    Come back here and post another Hijack This log. There are more that will need removing with HJT.
     
  4. BAZZA_UK

    BAZZA_UK Thread Starter

    Joined:
    Jul 29, 2003
    Messages:
    154
    Thanks very much for your speedy replies FinestRanger and Firman 1, unfortunatly the guy who's pc's been invaded has gone away for a few days for the easter weekend....as soon as he returns i shall run cwshredder for him and post a new HT log back here.......cheers guys
     
  5. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
  6. BAZZA_UK

    BAZZA_UK Thread Starter

    Joined:
    Jul 29, 2003
    Messages:
    154
    Hi Flrman1, i downloaded cw shredder and ran the fix on his pc then did a restart. next i went to windows update and installed all critical security updates...there was 19 of them......i can't believe he was'nt up to date !!!.....than i ran HJT again and here's the log....cheers
    Logfile of HijackThis v1.97.7
    Scan saved at 21:52:57, on 15/04/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\GSICON.EXE
    C:\WINDOWS\System32\dslagent.exe
    C:\WINDOWS\System32\msrexe.exe
    C:\PROGRA~1\TRAYGR~1\adminbeep.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AOL 7.0\aoltray.exe
    C:\Documents and Settings\Bones\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://netsearchsoft.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://netsearchsoft.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = netsearchsoft.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://netsearchsoft.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://netsearchsoft.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://netsearchsoft.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://netsearchsoft.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search-all.net/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\utilities\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {788002E5-8767-B60E-3C9B-5596B61C4A8E} - C:\PROGRA~1\SECTCA~1\new mode.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: balm skip - {7D68BC88-0320-D6A3-3798-9E01A6BC1DFE} - C:\PROGRA~1\SECTCA~1\new mode.dll
    O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [Microsoft Helper Service] C:\WINDOWS\System32\mstaskm.exe
    O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe
    O4 - HKLM\..\Run: [team bags] C:\PROGRA~1\TRAYGR~1\adminbeep.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O13 - WWW Prefix:
    O16 - DPF: {11111111-1111-1111-1111-111111111123} - http://serha.ud-dial.biz/1/dexGB617.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38092.5804861111
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  7. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://netsearchsoft.com/searchbar.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://netsearchsoft.com/searchbar.html

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = netsearchsoft.com

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://netsearchsoft.com/searchbar.html

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://netsearchsoft.com/searchbar.html

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://netsearchsoft.com/searchbar.html

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://netsearchsoft.com/searchbar.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search-all.net/

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/

    O2 - BHO: (no name) - {788002E5-8767-B60E-3C9B-5596B61C4A8E} - C:\PROGRA~1\SECTCA~1\new mode.dll

    O3 - Toolbar: balm skip - {7D68BC88-0320-D6A3-3798-9E01A6BC1DFE} - C:\PROGRA~1\SECTCA~1\new mode.dll

    O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe

    O4 - HKLM\..\Run: [team bags] C:\PROGRA~1\TRAYGR~1\adminbeep.exe

    O13 - WWW Prefix:

    O16 - DPF: {11111111-1111-1111-1111-111111111123} - http://serha.ud-dial.biz/1/dexGB617.exe


    Restart to safe mode.

    How to start your computer in safe mode

    First in safe mode click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    Now find and delete:

    The C:\WINDOWS\System32\msrexe.exe file
    The C:\Program Files\TRAYGR~1 folder
    The C:\Program Files\SECTCA~1 folder

    I have no way of knowing the exact name of those last two folders, but the first six letters of the first will be TRAYGR and the second will be SECTCA.
     
  8. BAZZA_UK

    BAZZA_UK Thread Starter

    Joined:
    Jul 29, 2003
    Messages:
    154
    Hi Flrman1, sorry its been a whole week to get back to you.....
    I ran hijack this again and fixed all files you mentioned. Then i restarted in safe mode and found C:\WINDOWS\System32\msrexe.exe file and deleted it but i was unable to find the other two files ie: TRAYGR and SECTCA folders.
    Have ran highjack this again and noticed that
    04-HKLM\..Run:[team bags]C:\PROGRA~1\TRAYGR~1\adminbeeb.exe.........file was present again in the log ?
    Heres the latest log and all your help is much appresiated and a donation will be on its way soon.....
    Logfile of HijackThis v1.97.7
    Scan saved at 21:14:16, on 22/04/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\GSICON.EXE
    C:\WINDOWS\System32\dslagent.exe
    C:\PROGRA~1\TRAYGR~1\adminbeep.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AOL 7.0\aoltray.exe
    C:\Documents and Settings\Bones\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netsearchsoft.com/passthrough/index.html?http://about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\utilities\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [Microsoft Helper Service] C:\WINDOWS\System32\mstaskm.exe
    O4 - HKLM\..\Run: [team bags] C:\PROGRA~1\TRAYGR~1\adminbeep.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38092.5804861111
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  9. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netsearchsoft.com/passthroug...p://about:blank

    O4 - HKLM\..\Run: [team bags] C:\PROGRA~1\TRAYGR~1\adminbeep.exe


    Restart to safe mode and delete the The C:\Program Files\TRAYGR~1 folder. It is vital that you find and delete this folder. Like I said before I do not know the exact name of this folder. Find the folder in C:\Program Files that begins with TRAYGR. This is the folder that contains the executable that is loading the hijacker. You will have to find and delete that folder to get rid of the hijack.
     
  10. BAZZA_UK

    BAZZA_UK Thread Starter

    Joined:
    Jul 29, 2003
    Messages:
    154
    when i restarted in safe mode i started a search for all program files and there wer'nt any with TRAYGR in at all.....i also tried typing TRAYGR in a more specialised search and it also came back with nothing......i shall try again hopefully with better luck next time....i hope this time i can gain access to his pc over the next couple of days........thanks Flrman1
     
  11. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Manually navigate to the C:\Program Files folder and look for the TRAYGR~1 folder. Click on My Computer. In My Computer click on Local Disk (C:). Look in Local Disk (C:) for the Program Files folder. Open the Program Files folder and look for the folder that begins with TRAYGR and right click and delete it.
     
  12. BAZZA_UK

    BAZZA_UK Thread Starter

    Joined:
    Jul 29, 2003
    Messages:
    154
    ran HJT and removed the two objects as you said...then in safe mode i managed to find the TRAY GREAT folder and also the SECTCA folder which i could'nt find last week.....after a restart i ran spybot search and destroy and it came back with one problem......AbraShyabra.Lolita....whick it says is an executable....C:\WINDOWS\wintt.exe file.......i had a quick look in my computer and looked under local disc (C:) under windows.....i saw wintt but it had no folder by the side of ?......i did'nt attempt to remove it as i wanted your opinion first !!!
    Heres the latest HJT Log
    Logfile of HijackThis v1.97.7
    Scan saved at 21:21:59, on 29/04/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\GSICON.EXE
    C:\WINDOWS\System32\dslagent.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AOL 7.0\aoltray.exe
    C:\Documents and Settings\Bones\Local Settings\Temp\Temporary Directory 6 for hijackthis.zip\HijackThis.exe

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\utilities\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [Microsoft Helper Service] C:\WINDOWS\System32\mstaskm.exe
    O4 - HKLM\..\Run: [griz] C:\WINDOWS\griz.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38092.5804861111
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  13. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    You should let Spybot fix the file...C:\WINDOWS\wintt.exe .. or boot to safe mode and delete it yourself.

    Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

    O4 - HKLM\..\Run: [Microsoft Helper Service] C:\WINDOWS\System32\mstaskm.exe

    O4 - HKLM\..\Run: [griz] C:\WINDOWS\griz.exe


    Restart to safe mode.

    How to start your computer in safe mode

    First in safe mode click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    Now find and delete:

    The C:\WINDOWS\System32\mstaskm.exe file
    The C:\WINDOWS\griz.exe file
     
  14. BAZZA_UK

    BAZZA_UK Thread Starter

    Joined:
    Jul 29, 2003
    Messages:
    154
    sorry once again for the delay, i ran hijack this again and fixed the two items you told me too. Then in safe mode i deleted the wintt exe (spybot would'nt let me fix this item) then i tried in vain to find the "grix.exe" file or the "mstaskm.exe" file ?
    I then restarted out of safe mode and spybot found two minor items which were removed and now is clear for the first time since i downloaded and ran spybot for the first time on my friends pc.
    Here is the latest highjack this log
    Logfile of HijackThis v1.97.7
    Scan saved at 14:55:42, on 09/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\GSICON.EXE
    C:\WINDOWS\System32\dslagent.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AOL 9.0a\aoltray.exe
    C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
    C:\Documents and Settings\Bones\Local Settings\Temp\Temporary Directory 7 for hijackthis.zip\HijackThis.exe

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\utilities\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0a\aoltray.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38092.5804861111
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  15. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Fix this one:

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    Restart.

    You should be good to go after that.

    One more thing. I notice that you do not have an antivirus running or a firewall. If I may so this without being rude, with the net as it is these days it is quite foolish to be without an antivirus and a firewall. By all means get both ASAP! See this thread for some good free ones:

    http://forums.techguy.org/t110854/s.html
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/218559

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice