Solved: Yet another HiJack-This Log for the experts.

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

yarnperson

Thread Starter
Joined
Jan 6, 2006
Messages
25
Hello,
I've been trying to work on my computer as of late, and I'm being assaulted by adware and spyware.
Asking my more hack-savvy friends, they suggested I download Ad-Aware and Spybot. This did not solve the problem. One friend recommended I download something called Xoft-spy, because it worked for him.
My system's admin friend said I should try HijackThis. Only problem is that I don't know how to tell what's spyware/hijacks/whatever else is bad and not wanted on my box.
You seemed to be the go-to guys, so, please, help. Here is my log file. I ran it while everything else was closed, to the best of my knowledge.

Now, in addition to helping, I'd like some info as to what this stuff is. I'm keen to learn so that I might be able to do this myself, and maybe even help some other people... someday.

Logfile of HijackThis v1.99.1
Scan saved at 2:07:26 PM, on 1/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\crnz.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Winamp\winampa.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\Owner\My Documents\My Music\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\E.tmp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\F.tmp.exe
C:\WINDOWS\ipmo32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\bntca.dll/sp.html#88449%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bntca.dll/sp.html#88449%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\bntca.dll/sp.html#88449%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\bntca.dll/sp.html#88449%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bntca.dll/sp.html#88449%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\bntca.dll/sp.html#88449%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\bntca.dll/sp.html#88449%resultposition.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - Default URLSearchHook is missing
N4 - Mozilla: user_pref("browser.startup.homepage", "http://www.google.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\k31kuuua.slt\prefs.js)
N4 - Mozilla: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\k31kuuua.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {348FE907-249E-4C65-A838-F34A193FE1D1} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Class - {64E44984-9E4F-F9AA-CBE1-470DCEC340E0} - C:\WINDOWS\system32\sysfn.dll
O2 - BHO: Class - {79096202-C8BF-3015-7CE9-2404D6BD6D1A} - C:\WINDOWS\ipmd.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [links] links.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [iTunesHelper] "C:\Documents and Settings\Owner\My Documents\My Music\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [addgw32.exe] C:\WINDOWS\addgw32.exe
O4 - HKLM\..\Run: [E.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\E.tmp.exe
O4 - HKLM\..\Run: [F.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\F.tmp.exe
O4 - HKLM\..\Run: [addxf32.exe] C:\WINDOWS\system32\addxf32.exe
O4 - HKLM\..\Run: [msnz32.exe] C:\WINDOWS\system32\msnz32.exe
O4 - HKLM\..\Run: [netkk.exe] C:\WINDOWS\system32\netkk.exe
O4 - HKLM\..\Run: [E.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\E.tmp.exe
O4 - HKLM\..\Run: [F.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\F.tmp.exe
O4 - HKLM\..\Run: [ipmo32.exe] C:\WINDOWS\ipmo32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6210848B-8149-4156-9611-3843CBCC2EC3}: NameServer = 192.168.2.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{6210848B-8149-4156-9611-3843CBCC2EC3}: NameServer = 192.168.2.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{6210848B-8149-4156-9611-3843CBCC2EC3}: NameServer = 192.168.2.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: st3 - C:\WINDOWS\q253187.dll (file missing)
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\crnz.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
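As an added example (not from the original post, and not part of HijackThis or any tool named in this thread), here is a small Python triage script that applies the patterns a reviewer looks for in a log like the one above: executables launched from a Temp directory, Internet Explorer search settings redirected to a res:// page inside a DLL, Run entries with no path, a Winlogon Notify DLL that is missing, and a service with no known owner or a garbled display name. The sample lines are copied from the posted log; the rule names and the `triage_line`/`triage_log` functions are my own.

```python
import re
# Constructed sample: lines copied from the HijackThis log posted above, mixed
# with benign ones, so that each triage rule below has something to match.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\E.tmp.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\bntca.dll/sp.html#88449%resultposition.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [E.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\E.tmp.exe
O4 - HKLM\..\Run: [links] links.exe
O20 - Winlogon Notify: st3 - C:\WINDOWS\q253187.dll (file missing)
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\crnz.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)           # ...\Temp\something.exe
RES_DLL = re.compile(r"=\s*res://.*\.dll/", re.IGNORECASE)  # = res://C:\...\x.dll/page.html

def triage_line(line):
    """Return the names of every triage rule that fires on one log line."""
    hits = []
    parts = line.split(" - ")
    kind = parts[0] if len(parts) > 1 else "PROC"  # bare paths come from 'Running processes'
    # Rule 1: a running process or Run entry launched from a Temp directory.
    if kind in ("PROC", "O4") and TEMP_DIR.search(line):
        hits.append("executable in Temp directory")
    # Rule 2: IE search/start setting redirected to a res:// page served from a DLL.
    if kind in ("R0", "R1") and RES_DLL.search(line):
        hits.append("IE setting points at res:// DLL")
    # Rule 3: Run entry naming a bare file with no directory (e.g. [links] links.exe).
    if kind == "O4" and "\\" not in line.split("] ", 1)[-1]:
        hits.append("Run entry without a path")
    # Rule 4: Winlogon Notify hook whose DLL no longer exists on disk.
    if kind == "O20" and "(file missing)" in line:
        hits.append("Winlogon Notify DLL missing")
    # Rule 5: service with no known publisher, or a display name full of non-ASCII junk.
    if kind == "O23":
        if "Unknown owner" in parts:
            hits.append("service with unknown owner")
        if any(ord(c) > 126 for c in parts[1]):
            hits.append("service name contains non-ASCII characters")
    return hits

def triage_log(text):
    """Map each suspicious line to the rules it fired; clean lines are omitted."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    return {l: triage_line(l) for l in lines if triage_line(l)}
```

Hits are review prompts, not verdicts: "Unknown owner" only means the binary carries no publisher information, so a flagged line still needs the file itself checked.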
 
Joined
Sep 7, 2004
Messages
49,014
HiJackThis is running from a temp directory and must be moved to run correctly

Get HiJack This V1.99.1 http://thespykiller.co.uk/files/hijackthis_sfx.exe - double click the DL file and click UNZIP letting it extract to its default folder C:\Program Files\HiJackThis, run it from there, DO NOT fix anything, post the log here
===========

You have no active AntiVirus!

Get the free AVG 7 install it, check for updates and run a full scan

AVG 7 - http://free.grisoft.com/freeweb.php/doc/2/
=================

DownLoad http://www.intermute.com/spysubtract/cwshredder_download.html
Close all browser windows, unzip the file, click on the cwshredder.exe then click "Fix"


Download About:Buster from:
http://www.majorgeeks.com/download4289.html
Double click aboutbuster.exe, Click begin removal, click yes to shutdown IE, click Start, then click OK.
========

Download the trial version of Ewido Security Suite http://www.ewido.net/en/download/ (W2K/XP Only)
· Install ewido.
· During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
· Launch ewido
· It will prompt you to update click the OK button and it will go to the main screen
· On the left side of the main screen click update
· Click on Start and let it update.
· DO NOT run a scan yet. You will do that later in safe mode.

Restart your computer into safe mode now. Perform the following steps in safe mode:
(Start tapping F8 at the first black screen after power up)

Run Ewido:
· Click on scanner
· Click Complete System Scan and the scan will begin.
· During the scan it will prompt you to clean files, click OK
· When the scan is finished, look at the bottom of the screen and click the Save report button.
· Save the report to your C: Drive
This will take some time to run!
Boot to normal mode
Post that log and a new HiJack log
 
Joined
Sep 7, 2004
Messages
49,014
That's a lot of problems!!!!!!!! Take your time - Ewido will run for a while

Make sure you save the log
 

yarnperson

Thread Starter
Joined
Jan 6, 2006
Messages
25
Um... I'm in safe mode right now. My computer restarted and tells me that my WININET.dll was not found. I can't see my desktop. I'm worse off than I thought eh? Any suggestions. I'd like to keep running things, if I only knew how to get to them.
More info, I was only on the AVG step. It said it found 5 viruses, and then restarted.
 
Joined
Sep 7, 2004
Messages
49,014
I'm confused as to what, when, and where you are

Safe mode only or normal mode works
 

yarnperson

Thread Starter
Joined
Jan 6, 2006
Messages
25
Safe mode works. I think normal mode works. But I still don't have a desktop either way. I have to open up programs from the Task Manager. I've started the AVG again. And it's pounding away. But I don't think that's going to help my lack of a WININET.dll. So... I'm not sure how to proceed.
Um... would it be faster to IM? Or even call on the phone? I'm kinda lost right now, if you couldn't tell.
 
Joined
Sep 7, 2004
Messages
49,014
Go to the Run box on the Start Menu and type/copy in:

sfc /scannow

This command will immediately initiate the Windows File Protection service to scan all protected files and verify their integrity, replacing any files with which it finds a problem.

Reboot
 

yarnperson

Thread Starter
Joined
Jan 6, 2006
Messages
25
I don't have a Start Menu, as I don't have a desktop. I'll try to do that from the Task Manager. I think the function I'm using is more or less the Run box. So... Hopefully, I'll be right back.
 

yarnperson

Thread Starter
Joined
Jan 6, 2006
Messages
25
No can do. It just gives me the same message about my WININET.dll being missing, then I see the DOS shell pop up and close right away. I can't see if it did anything or not. I'll try restarting anyway.
 

yarnperson

Thread Starter
Joined
Jan 6, 2006
Messages
25
This would be so funny if it wasn't really happening. And I am trying to see the humor in all this, otherwise, I'd have to fix my computer as Bubs did Strong Bad's.
Guess what file Windows needs to open up a compressed folder. That's right, Wininet.dll.
"This application had failed to start because WINNET.dll was not found." and here's the funny part. "Re-installing the application may fix this problem." But to do anything, you need the file that's missing. Ha.... not that funny actually. But I think that scan now thing is finally working! I don't know how, it just started now, a half an hour later.
 

yarnperson

Thread Starter
Joined
Jan 6, 2006
Messages
25
Well, that thing ran. It took a while. Once it was done, nothing happened. I waited for a few minutes, and still nothing, so I went ahead and restarted, and no improvement.
 

Cheeseball81

Retired Moderator
Joined
Mar 3, 2004
Messages
84,315
Would you be able to download a program from another computer to run on the infected one? I'm considering having you run a fix, which in turn replaces the Wininet.dll file.
 

yarnperson

Thread Starter
Joined
Jan 6, 2006
Messages
25
O.k. I'm back,
I work nights so I had to get some sleep before work. I'm back, I'll probably be here until 4:00pm, California time. Thanks again for all your help.
What I'm doing now:
I was able to use my thumb drive and another computer to get Wininet.dll from the link above. So now I have my desktop back. Only problem is that now my browser won't stay open for more than a second. So I was not able to post any links for help.
I got another computer set up over here now, so I'll be able to post and download from it.
I'm going to download the rest of the files to the thumb drive and run them as instructed. I'll post again once that's all done.
If you have any suggestions in the meantime, I'd love to hear them.
Once more, thanks for all your understanding with my noobie-ness.
Running the stuff now.
 