
Yet another Hijack This log, whoo hoo!

Discussion in 'Virus & Other Malware Removal' started by Jesus McBeef, Apr 7, 2004.

  1. Jesus McBeef (Thread Starter) - Joined: Feb 4, 2004 - Messages: 18

    I was having a bit of trouble a while ago with having a hijacked homepage, lots of spyware and some other problems.

    So far I have run CWShredder, re-scanned with HijackThis, rebooted in Safe Mode, deleted a few files, scanned with Ad-Aware, and scanned with Spybot Search & Destroy. Now I have re-scanned with HijackThis and I just wanted to post this to make sure there isn't anything I missed. Any help would be appreciated!

    I'm running Windows XP if it matters...


    Logfile of HijackThis v1.97.7
    Scan saved at 10:50:36 PM, on 4/7/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
    C:\WINDOWS\System32\WScript.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
    C:\Cyberpwr\PanPlus.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\hwaydecv.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
    C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
    c:\progra~1\Support.com\client\bin\tgcmd.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Eddie\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#10213
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.centurytel.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://freshvideogals.com/search/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.sony.com/vaiopeople
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: IE Search Bar - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll
    O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
    O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
    O4 - HKLM\..\Run: [CleanupProgram] C:\Sonysys\cleanup.exe
    O4 - HKLM\..\Run: [Power Panel plus] C:\Cyberpwr\PanPlus.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Documents and Settings\Eddie\My Documents\My Pictures\Nikki's Junk\My Received Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [lkvxnyxu] C:\WINDOWS\System32\hwaydecv.exe
    O4 - HKLM\..\Run: [puncd] C:\WINDOWS\puncd.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Real-time Monitor.lnk = ?
    O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/Flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0C2BE5FF-B503-4F62-98CB-7374F397E9C8}: NameServer = 207.230.192.251 209.142.152.253
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0C2BE5FF-B503-4F62-98CB-7374F397E9C8}: NameServer = 207.230.192.251 209.142.152.253
     
  2. Nok1 - Joined: Feb 15, 2004 - Messages: 826

    Download and run CWShredder from here. Before running the program, make sure that all windows besides CWShredder are closed. Open the program, and click on Fix Now and not Scan only.

    Remove these items with HJT:

    O3 - Toolbar: IE Search Bar - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll

    O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
     
  3. Jesus McBeef (Thread Starter)

    Thanks. I did all the required tasks and hopefully my computer will be back and running smoothly. I appreciate the help. :)
     
  4. Nok1

    Please follow up with another HJT log because there are some other items that we should get rid of.
     
  5. Jesus McBeef (Thread Starter)

    Here's another one for ya...


    Logfile of HijackThis v1.97.7
    Scan saved at 8:37:48 PM, on 4/11/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
    C:\WINDOWS\System32\WScript.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
    C:\Cyberpwr\PanPlus.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\wt\updater\wcmdmgr.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
    C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
    c:\progra~1\Support.com\client\bin\tgcmd.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Eddie\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#10213
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.centurytel.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://freshvideogals.com/search/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
    O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
    O4 - HKLM\..\Run: [CleanupProgram] C:\Sonysys\cleanup.exe
    O4 - HKLM\..\Run: [Power Panel plus] C:\Cyberpwr\PanPlus.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Documents and Settings\Eddie\My Documents\My Pictures\Nikki's Junk\My Received Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Real-time Monitor.lnk = ?
    O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/Flash/swflash.cab
    O16 - DPF: {DBAE7000-01EC-4162-8FEB-8A27AC937CA0} (HDPluginCtrl Class) - http://webpdp.gator.com/4/download/hdplugin_1015_bundle33v1d12.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0C2BE5FF-B503-4F62-98CB-7374F397E9C8}: NameServer = 207.230.192.251 209.142.152.253
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0C2BE5FF-B503-4F62-98CB-7374F397E9C8}: NameServer = 207.230.192.251 209.142.152.253
     
  6. Flrman1 - Joined: Jul 26, 2002 - Messages: 46,329

    Run HijackThis again and put a check by these. Close all windows except HijackThis and click "Fix checked".

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#10213

    O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe

    O16 - DPF: {DBAE7000-01EC-4162-8FEB-8A27AC937CA0} (HDPluginCtrl Class) - http://webpdp.gator.com/4/download/...ndle33v1d12.cab


    Restart to safe mode and delete:

    The C:\WINDOWS\Belt.exe file

    How to start your computer in safe mode
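The two helper replies above single out the same few line types: an R1 Search Page rewritten to a res:// DLL, O4 Run entries that launch a script or an executable dropped straight into C:\WINDOWS (or that carry a random-looking key name), and an O16 ActiveX download from an adware host. The Python below is added here as an example, not code from the thread or from HijackThis; it parses those line types out of an HJT log and applies the same heuristics, where the trusted-host list and the "random name" vowel threshold are assumptions and the output is a list of candidates for a human to review, not a verdict.

```python
"""Added example (not from this thread): triage the HijackThis line types the
helpers acted on (R0/R1, O4 Run, O16 DPF). The allow-list and the "random
name" threshold are assumptions; hits are candidates for a human to review."""
import re
from urllib.parse import urlsplit

TRUSTED_DPF_HOSTS = ("apple.com", "macromedia.com", "yahoo.com")  # assumed benign
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^HKLM\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")

# Constructed sample: four lines copied from the second log in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#10213
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: {DBAE7000-01EC-4162-8FEB-8A27AC937CA0} (HDPluginCtrl Class) - http://webpdp.gator.com/4/download/hdplugin_1015_bundle33v1d12.cab
"""

def looks_random(name: str) -> bool:
    """All-lowercase keys with few vowels (e.g. 'lkvxnyxu') are typical of droppers."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 5 or name != name.lower():
        return False
    return sum(c in "aeiou" for c in letters) / len(letters) < 0.25

def triage_line(line: str):
    """Return why the line deserves a look, or None if no heuristic matches."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec in ("R0", "R1") and "= res://" in body:
        return "IE page setting points at a res:// DLL (search page hijack)"
    if sec == "O4" and (r := RUN_RE.match(body)):
        cmd = r.group("cmd").strip('"').lower()
        if cmd.endswith(".vbs"):
            return "Run entry launches a script"
        if re.match(r"c:\\windows\\[^\\]+\.exe$", cmd):
            return "Run entry starts an executable dropped directly in C:\\WINDOWS"
        if looks_random(r.group("key")):
            return "Run entry has a random-looking key name"
    if sec == "O16":
        host = urlsplit(body.rsplit(" - ", 1)[-1]).hostname or ""
        if not any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS):
            return f"ActiveX download (DPF) from untrusted host {host}"
    return None

def triage(log: str):
    """Run triage_line over a whole log; returns [(line, reason), ...] in log order."""
    return [(l.strip(), r) for l in log.splitlines() if (r := triage_line(l))]
```

Global Startup (.lnk) entries and the O2/O3/O17 lines are parsed but deliberately left unflagged, since the thread's helpers judged those by name rather than by any structural trait.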
     
  7. Jesus McBeef (Thread Starter)

    Thanks for the help!

    I've done all of this, is there anything else you'd like me to do?

    I'll have to do it when I get home from class though.
     
  8. Flrman1

    Is everything OK now?
     
  9. Jesus McBeef (Thread Starter)

    Yeah, everything appears to be back to normal. I'll give it a few days to see if anything else comes up.
     
Short URL to this thread: https://techguy.org/218253

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice