Tech Support Guy banner
Cancel

Help with Hijack This log

3545 Views 13 Replies 2 Participants Last post by  ZanY
Z
I had the same problem with startium but after looking at your forum and getting spybot (i had ad-aware but it didn't help) its gone! I just had to sign up and say a BIG THANK YOU! :up: It was driving me bonkers! :confused: I can't think properly when I know my compy is buggy! :( So now i can go back to studying for my 100% physiology final exam :rolleyes: !!! I got hijackthis and I thought maybe i would post the current log so maybe someone can tell me if anything is still lurking around! :eek: again, thank you so much :D *sighs of relief* :p

Logfile of HijackThis v1.97.7
Scan saved at 2:24:15 AM, on 4/13/04
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\CFusionMX\runtime\bin\jrunsvc.exe
C:\CFusionMX\db\slserver52\bin\swagent.exe
C:\CFusionMX\runtime\bin\jrun.exe
C:\CFusionMX\db\slserver52\bin\swstrtr.exe
C:\CFusionMX\db\slserver52\bin\swsoc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\PROMon.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Handspring\HotSync.exe
C:\WINDOWS\FSScrCtl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\UwsI.exe
C:\WINDOWS\System32\Sxzsc.exe
C:\Documents and Settings\zany\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [gwxgzfn] rundll32 C:\WINDOWS\System32:gwxgzfn.dll,Init 1
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [cwphbki] C:\WINDOWS\System32\cwphbki.exe
O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [wunk_32t] C:\WINDOWS\System32\wunk_32t.exe
O4 - HKLM\..\Run: [2G8J54X2C8HJYK] C:\WINDOWS\System32\Tarv.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKLM\..\RunOnce: [*gwxgzfn] rundll32 C:\WINDOWS\System32:gwxgzfn.dll,Init 1
O4 - Startup: HotSync Manager.LNK = C:\Program Files\Handspring\HotSync.exe
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
See less See more
Save
Like
Status
Not open for further replies.
1 - 6 of 14 Posts
Flrman1
Hi ZanY

Welcome to TSG! :)

I have split your post off into your own thread. In the future if you have a Question/Problem please start a "New Thread". It get's too confusing trying to address two different people's problem in the same thread and you may get overlooked.

You still have several problems. You have AFlooder, the peper trojan and more.

First Go to Start > Run and copy and paste the following line in the Run box and click OK or hit Enter:

rundll32 C:\WINDOWS\System32:gwxgzfn.dll,Uninstall

Click OK.

This will remove AFlooder.

Now run run this uninstaller to get rid of the peper.a trojan:

http://www.zerosrealm.com/downloads/uninst.exe

*Note: Just click on the uninst.exe and let it run. When it is finished it will just close. There will be no dialogue. Also you must be connected to the internet for the uninstaller to be effective.

Then click here to download CWShredder. Close all browser windows,UnZip the file, click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do it's thing.

When it is finished restart your computer.

IMPORTANT!: To help prevent this from happening again, I strongly recommend you install the patches for the vulnerabilities that this hijacker exploits.

The simplest way to make sure you have all the security patches is to go to Windows update and install all "Critical Updates and Service Packs"

Come back here and post another Hijack This log and we'll get rid of what's left.
See less See more
Save
Like
Flrman1
Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm

R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll

O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)

O4 - HKLM\..\Run: [cwphbki] C:\WINDOWS\System32\cwphbki.exe

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

O4 - HKLM\..\Run: [wunk_32t] C:\WINDOWS\System32\wunk_32t.exe

Restart to safe mode.

How to start your computer in safe mode

First in safe mode click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Now find and delete:

The C:\Program Files\AutoUpdate\AutoUpdate.exe folder
The C:\WINDOWS\System32\cwphbki.exe file
The C:\WINDOWS\System32\wunk_32t.exe file
See less See more
Save
Like
Flrman1
That log is identical to the last one. Did you fix those entries and then restart to safe mode and delete those files?
Save
Like
Flrman1
Click here to download KillBox. Unzip to your desktop.

Now run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm

R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll

O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)

O4 - HKLM\..\Run: [cwphbki] C:\WINDOWS\System32\cwphbki.exe

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

O4 - HKLM\..\Run: [wunk_32t] C:\WINDOWS\System32\wunk_32t.exe

Open KillBox and copy & paste each of these lines one at a time in the box under Paste full path of File to delete and click Kill File after each one and wait for success/fail message.

C:\Program Files\AutoUpdate\AutoUpdate.exe

Click Kill File

C:\WINDOWS\System32\cwphbki.exe

Click Kill File

C:\WINDOWS\System32\wunk_32t.exe

Click Kill File

Restart your computer.
See less See more
Save
Like
Flrman1
Restart your computer and scan again with Hijack This and post another log.
Save
Like
Flrman1
Well there is no doubt that those files are there. How are those files getting past Adwatch? Don't you block them? They can't add those RUN entries back into the registry if you block them.
Save
Like
1 - 6 of 14 Posts
Status
Not open for further replies.
Tech Support Guy
A forum community dedicated to tech experts and enthusiasts. Come join the discussion about articles, computer security, Mac, Microsoft, Linux, hardware, networking, gaming, reviews, accessories, and more!
Full Forum Listing
Explore Our Forums
Hardware Virus & Other Malware Removal Off Topic Lounge Thread Games & Discussion Networking
Top