Tech Support Guy banner
Cancel

hijack this log

Jump to Latest Follow
  • IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation. Notice
Status
Not open for further replies.
1 - 5 of 5 Posts
P

· Registered
Joined
·
19 Posts
Discussion Starter · #1 ·
can somLogfile of HijackThis v1.97.7
Scan saved at 9:25:30 PM, on 4/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTSvcCDA.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\SYSTEM32\qttask.exe
C:\WINDOWS\System32\shpc32.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\PORTCTRL.EXE
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\MSNGAM~1\ZPROXY.EXE
C:\PROGRA~1\MSNGAM~1\zone.exe
C:\PROGRA~1\MSNGAM~1\lobby.exe
C:\PROGRAM FILES\ENZIP\ENZIP.EXE
C:\DOCUME~1\VANAND~1\LOCALS~1\Temp\_ENZTMP\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.scanthenet.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.scanthenet.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.scanthenet.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.scanthenet.com/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=192.168.0.1:85
N1 - Netscape 4: user_pref("browser.startup.homepage", "www.home.bellsouth.net"); (\prefs.js)
O1 - Hosts: 69.93.33.159 msn.com
O1 - Hosts: 69.93.33.159 search.msn.com
O1 - Hosts: 69.93.33.159 www.msn.com
O1 - Hosts: 69.93.33.159 www.google.com
O1 - Hosts: 69.93.33.159 google.com
O1 - Hosts: 69.93.33.159 altavista.com
O1 - Hosts: 69.93.33.159 www.altavista.com
O1 - Hosts: 69.93.33.159 yahoo.com
O1 - Hosts: 69.93.33.159 www.yahoo.com
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Search - {A58686ED-FC46-44C3-95C6-4A812AB776F1} - C:\Program Files\FerretSoft\WebFerret\FerretBand.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [xkstartup] RunDll32 InstZ82.dll,SetUsbPrinterPort
O4 - HKLM\..\Run: [SHPC32] shpc32.exe
O4 - HKLM\..\Run: [GW Port Controller] C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\PORTCTRL.EXE
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [system32.dll] C:\WINDOWS\system\systeminit.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: SmarThru Engine.lnk = C:\Program Files\Samsung\SmarThru\QS.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/Z4/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E09F6B38-3A0D-11D3-B5E7-0008C7BF61F2} (DetectMN) - http://www.musicnotes.com/download/npmusicn.cab
O19 - User stylesheet: C:\WINDOWS\sstyle.css
O19 - User stylesheet: C:\WINDOWS\sstyle.css (HKLM)

e oen read this and help if i need it
 
N

· Registered
Joined
·
826 Posts
#2 ·
Download and run CWShredder from here. Before running the program, make sure that all windows besides CWShredder are closed. Open the program, and click on Fix Now and not Scan only.

Then

  1. Download Ad-Aware 6.181 from http://www.lavasoftusa.com/
  2. Install the program, open it check to make sure you have the latest reference file by clicking on webupdate. Make sure that your reference file reads 01R280 07.04.2004 (or higher number/date). If it does not, then click here and install the file manually.
  3. Make sure the following settings are turned to ON
    -From the main window click on Start then Activate in-depth scan.
    -Click on Use custom scanning options>Customize and make sure the following options are turned on:
    Scan within archives
    Scan active processes
    Scan registry
    Scan my IE Favorites for banned URL
    Scan my host-files
  4. Click on Settings and make sure the following are enabled:
    Unload recognized processes during scanning
  5. Click on Cleaning engine and make sure that Let windows remove files in use at next reboot is on.
  6. Finally Click Proceed to save your settings.
  7. Click on Scan Now from the main window and select Use Custom Scanning options and click scan.
  8. When scan completes, remove all items, then run another scan but this time select the Perform Smart-System Scan option and then also remove all items it finds.

then
  1. Download Spyboy S&D from this page
  2. Open and install the program then click here and follow the instructions for updating the program. Download all available updates.
  3. Run a scan by clicking on Spybot S&D and then clicking Search & Destroy and then Check for problems
  4. When scan completes, remove all items in red by making sure that they are checked and then click Fix selected problems

Then post another HJT log
 
P

· Registered
Joined
·
19 Posts
Discussion Starter · #3 ·
Logfile of HijackThis v1.97.7
Scan saved at 1:05:00 AM, on 4/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTSvcCDA.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\SYSTEM32\qttask.exe
C:\WINDOWS\System32\shpc32.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\PORTCTRL.EXE
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRAM FILES\ENZIP\ENZIP.EXE
C:\DOCUME~1\VANAND~1\LOCALS~1\Temp\_ENZTMP\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=192.168.0.1:85
N1 - Netscape 4: user_pref("browser.startup.homepage", "www.home.bellsouth.net"); (\prefs.js)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Search - {A58686ED-FC46-44C3-95C6-4A812AB776F1} - C:\Program Files\FerretSoft\WebFerret\FerretBand.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [xkstartup] RunDll32 InstZ82.dll,SetUsbPrinterPort
O4 - HKLM\..\Run: [SHPC32] shpc32.exe
O4 - HKLM\..\Run: [GW Port Controller] C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\PORTCTRL.EXE
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: SmarThru Engine.lnk = C:\Program Files\Samsung\SmarThru\QS.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/Z4/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E09F6B38-3A0D-11D3-B5E7-0008C7BF61F2} (DetectMN) - http://www.musicnotes.com/download/npmusicn.cab
 
1 - 5 of 5 Posts
Status
Not open for further replies.
About this Discussion
4 Replies
3 Participants
Last post:
Nok1
Tech Support Guy
A forum community dedicated to tech experts and enthusiasts. Come join the discussion about articles, computer security, Mac, Microsoft, Linux, hardware, networking, gaming, reviews, accessories, and more!
Full Forum Listing
Explore Our Forums
Hardware Virus & Other Malware Removal Windows XP Off Topic Lounge Thread Games & Discussion
Top