Tech Support Guy banner
Cancel

[Solved] HT Log for friends messed up pc

Jump to Latest Follow
  • IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation. Notice
Status
Not open for further replies.
1 - 20 of 21 Posts
BAZZA_UK

· Registered
Joined
·
176 Posts
Discussion Starter · #1 ·
Can someone please check out the highjack this log of my pals pc . He will switch on and after about a min everything will freeze up.....reboot and nine times out of ten the same thing will happen again....reboot again and although slow it will be fine.....i ran housecall for him and found 93 problems 19 of which were uncleanable.....then i downloaded spybot and ran that and cleaned up everything in the way of tracking cookies ect...or so i thought....because i rebooted and ran it again....it finds the same ones again ?.....ive used this many times on my own pc and this has never happened !!!
So i have downloaded highjack this and ran it so heres the log for you clever people to view and tell me whats got to go....i have just enabled his windows xp firewall which he had disabled....yikes....so maybe that will shut one of the doors to his probs appearing again !!!
Logfile of HijackThis v1.97.7
Scan saved at 21:28:11, on 08/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\GSICON.EXE
C:\WINDOWS\System32\dslagent.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\mstaskm.exe
C:\WINDOWS\System32\msrexe.exe
C:\WINDOWS\reg33.exe
C:\WINDOWS\dl.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Bones\Application Data\otot.exe
C:\WINDOWS\System32\wapisvcc.exe
C:\Program Files\AOL 7.0\aoltray.exe
C:\Documents and Settings\Bones\Desktop\HIGHJACK THIS\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://aifind.cc/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.alfa-search.com/start.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.alfa-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.alfa-search.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nnsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nnsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.alfa-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://tjdjuz.t.rack.cc/sp.php (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.alfa-search.com/start.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nnsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.alfa-search.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.alfa-search.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nnsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.alfa-search.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.alfa-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search-all.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://nnsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://nnsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://tjdjuz.t.rack.cc/hp.php (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.sharempeg.com/find/
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\svcinit.exe
O1 - Hosts: 205.177.124.66 auto.search.msn.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\utilities\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [host] C:\WINDOWS\system32\hosts.vbs
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O4 - HKLM\..\Run: [Microsoft Helper Service] C:\WINDOWS\System32\mstaskm.exe
O4 - HKLM\..\Run: [Windows Security Assistant] C:\WINDOWS\system32\rundll32.vbe
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe
O4 - HKLM\..\Run: [Reg32] C:\WINDOWS\reg33.exe
O4 - HKLM\..\Run: [Dial32] C:\WINDOWS\dl.exe
O4 - HKLM\..\RunServices: [Windows Security Assistant] C:\WINDOWS\system32\rundll32.vbe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Ueio] C:\Documents and Settings\Bones\Application Data\otot.exe
O4 - HKCU\..\Run: [sws.exe] c:\program files\GlobalDialer\domer00148\gd-dial.exe -remove
O4 - HKCU\..\Run: [WTSC] C:\WINDOWS\System32\wapisvcc.exe
O4 - HKCU\..\Run: [Windows Security Assistant] C:\WINDOWS\system32\rundll32.vbe
O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - WWW Prefix:
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol hijack: about - {53B95211-7D77-11D2-9F80-00104B107C96}
O19 - User stylesheet: C:\WINDOWS\system32\readme.txt
O19 - User stylesheet: C:\WINDOWS\hh.htt (HKLM)
 
Flrman1

· Registered
Joined
·
46,465 Posts
#3 ·
Yep it's CWS.

Click here to download CWShredder. Close all browser windows,UnZip the file, click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do it's thing.

When it is finished restart your computer.

IMPORTANT!: To help prevent this from happening again, I strongly recommend you install the patches for the vulnerabilities that this hijacker exploits.

The simplest way to make sure you have all the security patches is to go to Windows update and install all "Critical Updates and Service Packs"

Come back here and post another Hijack This log. There are more that will need removing with HJT.
 
Save Share
BAZZA_UK

· Registered
Joined
·
176 Posts
Discussion Starter · #4 ·
Thanks very much for your speedy replies FinestRanger and Firman 1, unfortunatly the guy who's pc's been invaded has gone away for a few days for the easter weekend....as soon as he returns i shall run cwshredder for him and post a new HT log back here.......cheers guys
 
BAZZA_UK

· Registered
Joined
·
176 Posts
Discussion Starter · #6 ·
Hi Flrman1, i downloaded cw shredder and ran the fix on his pc then did a restart. next i went to windows update and installed all critical security updates...there was 19 of them......i can't believe he was'nt up to date !!!.....than i ran HJT again and here's the log....cheers
Logfile of HijackThis v1.97.7
Scan saved at 21:52:57, on 15/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\GSICON.EXE
C:\WINDOWS\System32\dslagent.exe
C:\WINDOWS\System32\msrexe.exe
C:\PROGRA~1\TRAYGR~1\adminbeep.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AOL 7.0\aoltray.exe
C:\Documents and Settings\Bones\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://netsearchsoft.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://netsearchsoft.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = netsearchsoft.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://netsearchsoft.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://netsearchsoft.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://netsearchsoft.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://netsearchsoft.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search-all.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\utilities\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {788002E5-8767-B60E-3C9B-5596B61C4A8E} - C:\PROGRA~1\SECTCA~1\new mode.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: balm skip - {7D68BC88-0320-D6A3-3798-9E01A6BC1DFE} - C:\PROGRA~1\SECTCA~1\new mode.dll
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [Microsoft Helper Service] C:\WINDOWS\System32\mstaskm.exe
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe
O4 - HKLM\..\Run: [team bags] C:\PROGRA~1\TRAYGR~1\adminbeep.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - WWW Prefix:
O16 - DPF: {11111111-1111-1111-1111-111111111123} - http://serha.ud-dial.biz/1/dexGB617.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38092.5804861111
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 
Flrman1

· Registered
Joined
·
46,465 Posts
#7 ·
Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://netsearchsoft.com/searchbar.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://netsearchsoft.com/searchbar.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = netsearchsoft.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://netsearchsoft.com/searchbar.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://netsearchsoft.com/searchbar.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://netsearchsoft.com/searchbar.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://netsearchsoft.com/searchbar.html

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search-all.net/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/

O2 - BHO: (no name) - {788002E5-8767-B60E-3C9B-5596B61C4A8E} - C:\PROGRA~1\SECTCA~1\new mode.dll

O3 - Toolbar: balm skip - {7D68BC88-0320-D6A3-3798-9E01A6BC1DFE} - C:\PROGRA~1\SECTCA~1\new mode.dll

O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe

O4 - HKLM\..\Run: [team bags] C:\PROGRA~1\TRAYGR~1\adminbeep.exe

O13 - WWW Prefix:

O16 - DPF: {11111111-1111-1111-1111-111111111123} - http://serha.ud-dial.biz/1/dexGB617.exe

Restart to safe mode.

How to start your computer in safe mode

First in safe mode click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Now find and delete:

The C:\WINDOWS\System32\msrexe.exe file
The C:\Program Files\TRAYGR~1 folder
The C:\Program Files\SECTCA~1 folder

I have no way of knowing the exact name of those last two folders, but the first six letters of the first will be TRAYGR and the second will be SECTCA.
 
Save Share
BAZZA_UK

· Registered
Joined
·
176 Posts
Discussion Starter · #8 ·
Hi Flrman1, sorry its been a whole week to get back to you.....
I ran hijack this again and fixed all files you mentioned. Then i restarted in safe mode and found C:\WINDOWS\System32\msrexe.exe file and deleted it but i was unable to find the other two files ie: TRAYGR and SECTCA folders.
Have ran highjack this again and noticed that
04-HKLM\..Run:[team bags]C:\PROGRA~1\TRAYGR~1\adminbeeb.exe.........file was present again in the log ?
Heres the latest log and all your help is much appresiated and a donation will be on its way soon.....
Logfile of HijackThis v1.97.7
Scan saved at 21:14:16, on 22/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\GSICON.EXE
C:\WINDOWS\System32\dslagent.exe
C:\PROGRA~1\TRAYGR~1\adminbeep.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AOL 7.0\aoltray.exe
C:\Documents and Settings\Bones\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netsearchsoft.com/passthrough/index.html?http://about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\utilities\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [Microsoft Helper Service] C:\WINDOWS\System32\mstaskm.exe
O4 - HKLM\..\Run: [team bags] C:\PROGRA~1\TRAYGR~1\adminbeep.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38092.5804861111
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 
Flrman1

· Registered
Joined
·
46,465 Posts
#9 ·
Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netsearchsoft.com/passthroug...p://about:blank

O4 - HKLM\..\Run: [team bags] C:\PROGRA~1\TRAYGR~1\adminbeep.exe

Restart to safe mode and delete the The C:\Program Files\TRAYGR~1 folder. It is vital that you find and delete this folder. Like I said before I do not know the exact name of this folder. Find the folder in C:\Program Files that begins with TRAYGR. This is the folder that contains the executable that is loading the hijacker. You will have to find and delete that folder to get rid of the hijack.
 
Save Share
BAZZA_UK

· Registered
Joined
·
176 Posts
Discussion Starter · #10 ·
when i restarted in safe mode i started a search for all program files and there wer'nt any with TRAYGR in at all.....i also tried typing TRAYGR in a more specialised search and it also came back with nothing......i shall try again hopefully with better luck next time....i hope this time i can gain access to his pc over the next couple of days........thanks Flrman1
 
Flrman1

· Registered
Joined
·
46,465 Posts
#11 ·
Manually navigate to the C:\Program Files folder and look for the TRAYGR~1 folder. Click on My Computer. In My Computer click on Local Disk (C:). Look in Local Disk (C:) for the Program Files folder. Open the Program Files folder and look for the folder that begins with TRAYGR and right click and delete it.
 
Save Share
BAZZA_UK

· Registered
Joined
·
176 Posts
Discussion Starter · #12 ·
ran HJT and removed the two objects as you said...then in safe mode i managed to find the TRAY GREAT folder and also the SECTCA folder which i could'nt find last week.....after a restart i ran spybot search and destroy and it came back with one problem......AbraShyabra.Lolita....whick it says is an executable....C:\WINDOWS\wintt.exe file.......i had a quick look in my computer and looked under local disc (C:) under windows.....i saw wintt but it had no folder by the side of ?......i did'nt attempt to remove it as i wanted your opinion first !!!
Heres the latest HJT Log
Logfile of HijackThis v1.97.7
Scan saved at 21:21:59, on 29/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\GSICON.EXE
C:\WINDOWS\System32\dslagent.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AOL 7.0\aoltray.exe
C:\Documents and Settings\Bones\Local Settings\Temp\Temporary Directory 6 for hijackthis.zip\HijackThis.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\utilities\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [Microsoft Helper Service] C:\WINDOWS\System32\mstaskm.exe
O4 - HKLM\..\Run: [griz] C:\WINDOWS\griz.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38092.5804861111
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 
Flrman1

· Registered
Joined
·
46,465 Posts
#13 ·
You should let Spybot fix the file...C:\WINDOWS\wintt.exe .. or boot to safe mode and delete it yourself.

Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

O4 - HKLM\..\Run: [Microsoft Helper Service] C:\WINDOWS\System32\mstaskm.exe

O4 - HKLM\..\Run: [griz] C:\WINDOWS\griz.exe

Restart to safe mode.

How to start your computer in safe mode

First in safe mode click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Now find and delete:

The C:\WINDOWS\System32\mstaskm.exe file
The C:\WINDOWS\griz.exe file
 
Save Share
BAZZA_UK

· Registered
Joined
·
176 Posts
Discussion Starter · #14 ·
sorry once again for the delay, i ran hijack this again and fixed the two items you told me too. Then in safe mode i deleted the wintt exe (spybot would'nt let me fix this item) then i tried in vain to find the "grix.exe" file or the "mstaskm.exe" file ?
I then restarted out of safe mode and spybot found two minor items which were removed and now is clear for the first time since i downloaded and ran spybot for the first time on my friends pc.
Here is the latest highjack this log
Logfile of HijackThis v1.97.7
Scan saved at 14:55:42, on 09/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\GSICON.EXE
C:\WINDOWS\System32\dslagent.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AOL 9.0a\aoltray.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Documents and Settings\Bones\Local Settings\Temp\Temporary Directory 7 for hijackthis.zip\HijackThis.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\utilities\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0a\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38092.5804861111
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 
Flrman1

· Registered
Joined
·
46,465 Posts
#15 ·
Fix this one:

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

Restart.

You should be good to go after that.

One more thing. I notice that you do not have an antivirus running or a firewall. If I may so this without being rude, with the net as it is these days it is quite foolish to be without an antivirus and a firewall. By all means get both ASAP! See this thread for some good free ones:

http://forums.techguy.org/t110854/s.html
 
Save Share
BAZZA_UK

· Registered
Joined
·
176 Posts
Discussion Starter · #16 ·
Thanks Flrman1 once again for all your help, i shall fix that last item as soon as i can get to my friends pc again. I did actually enable his XP firewall a couple of weeks ago as it was disabled but as you say he has no antivirus running so i shall probably install avg as that is what i use on my own system.
A donation will be on its way this week and my pal would like you to know that he is very appreciative of all your help in aiding to clean up his operating system so he can once again use it without problems
Cheers Flrman1...........Bazza_Uk
 
Flrman1

· Registered
Joined
·
46,465 Posts
#17 ·
You're Welcome! :up:

I recommend disabling the XP firewall and use a third party firewall like Sygate or Zone Alarm. The XP firewall just is not quite adequate.
 
Save Share
BAZZA_UK

· Registered
Joined
·
176 Posts
Discussion Starter · #18 ·
Hi Flrman1, i ran HJT and fixed the one you posted. I then downloaded the free AVG antivirus and ran that.....wow....32 viruses...jeez.....fixed most of them and put a few in the vault......then downloaded SYGATE personal firewall ( dowloaded it myself too last week...cheers)....then i logged into this site on my friends pc to send a donation via your link but could'nt find this thread at all....but managed to send a donation through the donate link at top of page....cheers once again Flrman1 for all your work...my buddy is delighted at having rid his pc of all the nasties !!!
Heres hopefully the final HJT Log of his pc
Logfile of HijackThis v1.97.7
Scan saved at 21:43:03, on 20/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\GSICON.EXE
C:\WINDOWS\System32\dslagent.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AOL 9.0a\aoltray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Documents and Settings\Bones\Local Settings\Temp\Temporary Directory 9 for hijackthis.zip\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\utilities\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0a\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38092.5804861111
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 
BAZZA_UK

· Registered
Joined
·
176 Posts
Discussion Starter · #20 ·
Cheers Flrman1 thats good to hear, i am only sorry i could'nt have got my friends pc to my home to work on then between us both it could have been sorted in a few hours instead of 6 weeks or so, but its all done now....thanks for being patient....his pc is still tending to freeze up when first started and maybe requires a couple of restarts until warmed up but i am hopefully going to solve that for him....its certainly better now than 2 months back....hope the donation helps keep this brilliant site running !!!
 
1 - 20 of 21 Posts
Status
Not open for further replies.
About this Discussion
20 Replies
3 Participants
Last post:
Flrman1
Tech Support Guy
A forum community dedicated to tech experts and enthusiasts. Come join the discussion about articles, computer security, Mac, Microsoft, Linux, hardware, networking, gaming, reviews, accessories, and more!
Full Forum Listing
Explore Our Forums
Hardware Virus & Other Malware Removal Windows XP Off Topic Lounge Thread Games & Discussion
Top