Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Desktop Hijack


  • Please log in to reply

#1
gmachado

gmachado

    New Member

  • Member
  • Pip
  • 1 posts
Hey

I have hijack problems with my machine..

I read some foruns and tried to fixed it by myself, but can´t. In Display->Customize Desktop->Web Tab, there is no any security checkbox to set..So, what can I do?


Some can help me?

Thanks in advance

My Hijack log is the following:
Logfile of HijackThis v1.99.1
Scan saved at 23:06:57, on 18/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\pctspk.exe
C:\Arquivos de programas\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Arquivos de programas\McAfee\McAfee VirusScan\alogserv.exe
C:\Arquivos de programas\Arquivos comuns\Ulead Systems\AutoDetector\monitor.exe
C:\WINDOWS\System32\paytime.exe
C:\WINDOWS\System32\ap9h4qmo.exe
C:\WINDOWS\Arg.exe
C:\WINDOWS\System32\ntddetect.exe
C:\WINDOWS\nmmst.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Arquivos de programas\Skype\Phone\Skype.exe
C:\WINDOWS\System32\paytime.exe
C:\ARQUIV~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Arquivos de programas\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\Arquivos de programas\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Arquivos comuns\Ulead Systems\DVD\ULCDRSvr.exe
C:\Arquivos de programas\McAfee\McAfee VirusScan\VsStat.exe
C:\Arquivos de programas\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Arquivos de programas\Arquivos comuns\Network Associates\McShield\Mcshield.exe
C:\DOCUME~1\Gustavo\CONFIG~1\Temp\RegClean.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Arquivos de programas\MSN Apps\Updater\01.02.3000.1001\pt-br\msnappau.exe
C:\Arquivos de programas\GIANT Company Software\GIANT AntiSpyware\GIANTAntiSpywareMain.exe
C:\Arquivos de programas\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Gustavo\Configurações locais\Temp\Diretório temporário 3 para hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Arquivos de programas\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Arquivos de programas\Yahoo!\Messenger\ycomp.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Acrobat 6\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Arquivos de programas\MyWebSearch\bar\1.bin\MWSBAR.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IbestBHO Class - {7E6CDC1C-3B90-47D7-B2A8-24438CA96075} - C:\Arquivos de programas\Icon\bho.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Arquivos de programas\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\System32\DSMANA~1.DLL
O2 - BHO: Pop Class - {A9AEE0DD-89E1-40EE-8749-A18650CC2175} - C:\WINDOWS\winsx.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\01.02.3000.1001\pt-br\msntb.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll
O2 - BHO: (no name) - {F4256CF7-9194-4239-A771-1FC89C68E020} - C:\WINDOWS\System32\egde.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Discador iBest - {4F869C58-D71D-4850-8BDD-7B5CDF8EC911} - C:\Arquivos de programas\Icon\ibestbar.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Messenger\ycomp.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\01.02.3000.1001\pt-br\msntb.dll
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Arquivos de programas\TheSearchAccelerator\UCMTSAIE.dll
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Arquivos de programas\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Alogserv] C:\Arquivos de programas\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Arquivos de programas\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Arquivos de programas\Arquivos comuns\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [saap] c:\windows\saap.exe
O4 - HKLM\..\Run: [bwnov] C:\WINDOWS\bwnov.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
O4 - HKLM\..\Run: [Csp] C:\WINDOWS\Arg.exe
O4 - HKLM\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKLM\..\Run: [Pbs] C:\WINDOWS\Auo.exe
O4 - HKLM\..\Run: [Pio] C:\WINDOWS\System32\Keo.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Gustavo\CONFIG~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [gcasServ] C:\Arquivos de programas\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
O4 - HKLM\..\Run: [Qcv] C:\WINDOWS\Ofe.exe
O4 - HKLM\..\Run: [_Cat1] C:\WINDOWS\nmmst.exe
O4 - HKLM\..\Run: [Hau] C:\WINDOWS\Hfu.exe
O4 - HKLM\..\Run: [gcasDtServ] gcasDtServ.exe
O4 - HKLM\..\Run: [Njm] C:\WINDOWS\System32\Sru.exe
O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\USURIO~1\CONFIG~1\Temp\DELDIR0.EXE" "C:\Arquivos de programas\McAfee\McAfee Shared Components\Guardian\"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\ARQUIV~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [Skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [Thei] C:\Documents and Settings\Gustavo\Dados de aplicativos\uuua.exe
O4 - HKCU\..\Run: [Csp] C:\WINDOWS\Arg.exe
O4 - HKCU\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [Pbs] C:\WINDOWS\Auo.exe
O4 - HKCU\..\Run: [Pio] C:\WINDOWS\System32\Keo.exe
O4 - HKCU\..\Run: [Qcv] C:\WINDOWS\Ofe.exe
O4 - HKCU\..\Run: [Hau] C:\WINDOWS\Hfu.exe
O4 - HKCU\..\Run: [Njm] C:\WINDOWS\System32\Sru.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Arquivos de programas\ICQLite\ICQLite.exe -trayboot
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Arquivos de programas\MyWebSearch\barD\1.binX\MWSOEMONXLIUXO.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Arquivos de programas\MyWebSearch\barD\1.binX\MWSOEMONXLIUXO.EXE
O4 - Global Startup: Service Manager.lnk = C:\Arquivos de programas\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZNxmk13487BR
O9 - Extra button: ICQ 4 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Arquivos de programas\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Arquivos de programas\ICQLite\ICQLite.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\ARQUIV~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\ARQUIV~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsof...ss/allinone.asp
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 213.159.117.202
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct2_x.cab
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://www.cpm.com.br/qp2.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Arquivos de programas\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo....cab?refid=2732
O16 - DPF: {9EC30204-384D-11D3-9CA3-00A024F0AF03} (ValidaUsuario Class) - https://bradesconete...j/certifexp.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Arquivos de programas\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Arquivos de programas\AutoCAD 2002\InstFred.ocx
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancob.../GbPluginBb.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Arquivos de programas\AutoCAD 2002\AcPreview.ocx
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Help\hxds.dll
O18 - Filter: text/html - {4EE140BC-CEAD-418D-A7B5-62E376B8E668} - C:\WINDOWS\System32\egde.dll
O18 - Filter: text/plain - {4EE140BC-CEAD-418D-A7B5-62E376B8E668} - C:\WINDOWS\System32\egde.dll
O20 - Winlogon Notify: draw32 - C:\WINDOWS\SYSTEM32\draw32.dll
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Arquivos de programas\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: McShield - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Arquivos de programas\Arquivos comuns\Ulead Systems\DVD\ULCDRSvr.exe
  • 0

Advertisements


#2
rstones12

rstones12

    Malware Expert

  • Retired Staff
  • 3,731 posts
gmachado,
Welcome to the GTG forums.
I will be reviewing your HJT log.

We are going to need to remove a few things, but first I would like you do to the following.

Please download hoster from the link below.

http://members.aol.c...dbee/hoster.zip

Open Hoster.exe.

Then click on "Restore Original Hosts"

Close program when complete.


I have outlined some preliminary steps that we need to address. You may want to print out these intructions for reference. This process will take a few steps so please be patient and follow the provided directions.


[1.]
First Download CWShredder
And save it to your desktop.
Close all open browser windows and any other open windows.

Install CWShredder, then:

Open CWS and click Check for Updates
Then click "FIX"

I suggest doing an online scan just as a secondary check.

[2.]
Please run at least one of these online scans, allow it to delete anything it finds:
You may have to select the auto-fix option prior to scanning, it should be a selection box on the screen. If you are a dial-up user just do one, this can take some time.
If you are a broadband user, I would suggest at least 2 of the 3. One extra scan is most often times enough.TrendMicro HouseCall
Panda ActiveScan
eTrust AntiVirus Web Scanner
Please make a note of anything that wasn't or couldn't be fixed.
Reboot your machine when finished.

[3.]
You may have run these programs already, make sure they are up to date and run per provided instructions.
Current Versions are:
Spybot S&D Ver: 1.3 Download Here
Ad-Aware SE Build 1.05 Download Here

Download and install both Spybot S&D and Ad-Aware SE.

Instructions:

Spybot S&D:
Go to your Start Menu >> Programs >> Spybot S&D >> then choose Spybot S&D.

*Close ALL windows except Spybot S&D
*Click the button to "Search for Updates" and download and install the Updates.
*Close Spybot then launch it again
*Click the button "Check for Problems"
*When Spybot is done scanning, it will be showing "RED" (RED) entries, "BLACK" entries and "GREEN" (GREEN) entries in the window
*Put a check mark beside the RED (RED) entries ONLY.
*Choose "Fix Selected Problems" and allow Spybot to fix the RED (RED) entries.


Ad-Aware SE FULL SCAN:
Go to your Start Menu >> Programs >> Lavasoft Ad-Aware SE >> then choose Ad-Aware SE Personal.

When the main window opens look in the bottom right corner and click on Check For Updates Now then click Connect and download the latest reference files.

From main window:
*Click Start then under Select a scan Mode check Perform Full System Scan.
*Next deselect Search for negligible risk entries.
*To scan just click the Next button.

When the scan has finished mark everything for removal and get rid of it.
(Right-click the window and choose select all from the drop down menu and click Next)
The program will ask if you want to fix/delete selected items, choose yes/fix.

[4.]
Enable show hidden files and folders:

* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

[5.]
Update your current Virus Scan Definitions:

[6.]
Reboot into Safe Mode and Scan with Spybot S&D and Ad-Aware SE

Scan your drive(s) with your updated Anti-Virus Program.

Empty Your Recycle Bin.

[7.]

Reboot normally and post a new HJT log by using Add Reply:


Thanks,
rstones12
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP