Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

My Hijack This Log


  • Please log in to reply

#1
melcheck

melcheck

    Member

  • Member
  • PipPip
  • 18 posts
Here you go. Thanks for the help, and good luck!

Link from:
http://www.geekstogo...437


Logfile of HijackThis v1.99.1
Scan saved at 3:54:50 PM, on 4/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\TASKMGRU.EXE
C:\WINDOWS\system32\MSIMN32.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\TASKMGRU.EXE
C:\WINDOWS\system32\MSIMN32.EXE
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\alg.exe
C:\Palm\HOTSYNC.EXE
C:\Palm\AlarmApp.exe
C:\Program Files\TOSHIBA\NetDevSW\NetDevSW.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Mel\Desktop\HIJACKTH.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_2/home.html"); (C:\Documents and Settings\Mel\Application Data\Mozilla\Profiles\default\ar3p8vgn.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Mel\Application Data\Mozilla\Profiles\default\ar3p8vgn.slt\prefs.js)
O2 - BHO: BHDP Class - {1A1488CB-8028-49ba-AD19-18D13CDC650F} - C:\WINDOWS\bhoass.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 10
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitetnw32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TASKMGRU] C:\WINDOWS\system32\TASKMGRU.EXE
O4 - HKCU\..\Run: [MSIMN32] C:\WINDOWS\system32\MSIMN32.EXE
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Document Assistant.lnk = C:
\HPDESK\hppddir.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\billmind.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\Linksys\Configuration Utility\Config.exe
O4 - Global Startup: Alarm Manager.LNK = C:\Palm\AlarmApp.exe
O4 - Global Startup: Network Device Switch.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support2.char...oad/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1108345801621
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
  • 0

Advertisements


#2
RKinner

RKinner

    Malware Expert

  • Expert
  • 17,346 posts
  • MVP
Under Review
  • 0

#3
melcheck

melcheck

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Ron-
Here's the latest. I hope this shows improvement.
Thanks for the help.
Mel

Logfile of HijackThis v1.99.1
Scan saved at 9:07:51 PM, on 4/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\TASKMGRU.EXE
C:\WINDOWS\system32\MSIMN32.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\system32\TASKMGRU.EXE
C:\WINDOWS\system32\MSIMN32.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Linksys\Configuration Utility\Config.exe
C:\Palm\AlarmApp.exe
C:\Program Files\TOSHIBA\NetDevSW\NetDevSW.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Mel\Desktop\HIJACKTH.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_2/home.html"); (C:\Documents and Settings\Mel\Application Data\Mozilla\Profiles\default\ar3p8vgn.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Mel\Application Data\Mozilla\Profiles\default\ar3p8vgn.slt\prefs.js)
O2 - BHO: BHDP Class - {1A1488CB-8028-49ba-AD19-18D13CDC650F} - C:\WINDOWS\bhoass.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: SToolbar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\stlbd.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 10
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TASKMGRU] C:\WINDOWS\system32\TASKMGRU.EXE
O4 - HKCU\..\Run: [MSIMN32] C:\WINDOWS\system32\MSIMN32.EXE
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Document Assistant.lnk = C:\HPDESK\hppddir.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\billmind.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\Linksys\Configuration Utility\Config.exe
O4 - Global Startup: Alarm Manager.LNK = C:\Palm\AlarmApp.exe
O4 - Global Startup: Network Device Switch.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Microsoft AntiSpyware helper - {DE0CB1E3-0A53-460D-A368-74A53BE5B597} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {DE0CB1E3-0A53-460D-A368-74A53BE5B597} - (no file) (HKCU)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support2.char...oad/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1108345801621
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
  • 0

#4
RKinner

RKinner

    Malware Expert

  • Expert
  • 17,346 posts
  • MVP
Under Review
  • 0

#5
melcheck

melcheck

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Ron-
Did the killbox. Now when I reboot into safe mode it doesn't show anything but a black screen with "Safe Mode" in a couple of spots. Should I reboot into normal mode and see what happens?
Mel
  • 0

#6
RKinner

RKinner

    Malware Expert

  • Expert
  • 17,346 posts
  • MVP
Under Review
  • 0

#7
melcheck

melcheck

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
It's taken some creative work, but I was able to run sfc and hijack this. A new log follows. I no longer have a desktop - when I boot up I get a lovely pale blue screen - no icons, no start button, nothing. Starting to look like a re-format is in order!

Logfile of HijackThis v1.99.1
Scan saved at 2:30:38 PM, on 4/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Mel\Desktop\HIJACKTH.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_2/home.html"); (C:\Documents and Settings\Mel\Application Data\Mozilla\Profiles\default\ar3p8vgn.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Mel\Application Data\Mozilla\Profiles\default\ar3p8vgn.slt\prefs.js)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 10
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Document Assistant.lnk = C:\HPDESK\hppddir.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\billmind.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\Linksys\Configuration Utility\Config.exe
O4 - Global Startup: Alarm Manager.LNK = C:\Palm\AlarmApp.exe
O4 - Global Startup: Network Device Switch.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Microsoft AntiSpyware helper - {DE0CB1E3-0A53-460D-A368-74A53BE5B597} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {DE0CB1E3-0A53-460D-A368-74A53BE5B597} - (no file) (HKCU)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support2.char...oad/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1108345801621
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
  • 0

#8
RKinner

RKinner

    Malware Expert

  • Expert
  • 17,346 posts
  • MVP
Under Review
  • 0

#9
melcheck

melcheck

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
it can't find explorer.exe. Browsing shows it in the windows directory, but it won't open.
  • 0

#10
RKinner

RKinner

    Malware Expert

  • Expert
  • 17,346 posts
  • MVP
Under Review
  • 0

Advertisements


#11
RKinner

RKinner

    Malware Expert

  • Expert
  • 17,346 posts
  • MVP
*Edited by a GeeksToGo Global Moderator to remove offensive post.
  • 0

#12
Kat

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
Hello there, melcheck! I apologize for the inconvenience. Someone else will be taking over your thread from here, and will be along very shortly to post new instructions to you!
  • 0

#13
Kat

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
I did receive your email just now. I am very sorry for the delay. The posts that were removed belonged to RKinner, who had been helping you. He posted incomplete advice, and has since been banned from our forums. I sincerely apologize for any confusion. Please rest assured that the advice you were given will NOT harm your system, it just is incomplete.
I have just pm'd one of our Experts here who is online at the moment to come help you out. Don is very very thorough and good, and will be along to help you as soon as he's free from what he's working on now!
  • 0

#14
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Hi melcheck
Lets see if we can't do a system Restore, If successful we will have to clean your system again,

See Here

Post back a fresh log after you have done that please
  • 0

#15
melcheck

melcheck

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
System restore was turned off in response to previous instructions from one of the removal programs. Although it is now turned back on, it doesn't seem to be doing anything.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP