Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

HiJack This Log[CLOSED]


  • This topic is locked This topic is locked

#1
tkotten

tkotten

    New Member

  • Member
  • Pip
  • 1 posts
Logfile of HijackThis v1.99.1
Scan saved at 3:37:26 PM, on 5/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\DOCUME~1\BANKS~1.CHR\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.sharempeg.com/find/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rqhxozkxh...cvT2/eZkzLv.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pphdqnhtcsadj...z7nt9cddZQc.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2872254D-133A-99CA-F122-A51E8AF82915} - C:\PROGRA~1\ARMYVC~1\soft bib.exe (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {73B1D0EB-8EE4-9D92-A71B-BEF84E2DB1D9} - C:\DOCUME~1\BANKS~1.CHR\APPLIC~1\ARMYVC~1\soft bib.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Blah extra once bolt] C:\Documents and Settings\All Users\Application Data\Dupe Wave Blah Extra\Joy Settings.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Keep Ante Name Each] C:\Documents and Settings\All Users\Application Data\bytewindowkeepante\locksfork.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [barb dumb] C:\DOCUME~1\BANKS~1.CHR\APPLIC~1\HELPSH~1\Software amen.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094665438933
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ChristyWebber.local
O17 - HKLM\Software\..\Telephony: DomainName = ChristyWebber.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{81C1537C-B1D8-43E4-8D03-BC73B2B8CED8}: NameServer = 192.168.0.240,206.13.28.12,151.164.1.8
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ChristyWebber.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ChristyWebber.local
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
  • 0

Advertisements


#2
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hello,

* Please set your system to show all files; please see here if you're unsure how to do this.

Hijackthis is still in your temp-folder, so I strongly advise to create a permanent folder and move hijackthis.exe into it. The reason is because hijackthis creates backups and when it's in your temp-folder it can be accidentally deleted.
How do you make a permanent folder:

Click My Computer, then C:\ and then on Program Files.
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis".
Now you have C:\Program Files\HijackThis. Put your HijackThis.exe there.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.sharempeg.com/find/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rqhxozkxh...cvT2/eZkzLv.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pphdqnhtcsadj...z7nt9cddZQc.htm
O2 - BHO: (no name) - {2872254D-133A-99CA-F122-A51E8AF82915} - C:\PROGRA~1\ARMYVC~1\soft bib.exe (file missing)
O2 - BHO: (no name) - {73B1D0EB-8EE4-9D92-A71B-BEF84E2DB1D9} - C:\DOCUME~1\BANKS~1.CHR\APPLIC~1\ARMYVC~1\soft bib.exe
O4 - HKLM\..\Run: [Blah extra once bolt] C:\Documents and Settings\All Users\Application Data\Dupe Wave Blah Extra\Joy Settings.exe
O4 - HKLM\..\Run: [Keep Ante Name Each] C:\Documents and Settings\All Users\Application Data\bytewindowkeepante\locksfork.exe
O4 - HKCU\..\Run: [barb dumb] C:\DOCUME~1\BANKS~1.CHR\APPLIC~1\HELPSH~1\Software amen.exe


* Click on Fix Checked when finished and exit HijackThis.

* Reboot into Safe Mode`:
°To get into the Safe mode as the computer is booting press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key.


* Using Windows Explorer, locate the following folders, and delete them if still present:

C:\PROGRAM FILES\ARMYVC.. <== (starts with these letters)
C:\DOCUMENTS AND SETTINGS\BANKS~1.CHR\APPLICATION DATA\ARMYVC..
C:\Documents and Settings\All Users\Application Data\Dupe Wave Blah Extra
C:\Documents and Settings\All Users\Application Data\bytewindowkeepante
C:\DOCUMENTS AND SETTINGS\BANKS~1.CHR\APPLICATION DATA\HELPSH..

* Reboot your system back to normal mode.

* Open notepad and copy and paste next in it:

dir %Windir%\tasks /a h > files.txt
notepad files.txt


Save this as findjobs.bat , choose to save it as *all files and place it on your desktop.
Doubleclick on op findjobs.bat and post the content of the txtfile you get in your next reply together with a new hijackthislog.
  • 0

#3
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP