Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Hijack Log

Started by Bud Man , Dec 24 2004 07:05 PM

  • Please log in to reply

#1
Bud Man
Posted 24 December 2004 - 07:05 PM

Bud Man

    New Member

  • Member
  • Pip
  • 2 posts
Hijack Log file as follows: Please help: :tazz:

Logfile of HijackThis v1.99.0
Scan saved at 1301, on 12/24/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
G:\WINNT\System32\smss.exe
G:\WINNT\system32\winlogon.exe
G:\WINNT\system32\services.exe
G:\WINNT\system32\lsass.exe
G:\WINNT\system32\svchost.exe
G:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
G:\WINNT\system32\LEXBCES.EXE
G:\WINNT\system32\spoolsv.exe
G:\WINNT\system32\LEXPPS.EXE
G:\Program Files\Common Files\Symantec Shared\ccProxy.exe
G:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
G:\WINNT\system32\svchost.exe
G:\WINNT\system32\nvsvc32.exe
G:\WINNT\system32\regsvc.exe
G:\WINNT\system32\MSTask.exe
G:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
G:\WINNT\system32\stisvc.exe
G:\WINNT\Explorer.EXE
G:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
G:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
G:\WINNT\System32\WBEM\WinMgmt.exe
G:\WINNT\system32\svchost.exe
G:\WINNT\system32\RUNDLL32.EXE
G:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
G:\Program Files\Dell AIO Printer A940\dlbabmon.exe
G:\Program Files\D-Link\Air Utility\AirCFG.exe
G:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
G:\Program Files\Common Files\Symantec Shared\ccApp.exe
G:\PROGRA~1\SYMANT~2\SYMANT~2\VPTray.exe
G:\Program Files\QuickTime\qttask.exe
G:\Program Files\Internet Explorer\iexplore.exe
G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
g:\progra~1\intern~1\iexplore.exe
G:\Program Files\Internet Explorer\IEXPLORE.EXE
G:\Documents and Settings\Little Vinny\Desktop\HijackThis1990.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://web.mhyljhijz...hElH_HyNTY.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - G:\WINNT\questmod.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - g:\program files\google\googletoolbar2.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - G:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - g:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE G:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Dell AIO Printer A940] "G:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [D-Link Air Utility] G:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] G:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [ccApp] "G:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] G:\PROGRA~1\SYMANT~2\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [base meta 32 pure] G:\Documents and Settings\All Users\Application Data\DEAD UPLOAD BASE META\Jump audio.exe
O4 - HKLM\..\RunServicesOnce: [Copy] command.com /c copy G:\WINNT\Explorer.wb G:\WINNT\Explorer.exe
O4 - HKLM\..\RunServicesOnce: [Delete] command.com /c del G:\WINNT\Explorer.wb
O4 - HKCU\..\Run: [WAITBLEH] G:\DOCUME~1\LITTLE~1\APPLIC~1\FUNKBA~1\fivekeeplive.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Google Search - res://g:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://g:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://g:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://g:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://g:\program files\google\GoogleToolbar2.dll/cmtrans.html
O23 - Service: Symantec Event Manager - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher - Symantec Corporation - G:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - G:\WINNT\System32\dmadmin.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - G:\WINNT\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - G:\WINNT\system32\nvsvc32.exe
O23 - Service: SAVRoam - symantec - G:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - G:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort - Symantec Corporation - G:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
  • 0

Advertisements

#2
My2Cents
Posted 25 December 2004 - 10:25 AM

My2Cents

    Member

  • Member
  • PipPip
  • 45 posts
Please delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself) like for example
C:\WINDOWS\Temp\
C:\Temp\
C:\Documents and Settings\username\Local Settings\Temp\
Also delete your Temporary Internet Files, be sure to also select delete all offline content.

Do a virus scan here.
If you get report of files that can’t be cleaned / deleted please write down the filenames and locations and post that in your reply.

Then please do this since it’s better to use automated tools to get rid of the bad stuff use these 2 programs first before doing the final cleaning with HJT

First use Spybot S&D. (Version 1.3)
Spybot
Unzip, and update. Install the updates and run. Delete all that it marks in red.
Reboot

Then it’s time for Ad-Aware
Ad-Aware
Install and update by using the globe icon. Restart your computer and run Ad-Aware.
Press scan now and select drives and/or partitions to be scanned. When done select all and click next. Remove all checked items and then reboot your computer.

Please go to this page and read the instructions for how to configure Spybot S&D & Ad-Aware
How To Setup Spybot SD and Ad-Aware

Then post a new HJT log as a reply to this topic.
  • 0

#3
Bud Man
Posted 25 December 2004 - 10:58 PM

Bud Man

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
As requested:

Logfile of HijackThis v1.99.0
Scan saved at 1907, on 12/25/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
G:\WINNT\System32\smss.exe
G:\WINNT\system32\winlogon.exe
G:\WINNT\system32\services.exe
G:\WINNT\system32\lsass.exe
G:\WINNT\system32\svchost.exe
G:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
G:\WINNT\system32\LEXBCES.EXE
G:\WINNT\system32\spoolsv.exe
G:\WINNT\system32\LEXPPS.EXE
G:\Program Files\Common Files\Symantec Shared\ccProxy.exe
G:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
G:\WINNT\system32\svchost.exe
G:\WINNT\system32\nvsvc32.exe
G:\WINNT\system32\regsvc.exe
G:\WINNT\system32\MSTask.exe
G:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
G:\WINNT\system32\stisvc.exe
G:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
G:\WINNT\Explorer.EXE
G:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
G:\WINNT\System32\WBEM\WinMgmt.exe
G:\WINNT\system32\svchost.exe
G:\WINNT\system32\RUNDLL32.EXE
G:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
G:\Program Files\Dell AIO Printer A940\dlbabmon.exe
G:\Program Files\D-Link\Air Utility\AirCFG.exe
G:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
G:\Program Files\Common Files\Symantec Shared\ccApp.exe
G:\PROGRA~1\SYMANT~2\SYMANT~2\VPTray.exe
G:\Program Files\Internet Explorer\iexplore.exe
g:\progra~1\intern~1\iexplore.exe
G:\Program Files\Internet Explorer\IEXPLORE.EXE
G:\PROGRA~1\BROADJ~1\CLIENT~1\CFD.exe
G:\WINNT\system32\svchost.exe
G:\Program Files\Support.com\bin\tgcmd.exe
G:\Documents and Settings\Little Vinny\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.kcaphxsjd...hElH_HyNTY.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - G:\WINNT\questmod.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - g:\program files\google\googletoolbar2.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - G:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - g:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE G:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Dell AIO Printer A940] "G:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [D-Link Air Utility] G:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] G:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [ccApp] "G:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] G:\PROGRA~1\SYMANT~2\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [base meta 32 pure] G:\Documents and Settings\All Users\Application Data\DEAD UPLOAD BASE META\Jump audio.exe
O4 - HKLM\..\Run: [tgcmd] "G:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\RunServicesOnce: [Copy] command.com /c copy G:\WINNT\Explorer.wb G:\WINNT\Explorer.exe
O4 - HKLM\..\RunServicesOnce: [Delete] command.com /c del G:\WINNT\Explorer.wb
O4 - HKCU\..\Run: [WAITBLEH] G:\DOCUME~1\LITTLE~1\APPLIC~1\FUNKBA~1\fivekeeplive.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Google Search - res://g:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://g:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://g:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://g:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://g:\program files\google\GoogleToolbar2.dll/cmtrans.html
O23 - Service: Symantec Event Manager - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher - Symantec Corporation - G:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - G:\WINNT\System32\dmadmin.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - G:\WINNT\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - G:\WINNT\system32\nvsvc32.exe
O23 - Service: SAVRoam - symantec - G:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - G:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort - Symantec Corporation - G:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe




Please delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself) like for example
C:\WINDOWS\Temp\
C:\Temp\
C:\Documents and Settings\username\Local Settings\Temp\
Also delete your Temporary Internet Files, be sure to also select delete all offline content.

Do a virus scan here.
If you get report of files that can’t be cleaned / deleted please write down the filenames and locations and post that in your reply.

Then please do this since it’s better to use automated tools to get rid of the bad stuff use these 2 programs first before doing the final cleaning with HJT

First use Spybot S&D. (Version 1.3)
Spybot
Unzip,  and update. Install the updates and run. Delete all that it marks in red.
Reboot

Then it’s time for Ad-Aware
Ad-Aware
Install and update by using the globe icon. Restart your computer and run Ad-Aware.
Press scan now and select drives and/or partitions to be scanned. When done select all and click next. Remove all checked items and then reboot your computer.

Please go to this page and read the instructions for how to configure Spybot S&D & Ad-Aware
How To Setup Spybot SD and Ad-Aware

Then post a new HJT log as a reply to this topic.

View Post


  • 0

#4
coachwife6
Posted 27 December 2004 - 11:15 AM

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
You may wish to print out a copy of these instructions to follow while you complete this procedure.

Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.kcaphxsjd...hElH_HyNTY.html

O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - G:\WINNT\questmod.dll

I do not know what the following entries are. Do you? If you know and don't need them, please let me know and we'll get them on the next g-oround.

O4 - HKLM\..\Run: [base meta 32 pure] G:\Documents and Settings\All Users\Application Data\DEAD UPLOAD BASE META\Jump audio.exe
O4 - HKLM\..\RunServicesOnce: [Copy] command.com /c copy G:\WINNT\Explorer.wb G:\WINNT\Explorer.exe
O4 - HKLM\..\RunServicesOnce: [Delete] command.com /c del G:\WINNT\Explorer.wb
O4 - HKCU\..\Run: [WAITBLEH] G:\DOCUME~1\LITTLE~1\APPLIC~1\FUNKBA~1\fivekeeplive.exe

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).
Be sure you're able to view hidden files, and remove the following files (if found):

G:\WINNT\questmod.dll

Clean out your temp. files; reboot and post a new log.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP