Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

My HijackThis log


  • Please log in to reply

#1
densomi

densomi

    New Member

  • Member
  • Pip
  • 2 posts
Logfile of HijackThis v1.99.1
Scan saved at 2:43:59, on 13/10/2548
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\taskswitch.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\system32\carpserv.exe
D:\Program Files\JawsSystems\Jaws PDF Creator\PDFClient.exe
D:\Program Files\WS_FTP Pro\ftpqueue.exe
D:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
D:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\AppServ\Apache\Apache.exe
D:\Program Files\WS_FTP Pro\ftpsched.exe
D:\AppServ\mysql\bin\mysqld-nt.exe
D:\AppServ\Apache\Apache.exe
D:\WINDOWS\system32\PDFCreatorMessages.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\system32\ntvdm.exe
D:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.50.166.12 www.go.com
O1 - Hosts: 69.50.166.12 go.com
O1 - Hosts: 69.50.166.13 astalavista.com
O1 - Hosts: 69.50.166.13 www.astalavista.com
O1 - Hosts: 69.50.166.13 astalavista.box.sk
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (file missing)
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - D:\WINDOWS\system32\pmnnk.dll
O2 - BHO: Bho - {EFDAC3FE-F44A-4030-8589-1E23BC6573D5} - D:\WINDOWS\system32\qwcxstyi.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [CoolSwitch] D:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [PDFCreatorClient] D:\Program Files\JawsSystems\Jaws PDF Creator\PDFClient.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ftpqueue] D:\Program Files\WS_FTP Pro\ftpqueue.exe -tray
O4 - HKLM\..\Run: [VaCtrl] D:\Program Files\VoiceAge\Common\VaCtrl.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] D:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Google Desktop Search] "D:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [WinPatrol] "D:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKCU\..\Run: [MPLAB_SVHelper] E:\hi-tech PIC C\SVHelper\SVHelper.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googl...en/preview.html
O8 - Extra context menu item: ส่&งออกไปยัง Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2091EE9-B0BF-4575-A4BE-43A7ECEE7B7B}: NameServer = 192.168.1.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: pmnnk - D:\WINDOWS\system32\pmnnk.dll
O23 - Service: Apache - Unknown owner - D:\AppServ\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: Ipswitch WS_FTP Queue (ftpqueue) - Ipswitch, Inc., 81 Hartwell Ave, Lexington MA 02421 - D:\Program Files\WS_FTP Pro\ftpsched.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySQL - Unknown owner - D:\AppServ\mysql\bin\mysqld-nt.exe
O23 - Service: PDFCreatorMessages - Global Graphics Software Ltd - D:\WINDOWS\system32\PDFCreatorMessages.exe
  • 0

Advertisements


#2
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Welcome densomi to Geeks to Go!

You are running HijackThis from the Desktop; please create a new folder for it and move the program into the new folder

***

We need to disable your Microsoft AntiSpyware Real-time Protection as it may interfere with the fixes that we need to make.

Open Microsoft AntiSpyware.
Click on Tools, Settings.
In the left pane, click on Real-time Protection.
Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.
Reverse the process when you’ve carried out the advise.

***

Please print these instructions out for use in Safe Mode.
Please note: your AntiVirus program may prompt you to a malicious program running. Allow the entire script to run.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
  • You will first be presented with a warning and a list of forums to seek help at.
    it should look like this

    VundoFix V2.1 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    This list of forums is provided as an example of where to go to obtain help!!
    <a href="http://www.atribune.org/forums" target="_blank">http://www.atribune.....org/forums</a>
    <a href="http://www.247fixes.com/forums" target="_blank">http://www.247fixes.....com/forums</a>
    <a href="http://www.geekstogo.com/forum" target="_blank">http://www.geekstogo...o.com/forum</a>
    <a href="http://forums.net-in...ntegration.net" target="_blank">http://forums.net-in...gration.net</a>
    <a href="http://castlecops.co...om/forums.html" target="_blank">http://castlecops.co...forums.html</a>
    <a href="http://www.besttechie.net/forums" target="_blank">http://www.besttechi....net/forums</a>
    Press enter to continue....


  • At this point press enter one time.

  • Next you will see:

    Type in the filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.


  • At this point please type the following file path (make sure to enter it exactly as below!):
    • D:\WINDOWS\system32\pmnnk.dll

  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.

  • Next you will see:

    Please type in the second filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.

  • At this point please type the following file path (make sure to enter it exactly as below!):D:\WINDOWS\system32\knnmp.*
  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  • The fix will run then HijackThis will open.
  • In HijackThis, please place a check next to the following items and click FIX CHECKED:R3 - Default URLSearchHook is missing

    O1 - Hosts: 69.50.166.12 www.go.com
    O1 - Hosts: 69.50.166.12 go.com
    O1 - Hosts: 69.50.166.13 astalavista.com
    O1 - Hosts: 69.50.166.13 www.astalavista.com
    O1 - Hosts: 69.50.166.13 astalavista.box.sk

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (file missing)

    O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - D:\WINDOWS\system32\pmnnk.dll

    O2 - BHO: Bho - {EFDAC3FE-F44A-4030-8589-1E23BC6573D5} - D:\WINDOWS\system32\qwcxstyi.dll

    O20 - Winlogon Notify: pmnnk - D:\WINDOWS\system32\pmnnk.dll
  • After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
  • Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!
  • Once your machine reboots please continue with the instructions below.
***

Download and install Cleanup from here (Alternate site if the above is not working, go Here)

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

***

Download the Hoster Here

Unzip Hoster to your desktop

Open up the Hoster program.
  • Make sure that the "make hosts writable?" button in the upper right corner is enabled.
  • Click back up Host files
  • then click Restore orginal host files
  • close program
***

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic.

Edited by g2i2r4, 13 October 2005 - 01:42 PM.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP