Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Question about hijackthis

Started by terryall , Feb 07 2005 09:26 PM

  • Please log in to reply

#1
terryall
Posted 07 February 2005 - 09:26 PM

terryall

    New Member

  • Member
  • Pip
  • 2 posts
Hi. I have been working on my computer problems for several weeks now and it is just getting worse. My usual routine is as follows:

1. Run ad-aware and delete critical objects.
2. Run Spy Bot and fix the problems.
3. Run CWS shredder and fix.
4. Look at hijackthis log and remove any unwanted items.
5. Delete cookies and temp files
6. Go through windows explorer and delete any new unwanted files like elitetoolbar etc.
7. Empty recycle bin

I do all of this while disconnected from my DSL line. After I do this I can post a really clean hijackthis log. As soon as I connect my modem back to the internet, windows start popping up, p*** sites get added to my fav places, p*** icons start appearing, my homepage gets hijacked, pop up windows start opening....all within the first 15 minutes I am online. I then go through the ritual of disconnecting from the internet and starting all over again. It's an endless cycle.

I will go through the ritual right now...and post the clean log...then I will wait a few minutes and post a second log to show how messed up it gets within minutes.

I will be back to post in this thread...
  • 0

Advertisements

#2
terryall
Posted 07 February 2005 - 10:54 PM

terryall

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
I am going to post two hijack logs. The first one was after I ran ad-aware, spybot, deleted files from hijackthis, CWS shredder, edited any known bad files in windows explorer and emptied my cache. Note the time is 11:07 pm.

Logfile of HijackThis v1.97.7
Scan saved at 11:07:16 PM, on 2/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Terry\dddd.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Terry\dddd.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\system32\boln.dll
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvgdp32.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe boln.dll, DllRegisterServer
O4 - Global Startup: eFax Live Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
O4 - Global Startup: PowerReg Scheduler.exe
O9 - Extra button: Real.com (HKLM)
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O16 - DPF: LaunchExeApplet - http://myfpl.fplu.fp...chexeapplet.cab
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.co...rols/Rovion.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = fpl.com,fplu.fpl.com,fple.fpl.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = fpl.com,fplu.fpl.com,fple.fpl.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = fpl.com,fplu.fpl.com,fple.fpl.com


I then shut all windows down but left the computer on and walked away from the computer for about 20 minutes. When I came back there were several p*** site windows open along with random search engine windows open. I reran hijackthis and got this log.

Logfile of HijackThis v1.97.7
Scan saved at 11:47:05 PM, on 2/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\isrvs\desktop.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
C:\Program Files\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\blank.htm
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\system32\boln.dll
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvgdp32.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe boln.dll, DllRegisterServer
O4 - Global Startup: eFax Live Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
O4 - Global Startup: PowerReg Scheduler.exe
O9 - Extra button: Real.com (HKLM)
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2****ed.biz
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: LaunchExeApplet - http://myfpl.fplu.fp...chexeapplet.cab
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.co...rols/Rovion.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = fpl.com,fplu.fpl.com,fple.fpl.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = fpl.com,fplu.fpl.com,fple.fpl.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = fpl.com,fplu.fpl.com,fple.fpl.com

As you can imagine the p*** sites opening and not as much an inconvenience as they are extremely disturbing since my young boys need to use the internet to do their homework. I have to sit at the computer while they are doing it to intercept any p*** windows that fly open. I wish I could find an end to this but I have tried everything.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP