Wilders Security Forums  

#1  May 2nd, 2004, 06:06 PM
agentgraves (Infrequent Poster; Join Date: May 2004; Posts: 1)

Can someone have a look at this log?

I'm having problems with popup ads coming from nowhere and
I think I've been hijacked. Can someone have a look and help me out?

Logfile of HijackThis v1.97.7
Scan saved at 6:04:34 PM, on 5/2/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\Common files\updater\wupdater.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\soundman.exe
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\Lexmark 3100 Series\lxbrcmon.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINDOWS\System32\wnscpsv.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Documents and Settings\Pablo\Application Data\aasa.exe
C:\WINDOWS\System32\SPOOL\DRIVERS\W32X86\3\LXBRPSWX.EXE
C:\WINDOWS\System32\SPOOL\DRIVERS\W32X86\3\LXBRJSWX.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\PCCMAIN.EXE
C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\WINDOWS\System32\netapi32.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Pablo\LOCALS~1\Temp\Rar$EX00.322\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/"); (C:\Documents and Settings\Pablo\Application Data\Mozilla\Profiles\default\0g4fy0uo.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Pablo\Application Data\Mozilla\Profiles\default\0g4fy0uo.slt\prefs.js)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [<H] c:\WINDOWS\System32\<HEAD>
O4 - HKLM\..\Run: [<B] c:\WINDOWS\System32\<BODY>
O4 - HKLM\..\Run: [</H] c:\WINDOWS\System32\</HTML>
O4 - HKLM\..\Run: [</B] c:\WINDOWS\System32\</BODY>
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [hdvowcj] "C:\WINDOWS\System32\hdvowcj.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [WNSI] C:\WINDOWS\System32\wnscpsv.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [netapi32] C:\WINDOWS\System32\netapi32.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Sidesearch (HKLM)
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeup...ntent/opuc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
#2  May 3rd, 2004, 04:48 AM
Pieter_Arntz (Spyware Veteran; Join Date: Apr 2002; Location: Netherlands; Posts: 12,716)

Re: Can someone have a look at this log?

Hi agentgraves,

Before you start, please unzip HijackThis to a separate folder. The program will make backups in the folder it's in.
These easily get lost in a Temp folder.

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:


O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll

O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe

O4 - HKLM\..\Run: [<H] c:\WINDOWS\System32\<HEAD>
O4 - HKLM\..\Run: [<B] c:\WINDOWS\System32\<BODY>
O4 - HKLM\..\Run: [</H] c:\WINDOWS\System32\</HTML>
O4 - HKLM\..\Run: [</B] c:\WINDOWS\System32\</BODY>

O4 - HKLM\..\Run: [hdvowcj] "C:\WINDOWS\System32\hdvowcj.exe"

O4 - HKCU\..\Run: [WNSI] C:\WINDOWS\System32\wnscpsv.exe

O4 - HKCU\..\Run: [netapi32] C:\WINDOWS\System32\netapi32.exe
O4 - Startup: PowerReg SchedulerV2.exe

O9 - Extra button: Sidesearch (HKLM)

Reboot into safe mode and delete:
C:\Program Files\Common files\updater <= entire folder
C:\WINDOWS\System32\hdvowcj.exe
C:\WINDOWS\System32\wnscpsv.exe
C:\WINDOWS\System32\netapi32.exe

Then reboot, run HijackThis again and post a new log.

Regards,

Pieter
__________________
It's nice to be important, but it's more important to be nice.

It's human to make mistakes. It's even more so to blame the computer for it.
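The script below is an added example for this thread; it is not part of either post and not code from HijackThis or Wilders. It parses the HijackThis 1.97 log format shown in the first post (the "Running processes:" block plus O2 and O4 lines) into records and runs a few triage heuristics of the kind a helper applies when reading such a log: autorun value names that are HTML fragments rather than program names, an unnamed BHO living outside Program Files, an executable whose name collides with a core Windows DLL, and anything running from Temp or Application Data (which is also why the reply asks for HijackThis to be unzipped to its own folder). The embedded sample is an excerpt copied from the log above; the heuristic rules, the substrings used to recognise user-profile directories and the list of DLL names are this example's own assumptions. Note that the random-looking hdvowcj.exe entry the reply flags is not caught by any of these rules, which is the point: heuristics narrow the list, a person still reads the log.

```python
"""Parse a HijackThis 1.97-style log and apply simple triage heuristics.

Added example for the forum thread, not HijackThis's own code.  The sample
log is an excerpt of the log posted in the thread; every rule below is an
assumption of this example, not an official detection list.
"""
import re

# Constructed excerpt of the posted log (a subset of its lines, verbatim).
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Scan saved at 6:04:34 PM, on 5/2/2004
Platform: Windows XP (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Documents and Settings\Pablo\Application Data\aasa.exe
C:\DOCUME~1\Pablo\LOCALS~1\Temp\Rar$EX00.322\HijackThis.exe

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [<H] c:\WINDOWS\System32\<HEAD>
O4 - HKLM\..\Run: [hdvowcj] "C:\WINDOWS\System32\hdvowcj.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [netapi32] C:\WINDOWS\System32\netapi32.exe
"""

# O4: registry Run values.  O2: Browser Helper Objects (CLSID + DLL path).
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
O2_RE = re.compile(r'^O2 - BHO: (?P<desc>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$')
SECTION_RE = re.compile(r'^[A-Z]\d{1,2} - ')   # any "Nn - " section line ends the process block

# Assumed indicators (this example's choices, not an official list).
USER_PROFILE_DIRS = ('\\application data\\', '\\local settings\\', '\\temp\\')
CORE_DLL_NAMES = {'netapi32', 'kernel32', 'user32', 'advapi32', 'ntdll', 'ws2_32'}


def parse_hjt(text):
    """Return {'processes': [path, ...], 'entries': [dict, ...]} from log text."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == 'Running processes:':
            in_procs = True
            continue
        if in_procs:
            if line and not SECTION_RE.match(line):
                processes.append(line)
                continue
            in_procs = False          # blank line or first section line ends the block
        if not line:
            continue
        for section, rx in (('O4', O4_RE), ('O2', O2_RE)):
            m = rx.match(line)
            if m:
                entries.append({'section': section, 'raw': line, **m.groupdict()})
                break
    return {'processes': processes, 'entries': entries}


def executable_of(cmd):
    """Strip quoting and arguments from a Run value, leaving the launched path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(?i)(.*?\.exe)(\s|$)', cmd)
    return m.group(1) if m else cmd.split(' ')[0]


def basename(path):
    return path.replace('/', '\\').rsplit('\\', 1)[-1]


def triage(text):
    """Return [(rule, raw_line), ...] for entries that deserve a closer look."""
    data = parse_hjt(text)
    findings = []
    for proc in data['processes']:
        if any(d in proc.lower() for d in USER_PROFILE_DIRS):
            findings.append(('process-in-user-profile', proc))
    for e in data['entries']:
        if e['section'] == 'O2':
            if e['desc'] == '(no name)' and '\\program files\\' not in e['path'].lower():
                findings.append(('unnamed-bho-outside-program-files', e['raw']))
        else:  # O4
            if '<' in e['name'] or '>' in e['name']:
                findings.append(('autorun-name-not-a-program-name', e['raw']))
            exe = executable_of(e['cmd'])
            stem = basename(exe).lower()
            if stem.endswith('.exe') and stem[:-4] in CORE_DLL_NAMES:
                findings.append(('exe-named-like-core-dll', e['raw']))
            if any(d in exe.lower() for d in USER_PROFILE_DIRS):
                findings.append(('autorun-in-user-profile', e['raw']))
    return findings


if __name__ == '__main__':
    for rule, raw in triage(SAMPLE_LOG):
        print(f'{rule:36} {raw}')
```

Run it on a full log by reading the file into `triage()` instead of `SAMPLE_LOG`; every finding carries the original line so it can be matched against the HijackThis checklist by eye. The rules are deliberately narrow (no attempt to judge random-looking names) so that legitimate vendor entries such as the Lexmark and Trend Micro lines above stay out of the output.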
 
