could someone please take a peak...

Discussion in 'adware, spyware & hijack cleaning' started by Will44, Dec 3, 2003.

Thread Status:
Not open for further replies.
  1. Will44

    Will44 Registered Member

    Joined:
    Nov 28, 2003
    Posts:
    7
    hello,

    could someone please take a peak at the following log and let me know what you think

    thanks in advance,
    /will
     
  2. Will44

    Will44 Registered Member

    Joined:
    Nov 28, 2003
    Posts:
    7
    oops...

    Logfile of HijackThis v1.97.7
    Scan saved at 4:34:26 PM, on 12/3/03
    Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\RpcSs.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolss.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINNT\System32\mgasc.exe
    C:\WINNT\System32\mgactrl.exe
    c:\PROGRA~1\Symantec\LIVEUP~1\NAVRoam.exe
    C:\Apps\NETFINITY\NFNTSVC.EXE
    C:\Program Files\NavNT\rtvscan.exe
    C:\Apps\NETFINITY\netfbase.exe
    C:\NAgent\NSCAGENT.EXE
    C:\Apps\NETFINITY\pfab.exe
    c:\winnt\system32\pstores.exe
    C:\WINNT\system32\MSTask.exe
    C:\DTG\BIN\SUSS.EXE
    C:\Apps\NETFINITY\alertmgr.exe
    C:\Apps\NETFINITY\monbase.exe
    C:\Apps\NETFINITY\CMBASE.EXE
    C:\WINNT\System32\MsgSys.EXE
    C:\WINNT\System32\nddeagnt.exe
    C:\WINNT\Explorer.exe
    C:\WINNT\System32\CWB3DSnd.exe
    C:\WINNT\System32\SysTray.exe
    C:\WINNT\System32\MGAHOOK.EXE
    C:\WINNT\System32\loadwc.exe
    C:\PROGRA~1\NavNT\vptray.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINNT\Profiles\lanadmin\Desktop\My Doc's\Wilders.org\HijackThis.exe
    C:\PROGRA~1\Plus!\MICROS~1\iexplore.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://eweb.verizon.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy.verizon.com/cgi-bin/getproxy
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [CW3DSound] CWB3DSnd.exe
    O4 - HKLM\..\Run: [System Tray] SysTray.exe
    O4 - HKLM\..\Run: [MGA Hook] "C:\WINNT\System32\MGAHOOK.EXE"
    O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
    O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Srng] C:\Program Files\Srng\Srng.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_02) - http://cmisweb.tel.gte.com:8080/plugin/1.4/j2re-1_4_1_02-windows-i586.exe
    O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://www.investors.com/member/ocx/plotwon.ocx
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = verizon.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = verizon.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 161.128.136.111 161.128.8.111
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 161.128.136.111 161.128.8.111
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Will44,

    Check this item in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O4 - HKLM\..\Run: [Srng] C:\Program Files\Srng\Srng.exe

    Then reboot and delete:
    C:\Program Files\Srng <= the entire folder (if still present)

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.