Help with HijackThis log pls

Discussion in 'adware, spyware & hijack cleaning' started by cameronst, Jun 19, 2004.

Thread Status:
Not open for further replies.
  1. cameronst

    cameronst Registered Member

    Joined:
    Apr 2, 2004
    Posts:
    6
    I'm having problems with a browser hijacker and am posting my hijack this log in hopes of getting some help.

    I've run Adaware and Spybot previously as well as cwshredder but haven't been able to get rid of the hijacker.

    Many thanks for your help,

    Cam

    Logfile of HijackThis v1.97.7

    Scan saved at 10:46:23 AM, on 06/19/2004

    Platform: Windows XP SP1 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:

    C:\WINNT\System32\smss.exe

    C:\WINNT\system32\winlogon.exe

    C:\WINNT\system32\services.exe

    C:\WINNT\system32\lsass.exe

    C:\WINNT\system32\svchost.exe

    C:\WINNT\System32\svchost.exe

    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

    C:\WINNT\Explorer.EXE

    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

    C:\WINNT\system32\spoolsv.exe

    C:\WINNT\GWMDMMSG.exe

    C:\WINNT\System32\igfxtray.exe

    C:\WINNT\System32\hkcmd.exe

    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

    C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

    C:\Program Files\PopUp Killer\PopUpKiller.EXE

    C:\Program Files\Messenger\msmsgs.exe

    C:\WINNT\System32\wnsintsu.exe

    C:\WINNT\System32\NDrv.exe

    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe

    C:\Program Files\Norton AntiVirus\navapsvc.exe

    C:\WINNT\System32\NMSSvc.exe

    C:\WINNT\System32\svchost.exe

    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

    C:\WINNT\System32\HPZipm12.exe

    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

    C:\Program Files\Symantec\LiveUpdate\AUpdate.exe

    C:\hijackthis\HijackThis.exe


    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\dowc8zgb.slt\prefs.js)

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

    O2 - BHO: (no name) - {E205C796-4DC2-40DB-B2AC-029BD95A32E0} - C:\WINNT\System32\lkel.dll

    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe

    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe

    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe

    O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe

    O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe

    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    O4 - HKLM\..\Run: [SysUpd] C:\WINNT\sysupd.exe

    O4 - HKLM\..\Run: [intdctrr] C:\WINNT\System32\idctup20.exe

    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

    O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE

    O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" +c

    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

    O4 - HKCU\..\Run: [window.exe] C:\WINNT\System32\window.exe

    O4 - HKCU\..\Run: [WNSC] C:\WINNT\System32\wnsintsu.exe

    O4 - HKCU\..\Run: [NDrv] C:\WINNT\System32\NDrv.exe

    O4 - Startup: PowerReg Scheduler V3.exe

    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

    O4 - Global Startup: officejet 6100.lnk = ?

    O16 - DPF: emfctrl cab file - https://secure.emailfiltering.co.uk/cab/emfctrl.cab

    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

    O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggernews/ForbesDownloaderSigned.cab
     
  2. dave38

    dave38 Spyware Expert

    Joined:
    Feb 26, 2004
    Posts:
    377
    Have HijackThis fix all of the following by placing a check in the appropriate boxes and hitting "Fix checked". Make sure all browser and all Windows Explorer windows are closed before fixing.

    O2 - BHO: (no name) - {E205C796-4DC2-40DB-B2AC-029BD95A32E0} - C:\WINNT\System32\lkel.dll

    O4 - HKLM\..\Run: [SysUpd] C:\WINNT\sysupd.exe
    O4 - HKLM\..\Run: [intdctrr] C:\WINNT\System32\idctup20.exe
    O4 - HKCU\..\Run: [window.exe] C:\WINNT\System32\window.exe
    O4 - HKCU\..\Run: [WNSC] C:\WINNT\System32\wnsintsu.exe
    O4 - HKCU\..\Run: [NDrv] C:\WINNT\System32\NDrv.exe

    Reboot and delete files:
    C:\WINNT\sysupd.exe
    C:\WINNT\System32\idctup20.exe
    C:\WINNT\System32\window.exe
    C:\WINNT\System32\wnsintsu.exe
    C:\WINNT\System32\NDrv.exe

    These may be hidden files. See HERE for how to show hidden files.

    Please post a followup Hijack this log, and say if your problems persist.
     
  3. cameronst

    cameronst Registered Member

    Joined:
    Apr 2, 2004
    Posts:
    6
    Things appear to be running smoothly now. Thanks for the help!

    Cam

    ______________________________

    Here is a new hijack this log:

    Logfile of HijackThis v1.97.7

    Scan saved at 2:51:55 PM, on 06/19/2004

    Platform: Windows XP SP1 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:

    C:\WINNT\System32\smss.exe

    C:\WINNT\system32\winlogon.exe

    C:\WINNT\system32\services.exe

    C:\WINNT\system32\lsass.exe

    C:\WINNT\system32\svchost.exe

    C:\WINNT\System32\svchost.exe

    C:\WINNT\Explorer.EXE

    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

    C:\WINNT\system32\spoolsv.exe

    C:\WINNT\GWMDMMSG.exe

    C:\WINNT\System32\igfxtray.exe

    C:\WINNT\System32\hkcmd.exe

    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

    C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

    C:\Program Files\PopUp Killer\PopUpKiller.EXE

    C:\Program Files\Messenger\msmsgs.exe

    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe

    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

    C:\Program Files\Norton AntiVirus\navapsvc.exe

    C:\WINNT\System32\NMSSvc.exe

    C:\WINNT\System32\svchost.exe

    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

    C:\WINNT\System32\HPZipm12.exe

    C:\hijackthis\HijackThis.exe

    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\dowc8zgb.slt\prefs.js)

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe

    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe

    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe

    O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe

    O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe

    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

    O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE

    O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" +c

    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

    O4 - Startup: PowerReg Scheduler V3.exe

    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

    O4 - Global Startup: officejet 6100.lnk = ?

    O16 - DPF: emfctrl cab file - https://secure.emailfiltering.co.uk/cab/emfctrl.cab

    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

    O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggernews/ForbesDownloaderSigned.cab
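
Added example, not part of the original thread or of HijackThis: one way to check a follow-up log against the fix list, confirming that the flagged entries and processes are gone and that nothing new appeared in their place. The function names `parse` and `verify_cleanup` are hypothetical; the log lines are shortened excerpts of the two logs posted above.

```python
import re

ENTRY = re.compile(r"^[RFNO]\d{1,2} - .+$", re.I)  # e.g. "O4 - HKLM\..\Run: ..."

def parse(log):
    """Return (running processes, scan entries), lower-cased since Windows paths are case-insensitive."""
    procs, entries, in_procs = set(), set(), False
    for line in (raw.strip().lower() for raw in log.splitlines()):
        if not line:
            continue  # forum copies of logs are often double-spaced
        if ENTRY.match(line):
            in_procs = False
            entries.add(line)
        elif line.startswith("running processes"):
            in_procs = True
        elif in_procs:
            procs.add(line)
    return procs, entries

def verify_cleanup(before, after, fixed, deleted):
    """Check the follow-up log against the fix list and the first log."""
    _, old = parse(before)
    procs, new = parse(after)
    return {
        "still_present": sorted(e.lower() for e in fixed if e.lower() in new),
        "still_running": sorted(p.lower() for p in deleted if p.lower() in procs),
        # Entries absent from the first log; a respawn under a new name lands here.
        "new_entries": sorted(new - old),
    }

# Shortened excerpts of the two logs posted in this thread.
BEFORE = r"""Running processes:
C:\WINNT\System32\wnsintsu.exe
C:\WINNT\System32\NDrv.exe
O2 - BHO: (no name) - {E205C796-4DC2-40DB-B2AC-029BD95A32E0} - C:\WINNT\System32\lkel.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINNT\sysupd.exe
O4 - HKCU\..\Run: [NDrv] C:\WINNT\System32\NDrv.exe
"""
AFTER = r"""Running processes:
C:\hijackthis\HijackThis.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
"""
FIXED = [r"O2 - BHO: (no name) - {E205C796-4DC2-40DB-B2AC-029BD95A32E0} - C:\WINNT\System32\lkel.dll",
         r"O4 - HKLM\..\Run: [SysUpd] C:\WINNT\sysupd.exe",
         r"O4 - HKCU\..\Run: [NDrv] C:\WINNT\System32\NDrv.exe"]
DELETED = [r"C:\WINNT\sysupd.exe", r"C:\WINNT\System32\wnsintsu.exe", r"C:\WINNT\System32\NDrv.exe"]
if __name__ == "__main__":
    print(verify_cleanup(BEFORE, AFTER, FIXED, DELETED))
```

All three lists come back empty for these excerpts; a non-empty `new_entries` on a real follow-up log is the cue to review the new lines before closing the case.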
     