hijack cleaning log file

Discussion in 'adware, spyware & hijack cleaning' started by TonyR, Feb 9, 2004.

Thread Status:
Not open for further replies.
  1. TonyR

    TonyR Guest

    Cannot seem to get my homepage back after a start-up, only a porno homepage, and a bunch of porno links keep showing up in my favorites. I used the SPYBOT S&D tool with the three steps you requested, hope you guys can help. Hope I did it right, it's all new to me.

    Thanks,

    Tony

    Logfile of HijackThis v1.97.7
    Scan saved at 5:40:01 PM, on 2/9/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\Program Files\AVPersonal\AVGNT.EXE
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
    C:\Program Files\AVPersonal\AVGUARD.EXE
    C:\Program Files\AVPersonal\AVWUPSRV.EXE
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\Program Files\SpywareBlaster\spywareblaster.exe
    C:\WINDOWS\hh.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Reid Family\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.008i.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://teen-biz.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://teen-biz.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://teen-biz.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http:///
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http:///
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.008i.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http:///
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://teen-biz.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://teen-biz.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://windowsupdate.microsoft.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.008i.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.008i.com/search.html
    R3 - URLSearchHook: (no name) - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - (no file)
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\svcpack.exe
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: winlogon.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37876.7463425926
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6FC05DF1-EDF2-4DC8-BA24-9C0D5F2E39C8}: NameServer = 206.47.244.43 198.235.216.111
    O17 - HKLM\System\CS1\Services\Tcpip\..\{6FC05DF1-EDF2-4DC8-BA24-9C0D5F2E39C8}: NameServer = 206.47.244.43 198.235.216.111
     
  2. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hi TonyR :)

    Welcome to Wilders.

    Please download and run CWShredder at this link,

    http://www.merijn.org/files/CWShredder.exe

    then post a fresh HJT log.

    Thanks.


    snowbound
     
  3. TonyR

    TonyR Guest

    NEW LOG FILE AFTER SHREDDING

    Here is the new log after I used the shredding link you provided. Hope it worked.

    Tony

    Logfile of HijackThis v1.97.7
    Scan saved at 7:50:43 PM, on 2/9/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\Program Files\AVPersonal\AVGNT.EXE
    C:\Program Files\AVPersonal\AVGUARD.EXE
    C:\Program Files\AVPersonal\AVWUPSRV.EXE
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\Program Files\SpywareBlaster\spywareblaster.exe
    C:\WINDOWS\hh.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Reid Family\Local Settings\Temp\Temporary Directory 2 for hijackthis[1].zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://windowsupdate.microsoft.com/
    R3 - URLSearchHook: (no name) - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37876.7463425926
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6FC05DF1-EDF2-4DC8-BA24-9C0D5F2E39C8}: NameServer = 206.47.244.43 198.235.216.111
    O17 - HKLM\System\CS1\Services\Tcpip\..\{6FC05DF1-EDF2-4DC8-BA24-9C0D5F2E39C8}: NameServer = 206.47.244.43 198.235.216.111
     
  4. snowbound

    snowbound Retired Moderator

    Your log is looking better :)

    This is as far as i can advise u as my HJT experience is minimal.

    Most of the experts live in different time zones so please be patient and one of them will be along to give u further recommendations.


    Thanks. :)



    snowbound
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands
    Hi TonyR,

    Snowbound helped you get rid of most of it. :cool:

    Before you start, please unzip hijackthis to a separate folder. The program will make backups in the folder it's in.
    These easily get lost in a Temp folder.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

    R3 - URLSearchHook: (no name) - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - (no file)

    Then reboot and read this on how to minimize the risk of infection: http://boards.cexx.org/viewtopic.php?t=957.

    Regards,

    Pieter
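
Added example, not part of the thread and not any poster's or HijackThis's own code: a small Python comparison of the two logs above, listing which entries the cleaning run removed and which remaining entries are empty or point at no file (the two kinds of item singled out in the fix list above). The excerpts are copied from the logs in this thread; the function names and the "dangling" heuristic are assumptions of the example.

```python
import re
from collections import defaultdict

# Excerpts copied from the two HijackThis logs posted in this thread.
BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://teen-biz.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\svcpack.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - Global Startup: winlogon.exe
"""
AFTER = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - (no file)
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
"""

# An entry line is "<section code> - <text>", e.g. "R0 - ..." or "O16 - ...".
# Running-process lines (plain paths) do not match and are skipped.
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*?)\s*$")

def parse(log):
    """Return the ordered list of (section, text) entries in a HijackThis log."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def removed(before, after):
    """Entries present in the first log but gone from the second, by section."""
    kept = set(parse(after))
    gone = defaultdict(list)
    for section, text in parse(before):
        if (section, text) not in kept:
            gone[section].append(text)
    return dict(gone)

def dangling(log):
    """Entries left with an empty value or a missing file (assumed heuristic)."""
    return [(s, t) for s, t in parse(log)
            if t.endswith("(no file)") or t.endswith("=")]

if __name__ == "__main__":
    for section, items in removed(BEFORE, AFTER).items():
        for text in items:
            print("removed ", section, text)
    for section, text in dangling(AFTER):
        print("dangling", section, text)
```
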
     
  6. TonyR

    TonyR Guest

    Thank you Pieter & Snowbound (go Bruins go!) I seem to be back in business. Great support and some good links. Goodbye from the great white north.

    TonyR
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Glad we could help. :)

    Pieter
     