HIJACK HELP??????

Discussion in 'adware, spyware & hijack cleaning' started by WaterBase, Jul 10, 2004.

Thread Status:
Not open for further replies.
  1. WaterBase

    WaterBase Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    6
    Logfile of HijackThis v1.97.7
    Scan saved at 9:03:30 PM, on 7/10/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
    C:\unzipped\framxpro\FreeRAM XP Pro 1.30.exe
    C:\Program Files\SysShield Tools\Internet Eraser\cseraser.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\THE NEW CPU\My Documents\Programs\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\THENEW~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\THENEW~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\THENEW~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\THENEW~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\THENEW~1\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\THENEW~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {8A3F3A19-8ECA-4D17-88DE-277A4193EB6F} - C:\WINDOWS\System32\iganpf.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
    O4 - HKCU\..\RunOnce: [BullguardoptIn] C:\WINDOWS\Temp\BullGuard\bulldownload.exe
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O9 - Extra button: GhostSurf Privacy Center (HKLM)
    O9 - Extra 'Tools' menuitem: GhostSurf Privacy Center (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d38736e0e6fd4d/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA
    Hello WaterBase,

    I would first like you to download Adaware if you don't already have it (don't run it yet, but I would like you to open it and update the reference file and then close it.)

    Next, Download and install APM from: http://www.diamondcs.com.au/index.php?page=apm

    Close all windows except HijackThis and check these lines then click on Fix:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\THENEW~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\THENEW~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\THENEW~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\THENEW~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\THENEW~1\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\THENEW~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    O2 - BHO: (no name) - {8A3F3A19-8ECA-4D17-88DE-277A4193EB6F} - C:\WINDOWS\System32\iganpf.dll

    O4 - HKCU\..\RunOnce: [BullguardoptIn] C:\WINDOWS\Temp\BullGuard\bulldownload.exe



    Don't reboot yet.

    Start APM (the program you downloaded second)
    In the upper window select explorer.exe
    In the lower window find and rightclick C:\WINDOWS\System32\iganpf.dll
    Select Unload DLL and click OK on the prompts that follow.

    Reboot and scan with AdAware (the first program you downloaded)

    Reboot. Now, do the following

    Copy the contents of the quote box to Notepad.
    Name the file Appinit.bat
    Save as type All Files
    Save on the Desktop.


    Double click on Appinit.bat
    This will create a file on the desktop named windows.txt
    Copy and paste that log here along with a new HJT log.

    **Also, very important. The reason you are most likely infected is because of Kazaa. Uninstall it. I don't care about why you use Kazaa, I understand, BUT, Kazaa is only going to get you reinfected. If you refuse to uninstall, then we can't help you because it will just be a lost cause. When and if you choose to uninstall, backup all you have downloaded from Kazaa or you will lose all that you have downloaded. I don't mean to sound harsh in any way, I am just trying to help you keep your computer from getting infected like it is now.

    Don't forget to post the two logs that are requested.
     
Thread Status:
Not open for further replies.