Hijack This Log Help

Discussion in 'adware, spyware & hijack cleaning' started by glass_saviour, Jun 27, 2004.

Thread Status:
Not open for further replies.
  1. glass_saviour (Registered Member, joined Jun 27, 2004, 1 post)

    Hi,

    Our business computer has been hijacked by one of those adware/spyware type programs that redirects your homepage and also brings up lots of pop-up windows. I am no expert in this area, but have been learning about it from http://www.thespykiller.co.uk

    I tried running the CoolWebSearch (CWS) Shredder from this site, which found and removed CWS.Aff.Winshow, but the problem still seems to be there. I have run HijackThis and got my log file as seems to be the standard procedure here (see below). What do we need to do to get rid of this thing?

    Any help would be much appreciated since we are new to the Internet and trying to run a business. Thank you in advance.


    HijackThis Log File
    ==============

    Logfile of HijackThis v1.97.7
    Scan saved at 23:13:52, on 27/06/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WIN\System32\smss.exe
    C:\WIN\system32\winlogon.exe
    C:\WIN\system32\services.exe
    C:\WIN\system32\lsass.exe
    C:\WIN\system32\svchost.exe
    C:\WIN\System32\svchost.exe
    C:\WIN\Explorer.EXE
    C:\WIN\system32\spoolsv.exe
    C:\PROGRA~1\Navnt\defwatch.exe
    C:\PROGRA~1\Navnt\rtvscan.exe
    C:\WIN\System32\svchost.exe
    C:\WIN\ntjl.exe
    C:\PROGRA~1\Navnt\vptray.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
    C:\WIN\System32\atiptaxx.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WIN\system32\winna32.exe
    C:\Program Files\Jessops\Picture Suite\InsDetect.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Nikon\NkView6\NkvMon.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Executables\HijackThis.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.freeserve.com/iesearch/default.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WIN\system32\hetpp.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://hetpp.dll/index.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://hetpp.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WIN\system32\hetpp.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://hetpp.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WIN\system32\hetpp.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {35C3C678-BB1B-5B7E-E37E-223E5B63207A} - C:\WIN\iegs32.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WIN\System32\msdxm.ocx
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
    O4 - HKLM\..\Run: [hpsjbmgr] C:\SCANJET\PrecisionScan\hpsjbmgr.exe
    O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
    O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WIN\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [MSZTCE] C:\WIN\System32\MSZTCE.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [winna32.exe] C:\WIN\system32\winna32.exe
    O4 - HKCU\..\Run: [Jessops Insert Detect] C:\Program Files\Jessops\Picture Suite\InsDetect.exe
    O4 - HKLM\..\RunOnce: [ntjl.exe] C:\WIN\ntjl.exe
    O4 - HKLM\..\RunOnce: [netbw32.exe] C:\WIN\system32\netbw32.exe
    O4 - HKLM\..\RunOnce: [croe.exe] C:\WIN\system32\croe.exe
    O4 - HKLM\..\RunOnce: [winzi32.exe] C:\WIN\system32\winzi32.exe
    O4 - HKLM\..\RunOnce: [sysre.exe] C:\WIN\sysre.exe
    O4 - HKLM\..\RunOnce: [javadp32.exe] C:\WIN\javadp32.exe
    O4 - HKLM\..\RunOnce: [javacf32.exe] C:\WIN\system32\javacf32.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
    O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/19f8be4b5de966b18205/netzip/RdxIE601.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. Taz71498 (Registered Member, joined May 27, 2004, 674 posts, USA)

    Hello,

    This is going to take more than one time through I think. Print this page so you can follow it.

    First, press Ctrl+Alt+Del, find these processes and End Task them:

    C:\WIN\ntjl.exe
    C:\WIN\system32\winna32.exe

    Run HijackThis again with all browsers closed, including this one, and place a check beside each of the following items. Once done, click the "Fix checked" button.

    O2 - BHO: (no name) - {35C3C678-BB1B-5B7E-E37E-223E5B63207A} - C:\WIN\iegs32.dll

    O4 - HKLM\..\Run: [MSZTCE] C:\WIN\System32\MSZTCE.EXE
    O4 - HKLM\..\Run: [winna32.exe] C:\WIN\system32\winna32.exe
    O4 - HKLM\..\RunOnce: [ntjl.exe] C:\WIN\ntjl.exe
    O4 - HKLM\..\RunOnce: [netbw32.exe] C:\WIN\system32\netbw32.exe
    O4 - HKLM\..\RunOnce: [croe.exe] C:\WIN\system32\croe.exe
    O4 - HKLM\..\RunOnce: [winzi32.exe] C:\WIN\system32\winzi32.exe
    O4 - HKLM\..\RunOnce: [sysre.exe] C:\WIN\sysre.exe
    O4 - HKLM\..\RunOnce: [javadp32.exe] C:\WIN\javadp32.exe
    O4 - HKLM\..\RunOnce: [javacf32.exe] C:\WIN\system32\javacf32.exe


    ***Do not reboot yet.

    Now go online and do this:
    Download About:Buster from either of the following locations.

    http://www.atribune.org/downloads/AboutBuster.zip
    or
    http://tools.zerosrealm.com/AboutBuster.zip

    Close ALL Internet Explorer windows. This is a very important step!! You do not want to be online for this part.

    Run AboutBuster.exe, click ok, then start, then OK. This will scan your computer for the files responsible for hijacking your home and/or search settings/page.

    Reboot and post a new HijackThis log along with the report from About:Buster.
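As an added example (not code from the thread, from HijackThis, or from any tool named above), the following Python script applies the reply's reasoning to the posted log mechanically: it flags IE start/search pages served from a local DLL via res://, a BHO whose DLL sits directly in the Windows directory, RunOnce entries pointing into the Windows tree, and Run entries in the Windows tree that are not on a known-good list. The rules, the known-good list and the way %WinDir% is derived from the smss.exe process path are assumptions made for this example; the log excerpt embedded below is copied from the log above and is a constructed test input, not a live capture.

```python
# Added example (not from the thread or the HijackThis tool): heuristic triage
# of HijackThis log lines.  The rules mirror what the reply singled out and are
# assumptions for this example, not an official signature set.
import ntpath
import re

# Constructed excerpt of the log posted above, paths kept as in the post.
SAMPLE_LOG = r"""
Running processes:
C:\WIN\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.freeserve.com/iesearch/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WIN\system32\hetpp.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://hetpp.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://hetpp.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WIN\system32\hetpp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://hetpp.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WIN\system32\hetpp.dll/sp.html#37049
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {35C3C678-BB1B-5B7E-E37E-223E5B63207A} - C:\WIN\iegs32.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WIN\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MSZTCE] C:\WIN\System32\MSZTCE.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [winna32.exe] C:\WIN\system32\winna32.exe
O4 - HKLM\..\RunOnce: [ntjl.exe] C:\WIN\ntjl.exe
O4 - HKLM\..\RunOnce: [netbw32.exe] C:\WIN\system32\netbw32.exe
O4 - HKLM\..\RunOnce: [croe.exe] C:\WIN\system32\croe.exe
O4 - HKLM\..\RunOnce: [winzi32.exe] C:\WIN\system32\winzi32.exe
O4 - HKLM\..\RunOnce: [sysre.exe] C:\WIN\sysre.exe
O4 - HKLM\..\RunOnce: [javadp32.exe] C:\WIN\javadp32.exe
O4 - HKLM\..\RunOnce: [javacf32.exe] C:\WIN\system32\javacf32.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""

# Autoruns in the Windows tree that the reply left alone: a constructed
# known-good list for this example, not a vendor database.
KNOWN_GOOD = {"nerocheck.exe", "atiptaxx.exe"}

ENTRY_RE = re.compile(r"^(R[0-3]|O\d+) - (.*)$")
O4_RE = re.compile(r"^HK\w+\\\.\.\\(Run\w*): \[[^\]]*\] (.*)$")
O2_RE = re.compile(r"^BHO: .* - \{[0-9A-Fa-f-]+\} - (.*)$")
TARGET_RE = re.compile(r'^"([^"]+)"|^(\S.*?\.exe)', re.IGNORECASE)

def windows_dir(text):
    """Derive %WinDir% from the smss.exe path in the 'Running processes' list."""
    for line in text.splitlines():
        if line.strip().lower().endswith(r"\system32\smss.exe"):
            return ntpath.dirname(ntpath.dirname(line.strip()))
    return r"C:\WINDOWS"  # fallback when the log carries no process list

def in_windows_tree(path, windir):
    """True for a file sitting directly in %WinDir% or its system32 directory.
    A bare file name (no directory part) is treated as a system32 file."""
    if "\\" not in path:
        return True
    parent = ntpath.dirname(path).lower()
    return parent in {windir.lower(), ntpath.join(windir, "system32").lower()}

def target_of(command):
    """Strip quotes and arguments from an O4 command to get the executable."""
    m = TARGET_RE.match(command.strip())
    return (m.group(1) or m.group(2)) if m else command.strip()

def triage(text):
    """Return (rule, log line) pairs for entries the heuristics consider suspicious."""
    windir = windows_dir(text)
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.groups()
        if kind.startswith("R"):
            # IE start/search page served from a local DLL resource (res://...dll)
            value = body.split(" = ", 1)[-1].lower()
            if value.startswith("res://") and ".dll" in value:
                findings.append(("ie-page-from-dll", line))
        elif kind == "O2":
            # BHO whose DLL was dropped directly into the Windows tree
            m2 = O2_RE.match(body)
            if m2 and in_windows_tree(m2.group(1), windir):
                findings.append(("bho-in-windir", line))
        elif kind == "O4":
            m4 = O4_RE.match(body)
            if not m4:
                continue  # Global Startup .lnk entries are not covered here
            key, target = m4.group(1), target_of(m4.group(2))
            if not in_windows_tree(target, windir):
                continue
            if key.lower() == "runonce":
                # RunOnce entries normally vanish after one boot; several of
                # them pointing into the Windows tree, as in this log, stand out
                findings.append(("persistent-runonce", line))
            elif ntpath.basename(target).lower() not in KNOWN_GOOD:
                findings.append(("unlisted-run", line))
    return findings
```

Run `triage(SAMPLE_LOG)` and the O2/O4 lines it returns are exactly the ten items the reply asked to have fixed, plus the six res:// start/search page entries. The known-good list is the weak point of this approach: a real triage would back it with a vendor database rather than two names taken from one log, and anything not on it should be read as "review", not "malicious".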
     