Hijack This Log - please help (merged)

Discussion in 'adware, spyware & hijack cleaning' started by Rich Roach, Jun 17, 2004.

Thread Status:
Not open for further replies.
  1. Rich Roach

    Rich Roach Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    4
    Hijack This Log - please help

    Note to Mods - member has posted a more up-to-date log which is now merged with this thread. See second post - snap



    I thank you in advance for any help.

    I have a Toshiba laptop using Windows XP. We have been hijacked, as we get pop-ups (the Google toolbar doesn't seem to stop them) and our homepage keeps getting switched to "Home Search" no matter what I do. I've used CWShredder, Spybot and Adaware, but it won't go away. Please help.

    Here is the log file from Hijack This.

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ntxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\systi.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Richard Roach\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xkyhc.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xkyhc.dll/index.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://xkyhc.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xkyhc.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://xkyhc.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xkyhc.dll/sp.html#37049
    O2 - BHO: (no name) - {5E5BCC20-3714-13E6-A800-5A0B8A51992C} - C:\WINDOWS\system32\javazu32.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [systi.exe] C:\WINDOWS\system32\systi.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKLM\..\RunOnce: [addlx32.exe] C:\WINDOWS\addlx32.exe
    O4 - HKLM\..\RunOnce: [winvt.exe] C:\WINDOWS\system32\winvt.exe
    O4 - HKLM\..\RunOnce: [ietm32.exe] C:\WINDOWS\system32\ietm32.exe
    O4 - HKLM\..\RunOnce: [ntxx.exe] C:\WINDOWS\system32\ntxx.exe
    O4 - HKLM\..\RunOnce: [crvr32.exe] C:\WINDOWS\crvr32.exe
    O4 - HKLM\..\RunOnce: [appsn32.exe] C:\WINDOWS\appsn32.exe
    O4 - HKLM\..\RunOnce: [sdkjd.exe] C:\WINDOWS\system32\sdkjd.exe
    O4 - HKLM\..\RunOnce: [iete.exe] C:\WINDOWS\system32\iete.exe
    O4 - HKLM\..\RunOnce: [msfd.exe] C:\WINDOWS\system32\msfd.exe
    O4 - HKLM\..\RunOnce: [appub32.exe] C:\WINDOWS\appub32.exe
    O4 - HKLM\..\RunOnce: [mfcjb32.exe] C:\WINDOWS\mfcjb32.exe
    O4 - HKLM\..\RunOnce: [atlcr.exe] C:\WINDOWS\system32\atlcr.exe
    O4 - HKLM\..\RunOnce: [javakl.exe] C:\WINDOWS\javakl.exe
    O4 - HKLM\..\RunOnce: [sysbi32.exe] C:\WINDOWS\sysbi32.exe
    O4 - HKLM\..\RunOnce: [addiz32.exe] C:\WINDOWS\system32\addiz32.exe
    O4 - HKLM\..\RunOnce: [winzv.exe] C:\WINDOWS\winzv.exe
    O4 - HKLM\..\RunOnce: [appxp.exe] C:\WINDOWS\appxp.exe
    O4 - HKLM\..\RunOnce: [sysmi.exe] C:\WINDOWS\sysmi.exe
    O4 - HKLM\..\RunOnce: [winds.exe] C:\WINDOWS\winds.exe
    O4 - HKLM\..\RunOnce: [nettl.exe] C:\WINDOWS\system32\nettl.exe
    O4 - HKLM\..\RunOnce: [sdklb32.exe] C:\WINDOWS\system32\sdklb32.exe
    O4 - HKLM\..\RunOnce: [javavi32.exe] C:\WINDOWS\system32\javavi32.exe
    O4 - HKLM\..\RunOnce: [addnk32.exe] C:\WINDOWS\system32\addnk32.exe
    O4 - HKLM\..\RunOnce: [appov.exe] C:\WINDOWS\system32\appov.exe
    O4 - HKLM\..\RunOnce: [winpx.exe] C:\WINDOWS\winpx.exe
    O4 - HKLM\..\RunOnce: [mfcln.exe] C:\WINDOWS\system32\mfcln.exe
    O4 - HKLM\..\RunOnce: [ipmc32.exe] C:\WINDOWS\system32\ipmc32.exe
    O4 - HKLM\..\RunOnce: [netgi32.exe] C:\WINDOWS\system32\netgi32.exe
    O4 - HKLM\..\RunOnce: [ntmc32.exe] C:\WINDOWS\system32\ntmc32.exe
    O4 - HKLM\..\RunOnce: [msqh32.exe] C:\WINDOWS\msqh32.exe
    O4 - HKLM\..\RunOnce: [ieyp.exe] C:\WINDOWS\ieyp.exe
    O4 - HKLM\..\RunOnce: [mfcee.exe] C:\WINDOWS\mfcee.exe
    O4 - HKLM\..\RunOnce: [iefr32.exe] C:\WINDOWS\system32\iefr32.exe
    O4 - HKLM\..\RunOnce: [mfcad32.exe] C:\WINDOWS\mfcad32.exe
    O4 - HKLM\..\RunOnce: [wincq.exe] C:\WINDOWS\system32\wincq.exe
    O4 - HKLM\..\RunOnce: [ieyr.exe] C:\WINDOWS\ieyr.exe
    O4 - HKLM\..\RunOnce: [appqi32.exe] C:\WINDOWS\system32\appqi32.exe
    O4 - HKLM\..\RunOnce: [atlci.exe] C:\WINDOWS\system32\atlci.exe
    O4 - HKLM\..\RunOnce: [sdkal.exe] C:\WINDOWS\sdkal.exe
    O4 - HKLM\..\RunOnce: [javahj.exe] C:\WINDOWS\system32\javahj.exe
    O4 - HKLM\..\RunOnce: [addrx32.exe] C:\WINDOWS\addrx32.exe
    O4 - HKLM\..\RunOnce: [sdklj32.exe] C:\WINDOWS\sdklj32.exe
    O4 - HKLM\..\RunOnce: [javaha32.exe] C:\WINDOWS\javaha32.exe
    O4 - HKLM\..\RunOnce: [winhi.exe] C:\WINDOWS\system32\winhi.exe
    O4 - HKLM\..\RunOnce: [iptw.exe] C:\WINDOWS\iptw.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .mp4: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
    O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1087411641547
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1682722ea85e2593b002/netzip/RdxIE601.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38010.9193981482
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    Thank you,

    Rich
     
    Last edited by a moderator: Jun 18, 2004
  2. Rich Roach

    Rich Roach Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    4
    Hijack This Log - new version

    I'm sorry, but I posted once before this without reading your detailed instructions. I have followed every step using all the tools, Spybot, Ad-aware, CWShredder. I would really appreciate any help you could give.

    Here are the problems I am experiencing:

    popups
    my homepage is always hijacked
    someone is trying to change my HBO

    Here is the copy of my HijackThis log.


    Logfile of HijackThis v1.97.7
    Scan saved at 9:08:56 PM, on 17/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ntxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\systi.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Documents and Settings\Richard Roach\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xkyhc.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xkyhc.dll/index.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://xkyhc.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xkyhc.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://xkyhc.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xkyhc.dll/sp.html#37049
    O2 - BHO: (no name) - {5E5BCC20-3714-13E6-A800-5A0B8A51992C} - C:\WINDOWS\system32\javazu32.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [systi.exe] C:\WINDOWS\system32\systi.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKLM\..\RunOnce: [addlx32.exe] C:\WINDOWS\addlx32.exe
    O4 - HKLM\..\RunOnce: [winvt.exe] C:\WINDOWS\system32\winvt.exe
    O4 - HKLM\..\RunOnce: [ietm32.exe] C:\WINDOWS\system32\ietm32.exe
    O4 - HKLM\..\RunOnce: [ntxx.exe] C:\WINDOWS\system32\ntxx.exe
    O4 - HKLM\..\RunOnce: [crvr32.exe] C:\WINDOWS\crvr32.exe
    O4 - HKLM\..\RunOnce: [appsn32.exe] C:\WINDOWS\appsn32.exe
    O4 - HKLM\..\RunOnce: [sdkjd.exe] C:\WINDOWS\system32\sdkjd.exe
    O4 - HKLM\..\RunOnce: [iete.exe] C:\WINDOWS\system32\iete.exe
    O4 - HKLM\..\RunOnce: [msfd.exe] C:\WINDOWS\system32\msfd.exe
    O4 - HKLM\..\RunOnce: [appub32.exe] C:\WINDOWS\appub32.exe
    O4 - HKLM\..\RunOnce: [mfcjb32.exe] C:\WINDOWS\mfcjb32.exe
    O4 - HKLM\..\RunOnce: [atlcr.exe] C:\WINDOWS\system32\atlcr.exe
    O4 - HKLM\..\RunOnce: [javakl.exe] C:\WINDOWS\javakl.exe
    O4 - HKLM\..\RunOnce: [sysbi32.exe] C:\WINDOWS\sysbi32.exe
    O4 - HKLM\..\RunOnce: [addiz32.exe] C:\WINDOWS\system32\addiz32.exe
    O4 - HKLM\..\RunOnce: [winzv.exe] C:\WINDOWS\winzv.exe
    O4 - HKLM\..\RunOnce: [appxp.exe] C:\WINDOWS\appxp.exe
    O4 - HKLM\..\RunOnce: [sysmi.exe] C:\WINDOWS\sysmi.exe
    O4 - HKLM\..\RunOnce: [winds.exe] C:\WINDOWS\winds.exe
    O4 - HKLM\..\RunOnce: [nettl.exe] C:\WINDOWS\system32\nettl.exe
    O4 - HKLM\..\RunOnce: [sdklb32.exe] C:\WINDOWS\system32\sdklb32.exe
    O4 - HKLM\..\RunOnce: [javavi32.exe] C:\WINDOWS\system32\javavi32.exe
    O4 - HKLM\..\RunOnce: [addnk32.exe] C:\WINDOWS\system32\addnk32.exe
    O4 - HKLM\..\RunOnce: [appov.exe] C:\WINDOWS\system32\appov.exe
    O4 - HKLM\..\RunOnce: [winpx.exe] C:\WINDOWS\winpx.exe
    O4 - HKLM\..\RunOnce: [mfcln.exe] C:\WINDOWS\system32\mfcln.exe
    O4 - HKLM\..\RunOnce: [ipmc32.exe] C:\WINDOWS\system32\ipmc32.exe
    O4 - HKLM\..\RunOnce: [netgi32.exe] C:\WINDOWS\system32\netgi32.exe
    O4 - HKLM\..\RunOnce: [ntmc32.exe] C:\WINDOWS\system32\ntmc32.exe
    O4 - HKLM\..\RunOnce: [msqh32.exe] C:\WINDOWS\msqh32.exe
    O4 - HKLM\..\RunOnce: [ieyp.exe] C:\WINDOWS\ieyp.exe
    O4 - HKLM\..\RunOnce: [mfcee.exe] C:\WINDOWS\mfcee.exe
    O4 - HKLM\..\RunOnce: [iefr32.exe] C:\WINDOWS\system32\iefr32.exe
    O4 - HKLM\..\RunOnce: [mfcad32.exe] C:\WINDOWS\mfcad32.exe
    O4 - HKLM\..\RunOnce: [wincq.exe] C:\WINDOWS\system32\wincq.exe
    O4 - HKLM\..\RunOnce: [ieyr.exe] C:\WINDOWS\ieyr.exe
    O4 - HKLM\..\RunOnce: [appqi32.exe] C:\WINDOWS\system32\appqi32.exe
    O4 - HKLM\..\RunOnce: [atlci.exe] C:\WINDOWS\system32\atlci.exe
    O4 - HKLM\..\RunOnce: [sdkal.exe] C:\WINDOWS\sdkal.exe
    O4 - HKLM\..\RunOnce: [javahj.exe] C:\WINDOWS\system32\javahj.exe
    O4 - HKLM\..\RunOnce: [addrx32.exe] C:\WINDOWS\addrx32.exe
    O4 - HKLM\..\RunOnce: [sdklj32.exe] C:\WINDOWS\sdklj32.exe
    O4 - HKLM\..\RunOnce: [javaha32.exe] C:\WINDOWS\javaha32.exe
    O4 - HKLM\..\RunOnce: [winhi.exe] C:\WINDOWS\system32\winhi.exe
    O4 - HKLM\..\RunOnce: [iptw.exe] C:\WINDOWS\iptw.exe
    O4 - HKLM\..\RunOnce: [sdknj.exe] C:\WINDOWS\sdknj.exe
    O4 - HKLM\..\RunOnce: [sdkdp.exe] C:\WINDOWS\sdkdp.exe
    O4 - HKLM\..\RunOnce: [msdg.exe] C:\WINDOWS\system32\msdg.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .mp4: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
    O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1087411641547
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1682722ea85e2593b002/netzip/RdxIE601.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38010.9193981482
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    Thank you,

    Rich
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Re: Hijack This Log - new version

    Hi Rich Roach,

    Before you start, please unzip HijackThis to a separate folder. The program will make backups in the folder it's in.
    These will now end up on your desktop.

    Click Start > Run > Services.msc > OK
    In the services window find Network Security Service.
    Right-click and stop it. Put the Startup type to disabled under Properties > General tab

    Then open TaskManager and stop these two processes:
    C:\WINDOWS\system32\ntxx.exe
    C:\WINDOWS\system32\systi.exe

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xkyhc.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xkyhc.dll/index.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://xkyhc.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xkyhc.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://xkyhc.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xkyhc.dll/sp.html#37049
    O2 - BHO: (no name) - {5E5BCC20-3714-13E6-A800-5A0B8A51992C} - C:\WINDOWS\system32\javazu32.dll

    O4 - HKLM\..\Run: [systi.exe] C:\WINDOWS\system32\systi.exe

    O4 - HKLM\..\RunOnce: [addlx32.exe] C:\WINDOWS\addlx32.exe
    O4 - HKLM\..\RunOnce: [winvt.exe] C:\WINDOWS\system32\winvt.exe
    O4 - HKLM\..\RunOnce: [ietm32.exe] C:\WINDOWS\system32\ietm32.exe
    O4 - HKLM\..\RunOnce: [ntxx.exe] C:\WINDOWS\system32\ntxx.exe
    O4 - HKLM\..\RunOnce: [crvr32.exe] C:\WINDOWS\crvr32.exe
    O4 - HKLM\..\RunOnce: [appsn32.exe] C:\WINDOWS\appsn32.exe
    O4 - HKLM\..\RunOnce: [sdkjd.exe] C:\WINDOWS\system32\sdkjd.exe
    O4 - HKLM\..\RunOnce: [iete.exe] C:\WINDOWS\system32\iete.exe
    O4 - HKLM\..\RunOnce: [msfd.exe] C:\WINDOWS\system32\msfd.exe
    O4 - HKLM\..\RunOnce: [appub32.exe] C:\WINDOWS\appub32.exe
    O4 - HKLM\..\RunOnce: [mfcjb32.exe] C:\WINDOWS\mfcjb32.exe
    O4 - HKLM\..\RunOnce: [atlcr.exe] C:\WINDOWS\system32\atlcr.exe
    O4 - HKLM\..\RunOnce: [javakl.exe] C:\WINDOWS\javakl.exe
    O4 - HKLM\..\RunOnce: [sysbi32.exe] C:\WINDOWS\sysbi32.exe
    O4 - HKLM\..\RunOnce: [addiz32.exe] C:\WINDOWS\system32\addiz32.exe
    O4 - HKLM\..\RunOnce: [winzv.exe] C:\WINDOWS\winzv.exe
    O4 - HKLM\..\RunOnce: [appxp.exe] C:\WINDOWS\appxp.exe
    O4 - HKLM\..\RunOnce: [sysmi.exe] C:\WINDOWS\sysmi.exe
    O4 - HKLM\..\RunOnce: [winds.exe] C:\WINDOWS\winds.exe
    O4 - HKLM\..\RunOnce: [nettl.exe] C:\WINDOWS\system32\nettl.exe
    O4 - HKLM\..\RunOnce: [sdklb32.exe] C:\WINDOWS\system32\sdklb32.exe
    O4 - HKLM\..\RunOnce: [javavi32.exe] C:\WINDOWS\system32\javavi32.exe
    O4 - HKLM\..\RunOnce: [addnk32.exe] C:\WINDOWS\system32\addnk32.exe
    O4 - HKLM\..\RunOnce: [appov.exe] C:\WINDOWS\system32\appov.exe
    O4 - HKLM\..\RunOnce: [winpx.exe] C:\WINDOWS\winpx.exe
    O4 - HKLM\..\RunOnce: [mfcln.exe] C:\WINDOWS\system32\mfcln.exe
    O4 - HKLM\..\RunOnce: [ipmc32.exe] C:\WINDOWS\system32\ipmc32.exe
    O4 - HKLM\..\RunOnce: [netgi32.exe] C:\WINDOWS\system32\netgi32.exe
    O4 - HKLM\..\RunOnce: [ntmc32.exe] C:\WINDOWS\system32\ntmc32.exe
    O4 - HKLM\..\RunOnce: [msqh32.exe] C:\WINDOWS\msqh32.exe
    O4 - HKLM\..\RunOnce: [ieyp.exe] C:\WINDOWS\ieyp.exe
    O4 - HKLM\..\RunOnce: [mfcee.exe] C:\WINDOWS\mfcee.exe
    O4 - HKLM\..\RunOnce: [iefr32.exe] C:\WINDOWS\system32\iefr32.exe
    O4 - HKLM\..\RunOnce: [mfcad32.exe] C:\WINDOWS\mfcad32.exe
    O4 - HKLM\..\RunOnce: [wincq.exe] C:\WINDOWS\system32\wincq.exe
    O4 - HKLM\..\RunOnce: [ieyr.exe] C:\WINDOWS\ieyr.exe
    O4 - HKLM\..\RunOnce: [appqi32.exe] C:\WINDOWS\system32\appqi32.exe
    O4 - HKLM\..\RunOnce: [atlci.exe] C:\WINDOWS\system32\atlci.exe
    O4 - HKLM\..\RunOnce: [sdkal.exe] C:\WINDOWS\sdkal.exe
    O4 - HKLM\..\RunOnce: [javahj.exe] C:\WINDOWS\system32\javahj.exe
    O4 - HKLM\..\RunOnce: [addrx32.exe] C:\WINDOWS\addrx32.exe
    O4 - HKLM\..\RunOnce: [sdklj32.exe] C:\WINDOWS\sdklj32.exe
    O4 - HKLM\..\RunOnce: [javaha32.exe] C:\WINDOWS\javaha32.exe
    O4 - HKLM\..\RunOnce: [winhi.exe] C:\WINDOWS\system32\winhi.exe
    O4 - HKLM\..\RunOnce: [iptw.exe] C:\WINDOWS\iptw.exe
    O4 - HKLM\..\RunOnce: [sdknj.exe] C:\WINDOWS\sdknj.exe
    O4 - HKLM\..\RunOnce: [sdkdp.exe] C:\WINDOWS\sdkdp.exe
    O4 - HKLM\..\RunOnce: [msdg.exe] C:\WINDOWS\system32\msdg.exe

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1682722ea85e2593b002/netzip/RdxIE601.cab

    Then reboot into safe mode and delete:
    C:\WINDOWS\system32\systi.exe
    C:\WINDOWS\system32\javazu32.dat
    C:\WINDOWS\xkyhc.dll
    + the file the service is pointing at. You can find that on the tab where you disabled it, above the Startup Type box

    Post a new log when you are done, so we can see if everything worked out as planned.

    Regards,

    Pieter
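    The steps above (and the repeat of them in the later reply) follow one pattern: find the IE start/search pages that have been pointed at a local DLL through res://, the nameless BHO living in the Windows directory, and the RunOnce/Run entries that launch random-looking executables out of C:\WINDOWS, then end those processes, fix the entries, and delete the files in safe mode. The script below is an added example, not part of this thread and not HijackThis's own logic: it parses a handful of log lines copied from the logs posted here (constructed sample, embedded inline), applies those heuristics, and produces the same three lists Pieter worked out by hand. The rules (`RES_DLL`, `WINDIR`, `O4_ENTRY`, the "value name equals file name" test) are my assumptions about what the hijacked entries look like, not a verdict engine; legitimate installers also leave RunOnce entries, so the output is a triage aid to be checked by a human.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: a few lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ntxx.exe
C:\WINDOWS\system32\systi.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xkyhc.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://xkyhc.dll/index.html#37049
O2 - BHO: (no name) - {5E5BCC20-3714-13E6-A800-5A0B8A51992C} - C:\WINDOWS\system32\javazu32.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [systi.exe] C:\WINDOWS\system32\systi.exe
O4 - HKLM\..\RunOnce: [ntxx.exe] C:\WINDOWS\system32\ntxx.exe
O4 - HKLM\..\RunOnce: [addlx32.exe] C:\WINDOWS\addlx32.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
"""

# Start/search page served out of a local DLL via res:// (the "Home Search" hijack in this thread).
RES_DLL = re.compile(r"res://(?:[a-z]:\\(?:[^/]*\\)?)?([^/\\]+\.dll)", re.IGNORECASE)
# A file sitting directly in C:\WINDOWS or C:\WINDOWS\system32 (heuristic, my assumption).
WINDIR = re.compile(r"^[a-z]:\\windows\\(?:system32\\)?[^\\]+$", re.IGNORECASE)
# O4 registry autostart: "O4 - <hive>: [<value name>] <path> <args>"; Global Startup .lnk lines do not match.
O4_ENTRY = re.compile(r'^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] "?(?P<path>.+?\.exe)"?(?:\s|$)', re.IGNORECASE)


@dataclass
class Triage:
    fix_entries: list = field(default_factory=list)     # lines to tick in HijackThis and "Fix checked"
    stop_processes: list = field(default_factory=list)  # running processes to end in Task Manager first
    delete_files: list = field(default_factory=list)    # binaries to remove afterwards in safe mode


def split_log(text):
    """Separate the 'Running processes' block from the R/O entries that follow it."""
    procs, entries, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() == "running processes:":
            section = "procs"
            continue
        if re.match(r"^[RO]\d+ - ", line):
            section = "entries"
        if section == "procs":
            procs.append(line)
        elif section == "entries":
            entries.append(line)
    return procs, entries


def triage_log(text):
    procs, entries = split_log(text)
    result = Triage()
    bad_files = set()  # lower-cased paths/names of the binaries behind flagged entries
    for line in entries:
        tag = line.split(" - ", 1)[0]
        if tag in ("R0", "R1"):
            m = RES_DLL.search(line)
            if m:  # IE page redirected into a local DLL resource
                result.fix_entries.append(line)
                bad_files.add(m.group(1).lower())
        elif tag == "O2" and "(no name)" in line:
            path = line.rsplit(" - ", 1)[1]
            if WINDIR.match(path):  # anonymous BHO loaded straight out of the Windows directory
                result.fix_entries.append(line)
                bad_files.add(path.lower())
        elif tag == "O4":
            m = O4_ENTRY.match(line)
            if not m:
                continue
            name, path = m.group("name"), m.group("path")
            run_once = m.group("hive").lower().endswith("runonce")
            name_is_exe = name.lower() == path.rsplit("\\", 1)[-1].lower()
            # Heuristic (mine, not HijackThis's): a RunOnce entry, or a Run entry whose value name is
            # just the executable's file name, pointing into C:\WINDOWS. Legitimate installers can
            # leave RunOnce entries too, so this flags candidates rather than proving anything.
            if WINDIR.match(path) and (run_once or name_is_exe):
                result.fix_entries.append(line)
                bad_files.add(path.lower())
    # Anything still running that belongs to a flagged entry has to be ended before the fix sticks.
    result.stop_processes = [p for p in procs if p.lower() in bad_files]
    result.delete_files = sorted(bad_files)
    return result


if __name__ == "__main__":
    t = triage_log(SAMPLE_LOG)
    for label, items in (("Fix in HijackThis", t.fix_entries),
                         ("End in Task Manager", t.stop_processes),
                         ("Delete in safe mode", t.delete_files)):
        print(f"{label}:")
        for item in items:
            print("  " + item)
```

    On the sample it flags the two res:// page lines, the nameless BHO in system32 and the three C:\WINDOWS autostarts, leaves the Google Toolbar BHO and the QuickTime Run entry alone, and lists ntxx.exe and systi.exe as the processes to end first, which matches the reply above. The R lines only give a DLL file name when the path is missing from the res:// URL, so the delete list mixes bare names and full paths; locate the bare ones on disk before removing anything.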
     
  4. Rich Roach

    Rich Roach Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    4
    I followed your instructions, but forgot how to start up in Safe Mode, so I had to go onto the Internet in the middle of things. I think it messed things up. I still have all the same problems. Here is my latest HijackThis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 10:35:25 AM, on 18/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\sdkpm.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\apibs.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\All Users\Documents\HiJack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kamkk.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://kamkk.dll/index.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://kamkk.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kamkk.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://kamkk.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\kamkk.dll/sp.html#37049
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {AA78CB81-818D-E958-0B35-5F4AA7956452} - C:\WINDOWS\appyi.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [apibs.exe] C:\WINDOWS\system32\apibs.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKLM\..\RunOnce: [sdkpm.exe] C:\WINDOWS\sdkpm.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .mp4: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
    O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1087411641547
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38010.9193981482
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    Thanks,
    Rich
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Click Start > Run > Services.msc > OK
    In the services window find Network Security Service.
    Check if it is still disabled.
    If not, right-click and stop it. Put the Startup type to disabled under Properties > General tab

    Then open TaskManager and stop these two processes:
    C:\WINDOWS\sdkpm.exe
    C:\WINDOWS\system32\apibs.exe

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kamkk.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://kamkk.dll/index.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://kamkk.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kamkk.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://kamkk.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\kamkk.dll/sp.html#37049

    O2 - BHO: (no name) - {AA78CB81-818D-E958-0B35-5F4AA7956452} - C:\WINDOWS\appyi.dll

    O4 - HKLM\..\Run: [apibs.exe] C:\WINDOWS\system32\apibs.exe

    O4 - HKLM\..\RunOnce: [sdkpm.exe] C:\WINDOWS\sdkpm.exe

    Then reboot into safe mode and delete:
    C:\WINDOWS\sdkpm.exe
    C:\WINDOWS\system32\apibs.exe
    C:\WINDOWS\appyi.dat
    C:\WINDOWS\system32\kamkk.dll

    Regards,

    Pieter
     
  6. Rich Roach

    Rich Roach Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    4
    Pieter,

    I've been away for a few weeks, but I really want to THANK you for your help with my Toshiba laptop. Everything is running clean now.

    THANK YOU!

    Rich
     