Hijack This Log - please help (merged)

Discussion in 'adware, spyware & hijack cleaning' started by Rich Roach, Jun 17, 2004.

Thread Status:
Not open for further replies.
  1. Rich Roach

    Rich Roach Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    4
    Hijack This Log - please help

    Note to Mods - member has posted a more up-to-date log which is now merged with this thread. See second post - snap



    I thank you in advance for any help.

    I have a Toshiba laptop using Windows XP. We have been hijacked, as we get pop-ups (the Google toolbar doesn't seem to stop them) and our homepage keeps getting switched to "Home Search" no matter what I do. I've used CWShredder, Spybot and Adaware, but it won't go away. Please help.

    Here is the log file from Hijack This.

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ntxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\systi.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Richard Roach\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xkyhc.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xkyhc.dll/index.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://xkyhc.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xkyhc.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://xkyhc.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xkyhc.dll/sp.html#37049
    O2 - BHO: (no name) - {5E5BCC20-3714-13E6-A800-5A0B8A51992C} - C:\WINDOWS\system32\javazu32.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [systi.exe] C:\WINDOWS\system32\systi.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKLM\..\RunOnce: [addlx32.exe] C:\WINDOWS\addlx32.exe
    O4 - HKLM\..\RunOnce: [winvt.exe] C:\WINDOWS\system32\winvt.exe
    O4 - HKLM\..\RunOnce: [ietm32.exe] C:\WINDOWS\system32\ietm32.exe
    O4 - HKLM\..\RunOnce: [ntxx.exe] C:\WINDOWS\system32\ntxx.exe
    O4 - HKLM\..\RunOnce: [crvr32.exe] C:\WINDOWS\crvr32.exe
    O4 - HKLM\..\RunOnce: [appsn32.exe] C:\WINDOWS\appsn32.exe
    O4 - HKLM\..\RunOnce: [sdkjd.exe] C:\WINDOWS\system32\sdkjd.exe
    O4 - HKLM\..\RunOnce: [iete.exe] C:\WINDOWS\system32\iete.exe
    O4 - HKLM\..\RunOnce: [msfd.exe] C:\WINDOWS\system32\msfd.exe
    O4 - HKLM\..\RunOnce: [appub32.exe] C:\WINDOWS\appub32.exe
    O4 - HKLM\..\RunOnce: [mfcjb32.exe] C:\WINDOWS\mfcjb32.exe
    O4 - HKLM\..\RunOnce: [atlcr.exe] C:\WINDOWS\system32\atlcr.exe
    O4 - HKLM\..\RunOnce: [javakl.exe] C:\WINDOWS\javakl.exe
    O4 - HKLM\..\RunOnce: [sysbi32.exe] C:\WINDOWS\sysbi32.exe
    O4 - HKLM\..\RunOnce: [addiz32.exe] C:\WINDOWS\system32\addiz32.exe
    O4 - HKLM\..\RunOnce: [winzv.exe] C:\WINDOWS\winzv.exe
    O4 - HKLM\..\RunOnce: [appxp.exe] C:\WINDOWS\appxp.exe
    O4 - HKLM\..\RunOnce: [sysmi.exe] C:\WINDOWS\sysmi.exe
    O4 - HKLM\..\RunOnce: [winds.exe] C:\WINDOWS\winds.exe
    O4 - HKLM\..\RunOnce: [nettl.exe] C:\WINDOWS\system32\nettl.exe
    O4 - HKLM\..\RunOnce: [sdklb32.exe] C:\WINDOWS\system32\sdklb32.exe
    O4 - HKLM\..\RunOnce: [javavi32.exe] C:\WINDOWS\system32\javavi32.exe
    O4 - HKLM\..\RunOnce: [addnk32.exe] C:\WINDOWS\system32\addnk32.exe
    O4 - HKLM\..\RunOnce: [appov.exe] C:\WINDOWS\system32\appov.exe
    O4 - HKLM\..\RunOnce: [winpx.exe] C:\WINDOWS\winpx.exe
    O4 - HKLM\..\RunOnce: [mfcln.exe] C:\WINDOWS\system32\mfcln.exe
    O4 - HKLM\..\RunOnce: [ipmc32.exe] C:\WINDOWS\system32\ipmc32.exe
    O4 - HKLM\..\RunOnce: [netgi32.exe] C:\WINDOWS\system32\netgi32.exe
    O4 - HKLM\..\RunOnce: [ntmc32.exe] C:\WINDOWS\system32\ntmc32.exe
    O4 - HKLM\..\RunOnce: [msqh32.exe] C:\WINDOWS\msqh32.exe
    O4 - HKLM\..\RunOnce: [ieyp.exe] C:\WINDOWS\ieyp.exe
    O4 - HKLM\..\RunOnce: [mfcee.exe] C:\WINDOWS\mfcee.exe
    O4 - HKLM\..\RunOnce: [iefr32.exe] C:\WINDOWS\system32\iefr32.exe
    O4 - HKLM\..\RunOnce: [mfcad32.exe] C:\WINDOWS\mfcad32.exe
    O4 - HKLM\..\RunOnce: [wincq.exe] C:\WINDOWS\system32\wincq.exe
    O4 - HKLM\..\RunOnce: [ieyr.exe] C:\WINDOWS\ieyr.exe
    O4 - HKLM\..\RunOnce: [appqi32.exe] C:\WINDOWS\system32\appqi32.exe
    O4 - HKLM\..\RunOnce: [atlci.exe] C:\WINDOWS\system32\atlci.exe
    O4 - HKLM\..\RunOnce: [sdkal.exe] C:\WINDOWS\sdkal.exe
    O4 - HKLM\..\RunOnce: [javahj.exe] C:\WINDOWS\system32\javahj.exe
    O4 - HKLM\..\RunOnce: [addrx32.exe] C:\WINDOWS\addrx32.exe
    O4 - HKLM\..\RunOnce: [sdklj32.exe] C:\WINDOWS\sdklj32.exe
    O4 - HKLM\..\RunOnce: [javaha32.exe] C:\WINDOWS\javaha32.exe
    O4 - HKLM\..\RunOnce: [winhi.exe] C:\WINDOWS\system32\winhi.exe
    O4 - HKLM\..\RunOnce: [iptw.exe] C:\WINDOWS\iptw.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .mp4: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
    O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1087411641547
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1682722ea85e2593b002/netzip/RdxIE601.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38010.9193981482
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    Thank you,

    Rich
     
    Last edited by a moderator: Jun 18, 2004
  2. Rich Roach

    Rich Roach Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    4
    Hijack This Log - new version

    I'm sorry, but I posted once before this without reading your detailed instructions. I have followed every step using all the tools, Spybot, Ad-aware, CWShredder. I would really appreciate any help you could give.

    Here are the problems I am experiencing:

    popups
    my homepage is always hijacked
    someone is trying to change my HBO

    Here is the copy of my HijackThis log.


    Logfile of HijackThis v1.97.7
    Scan saved at 9:08:56 PM, on 17/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ntxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\systi.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Documents and Settings\Richard Roach\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xkyhc.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xkyhc.dll/index.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://xkyhc.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xkyhc.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://xkyhc.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xkyhc.dll/sp.html#37049
    O2 - BHO: (no name) - {5E5BCC20-3714-13E6-A800-5A0B8A51992C} - C:\WINDOWS\system32\javazu32.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [systi.exe] C:\WINDOWS\system32\systi.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKLM\..\RunOnce: [addlx32.exe] C:\WINDOWS\addlx32.exe
    O4 - HKLM\..\RunOnce: [winvt.exe] C:\WINDOWS\system32\winvt.exe
    O4 - HKLM\..\RunOnce: [ietm32.exe] C:\WINDOWS\system32\ietm32.exe
    O4 - HKLM\..\RunOnce: [ntxx.exe] C:\WINDOWS\system32\ntxx.exe
    O4 - HKLM\..\RunOnce: [crvr32.exe] C:\WINDOWS\crvr32.exe
    O4 - HKLM\..\RunOnce: [appsn32.exe] C:\WINDOWS\appsn32.exe
    O4 - HKLM\..\RunOnce: [sdkjd.exe] C:\WINDOWS\system32\sdkjd.exe
    O4 - HKLM\..\RunOnce: [iete.exe] C:\WINDOWS\system32\iete.exe
    O4 - HKLM\..\RunOnce: [msfd.exe] C:\WINDOWS\system32\msfd.exe
    O4 - HKLM\..\RunOnce: [appub32.exe] C:\WINDOWS\appub32.exe
    O4 - HKLM\..\RunOnce: [mfcjb32.exe] C:\WINDOWS\mfcjb32.exe
    O4 - HKLM\..\RunOnce: [atlcr.exe] C:\WINDOWS\system32\atlcr.exe
    O4 - HKLM\..\RunOnce: [javakl.exe] C:\WINDOWS\javakl.exe
    O4 - HKLM\..\RunOnce: [sysbi32.exe] C:\WINDOWS\sysbi32.exe
    O4 - HKLM\..\RunOnce: [addiz32.exe] C:\WINDOWS\system32\addiz32.exe
    O4 - HKLM\..\RunOnce: [winzv.exe] C:\WINDOWS\winzv.exe
    O4 - HKLM\..\RunOnce: [appxp.exe] C:\WINDOWS\appxp.exe
    O4 - HKLM\..\RunOnce: [sysmi.exe] C:\WINDOWS\sysmi.exe
    O4 - HKLM\..\RunOnce: [winds.exe] C:\WINDOWS\winds.exe
    O4 - HKLM\..\RunOnce: [nettl.exe] C:\WINDOWS\system32\nettl.exe
    O4 - HKLM\..\RunOnce: [sdklb32.exe] C:\WINDOWS\system32\sdklb32.exe
    O4 - HKLM\..\RunOnce: [javavi32.exe] C:\WINDOWS\system32\javavi32.exe
    O4 - HKLM\..\RunOnce: [addnk32.exe] C:\WINDOWS\system32\addnk32.exe
    O4 - HKLM\..\RunOnce: [appov.exe] C:\WINDOWS\system32\appov.exe
    O4 - HKLM\..\RunOnce: [winpx.exe] C:\WINDOWS\winpx.exe
    O4 - HKLM\..\RunOnce: [mfcln.exe] C:\WINDOWS\system32\mfcln.exe
    O4 - HKLM\..\RunOnce: [ipmc32.exe] C:\WINDOWS\system32\ipmc32.exe
    O4 - HKLM\..\RunOnce: [netgi32.exe] C:\WINDOWS\system32\netgi32.exe
    O4 - HKLM\..\RunOnce: [ntmc32.exe] C:\WINDOWS\system32\ntmc32.exe
    O4 - HKLM\..\RunOnce: [msqh32.exe] C:\WINDOWS\msqh32.exe
    O4 - HKLM\..\RunOnce: [ieyp.exe] C:\WINDOWS\ieyp.exe
    O4 - HKLM\..\RunOnce: [mfcee.exe] C:\WINDOWS\mfcee.exe
    O4 - HKLM\..\RunOnce: [iefr32.exe] C:\WINDOWS\system32\iefr32.exe
    O4 - HKLM\..\RunOnce: [mfcad32.exe] C:\WINDOWS\mfcad32.exe
    O4 - HKLM\..\RunOnce: [wincq.exe] C:\WINDOWS\system32\wincq.exe
    O4 - HKLM\..\RunOnce: [ieyr.exe] C:\WINDOWS\ieyr.exe
    O4 - HKLM\..\RunOnce: [appqi32.exe] C:\WINDOWS\system32\appqi32.exe
    O4 - HKLM\..\RunOnce: [atlci.exe] C:\WINDOWS\system32\atlci.exe
    O4 - HKLM\..\RunOnce: [sdkal.exe] C:\WINDOWS\sdkal.exe
    O4 - HKLM\..\RunOnce: [javahj.exe] C:\WINDOWS\system32\javahj.exe
    O4 - HKLM\..\RunOnce: [addrx32.exe] C:\WINDOWS\addrx32.exe
    O4 - HKLM\..\RunOnce: [sdklj32.exe] C:\WINDOWS\sdklj32.exe
    O4 - HKLM\..\RunOnce: [javaha32.exe] C:\WINDOWS\javaha32.exe
    O4 - HKLM\..\RunOnce: [winhi.exe] C:\WINDOWS\system32\winhi.exe
    O4 - HKLM\..\RunOnce: [iptw.exe] C:\WINDOWS\iptw.exe
    O4 - HKLM\..\RunOnce: [sdknj.exe] C:\WINDOWS\sdknj.exe
    O4 - HKLM\..\RunOnce: [sdkdp.exe] C:\WINDOWS\sdkdp.exe
    O4 - HKLM\..\RunOnce: [msdg.exe] C:\WINDOWS\system32\msdg.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .mp4: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
    O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1087411641547
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1682722ea85e2593b002/netzip/RdxIE601.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38010.9193981482
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    Thank you,

    Rich
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Re: Hijack This Log - new version

    Hi Rich Roach,

    Before you start, please unzip HijackThis to a separate folder. The program will make backups in the folder it's in.
    These will now end up on your desktop.

    Click Start > Run > Services.msc > OK
    In the services window find Network Security Service.
    Right-click it and stop it. Set the Startup type to Disabled under Properties > General tab.

    Then open TaskManager and stop these two processes:
    C:\WINDOWS\system32\ntxx.exe
    C:\WINDOWS\system32\systi.exe

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xkyhc.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xkyhc.dll/index.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://xkyhc.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xkyhc.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://xkyhc.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xkyhc.dll/sp.html#37049
    O2 - BHO: (no name) - {5E5BCC20-3714-13E6-A800-5A0B8A51992C} - C:\WINDOWS\system32\javazu32.dll

    O4 - HKLM\..\Run: [systi.exe] C:\WINDOWS\system32\systi.exe

    O4 - HKLM\..\RunOnce: [addlx32.exe] C:\WINDOWS\addlx32.exe
    O4 - HKLM\..\RunOnce: [winvt.exe] C:\WINDOWS\system32\winvt.exe
    O4 - HKLM\..\RunOnce: [ietm32.exe] C:\WINDOWS\system32\ietm32.exe
    O4 - HKLM\..\RunOnce: [ntxx.exe] C:\WINDOWS\system32\ntxx.exe
    O4 - HKLM\..\RunOnce: [crvr32.exe] C:\WINDOWS\crvr32.exe
    O4 - HKLM\..\RunOnce: [appsn32.exe] C:\WINDOWS\appsn32.exe
    O4 - HKLM\..\RunOnce: [sdkjd.exe] C:\WINDOWS\system32\sdkjd.exe
    O4 - HKLM\..\RunOnce: [iete.exe] C:\WINDOWS\system32\iete.exe
    O4 - HKLM\..\RunOnce: [msfd.exe] C:\WINDOWS\system32\msfd.exe
    O4 - HKLM\..\RunOnce: [appub32.exe] C:\WINDOWS\appub32.exe
    O4 - HKLM\..\RunOnce: [mfcjb32.exe] C:\WINDOWS\mfcjb32.exe
    O4 - HKLM\..\RunOnce: [atlcr.exe] C:\WINDOWS\system32\atlcr.exe
    O4 - HKLM\..\RunOnce: [javakl.exe] C:\WINDOWS\javakl.exe
    O4 - HKLM\..\RunOnce: [sysbi32.exe] C:\WINDOWS\sysbi32.exe
    O4 - HKLM\..\RunOnce: [addiz32.exe] C:\WINDOWS\system32\addiz32.exe
    O4 - HKLM\..\RunOnce: [winzv.exe] C:\WINDOWS\winzv.exe
    O4 - HKLM\..\RunOnce: [appxp.exe] C:\WINDOWS\appxp.exe
    O4 - HKLM\..\RunOnce: [sysmi.exe] C:\WINDOWS\sysmi.exe
    O4 - HKLM\..\RunOnce: [winds.exe] C:\WINDOWS\winds.exe
    O4 - HKLM\..\RunOnce: [nettl.exe] C:\WINDOWS\system32\nettl.exe
    O4 - HKLM\..\RunOnce: [sdklb32.exe] C:\WINDOWS\system32\sdklb32.exe
    O4 - HKLM\..\RunOnce: [javavi32.exe] C:\WINDOWS\system32\javavi32.exe
    O4 - HKLM\..\RunOnce: [addnk32.exe] C:\WINDOWS\system32\addnk32.exe
    O4 - HKLM\..\RunOnce: [appov.exe] C:\WINDOWS\system32\appov.exe
    O4 - HKLM\..\RunOnce: [winpx.exe] C:\WINDOWS\winpx.exe
    O4 - HKLM\..\RunOnce: [mfcln.exe] C:\WINDOWS\system32\mfcln.exe
    O4 - HKLM\..\RunOnce: [ipmc32.exe] C:\WINDOWS\system32\ipmc32.exe
    O4 - HKLM\..\RunOnce: [netgi32.exe] C:\WINDOWS\system32\netgi32.exe
    O4 - HKLM\..\RunOnce: [ntmc32.exe] C:\WINDOWS\system32\ntmc32.exe
    O4 - HKLM\..\RunOnce: [msqh32.exe] C:\WINDOWS\msqh32.exe
    O4 - HKLM\..\RunOnce: [ieyp.exe] C:\WINDOWS\ieyp.exe
    O4 - HKLM\..\RunOnce: [mfcee.exe] C:\WINDOWS\mfcee.exe
    O4 - HKLM\..\RunOnce: [iefr32.exe] C:\WINDOWS\system32\iefr32.exe
    O4 - HKLM\..\RunOnce: [mfcad32.exe] C:\WINDOWS\mfcad32.exe
    O4 - HKLM\..\RunOnce: [wincq.exe] C:\WINDOWS\system32\wincq.exe
    O4 - HKLM\..\RunOnce: [ieyr.exe] C:\WINDOWS\ieyr.exe
    O4 - HKLM\..\RunOnce: [appqi32.exe] C:\WINDOWS\system32\appqi32.exe
    O4 - HKLM\..\RunOnce: [atlci.exe] C:\WINDOWS\system32\atlci.exe
    O4 - HKLM\..\RunOnce: [sdkal.exe] C:\WINDOWS\sdkal.exe
    O4 - HKLM\..\RunOnce: [javahj.exe] C:\WINDOWS\system32\javahj.exe
    O4 - HKLM\..\RunOnce: [addrx32.exe] C:\WINDOWS\addrx32.exe
    O4 - HKLM\..\RunOnce: [sdklj32.exe] C:\WINDOWS\sdklj32.exe
    O4 - HKLM\..\RunOnce: [javaha32.exe] C:\WINDOWS\javaha32.exe
    O4 - HKLM\..\RunOnce: [winhi.exe] C:\WINDOWS\system32\winhi.exe
    O4 - HKLM\..\RunOnce: [iptw.exe] C:\WINDOWS\iptw.exe
    O4 - HKLM\..\RunOnce: [sdknj.exe] C:\WINDOWS\sdknj.exe
    O4 - HKLM\..\RunOnce: [sdkdp.exe] C:\WINDOWS\sdkdp.exe
    O4 - HKLM\..\RunOnce: [msdg.exe] C:\WINDOWS\system32\msdg.exe

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1682722ea85e2593b002/netzip/RdxIE601.cab

    Then reboot into safe mode and delete:
    C:\WINDOWS\system32\systi.exe
    C:\WINDOWS\system32\javazu32.dat
    C:\WINDOWS\xkyhc.dll
    + the file the service is pointing at. You can find that on the tab where you disabled it, above the Startup type box.

    Post a new log when you are done, so we can see if everything worked out as planned.

    Regards,

    Pieter
     
  4. Rich Roach

    Rich Roach Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    4
    I followed your instructions, but forgot how to start up in Safe Mode, so I had to go onto the Internet in the middle of things. I think it messed things up. I still have all the same problems. Here is my latest HijackThis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 10:35:25 AM, on 18/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\sdkpm.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\apibs.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\All Users\Documents\HiJack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kamkk.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://kamkk.dll/index.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://kamkk.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kamkk.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://kamkk.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\kamkk.dll/sp.html#37049
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {AA78CB81-818D-E958-0B35-5F4AA7956452} - C:\WINDOWS\appyi.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [apibs.exe] C:\WINDOWS\system32\apibs.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKLM\..\RunOnce: [sdkpm.exe] C:\WINDOWS\sdkpm.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .mp4: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
    O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1087411641547
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38010.9193981482
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    Thanks,
    Rich
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Click Start > Run > Services.msc > OK
    In the services window find Network Security Service.
    Check if it is still disabled.
    If not, right-click it and stop it. Set the Startup type to Disabled under Properties > General tab.

    Then open TaskManager and stop these two processes:
    C:\WINDOWS\sdkpm.exe
    C:\WINDOWS\system32\apibs.exe

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kamkk.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://kamkk.dll/index.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://kamkk.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kamkk.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://kamkk.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\kamkk.dll/sp.html#37049

    O2 - BHO: (no name) - {AA78CB81-818D-E958-0B35-5F4AA7956452} - C:\WINDOWS\appyi.dll

    O4 - HKLM\..\Run: [apibs.exe] C:\WINDOWS\system32\apibs.exe

    O4 - HKLM\..\RunOnce: [sdkpm.exe] C:\WINDOWS\sdkpm.exe

    Then reboot into safe mode and delete:
    C:\WINDOWS\sdkpm.exe
    C:\WINDOWS\system32\apibs.exe
    C:\WINDOWS\appyi.dat
    C:\WINDOWS\system32\kamkk.dll

    Regards,

    Pieter
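The two replies above apply the same three-step plan to two generations of the same hijacker: fix the R0/R1 and O2/O4 entries in HijackThis, end the running copies first, then delete the files from safe mode. The script below is an added example, not part of the thread and not anything Pieter or HijackThis shipped: it reads a HijackThis log and derives that plan. Its naming heuristic (prefix such as add/app/sdk/sys/api plus two random letters and an optional "32", dropped directly into C:\WINDOWS or System32) is taken only from the file names visible in the logs in this thread, so treat its output as a starting list to confirm by hand. Two things it cannot see: the log format posted here (v1.97.7) has no services section, so the "Network Security Service" Pieter names does not appear in the log, and the companion .dat files he lists (javazu32.dat, appyi.dat) are not in the log either; the script lists the .dll the BHO entry points at. The sample log is an excerpt of the third log posted above with a few legitimate lines kept as controls.

```python
"""Added example (not from the thread): triage a HijackThis log for the
random-name hijacker seen above and turn it into the three-step cleanup plan."""
import re

# Prefixes taken from the hijacker's file names in the logs above
# (addlx32.exe, winvt.exe, ntxx.exe, crvr32.exe, javazu32.dll, sdkpm.exe, apibs.exe ...):
# prefix + two letters + optional "32". Another log may use a different scheme.
RANDOM_NAME = re.compile(
    r"^(?:add|api|app|atl|cr|ie|ip|java|mfc|ms|net|nt|sdk|sys|win)"
    r"[a-z]{2}(?:32)?\.(?:exe|dll|dat)$", re.IGNORECASE)
# A file placed directly in C:\WINDOWS or C:\WINDOWS\system32 (no deeper folder).
WINDIR_FILE = re.compile(r"^c:\\windows(?:\\system32)?\\([^\\]+)$", re.IGNORECASE)
ENTRY = re.compile(r"^(R[0-3]|O\d{1,2}) - ")            # R0/R1/O2/O4... entry lines
RES_DLL = re.compile(r"= res://(.+?\.dll)/", re.IGNORECASE)
# Program path in an O4 entry: after "] " or " = ", optionally quoted, up to .exe
PROG = re.compile(r'(?:\] |= )"?(.+?\.exe)"?(?:\s|$)', re.IGNORECASE)


def suspicious_windir_file(path):
    """Bare file name if `path` is a random-named file in the Windows dir, else None."""
    m = WINDIR_FILE.match(path.strip().strip('"'))
    return m.group(1) if m and RANDOM_NAME.match(m.group(1)) else None


def triage(log_text):
    """Return {'fix': entries to Fix checked, 'kill': running hijacker binaries
    to end in Task Manager first, 'delete': files to remove from safe mode}."""
    plan = {"fix": [], "kill": [], "delete": []}
    to_delete = {}  # lower-case file name -> full path, or None if the log shows only the name

    def mark(path):
        name = path.rsplit("\\", 1)[-1].lower()
        if "\\" in path or name not in to_delete:
            to_delete[name] = path if "\\" in path else None

    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:  # "Running processes:" block or header text
            if re.match(r"^[a-z]:\\", line, re.I) and suspicious_windir_file(line):
                plan["kill"].append(line)
            continue
        section = m.group(1)
        if section in ("R0", "R1"):
            # Start/Search page served out of a DLL through res:// is the hijack itself;
            # legitimate res:// URLs occur elsewhere (O8 Google items), so key on the section.
            r = RES_DLL.search(line)
            if r:
                plan["fix"].append(line)
                mark(r.group(1))
        elif section == "O2" and "(no name)" in line:
            # Nameless BHOs can be legitimate (Google toolbar), so also require a
            # random-named DLL dropped into the Windows dir before flagging.
            path = line.rsplit(" - ", 1)[-1]
            if suspicious_windir_file(path):
                plan["fix"].append(line)
                mark(path)
        elif section == "O4":
            p = PROG.search(line)
            if p and suspicious_windir_file(p.group(1)):
                plan["fix"].append(line)
                mark(p.group(1))
    for name, path in sorted(to_delete.items()):
        plan["delete"].append(path or name + "  (path not in log; locate it first)")
    return plan


# Excerpt of the third log posted above, with a few legitimate lines kept as controls.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\sdkpm.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\apibs.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kamkk.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://kamkk.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://kamkk.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kamkk.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://kamkk.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\kamkk.dll/sp.html#37049
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {AA78CB81-818D-E958-0B35-5F4AA7956452} - C:\WINDOWS\appyi.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [apibs.exe] C:\WINDOWS\system32\apibs.exe
O4 - HKLM\..\RunOnce: [sdkpm.exe] C:\WINDOWS\sdkpm.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
"""

if __name__ == "__main__":
    for step, items in triage(SAMPLE_LOG).items():
        print(step.upper())
        for item in items:
            print("  " + item)
```

Run on the excerpt it flags the six R0/R1 lines, the appyi.dll BHO and the apibs.exe/sdkpm.exe Run/RunOnce entries, lists the two running binaries to end first, and produces the same four-file delete list Pieter gave apart from the .dat. The Google toolbar BHO and its res:// context-menu items, qttask.exe and RAMASST.exe are left alone, which is why the checks key on the log section and the drop location rather than on res:// or "(no name)" by themselves.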
     
  6. Rich Roach

    Rich Roach Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    4
    Pieter,

    I've been away for a few weeks, but I really want to THANK you for your help with my Toshiba laptop. Everything is running clean now.

    THANK YOU!

    Rich
     