HiJack This Log Please Help!!

Discussion in 'adware, spyware & hijack cleaning' started by annie_lynn, Jun 26, 2004.

Thread Status:
Not open for further replies.
  1. annie_lynn

    annie_lynn Registered Member

    Joined:
    May 22, 2004
    Posts:
    23
    HiJack This Log Please Help ASAP!!!

    I recently got some pretty nasty Spyware on my computer and I can't get my MSN Toolbar to work now. Please let me know what to get rid of. Thanks.



    Logfile of HijackThis v1.97.7
    Scan saved at 5:15:23 PM, on 6/26/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
    C:\WINDOWS\System32\dci_hp.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\System32\elsmsnap.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\Dap69iMO.exe
    C:\WINDOWS\System32\Hdh0MJdr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Andrea Harwell\Desktop\Andrea's Music & Stuff\Other\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.amazon.com/
    R3 - Default URLSearchHook is missing
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
    O4 - HKLM\..\Run: [2N85L533MR#GJT] C:\WINDOWS\System32\LegMSCZ.exe
    O4 - HKLM\..\Run: [577j3Ej] dci_hp.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"
    O4 - HKCU\..\Run: [KwotROH6W] elsmsnap.exe
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38119.944525463
    O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://play02.pogo.com/game/deluxe/zuma/popcaploader_v5.cab
     
    Last edited: Jun 28, 2004
  2. annie_lynn

    annie_lynn Registered Member

    Joined:
    May 22, 2004
    Posts:
    23
    bump

    Will someone please help me??
     
  3. annie_lynn

    annie_lynn Registered Member

    Joined:
    May 22, 2004
    Posts:
    23
    bump


    Hello?? Will someone please help me?? I could really use the help!!
     
  4. annie_lynn

    annie_lynn Registered Member

    Joined:
    May 22, 2004
    Posts:
    23
    Re: HiJack This Log I NEED HELP ASAP!!!

    bump

    Will someone please help me?? I've been posting for days and no one is helping me!!! Please help me with what I need to fix on my Hijack This Log!!
     
  5. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Hi annie_lynn

    Download the peper fix here. Make sure you are connected to the net and run it. If asked by your firewall for permission to access the net, please grant permission. Reboot and run it a second time while connected to the net.

    Then check the following items in Hijackthis - close ALL windows\browsers except Hijackthis and click "Fix checked":

    C:\WINDOWS\System32\dci_hp.exe

    You know what this is?
    C:\WINDOWS\System32\elsmsnap.exe
    If NOT - pls. check !

    pls. scan this file
    C:\WINDOWS\system32\slserv.exe
    http://www.kaspersky.com/remoteviruschk.html

    Any idea what this is?
    C:\WINDOWS\System32\Dap69iMO.exe
    If NOT - pls. check !

    C:\WINDOWS\System32\Hdh0MJdr.exe

    R3 - Default URLSearchHook is missing

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe

    O4 - HKLM\..\Run: [2N85L533MR#GJT] C:\WINDOWS\System32\LegMSCZ.exe
    O4 - HKLM\..\Run: [577j3Ej] dci_hp.exe

    O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"
    O4 - HKCU\..\Run: [KwotROH6W] elsmsnap.exe

    Make sure you can view hidden and system files: Instructions here

    NOTE: even in safe mode you may have to open Task Manager and end task on some of them before you can delete them.

    Then Boot to safe mode: Instructions here

    Delete the following files\folders IF still present:

    C:\WINDOWS\System32\dci_hp.exe
    C:\WINDOWS\System32\elsmsnap.exe <-- see above !
    C:\WINDOWS\system32\slserv.exe <-- see above !
    C:\WINDOWS\System32\Dap69iMO.exe <-- see above !
    C:\WINDOWS\System32\Hdh0MJdr.exe
    C:\WINDOWS\System32\dp-him.exe
    C:\WINDOWS\System32\LegMSCZ.exe
    C:\Program Files\\MProcessor

    Then reboot and use AdAware as described here:
    https://www.wilderssecurity.com/showthread.php?t=15913

    Empty your Temporary Internet Files and history in Internet Options. And clean out your
    %Userprofile%\Local Settings\Temp
    folder. It's a good idea to do that regularly.

    Then Disable system restore: Instructions here
    Reboot

    Enable System Restore.

    Pls. post another log.
     
  6. annie_lynn

    annie_lynn Registered Member

    Joined:
    May 22, 2004
    Posts:
    23
    How do you get it to bring up the running processes on Hijack This??
    'Cause I'm not sure how to delete those because when I do the scan it doesn't show those, but they show up when I save the log.
     
  7. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Open your Task Manager BEFORE you go into safe mode and END all the tasks I mentioned in the log - this way it will be "easier".
     
  8. annie_lynn

    annie_lynn Registered Member

    Joined:
    May 22, 2004
    Posts:
    23
    How do you get to %Userprofile%\Local Settings\Temp ??
     
  9. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    YOUR NAME \Local Settings\Temp
     
  10. annie_lynn

    annie_lynn Registered Member

    Joined:
    May 22, 2004
    Posts:
    23
    Here's the new log:


    Logfile of HijackThis v1.97.7
    Scan saved at 1:00:55 AM, on 6/28/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Andrea Harwell\Desktop\Andrea's Music & Stuff\Other\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://amazon.com/
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38119.944525463
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://play02.pogo.com/game/deluxe/zuma/popcaploader_v5.cab
     
  11. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Hi annie_lynn

    Almost done - I finally found this one.

    Check the following item in HijackThis - close ALL browsers\windows and click "Fix checked":

    C:\WINDOWS\system32\slserv.exe

    Reboot into SAFEMODE and delete

    C:\WINDOWS\system32\slserv.exe

    Reboot

    Then go for an on-line scan:

    http://housecall.trendmicro.com/housecall/start_corp.asp
    http://www.pandasoftware.com/activescan/

    Allow them to clean.

    Then Disable system restore: Instructions here
    Reboot

    Enable System Restore.


    If you got rid of this one - your log is clean !!
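
The before/after comparison that the first two logs in this thread invite, as an added example (not part of the original posts and not HijackThis code): a small Python parser that diffs two HijackThis logs and reports which flagged processes are still running. The names `parse_hjt` and `diff_logs` are hypothetical, and the sample logs are abridged from the ones posted above.

```python
import re

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")  # e.g. "O4 - HKLM\..\Run: [...]"

def parse_hjt(text):
    """Return (running process paths, {(section, detail)}) from a HijackThis log."""
    procs, entries, in_procs = set(), set(), False
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if line.lower().startswith("running processes"):
            in_procs = True
        elif m:
            in_procs = False  # first R/O entry ends the process list
            entries.add((m.group(1), m.group(2)))
        elif in_procs and line:
            procs.add(line.lower())  # Windows paths are case-insensitive
    return procs, entries

def diff_logs(before, after, flagged):
    """Compare two logs: what the cleanup removed, and what flagged items remain."""
    p0, e0 = parse_hjt(before)
    p1, e1 = parse_hjt(after)
    flagged = {f.lower() for f in flagged}
    return {
        "removed_entries": sorted(e0 - e1),
        "new_entries": sorted(e1 - e0),
        "stopped": sorted(p0 - p1),
        "still_running": sorted(p1 & flagged),
    }

# Abridged from the first and second logs posted in this thread.
BEFORE = r"""Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\dci_hp.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\Hdh0MJdr.exe
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [577j3Ej] dci_hp.exe
"""
AFTER = r"""Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\slserv.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
"""
FLAGGED = [r"C:\WINDOWS\System32\dci_hp.exe", r"C:\WINDOWS\system32\slserv.exe",
           r"C:\WINDOWS\System32\Hdh0MJdr.exe"]
print(diff_logs(BEFORE, AFTER, FLAGGED))
```

On these excerpts the diff shows the R3 and two O4 entries gone and `slserv.exe` as the only flagged process still running.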
     
  12. annie_lynn

    annie_lynn Registered Member

    Joined:
    May 22, 2004
    Posts:
    23
    It's not letting me end that process in the Task Manager
     
  13. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    It is a virus - go directly to an on-line scan !!!
     
  14. annie_lynn

    annie_lynn Registered Member

    Joined:
    May 22, 2004
    Posts:
    23
    Here's an updated log:
    Just thought you might want to double check it.


    Logfile of HijackThis v1.97.7
    Scan saved at 2:19:15 AM, on 6/28/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Documents and Settings\Andrea Harwell\Desktop\Andrea's Music & Stuff\Other\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://amazon.com/
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38119.944525463
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://play02.pogo.com/game/deluxe/zuma/popcaploader_v5.cab
     