Hijack this log

Discussion in 'adware, spyware & hijack cleaning' started by Lawrence, Nov 17, 2003.

Thread Status:
Not open for further replies.
  1. Lawrence

    Lawrence Guest

    got a trojan, used Search & Destroy. My browser search page is still defaulting to here4search.com upon reboot. Can you help?

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
    C:\PROGRAM FILES\NETWORK ICE\BLACKICE\BLACKD.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    O2 - BHO: (no name) - {1678F7E1-C422-11D0-AD7D-00400515CAAA} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
    O4 - HKLM\..\RunServices: [McAfeeVirusScanService] c:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
    O4 - HKLM\..\RunServices: [LoadBlackD] C:\Program Files\Network ICE\BlackICE\blackd.exe
    O4 - HKCU\..\Run: [loader] C:\WINDOWS\LOADER.EXE
    O4 - HKCU\..\Run: [iedll] C:\WINDOWS\iedll.exe
    O4 - Startup: BlackICE Utility.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
    O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo\MemTurbo.exe
    O4 - Startup: NetTurbo.lnk = C:\Program Files\SharewareOnline.com, Inc\NetTurbo\NetTurbo.exe
    O4 - Startup: America Online 6.0 Tray Icon.lnk.disabled
    O4 - Startup: Billminder.lnk.disabled
    O4 - Startup: Quicken Startup.lnk.disabled
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Dell Home (HKCU)
    O9 - Extra button: @Home (HKCU)
    O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
    O12 - Plugin for .ppz: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npsurge.dll
    O12 - Plugin for .avi: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npavi32.dll
    O12 - Plugin for .kad: C:\PROGRA~1\INTERN~1\PLUGINS\npaucd32.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.cox.net
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {2FF18E20-DE11-11D1-8161-00A0C90DD90C} (MSNBC News Menu Control 3.01) - http://msnbc.com/download/nm1228.cab
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.bitstream.com/wfplayer/tdserver.cab
    O16 - DPF: {BF8AEBF6-0656-11d4-9EFF-00B0D011B1AE} (Communities.com TPV Support 01) - http://www.thepalace.com/TPV/CC_SUPPORT.cab
    O16 - DPF: Communities.com The Palace Viewer - http://www.thepalace.com/TPV/CC_TPV.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (IPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {BB276850-DFAB-11D3-9C4B-00A0C94C8A8A} (ParallelGraphics Cortona Sound Support) - http://www.parallelgraphics.com/bin/cortdsnd.cab
    O16 - DPF: {10B80390-96A7-11D3-B7A6-00A0C94C6AE0} (ParallelGraphics Cortona JavaScript Support) - http://www.parallelgraphics.com/bin/cortjs.cab
    O16 - DPF: {10B80394-96A7-11D3-B7A6-00A0C94C6AE0} (ParallelGraphics Cortona DirectX Support) - http://www.parallelgraphics.com/bin/corthwrdx.cab
    O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortcore.cab
    O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - http://www.wildtangent.com/install/wdriver/arcadegames/blasterball/wildtangent/wtinst.cab
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.25.43/14779ef529bd9f76b721/netzip/RdxIE.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecurecare.net/rnt/rnl/java/RntX.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021126/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} (CInstall Class) - http://www.wildtangent.com/webdrivers/webinstall/shockwave/Install.cab
     
  2. BWMerlin

    BWMerlin Registered Member

    Joined:
    Aug 11, 2003
    Posts:
    71
    Hi these can be fixed but u may want to wait for someone to confirm.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    O2 - BHO: (no name) - {1678F7E1-C422-11D0-AD7D-00400515CAAA} - (no file)
    O4 - HKCU\..\Run: [loader] C:\WINDOWS\LOADER.EXE
    O4 - HKCU\..\Run: [iedll] C:\WINDOWS\iedll.exe
    All 016 entries, if u need them u will be ask to dl them agian

    Like i said u may want to wait for someone to confirm.
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,429
    Location:
    Netherlands
    Hi Lawrence,

    Download, unzip and run: http://www.spywareinfoforum.com/~merijn/files/cwshredder.zip

    Then have HijackThis Fix:
    O2 - BHO: (no name) - {1678F7E1-C422-11D0-AD7D-00400515CAAA} - (no file)
    O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - http://www.wildtangent.com/install/wdriver/arcadegames/blasterball/wildtangent/wtinst.cab
    O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.25.43/14779ef529bd9f76b721/netzip/RdxIE.cab
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} (CInstall Class) - http://www.wildtangent.com/webdrivers/webinstall/shockwave/Install.cab

    Then reboot.

    If you still have problems then, could you please post a log including the header? It can be important to know what version of HijackThis, IE and Windows you are using.

    Regards,

    Pieter
     
  4. Lawrence

    Lawrence Guest

    Thanks a ton.
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,429
    Location:
    Netherlands
    You're welcome. :)

    Pieter
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.