Hijack This Log

Discussion in 'adware, spyware & hijack cleaning' started by cslice, Feb 25, 2004.

Thread Status:
Not open for further replies.
  1. cslice

    cslice Registered Member

    Joined:
    Feb 10, 2004
    Posts:
    15
    Location:
    South-Eastern PA
    Good gentlemen,

    My client's PC has been suffering from hijackings, I'm hoping you can assist me in getting things corrected. I've run Spybot S&D, but have been unable to install Ad Aware. Complaints are runtime errors, the usual hijacking crap, and a "myrealpics" file in the IE favorites.

    Thanks millions,

    Craig

    Logfile of HijackThis v1.97.7
    Scan saved at 6:51:45 PM, on 2/25/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\STOPzilla!\szntsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\LXSUPMON.EXE
    C:\Program Files\STOPzilla!\Stopzilla.exe
    C:\WINDOWS\System32\S3tray2.exe
    C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Handspring\HOTSYNC.EXE
    C:\Program Files\STOPzilla!\Stopzilla.exe
    C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
    C:\Program Files\Handspring\AlarmApp.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://1-se.com/srchasst.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://1-se.com/home.html (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://1-se.com/home.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus7.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://1-se.com/srchasst.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://1-se.com/home.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\homepage.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://1-se.com/home.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.find4u.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://1-se.com/home.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = "C:\Program Files\Outlook Express\msimn.exe"
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://1-se.com/srchasst.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://1-se.com/srchasst.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://1-se.com/srchasst.html (obfuscated)
    O1 - Hosts: 216.200.3.32 worldsex.com
    O1 - Hosts: 216.200.3.32 www.worldsex.com
    O1 - Hosts: 216.200.3.32 sexocean.com
    O1 - Hosts: 216.200.3.32 www.sexocean.com
    O1 - Hosts: 216.200.3.32 easypic.com
    O1 - Hosts: 216.200.3.32 www.easypic.com
    O1 - Hosts: 216.200.3.32 free6.com
    O1 - Hosts: 216.200.3.32 www.free6.com
    O1 - Hosts: 216.200.3.32 al4a.com
    O1 - Hosts: 216.200.3.32 www.al4a.com
    O1 - Hosts: 216.200.3.32 thumbnailpost.com
    O1 - Hosts: 216.200.3.32 www.thumbnailpost.com
    O1 - Hosts: 216.200.3.32 drbizzaro.com
    O1 - Hosts: 216.200.3.32 www.drbizzaro.com
    O1 - Hosts: 216.200.3.32 hoes.com
    O1 - Hosts: 216.200.3.32 www.hoes.com
    O1 - Hosts: 216.200.3.32 absolut-series.com
    O1 - Hosts: 216.200.3.32 www.absolut-series.com
    O1 - Hosts: 216.200.3.32 elephantlist.com
    O1 - Hosts: 216.200.3.32 www.elephantlist.com
    O1 - Hosts: 216.200.3.32 ah-me.com
    O1 - Hosts: 216.200.3.32 www.ah-me.com
    O2 - BHO: (no name) - {00110011-4B0B-44D5-9718-90C88817369B} - C:\WINDOWS\NavExt.dll
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_11_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\System32\StopzillaBHO.dll
    O2 - BHO: (no name) - {f760cb9e-c60f-4a89-890e-fae8b849493e} - C:\WINDOWS\madise.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_11_0.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
    O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
    O4 - HKLM\..\Run: [STOPzillaInstall] C:\Program Files\STOPzilla!\SZSetup.exe install=local product_install=SZProBase.msi sz_install=finish
    O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell.dll /c /set
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe
    O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
    O4 - HKLM\..\Run: [BCNT] C:\PROGRA~1\AWS\WEATHE~1\BCNT.EXE
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - Startup: Alarm Manager.LNK = C:\Program Files\Handspring\AlarmApp.exe
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
    O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: MiniEYE-MiniREAD Launch.lnk = C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
    O4 - Global Startup: MSupdate.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: winlogon.exe
    O9 - Extra button: Yahoo! Login (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} (IRDIXAObj Class) -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A65064D3-BE9F-4EE2-91B1-56842EDC837C}: NameServer = 209.195.201.3 209.195.192.3
    O19 - User stylesheet: C:\WINDOWS\sample.txt
     
  2. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hi cslice :)

    Welcome to Wilders.

    Could u please download and run CWShredder.

    Then post a fresh log.



    snowbound
     
  3. cslice

    cslice Registered Member

    Joined:
    Feb 10, 2004
    Posts:
    15
    Location:
    South-Eastern PA
    OK, ran CWShredder and ran a new log (below).

    Thanks!


    Logfile of HijackThis v1.97.7
    Scan saved at 7:06:28 PM, on 2/25/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\STOPzilla!\szntsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\LXSUPMON.EXE
    C:\Program Files\STOPzilla!\Stopzilla.exe
    C:\WINDOWS\System32\S3tray2.exe
    C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Handspring\HOTSYNC.EXE
    C:\Program Files\STOPzilla!\Stopzilla.exe
    C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
    C:\Program Files\Handspring\AlarmApp.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus7.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\homepage.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.find4u.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = "C:\Program Files\Outlook Express\msimn.exe"
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://1-se.com/srchasst.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://1-se.com/srchasst.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://1-se.com/srchasst.html (obfuscated)
    O1 - Hosts: 216.200.3.32 worldsex.com
    O1 - Hosts: 216.200.3.32 www.worldsex.com
    O1 - Hosts: 216.200.3.32 sexocean.com
    O1 - Hosts: 216.200.3.32 www.sexocean.com
    O1 - Hosts: 216.200.3.32 easypic.com
    O1 - Hosts: 216.200.3.32 www.easypic.com
    O1 - Hosts: 216.200.3.32 free6.com
    O1 - Hosts: 216.200.3.32 www.free6.com
    O1 - Hosts: 216.200.3.32 al4a.com
    O1 - Hosts: 216.200.3.32 www.al4a.com
    O1 - Hosts: 216.200.3.32 thumbnailpost.com
    O1 - Hosts: 216.200.3.32 www.thumbnailpost.com
    O1 - Hosts: 216.200.3.32 drbizzaro.com
    O1 - Hosts: 216.200.3.32 www.drbizzaro.com
    O1 - Hosts: 216.200.3.32 hoes.com
    O1 - Hosts: 216.200.3.32 www.hoes.com
    O1 - Hosts: 216.200.3.32 absolut-series.com
    O1 - Hosts: 216.200.3.32 www.absolut-series.com
    O1 - Hosts: 216.200.3.32 elephantlist.com
    O1 - Hosts: 216.200.3.32 www.elephantlist.com
    O1 - Hosts: 216.200.3.32 ah-me.com
    O1 - Hosts: 216.200.3.32 www.ah-me.com
    O2 - BHO: (no name) - {00110011-4B0B-44D5-9718-90C88817369B} - C:\WINDOWS\NavExt.dll
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_11_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\System32\StopzillaBHO.dll
    O2 - BHO: (no name) - {f760cb9e-c60f-4a89-890e-fae8b849493e} - C:\WINDOWS\madise.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_11_0.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
    O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
    O4 - HKLM\..\Run: [STOPzillaInstall] C:\Program Files\STOPzilla!\SZSetup.exe install=local product_install=SZProBase.msi sz_install=finish
    O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell.dll /c /set
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe
    O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
    O4 - HKLM\..\Run: [BCNT] C:\PROGRA~1\AWS\WEATHE~1\BCNT.EXE
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - Startup: Alarm Manager.LNK = C:\Program Files\Handspring\AlarmApp.exe
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
    O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: MiniEYE-MiniREAD Launch.lnk = C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
    O4 - Global Startup: MSupdate.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: winlogon.exe
    O9 - Extra button: Yahoo! Login (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} (IRDIXAObj Class) -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A65064D3-BE9F-4EE2-91B1-56842EDC837C}: NameServer = 209.195.201.3 209.195.192.3
    O19 - User stylesheet: C:\WINDOWS\sample.txt
     
  4. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Your client's log is looking better. :)

    Some of those host files look a little suspicious. ;)

    I do not have enough experience with HijackThis so just be patient and one of the experts will be along to assist u with the rest of your log.

    Thanks.


    snowbound
     
  5. cslice

    cslice Registered Member

    Joined:
    Feb 10, 2004
    Posts:
    15
    Location:
    South-Eastern PA
    Thanks, snowbound, I thought some of the host entries looked fishy myself!

    Craig
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi cslice,

    What version of CWShredder did you use and did it complete the job?
    Some entries in your last log should have been removed.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\homepage.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.find4u.net/sp.htm

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://1-se.com/srchasst.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://1-se.com/srchasst.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://1-se.com/srchasst.html (obfuscated)
    O1 - Hosts: 216.200.3.32 worldsex.com
    O1 - Hosts: 216.200.3.32 www.worldsex.com
    O1 - Hosts: 216.200.3.32 sexocean.com
    O1 - Hosts: 216.200.3.32 www.sexocean.com
    O1 - Hosts: 216.200.3.32 easypic.com
    O1 - Hosts: 216.200.3.32 www.easypic.com
    O1 - Hosts: 216.200.3.32 free6.com
    O1 - Hosts: 216.200.3.32 www.free6.com
    O1 - Hosts: 216.200.3.32 al4a.com
    O1 - Hosts: 216.200.3.32 www.al4a.com
    O1 - Hosts: 216.200.3.32 thumbnailpost.com
    O1 - Hosts: 216.200.3.32 www.thumbnailpost.com
    O1 - Hosts: 216.200.3.32 drbizzaro.com
    O1 - Hosts: 216.200.3.32 www.drbizzaro.com
    O1 - Hosts: 216.200.3.32 hoes.com
    O1 - Hosts: 216.200.3.32 www.hoes.com
    O1 - Hosts: 216.200.3.32 absolut-series.com
    O1 - Hosts: 216.200.3.32 www.absolut-series.com
    O1 - Hosts: 216.200.3.32 elephantlist.com
    O1 - Hosts: 216.200.3.32 www.elephantlist.com
    O1 - Hosts: 216.200.3.32 ah-me.com
    O1 - Hosts: 216.200.3.32 www.ah-me.com
    O2 - BHO: (no name) - {00110011-4B0B-44D5-9718-90C88817369B} - C:\WINDOWS\NavExt.dll

    O2 - BHO: (no name) - {f760cb9e-c60f-4a89-890e-fae8b849493e} - C:\WINDOWS\madise.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell.dll /c /set
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe

    O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe

    O4 - Global Startup: MSupdate.exe

    O4 - Global Startup: winlogon.exe

    O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} (IRDIXAObj Class) -

    O19 - User stylesheet: C:\WINDOWS\sample.txt

    Download the latest version of CWShredder. Unzip and run it by using the Fix button, and carefully follow the instructions the program gives you.

    Regards,

    Pieter
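    A small triage script, added here as an example (not part of this thread, and not HijackThis's own code), that applies the kinds of checks Pieter made above to HijackThis log lines: R entries marked "(obfuscated)", hosts entries pointing real domains at a non-loopback address, CLSIDs with no backing file, Windows system binary names launched from outside System32, and a user stylesheet override. The sample lines are taken from the log posted in this thread plus one constructed loopback hosts line; the heuristics and the `SYSTEM_NAMES` list are mine, not the tool's.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the HijackThis log posted above,
# plus one made-up 127.0.0.1 hosts line to show that loopback entries are not flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://1-se.com/srchasst.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O1 - Hosts: 216.200.3.32 worldsex.com
O1 - Hosts: 216.200.3.32 www.worldsex.com
O1 - Hosts: 127.0.0.1 ads.example.test
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe
O4 - Global Startup: winlogon.exe
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} (IRDIXAObj Class) -
O19 - User stylesheet: C:\WINDOWS\sample.txt
"""

LINE_RE = re.compile(r"^(R\d|O\d+) - (.*)$")          # "O4 - <body>"
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")      # "Hosts: <ip> <domain>"
EXE_RE = re.compile(r'"?([^"]*?\.exe)', re.IGNORECASE)  # first .exe path in a command
# Names that belong in System32; the same name elsewhere is worth a second look.
SYSTEM_NAMES = {"winlogon.exe", "lsass.exe", "services.exe", "smss.exe", "csrss.exe", "svchost.exe"}
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


def parse(text):
    """Yield (section, body) for every HijackThis entry line; header lines are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(text):
    """Return a list of (log line, reason) pairs for entries that deserve review."""
    findings = []
    hosts_by_ip = defaultdict(list)
    for section, body in parse(text):
        line = f"{section} - {body}"
        if section.startswith("R") and body.endswith("(obfuscated)"):
            findings.append((line, "IE search/start setting stored obfuscated"))
        elif section == "O1":
            m = HOSTS_RE.match(body)
            if m:
                hosts_by_ip[m.group(1)].append(line)   # group so mass redirects stand out
        elif section in ("O2", "O16") and (body.endswith("(no file)") or body.endswith(" -")):
            findings.append((line, "CLSID registered but no backing file"))
        elif section == "O4":
            # Run-key entries carry "[name] command"; Startup entries carry "Startup: command".
            cmd = body.split("] ", 1)[1] if "] " in body else body.split(": ", 1)[-1]
            m = EXE_RE.search(cmd)
            if m:
                exe = m.group(1)
                name = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
                if name in SYSTEM_NAMES and "\\system32\\" not in exe.lower():
                    findings.append((line, f"{name} launched from outside System32"))
        elif section == "O19":
            findings.append((line, "user stylesheet override set"))
    # Hosts entries to loopback are typical blocklists; anything else redirects real sites.
    for ip, lines in hosts_by_ip.items():
        if ip not in LOOPBACK:
            for entry in lines:
                findings.append((entry, f"hosts entry redirects domain to {ip} ({len(lines)} domains share it)"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {entry}")
```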
     
  7. cslice

    cslice Registered Member

    Joined:
    Feb 10, 2004
    Posts:
    15
    Location:
    South-Eastern PA
    Pieter,

    Obviously the version of CWShredder I used was old, v1.04.1. I've downloaded v1.51.1 and will run it on my client's PC. Unfortunately, I won't be able to do that until next Monday. In this case I think I will run CWShredder, run another HJT log and fix what you've indicated. I notice you indicate removing the reference to "SpyHunter", which is a program that my client purchased. Will removing that reference remove "SpyHunter" from start up?

    Many thanks,
    Craig
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Craig,

    Yes, removing that entry will remove SpyHunter from startup.
    I'm sorry to hear he paid for it.
    IMO he could have done better with getting Spybot S&D or AdAware.
    Both have free versions and are much more effective (still IMO).

    Regards,

    Pieter
     
  9. cslice

    cslice Registered Member

    Joined:
    Feb 10, 2004
    Posts:
    15
    Location:
    South-Eastern PA
    Not a problem. He does have Spybot S&D and AdAware (which wouldn't install for some reason), but he got the SpyHunter on his own. As long as I'm successful in removing his hijacker and protecting him from future infections, it will exist only to make him feel better. I REALLY appreciate all the help given here, you are all exceptionally generous with your time and talents! Those responsible for these hijackers should be strung up!

    Best,
    Craig
     