Hijack this log..

Discussion in 'adware, spyware & hijack cleaning' started by Avtar, May 16, 2004.

Thread Status:
Not open for further replies.
  1. Avtar

    Avtar Registered Member

    Joined:
    May 16, 2004
    Posts:
    2
    Having all kinds of problems with my computer.. I pretty much know there's all kinds of viruses, or spyware, or adware, or whatever on here. Any and all help is appreciated.

    Logfile of HijackThis v1.97.7
    Scan saved at 12:33:53 PM, on 5/16/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Avant Browser\iexplore.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\CallWave\IAM.exe
    C:\Documents and Settings\Owner\My Documents\download\velocity92c\virus2.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
    O1 - Hosts: 81.211.105.69 lender-search.com
    O1 - Hosts: 81.211.105.68 hot-searches.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [Network Service] C:\WINDOWS\svhost.exe -sr -1
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [msvbvm60] C:\WINDOWS\System32\msvbvm60.exe
    O4 - HKCU\..\Run: [WTSS] C:\WINDOWS\System32\wapisvsu.exe
    O4 - HKCU\..\Run: [Network Service] C:\WINDOWS\svhost.exe -sr -1
    O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
    O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
    O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
    O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
    O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
    O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: PartyPoker.com (HKLM)
    O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
    O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
    O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
    O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/games/clients/y/fltt3_x.cab
    O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38065.5359722222
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0CC7AE9B-88B7-491D-B5B1-3CA3C4564171}: NameServer = 198.6.100.125 198.6.1.125
     
  2. Avtar

    Avtar Registered Member

    Joined:
    May 16, 2004
    Posts:
    2
    noone can help? :(
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Avtar,


    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
    O1 - Hosts: 81.211.105.69 lender-search.com
    O1 - Hosts: 81.211.105.68 hot-searches.com

    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe

    O4 - HKLM\..\Run: [Network Service] C:\WINDOWS\svhost.exe -sr -1

    O4 - HKCU\..\Run: [msvbvm60] C:\WINDOWS\System32\msvbvm60.exe
    O4 - HKCU\..\Run: [WTSS] C:\WINDOWS\System32\wapisvsu.exe
    O4 - HKCU\..\Run: [Network Service] C:\WINDOWS\svhost.exe -sr -1

    O9 - Extra button: PartyPoker.com (HKLM)
    O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)

    Then reboot into safe mode and delete:
    C:\WINDOWS\nsdb <= entire folder
    C:\WINDOWS\sysupd.exe
    C:\WINDOWS\svhost.exe <= NOTE: only exactly that one, do not delete legitimate files with similar names
    C:\WINDOWS\System32\msvbvm60.exe <= NOTE: only the exe not the dll
    C:\WINDOWS\System32\wapisvsu.exe

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.