HijackThis Log Please check..

Discussion in 'adware, spyware & hijack cleaning' started by Negadelphia, Jun 11, 2004.

Thread Status:
Not open for further replies.
  1. Negadelphia

    Negadelphia Registered Member

    Joined:
    Jun 11, 2004
    Posts:
    1
    Somebody please help me, and check this hijack log, I think I got everything but not sure.

    Logfile of HijackThis v1.97.7
    Scan saved at 2:23:26 PM, on 6/11/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\support.com\bin\tgcmd.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\WINDOWS\SM1BG.EXE
    C:\documents and settings\pc\local settings\temp\c0R86wIUl.exe
    C:\documents and settings\pc\local settings\temp\N0WBq.exe
    C:\Program Files\Common files\WinTools\WToolsA.exe
    C:\WINDOWS\System32\gearsec.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Greetings Workshop\GWREMIND.EXE
    C:\Program Files\Common files\WinTools\WToolsS.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common files\WinTools\WSup.exe
    C:\WINDOWS\System32\Arzhag6.exe
    C:\WINDOWS\System32\Jot5gN9.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\AutoUpdate\AutoUpdate.exe
    C:\WINDOWS\System32\wldkmon.exe
    C:\WINDOWS\System32\wmv2disp.exe
    C:\Program Files\SysAI\SysAI.exe
    C:\Documents and Settings\pc\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [AtariBanner] "C:\Program Files\Infogrames\Atari Anniversary Edition\Volume 2\Banner.exe" /0
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
    O4 - HKLM\..\Run: [c0R86wIUl] C:\documents and settings\pc\local settings\temp\c0R86wIUl.exe
    O4 - HKLM\..\Run: [N0WBq] C:\documents and settings\pc\local settings\temp\N0WBq.exe
    O4 - HKLM\..\Run: [2N85L533MR#GJT] C:\WINDOWS\System32\WuzT.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [AutoLoader2F2u1RcLJYac] "C:\WINDOWS\System32\w3264k.exe" /PC="AM.WILD" /HideUninstall
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [2stS3Fh] wldkmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [JB22RPNFS] wmv2disp.exe
    O4 - HKCU\..\Run: [ANONYMIZER_SPYWAREKILLER] C:\Program Files\Anonymizer\sk\SpyWareKiller.exe /BOOT /SCAN
    O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: ComcastHSI (HKLM)
    O9 - Extra button: Support (HKLM)
    O9 - Extra button: Help (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/99...W/win/019-0123.20031218.zes4d/iTunesSetup.exe
    O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.napster.com/client/setup.exe
    O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://www.ea.com/downloads/rtpatch/EARTPX.cab
    O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37573.1634837963
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

    Thanks, Negz
     
  2. LoPhatPhuud

    LoPhatPhuud Spyware Fighter

    Joined:
    Jul 19, 2003
    Posts:
    45
    Location:
    Albuquerque, NM
    First:
    You have a Peper Trojan.
    Download and run this Peper trojan uninstaller, making sure you're online while running it!:
    http://downloads.subratam.org/PeperFix.exe


    Second:
    Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. I suggest 'c:\program files\hijackthis\' but any folder other than the Desktop or a temporary folder is fine.

    Reboot in Safe Mode* and run HiJackThis. <-- IMPORTANT

    Check the following items in HijackThis.
    O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll

    O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
    O4 - HKLM\..\Run: [c0R86wIUl] C:\documents and settings\pc\local settings\temp\c0R86wIUl.exe
    O4 - HKLM\..\Run: [N0WBq] C:\documents and settings\pc\local settings\temp\N0WBq.exe
    O4 - HKLM\..\Run: [2N85L533MR#GJT] C:\WINDOWS\System32\WuzT.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [AutoLoader2F2u1RcLJYac] "C:\WINDOWS\System32\w3264k.exe" /PC="AM.WILD" /HideUninstall
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [2stS3Fh] wldkmon.exe
    O4 - HKCU\..\Run: [JB22RPNFS] wmv2disp.exe

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab



    Close all windows except HijackThis and click Fix checked:

    While still in Safe Mode*, delete the following: (you may need to show hidden files**)
    C:\documents and settings\pc\local settings\temp\c0R86wIUl.exe
    C:\documents and settings\pc\local settings\temp\N0WBq.exe
    C:\Program Files\Common files\WinTools\ <-- delete entire folder
    C:\WINDOWS\System32\w3264k.exe
    C:\Program Files\AutoUpdate\ <-- delete entire folder
    C:\WINDOWS\System32\wldkmon.exe
    C:\WINDOWS\System32\wmv2disp.exe
    C:\Program Files\SysAI\ <-- delete entire folder


    *How to Boot into Safe mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    **Show Hidden and System files and folders
    http://www.xtra.co.nz/help/0,,4155-1916458,00.html

    Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.

    Reboot in normal mode.

    Run HiJackThis again and post a new log in this thread.
     
Thread Status:
Not open for further replies.