HIJACKTHIS LOG- PLEEESE HELP

Discussion in 'adware, spyware & hijack cleaning' started by gpinto, Jun 28, 2004.

Thread Status:
Not open for further replies.
  1. gpinto

    gpinto Registered Member

    Joined:
    Jun 28, 2004
    Posts:
    1

    Logfile of HijackThis v1.97.7
    Scan saved at 5:55:42 PM, on 6/28/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\basfipm.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\System32\RegSrvc.exe
    C:\WINDOWS\System32\RoamMgr.exe
    C:\WINDOWS\System32\ScsiAccess.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\Program Files\Intel\Switching\User\RoamSvc.exe
    C:\WINDOWS\addom32.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\syskx.exe
    C:\PROGRA~1\AIM\aim.exe
    C:\Program Files\Webroot\Washer\wwDisp.exe
    C:\WINDOWS\webshots.scr
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\fzaig.dll/sp.html#27063
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.upenn.edu/penn_portal/view.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.upenn.edu/penn_portal/view.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\fzaig.dll/sp.html#27063
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://fzaig.dll/index.html#27063
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\fzaig.dll/sp.html#27063
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53D3238B-64AB-2309-6B42-5DFB1EF3F534} - C:\WINDOWS\system32\javajm.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [d3yz.exe] C:\WINDOWS\system32\d3yz.exe
    O4 - HKLM\..\Run: [wingu.exe] C:\WINDOWS\system32\wingu.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [syskx.exe] C:\WINDOWS\syskx.exe
    O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
    O4 - HKLM\..\RunOnce: [netwh.exe] C:\WINDOWS\netwh.exe
    O4 - HKLM\..\RunOnce: [mfcqz.exe] C:\WINDOWS\mfcqz.exe
    O4 - HKLM\..\RunOnce: [addrz.exe] C:\WINDOWS\system32\addrz.exe
    O4 - HKLM\..\RunOnce: [ietu.exe] C:\WINDOWS\system32\ietu.exe
    O4 - HKLM\..\RunOnce: [ipkk32.exe] C:\WINDOWS\ipkk32.exe
    O4 - HKLM\..\RunOnce: [ntgh32.exe] C:\WINDOWS\ntgh32.exe
    O4 - HKLM\..\RunOnce: [addru32.exe] C:\WINDOWS\addru32.exe
    O4 - HKLM\..\RunOnce: [ntxt.exe] C:\WINDOWS\system32\ntxt.exe
    O4 - HKLM\..\RunOnce: [atlzk.exe] C:\WINDOWS\atlzk.exe
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Get It With Kontiki - res://C:\Program Files\Kontiki\bin\bh304181.dll/201
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37864.9131597222
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D3D83E08-54D1-4E9D-8EAF-9F979D139294} (MaxisSimCityScapeTeleX Control) - http://simcity.ea.com/scape/teleport/MaxisSimCityScapeTeleX.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://play01.pogo.com/game/deluxe/zuma/popcaploader_v5.cab
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup145.cab
    O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/download/0.x/regdload.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands

    Hi gpinto,

    Click Start > Run > Services.msc > OK
    In the Services window, find Network Security Service.
    Right-click it and stop it. Set the Startup type to Disabled under Properties > General tab.

    Then open Task Manager and stop these two processes:
    C:\WINDOWS\addom32.exe
    C:\WINDOWS\syskx.exe

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\fzaig.dll/sp.html#27063

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\fzaig.dll/sp.html#27063
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://fzaig.dll/index.html#27063
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\fzaig.dll/sp.html#27063

    O2 - BHO: (no name) - {53D3238B-64AB-2309-6B42-5DFB1EF3F534} - C:\WINDOWS\system32\javajm.dll

    O4 - HKLM\..\Run: [d3yz.exe] C:\WINDOWS\system32\d3yz.exe
    O4 - HKLM\..\Run: [wingu.exe] C:\WINDOWS\system32\wingu.exe

    O4 - HKLM\..\Run: [syskx.exe] C:\WINDOWS\syskx.exe

    O4 - HKLM\..\RunOnce: [netwh.exe] C:\WINDOWS\netwh.exe
    O4 - HKLM\..\RunOnce: [mfcqz.exe] C:\WINDOWS\mfcqz.exe
    O4 - HKLM\..\RunOnce: [addrz.exe] C:\WINDOWS\system32\addrz.exe
    O4 - HKLM\..\RunOnce: [ietu.exe] C:\WINDOWS\system32\ietu.exe
    O4 - HKLM\..\RunOnce: [ipkk32.exe] C:\WINDOWS\ipkk32.exe
    O4 - HKLM\..\RunOnce: [ntgh32.exe] C:\WINDOWS\ntgh32.exe
    O4 - HKLM\..\RunOnce: [addru32.exe] C:\WINDOWS\addru32.exe
    O4 - HKLM\..\RunOnce: [ntxt.exe] C:\WINDOWS\system32\ntxt.exe
    O4 - HKLM\..\RunOnce: [atlzk.exe] C:\WINDOWS\atlzk.exe

    O8 - Extra context menu item: Get It With Kontiki - res://C:\Program Files\Kontiki\bin\bh304181.dll/201

    Then reboot into safe mode and delete:
    C:\WINDOWS\addom32.exe
    C:\WINDOWS\syskx.exe
    C:\WINDOWS\fzaig.dll
    C:\WINDOWS\system32\javajm.dat

    Look for additional information here: https://www.wilderssecurity.com/showpost.php?p=198412&postcount=26

    Regards,

    Pieter
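Added example, not part of the thread or of HijackThis itself: a small Python triage script that parses log lines in the format posted above and flags the three patterns Pieter's fix list targets (R0/R1 search pages served from a local `res://` DLL, an unnamed O2 BHO loaded from the Windows tree, and O4 Run/RunOnce executables dropped straight into C:\WINDOWS or System32), then derives the file list for the safe-mode delete step. The sample lines are copied from the log above; the system-directory heuristic and the `ALLOW` list are assumptions, not a rule from the page.

```python
import re

# Sample lines copied from the HijackThis log posted above (first post).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\fzaig.dll/sp.html#27063
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.upenn.edu/penn_portal/view.php
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53D3238B-64AB-2309-6B42-5DFB1EF3F534} - C:\WINDOWS\system32\javajm.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [d3yz.exe] C:\WINDOWS\system32\d3yz.exe
O4 - HKLM\..\RunOnce: [netwh.exe] C:\WINDOWS\netwh.exe
"""

# Assumption: an auto-start .exe dropped directly into these directories is suspect; a real
# allowlist of legitimate names (ctfmon.exe is one example) is needed before acting on hits.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}
ALLOW = {"ctfmon.exe"}

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
O2_RE = re.compile(r"BHO: (?P<name>.+?) - \{[0-9A-F-]+\} - (?P<path>.+)$")
O4_RE = re.compile(r'\[(?P<name>[^\]]+)\] "?(?P<path>[A-Za-z]:\\[^"]+?\.exe)"?')

def dir_and_file(path):
    d, _, f = path.lower().rpartition("\\")
    return d, f
def triage(log):
    """Return (section, reason, path) for entries matching the hijack pattern in the log."""
    hits = []
    for line in log.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1") and "= res://" in body:
            # IE search/start page served out of a local DLL resource: a browser hijack.
            hits.append((sec, "res:// search page", body.split("= ", 1)[1]))
        elif sec == "O2" and (b := O2_RE.search(body)):
            # Unnamed BHO loaded from the Windows tree (Acrobat's lives in Program Files).
            if b.group("name") == "(no name)" and dir_and_file(b.group("path"))[0].startswith(r"c:\windows"):
                hits.append((sec, "unnamed BHO in Windows dir", b.group("path")))
        elif sec == "O4" and (o := O4_RE.search(body)):
            d, f = dir_and_file(o.group("path"))
            if d in SYSTEM_DIRS and f not in ALLOW:
                hits.append((sec, "auto-start exe in system dir", o.group("path")))
    return hits

def delete_list(hits):
    """File paths behind the flagged entries (the safe-mode delete step), de-duplicated.
    res://C:\\WINDOWS\\fzaig.dll/sp.html#27063 is reduced to C:\\WINDOWS\\fzaig.dll."""
    paths = [p.split("/")[2] if p.startswith("res://") else p for _, _, p in hits]
    return list(dict.fromkeys(paths))
```

Entries such as the Kontiki O8 item or the `about:blank` search bar are not covered by these three heuristics and still need a human look.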
     