HijackThis log... They've got my baby!

Discussion in 'adware, spyware & hijack cleaning' started by antispy, Jun 8, 2004.

Thread Status:
Not open for further replies.
  1. antispy

    antispy Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    6
    So my issue is this. My friend asked me to look at a page cause he had problems with it. After doing it, I realized my homepage kept resetting to http://69.31.79.101/ I've run spyware programs and no such luck it keeps doing it, I ditched some things in HijackThis that were related to it but still no luck. Did I miss anything? You must help me! My computer is dying! SAVE MY BABY! ... Sorry for the dramatics... But anyway any help would be appreciated. Even if it requires me to edit the logs by myself I'll do it. This is a log after I cleared it the first time when it came back. If you can help me I can help my friend so you can save two people in the process. Thanks.




    Logfile of HijackThis v1.97.7
    Scan saved at 4:33:03 PM, on 6/8/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Softex\OmniPass\Omniserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\WINDOWS\system32\ps2.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\wt\updater\wcmdmgr.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.31.79.101/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.31.79.101/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.31.79.101/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.31.79.101/index.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://69.31.79.101/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.31.79.101/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://69.31.79.101/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://69.31.79.101/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.31.79.101/index.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.31.79.101/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.31.79.101/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://69.31.79.101/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://69.31.79.101/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.31.79.101/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://69.31.79.101/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://69.31.79.101/search.html
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\companion\Installs\cpn\ycomp5_3_12_0.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [QuickFinder Scheduler] "c:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
    O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [winupd] C:\WINDOWS\System32\winupd.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT...7.02&http://www.remington.com/firearms/3d/332
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
    O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://eq2beta.station.sony.com/beta_reg/soesysinfo.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EDBB7CF0-D1F9-456B-A55C-0A8640DB11C5}: NameServer = 151.197.0.38 151.197.0.39
     
  2. antispy

    antispy Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    6
    Oh, I also got rid of the O17. But it came back!
     
    Last edited: Jun 8, 2004
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi antispy,

    Before you start, please move hijackthis to a separate folder. The program will make backups in the folder in the folder it's in.
    Thesewill now end up on your desktop.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.31.79.101/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.31.79.101/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.31.79.101/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.31.79.101/index.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://69.31.79.101/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.31.79.101/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://69.31.79.101/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://69.31.79.101/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.31.79.101/index.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.31.79.101/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.31.79.101/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://69.31.79.101/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://69.31.79.101/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.31.79.101/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://69.31.79.101/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://69.31.79.101/search.html

    O4 - HKLM\..\Run: [winupd] C:\WINDOWS\System32\winupd.exe

    O4 - Startup: PowerReg Scheduler.exe

    Download and run: http://www.spywareinfoforum.com/~merijn/files/CWShredder.exe
    Use the Fix button and follow the instructions you will receive.

    Then reboot into safe mode and delete:
    C:\WINDOWS\System32\winupd.exe

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.