Hijackthis thread

Discussion in 'adware, spyware & hijack cleaning' started by Vilath, Jul 7, 2004.

Thread Status:
Not open for further replies.
  1. Vilath

    Vilath Registered Member

    Joined:
    Jun 7, 2004
    Posts:
    8
    I believe I have a CWS infection, and would like someone to take a look at my HJT log. Thanks!

    Logfile of HijackThis v1.97.7
    Scan saved at 08:43:32, on 07/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\mysql\bin\mysqld-nt.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\PROGRA~1\WHATPU~1\WHATPU~1.EXE
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Games\NWN\NWN\nwserver.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Spybot - Search & Destroy\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\V\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\V\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\V\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\V\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\V\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\V\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {A959EB24-CAE9-498D-B143-9CAA94C7F33B} - C:\WINDOWS\System32\hhn.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [WhatPulse] C:\PROGRA~1\WHATPU~1\WHATPU~1.EXE
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: PowerReg Scheduler.exe
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O10 - Broken Internet access because of LSP provider 'xfire_lsp_7626.dll' missing
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38149.1507523148
     
  2. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA
    Hello,

    Yes you have a hijack problem.

    I would first like you to download Adaware if you don't already have it (don't run it yet, but I would like you to open it and update the reference file and then close it.)

    Next, Download and install APM from: http://www.diamondcs.com.au/index.php?page=apm

    Close all windows except HijackThis and check these lines then click on Fix:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\V\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\V\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\V\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\V\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\V\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\V\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    O2 - BHO: (no name) - {A959EB24-CAE9-498D-B143-9CAA94C7F33B} - C:\WINDOWS\System32\hhn.dll

    Don't reboot yet.

    Start APM (the program you downloaded second)
    In the upper window select explorer.exe
    In the lower window find and rightclick C:\WINDOWS\System32\hhn.dll
    Select Unload DLL and click OK on the prompts that follow.

    Reboot and scan with AdAware (the first program you downloaded)

    Reboot. Now, do the following

    Copy the contents of the quote box to Notepad.
    Name the file Appinit.bat
    Save as type All Files
    Save on the Desktop.


    Double click on Appinit.bat
    This will create a file on the desktop named windows.txt
    Copy and paste that log here along with a new HJT log.
     
Thread Status:
Not open for further replies.