Jason - hijackthis log

Discussion in 'adware, spyware & hijack cleaning' started by DChihorn, May 27, 2004.

Thread Status:
Not open for further replies.
  1. DChihorn

    DChihorn Registered Member

    Joined:
    May 27, 2004
    Posts:
    2
    I have used HijackThis on several occasions in the past for fixing problems. I normally go to http://www.merijn.org/htlogtutorial.html for the how-to on reading the HijackThis logs. From there it also has links to the various startup lists, BHO lists and whatnot.

    I prefer to try and fix things on my own using the provided info; I don't like people doing my work for me. But that link does not seem to be working for me anymore, and I can't seem to find the replacement link to the information. So I am hoping that I can post my log file and get some help.

    Or better, if someone can feed me the new links to those info sites, I would greatly appreciate that too.


    Thanks:

    Code:
    Logfile of HijackThis v1.97.7
    Scan saved at 9:57:42 AM, on 5/27/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)
    
    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\LEXPPS.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\WINNT\System32\svchost.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
    C:\WINNT\system32\qttask.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\Internet Optimizer\optimize.exe
    C:\winnt\system32\sncntr.exe
    C:\winnt\system32\msdrvmx.exe
    C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
    C:\WINNT\system32\internat.exe
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Nikon\NkView5\NkvMon.exe
    C:\Program Files\PrecisionTime\PrecisionTime.exe
    C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
    C:\WINNT\mslagent\mslagent_.exe
    C:\Program Files\Common Files\GMT\GMT.exe
    C:\Program Files\Common Files\CMEII\CMESys.exe
    C:\WINNT\system32\videocntl.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
    C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\WINNT\msagent\AgentSvr.exe
    C:\program files\vcom\dialers\livesexcam_mx\livesexcam_mx.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\testrada\Local Settings\Temp\HijackThis.exe
    
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    F1 - win.ini: run=c:\winnt\system32\videocntl.exe
    O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINNT\system32\SafeSearch.dll (file missing)
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem216.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: DashBar Toolbar - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - C:\Program Files\DashBar\DashBar15.dll
    O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
    O4 - HKLM\..\Run: [QuickTime Task] C:\WINNT\system32\qttask.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [sncntr] c:\winnt\system32\sncntr.exe /nocomm
    O4 - HKLM\..\Run: [msdrvmx] c:\winnt\system32\msdrvmx.exe /nocomm
    O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
    O4 - HKLM\..\Run: [LiveSexCam_mx] C:\Program Files\VCom\Dialers\LiveSexCam_mx\LiveSexCam_mx.exe /dontdial 
    O4 - HKLM\..\Run: [Videocntl] c:\winnt\system32\videocntl.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [mslagent] C:\WINNT\mslagent\mslagent_.exe
    O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
    O4 - HKCU\..\Run: [Videocntl] c:\winnt\system32\videocntl.exe
    O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
    O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
    O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
    O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRzfw003
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binaries/IA/dtc32_ES.cab
    O16 - DPF: {1A9EC776-942A-4A51-8CD6-0DD9C25ED05B} - http://akamai.downloadv3.com/binaries/LiveService/LiveService_1_EN.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversInitialSetup1.0.0.8.exe
    O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binaries/IA/netia32_ES.cab
    O16 - DPF: {94F5DCB7-816C-4B94-A2C1-856C6E323C5B} - http://akamai.downloadv3.com/binaries/LiveService/LiveService_4_EN.cab
    O16 - DPF: {B3A5878E-5B4C-4D12-9156-4D7FD8D0AF6C} (Cltbuilder Class) - http://akamai.downloadv3.com/binaries/one2one/one2oneSvcEN.cab
    O16 - DPF: {CEFB7B49-9652-464F-8AFD-A577C0500F39} (EGP2ECOM Class) - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1009_1035_pack.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DA9A0B1E-9B7B-11D3-B8A4-00C04F79641C} (NSUpdateLiteCtrl Class) - http://204.177.92.201/quickdl/proclaim/NSupd9x.cab
    O16 - DPF: {FC87A650-207D-4392-A6A1-82ADBC56FA64} (MultiDist) - http://xbs.mtree.com/mt/dialers/fc/MultiDistFC.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\..\{93520553-1FA2-4DC7-8F91-B8F05E4AA644}: NameServer = 200.33.148.201,200.33.148.193
    
    
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi DChihorn,

    Hopefully you will find all the links here:
    https://www.wilderssecurity.com/showthread.php?t=15983

    This is the advice I would have given:

    Before you start, please unzip hijackthis.exe to a folder of its own. The program creates backups in the folder it is in. In a Temp folder they easily disappear.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINNT\system32\SafeSearch.dll (file missing)
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL

    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem216.dll

    O3 - Toolbar: DashBar Toolbar - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - C:\Program Files\DashBar\DashBar15.dll
    O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL

    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [sncntr] c:\winnt\system32\sncntr.exe /nocomm
    O4 - HKLM\..\Run: [msdrvmx] c:\winnt\system32\msdrvmx.exe /nocomm
    O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
    O4 - HKLM\..\Run: [LiveSexCam_mx] C:\Program Files\VCom\Dialers\LiveSexCam_mx\LiveSexCam_mx.exe /dontdial

    O4 - HKCU\..\Run: [mslagent] C:\WINNT\mslagent\mslagent_.exe
    O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe

    O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE

    O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
    O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
    O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRzfw003

    O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binaries/IA/dtc32_ES.cab
    O16 - DPF: {1A9EC776-942A-4A51-8CD6-0DD9C25ED05B} - http://akamai.downloadv3.com/binari...ervice_1_EN.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...etup1.0.0.8.exe
    O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binaries/IA/netia32_ES.cab
    O16 - DPF: {94F5DCB7-816C-4B94-A2C1-856C6E323C5B} - http://akamai.downloadv3.com/binari...ervice_4_EN.cab
    O16 - DPF: {B3A5878E-5B4C-4D12-9156-4D7FD8D0AF6C} (Cltbuilder Class) - http://akamai.downloadv3.com/binari...ne2oneSvcEN.cab
    O16 - DPF: {CEFB7B49-9652-464F-8AFD-A577C0500F39} (EGP2ECOM Class) - http://akamai.downloadv3.com/binari...9_1035_pack.cab

    O16 - DPF: {DA9A0B1E-9B7B-11D3-B8A4-00C04F79641C} (NSUpdateLiteCtrl Class) - http://204.177.92.201/quickdl/proclaim/NSupd9x.cab
    O16 - DPF: {FC87A650-207D-4392-A6A1-82ADBC56FA64} (MultiDist) - http://xbs.mtree.com/mt/dialers/fc/MultiDistFC.CAB

    Then reboot into safe mode and delete:
    C:\Program Files\Internet Optimizer <= entire folder
    c:\winnt\system32\sncntr.exe
    c:\winnt\system32\msdrvmx.exe
    C:\Program Files\Common Files\CMEII <= entire folder
    C:\Program Files\VCom\Dialers\LiveSexCam_mx <= entire folder
    C:\WINNT\mslagent <= entire folder
    C:\Program Files\PrecisionTime <= entire folder
    C:\Program Files\MyWebSearch <= entire folder
    C:\Program Files\Common Files\GMT <= entire folder

    Regards,

    Pieter
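The advice above is really two lists derived from one log: the registry and startup-folder entries to tick in HijackThis, and the files those entries point at, which still have to be deleted by hand in safe mode. The script below is an added example, not HijackThis's own code and not part of either poster's reply. It parses the O2/O3/O4/O16/O17 line formats as they appear in the log earlier in this thread (the regexes are inferred from that v1.97.7 output, which is an assumption) and turns a set of "fix" lines into a de-duplicated list of on-disk paths, the download hosts behind the O16 ActiveX entries, and the configured nameservers. The sample lines are copied from the posted log; the script never touches the registry or the filesystem.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample: lines copied verbatim from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINNT\system32\SafeSearch.dll (file missing)
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
O3 - Toolbar: DashBar Toolbar - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - C:\Program Files\DashBar\DashBar15.dll
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [sncntr] c:\winnt\system32\sncntr.exe /nocomm
O4 - HKLM\..\Run: [LiveSexCam_mx] C:\Program Files\VCom\Dialers\LiveSexCam_mx\LiveSexCam_mx.exe /dontdial
O4 - HKCU\..\Run: [mslagent] C:\WINNT\mslagent\mslagent_.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O16 - DPF: {FC87A650-207D-4392-A6A1-82ADBC56FA64} (MultiDist) - http://xbs.mtree.com/mt/dialers/fc/MultiDistFC.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{93520553-1FA2-4DC7-8F91-B8F05E4AA644}: NameServer = 200.33.148.201,200.33.148.193
"""

# Line shapes below are inferred from the v1.97.7 log above (assumption, not a published spec).
CLSID = r"\{[0-9A-Fa-f-]{36}\}"
RE_O2O3 = re.compile(r"^(O[23]) - (BHO|Toolbar): (.*?) - (" + CLSID + r") - (.*)$")
RE_O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.*?)\] (.*)$")
RE_O4_STARTUP = re.compile(r"^O4 - ((?:Global )?Startup): (.*?) = (.*)$")
RE_O16 = re.compile(r"^O16 - DPF: (" + CLSID + r")(?: \((.*?)\))? - (\S+)$")
RE_O17 = re.compile(r"^O17 - (.*?): NameServer = (.*)$")
# First executable-looking token of a command line (handles "foo.exe /switch").
RE_EXE = re.compile(r"^(.+?\.(?:exe|dll|ocx|cab|scr))(?:\s|$)", re.IGNORECASE)


@dataclass
class Entry:
    section: str            # O2, O3, O4, O16, O17
    location: str           # hive\..\Run, startup folder, DPF, or TCP/IP interface key
    name: str               # display name or Run value name
    clsid: Optional[str]    # CLSID for BHO, toolbar and DPF entries
    target: str             # file path, command line, download URL, or nameserver list
    file_missing: bool = False


def parse_line(line: str) -> Optional[Entry]:
    """Turn one HijackThis log line into an Entry; unknown sections give None."""
    line = line.strip()
    m = RE_O2O3.match(line)
    if m:
        sec, kind, name, clsid, rest = m.groups()
        missing = rest.endswith("(file missing)")
        return Entry(sec, kind, name, clsid, rest.replace("(file missing)", "").strip(), missing)
    m = RE_O4_RUN.match(line)
    if m:
        hive, name, cmd = m.groups()
        return Entry("O4", hive + r"\..\Run", name, None, cmd)
    m = RE_O4_STARTUP.match(line)
    if m:
        folder, link, path = m.groups()
        return Entry("O4", folder, link, None, path)
    m = RE_O16.match(line)
    if m:
        clsid, name, url = m.groups()
        return Entry("O16", "DPF", name or "(no name)", clsid, url)
    m = RE_O17.match(line)
    if m:
        key, servers = m.groups()
        return Entry("O17", key, "NameServer", None, servers)
    return None


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def extract_path(target: str) -> Optional[str]:
    """Pull the on-disk file out of a Run value or shortcut target, dropping switches."""
    t = target.strip()
    if t.startswith('"'):
        end = t.find('"', 1)
        return t[1:end] if end > 1 else None
    m = RE_EXE.match(t)
    return m.group(1) if m else None


def local_files(entries: List[Entry]) -> List[str]:
    """Files to remove in safe mode after the entries are fixed: skips O16 URLs, O17
    settings and anything HijackThis already reports as missing. Windows paths are
    case-insensitive, so duplicates are collapsed on a lower-cased key."""
    seen, out = set(), []
    for e in entries:
        if e.section in ("O16", "O17") or e.file_missing:
            continue
        p = extract_path(e.target)
        if p and p.lower() not in seen:
            seen.add(p.lower())
            out.append(p)
    return out


def download_hosts(entries: List[Entry]) -> List[str]:
    """Hosts that served the O16 ActiveX downloads (useful for proxy or DNS blocks)."""
    return sorted({urlparse(e.target).hostname for e in entries if e.section == "O16"})


def nameservers(entries: List[Entry]) -> List[str]:
    """DNS servers configured on each interface listed under O17."""
    return [s.strip() for e in entries if e.section == "O17" for s in e.target.split(",")]


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    print("Delete in safe mode:", *local_files(found), sep="\n  ")
    print("O16 download hosts:", download_hosts(found))
    print("O17 nameservers:", nameservers(found))
```

Feed it the lines you intend to tick rather than the whole log; the output is the file half of the checklist, and the O17 line is worth a second look on its own, since a changed nameserver survives every file deletion above.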
     
  3. DChihorn

    DChihorn Registered Member

    Joined:
    May 27, 2004
    Posts:
    2
    Thanks for the help. Sorry about that (running HijackThis straight from the zip); I am not actually in front of the machine. I had sent it to the user and had him do the scan and send me the log.

    Also thanks for the links, I will go look at them.

    Jason
     