my hijack this log file

Discussion in 'adware, spyware & hijack cleaning' started by Erik Ayala, Apr 6, 2004.

Thread Status:
Not open for further replies.
  1. Erik Ayala

    Erik Ayala Guest

    Spybot claimed I had no problems. Ad-aware just gave me that Alexa: Possible Hijacker Attempt thing and one browser hijacker attempt that claimed I couldn't change the home page settings from the Internet Options in IE, which both Spybot and Spyware Blaster have the ability to block. I must mention however that I do have some supposed "spyware" that I have to keep, Wildtangent and I think it's the BDE Projector that is integrated into Word Perfect. I did however make sure that Wildtangent cannot download updates. Well, I'm sure a lot of this has to do with my hosts file and I'd be happy to replace it if I knew where to get a new one. I mean I don't think Windows Update has or will help. In any case, here's my log file:
    Logfile of HijackThis v1.97.7
    Scan saved at 4:48:53 AM, on 4/6/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Avast4\ashServ.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\HP\KBD\KBD.EXE
    C:\PROGRA~1\Avast4\ashDisp.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\America Online 9.0\aoltray.exe
    C:\Program Files\America Online 9.0\waol.exe
    C:\Program Files\America Online 9.0\shellmon.exe
    C:\Program Files\America Online 9.0\aolwbspd.exe
    C:\PROGRA~1\ISP50\bin\ppshared.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis1977.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://launch.yahoo.com/launchcast/station.asp?edit=1&u=1249419172
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us6.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O1 - Hosts file is located at: C:\WINDOWS\help\hosts
    O1 - Hosts: 88.88.88.88 elite
    O1 - Hosts: 207.44.220.30 www.google.akadns.net
    O1 - Hosts: 207.44.220.30 www.google.com
    O1 - Hosts: 207.44.220.30 google.com
    O1 - Hosts: 207.44.220.30 www.altavista.com
    O1 - Hosts: 207.44.220.30 altavista.com
    O1 - Hosts: 207.44.220.30 search.yahoo.com
    O1 - Hosts: 207.44.220.30 uk.search.yahoo.com
    O1 - Hosts: 207.44.220.30 ca.search.yahoo.com
    O1 - Hosts: 207.44.220.30 jp.search.yahoo.com
    O1 - Hosts: 207.44.220.30 au.search.yahoo.com
    O1 - Hosts: 207.44.220.30 de.search.yahoo.com
    O1 - Hosts: 207.44.220.30 search.yahoo.co.jp
    O1 - Hosts: 207.44.220.30 www.lycos.de
    O1 - Hosts: 207.44.220.30 www.lycos.ca
    O1 - Hosts: 207.44.220.30 www.lycos.jp
    O1 - Hosts: 207.44.220.30 www.lycos.co.jp
    O1 - Hosts: 207.44.220.30 alltheweb.com
    O1 - Hosts: 207.44.220.30 web.ask.com
    O1 - Hosts: 207.44.220.30 ask.com
    O1 - Hosts: 207.44.220.30 www.ask.com
    O1 - Hosts: 207.44.220.30 www.teoma.com
    O1 - Hosts: 207.44.220.30 search.aol.com
    O1 - Hosts: 207.44.220.30 www.looksmart.com
    O1 - Hosts: 207.44.220.30 auto.search.msn.com
    O1 - Hosts: 207.44.220.30 search.msn.com
    O1 - Hosts: 207.44.220.30 ca.search.msn.com
    O1 - Hosts: 207.44.220.30 fr.ca.search.msn.com
    O1 - Hosts: 207.44.220.30 search.fr.msn.be
    O1 - Hosts: 207.44.220.30 search.fr.msn.ch
    O1 - Hosts: 207.44.220.30 search.latam.yupimsn.com
    O1 - Hosts: 207.44.220.30 search.msn.at
    O1 - Hosts: 207.44.220.30 search.msn.be
    O1 - Hosts: 207.44.220.30 search.msn.ch
    O1 - Hosts: 207.44.220.30 search.msn.co.in
    O1 - Hosts: 207.44.220.30 search.msn.co.jp
    O1 - Hosts: 207.44.220.30 search.msn.co.kr
    O1 - Hosts: 207.44.220.30 search.msn.com.br
    O1 - Hosts: 207.44.220.30 search.msn.com.hk
    O1 - Hosts: 207.44.220.30 search.msn.com.my
    O1 - Hosts: 207.44.220.30 search.msn.com.sg
    O1 - Hosts: 207.44.220.30 search.msn.com.tw
    O1 - Hosts: 207.44.220.30 search.msn.co.za
    O1 - Hosts: 207.44.220.30 search.msn.de
    O1 - Hosts: 207.44.220.30 search.msn.dk
    O1 - Hosts: 207.44.220.30 search.msn.es
    O1 - Hosts: 207.44.220.30 search.msn.fi
    O1 - Hosts: 207.44.220.30 search.msn.fr
    O1 - Hosts: 207.44.220.30 search.msn.it
    O1 - Hosts: 207.44.220.30 search.msn.nl
    O1 - Hosts: 207.44.220.30 search.msn.no
    O1 - Hosts: 207.44.220.30 search.msn.se
    O1 - Hosts: 207.44.220.30 search.ninemsn.com.au
    O1 - Hosts: 207.44.220.30 search.t1msn.com.mx
    O1 - Hosts: 207.44.220.30 search.xtramsn.co.nz
    O1 - Hosts: 207.44.220.30 search.yupimsn.com
    O1 - Hosts: 207.44.220.30 uk.search.msn.com
    O1 - Hosts: 207.44.220.30 search.lycos.com
    O1 - Hosts: 207.44.220.30 www.lycos.com
    O1 - Hosts: 207.44.220.30 www.google.ca
    O1 - Hosts: 207.44.220.30 google.ca
    O1 - Hosts: 207.44.220.30 www.google.uk
    O1 - Hosts: 207.44.220.30 www.google.co.uk
    O1 - Hosts: 207.44.220.30 www.google.com.au
    O1 - Hosts: 207.44.220.30 www.google.co.jp
    O1 - Hosts: 207.44.220.30 www.google.jp
    O1 - Hosts: 207.44.220.30 www.google.at
    O1 - Hosts: 207.44.220.30 www.google.be
    O1 - Hosts: 207.44.220.30 www.google.ch
    O1 - Hosts: 207.44.220.30 www.google.de
    O1 - Hosts: 207.44.220.30 www.google.se
    O1 - Hosts: 207.44.220.30 www.google.dk
    O1 - Hosts: 207.44.220.30 www.google.fi
    O1 - Hosts: 207.44.220.30 www.google.fr
    O1 - Hosts: 207.44.220.30 www.google.com.gr
    O1 - Hosts: 207.44.220.30 www.google.com.hk
    O1 - Hosts: 207.44.220.30 www.google.ie
    O1 - Hosts: 207.44.220.30 www.google.co.il
    O1 - Hosts: 207.44.220.30 www.google.it
    O1 - Hosts: 207.44.220.30 www.google.co.kr
    O1 - Hosts: 207.44.220.30 www.google.com.mx
    O1 - Hosts: 207.44.220.30 www.google.nl
    O1 - Hosts: 207.44.220.30 www.google.co.nz
    O1 - Hosts: 207.44.220.30 www.google.pl
    O1 - Hosts: 207.44.220.30 www.google.pt
    O1 - Hosts: 207.44.220.30 www.google.com.ru
    O1 - Hosts: 207.44.220.30 www.google.com.sg
    O1 - Hosts: 207.44.220.30 www.google.co.th
    O1 - Hosts: 207.44.220.30 www.google.com.tr
    O1 - Hosts: 207.44.220.30 www.google.com.tw
    O1 - Hosts: 207.44.220.30 go.google.com
    O1 - Hosts: 207.44.220.30 google.at
    O1 - Hosts: 207.44.220.30 google.be
    O1 - Hosts: 207.44.220.30 google.de
    O1 - Hosts: 207.44.220.30 google.dk
    O1 - Hosts: 207.44.220.30 google.fi
    O1 - Hosts: 207.44.220.30 google.fr
    O1 - Hosts: 207.44.220.30 google.com.hk
    O1 - Hosts: 207.44.220.30 google.ie
    O1 - Hosts: 207.44.220.30 google.co.il
    O1 - Hosts: 207.44.220.30 google.it
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {3DE88907-3E38-11D4-BEB2-CBE76C0598DD} - C:\Program Files\ISP50\bin\BandObject.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O16 - DPF: {0DC0D258-FC70-456F-8F79-83D7DC20F0AC} (MPChWrapper.Util) - http://instantsupport.hp.com/update/030227/MPChWrapper.CAB
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://www.songplayer.com/plugins/iftwclix.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37862.9858796296
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\windows: NameServer = 216.127.92.38
    O17 - HKLM\System\CCS\Services\Tcpip\..\{65F3E823-5FC8-4755-BE73-31BF9D040487}: NameServer = 216.127.92.38
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7FC7CAD8-38CC-46FB-9BA6-A61FEB218AC2}: NameServer = 198.81.18.4
    O17 - HKLM\System\CS1\Services\VxD\MSTCP: Domain = mydomain.com
    O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 216.127.92.38
    O17 - HKLM\System\CS1\Services\Tcpip\..\windows: NameServer = 216.127.92.38
    O17 - HKLM\System\CS2\Services\VxD\MSTCP: Domain = mydomain.com
    O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 216.127.92.38
    O17 - HKLM\System\CS2\Services\Tcpip\..\windows: NameServer = 216.127.92.38
    O17 - HKLM\System\CS3\Services\VxD\MSTCP: Domain = mydomain.com
    O17 - HKLM\System\CS3\Services\VxD\MSTCP: NameServer = 216.127.92.38
    O17 - HKLM\System\CS3\Services\Tcpip\..\windows: NameServer = 216.127.92.38
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.127.92.38
     
  2. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi Erik :)

    Yea you are right,

    Just fix this entry with HijackThis :

    O1 - Hosts file is located at: C:\WINDOWS\help\hosts

    Also fix :

    NOTE : do NOT fix this one : O17 - HKLM\System\CCS\Services\Tcpip\..\{7FC7CAD8-38CC-46FB-9BA6-A61FEB218AC2}: NameServer = 198.81.18.4

    These can go :

    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\windows: NameServer = 216.127.92.38
    O17 - HKLM\System\CCS\Services\Tcpip\..\{65F3E823-5FC8-4755-BE73-31BF9D040487}: NameServer = 216.127.92.38
    O17 - HKLM\System\CS1\Services\VxD\MSTCP: Domain = mydomain.com
    O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 216.127.92.38
    O17 - HKLM\System\CS1\Services\Tcpip\..\windows: NameServer = 216.127.92.38
    O17 - HKLM\System\CS2\Services\VxD\MSTCP: Domain = mydomain.com
    O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 216.127.92.38
    O17 - HKLM\System\CS2\Services\Tcpip\..\windows: NameServer = 216.127.92.38
    O17 - HKLM\System\CS3\Services\VxD\MSTCP: Domain = mydomain.com
    O17 - HKLM\System\CS3\Services\VxD\MSTCP: NameServer = 216.127.92.38
    O17 - HKLM\System\CS3\Services\Tcpip\..\windows: NameServer = 216.127.92.38
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.127.92.38

    Restart the PC after doing so and check if all is well again

    Cheers,
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    I love it when a plan comes together.

    Follow Unzy's excellent instructions and you can also fix this one:
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    Regards,

    Pieter
     
    Last edited by a moderator: Apr 14, 2004
  4. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    lol!

    Nice one Pietz :)
     
  5. Erik Ayala

    Erik Ayala Guest

    oops!

    Sorry guys, but it seems that old link to my hijackthis log help is no longer valid, so the only thing I can think of doing while making sure you have my information is posting this again. I apologize. I know it makes for a big thread.

    Logfile of HijackThis v1.97.7
    Scan saved at 10:45:28 PM, on 4/11/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Avast4\ashServ.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\HP\KBD\KBD.EXE
    C:\PROGRA~1\Avast4\ashDisp.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\America Online 9.0\aoltray.exe
    C:\Program Files\America Online 9.0\waol.exe
    C:\Program Files\America Online 9.0\shellmon.exe
    C:\Program Files\America Online 9.0\aolwbspd.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\ISP50\bin\ppshared.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 7 for hijackthis1977.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://launch.yahoo.com/launchcast/station.asp?edit=1&u=1249419172
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us6.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O1 - Hosts file is located at: C:\WINDOWS\help\hosts
    O1 - Hosts: 88.88.88.88 elite
    O1 - Hosts: 207.44.220.30 www.google.akadns.net
    O1 - Hosts: 207.44.220.30 www.google.com
    O1 - Hosts: 207.44.220.30 google.com
    O1 - Hosts: 207.44.220.30 www.altavista.com
    O1 - Hosts: 207.44.220.30 altavista.com
    O1 - Hosts: 207.44.220.30 search.yahoo.com
    O1 - Hosts: 207.44.220.30 uk.search.yahoo.com
    O1 - Hosts: 207.44.220.30 ca.search.yahoo.com
    O1 - Hosts: 207.44.220.30 jp.search.yahoo.com
    O1 - Hosts: 207.44.220.30 au.search.yahoo.com
    O1 - Hosts: 207.44.220.30 de.search.yahoo.com
    O1 - Hosts: 207.44.220.30 search.yahoo.co.jp
    O1 - Hosts: 207.44.220.30 www.lycos.de
    O1 - Hosts: 207.44.220.30 www.lycos.ca
    O1 - Hosts: 207.44.220.30 www.lycos.jp
    O1 - Hosts: 207.44.220.30 www.lycos.co.jp
    O1 - Hosts: 207.44.220.30 alltheweb.com
    O1 - Hosts: 207.44.220.30 web.ask.com
    O1 - Hosts: 207.44.220.30 ask.com
    O1 - Hosts: 207.44.220.30 www.ask.com
    O1 - Hosts: 207.44.220.30 www.teoma.com
    O1 - Hosts: 207.44.220.30 search.aol.com
    O1 - Hosts: 207.44.220.30 www.looksmart.com
    O1 - Hosts: 207.44.220.30 auto.search.msn.com
    O1 - Hosts: 207.44.220.30 search.msn.com
    O1 - Hosts: 207.44.220.30 ca.search.msn.com
    O1 - Hosts: 207.44.220.30 fr.ca.search.msn.com
    O1 - Hosts: 207.44.220.30 search.fr.msn.be
    O1 - Hosts: 207.44.220.30 search.fr.msn.ch
    O1 - Hosts: 207.44.220.30 search.latam.yupimsn.com
    O1 - Hosts: 207.44.220.30 search.msn.at
    O1 - Hosts: 207.44.220.30 search.msn.be
    O1 - Hosts: 207.44.220.30 search.msn.ch
    O1 - Hosts: 207.44.220.30 search.msn.co.in
    O1 - Hosts: 207.44.220.30 search.msn.co.jp
    O1 - Hosts: 207.44.220.30 search.msn.co.kr
    O1 - Hosts: 207.44.220.30 search.msn.com.br
    O1 - Hosts: 207.44.220.30 search.msn.com.hk
    O1 - Hosts: 207.44.220.30 search.msn.com.my
    O1 - Hosts: 207.44.220.30 search.msn.com.sg
    O1 - Hosts: 207.44.220.30 search.msn.com.tw
    O1 - Hosts: 207.44.220.30 search.msn.co.za
    O1 - Hosts: 207.44.220.30 search.msn.de
    O1 - Hosts: 207.44.220.30 search.msn.dk
    O1 - Hosts: 207.44.220.30 search.msn.es
    O1 - Hosts: 207.44.220.30 search.msn.fi
    O1 - Hosts: 207.44.220.30 search.msn.fr
    O1 - Hosts: 207.44.220.30 search.msn.it
    O1 - Hosts: 207.44.220.30 search.msn.nl
    O1 - Hosts: 207.44.220.30 search.msn.no
    O1 - Hosts: 207.44.220.30 search.msn.se
    O1 - Hosts: 207.44.220.30 search.ninemsn.com.au
    O1 - Hosts: 207.44.220.30 search.t1msn.com.mx
    O1 - Hosts: 207.44.220.30 search.xtramsn.co.nz
    O1 - Hosts: 207.44.220.30 search.yupimsn.com
    O1 - Hosts: 207.44.220.30 uk.search.msn.com
    O1 - Hosts: 207.44.220.30 search.lycos.com
    O1 - Hosts: 207.44.220.30 www.lycos.com
    O1 - Hosts: 207.44.220.30 www.google.ca
    O1 - Hosts: 207.44.220.30 google.ca
    O1 - Hosts: 207.44.220.30 www.google.uk
    O1 - Hosts: 207.44.220.30 www.google.co.uk
    O1 - Hosts: 207.44.220.30 www.google.com.au
    O1 - Hosts: 207.44.220.30 www.google.co.jp
    O1 - Hosts: 207.44.220.30 www.google.jp
    O1 - Hosts: 207.44.220.30 www.google.at
    O1 - Hosts: 207.44.220.30 www.google.be
    O1 - Hosts: 207.44.220.30 www.google.ch
    O1 - Hosts: 207.44.220.30 www.google.de
    O1 - Hosts: 207.44.220.30 www.google.se
    O1 - Hosts: 207.44.220.30 www.google.dk
    O1 - Hosts: 207.44.220.30 www.google.fi
    O1 - Hosts: 207.44.220.30 www.google.fr
    O1 - Hosts: 207.44.220.30 www.google.com.gr
    O1 - Hosts: 207.44.220.30 www.google.com.hk
    O1 - Hosts: 207.44.220.30 www.google.ie
    O1 - Hosts: 207.44.220.30 www.google.co.il
    O1 - Hosts: 207.44.220.30 www.google.it
    O1 - Hosts: 207.44.220.30 www.google.co.kr
    O1 - Hosts: 207.44.220.30 www.google.com.mx
    O1 - Hosts: 207.44.220.30 www.google.nl
    O1 - Hosts: 207.44.220.30 www.google.co.nz
    O1 - Hosts: 207.44.220.30 www.google.pl
    O1 - Hosts: 207.44.220.30 www.google.pt
    O1 - Hosts: 207.44.220.30 www.google.com.ru
    O1 - Hosts: 207.44.220.30 www.google.com.sg
    O1 - Hosts: 207.44.220.30 www.google.co.th
    O1 - Hosts: 207.44.220.30 www.google.com.tr
    O1 - Hosts: 207.44.220.30 www.google.com.tw
    O1 - Hosts: 207.44.220.30 go.google.com
    O1 - Hosts: 207.44.220.30 google.at
    O1 - Hosts: 207.44.220.30 google.be
    O1 - Hosts: 207.44.220.30 google.de
    O1 - Hosts: 207.44.220.30 google.dk
    O1 - Hosts: 207.44.220.30 google.fi
    O1 - Hosts: 207.44.220.30 google.fr
    O1 - Hosts: 207.44.220.30 google.com.hk
    O1 - Hosts: 207.44.220.30 google.ie
    O1 - Hosts: 207.44.220.30 google.co.il
    O1 - Hosts: 207.44.220.30 google.it
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {3DE88907-3E38-11D4-BEB2-CBE76C0598DD} - C:\Program Files\ISP50\bin\BandObject.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O16 - DPF: {0DC0D258-FC70-456F-8F79-83D7DC20F0AC} (MPChWrapper.Util) - http://instantsupport.hp.com/update/030227/MPChWrapper.CAB
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://www.songplayer.com/plugins/iftwclix.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37862.9858796296
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\windows: NameServer = 216.127.92.38
    O17 - HKLM\System\CCS\Services\Tcpip\..\{65F3E823-5FC8-4755-BE73-31BF9D040487}: NameServer = 216.127.92.38
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7FC7CAD8-38CC-46FB-9BA6-A61FEB218AC2}: NameServer = 198.81.19.4
    O17 - HKLM\System\CS1\Services\VxD\MSTCP: Domain = mydomain.com
    O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 216.127.92.38
    O17 - HKLM\System\CS1\Services\Tcpip\..\windows: NameServer = 216.127.92.38
    O17 - HKLM\System\CS2\Services\VxD\MSTCP: Domain = mydomain.com
    O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 216.127.92.38
    O17 - HKLM\System\CS2\Services\Tcpip\..\windows: NameServer = 216.127.92.38
    O17 - HKLM\System\CS3\Services\VxD\MSTCP: Domain = mydomain.com
    O17 - HKLM\System\CS3\Services\VxD\MSTCP: NameServer = 216.127.92.38
    O17 - HKLM\System\CS3\Services\Tcpip\..\windows: NameServer = 216.127.92.38
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.127.92.38
     
  6. dangitall

    dangitall Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    430
    Location:
    New Hamster, USA
    Re: oops!

    Sorry, Erik but, if you're looking for help with HJT, you're in the wrong forum. Oops, indeed! ;)
     
  7. Erik Ayala

    Erik Ayala Guest

    Re: oops!

    lol Well can someone please provide me a fresh link? I have no idea where to look for it and I already tried the search option with no luck.
     
  8. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Re: oops!

    Moved ya in here; you'll have much better luck here :ninja:
     
  9. Erik Ayala

    Erik Ayala Guest

    Thanks guys. But what about those hijacked domains listed under O1? All the google and search sites? Then there's that weird one... 88.88.88.88 elite. o_O
     
  10. Erik Ayala

    Erik Ayala Guest

    Thank you guys so much! My search sites work again!! Can you tell me what to do with my hosts file? It's obviously not in use anymore, but it's still there; can I delete it, no problem? Well, I still have a problem with my "mainautomation server..." message in SB; this time I'll go to the appropriate forum. :)
     
  11. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Erik, I have merged your two threads together.

    Regards,

    snap
     
  12. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Erik,

    If you have followed Unzy's instructions, could you please post a new HijackThis log so we can see where you are at. :)

    Thank you,

    snap
     
  13. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Re: oops!

    Erik

    Run HijackThis, tick the entries listed below and ONLY these entries, double-check to make sure, then make sure all browser & email windows are closed and press Fix checked

    ALL O1 entries

    All O17 entries except O17 - HKLM\System\CCS\Services\Tcpip\..\{7FC7CAD8-38CC-46FB-9BA6-A61FEB218AC2}: NameServer = 198.81.19.4

    then reboot & post a new log
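    A reviewer's version of the O1/O17 triage that Unzy and dvk01 did by hand above, as an added example (Python written for this page, not code from the thread or from HijackThis): it parses only the O1 and O17 lines of a log, leaves 127.0.0.1/0.0.0.0 hosts mappings alone, and flags a relocated hosts file, every third-party name redirected elsewhere, and every nameserver outside an allow-list the reviewer supplies. The sample log excerpt, the 127.0.0.1 ad-block line and the 198.81.0.0/16 allow-list are constructed for the example.

```python
"""Triage the O1 (hosts file) and O17 (DNS) lines of a HijackThis 1.97-style log.

Added example, not part of the thread or of HijackThis itself.  Rules applied:
  * "O1 - Hosts file is located at:" anywhere other than the default
    %SystemRoot%\\system32\\drivers\\etc\\hosts is flagged (the log above
    shows C:\\WINDOWS\\help\\hosts).
  * "O1 - Hosts:" entries pointing a name at 127.0.0.1 / 0.0.0.0 / ::1 are
    ordinary ad-blocking and are left alone; any other target address
    redirects that site and is flagged as a hijack indicator.
  * "O17" Domain entries are always flagged; NameServer entries are flagged
    unless every address lies in a network on the reviewer's allow-list.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass, field

DEFAULT_HOSTS_SUFFIX = r"\system32\drivers\etc\hosts"
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}   # normal ad-block mappings

RE_O1_PATH = re.compile(r"^O1 - Hosts file is located at: (?P<path>.+?)\s*$")
RE_O1_HOST = re.compile(r"^O1 - Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")
RE_O17 = re.compile(r"^O17 - (?P<key>.+?): (?P<name>NameServer|Domain) = (?P<value>.+?)\s*$")

# Constructed allow-list for this example: the reviewer fills in whatever
# their ISP's resolvers look like.  The thread kept the one 198.81.x.x entry.
TRUSTED_DNS = [ipaddress.ip_network("198.81.0.0/16")]


@dataclass
class Finding:
    line: str          # the log line exactly as HijackThis printed it
    reason: str        # why a reviewer would tick it before "Fix checked"


@dataclass
class Triage:
    hosts_path: str = ""
    redirects: dict = field(default_factory=lambda: defaultdict(list))  # ip -> [hostnames]
    findings: list = field(default_factory=list)

    def ticked_lines(self):
        return [f.line for f in self.findings]


def _is_valid_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def _nameserver_trusted(value, trusted_networks):
    """True only if every listed server is a valid IP inside a trusted network."""
    servers = [s for s in re.split(r"[,\s]+", value) if s]
    if not servers:
        return False
    for server in servers:
        if not _is_valid_ip(server):
            return False
        addr = ipaddress.ip_address(server)
        if not any(addr in net for net in trusted_networks):
            return False
    return True


def triage_hjt_log(log_text, trusted_networks):
    """Return a Triage for the O1/O17 lines; all other line types are ignored."""
    result = Triage()
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RE_O1_PATH.match(line)
        if m:
            result.hosts_path = m["path"]
            if not m["path"].lower().endswith(DEFAULT_HOSTS_SUFFIX):
                result.findings.append(Finding(line, f"hosts file relocated to {m['path']}"))
            continue
        m = RE_O1_HOST.match(line)
        if m:
            ip, host = m["ip"], m["host"].lower()
            if ip in SINKHOLE_ADDRESSES:
                continue                          # blocking entry, leave alone
            if not _is_valid_ip(ip):
                result.findings.append(Finding(line, "malformed hosts entry"))
                continue
            result.redirects[ip].append(host)
            result.findings.append(Finding(line, f"{host} redirected to {ip}"))
            continue
        m = RE_O17.match(line)
        if m:
            if m["name"] == "NameServer" and _nameserver_trusted(m["value"], trusted_networks):
                continue
            result.findings.append(Finding(line, f"unexpected {m['name']} = {m['value']}"))
    return result


# Constructed excerpt in the format of the logs posted above; the 127.0.0.1
# line is added to show that a blocking entry is not ticked.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us6.hpwis.com/
O1 - Hosts file is located at: C:\WINDOWS\help\hosts
O1 - Hosts: 88.88.88.88 elite
O1 - Hosts: 207.44.220.30 www.google.com
O1 - Hosts: 207.44.220.30 google.com
O1 - Hosts: 207.44.220.30 search.msn.com
O1 - Hosts: 127.0.0.1 ads.example.invalid
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CCS\Services\Tcpip\..\windows: NameServer = 216.127.92.38
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FC7CAD8-38CC-46FB-9BA6-A61FEB218AC2}: NameServer = 198.81.19.4
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 216.127.92.38
"""

if __name__ == "__main__":
    report = triage_hjt_log(SAMPLE_LOG, TRUSTED_DNS)
    print("hosts file:", report.hosts_path)
    for ip, hosts in report.redirects.items():
        print(f"{ip} receives {len(hosts)} hostname(s): {', '.join(hosts)}")
    for f in report.findings:
        print("TICK:", f.line, "#", f.reason)
```

Grouping the redirected names by target address is what makes a bulk search-engine hijack like the one above stand out: one address receiving dozens of unrelated search domains is the signal, not any single line.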
     
  14. Erik Ayala

    Erik Ayala Guest

    I must again express my gratitude for the help. Question.... Should I start a new thread for the new log?
     
  15. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi, Erik Ayala

    You should keep it in this thread.

    TheQuest :cool:
     
  16. Erik Ayala

    Erik Ayala Guest

    Thank you for the info. Here it is.

    Logfile of HijackThis v1.97.7
    Scan saved at 6:58:22 PM, on 4/14/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Avast4\ashServ.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\HP\KBD\KBD.EXE
    C:\PROGRA~1\Avast4\ashDisp.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\America Online 9.0\aoltray.exe
    C:\Program Files\America Online 9.0\waol.exe
    C:\Program Files\America Online 9.0\shellmon.exe
    C:\Program Files\America Online 9.0\aolwbspd.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\ISP50\bin\ppshared.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 11 for hijackthis1977.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://launch.yahoo.com/launchcast/station.asp?edit=1&u=1249419172
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us6.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {3DE88907-3E38-11D4-BEB2-CBE76C0598DD} - C:\Program Files\ISP50\bin\BandObject.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O16 - DPF: {0DC0D258-FC70-456F-8F79-83D7DC20F0AC} (MPChWrapper.Util) - http://instantsupport.hp.com/update/030227/MPChWrapper.CAB
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://www.songplayer.com/plugins/iftwclix.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37862.9858796296
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7FC7CAD8-38CC-46FB-9BA6-A61FEB218AC2}: NameServer = 198.81.19.134
     
  17. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I can't see anything bad now.

    Have all the problems gone away?
     
  18. Erik Ayala

    Erik Ayala Guest

    Well, my only problem with the internet is that error message I get with that certain CLSID in Spyware Blaster [Internet Explorer Exploit (2)]. Would that be a problem worth discussing here?
     
  19. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi mikebl,

    I am splitting your problem off from this thread to a thread of its own. It gets confusing when there is more than one problem being worked on in a single thread. Your post is now located HERE.

    Regards,
    Kent
     
  20. Erik Ayala

    Erik Ayala Guest

    I want to say how grateful I am for the help at the forum and, I know it's not necessary, but I'd like to know if I can donate to the site and if so, where?
     
  21. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands