Please help with Hijack this log>>>>>>

Discussion in 'adware, spyware & hijack cleaning' started by vlachtj, May 24, 2004.

Thread Status:
Not open for further replies.
  1. vlachtj

    vlachtj Registered Member

    Joined:
    May 19, 2004
    Posts:
    4
    My browser has been hijacked. I just ran the most current versions of CWShredder, Ad-Aware, Spybot. This is my last resort. Please help.


    Logfile of HijackThis v1.97.7
    Scan saved at 11:07:49 AM, on 5/24/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINNT\system32\LEXPPS.EXE
    C:\WINNT\System32\drivers\CDAC11BA.EXE
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINNT\System32\NMSSvc.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINNT\wanmpsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\System32\SK9910DM.EXE
    C:\WINNT\GWMDMMSG.exe
    C:\WINNT\System32\PROMon.exe
    C:\WINNT\System32\CTHELPER.EXE
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
    C:\WINNT\System32\svcc.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\America Online 9.0\aoltray.exe
    C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe
    C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINNT\System32\wuauclt.exe
    C:\Program Files\America Online 9.0\waol.exe
    C:\Program Files\America Online 9.0\shellmon.exe
    C:\Program Files\America Online 9.0\aolwbspd.exe
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://world-search.biz/
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
    O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
    O4 - HKLM\..\Run: [ControlPanel] C:\WINNT\System32\svcc.exe internat.dll,LoadKeyboardProfile
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O13 - DefaultPrefix: http://world-search.biz/search.php?url=
    O13 - WWW Prefix: http://world-search.biz/search.php?url=
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.cox.net/rsuite/sdccommon/download/tgctlcm.cab
    O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} - http://aol.ea.com/downloads/games/common/snoopy/iesnoopy.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/abarth/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38112.6486574074
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7D65A949-B46D-48C5-A800-B2CA70061BFF}: NameServer = 205.188.146.146
     
  2. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi vlachtj

    Can you download and run :

    http://www.zerosrealm.com/downloads/pv.zip

    Unzip to folder of choice (desktop, my documents, whatever)

    Make sure you are online and have at least one browser window open (like startpage or so)

    Open runme.bat and choose option 1

    A txt log will open up. Post the complete log here

    Thnx

    Cheers,
     
  3. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    Use Taskmanager (Ctrl-Alt-Del) to end these running processes if you can
    (or use Process Explorer)
    C:\WINNT\System32\svcc.exe

    Turn off System Restore http://www.trendmicro.com/en/security/advisories/win_me_clean.htm


    Run HijackThis again, push Scan and place a check mark next to the following items using your mouse.
    Next, close all browser Windows, and push the 'Fix checked' button in HijackThis

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://world-search.biz/
    O4 - HKLM\..\Run: [ControlPanel] C:\WINNT\System32\svcc.exe internat.dll,LoadKeyboardProfile
    O4 - Startup: PowerReg Scheduler.exe
    O13 - DefaultPrefix: http://world-search.biz/search.php?url=
    O13 - WWW Prefix: http://world-search.biz/search.php?url=


    Reboot and delete the C:\WINNT\System32\svcc.exe file

    Turn system restore back on now if you think you are clean


    ------ some info
    http://sarc.com/avcenter/venc/data/adware.worldsearch.html

    ------edit - I see you have to be quick around here - beat to it again :D
     
  4. vlachtj

    vlachtj Registered Member

    Joined:
    May 19, 2004
    Posts:
    4
    Unzy - I tried to post the log you requested but I received this error when I submitted my reply:

    The following errors occurred when this message was submitted:
    You have included too many images in your signature or in your previous post. Please go back and correct the problem and then continue again.

    Images include use of smilies, the vB code tag and HTML <img> tags. The use of these is all subject to them being enabled by the administrator. [/I]

    I guess I will try what IMM suggested. If that doesn't work, I will post another log. Thanks for all your help! I appreciate it.
     
  5. vlachtj

    vlachtj Registered Member

    Joined:
    May 19, 2004
    Posts:
    4
    IMM,

    Thanks for your work on this!!! It has been removed!!!

    You & Unzy have been very helpful. Thank you very much,

    vlachtj
     
Thread Status:
Not open for further replies.