This is what I get from my hijackthis.log

Discussion in 'adware, spyware & hijack cleaning' started by raxvoc, May 10, 2004.

Thread Status:
Not open for further replies.
  1. raxvoc

    raxvoc Registered Member

    Joined:
    May 10, 2004
    Posts:
    1
    Hope someone can help identify the anomaly. Thanks!!
    This is a great site!! Didn't know such a thing exists!!

    Logfile of HijackThis v1.97.7
    Scan saved at 5:13:14 PM, on 5/10/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\System32\STDSB.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
    C:\PROGRA~1\PHONEM~1\dartjoy.exe
    C:\WINDOWS\System32\wjview.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Alset\HelpExpress\Admin\HXIUL.EXE
    C:\Program Files\Alset\HelpExpress\Admin\Client\HelpExp.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\emsw.exe
    C:\Program Files\couponsandoffers\couponsandoffers.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Yahoo!\Messenger\ypager.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\Admin\Local Settings\Temp\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchexe.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchexe.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchexe.com/passthrough/index.html?http://biz.thestar.com.my/marketwatch/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchexe.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchexe.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchexe.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchexe.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {650BDB9C-CF84-DD69-AAF6-65CE655CB2B4} - C:\PROGRA~1\FOUREX~1\Boreeach.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Logo okay platform - {FDAF7992-4E36-BE30-65B0-81A562E3A82F} - C:\PROGRA~1\FOUREX~1\Boreeach.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [STDSB] C:\WINDOWS\System32\STDSB.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
    O4 - HKLM\..\Run: [once atom] C:\PROGRA~1\PHONEM~1\dartjoy.exe
    O4 - HKLM\..\Run: [winactive] C:\Program Files\Window Active\winactive.exe
    O4 - HKLM\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
    O4 - HKLM\..\Run: [couponsandoffers] wjview /cp:p "C:\Program Files\couponsandoffers\System\Code" Main lp: "C:\Program Files\couponsandoffers"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\Admin\HXIUL.EXE
    O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\Admin\Client\HelpExp.exe
    O4 - HKCU\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://www.lyricspy.com/mp3_plugin.exe
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi raxvoc,

    Before you start, please unzip HijackThis to a separate folder. The program makes its backups in the folder it's in,
    and these easily get lost in a Temp folder.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchexe.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchexe.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchexe.com/passthrough/index.html?http://biz.thestar.com.my/marketwatch/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchexe.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchexe.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchexe.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchexe.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com

    O2 - BHO: (no name) - {650BDB9C-CF84-DD69-AAF6-65CE655CB2B4} - C:\PROGRA~1\FOUREX~1\Boreeach.dll

    O3 - Toolbar: Logo okay platform - {FDAF7992-4E36-BE30-65B0-81A562E3A82F} - C:\PROGRA~1\FOUREX~1\Boreeach.dll

    O4 - HKLM\..\Run: [once atom] C:\PROGRA~1\PHONEM~1\dartjoy.exe
    O4 - HKLM\..\Run: [winactive] C:\Program Files\Window Active\winactive.exe
    O4 - HKLM\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
    O4 - HKLM\..\Run: [couponsandoffers] wjview /cp:p "C:\Program Files\couponsandoffers\System\Code" Main lp: "C:\Program Files\couponsandoffers"

    O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\Admin\HXIUL.EXE
    O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\Admin\Client\HelpExp.exe
    O4 - HKCU\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe

    O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm

    O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://www.lyricspy.com/mp3_plugin.exe

    Then reboot into safe mode and delete:
    C:\Program Files\Alset\HelpExpress <= entire folder
    C:\WINDOWS\emsw.exe
    C:\Program Files\Window Active <= entire folder
    C:\Program Files\FOUREX~1 <= entire folder that holds Boreeach.dll
    C:\Program Files\couponsandoffers <= entire folder
    C:\Program Files\PHONEM~1 <= entire folder that holds dartjoy.exe

    Regards,

    Pieter
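The log in the first post and the fix/delete list in the reply follow a fixed pattern: each HijackThis line names a hook point (R = IE start/search pages, O2/O3 = BHOs and toolbars, O4 = Run keys, O8 = context-menu items, O16 = Downloaded Program Files), and the cleanup is "fix the entry, then remove the folder it points at in safe mode". The script below is an added example for this thread, not HijackThis code and not from either poster. It parses a constructed sample in the v1.97 log format (built from the kinds of entries shown above, not the full log), applies a few constructed triage heuristics of the sort the reply relied on (an .exe autostarting from the Windows root, the same executable in both HKLM and HKCU Run, one DLL registered as both BHO and toolbar, a file:// context-menu script, a DPF entry fetching a bare .exe, a start page on a host outside a `KNOWN_HOSTS` allowlist), and derives the folders a cleaner would delete. `KNOWN_HOSTS`, `LOADERS` and the heuristics are assumptions for illustration and give hints, not verdicts.

```python
"""Triage helper for HijackThis-style logs. Added example for this thread; not
HijackThis code and not either poster's. The heuristics are constructed to
mirror what the reply singled out and are hints for a human, not verdicts:
SOUNDMAN.EXE also starts from the Windows folder, and Adobe's BHO is unnamed."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in HijackThis v1.97 format, built from the kinds of entries
# in the log above. It is not the complete log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchexe.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {650BDB9C-CF84-DD69-AAF6-65CE655CB2B4} - C:\PROGRA~1\FOUREX~1\Boreeach.dll
O3 - Toolbar: Logo okay platform - {FDAF7992-4E36-BE30-65B0-81A562E3A82F} - C:\PROGRA~1\FOUREX~1\Boreeach.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
O4 - HKCU\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
O4 - HKLM\..\Run: [couponsandoffers] wjview /cp:p "C:\Program Files\couponsandoffers\System\Code" Main lp: "C:\Program Files\couponsandoffers"
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://www.lyricspy.com/mp3_plugin.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Assumption: hosts the user recognises as their own start/search pages.
KNOWN_HOSTS = {"www.yahoo.com", "my.yahoo.com", "red.clientapps.yahoo.com",
               "www.microsoft.com", "www.msn.com"}
# Assumption: command-line loaders that execute code kept somewhere else.
LOADERS = {"wjview", "jview", "wjview.exe", "jview.exe"}

LINE_RE = re.compile(r"^(?P<sec>R[0-3]|O\d+) - (?P<body>.*)$")
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.exe)"?(?:\s|$)', re.IGNORECASE)
WINROOT_RE = re.compile(r"c:\\windows\\[^\\]+\.exe")


def parse(log_text):
    """Yield (section, body) for every R*/O* entry line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("sec"), m.group("body")


def run_target(body):
    """Split an O4 body of the form 'HIVE ... [name] command' into
    (hive, command, target); target is the .exe path when one is visible,
    otherwise the first token of the command (e.g. a loader name)."""
    hive, rest = body.split("\\", 1)[0], body.split("] ", 1)[1]
    m = EXE_RE.match(rest)
    return hive, rest, (m.group("path") if m else rest.split(" ", 1)[0])


def triage(log_text):
    """Return (section, reason, body, path) for entries worth a closer look."""
    findings = []
    mod_secs, run_hives, orig = defaultdict(set), defaultdict(set), {}

    for sec, body in parse(log_text):
        if sec[0] == "R":                   # IE start/search page settings
            host = urlsplit(body.split(" = ", 1)[-1]).hostname or ""
            if host not in KNOWN_HOSTS:
                findings.append((sec, f"IE start/search page on unrecognised host {host}",
                                 body, None))
        elif sec in ("O2", "O3"):           # BHOs and toolbars; one DLL in both is a tell
            path = body.rsplit(" - ", 1)[-1]
            mod_secs[path.lower()].add(sec)
            orig.setdefault(path.lower(), path)
        elif sec == "O4" and "] " in body:  # Run keys (Startup-folder .lnk lines are skipped)
            hive, cmd, target = run_target(body)
            run_hives[target.lower()].add(hive)
            orig.setdefault(target.lower(), target)
            if WINROOT_RE.fullmatch(target.lower()):
                findings.append((sec, "autorun executable sitting in the Windows root",
                                 body, target))
            if target.lower() in LOADERS:
                quoted = re.findall(r'"([^"]+)"', cmd)
                findings.append((sec, "autorun uses a loader to run code from another folder",
                                 body, quoted[0] if quoted else None))
        elif sec == "O8":                   # IE context-menu items
            target = body.rsplit(" - ", 1)[-1]
            if target.lower().startswith("file://"):
                findings.append((sec, "context menu item runs a local HTML script",
                                 body, target[len("file://"):]))
        elif sec == "O16":                  # Downloaded Program Files (ActiveX)
            target = body.rsplit(" - ", 1)[-1]
            if urlsplit(target).path.lower().endswith(".exe"):
                findings.append((sec, "DPF entry pulls a bare .exe rather than a .cab package",
                                 body, None))

    for key, secs in mod_secs.items():
        if {"O2", "O3"} <= secs:
            findings.append(("O2/O3", "same module registered as both BHO and toolbar",
                             orig[key], orig[key]))
    for key, hives in run_hives.items():
        if {"HKLM", "HKCU"} <= hives:
            findings.append(("O4", "same executable autostarts from both HKLM and HKCU",
                             orig[key], orig[key]))
    return findings


def artifacts(findings):
    """What a cleaner would remove in safe mode after fixing the entries: the
    whole top-level folder under Program Files, otherwise the file itself."""
    out = set()
    for _sec, _reason, _body, path in findings:
        if path:
            parts = path.split("\\")
            top = parts[1].lower() if len(parts) >= 3 else ""
            out.add("\\".join(parts[:3]) if top in ("program files", "progra~1") else path)
    return sorted(out)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for sec, reason, body, _ in hits:
        print(f"{sec:5} {reason}\n      {body}")
    print("\nDelete in safe mode:", *artifacts(hits), sep="\n  ")
```

Run against the constructed sample, the flagged entries are the searchexe.com search bar, the two emsw.exe Run entries (plus a separate note that the same file autostarts from both hives), the wjview loader, the file:// coupons menu item, the lyricspy .exe DPF and the Boreeach.dll BHO/toolbar pair; the AVG, Adobe, Yahoo and Flash entries are left alone, and the derived delete list is the FOUREX~1 and couponsandoffers folders plus C:\WINDOWS\emsw.exe, which matches the shape of the reply's safe-mode list. Anything the script flags still needs a human to confirm, which is exactly what the thread is for.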
     