yepp0: HijackThis Log file, need help against ware

Discussion in 'adware, spyware & hijack cleaning' started by yepp0, Apr 16, 2004.

Thread Status:
Not open for further replies.
  1. yepp0

    yepp0 Registered Member

    Joined:
    Apr 16, 2004
    Posts:
    1
    Re: HijackThis Log file, need help against ware

    I've got some adware and it really irritates me. I've scaned with hijackthis but I don't know what I should do with the results o_O . Please help...

    Logfile of HijackThis v1.95.0
    Scan saved at 13:24:37, on 16-4-2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\ATI Technologies\HydraVision\HydraMD.exe
    C:\Program Files\Medion Home CinemaXL\PowerCinema\PCMService.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
    C:\Program Files\Winamp\Winampa.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Digital Image\Monitor.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Reality Fusion\Reality Fusion GameCam SE\Program\RFTRay.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\WINDOWS\System32\mnmsrvc.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\WINDOWS\System32\dvapi32a.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\PAL SPYREM\spyrem.exe
    C:\Documents and Settings\Famlie\Local Settings\Temp\Tijdelijke map 8 voor hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://mysearchnow.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://mysearchnow.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.google.nl/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://mysearchnow.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.the-exit.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://mysearchnow.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://www.the-exit.com/search
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.hotbar.com/dyn/hotbar/3.0/sb_searchPageHome.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=http://www.the-exit.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=http://www.the-exit.com
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {5B3B5132-A150-DA8D-B028-470953F20C89} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Global Startup: Digital Image Monitor.lnk = ?
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Reality Fusion GameCam SE.lnk = ?
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37758.3172685185
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Re: HijackThis Log file, need help against ware

    Hi yepp0,

    Before you start, please download the latest version of HijackThis from here: http://www.spywareinfoforum.com/~merijn/files/HijackThis.exe and save it into a separate folder. The program will make backups in the folder in the folder it's in. These easily get lost in a Temp folder.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://mysearchnow.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://mysearchnow.com/searchbar.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://mysearchnow.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.the-exit.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://mysearchnow.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://www.the-exit.com/search
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.hotbar.com/dyn/hotbar/3.0/sb_searchPageHome.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=http://www.the-exit.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=http://www.the-exit.com
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll

    O2 - BHO: (no name) - {5B3B5132-A150-DA8D-B028-470953F20C89} - (no file)

    Download and run: http://www.spywareinfoforum.com/~merijn/files/CWShredder.exe
    Use the Fix button and follow the instructions you will receive.

    Then reboot into safe mode and delete:
    C:\PROGRAM FILES\COMET SYSTEMS <= entire folder

    After the reboot in HijackThis click Config > Misc Tools > Generate Startuplist
    This will produce a text file, please post the content.

    Regards,

    Pieter
     
    Last edited: Apr 16, 2004
Thread Status:
Not open for further replies.