Compatible Support Forums
graphnick

Please help with hijack log file......................


Can someone please tell me how to get rid of this virus I have. I have put my hijack log file in, I think I have to uncheck some stuff.

 

 

Logfile of HijackThis v1.97.7

Scan saved at 18:58:56, on 02/02/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\Explorer.exe

C:\PROGRA~1\FREESE~1\BIN\WIN2K\tidslmon.exe

C:\Program Files\Common Files\CMEII\CMESys.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\ToPicks\Bin\Idhost.exe

C:\Program Files\ClearSearch\Loader.exe

C:\Program Files\Common Files\Dpi\dpi.exe

C:\Program Files\Analog Devices\SoundMAX\SMTray.exe

C:\quicktime\quicktime pro v.6.0-full\quicktimeinstaller\qttask.exe

C:\WINDOWS\system32\pcs\pcsvc.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Common Files\GMT\GMT.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\All Users\Documents\AntiVirus\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.freeserve.com/iesearch/default.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeserve.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve

F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe

O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000240} - C:\Program Files\ClearSearch\IE_ClrSch.DLL

O2 - BHO: (no name) - {0352960F-47BE-11D5-AB93-00D0B760B4E - (no file)

O2 - BHO: (no name) - {0352960F-47BE-11D5-AB93-00D0B760B4EB} - C:\Program Files\Topicks\Bin\HtCheck2.dll

O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)

O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL

O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

O3 - Toolbar: Topicks Categories - {80E81A0E-9741-4FBC-8EE3-3B78C04ADA1D} - C:\Program Files\Topicks\Bin\TpBar.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [TIxDSL] C:\PROGRA~1\FREESE~1\BIN\WIN2K\tidslmon.exe

O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [ToPicks Starter] C:\Program Files\ToPicks\Bin\Idhost.exe

O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe

O4 - HKLM\..\Run: [belt] C:\WINDOWS\Belt.exe

O4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\quicktime\quicktime pro v.6.0-full\quicktimeinstaller\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe

O4 - HKLM\..\RunServices: [CMD] cmd32.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\NICHOL~1\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe

O4 - Global Startup: updater.lnk = C:\Program Files\Common Files\updater\wupdater.exe

O9 - Extra button: Downloads (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab

O16 - DPF: {20000273-8230-4DD4-BE4F-6889D1E74167} - http://download2.abetterinternet.com/download/cabs/FON19113/payload2.cab

O16 - DPF: {5F426A93-0821-47D2-A126-5A48A874B289} (DialerWeb Class) - http://212.145.159.194/251065/dialercab/WebRecomendada.cab

O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab

O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{0C0B2551-E17F-44FE-AA28-1F208C9F98DF}: NameServer = 195.92.195.94 195.92.195.95

O17 - HKLM\System\CS1\Services\Tcpip\..\{0C0B2551-E17F-44FE-AA28-1F208C9F98DF}: NameServer = 195.92.195.94 195.92.195.95


Unfortunately it is likely System32.exe that is the culprit.

Many viruses create a file like that because it "looks" like a system file.

 

A quick search of www.sarc.com came up with 14 viruses that created a system32.exe file.

 

Best bet is to update your antivirus, rescan your computer, note down exactly which virus you have then go to www.sarc.com and find the removal tools for that specific virus (assuming that the antivirus program can't clean it)....

 

Alternatively, if you have another machine (with a similar OS) you can go to the other machine, update the antivirus, then hook up the hard drive as a secondary drive and scan it.


Here are your problems.

 

C:\Program Files\Common Files\Dpi\dpi.exe

C:\WINDOWS\system32\pcs\pcsvc.exe

 

O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe

O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe

 

O16 - DPF: {20000273-8230-4DD4-BE4F-6889D1E74167} - http://download2.abetterinternet.com/download/cabs/FON19113/payload2.cab

O16 - DPF: {5F426A93-0821-47D2-A126-5A48A874B289} (DialerWeb Class) -

 

See http://pestpatrol.com/pestinfo/d/delfin_media_viewer.asp for information about dpi.exe and pcsvc.exe.


Can someone please tell me how to get rid of the malware, CWS hijack I have. I have put my hijack log file in, I just don't know what to do.

Today I downloaded "Hijack this", my first time, I could say I'm a starter, can somebody help me?????

 

 

Logfile of HijackThis v1.99.0

Scan saved at 5:44:39 PM, on 1/27/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\42isi6c43zthd.exe

C:\WINDOWS\System32\tibs3.exe

C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

C:\PROGRA~1\mcafee.com\agent\mcagent.exe

c:\progra~1\mcafee.com\vso\mcvsescn.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

C:\PROGRA~1\mcafee.com\mps\mscifapp.exe

C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe

C:\Program Files\BigFix\BigFix.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe

C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\DOCUME~1\Manny\LOCALS~1\Temp\Temporary Directory 1 for HijackThis[1].zip\HijackThis.exe

C:\WINDOWS\System32\webvw.exe

C:\DOCUME~1\Manny\LOCALS~1\Temp\Temporary Directory 3 for HijackThis[1].zip\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=33464

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=33464

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=33464

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=33464

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=33464

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\system32\C94DML~1.DLL (file missing)

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\42isi6c43zthd.exe

O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe

O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

O4 - HKLM\..\Run: [MP[censored]e] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding

O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe

O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe /startup

O4 - HKCU\..\Run: [webvw] C:\WINDOWS\System32\webvw.exe

O4 - HKCU\..\Run: [spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

O4 - Startup: Civilization Registration.lnk = E:\ATR1.EXE

O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: winlogin.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com

O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab

O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab

O20 - AppInit_DLLs: 9zsfbslmbgdmmt.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe

O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

O23 - Service: McAfee Personal Firewall Service - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe

O23 - Service: McAfee SpamKiller Server - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe

 

 

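As an added illustration that is not part of this thread (and not HijackThis's own logic), here is a small Python triage script for HijackThis-style log lines. It flags the things the replies above pointed at in the first log (an extra executable on the Shell= line, the dpi.exe and pcsvc.exe names, the RunServices autostart, the ActiveX download from a bare IP address) plus the populated AppInit_DLLs line from the second log. The sample log is constructed from entries quoted in this thread, and the heuristics are my assumptions about what deserves a second look, not a verdict.

```python
import re

# Constructed sample in HijackThis log format, assembled from entries quoted
# in this thread (not a real log capture).
SAMPLE_LOG = """\
F0 - system.ini: Shell=Explorer.exe C:\\WINDOWS\\System32\\System32.exe
O4 - HKLM\\..\\Run: [smapp] C:\\Program Files\\Analog Devices\\SoundMAX\\SMTray.exe
O4 - HKLM\\..\\Run: [Dpi] C:\\Program Files\\Common Files\\Dpi\\dpi.exe
O4 - HKLM\\..\\RunServices: [CMD] cmd32.exe
O16 - DPF: {5F426A93-0821-47D2-A126-5A48A874B289} (DialerWeb Class) - http://212.145.159.194/251065/dialercab/WebRecomendada.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: 9zsfbslmbgdmmt.dll
"""

# File names the replies in this thread identified as unwanted.
KNOWN_BAD = {"dpi.exe", "pcsvc.exe", "system32.exe"}

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
NAME_RE = re.compile(r"[\w~.$-]+\.(?:exe|dll)", re.I)
IPV4_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?:[/:]|$)")

def triage_line(line):
    """Return a reason string if the line trips a heuristic, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    if code in ("F0", "F2") and "Shell=" in body:
        # Only Explorer.exe belongs in the Shell= value; anything appended
        # to it is started at every logon alongside the real shell.
        tokens = body.split("Shell=", 1)[1].split()
        extra = [t for t in tokens if t.lower() != "explorer.exe"]
        if extra:
            return "extra executable in Shell= value: " + " ".join(extra)
    names = {n.lower() for n in NAME_RE.findall(body)}
    hits = sorted(names & KNOWN_BAD)
    if hits:
        return "known unwanted file: " + ", ".join(hits)
    if code == "O4" and "RunServices" in body:
        return "legacy RunServices autostart"
    if code == "O16" and IPV4_URL_RE.search(body):
        return "ActiveX download from a bare IP address"
    if code == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
        return "AppInit_DLLs is populated (loaded into every GUI process)"
    return None

def triage_log(text):
    """Return a list of (line, reason) for every flagged line in a log."""
    flagged = []
    for line in text.splitlines():
        reason = triage_line(line)
        if reason:
            flagged.append((line, reason))
    return flagged
```

Run `triage_log(SAMPLE_LOG)` to get the five flagged entries; the legitimate SoundMAX and Macromedia lines pass through untouched.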

Hope this gets to may24

Personally I stopped using McAfee & Norton and all that spam and spyware killer stuff and just switched to AVG Free. One free copy per home address. Free updates for life. Auto updates, auto scheduler, email scan, boot scan, catches everything except popups. Then I just set my security settings in IE and XP SP2 properly and I have no trouble.

 

We have started recommending this for all our clients as well. If they really like it we recommend they buy the Pro version.

 

Just go to Add/Remove Programs and uninstall all that other junk after you get the AVG and update it and go through all the settings in the Control Center.

 

Also, remove any programs you don't need but if you are not sure do some research first.

 

IF you know what you are doing you can search the registry and remove the keys for the stuff that still shows up after you have removed programs and done a complete scan and removed all viruses and trojans and malware, etc.

 

Don't forget once the system is clean you may still have things in System Restore that show up, so:

Set System Restore as low as possible and apply to clear it out. Then turn it off.

Do a complete shut down.

Now do another complete system scan.

If everything checks out, turn System Restore back on.

 

Hope this helps.


Thanks a lot GALINK! laugh

 

 

The first thing I did today was to read your answer and without a doubt I downloaded the antivirus AVG, I made the scan and it found 30 infected files, some of them were healed, others weren't, but my home page is once again "GOOGLE" smile.

 

Now I'm getting rid of Ad-Aware Personal, I'll remove it and use this antivirus you recommended. I'm having problems getting the updates for AVG, something about a connection failure, it says CHECK YOUR INTERNET CONNECTION SETTINGS, so I'm downloading the updates manually. I guess it's because of the firewall of McAfee antivirus.

 

I need some advice, thanks in advance :P


May24 - so glad it helped.

Sorry, been really busy, haven't been on for a couple of days.

The ones it didn't remove can be found by viewing the test details, then look to see the full path.

You can then go through My Computer and delete those manually.

Make sure you have your folder options set to show system and hidden files and file extensions.

 

Personally I would get rid of the McAfee altogether and just use the XP firewall; it works great with the AVG.

 

But sometimes you have to go to the Control Panel and Services to stop McAfee before it will let you remove it.

 

Hoping for the Best.

 

 


Thanks for your help Galink, the AVG removed all the infected files smile, it works very well, I could say better than McAfee.

 

I resolved the connection problems and I'm getting the updates automatically.

 

Greetings laugh
