Help Me with Hi Jack This Log

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by fallon, May 31, 2004.

  1. fallon

    fallon Private E-2

    Please help me. What should I fix?

    Logfile of HijackThis v1.97.7
    Scan saved at 10:24:45 PM, on 5/31/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\NMSSvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\6PLY72H4\HijackThis[1].exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R3 - Default URLSearchHook is missing
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [JxUshm7] C:\documents and settings\owner\local settings\temp\JxUshm7.exe
    O4 - HKLM\..\Run: [t3tO7F] C:\documents and settings\owner\local settings\temp\t3tO7F.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
    O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Usy6x9W6.exe
    O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
    O4 - HKLM\..\Run: [AutoLoader30261aSVNZPc] "C:\WINDOWS\System32\sfcoin.exe" /PC="AM.WILD" /HideUninstall
    O4 - HKLM\..\Run: [37tg3mP] lfpupdll.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Ultimate Popup Blocker] C:\Program Files\Ultimate Pop-up Blocker\Ultimate Pop-up Blocker.exe
    O4 - HKCU\..\Run: [WNSI] C:\WINDOWS\System32\wnscpit.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://active.macromedia.com/flash2/cabs/swflash.cab
     
  2. DanTekGeek

    DanTekGeek Master Sergeant

    I can't see anything that needs to be fixed. Maybe if you told us what your problem was we could help you more.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No Dan! There is a bunch of stuff to clean.

    Run the following online virus scanners:

    http://housecall.trendmicro.com/

    Now run Sygate's online Trojan scan at http://scan.sygatetech.com/pretrojanscan.html
    or
    download and run this peper trojan uninstaller while online:
    http://www.memorywatcher.com/uninst.exe

    Let's see where that gets us. That should clean up a few of the items that need fixing with HijackThis, which are:

    O4 - HKLM\..\Run: [JxUshm7] C:\documents and settings\owner\local settings\temp\JxUshm7.exe
    O4 - HKLM\..\Run: [t3tO7F] C:\documents and settings\owner\local settings\temp\t3tO7F.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
    O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Usy6x9W6.exe
    O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
    O4 - HKLM\..\Run: [37tg3mP] lfpupdll.exe

    Kill the process below with Task Manager:

    dp trojan.exe

    Now find these two files (co-located) and delete them:
    dp trojan.exe
    readme.txt

    Now boot in Safe Mode and delete (if they still exist):
    C:\documents and settings\owner\local settings\temp\JxUshm7.exe
    C:\documents and settings\owner\local settings\temp\t3tO7F.exe
    C:\WINDOWS\System32\dp-him.exe
    C:\WINDOWS\System32\Usy6x9W6.exe
    c:\installer\id53.exe
    lfpupdll.exe

    I'm not sure what this next line is but it does not look like it belongs here. Do you have any idea what it is for? I would think it should be removed.
    O4 - HKLM\..\Run: [AutoLoader30261aSVNZPc] "C:\WINDOWS\System32\sfcoin.exe" /PC="AM.WILD" /HideUninstall
     
  4. DanTekGeek

    DanTekGeek Master Sergeant

    *DanTekGeek cowers in his corner

    ...sorry...
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No problem Dan! Next time you can watch my back! ;)
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I missed one other one that has to be fixed:

    O4 - HKCU\..\Run: [WNSI] C:\WINDOWS\System32\wnscpit.exe

    Now boot in Safe Mode and delete (if it still exists):
    C:\WINDOWS\System32\wnscpit.exe
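The "which O4 entries look wrong" judgment chaslang applies in posts 3 and 6 above, written out as a small Python triage script. This is an added example for this page, not a MajorGeeks or HijackThis tool. The sample lines are copied from the log quoted in the first post; the heuristics themselves (temp-directory location, bare filename with no path, non-standard install directory, random-looking file and Run value names, and the switch threshold in `looks_random`) are this example's own assumptions, not a published rule set.

```python
"""Triage HijackThis O4 (Run key) entries with the heuristics an analyst applies by eye.

Added example for this thread, not MajorGeeks or HijackThis code. The sample
lines below are copied from the log posted above; the rules are assumptions.
"""
from __future__ import annotations

import ntpath
import re
from typing import NamedTuple

# O4 lines from the log posted in this thread: a mix of legitimate and bad entries.
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe',
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r'O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers',
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r'O4 - HKLM\..\Run: [JxUshm7] C:\documents and settings\owner\local settings\temp\JxUshm7.exe',
    r'O4 - HKLM\..\Run: [t3tO7F] C:\documents and settings\owner\local settings\temp\t3tO7F.exe',
    r'O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe',
    r'O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Usy6x9W6.exe',
    r'O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe',
    r'O4 - HKLM\..\Run: [AutoLoader30261aSVNZPc] "C:\WINDOWS\System32\sfcoin.exe" /PC="AM.WILD" /HideUninstall',
    r'O4 - HKLM\..\Run: [37tg3mP] lfpupdll.exe',
    r'O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background',
    r'O4 - HKCU\..\Run: [WNSI] C:\WINDOWS\System32\wnscpit.exe',
    r'O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE',
]

# Only HKLM/HKCU Run lines are parsed; "Global Startup" and other O4 forms are skipped.
O4_RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)

# Directories where an autorun image is unremarkable on an XP box (assumed, lower-cased).
TRUSTED_ROOTS = (r"c:\windows", r"c:\program files")


class RunEntry(NamedTuple):
    hive: str      # HKLM or HKCU
    name: str      # the Run value name HijackThis shows in [brackets]
    command: str   # the command line as printed
    image: str     # executable path extracted from the command line


def image_path(command: str) -> str:
    """Pull the executable path out of a Run command line.

    Quoted paths are unambiguous. Unquoted ones may contain spaces
    ("Program Files"), so take everything up to and including the first ".exe".
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    match = re.search(r"\.exe\b", command, re.IGNORECASE)
    return command[: match.end()] if match else command.split()[0]


def parse_o4_run(lines) -> list[RunEntry]:
    """Return a RunEntry for every HKLM/HKCU Run line; anything else is ignored."""
    entries = []
    for line in lines:
        m = O4_RUN_RE.match(line.strip())
        if m:
            entries.append(RunEntry(m["hive"], m["name"], m["cmd"], image_path(m["cmd"])))
    return entries


def looks_random(token: str) -> bool:
    """Heuristic for machine-generated names (threshold is an assumption).

    Requires letters mixed with digits and at least three switches between
    upper-case, lower-case and digit runs: 'JxUshm7' and '2LRX2W83X2T3MQ' pass,
    'Office10' and 'id53' do not.
    """
    chars = [c for c in token if c.isalnum()]
    if not any(c.isdigit() for c in chars) or not any(c.isalpha() for c in chars):
        return False

    def cls(c: str) -> str:
        return "d" if c.isdigit() else ("u" if c.isupper() else "l")

    switches = sum(cls(a) != cls(b) for a, b in zip(chars, chars[1:]))
    return switches >= 3


def triage(entry: RunEntry) -> list[str]:
    """Reasons an analyst would look twice at this entry; an empty list means nothing stood out."""
    reasons = []
    directory = ntpath.dirname(entry.image).lower()
    stem = ntpath.splitext(ntpath.basename(entry.image))[0]
    if not directory:
        reasons.append("bare filename, located via the search path")
    elif "temp" in directory.split("\\"):
        reasons.append("runs from a temp directory")
    elif not any(directory == r or directory.startswith(r + "\\") for r in TRUSTED_ROOTS):
        reasons.append("unusual install location")
    if looks_random(stem):
        reasons.append("random-looking file name")
    if looks_random(entry.name):
        reasons.append("random-looking Run value name")
    return reasons


def flag_suspicious(lines) -> dict[str, list[str]]:
    """Map each suspicious Run value name to the reasons it was flagged."""
    return {e.name: r for e in parse_o4_run(lines) if (r := triage(e))}


if __name__ == "__main__":
    for name, reasons in flag_suspicious(SAMPLE_O4_LINES).items():
        print(f"[{name}] -> {', '.join(reasons)}")
```

Run against the log above, the script flags six of the eight entries chaslang singled out (JxUshm7, t3tO7F, 2LRX2W83X2T3MQ, stcinstaller, AutoLoader30261aSVNZPc, 37tg3mP) and none of the legitimate ones. The two it misses, dp-him.exe and wnscpit.exe, sit in System32 under plain-looking names, so nothing about the line itself gives them away; that is exactly the case where an expert's knowledge of the specific malware, or a scanner, is still needed. The name heuristic will also misfire on some honest product names that carry version digits, so treat the output as a triage list to research, not a delete list.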
     
  7. fallon

    fallon Private E-2

    thanks for the help
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No problem! Have you been able to do everything I asked? Also, how are things running now?
     
