highjack this please

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by mikeed, Jul 19, 2004.

  1. mikeed

    mikeed Private E-2

    HI

    I have run ad aware and now highjack this
    below is my log. Please help me with what i should delete
    I am reading "Do Not Post A Hijack This! Log File Without Reading This First "
    but still need help

    thanks
    michael


    Logfile of HijackThis v1.98.0
    Scan saved at 9:17:59 PM, on 19/07/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton Internet Security\ccPxySvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\winproc32.exe
    C:\WINDOWS\synt64.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\unzipped\hijackthis[1]\HijackThis.exe
    C:\Program Files\Outlook Express\msimn.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://4-counter.com/?a=2&b=encry
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://4-counter.com/?a=2&b=encry
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-counter.com/?a=2&b=encry
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://4-counter.com/?a=2&b=encry
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://4-counter.com/?b=encry
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iprimus.com.au
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-counter.com/?a=2&b=encry
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://4-counter.com/?a=2&b=encry
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://4-counter.com/?a=2&b=encry
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://4-counter.com/?a=2&b=encry
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://4-counter.com/?a=2&b=encry
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://4-counter.com/?a=2&b=encry
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [TaskMon] C:\WINDOWS\System32\taskmon.exe
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\WinXP\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpywareGuard] C:\WINDOWS\system32\winproc32.exe
    O4 - HKCU\..\Run: [Windows Update Checker] C:\WINDOWS\synt64.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.iprimus.com.au
    O16 - DPF: Win32 Classes -
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/pcpitstop.cab
    O16 - DPF: {78960E0E-0B0C-11D4-8997-00104BD12D94} (AV Class) - http://www.pcpitstop.com/antivirus/PCPAV.CAB
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5F5A4987-B3C0-4BD7-92FF-F015110246BA}: NameServer = 203.134.12.90 203.134.102.90
     
    mikeed, Jul 19, 2004
    #1
  2. mikeed

    mikeed Private E-2

    Updated


    not sure about this one
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm




    Logfile of HijackThis v1.98.0
    Scan saved at 9:20:58 PM, on 19/07/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton Internet Security\ccPxySvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\winproc32.exe
    C:\WINDOWS\synt64.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\unzipped\hijackthis[1]\HijackThis.exe
    C:\Program Files\Outlook Express\msimn.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iprimus.com.au
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [TaskMon] C:\WINDOWS\System32\taskmon.exe
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\WinXP\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpywareGuard] C:\WINDOWS\system32\winproc32.exe
    O4 - HKCU\..\Run: [Windows Update Checker] C:\WINDOWS\synt64.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.iprimus.com.au
    O16 - DPF: Win32 Classes -
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/pcpitstop.cab
    O16 - DPF: {78960E0E-0B0C-11D4-8997-00104BD12D94} (AV Class) - http://www.pcpitstop.com/antivirus/PCPAV.CAB
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5F5A4987-B3C0-4BD7-92FF-F015110246BA}: NameServer = 203.134.12.90 203.134.102.90
     
    mikeed, Jul 19, 2004
    #2
  3. TheLastMessenger

    TheLastMessenger Private E-2

    Delete the ones in BOLD and then delete 'C:\Program Files\Internet Explorer\IEXPLORE.EXE' -and- 'C:\WINDOWS\system32\winproc32.exe' in safe mode.

    This is also suspect and will have to be looked at by some MGeek experts--
    C:\WINDOWS\synt64.exe

    Do these free online scans and post what it picked up, plus delete those that are found:
    http://housecall.trendmicro.com/housecall/start_corp.asp
    http://www.pandasoftware.com/activescan/com/activescan_principal.htm

    Second Step is to make sure you have all the SpywarePrograms below Downloaded (Make sure you download them all to your ProgramFiles NOT Temporary) and UPDATE THEM!!

    Download Microsofts Critial Updates and Patches:
    http://v4.windowsupdate.microsoft.com/en/default.asp

    Disable System Restore:
    http://www.pchell.com/virus/systemrestore.shtml
    If you got 2000 -- don't worry about System Restore boot in SafeMode:
    http://www.cts.duq.edu/content_pages/students/s_virus/s_virus_xprestore.html

    Boot in safe mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406/

    Then do this:
    Showing hidden files; follow step by step:
    http://www.xtra.co.nz/help/0,,4155-1916458,00.html

    Try running AdAware in safe mode --- Make sure you've already gotten the latest UPDATES (Open, then press the Check for Updates button) and apply the following settings:
    This is where you get Adaware --- http://www.majorgeeks.com/download506.html
    This is a link on how to run it --- http://www.lavahelp.com/howto/fullscan/index.html --- Or You can use the instructions here:
    Click on Start -- custom scanning options -- Customize.
    Check the following settings:
    Scan within archives
    Scan active processes
    Scan registry
    Deep scan registry
    Scan my IE Favorites for banned URL
    Scan my host-file
    Click on Tweak:
    Select -- Scanning Engine
    Check "Unload recognized processes during scanning"
    Check "Include additional Adaware settings in LogFile"
    Select -- Cleaning Engine
    Check "Automatically try to unregister objects prior to deletion" and "Let windows remove files in use at next reboot"
    Then click "proceed" to save your settings.
    Click on Next then Scan. Everything AdAware finds is safe to delete.

    Run SpyBot Search and Destroy --- Make sure you have already gotten the latest UPDATES (Open, then Search for Updates button)
    This is where you get SpyBot --- http://www.majorgeeks.com/download2471.html

    Empty your Temporary Internet Files and history in Internet Options. And clean out your
    %Userprofile%\Local Settings\Temp
    folder. You can also use Crapcleaner to help you clear out some stuff:
    This is where you get ccleaner --- http://www.majorgeeks.com/download4191.html

    Enable System Restore

    Reboot Normally

    Run HJT and POST log --- Make sure you have already gotten the latest Updates/Versions (Open, Config, then MiscTools, and Check for Updates Online)
    This is where you get HJT --- http://www.majorgeeks.com/download3155.html

    There are also many other programs here that are very useful
    http://forums.majorgeeks.com/index.php?

    FOR FUTURE SECURITY
    Download freeware here:
    http://www.javacoolsoftware.com/spywareblaster.html
     
    TheLastMessenger, Jul 19, 2004
    #3

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds