|
Malware Removal Discussion about Trojans, viruses, hoaxes, firewalls, spyware, and general Security issues. If you suspect your PC is infected with a virus, trojan or spyware app please include any supporting documentation or logs |
|
Topic Tools |
#1
|
|||
|
|||
HiJackThis log
Need assistance with a W2K laptop, please. I've run SpyBot, AdAware, and Trend Housecall. Thanks!
Logfile of HijackThis v1.98.2 Scan saved at 4:53:45 AM, on 12/14/2004 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\csrss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\WINNT\System32\Ati2evxx.exe C:\WINNT\System32\svchost.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\system32\mspmspsv.exe C:\WINNT\system32\svchost.exe C:\WINNT\Explorer.EXE C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\WINNT\GWMDMMSG.exe C:\WINNT\GWHotKey.exe C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe C:\PROGRA~1\NORTON~1\navapw32.exe C:\Program Files\2Wire\2PortalMon.exe C:\Program Files\QuickTime\qttask.exe C:\WINNT\system32\m7gh57ries5ysxthd.exe C:\WINNT\system32\tibs3.exe C:\Documents and Settings\Administrator\Application Data\owtr.exe C:\Program Files\Common Files\Symantec Shared\NMain.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\WINNT\system32\atitvo32.exe C:\Program Files\Hijackthis\HijackThis19802.exe R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=533 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\WINNT\_hp.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINNT\_s.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINNT\_sp.html R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINNT\_sp.html R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = C:\WINNT\_hp.html R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = C:\WINNT\_hp.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank F2 - REG:system.ini: UserInit=Userinit.exe, O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\system32\W8C6S4~2.DLL O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun O4 - HKLM\..\Run: [conscorr] C:\WINNT\conscorr.exe O4 - HKLM\..\Run: [estzsniyxt] C:\WINNT\system32\ahzveuj.exe O4 - HKLM\..\Run: [Control handler] C:\WINNT\system32\m7gh57ries5ysxthd.exe O4 - HKLM\..\Run: [whcd] C:\WINNT\whcd.exe O4 - HKLM\..\Run: [tibs3] C:\WINNT\system32\tibs3.exe O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe O4 - HKCU\..\Run: [dmstyle] C:\WINNT\system32\dmstyle.exe O4 - HKCU\..\Run: [atitvo32] C:\WINNT\system32\atitvo32.exe O4 - HKCU\..\Run: [Yyhnzka] C:\WINNT\system32\l?gonui.exe O4 - HKCU\..\Run: [Into] C:\Documents and Settings\Administrator\Application Data\owtr.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: winlogin.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000 O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://greg-tut.com/G7/chm10.chm::/ieloader.exe O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://super-gals.com/scj/rotation/t...x.chm::/ad.exe O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q678340.exe O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_fi...1a0351cafa03db O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.com/wizmodules/tes...enXInstall.cab O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} - http://www.xxxtoolbar.com/ist/softwa...06_regular.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/deltacvx.cab O18 - Filter: text/html - {3177EA86-6095-4228-A2F4-47BE6880E792} - C:\WINNT\system32\dhng.dll O18 - Filter: text/plain - {3177EA86-6095-4228-A2F4-47BE6880E792} - C:\WINNT\system32\dhng.dll O20 - AppInit_DLLs: zwxgbibgj7tkixll.dll.dll.dll.dll.dll.dll.dll.dll.d ll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll .dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.d ll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll .dll.dll.dll.dll.dll.dll.dll.dll.dll.dll |
#2
|
|||
|
|||
Hi PCLady,
Dowload the following program CWShredder It should be the current version, but check for updates Run Program cwshredder and have it fix anything it finds. Make sure you click the “Fix” button Restart your computer, Please restart HJT put a check next to the following if they still exist, close all open windows and click “Fix Checked” R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=533 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\WINNT\_hp.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINNT\_s.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINNT\_sp.html R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINNT\_sp.html R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = C:\WINNT\_hp.html R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = C:\WINNT\_hp.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\system32\W8C6S4~2.DLL O4 - HKLM\..\Run: [conscorr] C:\WINNT\conscorr.exe O4 - HKLM\..\Run: [estzsniyxt] C:\WINNT\system32\ahzveuj.exe O4 - HKLM\..\Run: [Control handler] C:\WINNT\system32\m7gh57ries5ysxthd.exe O4 - HKLM\..\Run: [whcd] C:\WINNT\whcd.exe O4 - HKLM\..\Run: [tibs3] C:\WINNT\system32\tibs3.exe O4 - HKCU\..\Run: [dmstyle] C:\WINNT\system32\dmstyle.exe O4 - HKCU\..\Run: [atitvo32] C:\WINNT\system32\atitvo32.exe O4 - HKCU\..\Run: [Yyhnzka] C:\WINNT\system32\l?gonui.exe O4 - HKCU\..\Run: [Into] C:\Documents and Settings\Administrator\Application Data\owtr.exe < Delete the associated folder O4 - Global Startup: winlogin.exe <Be sure and not delete the legit Winlogon O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://greg-tut.com/G7/chm10.chm::/ieloader.exe O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://super-gals.com/scj/rotation/.../x.chm::/ad.exe O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q678340.exe O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...a0 351cafa03db O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} - http://www.xxxtoolbar.com/ist/softw...006_regular.cab O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab O18 - Filter: text/html - {3177EA86-6095-4228-A2F4-47BE6880E792} - C:\WINNT\system32\dhng.dll O18 - Filter: text/plain - {3177EA86-6095-4228-A2F4-47BE6880E792} - C:\WINNT\system32\dhng.dll O20 - AppInit_DLLs: zwxgbibgj7tkixll.dll.dll.dll.dll.dll.dll.dll.dll.d ll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll .dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.d ll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll .dll.dll.dll.dll.dll.dll.dll.dll.dll.dll Next reboot to safe mode ( By tapping the F8 key on start up) Make sure you can view all Hidden Files/Folders search for and delete the above files highlighted in BOLD Restart your computer, Post back a fresh log please |
#3
|
|||
|
|||
Hi, Don. Thanks for your assistance. I'm not sure which of the winlogon.exe files to delete. They all show that they're MS in the properties. I tried stopping it with Task Manager, but no luck. Here's the latest log:
Logfile of HijackThis v1.98.2 Scan saved at 6:48:53 AM, on 12/14/2004 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\csrss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\WINNT\System32\Ati2evxx.exe C:\WINNT\System32\svchost.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\system32\mspmspsv.exe C:\WINNT\system32\svchost.exe C:\WINNT\Explorer.EXE C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\WINNT\GWMDMMSG.exe C:\WINNT\GWHotKey.exe C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe C:\PROGRA~1\NORTON~1\navapw32.exe C:\Program Files\2Wire\2PortalMon.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Hijackthis\HijackThis19802.exe F2 - REG:system.ini: UserInit=Userinit.exe, O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun O4 - HKLM\..\Run: [Control handler] C:\WINNT\system32\m7gh57ries5ysxthd.exe O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe O4 - HKCU\..\Run: [atitvo32] C:\WINNT\system32\atitvo32.exe O4 - HKCU\..\Run: [Into] C:\Documents and Settings\Administrator\Application Data\cawt.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: winlogin.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000 O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.com/wizmodules/tes...enXInstall.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/deltacvx.cab Where to next, Captain? |
#4
|
|||
|
|||
Looking much better!
Just a few more, Please restart HJT put a check next to the following, close all open windows and click “Fix Checked” O4 - HKCU\..\Run: [atitvo32] C:\WINNT\system32\atitvo32.exe O4 - HKCU\..\Run: [Into] C:\Documents and Settings\Administrator\Application Data\cawt.exe O4 - Global Startup: winlogin.exe Next reboot to safe mode ( By tapping the F8 key on start up) Make sure you can view all Hidden Files/Folders search for and delete the following in BOLD C:\WINNT\system32\atitvo32.exe C:\Documents and Settings\Administrator\Application Data\cawt.exe <Delete the associated folder if found with this file winlogin.exe << You want to delete this file and NOT winlogon Restart your computer, Restart HJT and post back a fresh log please |
#5
|
|||
|
|||
Yes, looking much better, thanks! Can't believe I misread winlogin as winlogon. Scary. Here's the latest:
Logfile of HijackThis v1.98.2 Scan saved at 8:06:59 AM, on 12/14/2004 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\csrss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\WINNT\System32\Ati2evxx.exe C:\WINNT\System32\svchost.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\system32\mspmspsv.exe C:\WINNT\system32\svchost.exe C:\WINNT\Explorer.EXE C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\WINNT\GWMDMMSG.exe C:\WINNT\GWHotKey.exe C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe C:\PROGRA~1\NORTON~1\navapw32.exe C:\Program Files\2Wire\2PortalMon.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Hijackthis\HijackThis19802.exe F2 - REG:system.ini: UserInit=Userinit.exe, O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun O4 - HKLM\..\Run: [Control handler] C:\WINNT\system32\m7gh57ries5ysxthd.exe O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000 O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.com/wizmodules/tes...enXInstall.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/deltacvx.cab |
#6
|
|||
|
|||
You did fine, I missed one as well,
Please restart HJT put a check next to the following, close all open windows and click “Fix Checked” O4 - HKLM\..\Run: [Control handler] C:\WINNT\system32\m7gh57ries5ysxthd.exe Next reboot to safe mode ( By tapping the F8 key on start up) Make sure you can view all Hidden Files/Folders search for and delete the above files highlighted in BOLD C:\WINNT\system32\m7gh57ries5ysxthd.exe Restart your computer, Post back a fresh log please |
#7
|
|||
|
|||
Here it is. Clean at last?
Logfile of HijackThis v1.98.2 Scan saved at 10:28:37 PM, on 12/14/2004 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\csrss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\WINNT\System32\Ati2evxx.exe C:\WINNT\System32\svchost.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\system32\mspmspsv.exe C:\WINNT\system32\svchost.exe C:\WINNT\Explorer.EXE C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\WINNT\GWMDMMSG.exe C:\WINNT\GWHotKey.exe C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe C:\PROGRA~1\NORTON~1\navapw32.exe C:\Program Files\2Wire\2PortalMon.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Hijackthis\HijackThis19802.exe F2 - REG:system.ini: UserInit=Userinit.exe, O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000 O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.com/wizmodules/tes...enXInstall.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/deltacvx.cab |
#8
|
|||
|
|||
Yes. I think we can tick you of the list.Your clean
|
#9
|
|||
|
|||
Thanks so much for your help, Don. I do appreciate it.
|
#10
|
|||
|
|||
Regret to report that it's back to the xysearch about:blank home page in IE. Do you see anything else in the last log that could have caused this? I found salm.exe and supporting files in the c:\temp folder - got rid of them. Downloading and installing NAV 2005 and will run that. Thanks!
|
#12
|
|||
|
|||
Hi. I returned the computer before I saw this. I reran Ad-Aware, SpyBot, and Norton. I think it's OK now, but if I get word that it's still infected, I'll try this. I'll surely try it on another one I'm troubleshooting. Thanks!
Cathy |
Bookmarks |
«
Previous Topic
|
Next Topic
»
|
|
Similar Topics | ||||
Topic | Topic Starter | Forum | Replies | Last Post |
HiJackThis log | PCLady | Malware Removal | 4 | January 8th, 2005 04:00 AM |
HijackThis log... | LongboardLuLu | Malware Removal | 4 | January 3rd, 2005 03:35 AM |
New HiJackThis log | Sand | Malware Removal | 3 | December 30th, 2004 01:11 AM |
Hijackthis log...please help! | adri_chii | Malware Removal | 5 | December 29th, 2004 06:41 AM |
HiJackThis log | PCLady | Malware Removal | 3 | December 27th, 2004 06:50 AM |
All times are GMT +1. The time now is 08:52 PM.