
Thread: please help Hijackthis log

  1. #1
    steve Guest

    please help Hijackthis log

    Hi all
    New to the group (I only just got 'hijacked'), so apologies for any repetition.
    After searching the net I found out about HijackThis, downloaded it and
    scanned.
    I am not sure what is nasty & what is not & was hoping someone could decipher
    the log file for me (pasted below).
    Every time I reboot my home page defaults to a local file, 'hp.htm', in the
    winnt folder.

    Again, any help would be greatly appreciated.
    Cheers
    Steve

    Logfile of HijackThis v1.97.7
    Scan saved at 10:23:52 AM, on 19/11/2003
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    F:\WINNT\System32\smss.exe
    F:\WINNT\system32\winlogon.exe
    F:\WINNT\system32\services.exe
    F:\WINNT\system32\lsass.exe
    F:\WINNT\system32\svchost.exe
    F:\WINNT\system32\spoolsv.exe
    F:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    F:\WINNT\System32\DRIVERS\CDANTSRV.EXE
    F:\WINNT\System32\svchost.exe
    F:\WINNT\system32\regsvc.exe
    F:\WINNT\system32\MSTask.exe
    F:\WINNT\System32\WBEM\WinMgmt.exe
    F:\WINNT\System32\mspmspsv.exe
    F:\WINNT\Explorer.EXE
    F:\Program Files\Winamp\Winampa.exe
    F:\Program Files\Grisoft\AVG6\avgcc32.exe
    F:\WINNT\System32\internat.exe
    F:\Program Files\ashampoo\Ashampoo UnInstaller Suite\UIWatcher.exe
    F:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    F:\Program Files\Internet Explorer\IEXPLORE.EXE
    F:\Program Files\Outlook Express\msimn.exe
    F:\PROGRA~1\WinZip\winzip32.exe
    F:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-search.com/srchasst.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie-search.com/home.html (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = f:\winnt\hp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie-search.com/home.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie-search.com/srchasst.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie-search.com/srchasst.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-search.com/srchasst.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie-search.com/home.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie-search.com/home.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie-search.com/home.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie-search.com/srchasst.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie-search.com/srchasst.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by APC
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ie-search.com/home.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ie-search.com/srchasst.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ie-search.com/srchasst.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://ie-search.com/srchasst.html (obfuscated)
    O1 - Hosts: 206.161.200.105 auto.search.msn.com
    O1 - Hosts: 206.161.200.105 sitefinder.verisign.com
    O1 - Hosts: 206.161.200.105 sitefinder-idn.verisign.com
    O1 - Hosts: 206.161.200.105 www.your.com
    O1 - Hosts: 206.161.200.105 your.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {1678F7E1-C422-11D0-AD7D-00400515CAAA} - (no file)
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - F:\WINNT\System32\nzdd.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [WinampAgent] "F:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "F:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [NeroCheck] F:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [AVG_CC] F:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell.dll /c /set -- by windows setup --
    O4 - HKLM\..\Run: [SpyHunter] I:\Spyhunter\SpyHunter.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [UIWatcher] F:\Program Files\ashampoo\Ashampoo UnInstaller Suite\UIWatcher.exe
    O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\billmind.exe
    O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = F:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O8 - Extra context menu item: Search Using Copernic - F:\Program Files\Copernic 2001 Basic\Search Extension.htm
    O12 - Plugin for .mid: F:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mov: F:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O12 - Plugin for .wav: F:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.apcstart.com
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...rus.com/housecall/xscan53.cab
    O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://D:\AutoCad\AcDcToday.ocx
    O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://D:\AutoCad\InstBanr.ocx
    O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://D:\AutoCad\InstFred.ocx
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
    O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://D:\AutoCad\AcPreview.ocx




    ---
    Outgoing mail is certified Virus Free.
    Checked by AVG anti-virus system (http://www.grisoft.com).
    Version: 6.0.542 / Virus Database: 336 - Release Date: 18/11/2003
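    Worked example (added by the editor; not part of the original thread, and not
    code from HijackThis or CWShredder): a small Python triage script that reads a
    HijackThis 1.x log the way an experienced helper reads the one above. Its
    sample input is a constructed subset of the entries from Steve's log, unwrapped
    onto one line each. The allowlisted IE hosts, the "short DLL name in System32"
    length threshold, the "a Run command must start with an executable" rule and
    the sensitive-hostname list are the editor's assumed heuristics, not an
    official signature set. On this input it flags the R0/R1 values that are
    marked (obfuscated) or point at ie-search.com, the Start Page set to a local
    file, the hosts-file entries that pin auto.search.msn.com and the VeriSign
    Site Finder name to one outside IP, the orphaned BHO and the BHO nzdd.dll
    in System32, and the "Windows Shell Library Loader" Run entry whose command
    is not an executable at all; the AVG, Tweak UI and Adobe entries pass.

```python
# Triage a HijackThis 1.x log for CoolWebSearch-style hijack indicators.
# Added example; allowlists and thresholds are assumptions, not an official signature set.
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: a subset of the entries from the log posted above, unwrapped.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-search.com/srchasst.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = f:\winnt\hp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie-search.com/home.html (obfuscated)
O1 - Hosts: 206.161.200.105 auto.search.msn.com
O1 - Hosts: 206.161.200.105 sitefinder.verisign.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1678F7E1-C422-11D0-AD7D-00400515CAAA} - (no file)
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - F:\WINNT\System32\nzdd.dll
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [AVG_CC] F:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell.dll /c /set -- by windows setup --
"""

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")
RUN_RE = re.compile(r"\[[^\]]*\]\s*(.*)$")
# A Run command should begin with an executable, quoted or not, spaces allowed.
EXE_RE = re.compile(r'^"?[^"]*?\.(?:exe|cpl|com|scr)"?(?:\s|$)', re.I)
EXPECTED_IE_HOSTS = ("microsoft.com", "msn.com")   # assumed: stock IE 6 defaults
SENSITIVE_HOSTNAMES = ("msn.com", "verisign.com")  # assumed: never pinned in hosts
LOCAL_IPS = {"127.0.0.1", "0.0.0.0", "::1"}        # the only benign hosts targets

def _in_domains(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)

def check_r(body):
    """R0/R1 IE start/search values: obfuscated, local file, or unexpected host."""
    if " = " not in body:
        return None
    value = body.split(" = ", 1)[1]
    reasons = []
    if value.endswith("(obfuscated)"):
        reasons.append("value stored obfuscated in the registry")
        value = value[:-len("(obfuscated)")].strip()
    if value.lower().startswith("http"):
        host = urlparse(value).hostname or ""
        if not _in_domains(host, EXPECTED_IE_HOSTS):
            reasons.append("points at unexpected host " + host)
    elif re.match(r"^[a-z]:\\", value, re.I):
        reasons.append("start/search value is a local file")
    return "; ".join(reasons) or None

def check_bho(body):
    """O2 BHOs: orphans, and short meaningless DLL names dropped into System32."""
    parts = body.split(" - ", 2)
    if len(parts) != 3:
        return None
    path = parts[2].strip().lower()
    if path == "(no file)":
        return "BHO registered but its DLL is missing (orphan, safe to remove)"
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if "\\system32\\" in path and len(stem) <= 5:     # assumed length threshold
        return "unknown short-named DLL in System32: " + stem
    return None

def check_run(body):
    """O4 Run keys: no executable at the head, or free text after '--'."""
    m = RUN_RE.search(body)
    if not m:
        return None                   # Global Startup .lnk lines use another layout
    cmd = m.group(1)
    reasons = []
    if not EXE_RE.match(cmd):
        reasons.append("command does not start with an executable: " + (cmd.split() or ["?"])[0])
    if " -- " in cmd:
        reasons.append("free text embedded in the command line")
    return "; ".join(reasons) or None

def check_hosts(hosts_by_ip):
    """O1 entries: a non-loopback IP that swallows several names or a sensitive one."""
    out = []
    for ip, entries in hosts_by_ip.items():
        if ip in LOCAL_IPS:
            continue
        if len(entries) >= 2 or any(_in_domains(n, SENSITIVE_HOSTNAMES) for n, _ in entries):
            for name, line in entries:
                out.append({"code": "O1", "line": line,
                            "reason": f"hosts file pins {name} to {ip} ({len(entries)} names share it)"})
    return out

def triage(log_text):
    """Return a list of {code, reason, line} findings for one unwrapped log."""
    findings, hosts_by_ip = [], defaultdict(list)
    checks = {"R0": check_r, "R1": check_r, "O2": check_bho, "O4": check_run}
    for line in (ln.strip() for ln in log_text.splitlines()):
        m = ENTRY_RE.match(line)
        if not m:
            continue
        code, body = m.group(1), m.group(2)
        if code == "O1":
            fields = body.split()     # "Hosts:", ip, name
            if len(fields) == 3:
                hosts_by_ip[fields[1]].append((fields[2], line))
        elif code in checks and (reason := checks[code](body)):
            findings.append({"code": code, "reason": reason, "line": line})
    findings.extend(check_hosts(hosts_by_ip))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['code']:<3} {f['reason']}\n    {f['line']}")
```

    Run it as a script to print the findings, or call triage() on a log you have
    read from a file. One caveat that matters for logs lifted from a newsgroup
    post like this one: the mail client wraps long entries onto two lines, so
    rejoin each entry onto a single line (every entry starts with a code such as
    R1 or O4 at column 0) before feeding it in, or the parser will skip the
    wrapped halves.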



  2. #2
    YoKenny Guest

    Re: please help Hijackthis log

    steve wrote:
    > Hi all
    > New to the group (I only just got 'hijacked'), so apologies for any
    > repetition. After searching the net I found out about HijackThis,
    > downloaded it and scanned.
    > I am not sure what is nasty & what is not & was hoping someone could
    > decipher the log file for me (pasted below).
    > Every time I reboot my home page defaults to a local file, 'hp.htm'
    > in the winnt folder.
    >
    > Again, any help would be greatly appreciated.
    > Cheers
    > Steve
    >
    > Logfile of HijackThis v1.97.7
    > Scan saved at 10:23:52 AM, on 19/11/2003
    > Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    > MSIE: Internet Explorer v6.00 (6.00.2600.0000)
    >
    > Running processes:
    > F:\WINNT\System32\smss.exe
    > F:\WINNT\system32\winlogon.exe
    > F:\WINNT\system32\services.exe
    > F:\WINNT\system32\lsass.exe
    > F:\WINNT\system32\svchost.exe
    > F:\WINNT\system32\spoolsv.exe
    > F:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    > F:\WINNT\System32\DRIVERS\CDANTSRV.EXE
    > F:\WINNT\System32\svchost.exe
    > F:\WINNT\system32\regsvc.exe
    > F:\WINNT\system32\MSTask.exe
    > F:\WINNT\System32\WBEM\WinMgmt.exe
    > F:\WINNT\System32\mspmspsv.exe
    > F:\WINNT\Explorer.EXE
    > F:\Program Files\Winamp\Winampa.exe
    > F:\Program Files\Grisoft\AVG6\avgcc32.exe
    > F:\WINNT\System32\internat.exe
    > F:\Program Files\ashampoo\Ashampoo UnInstaller Suite\UIWatcher.exe
    > F:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    > F:\Program Files\Internet Explorer\IEXPLORE.EXE
    > F:\Program Files\Outlook Express\msimn.exe
    > F:\PROGRA~1\WinZip\winzip32.exe
    > F:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HijackThis.exe
    >
    > R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    > http://ie-search.com/srchasst.html (obfuscated)


    As soon as I read this you have been hijacked by CWS!

    Get CWShredder:
    Use the online update function or direct download.
    http://www.spywareinfo.com/~merijn/files/cwshredder.zip

    Read about it:
    http://www.spywareinfo.com/~merijn/cwschronicles.html

    Post your log into the support forum:
    http://tomcoyote.org/forums/index.php?showforum=27

    <snip>


    Deleted AVG advert!


  3. #3
    steve Guest

    Re: please help Hijackthis log

    YoKenny you are a legend.
    CWShredder seems to have done the job.
    Should I still post the log file to the Tom Coyote forum (for the
    information of others?) or was that a 'just in case'?
    Thanks for the help
    Steve


    "YoKenny" <YKnot@home.invalid> wrote in message
    news:_1Dub.112038$HoK.27172@news01.bloor.is.net.cable.rogers.com...
    <snip>






  4. #4
    YoKenny Guest

    Re: please help Hijackthis log

    steve wrote:
    > YoKenny you are a legend.
    > CWShredder seems to have done the job.
    > Should I still post the log file to the Tom Coyote forum (for the
    > information of others?) or was that a 'just in case'?
    > Thanks for the help
    > Steve


    Thanks! I'm just a humble scumware buster!

    No need to post your log unless you are having more problems.
    See you over at Tom Coyote. (big grin)

    <snip>
