Jump to content


Start Page hijacked -ran hijack this -logfile here

  • Please log in to reply
2 replies to this topic

#1 cam2003



  • New Member
  • Pip
  • 3 posts

Posted 30 June 2004 - 10:20 AM

Good day:

Could some please look at my Hijack this logfile and see what could be eliminated. CWS shredder finds cws.searchx trojan.. appears to clean it but upon reboot it is back again. I 'fixed' all the Search pages in Hijack This.. and Internet Explorer appears okay.. but when I reboot it is all back and Spybot says things are changing.. just after I do the fix..? I wasn't sure.. what to allow or deny... The computer in question is up to date with Windows and Office and Anti-virus updates. Previous to all of this beginning to happen, the user went to open a page.. and norton detected trojan startpage in nobgbf.dll and mac.dll and quarantined it.. I am thinking that more than one trojan got downloaded and not all got detected.

This is the log file

Logfile of HijackThis v1.97.7
Scan saved at 12:28:46 PM, on 6/28/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\MylesL\Desktop\trojan search software\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\MylesL\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\MylesL\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\MylesL\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\MylesL\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\MylesL\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\MylesL\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {388DCFCE-0094-4925-9FD2-58E83D460F05} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .MPG: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: Xpress3DQuoteCab -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...37953.262662037
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...cabs/swflash.ca

Thanks in advance for any assistance.

#2 cam2003



  • New Member
  • Pip
  • 3 posts

Posted 30 June 2004 - 10:25 AM

Also, please note:

Spybot Search and Destroy at one point detected the following:

Process ID: 1600
File Name: expinst.exe
Found in: c:\winnt\msdownld.tmp\as022dedd.tmp
id: fun web products

#3 cam2003



  • New Member
  • Pip
  • 3 posts

Posted 01 July 2004 - 02:23 PM

Well, since I appear to be posting and talking to myself.. lol.. I can also tell myself that I think I figured it out... by searching many, many posted messages (here, Computing.Net and at spycop) until I think I finally found a solution that works for me.. (so far anyway)... I have done several reboots and so far.. it is still gone... This is copied from Computing.Net from Steve...

and this worked for me as well in Windows 2000 (as well as clearing my temp folders, running hijack this, spybot, adaware and shredder (updating them first) and running a virus scan in safe mode after), resetting internet explorer back to proper default home page... I have now set my security settings from medium to high on the problem computer.. and told them they will have to deal with the prompting.. to protect their machine.... Just for your information as well.. The antivirus, office and windows software were completely up to date and this one still got through..... I would get rid of it and it kept coming back.. sometimes not right away but after a couple of reboots... Until now... I make no guarantees but so far.. its working....

You will be going into the registry (be careful)...


HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

You have to remove this key. The value of this key may look blank for you, but it is not. They hide the value so you can't see it. This registry key tells Windows to load the trojan DLL every time ANY application is run giving it complete control to do whatever it wants. So you need to remove it so that the trojan DLL cannot load and keep re-infecting your pc.

The way to remove the registry key is not obvious. If you just delete it from regedit, since the trojan DLL is loaded, it will re-add it right back. (Try it. Delete the AppInit_DLLs registry key and hit F5. Notice that it's added right back by the trojan). So what you have to do is the following which worked for me.

1. Rename the HLM\Software\Microsoft\Windows NT\CurrentVersion\Windows folder to Windows2.
2. Now delete the AppInit_DLLs key under the Windows2 folder.
3. Hit F5 and notice that AppInit_DLLs doesn't come back.
4. Rename the Windows2 folder back to Windows.

Now that AppInit_DLLs is gone, run the latest Adaware 6 to remove the trojan for good. Reboot your machine. Check the registry and make sure AppInit_DLLs is still gone. Your computer should be free of this for good now."

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of

Support SpywareInfo Forum - click the button
PayPal - The safer, easier way to pay online!