Hijack This Logfile



#1 perfektgreen

Posted 09 July 2004 - 12:17 AM

Logfile of HijackThis v1.97.7
Scan saved at 10:16:33 PM, on 7/8/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\Program Files\Direct Object\ddscr.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\AIM\aim.exe
E:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
E:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\WINDOWS\wanmpsvc.exe
E:\Documents and Settings\Bao Chan\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapp...//www.yahoo.com
R3 - URLSearchHook: (no name) - {965A592F-8EFA-4250-8630-7960230792F1} - (no file)
R3 - URLSearchHook: SearchHook Class - {41B7B291-143E-43A1-9CCF-91655DFDE60F} - E:\WINDOWS\System32\oakum.dll
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {00000250-0320-4DD4-BE4F-7566D2314352} - E:\WINDOWS\VoiceIP.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - E:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FB-EF60B19DB42E} - E:\PROGRA~1\Srng\SNHelper.dll (file missing)
O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [tevlsbh] rundll32 E:\WINDOWS\System32:tevlsbh.dll,Init 1
O4 - HKLM\..\Run: [ogtjxjg] rundll32 E:\WINDOWS\System32:ogtjxjg.dll,Init 1
O4 - HKLM\..\Run: [cbwau] E:\WINDOWS\cbwau.exe
O4 - HKLM\..\Run: [srcpp32] E:\WINDOWS\srcpp32.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [AIM] E:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] E:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKLM\..\RunOnce: [*tevlsbh] rundll32 E:\WINDOWS\System32:tevlsbh.dll,Init 1
O4 - HKLM\..\RunOnce: [*ogtjxjg] rundll32 E:\WINDOWS\System32:ogtjxjg.dll,Init 1
O8 - Extra context menu item: &Yahoo! Search - file:///E:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///E:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///E:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#2 WinHelp2002

Posted 09 July 2004 - 07:01 AM

Hi,
Download Ad-Aware

After installing Ad-Aware, and before running the program:

Update Ad-Aware's Reference File: instructions here

Required Step: Reconfigure Ad-Aware for Full Scan

Note: do not run Ad-Aware yet, just update and reconfigure

Important! Create a folder via Windows Explorer for HijackThis, then move the file (HijackThis.exe) to that folder. This way any backups created are saved in a legit folder.

First thing to do is ...

Reconfigure Windows Explorer to show Hidden Files: [required step]
Open the Windows Explorer | Tools | Folder Options - View [tab]:

Scroll down to the "Files and Folders" section.
Select: "Display the contents of system folders".

Scroll down to the "Hidden Files and Folders" section.
Select: "Show hidden files and folders", Ok the prompt
Uncheck: "Hide file extensions for known file types"
Uncheck: "Hide protected operating system files" Ok the Prompt, click Apply

Click the "Apply to all Folders" button. Close Windows Explorer.

Next:

Close all open windows, rescan with HijackThis
Place a check in each of the following then click "Fix checked".

R3 - URLSearchHook: (no name) - {965A592F-8EFA-4250-8630-7960230792F1} - (no file)
R3 - URLSearchHook: SearchHook Class - {41B7B291-143E-43A1-9CCF-91655DFDE60F} - E:\WINDOWS\System32\oakum.dll
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {00000250-0320-4DD4-BE4F-7566D2314352} - E:\WINDOWS\VoiceIP.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FB-EF60B19DB42E} - E:\PROGRA~1\Srng\SNHelper.dll (file missing)
O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [tevlsbh] rundll32 E:\WINDOWS\System32:tevlsbh.dll,Init 1
O4 - HKLM\..\Run: [ogtjxjg] rundll32 E:\WINDOWS\System32:ogtjxjg.dll,Init 1
O4 - HKLM\..\Run: [cbwau] E:\WINDOWS\cbwau.exe
O4 - HKLM\..\Run: [srcpp32] E:\WINDOWS\srcpp32.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [*tevlsbh] rundll32 E:\WINDOWS\System32:tevlsbh.dll,Init 1
O4 - HKLM\..\RunOnce: [*ogtjxjg] rundll32 E:\WINDOWS\System32:ogtjxjg.dll,Init 1
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe


Then reboot, on restart, restart in Safe Mode [required step - see "How To" below]

Start | Run (type) "%temp%" (no quotes)
Completely delete the entire contents of that "temp" folder.

Open Windows Explorer, locate and delete the following:

E:\WINDOWS\System32\oakum.dll <--this file
E:\WINDOWS\VoiceIP.dll <--this file
E:\WINDOWS\System32:tevlsbh.dll <--this file
E:\WINDOWS\System32:ogtjxjg.dll <--this file
E:\WINDOWS\cbwau.exe <--this file
E:\WINDOWS\srcpp32.exe <--this file
C:\Recycled\Q330995.exe <--this file
E:\PROGRAM FILES\Srng <--this folder

While still in Safe Mode, run Ad-Aware and fix everything it finds.

Restart normally and then ...

Important! Your system is severely out of date!
Visit Windows Update and install all the "Critical Updates"

After the above, reboot, rescan with HijackThis and post a fresh log ...
Mike
Former Microsoft MVP 1999-2012
"There's no place like 127.0.0.1"
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file
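
A triage pass over HijackThis entries like those in post #1, as an added example that is not part of either post. The three heuristics (orphaned reference, a second colon in a path, which is NTFS alternate-data-stream syntax, and an O16 entry installed from a local file) are assumptions of this example, not criteria stated by WinHelp2002; the sample lines are copied from the log above.

```python
import re

# A second colon inside a Windows path (after the drive colon) is NTFS
# alternate-data-stream syntax, e.g. E:\WINDOWS\System32:name.dll
ADS_PATH = re.compile(r'[A-Za-z]:\\[^:"]*:[^\\\s]')
# HijackThis entry lines start with a section code such as R3, O4 or O16.
ENTRY = re.compile(r'^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$')

def triage(log_text):
    """Return (code, reason, line) for entries that deserve a manual look.

    The three heuristics are assumptions of this example, not rules
    stated in the thread.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # header or running-process line
        code, body = m.group("code"), m.group("body")
        if body.endswith(("(no file)", "(file missing)")):
            findings.append((code, "orphaned reference", line))
        if ADS_PATH.search(body):
            findings.append((code, "alternate data stream path", line))
        if code == "O16" and " - file://" in body:
            findings.append((code, "ActiveX installed from local file", line))
    return findings

# Sample lines copied from the log in post #1 (not the full log).
SAMPLE = r"""
Running processes:
E:\WINDOWS\system32\svchost.exe
R3 - URLSearchHook: (no name) - {965A592F-8EFA-4250-8630-7960230792F1} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - E:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FB-EF60B19DB42E} - E:\PROGRA~1\Srng\SNHelper.dll (file missing)
O4 - HKLM\..\Run: [tevlsbh] rundll32 E:\WINDOWS\System32:tevlsbh.dll,Init 1
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O8 - Extra context menu item: &Yahoo! Search - file:///E:\Program Files\Yahoo!\Common/ycsrch.htm
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
"""

if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE):
        print(f"{reason:36} {line}")
```

A flagged line is a prompt for manual review, not a verdict; the Yahoo!, QuickTime and Flash entries pass through unflagged because they match none of the three patterns.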



