my cws symptoms and hjt log



#1 itaybt (Member, 3 posts)

Posted 11 July 2004 - 05:50 AM

1. The home page is hijacked by res://kavjr.dll/index.html#20635
2. The latest CWShredder didn't find anything
3. Could not go to the merijn.com website
4. When trying to get to Google, redirected to res://kavjr.dll/url_error.html#google.com - "windows help center"
5. The latest Ad-Aware found the CWS process and deleted it, but it returned after reboot.

Here is the HijackThis log:

Logfile of HijackThis v1.98.0
Scan saved at 01:40:10 PM, on 11/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\cusrvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\NWTRAY.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\inKline Global\PC Booster\pcbooster.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\dpmw32.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\system32\atltd32.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\WINDOWS\apiju32.exe
C:\Program Files\Avant Browser\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kavjr.dll/sp.html#20635
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://kavjr.dll/index.html#20635
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://kavjr.dll/index.html#20635
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\kavjr.dll/sp.html#20635
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kavjr.dll/sp.html#20635
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://kavjr.dll/index.html#20635
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9B0F7030-AF9E-455A-F0F3-B9E15FD227AE} - C:\WINDOWS\system32\netrh32.dll
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PC Booster] C:\Program Files\inKline Global\PC Booster\pcbooster.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [atltd32.exe] C:\WINDOWS\system32\atltd32.exe
O4 - HKLM\..\RunOnce: [apiju32.exe] C:\WINDOWS\apiju32.exe
O4 - HKLM\..\RunOnce: [apicb32.exe] C:\WINDOWS\system32\apicb32.exe
O4 - HKCU\..\Run: [GoldWord] C:\Program Files\GoldWord\gw.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: ... פתח את כל הקישורים בדף זה - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O8 - Extra context menu item: הדגש - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: הוסף לרשימת הפרסומות החסומות - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: חסום את כל התמונות משרת זה - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: חפש - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O16 - DPF: KANA IQ LiveA - https://help1.bankle...o.il/EU/eu1.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/i...etup1.0.0.5.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C550974E-3C03-4873-A18B-4417919F3E41}: NameServer = 128.139.6.1,128.139.4.3
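As an added illustration (not part of either post), here is a small Python triage script that scans HijackThis log lines for the indicators visible in the log above: IE start/search pages pointing at a res:// resource inside a DLL, a missing URLSearchHook, an unnamed BHO, RunOnce entries, and IE policy restrictions. The sample lines are copied from the log; the matching rules are my own assumptions about the HijackThis line format, not HijackThis' own logic.

```python
import re

# Constructed sample: a few lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://kavjr.dll/index.html#20635
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kavjr.dll/sp.html#20635
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9B0F7030-AF9E-455A-F0F3-B9E15FD227AE} - C:\WINDOWS\system32\netrh32.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\RunOnce: [apiju32.exe] C:\WINDOWS\apiju32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
"""

# Assumed HijackThis entry shape: "<section> - <body>", e.g. "R0 - HKCU\...".
ENTRY = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")

def triage(log_text):
    """Return (section, reason, line) for each entry matching a hijack indicator."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # process list, headers and blank lines are skipped
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1") and "= res://" in body:
            findings.append((sec, "IE start/search page set to a res:// DLL resource", line))
        elif sec == "R3" and body.endswith("is missing"):
            findings.append((sec, "default URLSearchHook removed", line))
        elif sec == "O2" and body.startswith("BHO: (no name)"):
            findings.append((sec, "browser helper object with no name", line))
        elif sec == "O4" and "RunOnce:" in body:
            findings.append((sec, "RunOnce entry re-executes at next boot", line))
        elif sec == "O6" and body.endswith("present"):
            findings.append((sec, "IE policy restrictions set", line))
    return findings

def hijack_dlls(log_text):
    """Collect the DLL file names that res:// start/search pages point into."""
    dlls = set()
    for sec, _reason, line in triage(log_text):
        if sec not in ("R0", "R1"):
            continue
        m = re.search(r"res://(.*?\.dll)/", line, re.IGNORECASE)
        if m:  # strip any leading path so both res:// forms map to one name
            dlls.add(re.split(r"[\\/]", m.group(1))[-1].lower())
    return dlls

if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}: {line}")
    print("hijack DLLs:", sorted(hijack_dlls(SAMPLE_LOG)))
```

Run against the full log it lists the same DLL that the user's symptoms name, which is the file a responder would want to inspect and remove along with the registry values pointing at it.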

#2 Racktracker (Hunter of Malware, Retired Staff, 1,306 posts)

Posted 11 July 2004 - 03:12 PM

Download About:Buster from here:

http://www.downloads...AboutBuster.zip

Unzip it to your desktop. Double-click it and hit Ok, then Start, then Ok to start the scan. The scan should take a few seconds. Once it is done, save the report. Post the report and a new HijackThis log here.