Logfile posted- need help



#1 vwjoe (New Member, 1 posts)

Posted 15 July 2004 - 06:41 PM

Logfile of HijackThis v1.98.0
Scan saved at 7:37:41 PM, on 7/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\SYSTEM\WINDOWS\System32\smss.exe
C:\SYSTEM\WINDOWS\System32\winlogon.exe
C:\SYSTEM\WINDOWS\system32\services.exe
C:\SYSTEM\WINDOWS\system32\lsass.exe
C:\SYSTEM\WINDOWS\system32\svchost.exe
C:\SYSTEM\WINDOWS\System32\svchost.exe
C:\SYSTEM\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\SYSTEM\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\SYSTEM\WINDOWS\System32\tcpsvcs.exe
C:\SYSTEM\WINDOWS\System32\snmp.exe
C:\SYSTEM\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\SYSTEM\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
C:\Program Files\Tweak-XP Pro 3\AdBlocker.exe
C:\Program Files\Messenger\msmsgs.exe
C:\SYSTEM\WINDOWS\System32\dllhost.exe
C:\SYSTEM\WINDOWS\System32\inetsrv\DavCData.exe
C:\SYSTEM\WINDOWS\System32\wuauclt.exe
C:\SYSTEM\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CompuServe\CS3\CS3.EXE
C:\PROGRAM FILES\COMPUSERVE\WBIN\FCSERV32.EXE
C:\Documents and Settings\Joe Langlois\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\JOELAN~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\JOELAN~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\JOELAN~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\JOELAN~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\JOELAN~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\JOELAN~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Joe Langlois\Application Data\Mozilla\Profiles\default\0stv1jzm.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {ECAAB231-C027-4224-A6C6-FBFAAEAEBD2A} - C:\SYSTEM\WINDOWS\System32\engfkjh.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Auto EPSON Stylus C84 Series on JOEYS] C:\SYSTEM\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P37 "Auto EPSON Stylus C84 Series on JOEYS" /O15 "\\JOEYS\Printer" /M "Stylus C84"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [EPSON Stylus C84 Series] C:\SYSTEM\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /M "Stylus C84" /EF "HKCU"
O4 - HKCU\..\Run: [Printer Dad] C:\SYSTEM\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P11 "Printer Dad" /M "Stylus C84" /EF "HKCU"
O4 - HKCU\..\Run: [BlockAds] "C:\Program Files\Tweak-XP Pro 3\AdBlocker.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\SYSTEM\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\SYSTEM\WINDOWS\web\related.htm
O18 - Filter: text/html - {9A4A2039-7CE4-42F5-8121-DE1042076BEA} - C:\SYSTEM\WINDOWS\System32\engfkjh.dll
O18 - Filter: text/plain - {9A4A2039-7CE4-42F5-8121-DE1042076BEA} - C:\SYSTEM\WINDOWS\System32\engfkjh.dll

#2 racooper (Emeritus, "Master of my own Domain", 1,420 posts)

Posted 17 July 2004 - 12:01 AM

vwjoe: Sorry for the delay.

Thank you for coming to SpywareInfo's Forums. We will do our best to help you clean up your PC.

First, you might want to print out this message or copy and paste it into a Notepad document on your desktop for reference while going through the cleanup.

Cleaning Up the System

First, please move HijackThis to its own directory, for example C:\HJT. HijackThis creates backup files when used to fix up a system, and they could be accidentally deleted if stored in the TEMP directory.

Virus Cleaning
From indications in the log, it's possible that you have a virus. Scanning with an updated antivirus package is recommended to be sure. You can either use one of the online scanners such as Panda ActiveScan or Trend Micro's HouseCall, or download the latest version of the Stinger Utility from McAfee.

Removing About:Blank and sp.html
Most of the bad entries in your HijackThis Log point to infection with a variant of CoolWebSearch. It is likely that a hidden DLL file will put back anything we fix on the surface, so the following steps need to be followed to identify and remove the hidden file before anything else can be fixed.
  • Download Registrar Lite (reglite) and Delete Doctor.
  • Install reglite and run the program. Enter the following into the address bar:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
  • Double-click the right-hand entry AppInit_DLLs. Make a note of the last field, labeled Value. If there is a .dll file listed, this is most likely the hidden file you need to get rid of.
  • IMPORTANT: WRITE DOWN the path and name of the .dll file. DO NOT TRY TO DELETE THIS VALUE NOW.
  • Come back here and post the path and name of the .dll file. We'll proceed from here once the file name is known (or if it doesn't exist).
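Added example (editor's note; this is not code from either poster): the triage that racooper applies by eye to vwjoe's log, and the AppInit_DLLs check he asks for, written as a small Python script. It flags the three CoolWebSearch indicators visible in the log above (IE search/start pages redirected to a local file:// page or about:blank, text/html and text/plain MIME filters registered to a DLL, and a nameless BHO that shares its DLL with such a filter), then checks whether an AppInit_DLLs value names a DLL already implicated. The log excerpt is a constructed subset of the posted log with wrapped lines rejoined; the AppInit_DLLs value is hypothetical, since at this point in the thread it has not been reported yet. On the real machine the value would be copied out of reglite as the steps above describe.

```python
"""Triage a HijackThis v1.98 log for CoolWebSearch-style hijack indicators."""
import re
from pathlib import PureWindowsPath

# Constructed excerpt of the log posted in this thread (wrapped lines rejoined).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\JOELAN~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\JOELAN~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {ECAAB231-C027-4224-A6C6-FBFAAEAEBD2A} - C:\SYSTEM\WINDOWS\System32\engfkjh.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O18 - Filter: text/html - {9A4A2039-7CE4-42F5-8121-DE1042076BEA} - C:\SYSTEM\WINDOWS\System32\engfkjh.dll
O18 - Filter: text/plain - {9A4A2039-7CE4-42F5-8121-DE1042076BEA} - C:\SYSTEM\WINDOWS\System32\engfkjh.dll
"""

# Hypothetical AppInit_DLLs value, as it would be copied out of reglite.
# The thread has not established the real value yet; this one is constructed.
SAMPLE_APPINIT = r"C:\SYSTEM\WINDOWS\System32\engfkjh.dll"

# One HijackThis entry: a section code (R0, O2, O18, ...) then " - " then the body.
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
# A Windows path ending in .dll, with no spaces or quotes inside it.
DLL_RE = re.compile(r'([A-Za-z]:\\[^"\s]+?\.dll)', re.IGNORECASE)


def parse_hjt(text):
    """Split a HijackThis log into (kind, body) tuples, skipping the header lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def dll_name(path):
    """Case-folded file name of a Windows path; works on any host OS."""
    return PureWindowsPath(path).name.lower()


def flag_entries(entries):
    """Return [(kind, body, reason)] for entries matching the CWS pattern in this log."""
    # A MIME filter for text/html or text/plain is rare in legitimate software, and is
    # how CWS rewrites pages. Collect the DLLs behind such filters first so that a BHO
    # using the same DLL can be tied to them.
    filter_dlls = set()
    for kind, body in entries:
        if kind == "O18":
            filter_dlls.update(dll_name(p) for p in DLL_RE.findall(body))

    flagged = []
    for kind, body in entries:
        if kind in ("R0", "R1"):
            value = body.split("=", 1)[1].strip() if "=" in body else ""
            if value.lower().startswith("file://") or value.lower() == "about:blank":
                flagged.append((kind, body, "IE search/start page points at a local file"))
        elif kind == "O18":
            flagged.append((kind, body, "text/html or text/plain MIME filter backed by a DLL"))
        elif kind == "O2":
            # Only flag the BHO when its DLL is also a MIME filter; SDHelper.dll is
            # Spybot's legitimate BHO and has no matching O18 entry.
            if any(dll_name(p) in filter_dlls for p in DLL_RE.findall(body)):
                flagged.append((kind, body, "nameless BHO shares its DLL with a MIME filter"))
    return flagged


def parse_appinit(value):
    """Split an AppInit_DLLs value into DLL paths.

    The loader treats commas and spaces as separators, which is why paths here must
    be space-free (8.3 short names); an empty value yields an empty list.
    """
    return [p for p in re.split(r"[,;\s]+", value.strip()) if p]


def correlate(entries, appinit_value):
    """List AppInit_DLLs entries whose file name matches a DLL already flagged in the log."""
    flagged_dlls = {dll_name(p)
                    for _, body, _ in flag_entries(entries)
                    for p in DLL_RE.findall(body)}
    return [p for p in parse_appinit(appinit_value) if dll_name(p) in flagged_dlls]


if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_LOG)
    for kind, body, reason in flag_entries(entries):
        print(f"{kind}: {reason}\n    {body}")
    hits = correlate(entries, SAMPLE_APPINIT)
    print("AppInit_DLLs names a flagged DLL:", hits or "none")
```

Running it against the excerpt flags six entries (three R0/R1 redirections, both O18 filters and the engfkjh.dll BHO) and leaves Spybot's SDHelper.dll alone; with the hypothetical AppInit_DLLs value it reports that the loader-injected DLL is the same one behind the filters, which is exactly the "hidden file puts everything back" situation the post describes. With an empty AppInit_DLLs value the correlation simply returns nothing, which corresponds to the "or if it doesn't exist" branch.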
