Hijack this log

#1 sangria

Posted 17 July 2004 - 03:35 PM

HELP! Spyware has invaded my PC yet again. I appreciate any help in advance. Thanks.
-------------------------

Logfile of HijackThis v1.97.7
Scan saved at 4:28:53 PM, on 7/17/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\rundll32.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\System32\CTSvcCDA.EXE
E:\WINDOWS\System32\nvsvc32.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\MsPMSPSv.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\WINDOWS\System32\msrexe.exe
E:\WINDOWS\wt\updater\wcmdmgr.exe
E:\windows\temp\rW.exe
E:\Program Files\Common Files\Real\Update_OB\realevent.exe
E:\Program Files\Common Files\slmss\slmss.exe
C:\May17_loader.exe
E:\WINDOWS\System32\IEHost.exe
E:\Program Files\Common Files\Dpi\dpi.exe
E:\Program Files\Messenger\msmsgs.exe
E:\WINDOWS\System32\RUNDLL32.exe
E:\Program Files\Internet Optimizer\optimize.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\WINDOWS\System32\eksuiz.exe
E:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://E:\WINDOWS\System32\SearchBar.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{965A592F-8EFA-4250-8630-7960230792F1} - (no file)
O1 - Hosts: auto.search.msn.com
O1 - Hosts: search.netscape.com
O1 - Hosts: ieautosearch
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000221} - E:\Program Files\ClearSearch\CSIE.DLL (file missing)
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - E:\WINDOWS\nem219.dll (file missing)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - E:\WINDOWS\mxTarget.dll
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - E:\WINDOWS\bxxs5.dll
O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - E:\WINDOWS\System32\SWin32.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - E:\Program Files\SEP\sep.dll
O2 - BHO: (no name) - {CBD0AE82-164C-6D51-07BE-7FFB5D1FDF2A} - E:\WINDOWS\System32\drmveclt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - E:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [System Service] E:\WINDOWS\System32\msrexe.exe
O4 - HKLM\..\Run: [Regsvc] E:\WINDOWS\system\regsv.exe
O4 - HKLM\..\Run: [wcmdmgr] E:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [rW] E:\windows\temp\rW.exe
O4 - HKLM\..\Run: [Adstartup] E:\WINDOWS\System32\automove.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE E:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\May17_loader.exe" /HideUninstall /PC="AM.NICT" /ShowLegalNote
O4 - HKLM\..\Run: [Bakra] E:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [Dsi] E:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [WhenUSearch] E:\Program Files\WhenUSearch\Search.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Pcsv] E:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [Dpi] E:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [qmyddwdgkfr] E:\WINDOWS\System32\eksuiz.exe
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [\IEService.exe] E:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: Yahoo! Graffiti - http://download.game...ts/y/grt5_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.s...og/y/ks12_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.game...ts/y/sdt1_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.game...nts/y/wt0_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7906.6803009259
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab

#2 Slice18

Posted 17 July 2004 - 05:21 PM

Just wondering, before we get into the complicated stuff: did you try Ad-Aware yet?

#3 sangria

Posted 17 July 2004 - 07:16 PM

Yes, I've tried Ad-Aware as well as Spybot.
It's getting worse by the minute: popups galore. Earlier I couldn't even open up IE.

#4 sangria

Posted 18 July 2004 - 07:57 AM

Please, can someone help me???
I am desperate here.

#5 dave38

Posted 18 July 2004 - 06:00 PM

Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://E:\WINDOWS\System32\SearchBar.htm

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{965A592F-8EFA-4250-8630-7960230792F1} - (no file)
O1 - Hosts: auto.search.msn.com
O1 - Hosts: search.netscape.com
O1 - Hosts: ieautosearch
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000221} - E:\Program Files\ClearSearch\CSIE.DLL (file missing)
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - E:\WINDOWS\nem219.dll (file missing)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - E:\WINDOWS\mxTarget.dll
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - E:\WINDOWS\bxxs5.dll
O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - E:\WINDOWS\System32\SWin32.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - E:\Program Files\SEP\sep.dll
O2 - BHO: (no name) - {CBD0AE82-164C-6D51-07BE-7FFB5D1FDF2A} - E:\WINDOWS\System32\drmveclt.dll

O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - E:\Program Files\SEP\sep.dll

O4 - HKLM\..\Run: [System Service] E:\WINDOWS\System32\msrexe.exe
O4 - HKLM\..\Run: [Regsvc] E:\WINDOWS\system\regsv.exe
O4 - HKLM\..\Run: [wcmdmgr] E:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [rW] E:\windows\temp\rW.exe
O4 - HKLM\..\Run: [Adstartup] E:\WINDOWS\System32\automove.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE E:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\May17_loader.exe" /HideUninstall /PC="AM.NICT" /ShowLegalNote
O4 - HKLM\..\Run: [Bakra] E:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [Dsi] E:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [WhenUSearch] E:\Program Files\WhenUSearch\Search.exe
O4 - HKLM\..\Run: [Pcsv] E:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [Dpi] E:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [qmyddwdgkfr] E:\WINDOWS\System32\eksuiz.exe
O4 - HKCU\..\Run: [\IEService.exe] E:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe

Reboot and delete

files
All files in the E:\windows\temp folder
E:\WINDOWS\System32\msrexe.exe
E:\WINDOWS\system\regsv.exe
c:\installer
E:\WINDOWS\System32\automove.exe
E:\WINDOWS\bxxs5.dll
C:\May17_loader.exe
E:\WINDOWS\System32\IEHost.exe
E:\WINDOWS\System32\dp-him.exe
E:\WINDOWS\System32\eksuiz.exe
E:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe

folders
E:\WINDOWS\wt
E:\Program Files\WhenUSearch
E:\WINDOWS\system32\pcs
E:\Program Files\Common Files\Dpi

These may be hidden files. See HERE for how to show hidden files.

Please post a followup Hijack this log, and say if your problems persist.

#6 sangria

Posted 19 July 2004 - 01:08 PM

Thank you so very much for your help! I really hope things will get back to normal now. Here is my new HijackThis log, after following your instructions and running Ad-Aware once.

Logfile of HijackThis v1.97.7
Scan saved at 2:06:49 PM, on 7/19/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\rundll32.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\System32\CTSvcCDA.EXE
E:\WINDOWS\System32\nvsvc32.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\MsPMSPSv.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Internet Explorer\iexplore.exe
E:\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - E:\Program Files\TV Media\TvmBho.dll
O1 - Hosts: auto.search.msn.com
O1 - Hosts: search.netscape.com
O1 - Hosts: ieautosearch
O2 - BHO: (no name) - {CBD0AE82-164C-6D51-07BE-7FFB5D1FDF2A} - E:\WINDOWS\System32\drmveclt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunOnce: [TV Media] E:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] E:\Program Files\TV Media\Tvm.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: Yahoo! Graffiti - http://download.game...ts/y/grt5_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.s...og/y/ks12_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.game...ts/y/sdt1_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.game...nts/y/wt0_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7906.6803009259
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
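
An added example, not code from the thread and not part of HijackThis itself: a small Python script that parses a "before" and "after" HijackThis v1.x log and reports which entries the fix removed, which flagged entries survived it, and which entries are new. The two log excerpts embedded in the script are trimmed copies of the logs posted above; the "looks suspicious" rules are this example's own assumptions, written to mirror the kinds of entries dave38 asked to have fixed, and are hints for a human reviewer rather than a verdict.

```python
"""Diff a 'before' and 'after' HijackThis v1.x log.

Added example, not HijackThis code and not from the forum thread. The two
excerpts below are trimmed copies of the logs posted in the thread; the
looks_suspicious() rules are this example's own assumptions.
"""
import re

# "R1 - ...", "O4 - ...": a section code, " - ", then the entry body.
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
# Lines in the 'Running processes:' block are bare executable paths.
PROCESS_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.IGNORECASE)

# Locations that legitimately installed software almost never autostarts from
# (both appear in the first log: E:\windows\temp\rW.exe, c:\installer\id53.exe).
SUSPICIOUS_DIRS = ("\\windows\\temp\\", ":\\installer\\")


def parse_log(text):
    """Return (processes, entries): the process list and the set of R/O lines."""
    processes, entries, in_procs = [], set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_procs = True
        elif ENTRY_RE.match(line):
            in_procs = False          # the first R/O entry ends the process block
            entries.add(line)
        elif in_procs and PROCESS_RE.match(line):
            processes.append(line)
    return processes, entries


def looks_suspicious(entry):
    """Assumed heuristics for the entry shapes the helper asked to have fixed."""
    code, _, body = entry.partition(" - ")
    low = body.lower()
    if code == "O1":                                   # hosts-file redirect of a search site
        return True
    if code == "R1" and "file://" in low:              # search bar pointed at a local HTML file
        return True
    if code == "R3" and "(no file)" in low:            # dangling URLSearchHook
        return True
    if code == "O2" and "(no name)" in low:            # BHO registered without a name
        return True
    if code == "O4" and any(d in low for d in SUSPICIOUS_DIRS):
        return True                                    # autorun from a temp/installer dir
    return False


def diff_logs(before_text, after_text):
    """Compare two logs; every value is a sorted list of raw log lines."""
    procs_b, ents_b = parse_log(before_text)
    procs_a, ents_a = parse_log(after_text)
    flagged = {e for e in ents_b if looks_suspicious(e)}
    return {
        "removed": sorted(ents_b - ents_a),        # gone after the fix
        "persisting": sorted(flagged & ents_a),    # flagged, but still present
        "new": sorted(ents_a - ents_b),            # appeared between the two scans
        "gone_procs": sorted(set(procs_b) - set(procs_a)),
    }


# Trimmed copies of the two logs posted in the thread (constructed sample input).
BEFORE = r"""Logfile of HijackThis v1.97.7
Scan saved at 4:28:53 PM, on 7/17/2004

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\Explorer.EXE
E:\windows\temp\rW.exe
C:\May17_loader.exe
E:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://E:\WINDOWS\System32\SearchBar.htm
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: auto.search.msn.com
O2 - BHO: (no name) - {CBD0AE82-164C-6D51-07BE-7FFB5D1FDF2A} - E:\WINDOWS\System32\drmveclt.dll
O4 - HKLM\..\Run: [rW] E:\windows\temp\rW.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
"""

AFTER = r"""Logfile of HijackThis v1.97.7
Scan saved at 2:06:49 PM, on 7/19/2004

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\Explorer.EXE
E:\HijackThis.exe

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - E:\Program Files\TV Media\TvmBho.dll
O1 - Hosts: auto.search.msn.com
O2 - BHO: (no name) - {CBD0AE82-164C-6D51-07BE-7FFB5D1FDF2A} - E:\WINDOWS\System32\drmveclt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunOnce: [TV Media] E:\Program Files\TV Media\Tvm.exe
"""

if __name__ == "__main__":
    for key, items in diff_logs(BEFORE, AFTER).items():
        print(f"{key} ({len(items)}):")
        for item in items:
            print("   ", item)
```

Run against the two excerpts, the script lists the temp-directory and installer-directory autoruns, the local-file search bar and the dangling URLSearchHook under "removed", the hosts-file redirect and the unnamed drmveclt.dll BHO under "persisting", and the two TV Media entries under "new". That is the same three-way split a helper reads out of a follow-up log by hand: what the fix took care of, what it did not, and what arrived in between. The heuristics are deliberately narrow and only recognise the shapes visible in this thread; anything they do not flag still needs a human look, and a hit is a reason to inspect the entry, not proof that it is malicious.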



