
Help a rookie - Please review my HJT file



#1 heavyd


Posted 18 July 2004 - 06:41 AM

OK guys, here is a scanned file from HJT. Please help me with deleting the applicable nasty files giving me all the trouble... Thanks

Logfile of HijackThis v1.98.0
Scan saved at 1:28:46 PM, on 7/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Ascom EyeSpeed USB\vstartx.exe
C:\Program Files\Ascom EyeSpeed USB\gisdnlog.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\mfcdv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Ascom EyeSpeed USB\gsyno.exe
C:\Program Files\iPod\bin\iPodManager.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\SOFT01~1\multi16.exe
C:\WINDOWS\System32\njqwef.exe
C:\WINDOWS\system32\winqm.exe
C:\windows\system32\sncntr.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\FRITZ!\IWatch.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ozjml.dll/sp.html#22776
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ozjml.dll/index.html#22776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ozjml.dll/index.html#22776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ozjml.dll/sp.html#22776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ozjml.dll/sp.html#22776
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ozjml.dll/index.html#22776
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/
R3 - Default URLSearchHook is missing
O2 - BHO: TwaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {306F87C5-2A68-9C39-CFB9-0CD040D569C1} - C:\WINDOWS\system32\apihz.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [GazelDisplay] "C:\Program Files\Ascom EyeSpeed USB\gsyno.exe" -h
O4 - HKLM\..\Run: [iPodManager] C:\Program Files\iPod\bin\iPodManager.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [soapboob] C:\PROGRA~1\SOFT01~1\multi16.exe
O4 - HKLM\..\Run: [mrdgsu] C:\WINDOWS\System32\njqwef.exe
O4 - HKLM\..\Run: [winqm.exe] C:\WINDOWS\system32\winqm.exe
O4 - HKLM\..\Run: [sncntr] c:\windows\system32\sncntr.exe /nocomm
O4 - HKLM\..\RunOnce: [mfcpt32.exe] C:\WINDOWS\system32\mfcpt32.exe
O4 - HKLM\..\RunOnce: [apizp32.exe] C:\WINDOWS\apizp32.exe
O4 - HKLM\..\RunOnce: [mfcdv.exe] C:\WINDOWS\mfcdv.exe
O4 - HKLM\..\RunOnce: [syskt.exe] C:\WINDOWS\syskt.exe
O4 - HKLM\..\RunOnce: [addha32.exe] C:\WINDOWS\addha32.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: ISDNWatch.lnk = C:\Program Files\FRITZ!\IWatch.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe
O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0191ABF4-9421-435E-9FFD-CD827A2A82D8} (SBITAX7Ctrl Class) - http://directplugin.com/tl7000.dll
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolba...006_regular.cab
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://www.spywarenu...erInstaller.exe
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181...s/ccpm_0237.cab
O16 - DPF: {706F3805-27D7-478D-80E5-E25D2BB030B3} (VacPro.internazionale_ver3) - http://www.advnt01.c...ionale_ver3.CAB
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://217.73.66.1/del/loader.cab
O16 - DPF: {DA9A0B1E-9B7B-11D3-B8A4-00C04F79641C} - http://204.177.92.20...deo/NSupd9x.cab
O16 - DPF: {FC87A650-207D-4392-A6A1-82ADBC56FA64} (MultiDist) - http://xbs.mtree.com...MultiDistFC.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A871DB6-48C3-4F42-83F3-7309F3F1BC9E}: NameServer = 194.230.1.200 194.230.1.168

#2 MrCharlie


Posted 18 July 2004 - 07:21 AM

Welcome to the forum.

Please look in your Control Panel's Add/Remove Programs and see if there are any programs you don't recognize or didn't install, like toolbars, searchbars, etc., and uninstall them. If you're not sure, please ask first.

Next:

Please move HJT into its own folder - suggest:
C:\Program Files\HJT\HijackThis.exe

Let's clean up some of the spy/adware first, then we'll work on the hijacker.
With only HJT running, fix these:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

O2 - BHO: TwaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll

O4 - HKLM\..\Run: [sncntr] c:\windows\system32\sncntr.exe /nocomm

O16 - DPF: {0191ABF4-9421-435E-9FFD-CD827A2A82D8} (SBITAX7Ctrl Class) - http://directplugin.com/tl7000.dll

O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolba...006_regular.cab

O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://www.spywarenu...erInstaller.exe

O16 - DPF: {706F3805-27D7-478D-80E5-E25D2BB030B3} (VacPro.internazionale_ver3) - http://www.advnt01.c...ionale_ver3.CAB

O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://217.73.66.1/del/loader.cab

O16 - DPF: {DA9A0B1E-9B7B-11D3-B8A4-00C04F79641C} - http://204.177.92.20...deo/NSupd9x.cab

O16 - DPF: {FC87A650-207D-4392-A6A1-82ADBC56FA64} (MultiDist) - http://xbs.mtree.com...MultiDistFC.CAB

Reboot into SafeMode and delete these files:
HowToShowHiddenFiles - if needed
Use ctrl, alt and delete to bring up your task manager and end task on any of these files if they are listed before you delete them.


c:\windows\system32\sncntr.exe <---file

Reboot

There are several methods to get rid of the hijacker.
I've had the best results using the method at the link below.
Sometimes you may have to run AboutBuster several times to clean out all the files.

http://www.pchell.co...lythebest.shtml <---instructions

To ensure you have the latest version of AboutBuster, here's a direct download from the author's site.

http://malwarebytes....AboutBuster.zip <---direct download AboutBuster

These are the bad entries from this log. The file names may have changed if you rebooted your computer, so please check; they're easy to spot.

C:\WINDOWS\system32\ozjml.dll <---this is the dll that's taking over the computer.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ozjml.dll/sp.html#22776
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ozjml.dll/index.html#22776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ozjml.dll/index.html#22776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ozjml.dll/sp.html#22776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ozjml.dll/sp.html#22776
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ozjml.dll/index.html#22776

O2 - BHO: (no name) - {306F87C5-2A68-9C39-CFB9-0CD040D569C1} - C:\WINDOWS\system32\apihz.dll

O4 - HKLM\..\Run: [soapboob] C:\PROGRA~1\SOFT01~1\multi16.exe
O4 - HKLM\..\Run: [mrdgsu] C:\WINDOWS\System32\njqwef.exe
O4 - HKLM\..\Run: [winqm.exe] C:\WINDOWS\system32\winqm.exe
O4 - HKLM\..\RunOnce: [mfcpt32.exe] C:\WINDOWS\system32\mfcpt32.exe
O4 - HKLM\..\RunOnce: [apizp32.exe] C:\WINDOWS\apizp32.exe
O4 - HKLM\..\RunOnce: [mfcdv.exe] C:\WINDOWS\mfcdv.exe
O4 - HKLM\..\RunOnce: [syskt.exe] C:\WINDOWS\syskt.exe
O4 - HKLM\..\RunOnce: [addha32.exe] C:\WINDOWS\addha32.exe

Here's an easier way to clean up the hosts file:

Download the Hoster from here http://members.aol.c...dbee/hoster.zip. Press "Restore Original Hosts" and press "OK". Exit Program.

Reboot and post a fresh HJT log and let's see how we did. MrC

from - TomCoyote forum

anyone can buy a new one, but not everyone can fix the old one

Major & Lindsay
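As an added example that is not part of either post, here is a small Python triage script over lines in the HijackThis log format shown above. It flags the three patterns MrCharlie's reply singles out: IE start/search pages redirected into a local DLL through a res:// URL, O4 RunOnce autostarts, and O16 ActiveX downloads; the bare-IP rule for O16 is my own heuristic, not something the reply states, and the sample lines are copied from the posted log.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in HijackThis log format: lines copied from the log posted
# above. The helper's reply marked all of them bad except the Dell and ccApp lines.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ozjml.dll/sp.html#22776
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ozjml.dll/index.html#22776
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunOnce: [mfcpt32.exe] C:\WINDOWS\system32\mfcpt32.exe
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://217.73.66.1/del/loader.cab
O16 - DPF: {0191ABF4-9421-435E-9FFD-CD827A2A82D8} (SBITAX7Ctrl Class) - http://directplugin.com/tl7000.dll
""".strip("\n")

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
RES_DLL_RE = re.compile(r"res://(?:[^/]*\\)?([^/\\]+\.dll)", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def flag_entry(line):
    """Return the reasons one HJT line deserves a look ([] if none apply)."""
    m = ENTRY_RE.match(line)
    if not m:
        return []
    kind, body = m.group("kind"), m.group("body")
    reasons = []
    if kind in ("R0", "R1") and (dll := RES_DLL_RE.search(body)):
        # Start/search page served out of a local DLL resource: the hijack
        # the helper points at (ozjml.dll in this log).
        reasons.append(f"IE page redirected into local DLL {dll.group(1)}")
    if kind == "O4" and "RunOnce:" in body:
        # Every RunOnce autostart in the posted log was on the helper's bad list.
        reasons.append("RunOnce autostart")
    if kind == "O16":
        host = urlsplit(body.rsplit(" - ", 1)[-1]).hostname or ""
        if IPV4_RE.match(host):
            # Heuristic: ActiveX download served from a bare IP, not a vendor hostname.
            reasons.append(f"ActiveX (DPF) fetched from bare IP {host}")
    return reasons

def triage(log_text):
    """Map flagged lines to their reasons and collect the hijacking DLL names."""
    flagged, dlls = {}, set()
    for line in log_text.splitlines():
        if reasons := flag_entry(line):
            flagged[line] = reasons
            if dll := RES_DLL_RE.search(line):
                dlls.add(dll.group(1).lower())
    return flagged, dlls
```

Running `triage(SAMPLE_LOG)` returns four flagged lines and the single DLL name `ozjml.dll`, the file the reply says must go; the legitimate Dell start page, the ccApp autostart and the hostname-based O16 entry pass through unflagged.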



