Jump to content


Photo

Hi-jacked comp - please help!- log


  • This topic is locked This topic is locked
4 replies to this topic

#1 ~ACH~

~ACH~

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 20 July 2004 - 02:23 AM

:scratchhead:

Hey!!!


I'm a total rookie when comes to this so hopefully you guys are able to help me out. Currently my comp fell victim to "malware/spyware/adware?" which has caused my comp to be:

*extremely slow (on-line & off-line)
*not able to download basically anything
*links just pop-up onto my favorites files
*browser is hi-jacked

My girfriend had threatened to smash the monitor over my head I don't fix our comp...so please help me out if possible...I happen to like my head :D

Anyway, heres my Hijack This log:




C:\WINDOWS\System32\eqnger.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\gditemon.exe
C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
C:\WINDOWS\system32\pctspk.exe
C:\Documents and Settings\Adolfo Chavez\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADOLFO~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: CSIECore Class - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL (file missing)
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
O2 - BHO: (no name) - {05F259E4-4855-4343-9595-63EBD1FAB1F4} - C:\WINDOWS\System32\mmgb.dll
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll
O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\System32\mshelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [M] C:\documents and settings\adolfo chavez\local settings\temp\M.exe
O4 - HKLM\..\Run: [6gsty] C:\documents and settings\adolfo chavez\local settings\temp\6gsty.exe
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
O4 - HKLM\..\Run: [l] C:\documents and settings\adolfo chavez\local settings\temp\l.exe
O4 - HKLM\..\Run: [FdHP] C:\documents and settings\adolfo chavez\local settings\temp\FdHP.exe
O4 - HKLM\..\Run: [3F7f3sj] eqnger.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IoopRiH7S] gditemon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Help - {16942A87-8E14-4D82-869E-D997B1540E49} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {344FFDE9-F61F-4101-9A50-F5F6CDE30B9E} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {B6D8B3BC-D252-4A86-BD45-52D8F84B188F} - http://www.comcast.net (file missing) (HKCU)
O13 - DefaultPrefix: http://%6E%6B%76%64%2E%75%73/
O13 - WWW Prefix: http://%6E%6B%76%64%2E%75%73/
O13 - Home Prefix: http://%6E%6B%76%64%2E%75%73/
O13 - Mosaic Prefix: http://%6E%6B%76%64%2E%75%73/
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,20/mcgdmgr.cab
O18 - Filter: text/html - {04F44BE8-7E6A-4CBD-A20A-AE05F6C98785} - C:\WINDOWS\System32\mmgb.dll
O18 - Filter: text/plain - {04F44BE8-7E6A-4CBD-A20A-AE05F6C98785} - C:\WINDOWS\System32\mmgb.dll






.....thanks a bunch guys....any info would be awesome :unsure:

#2 H@ns

H@ns

    Forum Deity

  • Retired Staff - Helper
  • PipPipPipPipPip
  • 2,630 posts

Posted 20 July 2004 - 02:48 AM

Hi ACH,

Please download and run CWShredder
Use the Fix button and follow the instructions provided by the program.

Then reboot and post a new HijackThis log.

EDIT: please post a COMPLETE HJT log! ;)

Edited by H@ns, 20 July 2004 - 02:49 AM.

Nucia Security Forums - Dutch Anti-Malware Support

#3 ~ACH~

~ACH~

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 20 July 2004 - 11:40 AM

HEY!!!



Okey doke, so heres my HJT log after running CWShredder:



Logfile of HijackThis v1.98.0
Scan saved at 9:23:45 AM, on 7/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\documents and settings\adolfo chavez\local settings\temp\M.exe
C:\documents and settings\adolfo chavez\local settings\temp\6gsty.exe
C:\Program Files\Common Files\Dpi\dpi.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
C:\documents and settings\adolfo chavez\local settings\temp\l.exe
C:\documents and settings\adolfo chavez\local settings\temp\FdHP.exe
C:\WINDOWS\System32\eqnger.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\gditemon.exe
C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
C:\WINDOWS\system32\pctspk.exe
C:\Documents and Settings\Adolfo Chavez\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: CSIECore Class - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL (file missing)
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [M] C:\documents and settings\adolfo chavez\local settings\temp\M.exe
O4 - HKLM\..\Run: [6gsty] C:\documents and settings\adolfo chavez\local settings\temp\6gsty.exe
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
O4 - HKLM\..\Run: [l] C:\documents and settings\adolfo chavez\local settings\temp\l.exe
O4 - HKLM\..\Run: [FdHP] C:\documents and settings\adolfo chavez\local settings\temp\FdHP.exe
O4 - HKLM\..\Run: [3F7f3sj] eqnger.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IoopRiH7S] gditemon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Help - {16942A87-8E14-4D82-869E-D997B1540E49} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {344FFDE9-F61F-4101-9A50-F5F6CDE30B9E} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {B6D8B3BC-D252-4A86-BD45-52D8F84B188F} - http://www.comcast.net (file missing) (HKCU)
O13 - DefaultPrefix: http://%6E%6B%76%64%2E%75%73/
O13 - WWW Prefix: http://%6E%6B%76%64%2E%75%73/
O13 - Home Prefix: http://%6E%6B%76%64%2E%75%73/
O13 - Mosaic Prefix: http://%6E%6B%76%64%2E%75%73/
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,20/mcgdmgr.cab





Haaa haa haa I think I got it right this time....the log should be complete...I would totally apreciate any help what so ever....I'm pretty desperate :oops:

#4 ~ACH~

~ACH~

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 21 July 2004 - 06:12 PM

:eek:

AAAHHH!!! My situation seemed like it worsened...my log is posted right above this post...so if someone would check out and tell me what to delete it would truly awesome....THANKS!!!! :techsupport:

#5 ~ACH~

~ACH~

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 29 July 2004 - 03:00 PM

:grrr: My PC is really aggravating me to the point of tossing it out the window...I truly need help with my log. I would truly appreciate if someone helps me out :D I know I have "bumped" this post a couple of times but I need help!



Thanks,
ACH :lol:




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button