Jump to content


Photo

res:// Hijack


  • Please log in to reply
4 replies to this topic

#1 ffelfurt

ffelfurt

    Member

  • New Member
  • Pip
  • 3 posts

Posted 24 July 2004 - 12:43 PM

Heya.
I've tried using Ad-Aware, Spybot, Spysweeper, online virus scanners, hsremove, csshredder, aboutbuster & editing the registry manually (all in safemode of course).
Still no such luck with it, having to use firefox to be able to browse at all.

Here's the log from hijack hope you can help!, loads of thanks in advance!
Have a good evening.

Logfile of HijackThis v1.98.0
Scan saved at 18:34:19, on 24/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\DRIVERS\WtSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\appys.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\system32\apina32.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mnrgf.dll/sp.html#37794
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mnrgf.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mnrgf.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\mnrgf.dll/sp.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mnrgf.dll/sp.html#37794
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mnrgf.dll/index.html#37794
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {AEBCE367-E844-B4BE-D8C1-9CBC2371EAB7} - C:\WINDOWS\sysnx.dll
O4 - HKLM\..\Run: [appys.exe] C:\WINDOWS\appys.exe
O4 - HKLM\..\RunOnce: [appbj.exe] C:\WINDOWS\appbj.exe
O4 - HKLM\..\RunOnce: [apina32.exe] C:\WINDOWS\system32\apina32.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D977DCF-6217-404A-A151-A591A2C244AA}: NameServer = 195.92.195.94,195.92.195.95

#2 RubbeR DuckY

RubbeR DuckY

    Marcin

  • Developer
  • PipPipPipPipPip
  • 878 posts

Posted 24 July 2004 - 01:00 PM

I updated About:Buster

Please download About:Buster Version 1.31 and unzip it to your desktop. Start it, hit Ok, Start, And Ok again to start the scan. It will generate a log. Post that log along with a new Hijack this log here.


Ducky

If this doesnt work, boot into safe mode and try. How to boot into safe mode?

Edited by RubbeR DuckY, 24 July 2004 - 01:05 PM.

Marcin Kleczynski
Chief Executive Officer
Malwarebytes Corporation

Follow me on Twitter or check out my Blog!

#3 ffelfurt

ffelfurt

    Member

  • New Member
  • Pip
  • 3 posts

Posted 24 July 2004 - 01:14 PM

Hijack this log:

Logfile of HijackThis v1.98.0
Scan saved at 17:02:06, on 25/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mnrgf.dll/sp.html#37794
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mnrgf.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mnrgf.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\mnrgf.dll/sp.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mnrgf.dll/sp.html#37794
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mnrgf.dll/index.html#37794
R3 - Default URLSearchHook is missing
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D977DCF-6217-404A-A151-A591A2C244AA}: NameServer = 195.92.195.94,195.92.195.95


About:Buster Log:

-- Scan 1 --------
About:Buster Version 1.31
Removed! : C:\WINDOWS\kchkt.dat
Removed! : C:\WINDOWS\kflqzr.dat
Removed! : C:\WINDOWS\mfcum.exe
Removed! : C:\WINDOWS\mnrgf.dll
Removed! : C:\WINDOWS\System32\ksuqi.dat
Removed! : C:\WINDOWS\System32\lvmmd.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!


Don't want to open explorer until your say-so incase
stuff loads back on, cheers!

Edited by ffelfurt, 25 July 2004 - 11:19 AM.


#4 ffelfurt

ffelfurt

    Member

  • New Member
  • Pip
  • 3 posts

Posted 25 July 2004 - 11:20 AM

-Bump-

#5 mmxx66

mmxx66

    The SWI drummer

  • Retired Staff
  • PipPipPipPipPip
  • 4,412 posts

Posted 04 September 2004 - 05:40 PM

Sorry for the delay, if you still have problems post a fresh log please




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button