Jump to content


Photo

hijackthis log


  • Please log in to reply
3 replies to this topic

#1 buster777

buster777

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 27 May 2004 - 08:55 PM

Can someone help me with the below hijack log file?

--------------------------------------------------------------------

Logfile of HijackThis v1.97.7
Scan saved at 6:46:41 PM, on 5/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\PROGRA~1\CHINCL~1\Barb grim play.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Internet Explorer\IEengine.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Rick\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://prosearching.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://prosearching.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://prosearching.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://prosearching.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://prosearching.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://prosearching.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://any-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ATOM ARMY - {F0A969C1-68FB-DBE3-AB43-D2CCDAEE6C73} - C:\PROGRA~1\HIDEAD~1\ownsrule.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [64GREY] C:\PROGRA~1\CHINCL~1\Barb grim play.exe
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\bin\4.4.5.0\WeatherOnTray.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [win32.exe] C:\WINDOWS\win32.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [IEengine] C:\Program Files\Internet Explorer\IEengine.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Organize Quick and Easy.lnk = C:\Program Files\Organize Quick and Easy\QNE.exe
O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

#2 rand1038

rand1038

    Advanced Member

  • Retired Staff
  • PipPipPip
  • 105 posts

Posted 27 May 2004 - 09:26 PM

Ok, from chat I know that you have already uninstalled wintools. Perform the following in order

Move HijackThis inside a folder so its backup icons don't clutter your desktop and show hidden files/folders.

Download CWShredder.
Unzip it, run it using the fix button and follow the prompts.

Next run HijackThis.

Place a check mark in HijackThis next to each of the following.
Close all browser windows and shut down all other programs with a placeholder in the taskbar.
Click "fix checked." Some of them may be gone since running CWShredder.


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://prosearching.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://prosearching.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://prosearching.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://prosearching.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://prosearching.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://prosearching.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://any-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - Default URLSearchHook is missing
O3 - Toolbar: ATOM ARMY - {F0A969C1-68FB-DBE3-AB43-D2CCDAEE6C73} - C:\PROGRA~1\HIDEAD~1\ownsrule.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [64GREY] C:\PROGRA~1\CHINCL~1\Barb grim play.exe
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\bin\4.4.5.0\WeatherOnTray.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [win32.exe] C:\WINDOWS\win32.exe
O4 - HKCU\..\Run: [IEengine] C:\Program Files\Internet Explorer\IEengine.exe


Reboot (this is very important)

Delete the following (unless you kept the associated program)
Folders
C:\PROGRA~1\CHINCL~1 <<The folder name will start with chincl
C:\Program Files\Hotbar
C:\Program Files\Common files\WinTools

Files
C:\WINDOWS\win32.exe
C:\Program Files\Internet Explorer\IEengine.exe

Post a fresh log to this thread.

Edited by rand1038, 27 May 2004 - 09:31 PM.


#3 buster777

buster777

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 27 May 2004 - 09:54 PM

Here is the new log

--------------------------------------

Logfile of HijackThis v1.97.7
Scan saved at 7:47:51 PM, on 5/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Rick\Desktop\backup\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://prosearching....p://about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://any-find.com/index.htm
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Organize Quick and Easy.lnk = C:\Program Files\Organize Quick and Easy\QNE.exe
O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

#4 rand1038

rand1038

    Advanced Member

  • Retired Staff
  • PipPipPip
  • 105 posts

Posted 27 May 2004 - 10:24 PM

buster777 deleted the R0 and R1 lines with HijackThis, rebooted and they did not reoccur at this time.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button