Jump to content
Sign in to follow this  
sharingdoodles

[SOLVED]Hijackthis Log Help Plez

Recommended Posts

hello,

1 of my friends r havin probs with there comp :angry:

 

Logfile of HijackThis v1.98.2

Scan saved at 12:09:09, on 06/10/2004

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\Explorer.EXE

C:\Program Files\Windows SyncroAd\SyncroAd.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

C:\Program Files\Messenger\msmsgs.exe

C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe

C:\WINDOWS\Downloaded Program Files\eBayTBar.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\System32\oodag.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\INTERN~1\iexplore.exe

C:\Program Files\Web_Rebates\WebRebates1.exe

C:\Program Files\Web_Rebates\WebRebates0.exe

C:\Program Files\The Cleaner\cleaner.exe

C:\Program Files\The Cleaner\tca.exe

C:\Program Files\The Cleaner\tcm.exe

C:\Program Files\Yahoo!\Messenger\YPager.exe

C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/

R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll

O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com

O2 - BHO: eBay Helper Object - {001F2570-5DF5-11d3-B991-00A0C9BB0874} - C:\WINDOWS\Downloaded Program Files\CONFLICT.2\eBayBand.dll

O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll (file missing)

O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll (file missing)

O3 - Toolbar: eBay Toolbar - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - C:\WINDOWS\Downloaded Program Files\CONFLICT.2\eBayBand.dll

O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe

O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe

O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe

O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\djtopr1150.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe

O4 - Global Startup: eBay Toolbar.LNK = ?

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

O9 - Extra button: eBay Toolbar - {92D7F210-7F20-11d3-8157-0090278B20DE} - C:\WINDOWS\Downloaded Program Files\CONFLICT.2\eBayBand.dll

O9 - Extra 'Tools' menuitem: eBay Toolbar - {92D7F210-7F20-11d3-8157-0090278B20DE} - C:\WINDOWS\Downloaded Program Files\CONFLICT.2\eBayBand.dll

O16 - DPF: {001F2570-5DF5-11D3-B991-00A0C9BB0874} (eBay Helper Object) - http://download.ebay.com/toolbar/uk/eBayTBar.cab

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...a730016fae314e0

O16 - DPF: {20AD521D-3A3E-11D4-BC32-0050040D952B} (SwIcdInstall Class) - file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WZS70.tmp\swicdad.cab

O16 - DPF: {B160422D-0A48-11D4-BD9B-00A0C9B0AB7B} (Download Class) - http://expressit.broderbund.com/plugin/Download.cab

O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1045602.exe

 

can someone please let me know whats safe to delete?

sorry about this!!

 

cheers Doodles

Edited by sharingdoodles

Share this post


Link to post
Share on other sites

Uninstall all of the following that are listed in the "Add/Remove Programs" in the Windows® Control Panel.

 

TV Media

Windows SyncroAd

Web_Rebates

 

Make sure you can view hidden and system files: Instructions here.

 

Boot to safe mode: Instructions here.

 

Then..

 

Then Close all windows and have hijackthis fix the following that are still listed:

R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll

 

O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com

 

O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll (file missing)

O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll (file missing)

 

O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe

O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"

O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\djtopr1150.exe"

O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

 

O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

 

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...a730016fae314e0

O16 - DPF: {20AD521D-3A3E-11D4-BC32-0050040D952B} (SwIcdInstall Class) - file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WZS70.tmp\swicdad.cab

O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1045602.exe

Then while in safe mode delete the following files and folders if they are still there:

 

C:\Program Files\TV Media <-Folder

C:\Program Files\Windows SyncroAd <-Folder

C:\Program Files\Web_Rebates <-Folder

 

The following step is important as you may have several malware files in your temp directory.

 

Then browse to the C:\documents and settings\Your User Name(repeat for all users in documents and savings)\local settings\temp folder and delete all files and folders in it.

Then browse to the C:\Windows (Winnt)\Temp folder and delete all files and folders in it.

Then in internet explore click tools>internet Options>General. Click on Delete Files make sure you get all offline content as well.

 

Then empty the recycle bin.

 

Then reboot to normal mode.

 

Download Ad-aware Second Edition here and install it. If you already have Ad-aware Second Edition skip to the next step.

 

Open adaware and Click the "Check for updates now" line on the main screen. Click the "Connect" button on the webupdate screen.

 

If an update is available download it and install it. Click the "Finish" button to go back to the main screen.

 

Click on the "Settings" button (gear symbol in the upper right corner of the main status screen) in the quick launch toolbar to open the General settings screen. Check the "Automatically quarantine objects prior to removal" setting and then click "Proceed" to save your changes

 

Click the "Scan now" button in the main menu on the left side of the main status screen or use the "Start" button in lower right corner. This will open the Preparing System Scan screen. Please deselect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat. Then select "Use custom scanning options" and click "CUstomize". This will open the "Scan Settings Page. Make sure all of the following are On with a "green" checkmark:

 

Scan within archives

Scan active processes

Scan Registry

Deep-scan Registry

Scan my IE Favorites for banned URLs

Scan my Hosts File

 

Then click on the "Tweak" Button to open up the tweak settings.

 

Open up the Scanning Engine section and make sure all of the following are On with a "green" checkmark:

 

Scan registry for all users instead of current user only

 

Make sure the following is unchecked with a "red" X:

 

Unload recognized processes & modules during scan.

 

Open up the Cleaning Engine section and make sure all of the following are On with a "green" checkmark:

 

Always try to unload modules before deletion

During Removal, unload Explorer and IE if necessary

Let Windows remove files in use at next reboot.

 

Click the "Proceed" button to save settings.

 

Click the "Next" button to start the scan.

 

When a scan is completed the Performing System Scan screen will change name to "Scan Complete".

 

Click the "Next" button to get to the Scanning Results screens where more information about the objects detected during the scan is available.

 

Click the Critical Objects Tab. In general all of the items listed will be bad. Be carefull with the Hosts file entries. Malware uses the hosts file to redirect you websites. However you can use the hosts file as a way to prevent malware. If the object has 127.0.0.1 in it, it should most likely not be deleted as it is protecting against unwanted sites. For more information on how to use a host file to protect yourself read here. So in short, you may or may not want to fix the hosts file entries.

 

To fix all the bad critical objects do the following:

 

Right click on one of them to open up the selection screen. Click the "Select All" button to select all entries. In general all should be selected with the exception of the good hosts file entries.

 

When all are selected Click "Next" and then "OK" in the pop-up window to confirm the removal.

 

Then,

 

Download SPYBOT Search and Destroy here if it is not already installed on your computer

Install the program and then start it. Once the program has started make sure you are in the Spybot-S&D section. Click on the "Search for Updates" button. Download all updates. In some cases the program will restart after an update. When updated, click on the "Check for Problems" button. When the Check is over All problems displayed in red are regarded as real threats and should be dealt with. Make sure they are all selected and click the "Fix selected problems" button.

 

Then Disable system restore: Instructions here.

 

Reboot

 

Enable system restore.

 

Disable Messenger Service per the following instructions.

 

Click Start > Run and type "services.msc" (no quotes) in the Open: line and click OK

In the right pane, scroll down to Messenger.

Double click Messenger and click the General tab.

Under Service Status: click the Stop button.

In the Startup Type: drop down box, select Disable.

Click Apply and OK.

 

Copy the information in the quote box into notepad. Save it to your desktop as type "all files" and name it search.reg.

Double click on the search.reg file and grant it permission to add the registry entries.

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]

@="http://"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes]

"ftp"="ftp://"

"gopher"="gopher://"

"home"="http://"

"mosaic"="http://"

"www"="http://"

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""

 

Post a fresh HijackThis log please.

Share this post


Link to post
Share on other sites

they have done all that! heres new log

 

Logfile of HijackThis v1.98.2

Scan saved at 12:11:30, on 07/10/2004

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\Explorer.EXE

C:\Program Files\The Cleaner\tca.exe

C:\Program Files\The Cleaner\tcm.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

C:\Program Files\Messenger\msmsgs.exe

C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\System32\oodag.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Yahoo!\Messenger\YPager.exe

C:\WINDOWS\system32\mmc.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe

O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O16 - DPF: {B160422D-0A48-11D4-BD9B-00A0C9B0AB7B} (Download Class) - http://expressit.broderbund.com/plugin/Download.cab

 

cheers again for your help

Share this post


Link to post
Share on other sites
Sign in to follow this  

×