Annoyances.org
re: dual hijacking worms please help
Thursday, October 14, 2004 at 4:01 am
Windows Me Annoyances Discussion Forum
Posted by tyler (3 messages posted)


Hi, thanks for the advice.  I have already done everything you had listed and it 
still didn't work.  Here is a copy of my HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 2:11:14 PM, on 10/13/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
c:\jetsuite\jsdaemon.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\Program Files\Inventel\Gateway\wlancfg.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wfxsnt40.exe
C:\PROGRA~1\WinFax\WFXSWTCH.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\ltmsg.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\BELSTA.EXE
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\Program Files\Belkin Corporation\Belkin Wireless Network Monitor Utility and Driver\RtlWake.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Systran\4_0\Premium\SYSTRA~1.EXE
C:\Program Files\Real\RealOne Player\realplay.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Documents and Settings\Brandon\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.wanadoo.fr
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://my.netzero.net/s/sp?r=al&cf=sp&mem=tylerin&key=8191b541669a7f9ae6f7c6baa9704b95&ts=405922e8&A=0&B=1079251200000&C=1079251200000&D=1077782400000&I=7.NH1&L=g%2322&M=984038400000&N=PLHS&O=A
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_5_5_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: Systran40premi.IEPlugIn - {D3919E1A-D6A5-11D6-AC3E-00B0D094B576} - C:\Program Files\Systran\4_0\Premium\IEPlugIn.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_5_5_0.dll
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [LidPolicy] c:\Program Files\Hewlett-Packard\LidSwitch Policy\pwrschem.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BELSTA.EXE] BELSTA.EXE START
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\RunServices: [Symantec Security Routine Addon for Microsoft Windows] navpxaw32.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O4 - Global Startup: RtlWake.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) - 
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://webmail.wob.ag/iNotes6.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38063.9009837963
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB
O16 - DPF: {A8658086-E6AC-4957-BC8E-8D54A7E8A790} (GDIChk Object) - http://www.microsoft.com/security/controls/GDI/0/GDIChk.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

On Wednesday, October 13, 2004 at 1:40 pm, Carol J wrote:
>
>Make sure you have both Spybot S&D and AW updated. Close all open windows before
>running the scans. If you haven't been helped on another forum, paste your HJT log
>here in a post. Also, please post the exact names of the other tools you used. If
>they're on this list, remove them:
>Rogue/Suspect Anti-Spyware Products & Web Sites
>
>Ad-Aware SE Personal
>Also, download the "Ad-Aware VX2 Cleaner Plug-In".
>Follow these instructions and run a full system scan:
>Reconfigure Ad-Aware for Full Scan
>
>SpyBot Search & Destroy v1.3
>
>Before rebooting into Normal mode, clear out all your temp folders to get rid of
>any junk hiding in there. Go into Internet Options - delete TIF and choose 'delete
>all Offline content'. Settings - set the size of your TIF folder between 5 - 10 MB.
>Choose - View Objects - choose View Details on the toolbar. If any ActiveX Controls
>are marked "unknown" or "damaged", remove them. Remove any you don't recognize or
>no longer need. Empty C:\Windows\temp folder and C:\temp folder, if you have one.
>Note: Some temp files may currently be in use, until the next reboot. Empty Recycle
>bin.
>
>If you still have problems, run HJT and paste the log here in a post:
>Hijack This 1.98.2
>Unzip 'HJT' into its own folder (ex: C:\HJT), because
>it creates backups. Log off and close all open windows. Run the Scan. Most of the
>entries listed are legitimate or required entries. Don't fix anything, until
>you know which items to fix. For a description of the entries:
>Merijn - HJT Tutorial: http://216.180.233.162/~merijn/htlogtutorial.html
>
>After the scan is finished, the Scan button will turn into Save Log. Press that and
>paste the contents here. Note: Before posting the log, check this box: Check this
>box to preserve your spacing, etc....
>
>Recommended to install SpywareBlaster (freeware), to help prevent future malware
>infections. It's for prevention/protection only; it's not a cleaner: Check for and
>download updates after installing it. Enable protection. SpywareGuard can be used,
>in addition, for real time protection. Check for updates frequently:
>JavaCool Software
>
>Consider using an alternative browser as your main browser. FireFox or Opera are
>a couple good choices. IE has too many security issues and is very vulnerable to
>malware infections and hijackings. For other tips and suggestions:
>How you got infected in the first place
>
>Dealing with Unwanted Spyware and Parasites
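Carol's advice is to read the HJT log and work out which entries matter before fixing anything. The log has a fixed line shape per section (the "Running processes" list, then R0/R1/R3 browser settings, O2 BHOs, O3 toolbars, O4 autostarts, O16 downloaded ActiveX controls), so it can be parsed into records and cross-checked mechanically. The script below is an added example, not code from the thread or from HijackThis: it parses a constructed sample log that copies only the line shapes seen above (placeholder CLSIDs, example.com URLs) and flags three structural things a reviewer looks at first, namely entries with no file or URL behind them (like the R3 and O16 lines with `(no file)` or an empty target in the posted log), O4 autostarts given as a bare filename so the log does not show where they live, and O4 autostarts whose executable is not in the running-process list. None of the checks decides whether an entry is legitimate; that still needs the tutorial Carol links.

```python
"""Parse a HijackThis v1.97-style log and run a first-pass structural triage.
Added example, not part of the original post or of HijackThis itself.  The
sample log is constructed and reuses only the line shapes seen in the thread."""
import re
from collections import Counter
from typing import Dict, List

# Constructed sample log (placeholder CLSIDs, example.com URLs).
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Scan saved at 2:11:14 PM, on 10/13/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Example\exampletray.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
R3 - URLSearchHook: (no name) - {00000000-0000-0000-0000-000000000001} - (no file)
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - C:\WINDOWS\example.dll
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\exampletray.exe
O4 - HKLM\..\RunServices: [Example Addon] exaddon32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {00000000-0000-0000-0000-000000000003} (Example Installer) -
O16 - DPF: {00000000-0000-0000-0000-000000000004} (Example Class) - http://www.example.com/ex.cab
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] ?(?P<command>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# First token ending in .exe, optionally quoted; tolerates unquoted paths with spaces.
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.exe)"?(?:\s|$)', re.IGNORECASE)


def parse_log(text: str) -> Dict[str, list]:
    """Split the log into the running-process list and the Rn/On entries."""
    processes: List[str] = []
    entries: List[Dict[str, str]] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process block
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue                      # header lines such as "Platform:"
        code, body = m.group("code"), m.group("body")
        entry = {"code": code, "raw": line, "target": ""}
        if code == "O4":
            m4 = O4_RE.match(body)
            if m4:
                entry.update(key=m4.group("key"), name=m4.group("name"),
                             target=m4.group("command"))
        elif code in ("R3", "O2", "O3", "O16"):
            # "Label: name - {CLSID} - file" or "DPF: {CLSID} (name) - url";
            # the target is whatever follows the last " - " (empty if nothing does).
            entry["target"] = body.rsplit(" - ", 1)[1] if " - " in body else ""
            c = CLSID_RE.search(body)
            entry["clsid"] = c.group(0) if c else ""
        elif code.startswith("R") and " = " in body:
            entry["target"] = body.split(" = ", 1)[1]   # R0/R1: "key,value = setting"
        entries.append(entry)
    return {"processes": processes, "entries": entries}


def command_executable(command: str) -> str:
    """Extract the program path from an O4 command line, dropping its arguments."""
    m = EXE_RE.match(command)
    if m:
        return m.group("exe")
    return command.split()[0] if command.split() else ""


def triage(parsed: Dict[str, list]) -> List[Dict[str, str]]:
    """Flag entries a reviewer should look at first; 'kind' names the reason."""
    running_names = {p.rsplit("\\", 1)[-1].lower() for p in parsed["processes"]}
    findings = []
    for e in parsed["entries"]:
        target = e["target"].strip()
        if e["code"] in ("R3", "O2", "O3", "O16") and (not target or target.lower() == "(no file)"):
            findings.append({"kind": "dangling", "entry": e["raw"],
                             "note": "no file or URL behind this entry"})
        if e["code"] == "O4":
            exe = command_executable(target)
            if exe and "\\" not in exe:
                findings.append({"kind": "unqualified", "entry": e["raw"],
                                 "note": "bare filename; its location is not visible in the log"})
            if exe and exe.rsplit("\\", 1)[-1].lower() not in running_names:
                findings.append({"kind": "not-running", "entry": e["raw"],
                                 "note": "autostart executable absent from the process list"})
    return findings


def summarize(parsed: Dict[str, list]) -> Dict[str, int]:
    """Count entries per HijackThis section code (R0, O2, O4, ...)."""
    return dict(Counter(e["code"] for e in parsed["entries"]))


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print(summarize(parsed))
    for f in triage(parsed):
        print(f"[{f['kind']}] {f['entry']}  <- {f['note']}")
```

Run it against a saved HJT log by reading the file into `parse_log`. A "not-running" finding is informational (an installer-repair or boot-time helper may legitimately have exited), and "unqualified" only says the log cannot show where the file is; both are prompts to look the entry up, not verdicts.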

Written in response to:
re: dual hijacking worms please help (Ms. Eagle: Wednesday, October 13, 2004 at 1:40 pm)