help with hijackthis log

Posted by: traecastles

Hey, I've run Ad-Aware and Spybot S&D and AVG Anti-Virus, and usually after every start-up they always find something new. Please help me with this log. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 3:58:17 PM, on 4/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\DOCUME~1\JRiley\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.connectchurch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
O1 - Hosts: 81.211.105.49 greatsearch.biz
O1 - Hosts: 81.211.105.49 www.greatsearch.biz
O1 - Hosts: 81.211.105.49 cashsearch.biz
O1 - Hosts: 81.211.105.49 www.cashsearch.biz
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM32\NZDD.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: Dell Home - {91CF7A40-4889-11D4-9113-0001031C84F3} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\..\{08660A51-9F42-43A4-B1D2-1E7CB004C972}: Domain = bddeng.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{08660A51-9F42-43A4-B1D2-1E7CB004C972}: Domain = bddeng.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{08660A51-9F42-43A4-B1D2-1E7CB004C972}: Domain = bddeng.com

Thanks a lot!

Posted by: MicroBell

Please move HijackThis to its own folder on C: (C:\HJT).

Before attacking an adware/spyware problem with HijackThis, make sure you have already run Ad-Aware SE with the VX2 add-on cleaner, Spybot Search & Destroy (with updated database) and CWShredder, as these programs will clean a lot of the crap out first. All links to programs are in my signature. OK... on to the log...

If you have a high-speed connection, please run an online virus scan from TrendMicro (http://housecall.trendmicro.com/housecall/start_corp.asp). Please select the "autoclean" option when prompted to do so.

Download Hoster: http://members.aol.com/toadbee/hoster.zip

Go to My Computer -> Tools -> Folder Options -> View tab and make sure that "Show hidden files and folders" is enabled. Also make sure that the system files and folders are showing/visible.

Turn off System Restore by right-clicking on My Computer and going to Properties -> System Restore; check the box for "Turn off System Restore".

Reboot into Safe Mode (hit the F8 key until the menu shows up). Make sure to close any open browsers.

Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
O1 - Hosts: 81.211.105.49 greatsearch.biz
O1 - Hosts: 81.211.105.49 www.greatsearch.biz
O1 - Hosts: 81.211.105.49 cashsearch.biz
O1 - Hosts: 81.211.105.49 www.cashsearch.biz
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM32\NZDD.DLL
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)

C:\WINDOWS\SYSTEM32\NZDD.DLL <-- delete that file
C:\Program Files\Ebates_MoeMoneyMaker <-- delete that folder

Now run the Hoster program and restore your hosts file.

Once done, reboot into Normal Mode and post a new HijackThis log file to confirm what was removed and if it's clean or not.

Posted by: Warez Monster

Remove entries at your own risk.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    This page could possibly be nasty. If you do not know the entry 'about:blank', delete it.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    Possibly nasty: This page could possibly be nasty. If you do not know the entry 'about:blank', delete it.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    Possibly nasty: This page could possibly be nasty. If you do not know the entry 'about:blank', delete it.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    Possibly nasty: This page could possibly be nasty. If you do not know the entry 'about:blank', delete it.

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    Possibly nasty: This page could possibly be nasty. If you do not know the entry 'about:blank', delete it.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
    Nasty: This entry should be fixed by HijackThis!

R3 - Default URLSearchHook is missing
    Nasty: Should be fixed if you do not know the application or if no application is mentioned. This entry should be fixed.

O1 - Hosts: 81.211.105.49 greatsearch.biz
    Nasty: This entry should be fixed immediately! Must be fixed!

O1 - Hosts: 81.211.105.49 www.greatsearch.biz
    Nasty: This entry should be fixed immediately! Must be fixed!

O1 - Hosts: 81.211.105.49 cashsearch.biz
    Nasty: This entry should be fixed immediately! Must be fixed!

O1 - Hosts: 81.211.105.49 www.cashsearch.biz
    Nasty: This entry should be fixed immediately! Must be fixed!

O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM32\NZDD.DLL
    Must be fixed!

O9 - Extra button: Dell Home - {91CF7A40-4889-11D4-9113-0001031C84F3} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
    Possibly nasty: Unknown buttons or entries in the 'Extras' menu should be fixed. To be fixed if the entry 'Dell Home' is unknown.

O17 - HKLM\System\CCS\Services\Tcpip\..\{08660A51-9F42-43A4-B1D2-1E7CB004C972}: Domain = bddeng.com
    Possibly nasty: If this domain does not belong to your ISP or your firm's network, these entries should be fixed. 'SearchList' entries should be fixed too. Do you know the IP or domain 'bddeng.com'? If not, fix this entry.

O17 - HKLM\System\CS1\Services\Tcpip\..\{08660A51-9F42-43A4-B1D2-1E7CB004C972}: Domain = bddeng.com
    Possibly nasty: If this domain does not belong to your ISP or your firm's network, these entries should be fixed. 'SearchList' entries should be fixed too. Do you know the IP or domain 'bddeng.com'? If not, fix this entry.

O17 - HKLM\System\CS2\Services\Tcpip\..\{08660A51-9F42-43A4-B1D2-1E7CB004C972}: Domain = bddeng.com
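As an added example that is not part of the thread (and not MicroBell's or Warez Monster's tooling), the rules the two replies apply to each HijackThis entry, written as a small Python triage script: about:blank search hijacks, a missing URLSearchHook, hosts-file redirects to a non-loopback IP, BHOs whose CLSID the analyst does not recognise, orphaned extra buttons and O17 DNS domains outside a trusted set. The sample log is a constructed subset of the log posted above, and KNOWN_BHOS and the trusted-domain set are assumptions an analyst would fill in.

```python
"""Triage a HijackThis 1.x log with the rules the thread's replies apply.
Added example, not from the thread; KNOWN_BHOS and trusted_domains are assumptions."""
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample: a subset of the log posted in the thread, plus a benign loopback line.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
O1 - Hosts: 81.211.105.49 greatsearch.biz
O1 - Hosts: 81.211.105.49 cashsearch.biz
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM32\NZDD.DLL
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\..\{08660A51-9F42-43A4-B1D2-1E7CB004C972}: Domain = bddeng.com
"""
# CLSIDs the analyst already recognises (assumption); here only the Acrobat helper from the log.
KNOWN_BHOS = {"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"}
ENTRY = re.compile(r"^(R[0-3]|O\d+) - (.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

def triage(log_text, known_bhos=KNOWN_BHOS, trusted_domains=frozenset()):
    """Return ([(section, reason, line)], {ip: [hostnames redirected to it]})."""
    findings, hosts_by_ip = [], defaultdict(list)
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        sec, body = m.groups()
        value = body.split(" = ", 1)[1].strip().lower() if " = " in body else ""
        clsid = CLSID.search(body)
        if sec in ("R0", "R1") and value in ("about:blank", r"c:\windows\system\blank.htm"):
            findings.append((sec, "search/start page hijacked to a blank page", line))
        elif sec == "R3" and "URLSearchHook is missing" in body:
            findings.append((sec, "default URLSearchHook removed", line))
        elif sec == "O1":  # hosts-file line: "Hosts: <ip> <hostname>"
            ip, host = body.split(":", 1)[1].split()[:2]
            if not ip_address(ip).is_loopback:
                hosts_by_ip[ip].append(host)
                findings.append((sec, f"hosts file sends {host} to {ip}", line))
        elif sec == "O2" and (clsid is None or clsid.group(0) not in known_bhos):
            findings.append((sec, "BHO with unrecognised CLSID", line))
        elif sec == "O9" and "(file missing)" in body:
            findings.append((sec, "extra button pointing at a missing file", line))
        elif sec == "O17" and value not in trusted_domains:
            findings.append((sec, f"DNS domain '{value}' not in trusted set", line))
    return findings, dict(hosts_by_ip)
```

Passing the ISP's or the company's own DNS suffix in trusted_domains clears the O17 lines, which is exactly the "do you know this domain?" question the reply asks.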