Hijack this...

Hi there,

After visiting a couple of software crack sites yesterday I noticed a program started to appear on my taskbar named "~close~" (screen shot attached). I've already run AdAware, Spybot and read through the HijackThis tutorial. Below is my HijackThis log, thanks in advance for your help!

Logfile of HijackThis v1.97.7
Scan saved at 11:58:11 AM, on 6/16/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\WINNT\system32\mrlugh.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\ICQ\ICQ.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\msagent\AgentSvr.exe
C:\Program Files\ePrompter\ePrompter.exe
C:\Program Files\Microsoft Office\Office\POWERPNT.EXE
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\PROGRA~1\TECHSM~1\SNAGIT~2\SnagIt32.exe
C:\PROGRA~1\TECHSM~1\SNAGIT~2\TSCHelp.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\\winampa.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [bxwbjg] C:\WINNT\system32\mrlugh.exe
O4 - HKLM\..\Run: [alchem] C:\WINNT\alchem.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [ICQ] C:\Program Files\ICQ\ICQ.exe -trayboot
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {03A13D5D-2C8E-4C1A-970D-D6D07A4FE3D0} (FileMgr Class) - https://atlas.atlasdmt.com/bin/AtlasCtrl.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {6B401179-541E-4BF3-800F-10C39B529DB9} - http://ftp.gurunet.com/pub/GuruNetFreeSetup.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.atlasdmt.com/update/msxml4.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...886.2696990741
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/co...20/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dacgroup.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dacgroup.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dacgroup.com
Re: Hijack this...help please

First of all we have to remove Newdotnet, either from add/remove programs, or by going here & scrolling down to the uninstall tool.

Unzip HJT into its own permanent folder before doing anything in order for it to create backups. (Not a temporary folder or directly on the desktop & not directly on your hard drive).

Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

O4 - HKLM\..\Run: [bxwbjg] C:\WINNT\system32\mrlugh.exe
O4 - HKLM\..\Run: [alchem] C:\WINNT\alchem.exe

Reboot into safe mode following the instructions here & navigate to & delete the following if found:

C:\WINNT\system32\mrlugh.exe < file
C:\WINNT\alchem.exe < file

Reboot normally.

The O17 entries take me to a yellow pages site. Seems a bit suss to me. If this is from your ISP or company network then leave them, otherwise fix them with HJT.
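As an added illustration (not part of the thread, and not HijackThis code), the triage logic behind the reply above written out in Python: O4 Run entries whose executable sits as a bare file in the Windows root or system32 under an unrecognised key name, the New.Net O10 Winsock hijack, and O17 domain entries flagged for confirmation rather than removal. The sample lines are copied from the poster's log; the key-name allowlist and the Windows-directory heuristic are assumptions made for this example.

```python
import re

# Constructed sample: six lines in the HijackThis v1.97 format, copied from the
# thread's log, so the heuristics can be run without touching a live machine.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [bxwbjg] C:\WINNT\system32\mrlugh.exe
O4 - HKLM\..\Run: [alchem] C:\WINNT\alchem.exe
O10 - Hijacked Internet access by New.Net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dacgroup.com
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - (?P<key>\S+): Domain = (?P<domain>\S+)$")
# Assumed heuristic: a file dropped straight into the Windows root or system32
# (not a vendor subfolder) is the pattern both O4 entries the reply fixes share.
WINDIR_RE = re.compile(r"^[a-z]:\\(winnt|windows)\\(system32\\)?[^\\]+\.exe$", re.I)
# Constructed allowlist: Run-key names this log shows legitimately living there.
KNOWN_WINDIR_RUN = {"SoundMan", "Synchronization Manager"}


def run_exe(cmd):
    """Pull the executable path out of a Run value, dropping quotes and arguments."""
    m = re.match(r'"?(.+?\.exe)', cmd, re.I)
    return m.group(1) if m else None


def triage(log_text):
    """Return (section, detail) pairs a helper would ask the poster to act on."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m4 = O4_RE.match(line)
        m17 = O17_RE.match(line)
        if m4:
            exe = run_exe(m4["cmd"])
            if exe and WINDIR_RE.match(exe) and m4["name"] not in KNOWN_WINDIR_RUN:
                findings.append(("O4", f"{m4['name']} -> {exe}"))
        elif line.startswith("O10 - Hijacked Internet access by "):
            # Winsock LSP hijack; the vendor uninstall runs before any O4 fix.
            findings.append(("O10", line.rsplit(" by ", 1)[1]))
        elif m17:
            # Not malicious by itself; confirm with the ISP or company network.
            findings.append(("O17", m17["domain"]))
    return findings


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```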
Re: Hijack this...help please

Thanks for the instructions. I rescanned and fixed the O4 entries, however when I was in the process of rebooting I could not get in using my usual login password in safe mode, so I was not able to delete the two files (mrlugh.exe and alchem.exe). This is actually my computer at work so I'm wary about locking myself out and having IT come over :rolleyes:. The two files are still there and I'm guessing I cannot delete them in normal mode (I tried and received a sharing violation error message). Should I attempt to login in safe mode again or is there another way to delete the 2 files? I have no idea why it wasn't accepting my password...
Re: Hijack this...help please

Download MoveOnBoot from here.
Re: Hijack this...help please

Thanks, I ran MoveOnBoot and deleted the two files, also ran Ad-aware and Spybot but it seems the problem is still there... below is my latest HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 12:59:49 PM, on 6/21/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\DIGStream\digstream.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\ICQ\ICQ.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\msagent\AgentSvr.exe
C:\Program Files\ePrompter\ePrompter.exe
C:\Program Files\Microsoft Office\Office\POWERPNT.EXE
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Documents and Settings\ccui\My Documents\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\\winampa.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [ICQ] C:\Program Files\ICQ\ICQ.exe -trayboot
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {03A13D5D-2C8E-4C1A-970D-D6D07A4FE3D0} (FileMgr Class) - https://atlas.atlasdmt.com/bin/AtlasCtrl.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {6B401179-541E-4BF3-800F-10C39B529DB9} - http://ftp.gurunet.com/pub/GuruNetFreeSetup.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.atlasdmt.com/update/msxml4.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...886.2696990741
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/co...20/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dacgroup.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dacgroup.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dacgroup.com
Re: Hijack this...

Try clearing out the temp internet files, delete your cookies & check the favourites folder for unwanted sites.
Re: Hijack this...

:D Thanks for all your help!!!
©2003 - 2008 DaniWeb® LLC