 |  |  |  |  |  |  |  |
HiJackThis logfile-plz help
 |
My homepage keeps getting reset to http://213.159.117.134/index.php
Plz help
Here is HiJackThis logfile:
Logfile of HijackThis v1.98.2
Scan saved at 7:22:40 PM, on 8/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\addmp32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\Dit.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\ieyn32.exe
C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
C:\WINDOWS\DitExp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Main\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R3 - Default URLSearchHook is missing
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Main\Application Data\Mozilla\Profiles\default\8ndtfdd2.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {710CE7D8-7CDF-35F3-6A22-9AEB843DD571} - C:\WINDOWS\system32\ieyn32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [ieyn32.exe] C:\WINDOWS\system32\ieyn32.exe
O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [addmp32.exe] C:\WINDOWS\addmp32.exe
O4 - HKLM\..\RunOnce: [wintq.exe] C:\WINDOWS\wintq.exe
O4 - HKLM\..\RunOnce: [appdz32.exe] C:\WINDOWS\appdz32.exe
O4 - HKLM\..\RunOnce: [iegx32.exe] C:\WINDOWS\system32\iegx32.exe
O4 - HKLM\..\RunOnce: [javanb.exe] C:\WINDOWS\system32\javanb.exe
O4 - HKLM\..\RunOnce: [sdkzj.exe] C:\WINDOWS\sdkzj.exe
O4 - HKLM\..\RunOnce: [msdl.exe] C:\WINDOWS\system32\msdl.exe
O4 - HKLM\..\RunOnce: [netuh32.exe] C:\WINDOWS\system32\netuh32.exe
O4 - HKLM\..\RunOnce: [syshe.exe] C:\WINDOWS\system32\syshe.exe
O4 - HKLM\..\RunOnce: [ieie.exe] C:\WINDOWS\system32\ieie.exe
O4 - HKLM\..\RunOnce: [winhb.exe] C:\WINDOWS\winhb.exe
O4 - HKLM\..\RunOnce: [d3tv.exe] C:\WINDOWS\system32\d3tv.exe
O4 - HKLM\..\RunOnce: [msih32.exe] C:\WINDOWS\msih32.exe
O4 - HKLM\..\RunOnce: [apprc32.exe] C:\WINDOWS\apprc32.exe
O4 - HKLM\..\RunOnce: [apidq32.exe] C:\WINDOWS\system32\apidq32.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\Msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\Msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.skoobidoo.com
O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud7.sports.sc5.yahoo.com/jav...gcst1016_x.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_42.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {88D8E8B7-A33B-4417-A385-8373484D43ED} (InstallHelper Class) - file://C:\DOCUME~1\Main\LOCALS~1\Temp\ThereInstallHelper.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O21 - SSODL: System - {74E23EEC-8A62-48E7-9A34-66798A60166D} - C:\WINDOWS\system32\system32.dll
Thanks.
Plz help
Here is HiJackThis logfile:
Logfile of HijackThis v1.98.2
Scan saved at 7:22:40 PM, on 8/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\addmp32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\Dit.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\ieyn32.exe
C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
C:\WINDOWS\DitExp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Main\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R3 - Default URLSearchHook is missing
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Main\Application Data\Mozilla\Profiles\default\8ndtfdd2.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {710CE7D8-7CDF-35F3-6A22-9AEB843DD571} - C:\WINDOWS\system32\ieyn32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [ieyn32.exe] C:\WINDOWS\system32\ieyn32.exe
O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [addmp32.exe] C:\WINDOWS\addmp32.exe
O4 - HKLM\..\RunOnce: [wintq.exe] C:\WINDOWS\wintq.exe
O4 - HKLM\..\RunOnce: [appdz32.exe] C:\WINDOWS\appdz32.exe
O4 - HKLM\..\RunOnce: [iegx32.exe] C:\WINDOWS\system32\iegx32.exe
O4 - HKLM\..\RunOnce: [javanb.exe] C:\WINDOWS\system32\javanb.exe
O4 - HKLM\..\RunOnce: [sdkzj.exe] C:\WINDOWS\sdkzj.exe
O4 - HKLM\..\RunOnce: [msdl.exe] C:\WINDOWS\system32\msdl.exe
O4 - HKLM\..\RunOnce: [netuh32.exe] C:\WINDOWS\system32\netuh32.exe
O4 - HKLM\..\RunOnce: [syshe.exe] C:\WINDOWS\system32\syshe.exe
O4 - HKLM\..\RunOnce: [ieie.exe] C:\WINDOWS\system32\ieie.exe
O4 - HKLM\..\RunOnce: [winhb.exe] C:\WINDOWS\winhb.exe
O4 - HKLM\..\RunOnce: [d3tv.exe] C:\WINDOWS\system32\d3tv.exe
O4 - HKLM\..\RunOnce: [msih32.exe] C:\WINDOWS\msih32.exe
O4 - HKLM\..\RunOnce: [apprc32.exe] C:\WINDOWS\apprc32.exe
O4 - HKLM\..\RunOnce: [apidq32.exe] C:\WINDOWS\system32\apidq32.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\Msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\Msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.skoobidoo.com
O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud7.sports.sc5.yahoo.com/jav...gcst1016_x.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_42.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {88D8E8B7-A33B-4417-A385-8373484D43ED} (InstallHelper Class) - file://C:\DOCUME~1\Main\LOCALS~1\Temp\ThereInstallHelper.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O21 - SSODL: System - {74E23EEC-8A62-48E7-9A34-66798A60166D} - C:\WINDOWS\system32\system32.dll
Thanks.
•
•
Join Date: May 2004
Posts: 1,478
Reputation: 
Solved Threads: 18
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
O4 - HKLM\..\RunOnce: [ieie.exe] C:\WINDOWS\system32\ieie.exe
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.skoobidoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
O4 - HKLM\..\RunOnce: [ieie.exe] C:\WINDOWS\system32\ieie.exe
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.skoobidoo.com
I tried to delete the registry keys with the website in them, but they keep coming back.
The other ones deleted fine tho, thanks.
Here is a current hijackthis log:
Logfile of HijackThis v1.98.2
Scan saved at 5:17:41 PM, on 8/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\addmp32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\Dit.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\ieyn32.exe
C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\DitExp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Main\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R3 - Default URLSearchHook is missing
N2 - Netscape 6: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Main\Application Data\Mozilla\Profiles\default\8ndtfdd2.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {710CE7D8-7CDF-35F3-6A22-9AEB843DD571} - C:\WINDOWS\system32\ieyn32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [ieyn32.exe] C:\WINDOWS\system32\ieyn32.exe
O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [addmp32.exe] C:\WINDOWS\addmp32.exe
O4 - HKLM\..\RunOnce: [wintq.exe] C:\WINDOWS\wintq.exe
O4 - HKLM\..\RunOnce: [appdz32.exe] C:\WINDOWS\appdz32.exe
O4 - HKLM\..\RunOnce: [iegx32.exe] C:\WINDOWS\system32\iegx32.exe
O4 - HKLM\..\RunOnce: [javanb.exe] C:\WINDOWS\system32\javanb.exe
O4 - HKLM\..\RunOnce: [sdkzj.exe] C:\WINDOWS\sdkzj.exe
O4 - HKLM\..\RunOnce: [msdl.exe] C:\WINDOWS\system32\msdl.exe
O4 - HKLM\..\RunOnce: [netuh32.exe] C:\WINDOWS\system32\netuh32.exe
O4 - HKLM\..\RunOnce: [syshe.exe] C:\WINDOWS\system32\syshe.exe
O4 - HKLM\..\RunOnce: [winhb.exe] C:\WINDOWS\winhb.exe
O4 - HKLM\..\RunOnce: [d3tv.exe] C:\WINDOWS\system32\d3tv.exe
O4 - HKLM\..\RunOnce: [msih32.exe] C:\WINDOWS\msih32.exe
O4 - HKLM\..\RunOnce: [apprc32.exe] C:\WINDOWS\apprc32.exe
O4 - HKLM\..\RunOnce: [apidq32.exe] C:\WINDOWS\system32\apidq32.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\Msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\Msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud7.sports.sc5.yahoo.com/jav...gcst1016_x.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_42.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {88D8E8B7-A33B-4417-A385-8373484D43ED} (InstallHelper Class) - file://C:\DOCUME~1\Main\LOCALS~1\Temp\ThereInstallHelper.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O21 - SSODL: System - {74E23EEC-8A62-48E7-9A34-66798A60166D} - C:\WINDOWS\system32\system32.dll
The other ones deleted fine tho, thanks.
Here is a current hijackthis log:
Logfile of HijackThis v1.98.2
Scan saved at 5:17:41 PM, on 8/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\addmp32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\Dit.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\ieyn32.exe
C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\DitExp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Main\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R3 - Default URLSearchHook is missing
N2 - Netscape 6: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Main\Application Data\Mozilla\Profiles\default\8ndtfdd2.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {710CE7D8-7CDF-35F3-6A22-9AEB843DD571} - C:\WINDOWS\system32\ieyn32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [ieyn32.exe] C:\WINDOWS\system32\ieyn32.exe
O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [addmp32.exe] C:\WINDOWS\addmp32.exe
O4 - HKLM\..\RunOnce: [wintq.exe] C:\WINDOWS\wintq.exe
O4 - HKLM\..\RunOnce: [appdz32.exe] C:\WINDOWS\appdz32.exe
O4 - HKLM\..\RunOnce: [iegx32.exe] C:\WINDOWS\system32\iegx32.exe
O4 - HKLM\..\RunOnce: [javanb.exe] C:\WINDOWS\system32\javanb.exe
O4 - HKLM\..\RunOnce: [sdkzj.exe] C:\WINDOWS\sdkzj.exe
O4 - HKLM\..\RunOnce: [msdl.exe] C:\WINDOWS\system32\msdl.exe
O4 - HKLM\..\RunOnce: [netuh32.exe] C:\WINDOWS\system32\netuh32.exe
O4 - HKLM\..\RunOnce: [syshe.exe] C:\WINDOWS\system32\syshe.exe
O4 - HKLM\..\RunOnce: [winhb.exe] C:\WINDOWS\winhb.exe
O4 - HKLM\..\RunOnce: [d3tv.exe] C:\WINDOWS\system32\d3tv.exe
O4 - HKLM\..\RunOnce: [msih32.exe] C:\WINDOWS\msih32.exe
O4 - HKLM\..\RunOnce: [apprc32.exe] C:\WINDOWS\apprc32.exe
O4 - HKLM\..\RunOnce: [apidq32.exe] C:\WINDOWS\system32\apidq32.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\Msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\Msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud7.sports.sc5.yahoo.com/jav...gcst1016_x.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_42.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {88D8E8B7-A33B-4417-A385-8373484D43ED} (InstallHelper Class) - file://C:\DOCUME~1\Main\LOCALS~1\Temp\ThereInstallHelper.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O21 - SSODL: System - {74E23EEC-8A62-48E7-9A34-66798A60166D} - C:\WINDOWS\system32\system32.dll
Ive tried deleting them with hijackthis and spybot search and destroy, ad-aware doesnt even find them.
They are the ones ending in the website http://213.159.117.1334/index.php
They keep coming back after deletion.
Plz help
Here is a current HiJackThis logfile:
Logfile of HijackThis v1.98.2
Scan saved at 5:56:41 PM, on 8/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\addmp32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\Dit.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\ieyn32.exe
C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
C:\WINDOWS\DitExp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Main\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R3 - Default URLSearchHook is missing
N2 - Netscape 6: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Main\Application Data\Mozilla\Profiles\default\8ndtfdd2.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {710CE7D8-7CDF-35F3-6A22-9AEB843DD571} - C:\WINDOWS\system32\ieyn32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [ieyn32.exe] C:\WINDOWS\system32\ieyn32.exe
O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [addmp32.exe] C:\WINDOWS\addmp32.exe
O4 - HKLM\..\RunOnce: [wintq.exe] C:\WINDOWS\wintq.exe
O4 - HKLM\..\RunOnce: [appdz32.exe] C:\WINDOWS\appdz32.exe
O4 - HKLM\..\RunOnce: [iegx32.exe] C:\WINDOWS\system32\iegx32.exe
O4 - HKLM\..\RunOnce: [javanb.exe] C:\WINDOWS\system32\javanb.exe
O4 - HKLM\..\RunOnce: [sdkzj.exe] C:\WINDOWS\sdkzj.exe
O4 - HKLM\..\RunOnce: [msdl.exe] C:\WINDOWS\system32\msdl.exe
O4 - HKLM\..\RunOnce: [netuh32.exe] C:\WINDOWS\system32\netuh32.exe
O4 - HKLM\..\RunOnce: [syshe.exe] C:\WINDOWS\system32\syshe.exe
O4 - HKLM\..\RunOnce: [winhb.exe] C:\WINDOWS\winhb.exe
O4 - HKLM\..\RunOnce: [d3tv.exe] C:\WINDOWS\system32\d3tv.exe
O4 - HKLM\..\RunOnce: [msih32.exe] C:\WINDOWS\msih32.exe
O4 - HKLM\..\RunOnce: [apprc32.exe] C:\WINDOWS\apprc32.exe
O4 - HKLM\..\RunOnce: [apidq32.exe] C:\WINDOWS\system32\apidq32.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\Msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\Msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud7.sports.sc5.yahoo.com/jav...gcst1016_x.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_42.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {88D8E8B7-A33B-4417-A385-8373484D43ED} (InstallHelper Class) - file://C:\DOCUME~1\Main\LOCALS~1\Temp\ThereInstallHelper.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O21 - SSODL: System - {74E23EEC-8A62-48E7-9A34-66798A60166D} - C:\WINDOWS\system32\system32.dll
Thanks.
They are the ones ending in the website http://213.159.117.1334/index.php
They keep coming back after deletion.
Plz help
Here is a current HiJackThis logfile:
Logfile of HijackThis v1.98.2
Scan saved at 5:56:41 PM, on 8/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\addmp32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\Dit.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\ieyn32.exe
C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
C:\WINDOWS\DitExp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Main\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R3 - Default URLSearchHook is missing
N2 - Netscape 6: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Main\Application Data\Mozilla\Profiles\default\8ndtfdd2.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {710CE7D8-7CDF-35F3-6A22-9AEB843DD571} - C:\WINDOWS\system32\ieyn32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [ieyn32.exe] C:\WINDOWS\system32\ieyn32.exe
O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [addmp32.exe] C:\WINDOWS\addmp32.exe
O4 - HKLM\..\RunOnce: [wintq.exe] C:\WINDOWS\wintq.exe
O4 - HKLM\..\RunOnce: [appdz32.exe] C:\WINDOWS\appdz32.exe
O4 - HKLM\..\RunOnce: [iegx32.exe] C:\WINDOWS\system32\iegx32.exe
O4 - HKLM\..\RunOnce: [javanb.exe] C:\WINDOWS\system32\javanb.exe
O4 - HKLM\..\RunOnce: [sdkzj.exe] C:\WINDOWS\sdkzj.exe
O4 - HKLM\..\RunOnce: [msdl.exe] C:\WINDOWS\system32\msdl.exe
O4 - HKLM\..\RunOnce: [netuh32.exe] C:\WINDOWS\system32\netuh32.exe
O4 - HKLM\..\RunOnce: [syshe.exe] C:\WINDOWS\system32\syshe.exe
O4 - HKLM\..\RunOnce: [winhb.exe] C:\WINDOWS\winhb.exe
O4 - HKLM\..\RunOnce: [d3tv.exe] C:\WINDOWS\system32\d3tv.exe
O4 - HKLM\..\RunOnce: [msih32.exe] C:\WINDOWS\msih32.exe
O4 - HKLM\..\RunOnce: [apprc32.exe] C:\WINDOWS\apprc32.exe
O4 - HKLM\..\RunOnce: [apidq32.exe] C:\WINDOWS\system32\apidq32.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\Msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\Msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud7.sports.sc5.yahoo.com/jav...gcst1016_x.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_42.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {88D8E8B7-A33B-4417-A385-8373484D43ED} (InstallHelper Class) - file://C:\DOCUME~1\Main\LOCALS~1\Temp\ThereInstallHelper.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O21 - SSODL: System - {74E23EEC-8A62-48E7-9A34-66798A60166D} - C:\WINDOWS\system32\system32.dll
Thanks.
•
•
Join Date: May 2004
Posts: 1,478
Reputation:
Solved Threads: 18
In your logfile all i see is those top ones. But you say you want to delete registry files for coolwebsearch then you should goto start<run<regedt32 then look in the folders HKEY_LOCAL_MACHINE<SOFTWARE and HKEY_CURRENT_USER<sotware in those folders is every registry entry for any software on your computer you should be able to find coolwebsearch in these folders and delete them.
•
•
Join Date: May 2004
Posts: 1,478
Reputation:
Solved Threads: 18
oops sorry about double posting but i caught this while quickly taking a second look at your log.
O4 - HKLM\..\RunOnce: [sdkzj.exe] C:\WINDOWS\sdkzj.exe
this could be a virus i would set a system restore point and remove it using hijack this the n boot into safe mode (esc+F8 while rebooting) and delete it manually make sure the process is not running in your task manager.
O4 - HKLM\..\RunOnce: [sdkzj.exe] C:\WINDOWS\sdkzj.exe
this could be a virus i would set a system restore point and remove it using hijack this the n boot into safe mode (esc+F8 while rebooting) and delete it manually make sure the process is not running in your task manager.
•
•
Join Date: May 2004
Posts: 1,478
Reputation:
Solved Threads: 18
4 - HKLM\..\RunOnce: [sdkzj.exe] C:\WINDOWS\sdkzj.exe
this might be a virus i've seen it in other logs so I would create a system restore point and fix that(unless you know that you want that program running).
this might be a virus i've seen it in other logs so I would create a system restore point and fix that(unless you know that you want that program running).
•
•
Join Date: Feb 2004
Posts: 10,489
Reputation: 
Solved Threads: 805
Download CWShredder from here & run it. Select the fix button & it will fix everything related to CoolWebSearch that is stored in it's database. Close ALL windows, including Iinternet Explorer, before running CWShredder. Reboot.
To help prevent this from happening again, install the patches for the vulnerabilities that this hijacker exploits by going here for your critical updates.
Reboot after doing this & post another log please.
To help prevent this from happening again, install the patches for the vulnerabilities that this hijacker exploits by going here for your critical updates.
Reboot after doing this & post another log please.
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera AVAST anti-virus Comodo AV/Firewall Spywareblaster
Opera AVAST anti-virus Comodo AV/Firewall Spywareblaster
•
•
Join Date: Feb 2004
Posts: 10,489
Reputation:
Solved Threads: 805
I have merged both your threads. Please keep to one thread to reduce any possible confusion.
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera AVAST anti-virus Comodo AV/Firewall Spywareblaster
Opera AVAST anti-virus Comodo AV/Firewall Spywareblaster
|
Similar Threads
- hijackthis logfile. computer is totally messed up (Viruses, Spyware and other Nasties)
- quicklink and others: HijackThis Logfile (Viruses, Spyware and other Nasties)
- help needed - HijackThis logfile (cd-rom opens/closes) (Viruses, Spyware and other Nasties)
- HijackThis Logfile-Probs after XP SP2 download (Viruses, Spyware and other Nasties)
- Please Analyze My HijackThis Logfile, I'm having "bridge.dll" problems at least. (Viruses, Spyware and other Nasties)
- MSIEH - Ran Hijackthis - what do i do with the logfile? (Windows NT / 2000 / XP)
Other Threads in the Viruses, Spyware and other Nasties Forum
- Previous Thread: cant open invader programs trying to track source.
- Next Thread: Please help browser hijack log included
Views: 2940 | Replies: 8
| Thread Tools | Search this Thread |
Latest Viruses, Spyware and other Nasties Posts
Related Forum Features
Tag cloud for Viruses, Spyware and other Nasties
access acrobat adobe alert analysis antivirus apple attack audio avg banks bar bing blackhat botnet breach center child-protection children chip-and-pin code combofix commercial connect control credit-cards crypto cyber ddos dialler disk domains dumbass email europe explorer fake firefox fraud google government gumblar hack hacking halloween helprequired-urgent herss.exe hijack hosts ibm ie8 internet iphone kneber links logfiles login mail malware mcafee microsoft nasties news norton panel password police pop porn pro problem redirect regedit report research rogueantivirus security sites software spam spyware spywareexternalwindows7adminstratortrojans symantec system terrorism trojan unwanted update virus viruses vista volume vulnerability warning web win windows windowsxp xp_antispyware_2010 yahoo
