Hijack This Log

•

What is DaniWeb IT Discussion Community?

You're currently browsing the Viruses, Spyware and other Nasties section within the Tech Talk category of DaniWeb, a massive community of 427,497 software developers, web developers, Internet marketers, and tech gurus who are all enthusiastic about making contacts, networking, and learning from each other. In fact, there are 3,438 IT professionals currently interacting right now! Registration is free, only takes a minute and lets you enjoy all of the interactive features of the site.

Join our community!

Please support our Viruses, Spyware and other Nasties advertiser: Programming Forums

Thread Tools Display Modes

Views: 4108 | Replies: 5 | Solved

•

Join Date: Apr 2004

Posts: 3

Reputation: sproston is an unknown quantity at this point

Rep Power: 0

Solved Threads: 0

sproston

Offline

Newbie Poster

Hijack This Log

Apr 4th, 2004

Hi, I want to get rid of this www.lookfor.cc search pop up thing. I've run Ad-aware and set the settings to how it said on aother post, then I've run the 'Hijack This' program and done the scan, I've fixed a couple of files which I know that should be fixed, but I'm not sure on the rest of the log, this is how it stands now:

Logfile of HijackThis v1.97.7
Scan saved at 14:36:34, on 04/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\wapitr.exe
C:\New Setups\Trust Digital Camera\Ulead Photo Express\CalCheck.exe
C:\AOL 6.0\waol.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Joanne\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/...ch/search.html
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.worldusa.com"); (C:\Program Files\Netscape\Users\sproston\prefs.js)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\New Setups\YM\Common\ycomp5_1_3_0.dll
O2 - BHO: . - {587DBF2D-9145-4c9e-92C2-1F953DA73773} - C:\WINDOWS\winfg\winfg32.dll
O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\WINDOWS\winfg\mssearch.dll
O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\WINDOWS\winfg\msiesh.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\New Setups\YM\Common\ycomp5_1_3_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\NEWSET~1\ICQ\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [ngbcdlg] "C:\WINDOWS\System32\ngbcdlg.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\image.dll,Install
O4 - HKCU\..\Run: [WTSS] C:\WINDOWS\System32\wapitr.exe
O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\image.dll,Install
O4 - HKLM\..\RunOnce: [Q828026] "C:\WINDOWS\INF\unregmp2.exe" /UpdateWMP
O4 - HKLM\..\RunOnce: [KB826939] rundll32.exe apphelp.dll,ShimFlushCache
O4 - Startup: AOL 6.0 Tray Icon.lnk = C:\AOL 6.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\New Setups\Trust Digital Camera\Ulead Photo Express\CalCheck.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.tiny.com/uk
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...ctor/swdir.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/27d13de5...p/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...081.1694444444
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...yse/ymmapi.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.com/download.yaho...yiebio4025.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BBB8DECB-AE57-485C-875B-4F60FE72BECE}: NameServer = 195.93.48.134

Please can you advise on what to do now, many thanks for your help

•

Join Date: Feb 2004

Location: Oztralya

Posts: 7,825

Reputation: crunchie is a jewel in the rough

Rep Power: 22

Solved Threads: 431

crunchie

Offline

Spyware Killer

Re: Hijack This Log

Apr 4th, 2004

You have a CoolWebSearch infection. Download CWShredder from http://209.133.47.200/~merijn/files/CWShredder.exe & run it. Select the fix button & it will get rid of everything related to CoolWebSearch. Close ALL other programs including IE before running CWShredder. Reboot after doing this & post another log please.

Proud member of ASAP (Alliance of Security analysis Professionals).
Opera How you got infected AVAST anti-virus Comodo Firewall Spywareblaster

Please do not PM me for help. Instead, post in the public forum where others may benefit.

•

Join Date: Apr 2004

Posts: 3

Reputation: sproston is an unknown quantity at this point

Rep Power: 0

Solved Threads: 0

sproston

Offline

Newbie Poster

Re: Hijack This Log

Apr 4th, 2004

Many thanks.....here is the new log

Logfile of HijackThis v1.97.7
Scan saved at 16:10:57, on 04/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\wapitr.exe
C:\New Setups\Trust Digital Camera\Ulead Photo Express\CalCheck.exe
C:\NEWSET~1\ICQ\ICQ\ICQ.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Joanne\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/...ch/search.html
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.worldusa.com"); (C:\Program Files\Netscape\Users\sproston\prefs.js)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\New Setups\YM\Common\ycomp5_1_3_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\New Setups\YM\Common\ycomp5_1_3_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\NEWSET~1\ICQ\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [ngbcdlg] "C:\WINDOWS\System32\ngbcdlg.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [WTSS] C:\WINDOWS\System32\wapitr.exe
O4 - Startup: AOL 6.0 Tray Icon.lnk = C:\AOL 6.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\New Setups\Trust Digital Camera\Ulead Photo Express\CalCheck.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.tiny.com/uk
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...ctor/swdir.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/27d13de5...p/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...081.1694444444
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...yse/ymmapi.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.com/download.yaho...yiebio4025.cab

•

Join Date: May 2003

Location: Royal Oak, Michigan

Posts: 864

Reputation: TallCool1 is a jewel in the rough

Rep Power: 9

Solved Threads: 43

TallCool1

Offline

Practically a Posting Shark

Re: Hijack This Log

Apr 4th, 2004

•

Originally Posted by sproston

Here is the new log.

You still have some problems. Remove the following:

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.worldusa.com"); (C:\Program Files\Netscape\Users\sproston\prefs.js)

O4 - HKLM\..\Run: [ngbcdlg] "C:\WINDOWS\System32\ngbcdlg.exe"

O4 - HKCU\..\Run: [WTSS] C:\WINDOWS\System32\wapitr.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.tiny.com/uk

~~~~~~~~~~~~~~~~

Removing these is optional, but highly recommended:

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/27d13de...ip/RdxIE601.cab

-- Michael Rudas

How To Ask Questions The Smart Way (article by Eric Raymond).
Dealing with Malware
My Articles page.
My Best-of-Breed Free Software for Windows list
Other Windows- & Microsoft-related links
The Audio Tech's Page
My blog
The Oak Park Computer Club
PenguiCon 4.0 Open Source & Science Fiction convention, April 21-23, 2006.
Knoppix Linux (CD-bootable) download. information, & support.

•

Join Date: Apr 2004

Posts: 1

Reputation: Learner1 is an unknown quantity at this point

Rep Power: 0

Solved Threads: 1

Learner1

Offline

Newbie Poster

Re: Hijack This Log

Apr 5th, 2004

you can download "Utilities 2004".Run `Reg.editor',Search for every instance of it and delete the key it takes you to.It is sugested to make a back up of every `key'which is deleted JUST IN CASE a wrong key is deleted.