Reply

Join Date: May 2004
Posts: 5
Reputation: newtodagame is an unknown quantity at this point 
Solved Threads: 0
newtodagame's Avatar
newtodagame newtodagame is offline Offline
Newbie Poster

Hijackthis logfile

 
0
  #1
Jul 19th, 2004
If someone could look over my logfile and tell me what to do I would really appreciate it. For some reason my default homepage for internet explorer keepz resetting to some other website instead of google. Thanks.



Logfile of HijackThis v1.97.7
Scan saved at 8:47:08 AM, on 7/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\javaay32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\WINDOWS\winxf.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nowna.dll/sp.html#20635
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://nowna.dll/index.html#20635
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://nowna.dll/index.html#20635
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nowna.dll/sp.html#20635
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://nowna.dll/index.html#20635
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\nowna.dll/sp.html#20635
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6E90692E-55AC-1995-F69B-76F46F229340} - C:\WINDOWS\javach32.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [winxf.exe] C:\WINDOWS\winxf.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\RunOnce: [javaay32.exe] C:\WINDOWS\system32\javaay32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...?1085602759770
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
Reply With Quote Quick reply to this message  
Join Date: Dec 2003
Posts: 6,439
Reputation: DMR will become famous soon enough DMR will become famous soon enough 
Solved Threads: 363
Team Colleague
DMR's Avatar
DMR DMR is offline Offline
Wombat At Large

Re: Hijackthis logfile

 
0
  #2
Jul 19th, 2004
- Have HJT fix these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nowna.dll/sp.html#20635
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://nowna.dll/index.html#20635
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://nowna.dll/index.html#20635
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nowna.dll/sp.html#20635
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://nowna.dll/index.html#20635
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\nowna.dll/sp.html#20635
O2 - BHO: (no name) - {6E90692E-55AC-1995-F69B-76F46F229340} - C:\WINDOWS\javach32.dll
O4 - HKLM\..\Run: [winxf.exe] C:\WINDOWS\winxf.exe
O4 - HKLM\..\RunOnce: [javaay32.exe] C:\WINDOWS\system32\javaay32.exe


Reboot into safe mode and delete:

nowna.dll
javach32.dll
winxf.exe
javaay32.exe


Delete all Cookies and Temp/Temporary Internet files (including "offline content", empty the Recycle Bin, and reboot normally.
"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing

Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.

However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
Reply With Quote Quick reply to this message  
Join Date: May 2004
Posts: 5
Reputation: newtodagame is an unknown quantity at this point 
Solved Threads: 0
newtodagame's Avatar
newtodagame newtodagame is offline Offline
Newbie Poster

Re: Hijackthis logfile

 
0
  #3
Jul 21st, 2004
I followed the instructions but for some reason everytime i reboot the files just keep coming back. Im a bit frustrated. ONE MORE TIME GUYS. new logfile someone help me out here.



Logfile of HijackThis v1.97.7
Scan saved at 1:58:11 PM, on 7/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\ntjf32.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\javaay32.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\WinMX\WinMX.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\uxxpy.dll/sp.html#20635
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://uxxpy.dll/index.html#20635
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://uxxpy.dll/index.html#20635
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\uxxpy.dll/sp.html#20635
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://uxxpy.dll/index.html#20635
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\uxxpy.dll/sp.html#20635
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13C42846-63E9-C5EC-42B4-DB2AD1F9C009} - C:\WINDOWS\mfces.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ntjf32.exe] C:\WINDOWS\ntjf32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\RunOnce: [javaay32.exe] C:\WINDOWS\system32\javaay32.exe
O4 - HKLM\..\RunOnce: [netit.exe] C:\WINDOWS\netit.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...?1085602759770
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
Reply With Quote Quick reply to this message  
Join Date: Dec 2003
Posts: 6,439
Reputation: DMR will become famous soon enough DMR will become famous soon enough 
Solved Threads: 363
Team Colleague
DMR's Avatar
DMR DMR is offline Offline
Wombat At Large

Re: Hijackthis logfile

 
0
  #4
Jul 21st, 2004
OK- some of the really evil malware programs hide multiple copies of pieces of themselves on your system, and will be able to "repair" themselves if every single bit of them isn't surgically removed. Let me do a little research and get back to you in a few hours.
"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing

Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.

However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
Reply With Quote Quick reply to this message  
Join Date: Dec 2003
Posts: 6,439
Reputation: DMR will become famous soon enough DMR will become famous soon enough 
Solved Threads: 363
Team Colleague
DMR's Avatar
DMR DMR is offline Offline
Wombat At Large

Re: Hijackthis logfile

 
0
  #5
Jul 21st, 2004
Umm... I just noticed that your log doesn't show any anti-virus programs running. You need to get yourself over to either Trend Micro or Panda Software and run the (free) online virus scan they offer before we go any further. You also need to get and install an anti-virus package that will constantly monitor and protect your system. AVG has a free version; you can also look at products from Symantec (Norton) and McAfee.
"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing

Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.

However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
Reply With Quote Quick reply to this message  
Reply

Quick Reply to Thread
This thread is more than three months old.
Perhaps start a new thread instead?
Message:



Similar Threads
Other Threads in the Viruses, Spyware and other Nasties Forum
Thread Tools Search this Thread



adware anti-virussitesaccessissue antivirus apple attack audio avg backtoschoolspeech bar blackhat botnet censorship china commercial commercials conficker connect control crosssitescripting cyber cybercrime cyberwarfare ddos domains e-mafia education email europe exploit facebook fake gaming gtaiv gumblar halloween herss.exe hijack hosting internet iphone kaspersky legal logfiles mail malware mcafee mega-d messagelabs microsoft mobile msn nazi news obama onlinethreats paedophile panel parents patch phishing police policeprovirusmba-mblockedinternetaccess president privacy pro problem redirecting reliability report research risk rogueantivirus samhain sans scareware school search security sites software spam spyware spywareexternalwindows7adminstratortrojans sqlinjection symantec system teen translate trojan unabletoaccessanti-virussites unwanted usa virus viruses war warning windows worm yahoo zeroday
About Us | Contact Us | Advertise | DaniWeb | Acceptable Use Policy | RSS Feed

©2003 - 2009 DaniWeb® LLC