Jul 8th, 2005

Help with Highjackthis log

Hello, I just recently got HijackThis and was wondering if someone could help me with what I should do in regard to this log. :o

Logfile of HijackThis v1.98.0
Scan saved at 11:41:18 AM, on 7/9/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\intel32.exe
C:\Program Files\Funcom\Anarchy Online\client.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jeff Holder.JEFFSCOMP\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

res://C:\DOCUME~1\JEFFHO~1.JEF\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =

res://C:\DOCUME~1\JEFFHO~1.JEF\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {D479C3B3-273A-439F-A5D6-FDDCE2DC325E} - C:\WINDOWS\system32\amfl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe"

/L ElbyCDFL
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\JEFFHO~1.JEF\LOCALS~1\Temp\se.dll,DllInstall
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O18 - Filter: text/html - {BCAC5015-24C8-4B66-A602-D1A2D3327D4F} -

C:\WINDOWS\system32\amfl.dll
O18 - Filter: text/plain - {BCAC5015-24C8-4B66-A602-D1A2D3327D4F} -

C:\WINDOWS\system32\amfl.dll
Fiendforeva
Jul 8th, 2005

Re: Help with Highjackthis log

Hi Fiendforeva, welcome to the site.

The log you posted definitely shows signs of infections, but there are a few things you need to take care of before we can begin to work on it:

1. Logfile of HijackThis v1.98.0

The log entry above indicates that you are using a very old version (1.98.0) of HijackThis. Please download the latest version (1.99.1) and post the log it generates.

http://www.stevewolfonline.com/Downl...HijackThis.exe

Once downloaded, create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.


2. C:\Program Files\Internet Explorer\iexplore.exe

The log entry above indicates that you had at least 1 instance of Internet Explorer running when you ran HijackThis. Before actually fixing problems with HijackThis, you should close all other open programs, especially your web browser and Windows Explorer. HijackThis cannot fully perform its fixes while any instances of your web browser are open.


3. The log you did post has odd line breaks and the like in it, which makes it difficult to read. Make sure the new log you post doesn't come out "fractured" like that.
DMR
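
The three checks in the reply above (tool version, open browser, broken line wrapping) can be run over a pasted log before anyone reads it by hand. The sketch below is an added example, not part of the original post or of HijackThis; the sample log is constructed, and the function names and the section-code pattern are assumptions.

```python
import re
# Section codes that open a HijackThis entry line, e.g. "R1 - " or "O18 - ".
ENTRY = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - ")
PROCESS = re.compile(r"^[A-Za-z]:\\.*\.exe$", re.I)
VERSION = re.compile(r"^Logfile of HijackThis v([\d.]+)")

# Constructed sample: a shortened log with the kind of line breaks seen above.
SAMPLE = r"""Logfile of HijackThis v1.98.0
Running processes:
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

res://C:\DOCUME~1\USER\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
"""

def parse_hjt(text):
    """Return (version, processes, entries, rejoined) with wrapped entries repaired."""
    version, processes, entries, rejoined = None, [], [], 0
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        m = VERSION.match(line)
        if m:
            version = m.group(1)
        elif ENTRY.match(line):
            entries.append(line)
        elif entries:  # stray text after the first entry is a wrapped tail
            entries[-1] += " " + line
            rejoined += 1
        elif PROCESS.match(line):
            processes.append(line)
    return version, processes, entries, rejoined

def preflight(text, latest="1.99.1"):  # 1.99.1 is the version named in the reply
    version, processes, entries, rejoined = parse_hjt(text)
    as_tuple = lambda v: tuple(int(p) for p in v.split(".") if p)
    issues = []
    if version is None or as_tuple(version) < as_tuple(latest):
        issues.append(f"HijackThis {version} is older than {latest}")
    if any(p.lower().endswith("\\iexplore.exe") for p in processes):
        issues.append("Internet Explorer was running during the scan")
    if rejoined:
        issues.append(f"{rejoined} wrapped line(s) had to be rejoined")
    return issues

print("\n".join(preflight(SAMPLE)))
```

The rejoining step treats any non-entry line after the first entry as the tail of the previous entry, which is enough for wrapping introduced by a forum editor but would also absorb unrelated text pasted after the log.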
Jul 9th, 2005

Re: Help with Highjackthis log

Alright, I got the new version of HJT, closed all windows, I think I got it right this time. And thank you for the fast reply :mrgreen:

Logfile of HijackThis v1.99.1
Scan saved at 4:11:26 PM, on 7/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Jeff Holder.JEFFSCOMP\Desktop\highjack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\JEFFHO~1.JEF\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\JEFFHO~1.JEF\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {AC041E98-2B0B-4F4B-B30A-9347102B4C14} - C:\WINDOWS\system32\amfl.dll
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\JEFFHO~1.JEF\LOCALS~1\Temp\se.dll,DllInstall
O18 - Filter: text/html - {9A8BBFF4-F181-4333-9D0D-BC403740D165} - C:\WINDOWS\system32\amfl.dll
O18 - Filter: text/plain - {9A8BBFF4-F181-4333-9D0D-BC403740D165} - C:\WINDOWS\system32\amfl.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
Last edited by DMR; Jul 9th, 2005 at 11:39 pm.
Fiendforeva
Jul 9th, 2005

Re: Help with Highjackthis log

hmmm, Sorry about the strange line breaks again, it looked alright in the preview..
Fiendforeva
Jul 9th, 2005

Re: Help with Highjackthis log

Quote originally posted by Fiendforeva: "hmmm, Sorry about the strange line breaks again, it looked alright in the preview.."

I edited the post to clean up the formatting a bit.

That log looks very short on content for a normal XP computer, and it's missing a lot of entries that appeared in the first log you posted. Did your latest log come from a scan done while booted into Safe Mode? If so, you need to do a scan while booted normally and post that log.
DMR
Jul 10th, 2005

Re: Help with Highjackthis log

No, I wasn't in safe mode, but I have tinkered with my computer a lot, removed this and that, disabled and whatnot... Haven't had problems so far. And from my first post I have run Spybot Search and Destroy, Adaware, and Registry Mechanic, so they might have found some of the problems. But I still have a nasty spyware making it very hard to navigate the web.
Fiendforeva
Jul 10th, 2005

Re: Help with Highjackthis log

Try using the following programs:

Ewido
CounterSpy
TrojanHunter
Ad-Aware

Make sure to get the latest definitions/updates for these and run these in Safe Mode.
frenemy
Jul 10th, 2005

Re: Help with Highjackthis log

I just rebooted normally, not in safe mode, closed all explorer windows, and all programs, scanned again, and the logfile came out identical. =\ I hope I haven't removed something I shouldn't have :o Mainly I was just trying to clean useless stuff up, and get rid of annoying startup programs and the like.
Fiendforeva
Jul 10th, 2005

Re: Help with Highjackthis log

For that, please use CCleaner
frenemy
Jul 10th, 2005

Re: Help with Highjackthis log

Quote originally posted by Fiendforeva: "Mainly I was just trying to clean useless stuff up, and get rid of annoying startup programs and the like."

OK, I just needed to check; that's the shortest log I've ever seen from an XP system.

That said, every single entry in the log except the last one indicates the "about:blank" infection. Please follow the removal instructions in my first post in this thread, and give us a new log after that.
DMR