943,663 Members | Top Members by Rank

Hardware and Software > Microsoft Windows > Viruses, Spyware and other Nasties > Hijack This Log
Ad:
Permalink
Apr 4th, 2004
0

Hijack This Log

Expand Post »
Hi, I want to get rid of this www.lookfor.cc search pop up thing. I've run Ad-aware and set the settings to how it said on aother post, then I've run the 'Hijack This' program and done the scan, I've fixed a couple of files which I know that should be fixed, but I'm not sure on the rest of the log, this is how it stands now:


Logfile of HijackThis v1.97.7
Scan saved at 14:36:34, on 04/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\wapitr.exe
C:\New Setups\Trust Digital Camera\Ulead Photo Express\CalCheck.exe
C:\AOL 6.0\waol.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Joanne\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/...ch/search.html
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.worldusa.com"); (C:\Program Files\Netscape\Users\sproston\prefs.js)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\New Setups\YM\Common\ycomp5_1_3_0.dll
O2 - BHO: . - {587DBF2D-9145-4c9e-92C2-1F953DA73773} - C:\WINDOWS\winfg\winfg32.dll
O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\WINDOWS\winfg\mssearch.dll
O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\WINDOWS\winfg\msiesh.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\New Setups\YM\Common\ycomp5_1_3_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\NEWSET~1\ICQ\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [ngbcdlg] "C:\WINDOWS\System32\ngbcdlg.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\image.dll,Install
O4 - HKCU\..\Run: [WTSS] C:\WINDOWS\System32\wapitr.exe
O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\image.dll,Install
O4 - HKLM\..\RunOnce: [Q828026] "C:\WINDOWS\INF\unregmp2.exe" /UpdateWMP
O4 - HKLM\..\RunOnce: [KB826939] rundll32.exe apphelp.dll,ShimFlushCache
O4 - Startup: AOL 6.0 Tray Icon.lnk = C:\AOL 6.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\New Setups\Trust Digital Camera\Ulead Photo Express\CalCheck.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.tiny.com/uk
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...ctor/swdir.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/27d13de5...p/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...081.1694444444
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...yse/ymmapi.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.com/download.yaho...yiebio4025.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BBB8DECB-AE57-485C-875B-4F60FE72BECE}: NameServer = 195.93.48.134


Please can you advise on what to do now, many thanks for your help
Similar Threads
Reputation Points: 10
Solved Threads: 0
Newbie Poster
sproston is offline Offline
3 posts
since Apr 2004
Permalink
Apr 4th, 2004
0

Re: Hijack This Log

You have a CoolWebSearch infection. Download CWShredder from http://209.133.47.200/~merijn/files/CWShredder.exe & run it. Select the fix button & it will get rid of everything related to CoolWebSearch. Close ALL other programs including IE before running CWShredder. Reboot after doing this & post another log please.
Moderator
Featured Poster
Reputation Points: 1142
Solved Threads: 982
Most Valuable Poster
crunchie is offline Offline
12,163 posts
since Feb 2004
Permalink
Apr 4th, 2004
0

Re: Hijack This Log

Many thanks.....here is the new log

Logfile of HijackThis v1.97.7
Scan saved at 16:10:57, on 04/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\wapitr.exe
C:\New Setups\Trust Digital Camera\Ulead Photo Express\CalCheck.exe
C:\NEWSET~1\ICQ\ICQ\ICQ.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Joanne\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/...ch/search.html
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.worldusa.com"); (C:\Program Files\Netscape\Users\sproston\prefs.js)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\New Setups\YM\Common\ycomp5_1_3_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\New Setups\YM\Common\ycomp5_1_3_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\NEWSET~1\ICQ\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [ngbcdlg] "C:\WINDOWS\System32\ngbcdlg.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [WTSS] C:\WINDOWS\System32\wapitr.exe
O4 - Startup: AOL 6.0 Tray Icon.lnk = C:\AOL 6.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\New Setups\Trust Digital Camera\Ulead Photo Express\CalCheck.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.tiny.com/uk
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...ctor/swdir.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/27d13de5...p/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...081.1694444444
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...yse/ymmapi.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.com/download.yaho...yiebio4025.cab
Reputation Points: 10
Solved Threads: 0
Newbie Poster
sproston is offline Offline
3 posts
since Apr 2004
Permalink
Apr 4th, 2004
0

Re: Hijack This Log

Quote originally posted by sproston ...
Here is the new log.
You still have some problems. Remove the following:

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.worldusa.com"); (C:\Program Files\Netscape\Users\sproston\prefs.js)

O4 - HKLM\..\Run: [ngbcdlg] "C:\WINDOWS\System32\ngbcdlg.exe"

O4 - HKCU\..\Run: [WTSS] C:\WINDOWS\System32\wapitr.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.tiny.com/uk

~~~~~~~~~~~~~~~~

Removing these is optional, but highly recommended:

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/27d13de...ip/RdxIE601.cab
Team Colleague
Reputation Points: 149
Solved Threads: 45
Practically a Posting Shark
TallCool1 is offline Offline
865 posts
since May 2003
Permalink
Apr 5th, 2004
0

Re: Hijack This Log

you can download "Utilities 2004".Run `Reg.editor',Search for every instance of it and delete the key it takes you to.It is sugested to make a back up of every `key'which is deleted JUST IN CASE a wrong key is deleted.
Reputation Points: 10
Solved Threads: 1
Newbie Poster
Learner1 is offline Offline
1 posts
since Apr 2004
Permalink
Apr 5th, 2004
0

Re: Hijack This Log

Many thanks, Crunchie and Tallcool1
Reputation Points: 10
Solved Threads: 0
Newbie Poster
sproston is offline Offline
3 posts
since Apr 2004

This thread is solved

Either the thread starter or a moderator has marked this thread as solved. You can most likely trust the responses and answers given. There is most likely no reason for any further responses to be posted here. If you have a related question, please start a new thread in this forum instead.

This thread is more than three months old

No one has posted to this discussion for at least three months. Please let old threads die and do not reply to them unless you feel you have something new and valuable to contribute that absolutely must be added to make the discussion complete. Otherwise, please start a new thread in this forum instead.
Message:
Previous Thread in Viruses, Spyware and other Nasties Forum Timeline: IE6 has been constantly hijacked by ....
Next Thread in Viruses, Spyware and other Nasties Forum Timeline: Hijacked





About Us | Contact Us | Advertise | Acceptable Use Policy
Forum Index | Build Custom RSS Feed


Follow us on Twitter


© 2011 DaniWeb® LLC