
Hi, I'm suffering from browser hijacks such as sloutch.com. Here is my log; if any help is given it would be greatly received. Thanks.


Logfile of HijackThis v1.99.0
Scan saved at 12:41:55 PM, on 1/7/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Vet\isafe.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Vet\VetMsg.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Vet\VetTray.exe
C:\WINNT\System\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINNT\System32\wsxsvc\wsxsvc.exe
C:\WINNT\System32\vmss\vmss.exe
C:\WINNT\system32\defragfat32abc.exe
C:\WINNT\system32\svchostings.exe
C:\WINNT\qfoqbq.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://pcworld.idg.com.au
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\about.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\WINNT\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\msinfo.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [VetTray] C:\Vet\VetTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tjstartup] C:\WINNT\System\svchost.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Dvx] C:\WINNT\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINNT\System32\vmss\vmss.exe
O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINNT\system32\defragfat32abc.exe
O4 - HKLM\..\Run: [Start Upping] svchostings.exe
O4 - HKLM\..\Run: [cXsost0Y2] C:\WINNT\qfoqbq.exe
O4 - HKLM\..\Run: [Tray Temperature] C:\WINNT\iWeatherBug\MiniBug.exe 1
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\RunServices: [Start Upping] svchostings.exe
O4 - HKCU\..\Run: [Washer] C:\Documents and Settings\grieve\Desktop\Lachlan\wolf 3d\TC\ww\New Folder\Windows washer 4.7 + crack\washer.exe /0
O4 - HKCU\..\Run: [Start Upping] svchostings.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Documents and Settings\grieve\Desktop\Lachlan\wolf 3d\TC\ww\New Folder\Windows washer 4.7 + crack\washidx.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe (file missing)
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://pcworld.idg.com.au
O15 - Trusted Zone: *.msn.com
O16 - DPF: ConferenceRoom Java Client - http://irc.webmaster.com:8000/java/cr.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab30149.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {E56347B0-6C2B-4C2E-939F-EE513EAC80BC} (Creative Product Registration ActiveX Control Module) - http://au.creative.com/support/register/OCXs/CtORWebClientNoMFC.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A58E3176-5A6E-4D54-B3FA-F5A457AE7259}: NameServer = 203.21.66.2,203.21.66.10
O19 - User stylesheet: (file missing)
O23 - Service: CA ISafe - Computer Associates International, Inc. - C:\Vet\isafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: VET Message Service - Computer Associates International, Inc. - C:\Vet\VetMsg.exe
O23 - Service: ZESOFT - Unknown - C:\WINNT\zeta.exe (file missing)


You need to go to Windows Update to get the Critical Updates for your system as soon as possible.

Using Task Manager, end the process on these:
wsxsvc.exe
vmss.exe
defragfat32abc.exe
svchostings.exe
qfoqbq.exe

Go to Add/Remove Programs in your Control Panel and remove (if found):
WeatherBug
180solutions

Close all browser windows, scan with HJT, and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\WINNT\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\msinfo.exe
O4 - HKLM\..\Run: [Dvx] C:\WINNT\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINNT\System32\vmss\vmss.exe
O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINNT\system32\defragfat32abc.exe
O4 - HKLM\..\Run: [Start Upping] svchostings.exe
O4 - HKLM\..\Run: [cXsost0Y2] C:\WINNT\qfoqbq.exe
O4 - HKLM\..\Run: [Tray Temperature] C:\WINNT\iWeatherBug\MiniBug.exe 1
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\RunServices: [Start Upping] svchostings.exe
O4 - HKCU\..\Run: [Start Upping] svchostings.exe
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe (file missing)
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe (file missing)
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{A58E3176-5A6E-4D54-B3FA-F5A457AE7259}: NameServer = 203.21.66.2,203.21.66.10
O19 - User stylesheet: (file missing)
O23 - Service: ZESOFT - Unknown - C:\WINNT\zeta.exe (file missing)

If you don't wish to have pcworld as your Home Page, have HJT fix these as well:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://pcworld.idg.com.au
O14 - IERESET.INF: START_PAGE_URL=http://pcworld.idg.com.au

Reboot into Safe Mode and go to:

C:\WINNT\System32\wsxsvc and delete wsxsvc.exe
C:\WINNT\System32\vmss and delete vmss.exe
C:\WINNT\system32 and delete defragfat32abc.exe
C:\WINNT and delete qfoqbq.exe
C:\WINNT and delete the iWeatherBug folder
C:\program files and delete the 180solutions folder

Do a search for msinfo.exe, delete it, and let us know where it was located

While still in Safe Mode, go to Start, Run, and type in regedit, click OK and the registry editor will open.

Before you edit the registry, you should make a backup. At the top of the Registry window, click on the Registry menu, click Export Registry File. In the Export range panel, click All, then save your registry as Backup.

(Look in the Name and Data columns for the following and delete any found)
Go to HKEY_LOCAL_MACHINE, SOFTWARE, Microsoft, Windows, CurrentVersion, Run
defragfat32abc.exe,
svchostings.exe

Go to HKEY_LOCAL_MACHINE, SOFTWARE, Microsoft, Windows, CurrentVersion, RunServices
svchostings.exe

HKEY_CURRENT_USER, Software, Microsoft, Windows, CurrentVersion, Run
svchostings.exe

Close the registry editor.

This is not related to your problem, but you probably don't need CTsvcCDA.EXE (http://www.liutilities.com/products/wintaskspro/processlibrary/ctsvccda/)

I'm not sure about this one, anyone else know? R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\about.htm

Reboot normally, close all browser windows, scan with HJT, and post a new log please.
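As an added example (not part of this thread or the HijackThis tool), here is a small Python triage script that applies the same reading of the O4 lines that the reply above applies by hand: it parses the entries and flags executables registered with no path, svchost lookalikes outside System32, files dropped directly in the Windows root, and one executable registered under several Run keys. The sample lines are copied from the log above; the WINDIR constant and the heuristics are assumptions.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample: O4 lines copied from the log in this thread, plus a benign one.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [VetTray] C:\Vet\VetTray.exe
O4 - HKLM\..\Run: [tjstartup] C:\WINNT\System\svchost.exe
O4 - HKLM\..\Run: [Start Upping] svchostings.exe
O4 - HKLM\..\RunServices: [Start Upping] svchostings.exe
O4 - HKCU\..\Run: [Start Upping] svchostings.exe
O4 - HKLM\..\Run: [cXsost0Y2] C:\WINNT\qfoqbq.exe
O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINNT\system32\defragfat32abc.exe
"""

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
WINDIR = r"c:\winnt"  # assumption: system root as shown in this log


def parse_o4(text):
    """Return (hive, key, entry_name, command) for each O4 registry Run line."""
    return [m.groups() for m in map(O4_RE.match, (l.strip() for l in text.splitlines())) if m]


def exe_path(command):
    """First token of the command line, unquoted and lower-cased."""
    cmd = command.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)].lower()
    return cmd.split(" ")[0].lower()


def flag_entries(entries):
    """Map executable -> set of reasons it deserves a closer look (triage, not a verdict)."""
    reasons, locations = defaultdict(set), defaultdict(set)
    for hive, key, _name, command in entries:
        exe = exe_path(command)
        folder, base = ntpath.split(exe)
        locations[exe].add(f"{hive}\\{key}")
        if not folder:  # bare names rely on PATH search; legit entries (mobsync.exe) do this too
            reasons[exe].add("no path: resolved via PATH search")
        if base.startswith("svchost") and not folder.endswith("system32"):
            reasons[exe].add("svchost lookalike outside system32")
        if folder == WINDIR:
            reasons[exe].add("executable dropped directly in the Windows root")
    for exe, keys in locations.items():
        if len(keys) > 1:
            reasons[exe].add(f"registered under {len(keys)} Run keys")
    return dict(reasons)


if __name__ == "__main__":
    for exe, why in flag_entries(parse_o4(SAMPLE_LOG)).items():
        print(exe, "->", "; ".join(sorted(why)))
```

Note that defragfat32abc.exe is not caught by any of these rules: a plausible name in System32 only stands out when you look the filename up, which is exactly what the reply does.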
