0

can anyone help here is the hijack log. i am having all sorts of pop-ups and crap


Logfile of HijackThis v1.99.1
Scan saved at 11:23:24 AM, on 7/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.exe
c:\windows\system32\elfudcg.exe
C:\Altiris\AClient\AClntUsr.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Java\jre1.5.0_01\bin\jucheck.exe
C:\WINDOWS\System32\humrpr.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\WINDOWS\System32\Nhkzrx.exe
C:\WINDOWS\System32\exp.exe
C:\WINDOWS\System32\wintask.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\System32\vbaadmin.exe
C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe
C:\PROGRA~1\VBouncer\VirtualBouncer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Documents and
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =

http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =

websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program

Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} -

C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} -

C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"

-osboot
O4 - HKLM\..\Run: [inqj] C:\WINDOWS\inqj.exe
O4 - HKLM\..\Run: [ncr] C:\WINDOWS\ncr.exe
O4 - HKLM\..\Run: [dih] C:\WINDOWS\dih.exe
O4 - HKLM\..\Run: [lwhwdkp] C:\WINDOWS\lwhwdkp.exe
O4 - HKLM\..\Run: [fon] C:\WINDOWS\fon.exe
O4 - HKLM\..\Run: [dcn] C:\WINDOWS\dcn.exe
O4 - HKLM\..\Run: [hazkfqr] C:\WINDOWS\hazkfqr.exe
O4 - HKLM\..\Run: [spupkt] C:\WINDOWS\spupkt.exe
O4 - HKLM\..\Run: [wzspkv] C:\WINDOWS\wzspkv.exe
O4 - HKLM\..\Run: [fwzmvef] C:\WINDOWS\fwzmvef.exe
O4 - HKLM\..\Run: [nojut] C:\WINDOWS\nojut.exe
O4 - HKLM\..\Run: [kfwnqtwt] C:\WINDOWS\kfwnqtwt.exe
O4 - HKLM\..\Run: [oletov] C:\WINDOWS\oletov.exe
O4 - HKLM\..\Run: [sxehef] C:\WINDOWS\sxehef.exe
O4 - HKLM\..\Run: [kbip] C:\WINDOWS\kbip.exe
O4 - HKLM\..\Run: [clubgr] C:\WINDOWS\clubgr.exe
O4 - HKLM\..\Run: [ninmt] C:\WINDOWS\ninmt.exe
O4 - HKLM\..\Run: [ipenwbcf] C:\WINDOWS\ipenwbcf.exe
O4 - HKLM\..\Run: [zgr] C:\WINDOWS\zgr.exe
O4 - HKLM\..\Run: [oxytwf] C:\WINDOWS\oxytwf.exe
O4 - HKLM\..\Run: [kfsxejav] C:\WINDOWS\kfsxejav.exe
O4 - HKLM\..\Run: [ufsnkh] C:\WINDOWS\ufsnkh.exe
O4 - HKLM\..\Run: [pkz] C:\WINDOWS\pkz.exe
O4 - HKLM\..\Run: [pwbiz] C:\WINDOWS\pwbiz.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [richup] C:\WINDOWS\System32\richup.exe
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteskg32.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\humrpr.exe reg_run
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Nhkzrx.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [43oj3mQ] vbaadmin.exe
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [vzypre] c:\windows\system32\elfudcg.exe r
O4 - HKLM\..\RunOnce: [bfgtoolbar]

"C:\Program Files\bfgtoolbar\"
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft

AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe"

-turbo
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft

Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program

Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} -

C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

(no file)
O14 - IERESET.INF:
O15 - Trusted Zone: http://www.hesiinet.com (HKLM)
O16 - DPF: Video Poker - http://download.games.yahoo.com/games/clients/y/vpt0_x.cab
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt4_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot7_x.cab
O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/games/clients/y/dtt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -

http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunes

Setup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -

http://software-dl.real.com/05884f4089c79a231020/netzip/RdxIE601.cab
O16 - DPF: {5C4EB11A-2078-432E-92FE-0CB2ACD6D071} (m2wFTPClient.M2WFTPControl) -

http://mail.arabia.com/mail/FTP/m2wFTPClient.CAB
O16 - DPF: {5E8FD788-C323-4357-AB76-7CBCEFBA573C} (SpyBouncer.SBDownloader) -

http://www.spybouncer.com/downloader.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -

http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?110

1841999984
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell Control) -

http://www.worldwinner.com/games/v40/freecell/freecell.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) -

http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) -

http://www.worldwinner.com/games/v55/cubis/cubis.cab
O16 - DPF: {9D8D7672-93FF-417E-9024-C16AD141C50C} (Haunted Control) -

http://www.worldwinner.com/games/v48/haunted/haunted.cab
O16 - DPF: {ACEFFC26-4628-11D1-B14A-105C01C13001} (WSpell Spelling Checker Control) -

http://www.placepro.com/students/wspell.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) -

http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -

http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) -

http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) -

http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =

Files\Cas\Client\casmf.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Altiris Client Service (AClient) - Unknown owner -

C:\Altiris\AClient\AClient.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program

Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

2
Contributors
1
Reply
2
Views
12 Years
Discussion Span
Last Post by DMR
0

Hi kingdawiyd, welcome to the site. :)

You've got quite a few infections in that log, but you need to take care of a couple of things before we can work on it:

1. The formatting of the log you posted has strange line breaks and spacings in it, which makes it rather difficult to read. Have a look at some of the other threads here to see how a properly-posted log should look and post another log whose formatting resembles those.


2. You indicated that you edited your post to remove personal information. That's certainly OK, but if you removed entire lines/entries from your log in doing so, you will need to not do that when you post your next log. We need to see as much information as possible in order to identify and remove all of the infections you have. If want to protect information such as your name or your IP address, just replace that specific information with asterisks, but leave everything else as is.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.