0

heres my log file from my scan


Logfile of HijackThis v1.97.7
Scan saved at 11:27:06, on 15/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\ctfmon.exe
C:\Documents and Settings\lee\Desktop\aiepk2.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\lee\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://s7.invisionfree.com/Xxplosive/index.php?act=idx
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://s7.invisionfree.com/Xxplosive/index.php?act=idx
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL
O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINDOWS\System32\SWin32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [CTFMON.EXE] C:\WINDOWS\ctfmon.exe .
O4 - HKLM\..\Run: [aiepk] C:\Documents and Settings\lee\Desktop\aiepk2.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Global Startup: Search.vbs
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: 550Access Toolbar Serach - C:\Program Files\550AccessToolbar\550accessmenusearch.htm
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {086A694F-91FB-4068-B44C-124FB69BF05D} - http://www.searchwww.com/search.cab
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binaries/IA/dtc32_EN_XP.cab
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.derbytechsys.com/remote/msrdp.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9E1089BC-1AE8-4685-8D77-6721E5C318A8} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {FE4BBEA8-1EFD-4B8A-BD1B-341CCDBEEAA6} (Dhsigned Control) - http://ads.dealhelper.com/updates/DealHelperNew.cab
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B2F49FB} - http://www.dikai.com/em-meuk.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{C878ED15-B3D5-4B61-9671-62D37782D29B}: NameServer = 217.79.111.7

please can somebody tell me what i need to delete and how

thanks

2
Contributors
4
Replies
5
Views
13 Years
Discussion Span
Last Post by caperjack
0

Important: Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.
Unzip HijackThis into this folder. When you run HijackThis from this folder and have it "Fixed checked" it will create a backup file of modifications to use if restore is necessary.

0

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.


O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL

O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINDOWS\System32\SWin32.dll

O3 - Toolbar: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)

O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe

HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe

O4 - Global Startup: Search.vbs


O16 - DPF: {086A694F-91FB-4068-B44C-124FB69BF05D} - http://www.searchwww.com/search.cab

O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binari...dtc32_EN_XP.cab

O16 - DPF: {9E1089BC-1AE8-4685-8D77-6721E5C318A8} - http://dload.ipbill.com/del/loader.cab
-Coulomb Dialer Variant

O16 - DPF: {FE4BBEA8-1EFD-4B8A-BD1B-341CCDBEEAA6} (Dhsigned Control) - http://ads.dealhelper.com/updates/DealHelperNew.cab

O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B2F49FB} - http://www.dikai.com/em-meuk.exe


Now reboot into safe mode and delete the following files and folders if found .

C:\Program Files\ClearSearch ... delete folder


C:\WINDOWS\System32\automove.exe ...delete file

O4 - Global Startup: Search.vbs ..delete file


to delete the above files and folder you will need to do the following
go to
Show hidden files & folders

"Fix Checked"...Reboot to SAFE mode to delete files
How to start computer in safe mode

reboot computer and post a new log,you can just copy and paste the log here ,makes reading it easier than scroling around the code !!thanks

0

this is what i have now!

I wasnt sure how to do the whole "safe mode" reboot :rolleyes:

is this any better?

Logfile of HijackThis v1.97.7
Scan saved at 13:27:08, on 15/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\ctfmon.exe
C:\Documents and Settings\lee\Desktop\aiepk2.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\lee\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://s7.invisionfree.com/Xxplosive/index.php?act=idx
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://s7.invisionfree.com/Xxplosive/index.php?act=idx
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [CTFMON.EXE] C:\WINDOWS\ctfmon.exe .
O4 - HKLM\..\Run: [aiepk] C:\Documents and Settings\lee\Desktop\aiepk2.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: 550Access Toolbar Serach - C:\Program Files\550AccessToolbar\550accessmenusearch.htm
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.derbytechsys.com/remote/msrdp.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C878ED15-B3D5-4B61-9671-62D37782D29B}: NameServer = 217.79.111.7

btw..

i keep finding that "xxx toolbar" when i use spysweeper and never can get rid of it, I dont go on porn sites or anything to do with "xxx" so where is this coming from?

0

To get to safe mode ,
To get into the Windows 2000 / XP Safe mode as the computer is booting press and hold your "F8 Key" which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode" and press your Enter key.

did you miss fixing this one and uninstalling it ! if so follow the fix /delete directions again!

O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe

Fix these 2 also
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.