Hijack Log - HELP
   

speer
New Member


Date Joined Aug 2004
Total Posts : 1
 
Posted 8-13-2004 12:29 (GMT +1)
So I have the newest, updated versions for Norton AntiVirus, Spyware Doctor, and Lavasoft Ad-Aware. Of course, I'm still hijacked.

Logfile of HijackThis v1.98.0
Scan saved at 7:11:56 PM, on 8/12/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\Program Files\LINKSYS\Configuration Utility\PRISMSTA.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Speer\Desktop\HiJackThis_Last.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Speer\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Speer\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Speer\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Speer\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Speer\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Speer\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1F4E0EEE-BFCA-4A3B-AC05-07146D789C03} - C:\WINNT\system32\ddapnl.dll
O2 - BHO: (no name) - {BDB80B03-7286-40B2-9A67-CF35EE015F02} - C:\WINNT\system32\ddapnl.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\LINKSYS\Configuration Utility\PRISMSTA.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless-B PCI Adapter Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/12ee51d9cfedb46c7805/netzip/RdxIE601.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O18 - Filter: text/html - {BDA34DBA-42B9-4611-A04A-7587AFE0AB7A} - C:\WINNT\system32\ddapnl.dll
O20 - AppInit_DLLs: NVDESK32.DLL
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINNT\system32\Eaokoe32.dll
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 13599
 
Posted 8-13-2004 6:38 (GMT +1)
Hey speer
Cwshredder: http://www.spywareinfo.com/~merijn/downloads.html
http://www.softpedia.com/public/cat/10/17/10-17-150.shtml
Unzip to own folder, update if needed
Leave the programs.
Disable system restore: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239?OpenDocument&src=sec_doc_nam
Reboot to safe mode - F8
Start > Run, type: regedit
Find: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Check for a key called HOMEOldsp; if present, delete it.
And if you have some files in searchpage/searchbar which end with …\sp, delete them.
Go to Edit in the registry and type: HOMEOldsp. Click Find Next; delete it if present.
Use F3 to search for more; if you find more, delete them.
Same procedure with About:blank
Close Registry.
Run Hijackthis, close all other windows, put a checkmark next to these and fix:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Speer\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Speer\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Speer\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Speer\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Speer\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Speer\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {1F4E0EEE-BFCA-4A3B-AC05-07146D789C03} - C:\WINNT\system32\ddapnl.dll
O2 - BHO: (no name) - {BDB80B03-7286-40B2-9A67-CF35EE015F02} - C:\WINNT\system32\ddapnl.dll
O18 - Filter: text/html - {BDA34DBA-42B9-4611-A04A-7587AFE0AB7A} - C:\WINNT\system32\ddapnl.dll
Show hidden files:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339?Open&src=ent&docid=2002092514302348&nsf=ent-security.nsf&view=docid&dtype=corp&prod=Symantec%20AntiVirus%20Corporate%20Edition&ver=8.x&osv=&osv_lvl=
Find and delete:
C:\DOCUME~1\Speer\LOCALS~1\Temp\sp.html <<<< Empty Temp folder
C:\WINNT\system32\ddapnl.dll

Run Cwshredder, disconnect from the net, close all other windows - fix.
Run the regcleaner
And Ad-Aware:
Go to Start > Programs > Lavasoft and click on AdAware 6 to open the program
 Look at the icons on the top right of the page and click on the ‘world’ and let AdAware update the spyware reference list
 Once the update is finished click on the ‘Gear’ icon (second from the left) to access the preferences/settings window
 In the "General" window make sure the following are selected:
Automatically save log-file
Automatically quarantine objects prior to removal
Safe Mode (always request confirmation)


Click on the "Scanning" button on the left and select :
Scan Within Archives
Scan Active Processes
Scan Registry
Deep Scan Registry
Scan my IE favorites for banned URLs
Scan my Hosts file
Under ‘Click here to select drives + folders’, choose:
All of your hard drives


Click on the "Advanced" button on the left and select:
Include additional process information
Include additional file information
Include environment information
Include additional object details


Click the "Tweak" button and select:
Under the "Scanning Engine":
Unload recognized processes during scanning
Include basic Ad-aware settings in logfile
Include additional Ad-aware settings in logfile
Under the ‘Cleaning Engine’:
Let Windows remove files in use at next reboot


Click on "Proceed" to save the settings.


Click -Start- and on the next screen choose "Activate in-depth Scan" at the bottom of the page and then choose:
Use Custom Scanning Options


Click -Next- and AdAware will scan your hard drive(s) with the options you have selected.
After the scan, put a checkmark next to everything it finds, then click "finish"



Take one of the first seven links, activate all, in settings
And post new log
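
The kind of triage the reply above applies to the log, as an added example that is not part of the original post or of HijackThis: a short Python parser that reads `R*`/`O*` entries and marks the ones matching a few heuristics. The heuristics are assumptions inferred from which lines the reply selects (IE page settings pointing at a local file, a `HomeOldSP` value, unnamed BHOs, one DLL registered under several CLSIDs); they mark entries for review, not verdicts, and the sample lines are copied from the log posted above.

```python
import re
from collections import defaultdict

# Sample input: a few lines copied from the log posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Speer\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1F4E0EEE-BFCA-4A3B-AC05-07146D789C03} - C:\WINNT\system32\ddapnl.dll
O2 - BHO: (no name) - {BDB80B03-7286-40B2-9A67-CF35EE015F02} - C:\WINNT\system32\ddapnl.dll
O18 - Filter: text/html - {BDA34DBA-42B9-4611-A04A-7587AFE0AB7A} - C:\WINNT\system32\ddapnl.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
"""

ENTRY = re.compile(r"^(R[0-3]|O\d{1,2}) - (.+)$")            # "O2 - <body>"
CLSID_PATH = re.compile(r"(\{[0-9A-Fa-f-]{36}\}) - (.+)$")   # "{CLSID} - <file>"

def parse(log_text):
    """Yield (section, body) for each R*/O* entry; other lines are skipped."""
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def triage(log_text):
    """Return {entry_line: [reasons]} for entries matching the heuristics."""
    entries = list(parse(log_text))
    clsids_by_path = defaultdict(set)      # file path -> CLSIDs that load it
    for section, body in entries:
        m = CLSID_PATH.search(body)
        if section in ("O2", "O18") and m:
            clsids_by_path[m.group(2).lower()].add(m.group(1))
    flagged = {}
    for section, body in entries:
        reasons = []
        if section in ("R0", "R1"):
            name, _, value = body.partition(" = ")
            if value.lower().startswith("file://"):
                reasons.append("IE page setting points at a local file")
            if name.lower().endswith(",homeoldsp"):
                reasons.append("HomeOldSP value present")
        m = CLSID_PATH.search(body)
        if section == "O2" and "(no name)" in body:
            reasons.append("BHO has no registered name")
        if m and len(clsids_by_path[m.group(2).lower()]) > 1:
            reasons.append("same DLL registered under several CLSIDs")
        if reasons:
            flagged[f"{section} - {body}"] = reasons
    return flagged
```
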






