
Help my hijack log

Started by Jeebus, May 24, 2005, 07:08:47 PM


Jeebus

I am always unsure when making changes to system-sensitive files.

If someone could check this log and tell me what needs to be fixed (second opinion) I would appreciate it.


Logfile of HijackThis v1.99.1
Scan saved at 8:04:52 PM, on 5/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Antivirus Platinum\apvxdwin.exe
C:\WINDOWS\system32\atlwv32.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavProxy.exe
C:\Program Files\Winamp\winamp.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\avosq.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\avosq.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\avosq.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\avosq.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\avosq.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\avosq.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\avosq.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {D62AF7AD-07CE-E9A0-FD1B-568C456795DE} - C:\WINDOWS\netdh.dll
O2 - BHO: Class - {EE2EFEB6-458C-9929-89B7-2B57E8D00712} - C:\WINDOWS\d3vt32.dll
O4 - HKLM\..\Run: [atlwv32.exe] C:\WINDOWS\system32\atlwv32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunOnce: [d3gn32.exe] C:\WINDOWS\system32\d3gn32.exe
O4 - HKLM\..\RunOnce: [ienh32.exe] C:\WINDOWS\system32\ienh32.exe
O4 - HKLM\..\RunOnce: [appyx.exe] C:\WINDOWS\system32\appyx.exe
O4 - HKLM\..\RunOnce: [apiyt.exe] C:\WINDOWS\system32\apiyt.exe
O4 - HKLM\..\RunOnce: [ntzb32.exe] C:\WINDOWS\system32\ntzb32.exe
O4 - HKLM\..\RunOnce: [sdkfn.exe] C:\WINDOWS\system32\sdkfn.exe
O4 - HKLM\..\RunOnce: [ieur32.exe] C:\WINDOWS\ieur32.exe
O4 - HKLM\..\RunOnce: [winpc.exe] C:\WINDOWS\system32\winpc.exe
O4 - HKLM\..\RunOnce: [crhs.exe] C:\WINDOWS\crhs.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://swgbetareg.station.sony.com/soesysinfo.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\d3gn32.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe

E.J.FUDD

O4 - HKLM\..\RunOnce: [crhs.exe] C:\WINDOWS\crhs.exe

that's a lil bugger that needs to be pulled out, there are some extensions,
Major Geeks has a bit on it.

just get rid of crap..
R3 - Default URLSearchHook is missing

this is usually a hook when I've seen it come up on HijackThis..THERE ARE SEVERAL NASTY lil buggers that do this
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\avosq.dll/sp.html#37049
there is also more hidden after this type of input but it is hidden..

so get rid of all this..
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\avosq.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\avosq.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\avosq.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\avosq.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\avosq.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\avosq.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\avosq.dll/sp.html#37049



holy crap batman i think without research this is a nasty nest of crap....
O2 - BHO: Class - {D62AF7AD-07CE-E9A0-FD1B-568C456795DE} - C:\WINDOWS\netdh.dll
O2 - BHO: Class - {EE2EFEB6-458C-9929-89B7-2B57E8D00712} - C:\WINDOWS\d3vt32.dll
O4 - HKLM\..\Run: [atlwv32.exe] C:\WINDOWS\system32\atlwv32.exe

O4 - HKLM\..\RunOnce: [d3gn32.exe] C:\WINDOWS\system32\d3gn32.exe
O4 - HKLM\..\RunOnce: [ienh32.exe] C:\WINDOWS\system32\ienh32.exe
O4 - HKLM\..\RunOnce: [appyx.exe] C:\WINDOWS\system32\appyx.exe
O4 - HKLM\..\RunOnce: [apiyt.exe] C:\WINDOWS\system32\apiyt.exe
O4 - HKLM\..\RunOnce: [ntzb32.exe] C:\WINDOWS\system32\ntzb32.exe
O4 - HKLM\..\RunOnce: [sdkfn.exe] C:\WINDOWS\system32\sdkfn.exe
O4 - HKLM\..\RunOnce: [ieur32.exe] C:\WINDOWS\ieur32.exe
O4 - HKLM\..\RunOnce: [winpc.exe] C:\WINDOWS\system32\winpc.exe
O4 - HKLM\..\RunOnce: [crhs.exe] C:\WINDOWS\crhs.exe


reformat...that's a lot of crap. crippling even if removed.
yea though i walk through the valley of death i shall fear no evil for i tread upon the bones of its forefathers
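The reply above picks out the same kinds of entries a practitioner would flag in a HijackThis log: R0/R1 search and start pages pointed at a res:// URL inside a DLL dropped in C:\WINDOWS, a missing URLSearchHook, unnamed BHOs loaded from the Windows directory, Run/RunOnce entries that start random-looking executables from system32, and a service whose short name is garbage characters. The script below is an added example, not part of the original post and not HijackThis code: it parses lines in that format and applies those heuristics. The sample lines are copied from the log posted in this thread; the allowlist and the scoring rules are illustrative assumptions, not a vetted signature database.

```python
"""Heuristic triage of HijackThis-style log lines.

Added example for this thread; not part of the original post and not
HijackThis code. Sample lines are copied from the log posted above; the
allowlist and the scoring rules are illustrative assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Assumption: startup entries known to belong to software installed on this box.
KNOWN_GOOD_RUN = {"nvcpldaemon"}

# A CWS-style hijack points IE's search/start pages at a res:// URL inside a
# DLL dropped directly into the Windows directory.
RES_DLL = re.compile(r"^res://c:\\windows\\[^\\]+\.dll/", re.IGNORECASE)
# Executables/DLLs sitting directly in C:\WINDOWS or C:\WINDOWS\system32.
WINDIR_EXE = re.compile(r"^c:\\windows\\(system32\\)?[^\\]+\.exe$", re.IGNORECASE)
WINDIR_DLL = re.compile(r"^c:\\windows\\[^\\]+\.dll$", re.IGNORECASE)

LINE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
BHO = re.compile(r"^BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.*)$")
RUN = re.compile(r"^HK\w+\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
SERVICE = re.compile(r"^Service: (.*?) \((.*)\) - (.*?) - (.*)$")

# Sample input: lines copied from the log in the thread (raw string so the
# backslashes and the garbled service name survive unchanged).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\avosq.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\avosq.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {D62AF7AD-07CE-E9A0-FD1B-568C456795DE} - C:\WINDOWS\netdh.dll
O4 - HKLM\..\Run: [atlwv32.exe] C:\WINDOWS\system32\atlwv32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunOnce: [crhs.exe] C:\WINDOWS\crhs.exe
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\d3gn32.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


@dataclass
class Finding:
    section: str
    severity: str   # "high" or "info"
    reason: str
    line: str


def parse_line(line):
    """Split an entry into its HijackThis section tag and the rest of the line."""
    m = LINE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def check_entry(section, body):
    """Return (severity, reason) pairs for one parsed entry."""
    reasons = []
    if section in ("R0", "R1"):
        key, _, value = body.partition(" = ")
        if RES_DLL.match(value):
            reasons.append(("high", "IE search/start page redirected into a res:// DLL in C:\\WINDOWS"))
        elif key.endswith("Default_Page_URL") and value == "about:blank":
            reasons.append(("info", "Default_Page_URL is about:blank (the symptom the thread describes; harmless by itself)"))
    elif section == "R3" and "missing" in body:
        reasons.append(("high", "Default URLSearchHook has been removed"))
    elif section == "O2":
        m = BHO.match(body)
        if m and m.group(1).strip() in ("", "Class", "(no name)") and WINDIR_DLL.match(m.group(2)):
            reasons.append(("high", "unnamed BHO loaded from a DLL directly in C:\\WINDOWS"))
    elif section == "O4":
        m = RUN.match(body)
        if m and m.group(2).lower() not in KNOWN_GOOD_RUN and WINDIR_EXE.match(m.group(3)):
            reasons.append(("high", f"unrecognised {m.group(1)} entry starts an executable from the Windows directory"))
    elif section == "O23":
        m = SERVICE.match(body)
        if m:
            short, owner, path = m.group(2), m.group(3), m.group(4)
            if any(ord(c) < 32 or ord(c) > 126 for c in short):
                reasons.append(("high", "service short name contains non-ASCII/non-printable characters"))
            if owner == "Unknown owner" and WINDIR_EXE.match(path):
                reasons.append(("high", "service with unknown owner runs from the Windows directory"))
    return reasons


def triage(lines):
    """One Finding per suspicious line; several reasons on one line are joined."""
    findings = []
    for raw in lines:
        parsed = parse_line(raw)
        if not parsed:
            continue
        section, body = parsed
        hits = check_entry(section, body)
        if hits:
            severity = "high" if any(s == "high" for s, _ in hits) else "info"
            findings.append(Finding(section, severity, "; ".join(r for _, r in hits), raw.strip()))
    return findings


def summarize(findings):
    """Count findings per HijackThis section."""
    return dict(Counter(f.section for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"[{f.severity:4}] {f.section:3} {f.reason}\n         {f.line}")
    print(summarize(triage(SAMPLE_LOG.splitlines())))
```

On the sample lines the script flags every entry the reply singled out and leaves the Adobe BHO, the NVIDIA Run entry and the NVIDIA service alone; the about:blank start page is reported at "info" level because it is a legitimate user setting on its own and only suspicious in the company of the res:// redirects.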

crypticknight

jeebs just format your hard drive :)

Jeebus

I got it all out manually after about 7 hours.

The reason why I didn't want to reformat is I just ripped most of my CDs into MP3s and also UT2k4 and Doom3 are running from this hard drive, I don't have disc copies of those.

Everything is ok now, better than when that even started...

Thanks for the help though, I wasn't waiting for replies... it took 3 utilities to remove it, CWShredder, Spybot, and Ad-aware.

I ran Panda Antivirus and those programs in safe mode, and all the stuff that popped up, I manually made sure was deleted; I cleared all my restore points and emptied my recycle bin, and it's been running fine for 2 days.

E.J.FUDD

May 26, 2005, 10:02:26 PM #4 Last Edit: May 26, 2005, 10:10:39 PM by E.J.FUDD
scopin out your HKCU for dangle files or trojan droppers...those droppers are a mother F.... well they are nasty, I had one written in Java.

AND JEEBUS.. Delete the Prefetch folder in C:\WINDOWS and Delete Memory.dmp in C:\WINDOWS or was it C:\WINDOWS\System32
and that lil crhs diddy... everyone keeps talking about downloading a prog called..ABOUT BUSTER to be able to remove it.

i ran..
spy bot,
ccleaner..this mo is awesome, but it will erase all temp information and run through your registry to get rid of stuff that's no longer!...I HIGHLY RECOMMEND THIS

ran hijackthis,
avg anti virus
Norton's (but it was screwed thanks to CWS..
ran panda titanium
adaware se


and still had files that lingered..i had to go get PILLBOX KILLBOX, to strategically kill some files..

HOPE no one finds a file in C:\programs\!submit with about 6 exe's inside on their hdd.

Balaso

I've had some rather awesome luck with this: http://www.adwareaway.com/
MURPHEY'S LAW: Anything that can go wr...+\#&\% Bus Error -- Core Dumped

sK_Cookie

one word: BHO

use Microsoft's AntiSpyware beta to remove all of your BHOs that caused your about:blank as default website. It will clean your box right up.