hijack log...please help me get rid of them...

Question

xan8oulis 0 Newbie Poster

20 Years Ago

first of all a big HI to all of the people in the forum!its nice to b in the company now...
if i could get rid of those search engines too, it would b great!!!
please take a look!

Logfile of HijackThis v1.98.2
Scan saved at 1:36:52 πμ, on 15/9/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\greg\LOCALS~1\Temp\Rar$EX00.188\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=543
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\3v8f46ieb1jyky.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Road Iso] C:\PROGRA~1\Mp3Acid\bird peak.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [pnpsvc_lock] C:\WINDOWS\System32\186901.exe
O4 - HKLM\..\Run: [fzfmuxlmyn] C:\WINDOWS\System32\afktzc.exe
O4 - HKLM\..\Run: [romahere] C:\WINDOWS\System32\matrixhere.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [sp] C:\sp.exe
O4 - HKCU\..\Run: [romahere] C:\WINDOWS\System32\matrixhere.exe
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0191ABF4-9421-435E-9FFD-CD827A2A82D8} (SBITAX7Ctrl Class) - http://ultimateplugin.com/tl7000.dll
O16 - DPF: {706F3805-27D7-478D-80E5-E25D2BB030B3} (VacPro.internazionale_ver3) - http://www.advnt01.com/dialer/internazionale_ver3.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{62972474-AC67-4353-9A2D-A4064560D00D}: Domain = aueb.gr
O17 - HKLM\System\CCS\Services\Tcpip\..\{62972474-AC67-4353-9A2D-A4064560D00D}: NameServer = 195.251.255.142
O17 - HKLM\System\CS1\Services\Tcpip\..\{62972474-AC67-4353-9A2D-A4064560D00D}: Domain = aueb.gr
O17 - HKLM\System\CS1\Services\Tcpip\..\{62972474-AC67-4353-9A2D-A4064560D00D}: NameServer = 195.251.255.142
O17 - HKLM\System\CS2\Services\Tcpip\..\{62972474-AC67-4353-9A2D-A4064560D00D}: Domain = aueb.gr
O17 - HKLM\System\CS2\Services\Tcpip\..\{62972474-AC67-4353-9A2D-A4064560D00D}: NameServer = 195.251.255.142
O20 - AppInit_DLLs: zsjzgb36mnnzp.dll

windows-virus

3 Contributors
6 Replies
166 Views
4 Days Discussion Span
Latest Post 20 Years Ago Latest Post by crunchie

dlh6213 27 Posting Maven

20 Years Ago

Before you fix anything with HJT, you need to put it in a permanent folder so that it can save backups in case something goes wrong. Right now you're running it from a temp folder. Put it in a folder like this -- C:\hjt\HijackThis.exe

Your Windows and Internet Explorer both need to updated as well. Before upgrading to SP2, review this thread:
http://www.daniweb.com/techtalkforums/thread10031.html

dlh6213 27 Posting Maven

20 Years Ago

That link should have directed you to the top thread in the Windows NT/2000/XP/2003 forum (discussing SP2).

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

xan8oulis 0 Newbie Poster · Answer 1 · 2004-09-15T20:53:36+00:00

i think i did it right this time ha? but when i want to follow the link i just cant!
i also when i try to use the search ability, the window wont open...HEPL!

Logfile of HijackThis v1.98.2
Scan saved at 5:31:17 μμ, on 15/9/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\msiexec.exe
C:\hijack\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/sp.htm?id=543
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.betaholics.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://super-spider.com/sp.htm?id=543
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\3v8f46ieb1jyky.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Road Iso] C:\PROGRA~1\Mp3Acid\bird peak.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [pnpsvc_lock] C:\WINDOWS\System32\186901.exe
O4 - HKLM\..\Run: [fzfmuxlmyn] C:\WINDOWS\System32\afktzc.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.7\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {0191ABF4-9421-435E-9FFD-CD827A2A82D8} (SBITAX7Ctrl Class) - http://ultimateplugin.com/tl7000.dll
O16 - DPF: {706F3805-27D7-478D-80E5-E25D2BB030B3} (VacPro.internazionale_ver3) - http://www.advnt01.com/dialer/internazionale_ver3.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{62972474-AC67-4353-9A2D-A4064560D00D}: Domain = aueb.gr
O17 - HKLM\System\CCS\Services\Tcpip\..\{62972474-AC67-4353-9A2D-A4064560D00D}: NameServer = 195.251.255.142
O17 - HKLM\System\CS1\Services\Tcpip\..\{62972474-AC67-4353-9A2D-A4064560D00D}: Domain = aueb.gr
O17 - HKLM\System\CS1\Services\Tcpip\..\{62972474-AC67-4353-9A2D-A4064560D00D}: NameServer = 195.251.255.142
O20 - AppInit_DLLs: zsjzgb36mnnzp.dll

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 2 · 2004-09-17T17:27:45+00:00

Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/sp.htm?id=543
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://super-spider.com/sp.htm?id=543

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\3v8f46ieb1jyky.dll

O4 - HKLM\..\Run: [pnpsvc_lock] C:\WINDOWS\System32\186901.exe
O4 - HKLM\..\Run: [fzfmuxlmyn] C:\WINDOWS\System32\afktzc.exe
O4 - Global Startup: winlogin.exe

O16 - DPF: {0191ABF4-9421-435E-9FFD-CD827A2A82D8} (SBITAX7Ctrl Class) - http://ultimateplugin.com/tl7000.dll
-DirectPlugin Dialer
O16 - DPF: {706F3805-27D7-478D-80E5-E25D2BB030B3} (VacPro.internazionale_ver3) - http://www.advnt01.com/dialer/internazionale_ver3.CAB
-7AdPower Dialer

O20 - AppInit_DLLs: zsjzgb36mnnzp.dll

Reboot into safe mode following the instructions here & navigate to & delete the following if found:

C:\WINDOWS\System32\186901.exe-file
C:\WINDOWS\System32\afktzc.exe-file
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe-file

Reboot normally.

Download CWShredder from here & run it. Select the fix button & it will fix everything related to CoolWebSearch that is stored in it's database. Close ALL windows, including Internet Explorer, before running CWShredder. Reboot.

To help prevent this from happening again, install the patches for the vulnerabilities that this hijacker exploits by going here for your critical updates.

Reboot after doing this & post another log please.

xan8oulis 0 Newbie Poster · Answer 3 · 2004-09-19T09:06:53+00:00

good morning guys and thanks for everything!
i`ve tried to do what u told me to, and here are the results:

Logfile of HijackThis v1.98.2
Scan saved at 5:57:59 πμ, on 19/9/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe
C:\hijack\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.betaholics.com/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Road Iso] C:\PROGRA~1\Mp3Acid\bird peak.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.7\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.greg-search.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{62972474-AC67-4353-9A2D-A4064560D00D}: Domain = aueb.gr
O17 - HKLM\System\CCS\Services\Tcpip\..\{62972474-AC67-4353-9A2D-A4064560D00D}: NameServer = 195.251.255.142
O17 - HKLM\System\CS1\Services\Tcpip\..\{62972474-AC67-4353-9A2D-A4064560D00D}: Domain = aueb.gr
O17 - HKLM\System\CS1\Services\Tcpip\..\{62972474-AC67-4353-9A2D-A4064560D00D}: NameServer = 195.251.255.142
O20 - AppInit_DLLs: zsjzgb36mnnzp.dll

i have to make two remarks tho, firstly is that when i tried to delete the file winlogin.exe the following message came up, "unable to delete the file O4 - Global Startup: winlogin.exe" and it continued..."the file may be in use!use task manager to shut down the program and run hijackrthis again to delete the file"
the problem is that when i opened the task manager the only file that seemed like winlogin.exe was winlogon.exe and of course i didnt delete it coz i didnt know the consequenses!
and another thing,when i try to reach the page of windows-update the same search page keeps popping up!and my nerves are breaking down with this situation! PLEASE HELP ME!!!
doing a format would help the situation?but what can i do to protect my self from that happening again???

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 4 · 2004-09-19T17:04:51+00:00

Run hijackthis & go to config\misc tools\delete a file on reboot & either browse to winlogin.exe, or paste it's full path into the line. Reboot & check to see if it is still there. If it is, Download moveonboot from here & the file(s) you choose will be deleted on reboot. Simply right click on the file & choose delete on reboot.

MoveOnBoot allows you to copy, move or delete files on the next system boot. This comes in very handy, if you need to replace or delete files which are locked by other applications, loaded into memory or cannot be changed until next system boot. You could manually enter a line to the wininit files, but using MoveOnBoot is much simpler, since the program can be integrated into shell - it creates the "Copy/Move/Delete on boot" context menu item.

Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

O4 - HKLM\..\Run: [Road Iso] C:\PROGRA~1\Mp3Acid\bird peak.exe
O4 - Global Startup: winlogin.exe

O15 - Trusted Zone: *.greg-search.com

O20 - AppInit_DLLs: zsjzgb36mnnzp.dll

Click Start>Settings>Control Panel>Add or Remove Programs and uninstall 'Window Search', 'Window Searching', 'Lop.com', 'LOP SEARCH', 'Browser Enhancer', or 'Ultimate Browser Enhancer' if listed. You may be given a code to insert, do so and reboot when done. If not listed there, run this uninstaller:
http://members.rogers.com/rjmac/new_uninstall.exe

Reboot after doing the above then post a fresh log please.