PDA

View Full Version : HSA Log File Help

Volturius115
30 Apr 2005, 9:38pm
here is the log file :)

Logfile of HijackThis v1.99.1
Scan saved at 4:36:24 PM, on 4/30/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\SYSTEM\winlogon.exe
C:\WINDOWS\SYSTEM32\WINS\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\netnw32.exe
C:\Program Files\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ntmx32.exe
C:\WINDOWS\System32\rnvlaa.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\You\Desktop\hijackthis_199\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://64.124.210.131/index.php?qq=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://64.124.210.131/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://64.124.210.131/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\aowmm.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\aowmm.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\aowmm.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\aowmm.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\aowmm.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://64.124.210.131/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\aowmm.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://64.124.210.131/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\aowmm.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://64.124.210.131/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F1 - win.ini: run=fntldr.exe
O2 - BHO: (no name) - {9DE1545A-6CDE-C52E-C2EE-15ABB18D6F1A} - C:\WINDOWS\system32\iegi32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ntmx32.exe] C:\WINDOWS\system32\ntmx32.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rnvlaa.exe
O4 - HKLM\..\RunServices: [Windows Runtime Proccess] 32RUNdll.exe
O4 - HKLM\..\RunServices: [Microsoft--Updates] sxvhost.exe
O4 - HKLM\..\RunServices: [Workstation Services] wrkstn.exe
O4 - HKLM\..\RunServices: [Microsoft Macro Protection Subsystems] msmacroprot32.exe
O4 - HKLM\..\RunServices: [Windows Registry Scan] regscan.exe
O4 - HKLM\..\RunServices: [Windows Debugger] windbg.exe
O4 - HKLM\..\RunServices: [Win32 Configuration] videosd32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunServices: [Windows USB controler] winusb.exe
O4 - HKCU\..\RunServices: [Windows Runtime Proccess] 32RUNdll.exe
O4 - HKCU\..\RunServices: [Microsoft--Updates] sxvhost.exe
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: >>> FREE PORN GALLERIES <<< - javascript:{document.**********'http://sexmaxx.com/freegalleries.htm';}
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {A80F2DB2-80A9-4834-8F5A-4AB70F4EF4C3} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: IMI - {A80F2DB2-80A9-4834-8F5A-4AB70F4EF4C3} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.bargain-buddy.net/download/bargain_buddy/cab/installer_MEDIAWHIZ8.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=e685f42af16b4ae133fb6395c0ae1826074370b6ef2ab58c7b394a46b7785ed02dcd1d18afd71cf37a3273507e405440345a19b4981e02e4ec71b0834b3328:522a1c137ec85ca995271ab95b94951b
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_1002144.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_40/QDow_AS2.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.7.16/ttinst.cab
O16 - DPF: {EEF29D20-9A47-4657-ADF7-283EC2504001} - http://download.bigwebportal.com/toolbar2/winenc32.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{762497DC-2430-49A1-8AF3-77CB9AC54C9A}: NameServer = 206.72.209.27 206.72.209.56
O19 - User stylesheet: (file missing)
O20 - Winlogon Notify: WB - C:\PROGRA~1\OBJECT~1\WINDOW~1\fastload.dll
O21 - SSODL: systemie - {0A58DEAE-BFC9-4A7F-85F4-6C3F8AE732F3} - sysie.dll (file missing)
O21 - SSODL: systemp - {13C16E5A-A482-4B3D-8442-18E53BDEDA42} - systemp.dll (file missing)
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Cnfjgckb.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Network Client (nwclntf) - Unknown owner - C:\WINDOWS\SYSTEM\winlogon.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\SYSTEM32\WINS\svchost.exe" /service (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe
O23 - Service: Network Security Service (%AF夶À¨) - Unknown owner - C:\WINDOWS\netnw32.exe

please tell me what to delete
Dexter
1 May 2005, 12:50am
Welcome to Short-Media. If you are not sure how to do some of the things I tell you, check the links I provide for instructions. You may want to print these instructions out for easy reference, or copy and paste to Notepad. Do not leave your browser open while performing these fixes.

Please make sure that HijackThis.exe is in its own folder, as explained here. (http://www.short-media.com/forum/showpost.php?p=172584&postcount=2) I can see from your log file that yours is installed on your desktop, which is not a good place for it, read the explanantion why inthe link I just gave you.

Set your system to Show Hidden Files and folders. (http://www.short-media.com/forum/showpost.php?p=172588&postcount=3)

For Windows XP or ME, Disable System Restore. (http://www.short-media.com/forum/showpost.php?p=172591&postcount=4)


PULL THE POWER PLUG ON YOUR COMPUTER. Do not use the Start menu or the front power switch to shut your computer down. This step is called a HARD BOOT, and prevents files from renaming themselves during a soft boot.

Wait a few seconds, and plug the power cord back in. When it starts up, boot into Safe Mode (http://www.short-media.com/forum/showpost.php?p=175908&postcount=6).

Make sure that all Internet Explorer or any other browser windows or internet applications are closed. Do not have any other unnecessary programs running.


Run Hijack This. FIX THE FOLLOWING (place a checkmark beside the entries, and then press the Fix Checked button) :

**************


R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://64.124.210.131/index.php?qq=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://64.124.210.131/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://64.124.210.131/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\aowmm.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\aowmm.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\aowmm.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\aowmm.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\aowmm.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://64.124.210.131/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\aowmm.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://64.124.210.131/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\aowmm.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://64.124.210.131/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing

F1 - win.ini: run=fntldr.exe

O2 - BHO: (no name) - {9DE1545A-6CDE-C52E-C2EE-15ABB18D6F1A} - C:\WINDOWS\system32\iegi32.dll


O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll (file missing)

O4 - HKLM\..\Run: [ntmx32.exe] C:\WINDOWS\system32\ntmx32.exe

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rnvlaa.exe

O4 - HKLM\..\RunServices: [Windows Runtime Proccess] 32RUNdll.exe

O4 - HKLM\..\RunServices: [Microsoft--Updates] sxvhost.exe

O4 - HKLM\..\RunServices: [Workstation Services] wrkstn.exe

O4 - HKLM\..\RunServices: [Microsoft Macro Protection Subsystems] msmacroprot32.exe
O4 - HKLM\..\RunServices: [Windows Registry Scan] regscan.exe

O4 - HKLM\..\RunServices: [Windows Debugger] windbg.exe

O4 - HKLM\..\RunServices: [Win32 Configuration] videosd32.exe

O4 - HKCU\..\RunServices: [Windows USB controler] winusb.exe

O4 - HKCU\..\RunServices: [Windows Runtime Proccess] 32RUNdll.exe

O4 - HKCU\..\RunServices: [Microsoft--Updates] sxvhost.exe

O4 - Startup: PowerReg Scheduler V3.exe

O8 - Extra context menu item: >>> FREE PORN GALLERIES <<< - javascript:{document.**********'http://sexmaxx.com/freegalleries.htm';}

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

l
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.clicks
pring.net (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)

O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.bargain-buddy.net/download/bargain_buddy/cab/installer_MEDIAWHIZ8.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=e685f42af16b4ae133fb6395c0ae1826074370b6ef2ab58c7b394a46b7785ed02dcd1d18afd71cf37a3273507e405440345a19b4981e02e4ec71b0834b3328:522a1c137ec85ca995271ab95b94951b
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_1002144.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_40/QDow_AS2.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.7.16/ttinst.cab
O16 - DPF: {EEF29D20-9A47-4657-ADF7-283EC2504001} - http://download.bigwebportal.com/toolbar2/winenc32.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{762497DC-2430-49A1-8AF3-77CB9AC54C9A}: NameServer = 206.72.209.27 206.72.209.56

O19 - User stylesheet: (file missing)

O20 - Winlogon Notify: WB - C:\PROGRA~1\OBJECT~1\WINDOW~1\fastload.dll

O21 - SSODL: systemie - {0A58DEAE-BFC9-4A7F-85F4-6C3F8AE732F3} - sysie.dll (file missing)

O21 - SSODL: systemp - {13C16E5A-A482-4B3D-8442-18E53BDEDA42} - systemp.dll (file missing)

O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Cnfjgckb.dll


O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\SYSTEM32\WINS\svchost.exe" /service (file missing)

O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe

O23 - Service: Network Security Service (%AF夶À¨) - Unknown owner - C:\WINDOWS\netnw32.exe


**************

Exit HJT.

Stay in Safe mode, manually locate the following files from the entries above, and quarantine them: (http://www.short-media.com/forum/showpost.php?p=173532&postcount=5)


**************
C:\WINDOWS\aowmm.dll

fntldr.exe (you will have to do a search for this file, it is probably in your Windows directory or your Windows\System32 directory, if you cannot find it, do a search)

C:\WINDOWS\system32\iegi32.dll


C:\PROGRAM FILES\YOURSI~1\ysb.dll (file missing) (YOURSI~1 = a folder with a longer name but begins with "YOURSI")

C:\WINDOWS\system32\ntmx32.exe

C:\WINDOWS\System32\rnvlaa.exe

32RUNdll.exe (do a search on this one)

sxvhost.exe (do a search on this one)

wrkstn.exe (do a search on this one)

msmacroprot32.exe (do a search on this one)

regscan.exe (do a search on this one)

windbg.exe (do a search on this one)

videosd32.exe (do a search on this one)

winusb.exe (do a search on this one)

32RUNdll.exe (do a search on this one)

sxvhost.exe (do a search on this one)

C:\PROGRA~1\OBJECT~1\WINDOW~1\fastload.dll (again, anything with a "~1" is a longer named directory starting with the shown letters.)

C:\WINDOWS\System32\Cnfjgckb.dll

C:\WINDOWS\zeta.exe

C:\WINDOWS\netnw32.exe

**************


Then, go into C: -> Windows -> Downloaded Program Files, and delete everything in there. Anything you really need will be re-downloaded on demand when you visit the website that needs them.

Then, PULL THE POWER PLUG ON YOUR COMPUTER. Do another hard boot. Boot up normally, check things out, and come back to let us know how it turned out. Post a fresh HJT log for review. If things looks clean, re-enable your system restore and set a new restore point.

Many of the files in your log are virus related, so you either do not have anti-virus installed, or your antivirus is out of date or disabled. I urge yo to get your anti-virus properly installed or updated. Please review this thread for anti-virus suggestions. (http://www.short-media.com/forum/showthread.php?t=12261)

Please post your follow up log, I have a feeling this one will need some more work. :)

Dexter...