HiJack me! My turn!

NiGHTS, San Diego, Icrontian
edited May 2004 in Spyware & Virus Removal
Thanks in advance, you guys do great work, as tedious as this might be. Of course,...if you're sitting in front of a computer bored to death I'm sure this is a welcome sight. :)

Logfile of HijackThis v1.97.7
Scan saved at 11:50:55 AM, on 5/16/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microangelo\muamgr.exe
C:\WINDOWS\System32\msrexe.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\System32\sstray.exe
C:\PROGRA~1\ANTIBU~1\deletedoesbalm.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\Program Files\ABIT\ABITEQ\abiteq.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\David\My Documents\My Downloads\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchnow.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mysearchnow.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchnow.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchnow.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchnow.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = NiGHTS
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://forums.dodhq.net/forumdisplay.php?s=&forumid=81
O1 - Hosts: 216.40.230.4 desktop.kazaa.com
O1 - Hosts: 216.40.230.4 alpha.kazaa.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A8F35AF2-DE3A-7995-E8BA-95FF00B03BB4} - C:\PROGRA~1\THUNKM~1\WayGrid.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: File Bend Film - {BC96962A-5909-0C6F-C942-7BD2F778D411} - C:\PROGRA~1\THUNKM~1\WayGrid.dll
O4 - HKLM\..\Run: [MOD] C:\Program Files\Microangelo\muamgr.exe
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Glue Save] C:\PROGRA~1\ANTIBU~1\deletedoesbalm.exe
O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Comments

  • shwaip, bluffin' with my muffin, Icrontian
    edited May 2004
    remove these in safe mode (using hijack this):

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchnow.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mysearchnow.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchnow.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchnow.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchnow.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://forums.dodhq.net/forumdisplay.php?s=&forumid=81
    O1 - Hosts: 216.40.230.4 desktop.kazaa.com
    O1 - Hosts: 216.40.230.4 alpha.kazaa.com
    O2 - BHO: (no name) - {A8F35AF2-DE3A-7995-E8BA-95FF00B03BB4} - C:\PROGRA~1\THUNKM~1\WayGrid.dll
    O3 - Toolbar: File Bend Film - {BC96962A-5909-0C6F-C942-7BD2F778D411} - C:\PROGRA~1\THUNKM~1\WayGrid.dll
    O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe
    O4 - HKLM\..\Run: [Glue Save] C:\PROGRA~1\ANTIBU~1\deletedoesbalm.exe

    then manually delete the following:
    (folder)c:\program files\thunkm~1 (it's a folder that starts with thunkm)
    (folder)c:\program files\antibu~1 (starts with antibu)
    (file)C:\WINDOWS\System32\msrexe.exe
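A defender-side way to triage a log like this one, as an added example that is not part of the thread: it parses the HijackThis R*/O* entries, flags the ones matching the indicators named in this thread (the mysearchnow.com redirect, hosts-file overrides, the THUNKM~1/ANTIBU~1 folders and msrexe.exe), and derives the manual cleanup list the reply above ends with. The sample entries are copied from the log posted above; treating every O1 hosts entry as worth a look is an assumption of this example, not something the thread states.

```python
import re
# Sample entries copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mysearchnow.com
O1 - Hosts: 216.40.230.4 desktop.kazaa.com
O2 - BHO: (no name) - {A8F35AF2-DE3A-7995-E8BA-95FF00B03BB4} - C:\PROGRA~1\THUNKM~1\WayGrid.dll
O3 - Toolbar: File Bend Film - {BC96962A-5909-0C6F-C942-7BD2F778D411} - C:\PROGRA~1\THUNKM~1\WayGrid.dll
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe
O4 - HKLM\..\Run: [Glue Save] C:\PROGRA~1\ANTIBU~1\deletedoesbalm.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""
# Indicators taken from the thread: the redirect domain seen in the R0/R1
# entries and the folder/file paths the removal reply tied to the infection.
HIJACK_HOSTS = {"mysearchnow.com"}
BAD_PATH_FRAGMENTS = ("\\THUNKM~1\\", "\\ANTIBU~1\\", "\\MSREXE.EXE")
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
PATH_RE = re.compile(r"[A-Z]:\\.+?\.(?:dll|exe)\b", re.I)

def flag_entry(kind, body):
    """Reason string if the entry matches a thread indicator, else None."""
    if kind in ("R0", "R1") and "=" in body:
        key, value = body.split("=", 1)
        # Some keys carry a bare domain rather than a URL, so strip any scheme by hand.
        host = re.sub(r"^\w+://", "", value.strip()).split("/")[0].lower()
        if host in HIJACK_HOSTS:
            return f"IE {key.strip().rsplit(',', 1)[-1]} redirected to {host}"
    elif kind == "O1":  # assumption of this example: any hosts-file override deserves a look
        return "hosts-file override: " + body.replace("Hosts:", "").strip()
    elif kind in ("O2", "O3", "O4") and any(f in body.upper() for f in BAD_PATH_FRAGMENTS):
        return "loads a file from a path tied to the infection"
    return None

def triage(text):
    """Parse every R*/O* line and split into flagged (kind, body, reason) and benign."""
    flagged, benign = [], []
    for m in filter(None, map(ENTRY_RE.match, text.strip().splitlines())):
        kind, body = m.groups()
        reason = flag_entry(kind, body)
        (flagged if reason else benign).append((kind, body, reason))
    return flagged, benign

def manual_cleanup_paths(flagged):
    """Leftovers to delete by hand: the whole ~1 program folder if the file sits in one, else the file."""
    paths = set()
    for kind, body, _ in flagged:
        m = PATH_RE.search(body) if kind in ("O2", "O3", "O4") else None
        if m:
            folder = m.group(0).rsplit("\\", 1)[0]
            paths.add(folder if "~" in folder.rsplit("\\", 1)[-1] else m.group(0))
    return sorted(paths)
```

Running `triage(SAMPLE_LOG)` flags seven of the eight sample entries and leaves only the ctfmon.exe line, matching the reply above, and `manual_cleanup_paths` reproduces its two folders and one file.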
  • Kwitko, Sheriff of Banning (Retired), By the thing near the stuff, Icrontian
    edited May 2004
    These 2 are fine. Don't delete them.

    O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
  • shwaip, bluffin' with my muffin, Icrontian
    edited May 2004
    whoops, meant to get rid of ctfmon.
  • NiGHTS, San Diego, Icrontian
    edited May 2004
    In reading the sticky notes in this forum, I would like to apologize for my above post. I failed to both specify what I was looking for, and what I was hoping to accomplish, while looking like an ass at the same time. I appreciate, however, that you went ahead and looked at my post, as well as responded. This service that the few of you do daily for those of us like myself who are clueless as to using HiJack this, or are just not sure what direction to move when cleaning up their computer, is incredible. Truly unselfish and generous. Again, I apologize for the somewhat demanding first post I made, and appreciate that despite this, you've taken the time to give me a general idea of what to get rid of.

    P.S. - Short Media is amazing, I don't think I could find a better word to describe this entire site...unless I made a word up or something.
  • shwaip, bluffin' with my muffin, Icrontian
    edited May 2004
    don't worry about it... I only get kinda irked when new people show up, post a log without specifying what's wrong, and then leave w/o telling us it worked or thanking us.
  • Armo, Mr. Nice Guy Is Dead, Only Aqua Remains, Member
    edited May 2004
    what exactly is omega search? lol I mean I see at least 3 new threads a day for it but I don't know what it is, I do know I don't want it lol :)
  • NiGHTS, San Diego, Icrontian
    edited May 2004
    Worked like a charm, thanks Shwaip. What is msrexe.exe anyway? Those other things looked really suspicious, one was a .bin file and the others were a mix of exe's and bins and whathaveyou. Thanks again.
  • primesuspect, Beepin n' Boopin, Detroit, MI, Icrontian
    edited May 2004
    NiGHTS - don't worry about it - you're a regular member, and part of the community. It's when, like Shwaip said, people just come in out of the blue, post a log without saying a word, and then never post again that gets a bit tiresome :)
  • edited May 2004
    Armo wrote:
    what exactly is omega search? lol I mean I see at least 3 new threads a day for it but I don't know what it is, I do know I don't want it lol :)

    lol, you definitely don't want it, it auto sets your homepage to its home site, adds a search toolbar with categories like sex and gambling and adds a bunch of favorites

    also, it seems like every time you reboot it resets your homepage

    a real pain :thumbsdow :mean: