help pls again
Hi all,
got hit by the searchbar thingy again ,
can anyone direct me what to deleete in hijack this?
Logfile of HijackThis v1.97.7
Scan saved at 12:29:55, on 17/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Administrator\デスクトップ\Hijack This\HijackThis.exe
F0 - syst>m.ini: Shell=
F0 - R >ystem.ini: Shel>=
F0 - R >ystem.ini: UserInit=
O1 - Hosts: 172.16.0.111 ser00
O1 - Hosts: 172.16.0.112 ser01
O1 - Hosts: 172.16.0.113 ser02
O1 - Hosts: 172.16.0.114 ser03
O1 - Hosts: 172.16.0.122 ser05
O1 - Hosts: 172.16.0.123 ser06
O1 - Hosts: 172.31.0.101 SV02N
O1 - Hosts: 172.28.0.100 SV01S
O1 - Hosts: 172.27.0.100 SV01SS
O1 - Hosts: 172.29.0.2 TTC09
O1 - Hosts: 172.29.0.10 TTC10
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\IndicatorUtility\IndicatorUty.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [imjpmig] C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - Startup: jpeg.dll
O4 - Startup: LGPL.txt
O4 - Startup: libpng1.dll
O4 - Startup: license.txt
O4 - Startup: msvcp60.dll
O4 - Startup: msvcrt.dll
O4 - Startup: NTUSER.DAT
O4 - Startup: ntuser.dat.LOG
O4 - Startup: ntuser.ini
O4 - Startup: README.txt
O4 - Startup: scores.dat
O4 - Startup: SDL.dll
O4 - Startup: SDL_image.dll
O4 - Startup: SDL_mixer.dll
O4 - Startup: truckdismount.dat
O4 - Startup: truckdismount.exe
O4 - Startup: uninst.exe
O4 - Startup: zlib.dll
O4 - Global Startup: NTUSER.DAT
O4 - Global Startup: NTUSER.DAT.LOG
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Microsoft Excel にエクスポート(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.fmworld.net/biz/index.html
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs.chat.yahoo.co.jp/v45/yacscom.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/10497be59b7623c58915/netzip/RdxIE601_ja.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
thank you for your help
hanasuke
got hit by the searchbar thingy again ,
can anyone direct me what to deleete in hijack this?
Logfile of HijackThis v1.97.7
Scan saved at 12:29:55, on 17/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Administrator\デスクトップ\Hijack This\HijackThis.exe
F0 - syst>m.ini: Shell=
F0 - R >ystem.ini: Shel>=
F0 - R >ystem.ini: UserInit=
O1 - Hosts: 172.16.0.111 ser00
O1 - Hosts: 172.16.0.112 ser01
O1 - Hosts: 172.16.0.113 ser02
O1 - Hosts: 172.16.0.114 ser03
O1 - Hosts: 172.16.0.122 ser05
O1 - Hosts: 172.16.0.123 ser06
O1 - Hosts: 172.31.0.101 SV02N
O1 - Hosts: 172.28.0.100 SV01S
O1 - Hosts: 172.27.0.100 SV01SS
O1 - Hosts: 172.29.0.2 TTC09
O1 - Hosts: 172.29.0.10 TTC10
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\IndicatorUtility\IndicatorUty.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [imjpmig] C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - Startup: jpeg.dll
O4 - Startup: LGPL.txt
O4 - Startup: libpng1.dll
O4 - Startup: license.txt
O4 - Startup: msvcp60.dll
O4 - Startup: msvcrt.dll
O4 - Startup: NTUSER.DAT
O4 - Startup: ntuser.dat.LOG
O4 - Startup: ntuser.ini
O4 - Startup: README.txt
O4 - Startup: scores.dat
O4 - Startup: SDL.dll
O4 - Startup: SDL_image.dll
O4 - Startup: SDL_mixer.dll
O4 - Startup: truckdismount.dat
O4 - Startup: truckdismount.exe
O4 - Startup: uninst.exe
O4 - Startup: zlib.dll
O4 - Global Startup: NTUSER.DAT
O4 - Global Startup: NTUSER.DAT.LOG
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Microsoft Excel にエクスポート(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.fmworld.net/biz/index.html
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs.chat.yahoo.co.jp/v45/yacscom.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/10497be59b7623c58915/netzip/RdxIE601_ja.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
thank you for your help
hanasuke
0
This discussion has been closed.
Comments
Which searchbar? The big blue one again? Maybe you need to stop visiting whichever sites are giving it to you, or start using Firebird or Opera for your browser.
If you have the Omegsearch toobar again, pleae download Omegakiller 1.2 from our Security Downloads page (link in my signature.)
Also, run HJT in SAFE MODE, and fix:
O4 - Startup: jpeg.dll
O4 - Startup: LGPL.txt
O4 - Startup: libpng1.dll
O4 - Startup: license.txt
O4 - Startup: msvcp60.dll
O4 - Startup: msvcrt.dll
O4 - Startup: NTUSER.DAT
O4 - Startup: ntuser.dat.LOG
O4 - Startup: ntuser.ini
O4 - Startup: README.txt
O4 - Startup: scores.dat
O4 - Startup: SDL.dll
O4 - Startup: SDL_image.dll
O4 - Startup: SDL_mixer.dll
O4 - Startup: truckdismount.dat
O4 - Startup: truckdismount.exe
O4 - Startup: uninst.exe
O4 - Startup: zlib.dll
O4 - Global Startup: NTUSER.DAT
O4 - Global Startup: NTUSER.DAT.LOG
Then, stay in safe mode, locate those files, and quarantine them.
Reboot normally, and check things out. Let us know if it worked. Then seriously consider not visiting the sites that you think are infecting you, switch browsers if you really must visit them. If you keep getting "hit" after not taking our advice, we will stop feeling sorry for you.
Dexter...
thanks all for your replies
Please consider using a different browser like Firebird to avoid getting hijacked so easily, and consider modifying yoru internet habits to avoid places that give you this crap.
Dexter...