| Thread ID: 58087 | 2005-05-21 06:09:00 | help with "startsearches" hijack please | davisman101 (8171) | Press F1 |
| Post ID | Timestamp | User | (post content follows each row) |
| 357198 | 2005-05-21 06:09:00 | davisman101 (8171) |
Can someone please analyze my HijackThis result for me and tell me which ones to check? Most of them keep coming back.

Logfile of HijackThis v1.99.1
Scan saved at 1:07:29 AM, on 5/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\shnlog.exe
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\popuper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\intmonp.exe
C:\WINDOWS\system32\intmon.exe
C:\Program Files\GameSpy Arcade\Aphex.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.startsearches.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.startsearches.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.startsearches.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.startsearches.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.startsearches.net
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.startsearches.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.startsearches.net/
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
N3 - Netscape 7: user_pref("browser.search.defaultengine", "www.google.com); (C:\Documents and Settings\matt\Application Data\Mozilla\Profiles\default\xyawscay.slt\prefs.js)
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\system32\hp666A.tmp
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\system32\msmsgs.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {17897145-F463-4420-AE9D-43B37D8BBFE0} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {17897145-F463-4420-AE9D-43B37D8BBFE0} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

Thanks.
| 357199 | 2005-05-21 06:48:00 | Speedy Gonzales (78) |
Tick the following and click on Fix. Then reboot.

C:\WINDOWS\system32\shnlog.exe
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\popuper.exe
C:\WINDOWS\system32\intmonp.exe
C:\WINDOWS\system32\intmon.exe

These are parts of a trojan: securityresponse.symantec.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.startsearches.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.startsearches.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.startsearches.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.startsearches.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.startsearches.net
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.startsearches.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.startsearches.net/

F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
This looks like a trojan: securityresponse.symantec.com

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
This looks suss.

O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\system32\msmsgs.exe
Remove this.

O9 - Extra button: Microsoft AntiSpyware helper - {17897145-F463-4420-AE9D-43B37D8BBFE0} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {17897145-F463-4420-AE9D-43B37D8BBFE0} - (no file) (HKCU)
| 357200 | 2005-05-21 07:03:00 | pctek (84) |
And:

C:\Program Files\GameSpy Arcade\Aphex.exe
N3 - Netscape 7: user_pref("browser.search.defaultengine", "www.google.com); (C:\Documents and Settings\matt\Application Data\Mozilla\Profiles\default\xyawscay.slt\prefs.js)
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\system32\hp666A.tmp
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

Thanks.
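The two replies above pick entries out of the log by eye: executables running from odd locations, IE start/search values pointing at one unfamiliar domain, an extra executable on the Winlogon Shell line, a BHO with an implausible CLSID loading a .tmp file, and a Run entry that launches msmsgs.exe from system32 when the real Windows Messenger lives under Program Files. As an added example (not code from the thread, HijackThis, or any tool the posters used), the same triage written as a pass over a HijackThis v1.99-format log. The sample log is a constructed, shortened input built from the entry types seen above; the allowlists, the "few distinct hex digits" CLSID test and the "same basename in two directories" rule are heuristics assumed for this example, not an authoritative list:

```python
import ntpath
import re
from collections import defaultdict
from typing import List, Optional, Tuple

# Constructed sample in HijackThis v1.99 log format; an abbreviated, hand-built
# input reusing entry types from the thread, not the poster's full log.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\shnlog.exe
C:\WINDOWS\popuper.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.startsearches.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.startsearches.net/
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\system32\hp666A.tmp
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\system32\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {17897145-F463-4420-AE9D-43B37D8BBFE0} - (no file) (HKCU)
"""

# Assumed allowlists for this example; a real review would use a maintained list.
CORE_SYSTEM32 = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe"}
WINDOWS_ROOT_OK = {"explorer.exe"}
TRUSTED_SEARCH_DOMAINS = {"microsoft.com", "msn.com", "google.com", "yahoo.com"}
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def registrable_domain(value: str) -> Optional[str]:
    """Reduce a URL or bare host to its last two labels; None for non-hosts such as about:blank."""
    host = re.sub(r"^[a-z]+://", "", value.strip(), flags=re.I).split("/", 1)[0]
    if "." not in host or ":" in host:
        return None
    return ".".join(host.lower().split(".")[-2:])


def image_path(line: str) -> Optional[str]:
    """Return the file path a log entry points at, or None when it has none."""
    if re.match(r"^[A-Za-z]:\\", line):            # bare line under "Running processes:"
        return line
    if line.startswith("O4 - "):                    # O4 - HKLM\..\Run: [name] path args
        m = re.search(r"\]\s*(.+?\.exe)", line, re.I)
        return m.group(1) if m else None
    if line.startswith(("O2 - ", "O3 - ", "O9 - ", "O23 - ")):
        tail = line.rsplit(" - ", 1)[1].replace("(HKCU)", "").strip()
        return None if tail.startswith("(no file)") else tail
    return None


def triage(log: str) -> List[Tuple[str, str]]:
    """Return (reason, entry) pairs for lines a reviewer would want to check."""
    findings: List[Tuple[str, str]] = []
    dirs_by_basename = defaultdict(set)           # basename -> directories it is loaded from
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        path = image_path(line)
        base = ntpath.basename(path).lower() if path else ""
        if path:
            dirs_by_basename[base].add(ntpath.dirname(path).lower())
        if re.match(r"^[A-Za-z]:\\", line):
            d = ntpath.dirname(line).lower()
            if d.endswith("\\windows") and base not in WINDOWS_ROOT_OK:
                findings.append(("executable in Windows root", line))
            elif d.endswith("\\system32") and base not in CORE_SYSTEM32:
                findings.append(("non-core executable in system32", line))
        elif line.startswith(("R0 - ", "R1 - ")):
            value = line.split(" = ", 1)[1] if " = " in line else ""
            domain = registrable_domain(value)
            if domain and domain not in TRUSTED_SEARCH_DOMAINS:
                findings.append(("IE start/search setting points at untrusted domain", line))
        elif line.startswith("F2 - ") and "Shell=" in line:
            shells = [s.strip() for s in line.split("Shell=", 1)[1].split(",")]
            extras = [s for s in shells if s.lower() != "explorer.exe"]
            if extras:                              # only explorer.exe belongs on the Shell line
                findings.append(("extra shell executable: " + ", ".join(extras), line))
        elif line.startswith("O2 - "):
            m = CLSID_RE.search(line)
            few_digits = bool(m) and len(set(re.sub(r"[{}-]", "", m.group(0)).upper())) < 4
            if few_digits or (path and not path.lower().endswith(".dll")):
                findings.append(("BHO with implausible CLSID or non-DLL image", line))
        elif line.startswith("O9 - ") and "(no file)" in line:
            findings.append(("orphaned entry, file missing", line))
    for base, dirs in sorted(dirs_by_basename.items()):
        if len(dirs) > 1:                           # e.g. msmsgs.exe in system32 and Program Files
            findings.append((f"{base} present in more than one directory", "; ".join(sorted(dirs))))
    return findings


if __name__ == "__main__":
    for reason, entry in triage(SAMPLE_LOG):
        print(f"[{reason}] {entry}")
```

Run against the sample it flags popuper.exe, shnlog.exe, both startsearches.net values, the msmsgs.exe tacked onto the Shell line, the all-F CLSID loading a .tmp file, the orphaned AntiSpyware button, and msmsgs.exe appearing in two directories, while leaving smss.exe, svchost.exe, Explorer.EXE, AVG and the Google toolbar alone. The duplicate-basename rule is the general form of the msmsgs.exe observation: a hijacker that borrows a well-known file name has to live somewhere other than the legitimate copy, and a log that lists both locations shows the collision.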
| 357201 | 2005-05-21 07:20:00 | kumaraguy (4464) |
I have found it helpful to temporarily turn off System Restore while you are making these fixes, especially if they continue to reappear.
| 357202 | 2005-05-21 16:52:00 | davisman101 (8171) |
Hey hey, this all worked. Thanks a lot. This was a big headache. Everything is fine now. Thanks again.
| 357203 | 2005-05-21 18:08:00 | zqwerty (97) |
Well done Speedy & pctek & others, you guys are doing a damn good job. Heaps of people have come to this site for help from all over the world recently and left happy. (^__^)
| 357204 | 2005-05-21 21:56:00 | Speedy Gonzales (78) |
Good to hear it's running better :) Thanx Z