| Forum Home | ||||
| Press F1 | ||||
| Thread ID: 69646 | 2006-06-07 16:45:00 | i need advice what to do next... here my hijack logs.... | Cead (10513) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 461475 | 2006-06-07 16:45:00 | Can anyone please help me what to do... I don't have any exprience on this kind of stuff about computer... >.< ... and i think this thing hijacked my homepage... advance thank you to anyone ^^ here is the logs from hijack... C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Sygate\SPF\smc.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\dcomcfg.exe C:\WINDOWS\ehome\ehtray.exe C:\WINDOWS\RTHDCPL.EXE C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\PC Tools AntiVirus\PCTAV.exe C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\ewido anti-malware\ewidoctrl.exe C:\Program Files\ewido anti-malware\ewidoguard.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\eHome\ehmsas.exe C:\Program Files\PC Tools AntiVirus\ScanningProcess.exe C:\Program Files\PC Tools AntiVirus\ScanningProcess.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\SpyNoMore\SNM.exe C:\Program Files\WinRAR\WinRAR.exe C:\DOCUME~1\DIANEI~1\LOCALS~1\Temp\Rar$EX00.000\Hi jackThis.exe R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) R3 - URLSearchHook: (no name) - - (no file) F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Nothing - {6ab7158b-4bff-4160-ad7d-4d622df548cf} - C:\WINDOWS\system32\hp100.tmp O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe" O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui O4 - HKLM\..\Run: [Anti Trojan Elite] C:\Program Files\Anti Trojan Elite\TJEnder.exe :NO O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup O4 - HKLM\..\RunOnce: [ws_uninst] C:\DOCUME~1\DIANEI~1\LOCALS~1\Temp\ws_uninst.exe -s O4 - HKLM\..\RunOnce: [ea_cleanup] C:\DOCUME~1\DIANEI~1\LOCALS~1\Temp\ea_cleanup.exe /cleanup O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ Yahoo! Pager] "C:\PROGRA~1\ Yahoo! \MESSEN~1\YAHOOM~1.EXE" -quiet O4 - HKCU\..\Run: [ChikkaIM] C:\PROGRA~1\Chikka\Chikka.exe O4 - HKCU\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\ Yahoo! \Messenger\YahooMessenger.exe O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\ Yahoo! \Messenger\YahooMessenger.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe |
Cead (10513) | ||
| 461476 | 2006-06-07 20:26:00 | You have at least 2 baddies but better wait for someone more experianced like Speedy to tell you how to get rid of them. |
kjaada (253) | ||
| 461477 | 2006-06-07 22:09:00 | You need to post the entire log and HijackThis needs to be in its own folder on the hard drive first, not in the temporary files folder. Please try again. |
FoxyMX (5) | ||
| 461478 | 2006-06-07 23:09:00 | By the "entire log" referenced to above, include the header from HJT with the system info . I know, it's confusing . . . wot? |
SurferJoe46 (51) | ||
| 461479 | 2006-06-08 00:09:00 | Cm on Foxy tell us what you mean by entire log.At least 2 very nasty things are listed and more are suspect. | kjaada (253) | ||
| 461480 | 2006-06-08 00:51:00 | Cm on Foxy tell us what you mean by entire log. I meant exactly what I said - post the entire log. The bits missing look like this: Logfile of HijackThis v1.99.1 Scan saved at 15:36:59, on 27/05/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: |
FoxyMX (5) | ||
| 461481 | 2006-06-08 02:03:00 | It does not look as if Speedy is about so I will tell you and hope no one takes offence: 02 BHO Nothing................. and 04HKLM..\run [alcmtr].ALCMTR.exe are baddies In the mean time if you tick them then click fix you may solve the problem until your next boot but if you like to hold on then someone may tell you about other not so bad thingos and give you advice on solutions. |
kjaada (253) | ||
| 461482 | 2006-06-08 02:15:00 | Hi Cead We need to kill this infection : O2 - BHO: Nothing - {6ab7158b-4bff-4160-ad7d-4d622df548cf} - C:\WINDOWS\system32\hp100 Download SmitfraudFix (by S!Ri) to your Desktop . . urz . free . fr/Fix/SmitfraudFix . zip" target="_blank">siri . urz . free . fr Extract all the files to your Destop . A folder named SmitfraudFix will be created on your Desktop . Open the SmitfraudFix folder and double-click smitfraudfix . cmd Select option #1 - Search by typing 1 and press Enter This program will scan large amounts of files on your computer for known patterns so please be patient while it works . When it is done, the results of the scan will be displayed and it will create a log named rapport . txt in the root of your drive . This log you can close Reboot your computer in Safe Mode . If the computer is running, shut down Windows, and then turn off the power . Wait 30 seconds, and then turn the computer on . Start tapping the F8 key . The Windows Advanced Options Menu appears . If you begin tapping the F8 key too soon, some computers display a "keyboard error" message . To resolve this, restart the computer and try again . Ensure that the Safe Mode option is selected . Press Enter . The computer then begins to start in Safe mode . Login on your usual account . Open the SmitfraudFix Folder, then double-click smitfraudfix . cmd file to start the tool . Select option #2 - Clean by typing 2 and press Enter . Wait for the tool to complete and disk cleanup to finish . You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter . The tool will also check if wininet . dll is infected . If a clean version is found, you will be prompted to replace wininet . dll . Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter . A reboot may be needed to finish the cleaning process, if your computer does not restart automatically please do it yourself manually . . The tool will create a second log named rapport . txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed . Please post that log along with your next reply . Download the trial version of Ewido Security Suite ( . ewido . net/en/download/" target="_blank">www . ewido . net) When installing, under "Additional Options" uncheck "Install Background Guard" and "Install scan via context menu" . Launch Ewido Security Suite (there should be an icon on your desktop doubleclick it) . The program will now go to the main screen . You will need to update ewido to the latest definition files . On the left hand side of the main screen click update and then click on Start Update . The update will start and a progress bar will show the updates being installed . If you have problems with the updater, you can use this link to manually update ewido . . ewido . net/en/download/updates/ . " target="_blank">www . ewido . net Do not run a scan yet . When you have done this, boot into Safe Mode (restart your PC and keep tapping F8 while it restarts) . Run Ewido Security Suite now . Click on Scanner and click Complete System Scan and the scan will begin . During the scan it will prompt you to clean files, click OK . When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK . When the scan is finished, click the Save report button at the bottom of the screen . Save the report to your desktop and close Ewido Security Suite . Please post its log here along with rapport . txt and a new HJT log . |
Pancake (6359) | ||
| 461483 | 2006-06-08 02:54:00 | Thank goodness someone can help. | kjaada (253) | ||
| 461484 | 2006-06-08 03:52:00 | thank you very much pancake.... here the rapport... i did the clean twice... so i think the rapport get replace... but the first rapport i read it and it say sumthing like this "C:\WINDOWS\System32 deleted" n there were like 4-5 of em... SmitFraudFix v2.55 Scan done at 22:11:00.89, Wed 06/07/2006 Run from C:\Documents and Settings\Diane Ignacio\Desktop\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT Fix ran in safe mode »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» Killing process »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix GenericRenosFix by S!Ri »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning Registry Cleaning done. »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» End here is my new hijackthis log Logfile of HijackThis v1.99.1 Scan saved at 10:39:18 PM, on 6/7/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Sygate\SPF\smc.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\ehome\ehtray.exe C:\WINDOWS\RTHDCPL.EXE C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe C:\Program Files\SpyNoMore\SNM.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\ewido anti-malware\ewidoctrl.exe C:\Program Files\ewido anti-malware\ewidoguard.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\eHome\ehmsas.exe C:\Documents and Settings\Diane Ignacio\Desktop\HijackThis.exe R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) R3 - URLSearchHook: (no name) - - (no file) F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe" O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui O4 - HKLM\..\Run: [Anti Trojan Elite] C:\Program Files\Anti Trojan Elite\TJEnder.exe :NO O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ Yahoo! Pager] "C:\PROGRA~1\ Yahoo! \MESSEN~1\YAHOOM~1.EXE" -quiet O4 - HKCU\..\Run: [ChikkaIM] C:\PROGRA~1\Chikka\Chikka.exe O4 - HKCU\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\ Yahoo! \Messenger\YahooMessenger.exe O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\ Yahoo! \Messenger\YahooMessenger.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe also pancake... i used the spynomore to scan my computer just in case... it say that i have trojan, adware, search hijacker, spyware, and tracking cookie... i just want to know if this is any risk to my comp... thank you again pancake your the best. oh by the way, it took me like 10 tries to get to safe mode >.< .... XD |
Cead (10513) | ||
| 1 2 3 | |||||