Skip to main content
Start a Conversation

Unsolved

This post is more than 5 years old

MHSmooth13

1 Message

936

January 18th, 2004 15:00

Another HijackThis file

My Spyware guard keeps popping up everytime I turn on my computer because something keeps trying to change my IE homepage. Adaware didnt catch it. Heres my Hijackthis log file:

Logfile of HijackThis v1.97.7
Scan saved at 11:45:13 AM, on 1/18/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\MSMGT.exe
C:\Program Files\AIM95\aim.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.yahoo.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MSMGT] C:\WINDOWS\MSMGT.exe
O4 - HKLM\..\Run: [Soundmx] \soundmx.exe
O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell.dll /c /set -- by windows setup --
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\Matt\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Wallpaper (HKLM)
O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper (HKLM)
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/bls0_x.cab
O16 - DPF: Tornado 21 - http://download.games.yahoo.com/games/clients/y/t21s1_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dcs0_x.cab
O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/games/clients/y/flts0_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zs0_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grs0_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/ts0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://yog49.games.scd.yahoo.com/yog/y/posg_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pys1_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/ss0_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sds0_x.cab
O16 - DPF: Yahoo! Trivia - http://download.games.yahoo.com/games/clients/y/tvs0_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37268.9832523148
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AFADB32D-26D5-4A63-A857-194F561F5FD0}: NameServer = 205.188.146.146
O19 - User stylesheet: c:\windows\system.css
O19 - User stylesheet: C:\WINDOWS\hh.htt (HKLM)

Thanks a lot!

  -Matt

ChrisRLG

2 Intern

 • 

3.9K Posts

January 18th, 2004 19:00

Important: Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.
Unzip HijackThis into this folder. When you run HijackThis from this folder and have it "Fixed checked" it will create a backup file of modifications to use if restore is necessary.

Then delete the old copy of hijackthis so you can't use it please.

Then check these in hijackthis, AND WITH ALL OTHER WINDOWS CLOSED, fix checked.

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O4 - HKLM\..\Run: [MSMGT] C:\WINDOWS\MSMGT.exe
O4 - HKLM\..\Run: [Soundmx] \soundmx.exe
O19 - User stylesheet: c:\windows\system.css
O19 - User stylesheet: C:\WINDOWS\hh.htt (HKLM)

Then reboot to safe mode (F8 at boot) and delete the following files

C:\WINDOWS\System32\Userinit.exe
C:\WINDOWS\MSMGT.exe

Then reboot and post a fresh log for me to check.

Was this post helpful?

View All

No Events found!

Top