Skip to main content
Start a Conversation

Unsolved

This post is more than 5 years old

reddben

1 Message

9213

June 12th, 2006 03:00

hijack this log. please check

i have this as my home page and cant get it off, and also have another dodgy program that no protection programs can fix.
 
 
Logfile of HijackThis v1.99.1
Scan saved at 3:48:07 p.m., on 12/06/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\msi\pc alert iii\aservice.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\WINDOWS\Explorer.EXE
C:\itunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\EzButton System V1.0\EzButton.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\ben\Desktop\Stuff\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = server:8080
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Nothing - {686a161d-5bd1-4999-8832-6393f41e564c} - C:\WINDOWS\System32\hp100.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [iTunesHelper] "C:\itunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: EzButton System.lnk = C:\Program Files\EzButton System V1.0\EzButton.exe
O4 - Global Startup: PC Alert III.lnk = C:\Program Files\MSI\PC Alert III\alert.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://server/connectcomputer/nshelp.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Redd.local
O17 - HKLM\Software\..\Telephony: DomainName = Redd.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Redd.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Redd.local
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: PC Alert Service (AlertService) - Unknown owner - c:\program files\msi\pc alert iii\aservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
 

bamajim

10.4K Posts

June 12th, 2006 11:00

redben

1. please repost your HJT log at the link below

http://forums.us.dell.com/supportforums/board?board.id=si_hijack

2. Please go here

http://siri.urz.free.fr/Fix/SmitfraudFix.zip

And Download SmitFraudFix by S!ri

Extract all the archive content to your desktop

  • Search:
    • Double-click smitfraudfix.cmd
    • Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

Open that file, Ctrl+A to copy, and post a copy of that log and your Highjackthis log at the link provided above

 

Do Not run option 2 until instructed to do so


Thanks

bamajim

Training at Malware Removal University

bamajim

10.4K Posts

June 12th, 2006 15:00

sl380

We need to see a Hijackthis log also

It can be downloaded here

Go here and download Hijackthis

http://dsvs.org/5/HijackThis.exe

And then post both logs at the link below, thanks

http://forums.us.dell.com/supportforums/board?board.id=si_hijack

and include a description of the problem along with your log


Please do not be tempted to "fix" on your own. Hijackthis is a very powerful tool, if used incorrectly can cause system problems


bamajim

Training at Malware Removal University

sl380

18 Posts

June 12th, 2006 15:00

bamajim, I have been having the same trouble with Titan. I followed your links and did the smit thing.Here is the log. Now what do I do? Thanks!
 
SmitFraudFix v2.59
Scan done at  9:22:41.84, Mon 06/12/2006
Run from C:\Documents and Settings\Bruce\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
C:\WINDOWS\alexaie.dll FOUND !
C:\WINDOWS\alxie328.dll FOUND !
C:\WINDOWS\alxtb1.dll FOUND !
C:\WINDOWS\about_spyware_bg.gif FOUND !
C:\WINDOWS\about_spyware_bottom.gif FOUND !
C:\WINDOWS\as.gif FOUND !
C:\WINDOWS\as_header.gif FOUND !
C:\WINDOWS\bg.gif FOUND !
C:\WINDOWS\box_1.gif FOUND !
C:\WINDOWS\box_2.gif FOUND !
C:\WINDOWS\box_3.gif FOUND !
C:\WINDOWS\BTGrab.dll FOUND !
C:\WINDOWS\button_buynow.gif FOUND !
C:\WINDOWS\button_freescan.gif FOUND !
C:\WINDOWS\close-bar.gif FOUND !
C:\WINDOWS\dlmax.dll FOUND !
C:\WINDOWS\download_box.gif FOUND !
C:\WINDOWS\features.gif FOUND !
C:\WINDOWS\footer_back.gif FOUND !
C:\WINDOWS\footer_back.jpg FOUND !
C:\WINDOWS\header_1.gif FOUND !
C:\WINDOWS\header_2.gif FOUND !
C:\WINDOWS\header_3.gif FOUND !
C:\WINDOWS\header_4.gif FOUND !
C:\WINDOWS\infected.gif FOUND !
C:\WINDOWS\main_back.gif FOUND !
C:\WINDOWS\Pynix.dll FOUND !
C:\WINDOWS\rf.gif FOUND !
C:\WINDOWS\rf_header.gif FOUND !
C:\WINDOWS\scan_btn.gif FOUND !
C:\WINDOWS\security-center-bg.gif FOUND !
C:\WINDOWS\security-center-logo.gif FOUND !
C:\WINDOWS\security_center_caption.gif FOUND !
C:\WINDOWS\sep_hor.gif FOUND !
C:\WINDOWS\sep_vert.gif FOUND !
C:\WINDOWS\spacer.gif FOUND !
C:\WINDOWS\spacer.gif' FOUND !
C:\WINDOWS\spyware-detected.gif FOUND !
C:\WINDOWS\star.gif FOUND !
C:\WINDOWS\star_gray.gif FOUND !
C:\WINDOWS\star_gray_small.gif FOUND !
C:\WINDOWS\star_small.gif FOUND !
C:\WINDOWS\susp.exe FOUND !
C:\WINDOWS\ts.gif FOUND !
C:\WINDOWS\ts_header.gif FOUND !
C:\WINDOWS\v.gif FOUND !
C:\WINDOWS\warning_icon.gif FOUND !
C:\WINDOWS\warning-bar-ico.gif FOUND !
C:\WINDOWS\win_logo.gif FOUND !
C:\WINDOWS\x.gif FOUND !
C:\WINDOWS\ZServ.dll FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
C:\WINDOWS\system32\a.exe FOUND !
C:\WINDOWS\system32\adobepnl.dll FOUND !
C:\WINDOWS\system32\alxres.dll FOUND !
C:\WINDOWS\system32\bridge.dll FOUND !
C:\WINDOWS\system32\dailytoolbar.dll FOUND !
C:\WINDOWS\system32\jao.dll FOUND !
C:\WINDOWS\system32\qjrkvy.exe FOUND !
C:\WINDOWS\system32\questmod.dll FOUND !
C:\WINDOWS\system32\runsrv32.dll FOUND !
C:\WINDOWS\system32\runsrv32.exe FOUND !
C:\WINDOWS\system32\tcpservice2.exe FOUND !
C:\WINDOWS\system32\thlwin32.dll FOUND !
C:\WINDOWS\system32\txfdb32.dll FOUND !
C:\WINDOWS\system32\udpmod.dll  FOUND !
C:\WINDOWS\system32\users32.exe FOUND !
C:\WINDOWS\system32\winflash.dll FOUND !
C:\WINDOWS\system32\wstart.dll FOUND !
C:\WINDOWS\system32\1024\ FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Bruce\Application Data
C:\Documents and Settings\Bruce\Local Settings\Application Data\TitanShield FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Bruce\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
 
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"=" https://admin.instantservice.com/htmlclient/images/spacer.gif"
"SubscribedURL"=" https://admin.instantservice.com/htmlclient/images/spacer.gif"
"FriendlyName"=""
 
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End
 

Was this post helpful?

View All

0 events found

No Events found!

Top