hijack log

  1. #1 gooner (Newbie)


    Please can someone tell me what files I can and cannot delete in this log file?
    Many thanks in advance.




    Logfile of HijackThis v1.99.1
    Scan saved at 23:33:00, on 14/06/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\Program Files\Norton Internet Security\ccPxySvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svhost.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\WINDOWS\System32\Services\{39A94D0B-01F4-4AA9-B13A-37A6AC9CBAFC}\SVCHOST.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\waol.exe
    C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe
    C:\Program Files\LG PC Suite\LG PC Sync\LGSyncManager.exe
    C:\WINDOWS\explorer.exe
    C:\PROGRA~1\GoZilla\ZipZilla\zipzilla.exe
    C:\WINDOWS\System32\msipcsv.exe
    C:\DOCUME~1\keith\LOCALS~1\Temp\hijackthis.zip\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/index.php?aff=9
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
    F3 - REG:win.ini: run=C:\WINDOWS\System32\svhost.exe
    O2 - BHO: IEHlprObj Class - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\GoZilla\GoIEHlp.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [System backup] C:\WINDOWS\System32\msxmidi.exe
    O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\igrp8obdihmfh3thd.exe
    O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
    O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{39A94D0B-01F4-4AA9-B13A-37A6AC9CBAFC}\SVCHOST.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{39A94D0B-01F4-4AA9-B13A-37A6AC9CBAFC}\SECURITY.EXE
    O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [quicken] C:\WINDOWS\waol.exe
    O4 - HKCU\..\Run: [System backup] C:\WINDOWS\System32\msxmidi.exe
    O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
    O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
    O4 - Global Startup: LG SyncManager.lnk = ?
    O4 - Global Startup: MSupdater.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Microsoft AntiSpyware helper - {03F9323E-8261-456B-AAA7-BB9AD0382835} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {03F9323E-8261-456B-AAA7-BB9AD0382835} - (no file) (HKCU)
    O9 - Extra button: Microsoft AntiSpyware helper - {0E02B4D4-C42B-4946-BB13-51557B53D694} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {0E02B4D4-C42B-4946-BB13-51557B53D694} - (no file) (HKCU)
    O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
    O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
    O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...12/mcfscan.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6A8605B6-6667-4AA9-B7EF-C81218303ABD}: NameServer = 194.168.4.100 194.168.8.100
    O20 - AppInit_DLLs: igtcmmx5h1rg.dll
    O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SpywareCleanerService - Secure Computer, LLC - C:\Program Files\Spyware Cleaner\SCService.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

  2. #2 jephree
    After you get your log cleared up, please download SP2 and all subsequent Critical Updates.

  3. #3 gooner (Newbie)
    Thanks, I will do this as soon as I have cleared up my computer.

  4. #4 HJThis (Senior Member)
    Hello, gooner, and welcome.

    Please change the location of HijackThis.exe.
    Create a new folder on your C: drive.
    Name it C:\HJT or HijackThis and move the HijackThis.exe file into it.
    It's best for this tool NOT to be located on your Desktop or in a TEMP folder.
    This way you can undo any changes if something goes wrong.

    Press Control-Alt-Delete to get into the Task Manager and end the following processes if they exist:
    svhost.exe <--- this file, NOT svchost.exe
    msxmidi.exe
    igrp8obdihmfh3thd.exe
    SECURITY.EXE
    spoolsrv32.exe <--- this file, NOT spoolsv.exe
    MSupdater.exe


    If you get an error when deleting a file, right-click on the file and check whether the read-only attribute is set. If it is, uncheck it and try again.

    Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:
    GoZilla

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    Fix these two items if you are not using them or did not add them yourself:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/index.php?aff=9
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/

    F3 - REG:win.ini: run=C:\WINDOWS\System32\svhost.exe

    O2 - BHO: IEHlprObj Class - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\GoZilla\GoIEHlp.dll

    O4 - HKLM\..\Run: [System backup] C:\WINDOWS\System32\msxmidi.exe
    O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\igrp8obdihmfh3thd.exe
    O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{39A94D0B-01F4-4AA9-B13A-37A6AC9CBAFC}\SVCHOST.EXE
    O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{39A94D0B-01F4-4AA9-B13A-37A6AC9CBAFC}\SECURITY.EXE
    O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
    O4 - HKCU\..\Run: [System backup] C:\WINDOWS\System32\msxmidi.exe
    O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
    O4 - Global Startup: MSupdater.exe

    O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
    O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
    O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab

    O20 - AppInit_DLLs: igtcmmx5h1rg.dll

    O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll

    Make sure you can view hidden and system files: Instructions here

    Then Boot to safe mode: Instructions here

    Delete the following files/folders IF still present:
    C:\WINDOWS\System32\svhost.exe <--- this file, NOT C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\spoolsrv32.exe <--- this file, NOT C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\GoZilla\ <--- this folder
    C:\WINDOWS\System32\msxmidi.exe <--- this file
    C:\WINDOWS\System32\igrp8obdihmfh3thd.exe <--- this file
    C:\WINDOWS\System32\Services\{39A94D0B-01F4-4AA9-B13A-37A6AC9CBAFC}\SVCHOST.EXE <--- this file
    c:\eied_s7.cab <--- this item
    c:\ex.cab <--- this item
    C:\WINDOWS\System32\vbsys2.dll <--- this file

    Still in Safe Mode, do a file search for these and, if found, delete them:
    MSupdater.exe
    igtcmmx5h1rg.dll


    Then reboot and, right away, do this before going online:

    Make your Internet Explorer more secure. This can be done by following these simple instructions:

    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab.
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
       1. Change "Download signed ActiveX controls" to Prompt.
       2. Change "Download unsigned ActiveX controls" to Disable.
       3. Change "Initialize and script ActiveX controls not marked as safe" to Disable.
       4. Change "Installation of desktop items" to Prompt.
       5. Change "Launching programs and files in an IFRAME" to Prompt.
       6. Change "Navigate sub-frames across different domains" to Prompt.
       7. When all these settings have been made, click on the OK button.
       8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    5. Next press the Apply button and then OK to exit the Internet Properties page.

    And then, before you come back here, do this for me:

    Go for free online Virus scans here:

    http://housecall.trendmicro.com/hou.../start_corp.asp
    http://www.pandasoftware.com/activescan/

    Be sure to put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean, have it delete it, or make a note of the file location so you can delete it yourself.

    Please make sure you have the time to do this.
    What I am saying is, don't start it and then stop part way;
    that is no good. Do it all at one time.

    HGD
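Added by the editor, not part of this thread and not HijackThis code: the checks the helper applied in post #4, written out as a script so they can be run over a log instead of read off by eye. It flags near-miss spellings of core Windows binaries (svhost vs svchost, spoolsrv32 vs spoolsv), a genuine binary name sitting in a folder it does not belong in (the GUID-named folder under System32), machine-generated file names, and the entry types that deserve a look whatever they point at (win.ini run=, RunOnce, AppInit_DLLs, SSODL, a DPF entry backed by a local .cab). The allowlist of system binaries, the 0.85 similarity threshold and the random-name rule are the editor's assumptions, and SAMPLE_LOG is a constructed subset of the log in post #1.

```python
"""Triage heuristics for a HijackThis 1.99-style log (Python 3, stdlib only).
Editor's added example, not code from this thread or from HijackThis; the
allowlist, threshold and random-name rule are assumptions. A hit means
"look closer", never "delete"."""
import re
from difflib import SequenceMatcher

# Core Windows XP binaries whose names malware imitates (assumed allowlist).
SYSTEM_BINARIES = {"smss", "csrss", "winlogon", "services", "lsass",
                   "svchost", "spoolsv", "explorer", "rundll32", "userinit"}
NORMAL_FOLDERS = {r"c:\windows\system32", r"c:\windows"}
PATH_RE = re.compile(r'[a-z]:\\[^"<>|]*?\.(?:exe|dll|cab)', re.I)
BARE_RE = re.compile(r'\b[\w-]+\.(?:exe|dll)\b', re.I)
GUID_RE = re.compile(r'\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}', re.I)
DIGITS = "0123456789"
LINE_NOTES = {  # entry types worth a look whatever they point at
    "F3": "win.ini run= autostart (legacy loader, rarely used legitimately on XP)",
    "O20": "AppInit_DLLs: DLL injected into every process that loads user32.dll",
    "O21": "SSODL: shell object loaded by explorer.exe at every logon",
}

# Constructed sample: a subset of the log in post #1, in the same format.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svhost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\msxmidi.exe
C:\WINDOWS\System32\Services\{39A94D0B-01F4-4AA9-B13A-37A6AC9CBAFC}\SVCHOST.EXE

F3 - REG:win.ini: run=C:\WINDOWS\System32\svhost.exe
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\igrp8obdihmfh3thd.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O20 - AppInit_DLLs: igtcmmx5h1rg.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""


def looks_random(stem):
    """Long name with almost no vowels and a digit inside, e.g. igrp8obdihmfh3thd."""
    vowels = sum(ch in "aeiou" for ch in stem)
    return len(stem) >= 10 and vowels / len(stem) < 0.2 and any(ch in DIGITS for ch in stem)


def check_path(path):
    """Reasons why one file path deserves a closer look; empty list means nothing odd."""
    reasons = []
    folder, _, name = path.replace("/", "\\").lower().rpartition("\\")
    stem = name.rsplit(".", 1)[0]
    if stem in SYSTEM_BINARIES:
        # Genuine name in the wrong place, e.g. System32\Services\{GUID}\SVCHOST.EXE
        if folder and folder not in NORMAL_FOLDERS:
            reasons.append(f"{name}: system binary name outside {' / '.join(sorted(NORMAL_FOLDERS))}")
    else:
        # Near-miss spellings: svhost vs svchost, spoolsrv32 vs spoolsv (trailing digits ignored)
        for known in sorted(SYSTEM_BINARIES):
            ratio = SequenceMatcher(None, stem.rstrip(DIGITS), known.rstrip(DIGITS)).ratio()
            if ratio >= 0.85:
                reasons.append(f"{name}: lookalike of {known}.exe (similarity {ratio:.2f})")
        if looks_random(stem):
            reasons.append(f"{name}: machine-generated looking name")
    if GUID_RE.search(folder):
        reasons.append(f"{name}: sits in a GUID-named folder ({folder})")
    return reasons


def check_line(line):
    """Reasons for one R/F/O entry: the entry type itself plus every file it names."""
    tag = line.split(" - ", 1)[0]
    reasons = [LINE_NOTES[tag]] if tag in LINE_NOTES else []
    if tag == "O4" and "RunOnce" in line:
        reasons.append("RunOnce autorun (meant for a single reboot; check what keeps it there)")
    if tag == "O16" and "file://" in line.lower():
        reasons.append("DPF entry backed by a local .cab instead of a vendor URL")
    for target in PATH_RE.findall(line) or BARE_RE.findall(line):
        reasons += check_path(target)
    return reasons


def triage(log_text):
    """Return [(entry, [reasons])] for every log line that trips at least one rule."""
    hits, in_processes = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if not line:                       # blank line ends the process list
            in_processes = False
            continue
        reasons = check_path(line) if in_processes else check_line(line)
        if reasons:
            hits.append((line, reasons))
    return hits


def processes_to_end(log_text):
    """Full paths of running processes that tripped a rule. Full paths on purpose:
    Task Manager shows only the image name, which the GUID-folder SVCHOST.EXE shares."""
    return sorted(entry for entry, _ in triage(log_text) if entry.lower().startswith("c:\\"))


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(entry)
        for reason in reasons:
            print("   ->", reason)
```

Two things the output makes obvious. processes_to_end() returns full paths because XP's Task Manager lists only image names, so the SVCHOST.EXE in the GUID folder cannot be told apart there from the real svchost.exe instances; the reliable step is the Safe Mode file deletion post #4 describes, not killing by name. And msxmidi.exe trips none of these rules even though post #4 lists it: the heuristics narrow the list for a human, they do not make the call.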
