Hijack log [Archive] - The PC Guide Discussion Forums

racerboybmw

12-05-2004, 09:39 PM

If you can read this you know I have issues (seriously). If i can get a reply on what to remove that would be extremely appreaciated.
I have also trojan.startpage I can locate the .dll file but cannot remove.

Logfile of HijackThis v1.97.7
Scan saved at 5:42:33 PM, on 12/5/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://bigbr.cc
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bigbr.cc
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\WINDOWS\_h.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bigbr.cc
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = C:\WINDOWS\_h.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.partypoker.com/installstart.htm
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\_s.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\_s.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINDOWS\_s.html
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: (no name) - {03A08063-B603-4B34-A12C-C9A409EA15DC} - C:\WINDOWS\system32\blkaga.dll (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000003} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {722E8B26-1C44-460F-88BB-50C82B20E30E} - C:\WINDOWS\System32\msqsb.dll
O2 - BHO: (no name) - {9A3D3410-A18A-4E17-ACD1-7805B0B35C86} - (no file)
O2 - BHO: (no name) - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Neo Toolbar - {722E8B26-1C44-460F-88BB-50C82B20E30E} - C:\WINDOWS\System32\msqsb.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [wsnikvwl] C:\WINDOWS\System32\mvzdagc.exe
O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: PlanetLuck.com (HKLM)
O9 - Extra 'Tools' menuitem: PlanetLuck.com (HKLM)
O9 - Extra button: PartyPoker.com (HKLM)
O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix: [url]http://%62%69%67%62%72%2E%63%63?error=[/url]
O13 - Mosaic Prefix: [url]http://%62%69%67%62%72%2E%63%63?error=[/url]
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [url]http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409[/url]
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - [url]http://protect.microsoft.com/security/protect/wsa/shared/CAB/x86/msSecAdv.cab?1096423760154[/url]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [url]http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095460518787[/url]
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - [url]http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab[/url]
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - [url]http://download.yahoo.com/dl/installs/ymail/ymmapi.dll[/url]
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - [url]http://download.yahoo.com/dl/installs/yab_af.cab[/url]
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - [url]http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab[/url]
O16 - DPF: {FF521631-31DA-48AC-B4E9-390A7694C906} (EGEGAUTH Class) - [url]http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1030_1_206_1_EN_XP.cab[/url]
O17 - HKLM\System\CCS\Services\Tcpip\..\{529EF20B-EF9C-4799-BB53-689B78EE5F76}: NameServer = 151.164.14.201 151.164.1.8
O17 - HKLM\System\CS1\Services\Tcpip\..\{529EF20B-EF9C-4799-BB53-689B78EE5F76}: NameServer = 151.164.14.201 151.164.1.8

classicsoftware

12-05-2004, 10:58 PM

First you need the latest version of HJT, get it here (http://www.subratam.org/?page=removal).

Next close all open programs when running HJT. No other programs should be running, like IE,OE, etc.

Repost your log

racerboybmw

12-05-2004, 11:14 PM

Sorry can not do a down load and repost . Freinds PC who will be gone for a few days , I said I would look at it when he gets back. Any thing that can be doen with this one?

Budfred

12-05-2004, 11:27 PM

This is indeed a mess... I suggest that you download and run CWShredder to see if that will at least clean up enough to get it running well enough to clean up the rest... If you can't download on this computer, both HJT and CWShredder are small enough to fit on a floppy... Download on another computer and transfer to this one by floppy....

racerboybmw

12-05-2004, 11:29 PM

How does WS Shredder work? Is it automatic to run or does it require user input to select files to remove?

Budfred

12-05-2004, 11:31 PM

It is CWShredder and it may ask you if it is okay to remove files that it is not sure about... If you are not sure, say no and report back what they were... It will simply fix known CWS infections and you have at least a couple in that log...

racerboybmw

12-05-2004, 11:32 PM

thanks for the answer ( i knew CW Shredder- I just have fat fingers)

Quantax

12-06-2004, 12:18 AM

I would think you should also download and run Ad Aware and Spybot S & D, the links which appear on Budfred's post. Then you would re-run and post the new 1.98 version of HJT.