also @ TechSpot: Windows 8 Release Preview leaked, Microsoft may raise OEM prices

TechSpot
Collaborate in the cloud with Office, Exchange, SharePoint, and Lync.
Microsoft Office 365. Pay-as-you-go starting at $8/user/month. Begin your free trial now.

hijack this log, pls tell me what to fix

Discussion in 'Virus and Malware Removal' started by maximus600, Mar 8, 2005.

Thread Status:
Not open for further replies.

  1. maximus600 Newcomer, in training

    my comp is very screwed up i need some help deleting the things that i need to could someone please reply or send an email to max_mcconchie69@hotmail.com telling me what i need to fix which wuld be appreciated.

    Logfile of HijackThis v1.99.1
    Scan saved at 5:11:05 PM, on 8/03/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\winwt32.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\sistray.EXE
    C:\WINNT\System32\khooker.exe
    C:\Program Files\ASUS\Probe\AsusProb.exe
    C:\Program Files\PCI Audio Applications\Mixer.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
    C:\WINNT\system32\appxg32.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Windows TaskAd\WinTaskAd.exe
    C:\Program Files\Windows TaskAd\WinSched.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    C:\Documents and Settings\Remy Gorgolon\Application Data\iatr.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\LimeWire\LimeWire.exe
    C:\Program Files\Web_Rebates\WebRebates1.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Web_Rebates\WebRebates0.exe
    C:\Documents and Settings\Remy Gorgolon\My Documents\Max\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\fesns.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\fesns.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\fesns.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\fesns.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\fesns.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\fesns.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\fesns.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {7BA9C52F-3A0D-2815-6A75-5375F628455D} - C:\WINNT\d3ym.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\System32\sistray.EXE
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
    O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
    O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Mixer.exe /startup
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [Microsoft Update] apjxzjm.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
    O4 - HKLM\..\Run: [addlb.exe] C:\WINNT\system32\addlb.exe
    O4 - HKLM\..\Run: [apiel.exe] C:\WINNT\system32\apiel.exe
    O4 - HKLM\..\Run: [Microsoft Update Machine] crxvymk.exe
    O4 - HKLM\..\Run: [Configuration Loader] svschost.exe
    O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
    O4 - HKLM\..\Run: [appxg32.exe] C:\WINNT\system32\appxg32.exe
    O4 - HKLM\..\Run: [fvvelxdbb] C:\WINNT\System32\gzcpgwt.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
    O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
    O4 - HKLM\..\Run: [block buster] C:\Documents and Settings\Remy Gorgolon\Local Settings\Temp
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] apjxzjm.exe
    O4 - HKLM\..\RunServices: [Microsoft Update Machine] crxvymk.exe
    O4 - HKLM\..\RunServices: [Configuration Loader] svschost.exe
    O4 - HKCU\..\Run: [Microsoft Update] apjxzjm.exe
    O4 - HKCU\..\Run: [Aoia] C:\Documents and Settings\Remy Gorgolon\Application Data\iatr.exe
    O4 - HKCU\..\Run: [Microsoft Update Machine] crxvymk.exe
    O4 - HKCU\..\Run: [Configuration Loader] svschost.exe
    O4 - HKCU\..\Run: [nsdriver] C:\WINNT\system32\nssys32.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.skoobidoo.com
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.clickspring.net (HKLM)
    O15 - Trusted Zone: *.mt-download.com (HKLM)
    O15 - Trusted Zone: *.my-internet.info (HKLM)
    O15 - Trusted Zone: *.searchmiracle.com (HKLM)
    O15 - Trusted Zone: *.skoobidoo.com (HKLM)
    O15 - Trusted Zone: *.windupdates.com (HKLM)
    O15 - Trusted IP range: 67.19.178.84
    O15 - Trusted IP range: 67.19.178.84 (HKLM)
    O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\dioccvhj.exe
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...d639ebbf2e73:e135dfcf3e8658d4c1290992e9c18074
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28578.cab
    O16 - DPF: {2C38A62E-D257-40E8-8BB7-5624E38FEB0A} - http://67.72.100.27/dialerhost/download/NqnUWJyI/sexsoftware.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
    O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} (VacPro.internazionale_ver4) - http://advnt01.com/dialer/internazionale_ver4.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\..\{81480E50-7D25-4D07-B9F8-D71769BA749D}: NameServer = 192.189.54.17 203.8.183.1
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: ISEXEng - Unknown owner - C:\WINNT\system32\angelex.exe
    O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
    O23 - Service: ZESOFT - Unknown owner - C:\WINNT\zeta.exe
    O23 - Service: Remote Procedure Call (RPC) Helper (%AF夶À¨) - Unknown owner - C:\WINNT\system32\winwt32.exe
    maximus600, Mar 8, 2005
    #1

  2. RealBlackStuff Newcomer, in training

    What are you, a masochist? Half your log is about CRAP. You have to be a LOT more responsible WHERE you serve!
    I think you should update your Antivirus program, which dates from 2002!
    If money is an issue, try the free AVG from www.grisoft.com ==>> UNinstall the old AV first!!

    Boot in Safe Mode.
    Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:
    winwt32.exe
    winampa.exe
    appxg32.exe
    WinTaskAd.exe
    WinSched.exe
    iatr.exe
    internat.exe
    WebRebates1.exe
    WebRebates0.exe
    apjxzjm.exe
    addlb.exe
    apiel.exe
    crxvymk.exe
    svschost.exe ==>> watch the SPELLING <<==
    mslaugh.exe
    appxg32.exe
    gzcpgwt.exe
    nssys32.exe
    angelex.exe

    Next, UNinstall anything to do with this crap:
    C:\Program Files\Windows TaskAd\WinTaskAd.exe
    C:\Program Files\Web_Rebates\WebRebates1.exe

    Next, run HJT on its own and let it 'fix':
    Running processes:
    C:\WINNT\system32\winwt32.exe
    C:\Program Files\Winamp\winampa.exe
    C:\WINNT\system32\appxg32.exe
    C:\Program Files\Windows TaskAd\WinTaskAd.exe
    C:\Program Files\Windows TaskAd\WinSched.exe
    C:\Documents and Settings\Remy Gorgolon\Application Data\iatr.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\Web_Rebates\WebRebates1.exe
    C:\Program Files\Web_Rebates\WebRebates0.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\fesns.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\fesns.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\fesns.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\fesns.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\fesns.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\fesns.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\fesns.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {7BA9C52F-3A0D-2815-6A75-5375F628455D} - C:\WINNT\d3ym.dll
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [Microsoft Update] apjxzjm.exe
    O4 - HKLM\..\Run: [addlb.exe] C:\WINNT\system32\addlb.exe
    O4 - HKLM\..\Run: [apiel.exe] C:\WINNT\system32\apiel.exe
    O4 - HKLM\..\Run: [Microsoft Update Machine] crxvymk.exe
    O4 - HKLM\..\Run: [Configuration Loader] svschost.exe
    O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
    O4 - HKLM\..\Run: [appxg32.exe] C:\WINNT\system32\appxg32.exe
    O4 - HKLM\..\Run: [fvvelxdbb] C:\WINNT\System32\gzcpgwt.exe
    O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
    O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
    O4 - HKLM\..\Run: [block buster] C:\Documents and Settings\Remy Gorgolon\Local Settings\Temp
    O4 - HKLM\..\RunServices: [Microsoft Update] apjxzjm.exe
    O4 - HKLM\..\RunServices: [Microsoft Update Machine] crxvymk.exe
    O4 - HKLM\..\RunServices: [Configuration Loader] svschost.exe
    O4 - HKCU\..\Run: [Microsoft Update] apjxzjm.exe
    O4 - HKCU\..\Run: [Aoia] C:\Documents and Settings\Remy Gorgolon\Application Data\iatr.exe
    O4 - HKCU\..\Run: [Microsoft Update Machine] crxvymk.exe
    O4 - HKCU\..\Run: [Configuration Loader] svschost.exe
    O4 - HKCU\..\Run: [nsdriver] C:\WINNT\system32\nssys32.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

    ALL lines with O15 - Trusted ...
    ALL lines with O16 - DPF ...

    Unless these IP-addresses are from your ISP, also 'fix:
    O17 - HKLM\System\CCS\Services\Tcpip\..\{81480E50-7D25-4D07-B9F8-D71769BA749D}: NameServer = 192.189.54.17 203.8.183.1

    O23 - Service: ISEXEng - Unknown owner - C:\WINNT\system32\angelex.exe
    O23 - Service: ZESOFT - Unknown owner - C:\WINNT\zeta.exe
    O23 - Service: Remote Procedure Call (RPC) Helper (%AF夶À¨) - Unknown owner - C:\WINNT\system32\winwt32.exe

    When done, delete the highlighted bold files. When a directory-name is bold, delete everything in it, including that directory itself.
    You MUST clean your Temp directory as well.
    RealBlackStuff, Mar 8, 2005
    #2
Thread Status:
Not open for further replies.