Need Help Analyzing HiJack This log

By LAKelley2
Feb 13, 2005
Topic Status:
Not open for further replies.
  1. My son's computer has gone bonkers. I've run Spybot S&D, AdawareSE, MS Antispyware, Symantec, etc.... All with and without safe mode and with System Restore disabled. Msconfig and regedit are disabled... they will not come up, or will come up for a few seconds and disappear. He also runs AOL IM and was receiving suspicious IMs popping up unsolicited from his own screen name. We uninstalled AOL IM. I've been working on this for 2 days and cannot figure it out! All I've read on the web is about HiJack This, so I downloaded it and now need help with reading the logs. Please!!!! I'm not totally computer illiterate <sp?>, but do not want to delete things I know nothing about.

  2. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Put Hijackthis in a permanent directory of its own, e.g. c:\Program Files\HJT, NOT in Temp or on the desktop.
    With System Restore OFF, boot in safe mode.
    Press ctrl/alt/del and in Taskmanager try to STOP: MSNGMSNGR32.EXE (This is a fake)

    Next, run HJT on its own, and let it 'fix' if still there:
    C:\WINDOWS\system32\MSNGMSNGR32.EXE
    R3 - Default URLSearchHook is missing
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
    O4 - HKLM\..\Run: [Microsoft Instant Messenger] MSNGMSNGR32.EXE
    O4 - HKCU\..\RunOnce: [Microsoft Instant Messenger] MSNGMSNGR32.EXE
    O15 - Trusted Zone: http://*.windowsupdate.com

    When done, delete C:\WINDOWS\system32\MSNGMSNGR32.EXE
    Empty your Temp directory, delete all temp. internet files and cookies.
    Go to www.getfirefox.com and install Firefox. Use that for browsing from now on.
    Use IE only for Windows-updates, NOTHING else.
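
The entries listed in the reply above, run through a small triage script. This is an added example, not part of the original thread or of HijackThis itself; the `triage` function, its field names and the "no full path" heuristic are assumptions made for illustration.

```python
import re

# Entries quoted in the reply above, embedded so the script runs offline.
SAMPLE = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O4 - HKLM\..\Run: [Microsoft Instant Messenger] MSNGMSNGR32.EXE
O4 - HKCU\..\RunOnce: [Microsoft Instant Messenger] MSNGMSNGR32.EXE
O15 - Trusted Zone: http://*.windowsupdate.com
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")          # "<code> - <body>"
AUTORUN = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")
FULL_PATH = re.compile(r'^"?[A-Za-z]:\\')           # C:\... or "C:\...

SECTIONS = {  # meaning of the section codes that appear in this thread
    "R3": "IE URL search hook",
    "O2": "Browser Helper Object",
    "O4": "autostart entry",
    "O15": "IE Trusted Zone site",
}

def triage(log_text):
    """Return one dict per HijackThis entry, with review notes attached."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # log header, process list, blank lines
        code, body = m.groups()
        item = {"code": code, "section": SECTIONS.get(code, "other"), "notes": []}
        if body.endswith("(file missing)"):
            item["notes"].append("target file is not on disk")
        a = AUTORUN.match(body) if code == "O4" else None
        if a:
            item["hive"], item["key"], item["name"], item["command"] = a.groups()
            # Heuristic (assumption): a bare file name is found via the search path.
            if not FULL_PATH.match(item["command"]):
                item["notes"].append("no full path: resolved via search path")
        if code == "O15":
            item["notes"].append("confirm this site was trusted deliberately")
        findings.append(item)
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f["code"], f["section"], f.get("command", ""), f["notes"])
```
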
  3. LAKelley2

    LAKelley2 Newcomer, in training Topic Starter

    Fixes Worked

    Thanks realblackstuff... the computer seems to be working properly now. This is what I did:

    I put HJT in its own folder.
    Turned System Restore OFF and booted in safe mode.
    I could not get to the Taskmanager, so could not stop MSNGMSNGR32.exe.
    I ran HJT and the only thing that showed up from the list of things to fix you gave me was: O2 - BHO PCTools Site Guard.
    I did a search for MSNGMSNGR32.EXE on computer and deleted all instances.
    I also did a search in regedit for MSNGMSNGR32.exe and found 2 instances and deleted them (I know, I know)
    I found two other files in the registry that I had written down as suspicious... NVMsnW and MsVBdll... know anything about these files?
    I emptied Temp directory, etc.
    Rebooted in normal mode
    Downloaded Firefox (nice... thanks)
    Reran HJT in normal mode and found two other items to be fixed from your list:
    R3 - Default URLSearchHook is missing
    and
    O15 - Trusted Zone: <can't put the URL in... it's the microsoft one>
    I went ahead and had HJT "fix" them.

    Msconfig now works from start-->run and everything else seems to be working.

    I'm assuming I should now turn System Restore back on??

    I've attached the last HJT log from the scan I ran after I did all of the above.

    Thank you SO MUCH for your help!!!!
  4. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Run HJT again and let it fix:
    R3 - Default URLSearchHook is missing
    O15 - Trusted Zone: http://*.windowsupdate.com
    NEVER trust ANYONE for O15 !!!

    Both NVMsnW and MsVBdll are baddies. Remove from your Registry, note the extensions if any (.pif and/or .dll most likely) and delete all occurrences from your PC.

    When done, you can switch System Restore back on.
    Enjoy.
  5. LAKelley2

    LAKelley2 Newcomer, in training Topic Starter

    Thanks!

    realblackstuff - Thanks, I really appreciate the help! Everything's working great! Now if I can keep the kid from downloading everything in sight, I think I'll be able to keep my sanity :approve: