Need Help Analyzing HiJack This log

By LAKelley2 · 4 replies
Feb 13, 2005
  1. My son's computer has gone bonkers. I've run spybot s&d, AdawareSE, MS Antispyware, Symantec, etc.... All with and without safemode and with system restore disabled. Msconfig, regedit are disabled... will not come up or will come up for a few seconds and disappear. He also runs AOL IM and was receiving suspicious IM's popping up unsolicited from his own screen name. We uninstalled AOL IM. I've been working on this for 2 days and cannot figure it out! All I've read in web is about HiJack This, so I downloaded and now need help with reading the logs. Please!!!! I'm not totally computer illiterate <sp?>, but do not want to delete things I know nothing about.

  2. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Put Hijackthis in a permanent directory of its own, e.g. c:\Program Files\HJT, NOT in Temp or on the desktop.
    With System Restore OFF, boot in safe mode.
    Press ctrl/alt/del and in Taskmanager try to STOP: MSNGMSNGR32.EXE (This is a fake)

    Next, run HJT on its own, and let it 'fix' if still there:
    R3 - Default URLSearchHook is missing
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
    O4 - HKLM\..\Run: [Microsoft Instant Messenger] MSNGMSNGR32.EXE
    O4 - HKCU\..\RunOnce: [Microsoft Instant Messenger] MSNGMSNGR32.EXE
    O15 - Trusted Zone: http://*

    When done, delete C:\WINDOWS\system32\MSNGMSNGR32.EXE
    Empty your Temp directory, delete all temp. internet files and cookies.
    Go to and install Firefox. Use that for browsing from now on.
    Use IE only for Windows-updates, NOTHING else.
  3. LAKelley2

    LAKelley2 TS Rookie Topic Starter

    Fixes Worked

    Thanks realblackstuff... the computer seems to be working properly now. This is what I did:

    I put HJT in its own folder.
    Turned System Restore OFF and booted in safe mode.
    I could not get to the Taskmanager, so could not stop MSNGMSNGR32.exe.
    I ran HJT and the only thing that showed up from the list of things to fix you gave me was: O2 - BHO PCTools Site Guard.
    I did a search for MSNGMSNGR32.EXE on computer and deleted all instances.
    I also did a search in regedit for MSNGMSNGR32.exe and found 2 instances and deleted them (I know, I know)
    I found two other files in the registry that I had written down as suspicious... NVMsnW and MsVBdll... know anything about these files?
    I emptied Temp directory, etc.
    Rebooted in normal mode
    Downloaded Firefox (nice... thanks)
    Reran HJT in normal mode and found two other items to be fixed from your list:
    R3 - Default URLSearchHook is missing
    O15 - Trusted Zone: <can't put the URL in... it's the microsoft one>
    I went ahead and had HJT "fix" them.

    Msconfig now works from start-->run and everything else seems to be working.

    I'm assuming I should now turn System Restore back on??

    I've attached the last HJT log from the scan I ran after I did all of the above.

    Thank you SO MUCH for your help!!!!
  4. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Run HJT again and let it fix:
    R3 - Default URLSearchHook is missing
    O15 - Trusted Zone: http://*
    NEVER trust ANYONE for O15 !!!

    Both NVMsnW and MsVBdll are baddies. Remove from your Registry, note the extensions if any (.pif and/or .dll most likely) and delete all occurrences from your PC.

    When done, you can switch System Restore back on.
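
The triage done by hand in the replies above, sketched as an added example (not part of the original posts and not HijackThis's own code). It parses `section - detail` log lines and reports every O15 entry, anything marked missing, and O4 autostart entries whose executable is on a caller-supplied watchlist. The function names, the watchlist parameter and the `ExampleUpdater` line are assumptions made for illustration.

```python
import re

LINE_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")        # "O4 - <detail>"
O4_RE = re.compile(r"^[^:]+:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$")  # "key: [name] cmd"
EXE_RE = re.compile(r'([^\\/"\s:]+\.(?:exe|pif|dll|com|scr|bat))', re.I)

# Lines quoted in the thread, plus one constructed benign entry (ExampleUpdater).
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O4 - HKLM\..\Run: [Microsoft Instant Messenger] MSNGMSNGR32.EXE
O4 - HKCU\..\RunOnce: [Microsoft Instant Messenger] MSNGMSNGR32.EXE
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
O15 - Trusted Zone: http://*
"""

def parse_line(line):
    """Return (section, detail) for a log entry line, or None for anything else."""
    m = LINE_RE.match(line)
    return (m.group(1), m.group(2)) if m else None

def triage(log_text, watchlist=()):
    """Return (section, reason, detail) tuples for entries that need a manual look."""
    watch = {w.lower() for w in watchlist}
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        section, detail = parsed
        if section == "O15":
            # Every Trusted Zone entry is reported; a bare "*" host is the worst case.
            site = detail.split(":", 1)[-1].strip()
            host = re.sub(r"^[a-z]+://", "", site, flags=re.I)
            reason = "wildcard covers every site" if host == "*" else "trusted site, confirm it is wanted"
            findings.append((section, reason, detail))
        elif "missing" in detail.lower():
            findings.append((section, "entry points at something missing", detail))
        elif section == "O4":
            m = O4_RE.match(detail)
            exe = EXE_RE.search(m.group("cmd")) if m else None
            if exe and exe.group(1).lower() in watch:
                findings.append((section, "autostart of watchlisted file", detail))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, ["MSNGMSNGR32.EXE"]):
        print(*finding, sep=" | ")
```
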
  5. LAKelley2

    LAKelley2 TS Rookie Topic Starter


    realblackstuff - Thanks, I really appreciate the help! Everything's working great! Now if I can keep the kid from downloading everything in sight, I think I'll be able to keep my sanity :approve: