Author Topic: Analysis of Highjack registry  (Read 2177 times)

robert0614
Analysis of Highjack registry
« on: April 03, 2005, 01:08:38 PM »
Can anyone let me know which of these I need to remove from my registry, please!!!!

Logfile of HijackThis v1.99.1
Scan saved at 1:52:45 PM, on 04/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Oemji\Toolbar\PopupBlocker\OemjiPopupBlocker.exe
C:\Program Files\Security iGuard\Security iGuard.exe
C:\Program Files\Security iGuard\Security iGuard.exe
C:\Program Files\Security iGuard\Security iGuard.exe
C:\Program Files\Security iGuard\Security iGuard.exe
C:\WINDOWS\System32\ifkmuu.exe
C:\WINDOWS\System32\calc.exe
C:\Program Files\Netscape\Netscape 6\Netscp.exe
C:\Documents and Settings\Rob\Desktop\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Rob\Application Data\Mozilla\Profiles\default\d2iailqq.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Rob\Application Data\Mozilla\Profiles\default\d2iailqq.slt\prefs.js)
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PBlockadeHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\Oemji\Toolbar\PopupBlocker\PBHelper.dll
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho13.dll
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-716D74632608} - C:\WINDOWS\system32\mtc2608.dll
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765723548} - C:\WINDOWS\system32\wer3548.dll
O2 - BHO: OemjiSearchPlus - {D240DC29-C093-4388-B71F-A7103C796B0C} - C:\Program Files\Oemji\OemjiSearchPlus\OemjiPls.dll
O3 - Toolbar: Oemji - {804DB5C7-31E6-4885-850A-F1941B58A4C7} - C:\Program Files\Oemji\Toolbar\OemjiSrc.dll
O3 - Toolbar: MBKWBar - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - C:\Program Files\MBKWBar\IEToolBar.dll
O4 - HKLM\..\Run: [ifkmuu] c:\windows\system32\ifkmuu.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKLM\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Microsoft AntiSpyware helper - {A68ABBDC-88CA-4516-BFFF-1DBC4C6A9D10} - C:\WINDOWS\system32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A68ABBDC-88CA-4516-BFFF-1DBC4C6A9D10} - C:\WINDOWS\system32\wldr.dll
O9 - Extra button: Microsoft AntiSpyware helper - {C6329153-C3F1-4ABE-98E1-47C0EB2304A9} - C:\WINDOWS\system32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {C6329153-C3F1-4ABE-98E1-47C0EB2304A9} - C:\WINDOWS\system32\wldr.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {0D1460B0-6453-4C2A-A895-A57EFBA73CC8} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {0D1460B0-6453-4C2A-A895-A57EFBA73CC8} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {6D2DC1E3-B6E1-48E4-A221-8F9EF84E5B69} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {6D2DC1E3-B6E1-48E4-A221-8F9EF84E5B69} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {A68ABBDC-88CA-4516-BFFF-1DBC4C6A9D10} - C:\WINDOWS\system32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A68ABBDC-88CA-4516-BFFF-1DBC4C6A9D10} - C:\WINDOWS\system32\wldr.dll (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {C6329153-C3F1-4ABE-98E1-47C0EB2304A9} - C:\WINDOWS\system32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {C6329153-C3F1-4ABE-98E1-47C0EB2304A9} - C:\WINDOWS\system32\wldr.dll (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

guestolo
« Reply #1 on: April 03, 2005, 02:55:18 PM »
Access your Add/Remove programs and remove if found
Search Toolbar
Tubby/ADV 'Advanced Search
Sidefind
MBKWBar


Restart your computer if anything was removed

If there was no entry for Sidefind, or it would not uninstall,
try the following.
Copy and paste these instructions to a Notepad file and leave it on your desktop

Close down all browser windows, including this one
Go to START>>RUN>>
Copy and paste the line below into the Open field and hit OK

C:\Program Files\Sidefind\update\sidefind.exe /remove

If you get a prompt to proceed with the uninstall
Click YES>>>next prompt click YES again

Afterwards
If you purposely installed Security iGuard and have not paid for it,
I would uninstall it as it's on the Rogue list>>Bogus
Read more info at the below link
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Restart the computer if you opt to remove it

Post back a fresh Hijackthis log afterwards and let me know what you were able to Remove

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


robert0614
« Reply #2 on: April 03, 2005, 06:30:22 PM »
Thanks, I think I removed it already, so it couldn't find it when I did what you suggested.  Anyway, here is the registry (should I get rid of all the O2's?):



Logfile of HijackThis v1.99.1
Scan saved at 7:24:32 PM, on 04/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\SpyFighter\SpyFighter.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Netscape\Netscape 6\Netscp.exe
C:\Documents and Settings\Rob\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://daosearch.com/index.php?id=11258
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Rob\Application Data\Mozilla\Profiles\default\d2iailqq.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Rob\Application Data\Mozilla\Profiles\default\d2iailqq.slt\prefs.js)
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PBlockadeHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\Oemji\Toolbar\PopupBlocker\PBHelper.dll
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho13.dll
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-716D74632608} - C:\WINDOWS\system32\mtc2608.dll
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765723548} - C:\WINDOWS\system32\wer3548.dll
O2 - BHO: OemjiSearchPlus - {D240DC29-C093-4388-B71F-A7103C796B0C} - C:\Program Files\Oemji\OemjiSearchPlus\OemjiPls.dll
O3 - Toolbar: Oemji - {804DB5C7-31E6-4885-850A-F1941B58A4C7} - C:\Program Files\Oemji\Toolbar\OemjiSrc.dll
O3 - Toolbar: MBKWBar - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - C:\Program Files\MBKWBar\IEToolBar.dll
O4 - HKLM\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
O4 - HKLM\..\RunOnce: [SpyFighter] "C:\Program Files\SpyFighter\SpyFighter.exe" complete
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {0D1460B0-6453-4C2A-A895-A57EFBA73CC8} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {0D1460B0-6453-4C2A-A895-A57EFBA73CC8} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {6D2DC1E3-B6E1-48E4-A221-8F9EF84E5B69} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {6D2DC1E3-B6E1-48E4-A221-8F9EF84E5B69} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {A68ABBDC-88CA-4516-BFFF-1DBC4C6A9D10} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A68ABBDC-88CA-4516-BFFF-1DBC4C6A9D10} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {C6329153-C3F1-4ABE-98E1-47C0EB2304A9} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {C6329153-C3F1-4ABE-98E1-47C0EB2304A9} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

guestolo
« Reply #3 on: April 03, 2005, 07:31:06 PM »
Please Print this out or save these instructions to a Notepad file and save it to your Desktop

Download FixBinet.exe and save it to your desktop
Don't run it yet

Do another scan with Hijackthis and put a check next to these entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://daosearch.com/index.php?id=11258

O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll

O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho13.dll
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-716D74632608} - C:\WINDOWS\system32\mtc2608.dll
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765723548} - C:\WINDOWS\system32\wer3548.dll

O3 - Toolbar: MBKWBar - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - C:\Program Files\MBKWBar\IEToolBar.dll
O4 - HKLM\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
O4 - HKLM\..\RunOnce: [SpyFighter] "C:\Program Files\SpyFighter\SpyFighter.exe" complete
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe

O9 - Extra button: Microsoft AntiSpyware helper - {6D2DC1E3-B6E1-48E4-A221-8F9EF84E5B69} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {6D2DC1E3-B6E1-48E4-A221-8F9EF84E5B69} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {A68ABBDC-88CA-4516-BFFF-1DBC4C6A9D10} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A68ABBDC-88CA-4516-BFFF-1DBC4C6A9D10} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {C6329153-C3F1-4ABE-98E1-47C0EB2304A9} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {C6329153-C3F1-4ABE-98E1-47C0EB2304A9} - (no file) (HKCU)



After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

If you now have SpyFighter installed, Remove that too
You can read why from the same link I supplied
earlier in the Rogue list

Afterwards
RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, or use the link for a more detailed explanation

Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Find and delete these files or folders if found
C:\WINDOWS\System32\srvc32.exe <-file
C:\WINDOWS\System32\spoolsrv32.exe <-file, don't delete anything else because it looks similar
C:\WINDOWS\system32\mtc2608.dll
C:\WINDOWS\system32\wer3548.dll
C:\WINDOWS\dlmax.dll

C:\Program Files\SideFind <-folder
C:\Program Files\MBKWBar <-folder
C:\Program Files\SpyFighter <-folder
C:\Program Files\Security iGuard <-folder

Stay in safe mode
Run the FixBinet.exe tool from Symantec
Let it scan your drive and fix what it finds
Let me know if it finds anything

Restart back to Normal mode

If you want a couple of free Spyware Cleaners
I very much recommend you now do the following
Download and Install the free version of Ad-Aware SE Personal 1.05
Ensure you have this version or the paid version
Open Ad-Aware, make sure to click the Check for updates now link and Connect to download the latest updates
Perform a Full system scan
When it's finished scanning
At this point you should either right-click on the screen and choose the "Select All" Objects option, or individually put a checkmark in each object's checkbox,
then click on the Next button. Ad-Aware SE will now present you with a confirmation box asking whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer to finish the cleaning process

After that
Download and Install Spybot S&D 1.3
After installation--SEARCH FOR UPDATES
Check and Download all updates
Then:
Check for Problems>>Let it finish the scan---FIX everything in RED
Should be checked by default

Restart the computer to finish the cleaning process

Post back a fresh Hijackthis log
« Last Edit: April 03, 2005, 07:32:23 PM by guestolo »



robert0614
« Reply #4 on: April 04, 2005, 09:59:43 PM »
Thank you so much and here is my new registry.  

Logfile of HijackThis v1.99.1
Scan saved at 10:58:23 PM, on 04/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\SpyFighter\SpyFighter.exe
C:\Program Files\Netscape\Netscape 6\Netscp.exe
C:\Documents and Settings\Rob\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Rob\Application Data\Mozilla\Profiles\default\d2iailqq.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Rob\Application Data\Mozilla\Profiles\default\d2iailqq.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PBlockadeHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\Oemji\Toolbar\PopupBlocker\PBHelper.dll
O2 - BHO: OemjiSearchPlus - {D240DC29-C093-4388-B71F-A7103C796B0C} - C:\Program Files\Oemji\OemjiSearchPlus\OemjiPls.dll
O3 - Toolbar: Oemji - {804DB5C7-31E6-4885-850A-F1941B58A4C7} - C:\Program Files\Oemji\Toolbar\OemjiSrc.dll
O4 - HKLM\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {0D1460B0-6453-4C2A-A895-A57EFBA73CC8} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {0D1460B0-6453-4C2A-A895-A57EFBA73CC8} - (no file) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

guestolo
« Reply #5 on: April 04, 2005, 10:45:25 PM »
Look for these files and delete them if found

C:\t.exe
C:\n.exe
C:\m.exe

C:\WINDOWS\System32\srvc32.exe
C:\WINDOWS\System32\spoolsrv32.exe


Do another scan with Hijackthis and put a check next to these entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

O4 - HKLM\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe

O9 - Extra button: Microsoft AntiSpyware helper - {0D1460B0-6453-4C2A-A895-A57EFBA73CC8} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {0D1460B0-6453-4C2A-A895-A57EFBA73CC8} - (no file) (HKCU)


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart your computer

I still see SpyFighter installed, did you get persuaded to purchase it????

Both Spybot and Ad-Aware have free versions
Did you install them both??
« Last Edit: April 04, 2005, 11:13:21 PM by guestolo »

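Added example, not code from this thread or from HijackThis: a small Python triage script for the kind of log posted above. It parses the R0/O2/O3/O4/O9 lines, applies the checks guestolo applied by eye in Reply #3 and Reply #5 (RunOnce autostarts that survive a reboot, names that imitate Windows binaries such as spoolsrv32 vs spoolsv, orphaned "(no file)" entries, browser-helper DLLs outside Program Files, a changed start page) and diffs two logs so a follow-up log can be checked mechanically. The sample logs are constructed, trimmed copies of the second and third logs in this thread; the heuristics and the SYSTEM_NAMES list are assumptions of mine, not anything HijackThis ships.

```python
"""Triage helper for HijackThis-style logs (added example, not from the thread or HijackThis)."""
import os
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section kind name path raw")
LINE_RE = re.compile(r"^(?P<sec>[RNO]\d+)\s+-\s+(?P<body>.*)$")
# O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4_RE = re.compile(r"^(HK\w+)\\\.\.\\(Run\w*):\s+\[([^\]]*)\]\s+(.*)$")
# O2 - BHO: DLMaxObj Class - {CLSID} - C:\WINDOWS\dlmax.dll   (O3 and O9 look the same)
CLSID_RE = re.compile(r"^([^:]+):\s+(.*?)\s+-\s+\{[0-9A-Fa-f-]+\}\s+-\s+(.*)$")
# Genuine Windows binaries whose names malware imitates (spoolsrv32.exe vs spoolsv.exe)
SYSTEM_NAMES = {"smss", "winlogon", "services", "lsass", "svchost", "spoolsv", "explorer"}

def parse(text):
    """Turn log lines into Entry tuples; process lists and headers are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.groups()
        kind, name, path = sec, "", body
        if sec == "O4" and O4_RE.match(body):
            hive, key, name, cmd = O4_RE.match(body).groups()
            kind = hive + "\\" + key
            # a quoted command ("C:\x\y.exe" complete) carries arguments: keep the path only
            path = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd
        elif CLSID_RE.match(body):
            kind, name, path = CLSID_RE.match(body).groups()
        elif sec == "R0":
            kind, _, path = (s.strip() for s in body.partition("="))
        entries.append(Entry(sec, kind, name, path, raw.strip()))
    return entries

def flag(entry):
    """Reasons (possibly none) why this entry deserves a closer look."""
    reasons, p = [], entry.path
    stem = re.sub(r"\.[A-Za-z0-9]+$", "", p.rsplit("\\", 1)[-1]).lower()  # bare file name
    if "(no file)" in p or "(file missing)" in p:
        reasons.append("points at a file that no longer exists (orphaned entry)")
    for known in sorted(SYSTEM_NAMES):
        if stem != known and len(os.path.commonprefix([stem, known])) >= 5:
            reasons.append("name imitates the Windows binary %s.exe" % known)
    if entry.section == "O4" and "RunOnce" in entry.kind:
        reasons.append("RunOnce autostart: a genuine one is gone after the next boot, "
                       "one that survives is being re-created")
    if entry.section in ("O2", "O3") and "program files" not in p.lower():
        reasons.append("browser helper DLL outside Program Files; verify the vendor")
    if entry.section == "R0" and p:
        reasons.append("start page is set to %s; confirm you chose it" % p)
    return reasons

def triage(text):
    """Map each suspicious raw line to its reasons."""
    return {e.raw: r for e in parse(text) if (r := flag(e))}

def diff_logs(before, after):
    """What a fix removed, what is new, and which RunOnce entries survived a reboot."""
    b = {e.raw for e in parse(before)}
    a = {e.raw for e in parse(after)}
    kept = [e.raw for e in parse(after) if e.raw in b and "RunOnce" in e.kind]
    return {"removed": sorted(b - a), "new": sorted(a - b), "persisting_runonce": kept}

# Constructed samples: trimmed copies of the second and third logs posted in this thread.
LOG_BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://daosearch.com/index.php?id=11258
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-716D74632608} - C:\WINDOWS\system32\mtc2608.dll
O4 - HKLM\..\RunOnce: [SpyFighter] "C:\Program Files\SpyFighter\SpyFighter.exe" complete
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O9 - Extra button: Microsoft AntiSpyware helper - {A68ABBDC-88CA-4516-BFFF-1DBC4C6A9D10} - (no file) (HKCU)
"""
LOG_AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
"""
```

Running triage(LOG_BEFORE) flags five of the five sample entries and diff_logs(LOG_BEFORE, LOG_AFTER) reports the spoolsrv32 RunOnce entry as persisting, which is exactly the situation guestolo spotted when the same entry showed up in the third log.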


robert0614
« Reply #6 on: April 06, 2005, 08:29:16 PM »
Hello,
     I did get rid of it; I just had to figure out how to do it, which I did.  I have Spybot still installed and will use it.  Thank you for all your help, I appreciate it a lot.

guestolo
« Reply #7 on: April 06, 2005, 08:33:23 PM »
Whoops, sorry, I didn't ask to see a fresh Hijackthis log, can you post one please
Let's make sure you're clean

Did you install the OemjiSearchPlus toolbar on purpose?
It's optional, I'm just curious



guestolo
« Reply #8 on: April 06, 2005, 08:35:53 PM »
Ad-Aware is a great free spyware removal tool also

Is Spybot right up to date??
Can you open Spybot>>Click HELP>>ABOUT>>
Let me know latest detection date and Spybot version, thanks
