Hijackthis Log file...Please help

Computing.Net > Forums > Security and Virus > Hijackthis Log file...Please help

Computer Problems? Computing.Net has over 1,000,000 posts about all things technology related! Over 90% answered within 24 hours! Click here to start participating now! Also, be sure to check out the New User Guide.

Hijackthis Log file...Please help

Name: platinum_saleen
Date: January 7, 2004 at 11:20:41 Pacific
OS: Windows Xp
CPU/Ram: 2.5/256

Comment:

Hello...i ran the Spybot and fixed whatever it came up with, then i downloaded and ran Hijackthis and saved the logfile for review..my wepage was hijacked by royalsearch.net and Easy-Search.net..also all these porn sites keep saving themselves in my favorites ..thanks alot in advance for your suppoort and time in helping me sort this junk out of my pc
Logfile of HijackThis v1.97.7
Scan saved at 2:35:28 PM, on 1/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\ALCXMNTR.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\windows\system32\msdmxm.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.royalsearch.net/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sex-true.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.royalsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.royalsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.royalsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.royalsearch.net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sex-true.com/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.royalsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.royalsearch.net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.royalsearch.net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.royalsearch.net/search.html
O1 - Hosts: 198.65.164.171 ehttp.cc
O1 - Hosts: 198.65.164.168 winlink.biz
O1 - Hosts: 198.65.164.168 winlink.ws
O1 - Hosts: 198.65.164.168 ad45.com
O1 - Hosts: 198.65.164.168 www.ad45.com
O1 - Hosts: 198.65.164.168 ad77.com
O1 - Hosts: 198.65.164.168 www.ad77.com
O1 - Hosts: 198.65.164.168 ad86.com
O1 - Hosts: 198.65.164.168 www.ad86.com
O1 - Hosts: 198.65.164.168 ad25.com
O1 - Hosts: 198.65.164.168 www.ad25.com
O1 - Hosts: 198.65.164.168 00hq.com
O1 - Hosts: 198.65.164.168 www.00hq.com
O1 - Hosts: 198.65.164.168 8ad.com
O1 - Hosts: 198.65.164.168 www.8ad.com
O1 - Hosts: 198.65.164.168 searchv.com
O1 - Hosts: 198.65.164.168 www.searchv.com
O1 - Hosts: 198.65.164.168 008k.com
O1 - Hosts: 198.65.164.168 www.008k.com
O1 - Hosts: 198.65.164.170 www.search-aid.com
O1 - Hosts: 198.65.164.170 bis.180solutions.com
O1 - Hosts: 198.65.164.170 bisads.180solutions.com
O1 - Hosts: 198.65.164.170 www.orbitexplorer.com
O1 - Hosts: 198.65.164.170 www.sqwire.com
O1 - Hosts: 198.65.164.170 www.traffichog.com
O1 - Hosts: 198.65.164.170 www.commonname.com
O1 - Hosts: 198.65.164.170 allneedsearch.com
O1 - Hosts: 198.65.164.170 www.yellow500.com
O1 - Hosts: 198.65.164.170 www.008i.com
O1 - Hosts: 198.65.164.170 www.opsex.com
O1 - Hosts: 198.65.164.170 www.onlysex.ws
O1 - Hosts: 198.65.164.170 www.7days.ws
O1 - Hosts: 198.65.164.170 www.xsex.ws
O1 - Hosts: 198.65.164.170 www.700k.com
O1 - Hosts: 198.65.164.170 www.hotbookmark.com
O1 - Hosts: 198.65.164.170 www.runsearch.com
O1 - Hosts: 198.65.164.170 runsearch.com
O1 - Hosts: 198.65.164.170 www.search-about.net
O1 - Hosts: 198.65.164.170 go-all.com
O1 - Hosts: 198.65.164.170 go-acct.com
O1 - Hosts: 198.65.164.170 get-faster.com
O1 - Hosts: 198.65.164.170 get-data.net
O1 - Hosts: 198.65.164.170 get-certified.net
O1 - Hosts: 198.65.164.170 get-access.com
O1 - Hosts: 198.65.164.170 000info.com
O1 - Hosts: 198.65.164.170 0-days.net
O1 - Hosts: 198.65.164.170 0-2u.com
O1 - Hosts: 198.65.164.170 0-29.com
O1 - Hosts: 198.65.164.170 alfaporn.com
O1 - Hosts: 198.65.164.170 www.dotcomtoolbar.com
O1 - Hosts: 198.65.164.170 toteen.com
O1 - Hosts: 198.65.164.170 www.find-itnow.com
O1 - Hosts: 198.65.164.170 www.mixedporno.com
O1 - Hosts: 198.65.164.170 eliteteensites.com
O1 - Hosts: 198.65.164.170 start-search.com
O1 - Hosts: 198.65.164.170 www.lookfor.cc
O1 - Hosts: 198.65.164.170 www.hotsearchbox.com
O1 - Hosts: 198.65.164.170 www.smarter.com
O1 - Hosts: 198.65.164.170 www.icansearch.net
O1 - Hosts: 198.65.164.170 ie-search.com
O1 - Hosts: 198.65.164.170 www.search-1.net
O1 - Hosts: 198.65.164.170 swift-look.com
O1 - Hosts: 198.65.164.170 www.swift-look.com
O1 - Hosts: 198.65.164.170 search.lop.com
O1 - Hosts: 198.65.164.170 www.search2525.com
O1 - Hosts: 198.65.164.170 www.sureseeker.com
O1 - Hosts: 198.65.164.170 www.searchmeup.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: winlink module - {6CC1C91A-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\Owner\Application Data\winlink\winlink.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NAV CfgWiz] c:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Msoffice] C:\WINDOWS\Fonts\msoffice.hta
O4 - HKLM\..\Run: [Msdmxm] c:\windows\system32\msdmxm.exe /noconnect
O4 - HKLM\..\Run: [host] C:\WINDOWS\system32\hosts.vbs
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: MoneySide (HKLM)

Sponsored Link

Ads by Google

Response Number 1

Name: hacad
Date: January 7, 2004 at 13:04:09 Pacific

Reply:

Fix the following:
I would advise you use AdAware or Spybot to clean the rest.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.royalsearch.net/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sex-true.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.royalsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.royalsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.royalsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.royalsearch.net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sex-true.com/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.royalsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.royalsearch.net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.royalsearch.net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.royalsearch.net/search.html
O1 - Hosts: 198.65.164.171 ehttp.cc
O1 - Hosts: 198.65.164.168 winlink.biz
O1 - Hosts: 198.65.164.168 winlink.ws
O1 - Hosts: 198.65.164.168 ad45.com
O1 - Hosts: 198.65.164.168 www.ad45.com
O1 - Hosts: 198.65.164.168 ad77.com
O1 - Hosts: 198.65.164.168 www.ad77.com
O1 - Hosts: 198.65.164.168 ad86.com
O1 - Hosts: 198.65.164.168 www.ad86.com
O1 - Hosts: 198.65.164.168 ad25.com
O1 - Hosts: 198.65.164.168 www.ad25.com
O1 - Hosts: 198.65.164.168 00hq.com
O1 - Hosts: 198.65.164.168 www.00hq.com
O1 - Hosts: 198.65.164.168 8ad.com
O1 - Hosts: 198.65.164.168 www.8ad.com
O1 - Hosts: 198.65.164.168 searchv.com
O1 - Hosts: 198.65.164.168 www.searchv.com
O1 - Hosts: 198.65.164.168 008k.com
O1 - Hosts: 198.65.164.168 www.008k.com
O1 - Hosts: 198.65.164.170 www.search-aid.com
O1 - Hosts: 198.65.164.170 bis.180solutions.com
O1 - Hosts: 198.65.164.170 bisads.180solutions.com
O1 - Hosts: 198.65.164.170 www.orbitexplorer.com
O1 - Hosts: 198.65.164.170 www.sqwire.com
O1 - Hosts: 198.65.164.170 www.traffichog.com
O1 - Hosts: 198.65.164.170 www.commonname.com
O1 - Hosts: 198.65.164.170 allneedsearch.com
O1 - Hosts: 198.65.164.170 www.yellow500.com
O1 - Hosts: 198.65.164.170 www.008i.com
O1 - Hosts: 198.65.164.170 www.opsex.com
O1 - Hosts: 198.65.164.170 www.onlysex.ws
O1 - Hosts: 198.65.164.170 www.7days.ws
O1 - Hosts: 198.65.164.170 www.xsex.ws
O1 - Hosts: 198.65.164.170 www.700k.com
O1 - Hosts: 198.65.164.170 www.hotbookmark.com
O1 - Hosts: 198.65.164.170 www.runsearch.com
O1 - Hosts: 198.65.164.170 runsearch.com
O1 - Hosts: 198.65.164.170 www.search-about.net
O1 - Hosts: 198.65.164.170 go-all.com
O1 - Hosts: 198.65.164.170 go-acct.com
O1 - Hosts: 198.65.164.170 get-faster.com
O1 - Hosts: 198.65.164.170 get-data.net
O1 - Hosts: 198.65.164.170 get-certified.net
O1 - Hosts: 198.65.164.170 get-access.com
O1 - Hosts: 198.65.164.170 000info.com
O1 - Hosts: 198.65.164.170 0-days.net
O1 - Hosts: 198.65.164.170 0-2u.com
O1 - Hosts: 198.65.164.170 0-29.com
O1 - Hosts: 198.65.164.170 alfaporn.com
O1 - Hosts: 198.65.164.170 www.dotcomtoolbar.com
O1 - Hosts: 198.65.164.170 toteen.com
O1 - Hosts: 198.65.164.170 www.find-itnow.com
O1 - Hosts: 198.65.164.170 www.mixedporno.com
O1 - Hosts: 198.65.164.170 eliteteensites.com
O1 - Hosts: 198.65.164.170 start-search.com
O1 - Hosts: 198.65.164.170 www.lookfor.cc
O1 - Hosts: 198.65.164.170 www.hotsearchbox.com
O1 - Hosts: 198.65.164.170 www.smarter.com
O1 - Hosts: 198.65.164.170 www.icansearch.net
O1 - Hosts: 198.65.164.170 ie-search.com
O1 - Hosts: 198.65.164.170 www.search-1.net
O1 - Hosts: 198.65.164.170 swift-look.com
O1 - Hosts: 198.65.164.170 www.swift-look.com
O1 - Hosts: 198.65.164.170 search.lop.com
O1 - Hosts: 198.65.164.170 www.search2525.com
O1 - Hosts: 198.65.164.170 www.sureseeker.com
O1 - Hosts: 198.65.164.170 www.searchmeup.com
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
Disable Nwiz.exe in your startup you really do not need it, plus you can bring it back if you do.

Response Number 2

Name: iceblue
Date: January 7, 2004 at 13:28:55 Pacific

Reply:

Have Hjt fix these as well.
O4 - HKLM\..\Run: [Msoffice] C:\WINDOWS\Fonts\msoffice.hta
O4 - HKLM\..\Run: [Msdmxm] c:\windows\system32\msdmxm.exe /noconnect
O4 - HKLM\..\Run: [host] C:\WINDOWS\system32\hosts.vbs
But make sure that you download and run a new update of CWShredder.exe
CWShredder.exe
and click �Open� and 'Fix' ; or 'Scan' and �Next�;
(obtain a new version for each run; there is a recent update)
Make sure that you click 'Next' and don't just scan only.
For the full story on CWS:
New address: http://www.merijn.org/cwschronicles.html
Rescan with HijackThis and repost:
The bottom half of your log is missing.

Response Number 3

Name: platinum_saleen
Date: January 7, 2004 at 13:33:51 Pacific

Reply:

thanks for your speedy response..i deleted the entries you said were bad..i then restarted my computer and ran spybot, it found nothing..i then ran Hijackthis agian and found the entries i listed below...the one's you told me to delete still came back!!!please help...thanks again for the good work you guys are doing to help people out!!
Logfile of HijackThis v1.97.7
Scan saved at 1:24:24 PM, on 1/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\ALCXMNTR.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\windows\system32\msdmxm.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.royalsearch.net/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sex-true.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.royalsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.royalsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.royalsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.royalsearch.net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sex-true.com/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.royalsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.royalsearch.net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.royalsearch.net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.royalsearch.net/search.html
O1 - Hosts: 66.98.142.163 auto.search.msn.com
O1 - Hosts: 66.98.142.163 search.msn.com
O1 - Hosts: 66.98.142.163 msn.com
O1 - Hosts: 66.98.142.163 www.msn.com
O1 - Hosts: 66.98.142.163 yahoo.com
O1 - Hosts: 66.98.142.163 www.yahoo.com
O1 - Hosts: 66.98.142.163 google.com
O1 - Hosts: 66.98.142.163 www.google.com
O1 - Hosts: 66.98.142.163 thenun.com
O1 - Hosts: 66.98.142.163 www.thehun.com
O1 - Hosts: 66.98.142.163 thehun.net
O1 - Hosts: 66.98.142.163 www.thehun.net
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: winlink module - {6CC1C91A-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\Owner\Application Data\winlink\winlink.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NAV CfgWiz] c:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Msoffice] C:\WINDOWS\Fonts\msoffice.hta
O4 - HKLM\..\Run: [Msdmxm] c:\windows\system32\msdmxm.exe /noconnect
O4 - HKLM\..\Run: [host] C:\WINDOWS\system32\hosts.vbs
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: MoneySide (HKLM)
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

Response Number 4

Name: VKS1
Date: January 7, 2004 at 15:24:04 Pacific

Reply:

It's a new worm or virus. Go to <Symantec.com> (or McAffee) and update your virus definitions. Run a complete computer scan.
Also...there is a new worm being sent as a .zip file with a subject line: with the words "PAYPAL.COM" in it. DO NOT OPEN THE FILE. DELETE IT!

Response Number 5

Name: VKS1
Date: January 7, 2004 at 15:35:44 Pacific

Reply:

Check this out on Symantec.com (Click on latest threats) It sounds just like your problem
W32.Bizten
Discovered on: January 06, 2004
Last Updated on: January 06, 2004 10:57:39 AM
W32.Bizten is a Trojan horse that modifies the Internet Explorer home page and adds URLs to your Favorites list without your permission.

http://vil.mcafee.com/vil/RAT10566.asp antivirius thehun.net	auto search msn response system32 hosts hijackthis log file location
See More

Response Number 6

Name: sxshep
Date: January 7, 2004 at 15:56:47 Pacific

Reply:

Did you run CW Shredder yet?
It should take care of a lot of the problems.

Shep

Response Number 7

Name: hacad
Date: January 7, 2004 at 17:51:31 Pacific

Reply:

Sorry should have directed you to take care of the registry entries as well.
See link for removing royalsearch or royal pain in the ass as I refer to it.
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100865
or
http://vil.nai.com/vil/content/v_100865.htm
YOU WILL HAVE TO LOOK AT YOUR C:\ AND C:\WINDOW DIRECTORIES FOR .exe FILES THAT DO NOT LOOK FAMILIAR TO YOU IF YOU DO A PROPERTIES ON THEM AND THEY HAVE $ IN ANY OF THE DESCRIPTORS THEN DELETE THE FILES.
Unfortunately these things place and hide files all over your pc so unless you get into the registry and delete ALL the reminants they tend to come back.
As listed before C:\, C:\windows and some even in program files you will probably find a royal search folder in your program files directory or even you temp directory.

Response Number 8

Name: platinum_saleen
Date: January 7, 2004 at 18:16:39 Pacific

Reply:

Thank you all so much for the needed help i deleted the rest of the entries you said were bad after running Hijackthis..i then did the online scan Rav Antivirius..i then downloaded and ran CW Shredder and that did the final touches of my problem i was having...My computer is back to were it was before CLEAN of these junk worms and Trojan viruses...WHY can't these poeple use their powers for good and evil and stop writing these Viruses..Anyway thank you all for the help and SPEEDY responses..Happy new year to all!!!

Response Number 9

Name: iceblue
Date: January 7, 2004 at 23:29:20 Pacific

Reply:

hmmm..
I would post a new log to make sure it is CLEAN !
But do have a happy new year !

Response Number 10

Name: iceblue
Date: January 8, 2004 at 00:08:41 Pacific

Reply:

It would be very advisable to run these full time on your system.
Spywareblaster
SpywareGuard
BTW, the reason for the CWShredder.exe
treatment is because there were CoolWebSearch hijackers on your system.
There are twenty something variants and the Shredder removes the lot and all associated files.
* This also helps to clean up the log so we can get a better look at it, and anything that might be hiding. It also saves you from fix checking what can be hundreds of 01 entries. So its a serious productivity tool all round.
Check it out at: CoolWebSearch Chronicles
hth
iceblue

Response Number 11

Name: platinum_saleen
Date: January 8, 2004 at 08:05:13 Pacific

Reply:

Hello..here is my Hijackthis log after cleaning it up with..Spybot, Hijackthis, CW shredder. My computer has been running fine so far, it also removed all the porn URL's from my favorites folder..
Logfile of HijackThis v1.97.7
Scan saved at 8:02:39 AM, on 1/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\ALCXMNTR.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMJB.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 7 for hijackthis.zip\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NAV CfgWiz] c:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: MoneySide (HKLM)
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

Response Number 12

Name: iceblue
Date: January 8, 2004 at 10:04:57 Pacific

Reply:

ouch! First, please take Hijack out of a temp folder >> permanent directory.
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 7 for hijackthis.zip\HijackThis.exe
Then: enjoy the rest of the day.
Your log is clean.
iceblue

Sponsored Link

Ads by Google

Destination email domain ...

Virus of some kind bkdr_...

Post Locked

This post is quite old and has been locked from receiving new replies. Please create a new posting instead.

Go to Security and Virus Forum Home

Sponsored links

Ads by Google

Results for: Hijackthis Log file...Please help

Help Globofind-HiJackThis Log File

Summary

www.computing.net/answers/security/help-globofindhijackthis-log-file/18129.html

hijackthis log file help

Summary

www.computing.net/answers/security/hijackthis-log-file-help/10066.html

hijackthis log file problem

Summary

www.computing.net/answers/security/hijackthis-log-file-problem/13957.html

From the Geek Dictionary
LNBK - Acronym for loose nut behind keyboard. Used by IT and computer technicians ...

Ask a Question!

Weekly Poll
Do you believe in Video Game Addiction?

Poll Finishes In 5 Days.
Discuss in The Lounge
Poll History

Recent Posts
need to reinstall home and student word

Ram problem

i cant play games online

XP Home activation loop

Microphone not working

All Awaiting Reply

Tom's News
Queues in Manhattan Form as DROID Launches

Report: $99 iPhone 3GS in Time For the Holidays

Game Boy, Ball Gets Into Toy Hall of Fame

iPhone Developer Stealing Private Info

Nintendo: There is No Wii HD

More Tom's Guide News

Data Recovery

Manufacturer List | About Us | Advertising Info | Contact Us
The information on Computing.Net is the opinions of its users. Such opinions may not be accurate and they are to be used at your own risk. Computing.Net cannot verify the validity of the statements made on this site. Computing.Net and Computing.Net LLC hereby disclaim all responsibility and liability for the content of Computing.Net and its accuracy.
PLEASE READ THE FULL DISCLAIMER AND LEGAL TERMS BY CLICKING HERE