nemethjames1's HiJack This log

If you're under attack by spyware, adware, malware or the likes, post your HiJack This! log here for analysis.

Moderator: 127.0.0.1

Postby nemethjames1 » Thu Sep 30, 2004 5:07 pm

Logfile of HijackThis v1.97.7
Scan saved at 9:38:49 PM, on 9/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\twain_32\SiPix\SCBlink2\Srvany.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\twain_32\SiPix\SCBlink2\USBPNP.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Shareaza\Shareaza.exe
C:\Program Files\Hmonitor\hmonitor.exe
C:\Documents and Settings\Whitey\Desktop\HijackThis.exe
C:\WINDOWS\System32\svchost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmiracle.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://s-redirect.com/?a=2&b=n-ex
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ymgyv.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ymgyv.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ymgyv.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - URLSearchHook: (no name) - {0C301385-1FF8-2AB2-77F1-C59281F2D383} - C:\WINDOWS\Wxtjgcno.dll
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81C3A} - C:\WINDOWS\EliteBar\ELITEB~1.DLL
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA880F} - C:\WINDOWS\EliteBar\ELITEB~1.DLL
O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winkyk32.exe
O4 - Global Startup: 2Wire Wireless Client Manager.lnk = C:\Program Files\2Wire Wireless\Client Manager\CmTWO.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: AIM (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/c ... pote_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc ... flash.cab..




Is this what you meant, cyberacharya?
nemethjames1
Desktop Support
 
Posts: 105
Joined: Sat Sep 04, 2004 2:04 am
Location: santa rosa california

Postby tater salad » Thu Sep 30, 2004 5:51 pm

Ya, that is what he meant.. but I am not good with those, so I won't give any advice for those...... One thing I can help you with is the adware: go to lavasoft.com and download Ad-Aware, and then do a Google search for Spybot Search and Destroy and download it. Run them both.
tater salad
End-Loser
 
Posts: 79
Joined: Wed Sep 22, 2004 8:07 pm
Location: spanaway

Postby virus » Thu Sep 30, 2004 7:41 pm

Yeah for Spybot.....it's fricken awesome.
virus
Level 3 Tech
 
Posts: 215
Joined: Sat Sep 18, 2004 11:14 am

Postby tater salad » Thu Sep 30, 2004 9:42 pm

Hey, for the Ad-Aware problem, check your quarantine; it probably has adware in it that is still working. Also, you can download Mozilla Firefox, and it has a built-in popup blocker.
tater salad
End-Loser
 
Posts: 79
Joined: Wed Sep 22, 2004 8:07 pm
Location: spanaway

Postby 127.0.0.1 » Thu Sep 30, 2004 9:46 pm

These lines look suspicious because of the default search URL
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmiracle.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://s-redirect.com/?a=2&b=n-ex

These lines look suspicious to me, unless you have the “EliteBar” installed on purpose
O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81C3A} - C:\WINDOWS\EliteBar\ELITEB~1.DLL
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA880F} - C:\WINDOWS\EliteBar\ELITEB~1.DLL

These are the ones that really stuck out to me.
And yes I would suggest you run spybot and ad-aware
127.0.0.1
Mod
 
Posts: 1200
Joined: Sun Aug 15, 2004 11:07 pm
Location: East Lansing, MI
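
The triage described in the post above, written out as an added example that is not part of the original thread and is not HijackThis's own logic. The function names, `trusted_hosts` and `approved_clsids` are assumptions made for illustration; the sample entries are copied from the log posted earlier in this thread.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a few entries copied from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmiracle.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ymgyv.dll/sp.html#29126
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81C3A} - C:\WINDOWS\EliteBar\ELITEB~1.DLL
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA880F} - C:\WINDOWS\EliteBar\ELITEB~1.DLL
O4 - Global Startup: 2Wire Wireless Client Manager.lnk = C:\Program Files\2Wire Wireless\Client Manager\CmTWO.exe
"""

ENTRY = re.compile(r"^(R[0-3]|O\d{1,2}) - (.+)$")   # section code, then the entry body
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

def parse(log):
    """Return (code, body) pairs for every section line in a HijackThis log."""
    return [m.groups() for m in map(ENTRY.match, log.splitlines()) if m]

def review(log, trusted_hosts=frozenset(), approved_clsids=frozenset()):
    """Flag entries a reviewer should look at; returns (code, reason, detail) tuples."""
    findings = []
    for code, body in parse(log):
        if code in ("R0", "R1"):                      # IE start/search page values
            value = body.partition(" = ")[2].strip()
            if value.lower().startswith("res://"):
                findings.append((code, "page loaded from a local DLL resource", value))
            elif value.lower().startswith(("http://", "https://")):
                host = urlparse(value).hostname
                if host not in trusted_hosts:         # about:blank never reaches here
                    findings.append((code, f"unrecognised host {host}", value))
        elif code == "O1":                            # hosts-file redirection
            findings.append((code, "hosts-file override", body.partition(": ")[2]))
        elif code in ("O2", "O3"):                    # BHOs and toolbars
            m = CLSID.search(body)
            if m and m.group(0).upper() not in approved_clsids:
                findings.append((code, "unapproved browser add-on", body.rsplit(" - ", 1)[-1]))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

With empty allowlists every search-page host and every add-on is reported, which matches a first pass where nothing on the machine is known to be intentional.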

Postby nemethjames1 » Thu Sep 30, 2004 11:46 pm

Yeah, I went and deleted just about everything I didn't want, including that EliteBar; so far it seems to be OK... no ads anyways... but Ad-Aware didn't do it, and I also deleted everything quarantined and same thing... but I'll see if it still acts up...
nemethjames1
Desktop Support
 
Posts: 105
Joined: Sat Sep 04, 2004 2:04 am
Location: santa rosa california

Postby nemethjames1 » Fri Oct 01, 2004 1:18 am

If you are seeing this page, your browser settings prevent you from automatically redirecting to a new URL.
Please click here to continue.



This is what I get when I go to my eBay or try to sell something on there... and a few other sites, how can I fix this?
nemethjames1
Desktop Support
 
Posts: 105
Joined: Sat Sep 04, 2004 2:04 am
Location: santa rosa california

Postby 127.0.0.1 » Sat Oct 02, 2004 6:38 pm

nemethjames1 wrote: If you are seeing this page, your browser settings prevent you from automatically redirecting to a new URL.
Please click here to continue.



This is what I get when I go to my eBay or try to sell something on there... and a few other sites, how can I fix this?

If you're using IE, I know there is a way to set your browser back to the default settings. Try to do this, because your browser should be able to redirect to another page automatically by default. I can't tell you exactly how to do it, because right now I'm using my Win2k machine with IE 6. Well, I'll tell you how to do it in this version (it shouldn't be too different in XP).
Go to Tools, Internet Options, click the Advanced tab, then click the Restore Defaults button. If restoring defaults doesn't fix your problem, then you can go back to that same window and make sure you have the appropriate settings checked.
127.0.0.1
Mod
 
Posts: 1200
Joined: Sun Aug 15, 2004 11:07 pm
Location: East Lansing, MI

Postby 9soccer99 » Tue Oct 19, 2004 8:05 pm

These lines look suspicious because of the default search URL

yea they do
9soccer99
n00b
 
Posts: 33
Joined: Fri Oct 15, 2004 7:50 pm
Location: Sac City!! California

