My Board

General => Tech Support => Topic started by: Jeebus on May 24, 2005, 07:08:47 PM

Title: Help my hijack log
Post by: Jeebus on May 24, 2005, 07:08:47 PM
I am always unsure when making changes to system-sensitive files.

If someone could check this log and tell me what needs to be fixed (second opinion), I would appreciate it.


Logfile of HijackThis v1.99.1
Scan saved at 8:04:52 PM, on 5/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Antivirus Platinum\apvxdwin.exe
C:\WINDOWS\system32\atlwv32.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavProxy.exe
C:\Program Files\Winamp\winamp.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\avosq.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\avosq.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\avosq.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\avosq.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\avosq.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\avosq.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\avosq.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com (http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com)
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {D62AF7AD-07CE-E9A0-FD1B-568C456795DE} - C:\WINDOWS\netdh.dll
O2 - BHO: Class - {EE2EFEB6-458C-9929-89B7-2B57E8D00712} - C:\WINDOWS\d3vt32.dll
O4 - HKLM\..\Run: [atlwv32.exe] C:\WINDOWS\system32\atlwv32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunOnce: [d3gn32.exe] C:\WINDOWS\system32\d3gn32.exe
O4 - HKLM\..\RunOnce: [ienh32.exe] C:\WINDOWS\system32\ienh32.exe
O4 - HKLM\..\RunOnce: [appyx.exe] C:\WINDOWS\system32\appyx.exe
O4 - HKLM\..\RunOnce: [apiyt.exe] C:\WINDOWS\system32\apiyt.exe
O4 - HKLM\..\RunOnce: [ntzb32.exe] C:\WINDOWS\system32\ntzb32.exe
O4 - HKLM\..\RunOnce: [sdkfn.exe] C:\WINDOWS\system32\sdkfn.exe
O4 - HKLM\..\RunOnce: [ieur32.exe] C:\WINDOWS\ieur32.exe
O4 - HKLM\..\RunOnce: [winpc.exe] C:\WINDOWS\system32\winpc.exe
O4 - HKLM\..\RunOnce: [crhs.exe] C:\WINDOWS\crhs.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab (http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab (http://www.pandasoftware.com/activescan/as5/asinst.cab)
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://swgbetareg.station.sony.com/soesysinfo.cab (http://swgbetareg.station.sony.com/soesysinfo.cab)
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab (http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab)
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\d3gn32.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe

Title: Help my hijack log
Post by: E.J.FUDD on May 25, 2005, 11:17:32 PM
O4 - HKLM\..\RunOnce: [crhs.exe] C:\WINDOWS\crhs.exe

That's a lil bugger that needs to be pulled out; there are some extensions.
Major Geeks has a bit on it.

Just get rid of the crap..
R3 - Default URLSearchHook is missing

This is usually a hook when I've seen it come up on HijackThis.. THERE ARE SEVERAL NASTY lil buggers that do this.
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\avosq.dll/sp.html#37049
There is also more hidden after this type of input, but it is hidden..

So get rid of all this..
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\avosq.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\avosq.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\avosq.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\avosq.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\avosq.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\avosq.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\avosq.dll/sp.html#37049

Holy crap, Batman. I think, without research, this is a nasty nest of crap....
O2 - BHO: Class - {D62AF7AD-07CE-E9A0-FD1B-568C456795DE} - C:\WINDOWS\netdh.dll
O2 - BHO: Class - {EE2EFEB6-458C-9929-89B7-2B57E8D00712} - C:\WINDOWS\d3vt32.dll
O4 - HKLM\..\Run: [atlwv32.exe] C:\WINDOWS\system32\atlwv32.exe

O4 - HKLM\..\RunOnce: [d3gn32.exe] C:\WINDOWS\system32\d3gn32.exe
O4 - HKLM\..\RunOnce: [ienh32.exe] C:\WINDOWS\system32\ienh32.exe
O4 - HKLM\..\RunOnce: [appyx.exe] C:\WINDOWS\system32\appyx.exe
O4 - HKLM\..\RunOnce: [apiyt.exe] C:\WINDOWS\system32\apiyt.exe
O4 - HKLM\..\RunOnce: [ntzb32.exe] C:\WINDOWS\system32\ntzb32.exe
O4 - HKLM\..\RunOnce: [sdkfn.exe] C:\WINDOWS\system32\sdkfn.exe
O4 - HKLM\..\RunOnce: [ieur32.exe] C:\WINDOWS\ieur32.exe
O4 - HKLM\..\RunOnce: [winpc.exe] C:\WINDOWS\system32\winpc.exe
O4 - HKLM\..\RunOnce: [crhs.exe] C:\WINDOWS\crhs.exe

Reformat... that's a lot of crap. Crippling even if removed.
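As an added illustration of the triage E.J.FUDD does above (this is not code from the thread or from HijackThis): a small Python checker that applies the same tells to HijackThis-format lines, namely search pages pointed into a local DLL resource, a missing URLSearchHook, nameless BHOs loading DLLs straight from C:\WINDOWS, autorun values named after their own executable, and services with no owner or a garbage short name. The sample lines are constructed from the log posted above, and the heuristics are my assumptions about what distinguishes the bad entries from the benign ones, not HijackThis's own logic.

```python
import re

# Constructed sample in HijackThis v1.99.1 line format, modelled on the log posted above (not the whole log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\avosq.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {D62AF7AD-07CE-E9A0-FD1B-568C456795DE} - C:\WINDOWS\netdh.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunOnce: [crhs.exe] C:\WINDOWS\crhs.exe
O23 - Service: Workstation NetLogon Service ( 11Fßä#) - Unknown owner - C:\WINDOWS\system32\d3gn32.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

def flag_line(line):
    """Return why a HijackThis line looks hijack-related, or None if it matches
    none of the patterns the replies in this thread point at (assumed heuristics)."""
    m = re.match(r"^(R\d|O\d+) - (.*)$", line)
    if not m:
        return None
    section, body = m.groups()
    if section in ("R0", "R1") and re.search(r"res://.*\.dll", body, re.I):
        # Search/start page pointed into a local DLL resource instead of a web URL
        return "IE search/start page redirected into a local DLL resource"
    if section == "R3" and "is missing" in body:
        return "URLSearchHook removed"
    if section == "O2" and re.match(r"BHO: Class - \{[0-9A-F-]+\} - C:\\WINDOWS\\[^\\]+\.dll$", body, re.I):
        # Nameless BHO ("Class") whose DLL sits directly in C:\WINDOWS
        return "unnamed BHO loading a DLL straight from C:\\WINDOWS"
    if section == "O4":
        # Run/RunOnce value whose name is just its own binary ([crhs.exe] ...\crhs.exe)
        m4 = re.match(r"HK\w+\\\.\.\\Run(?:Once)?: \[([^\]]+\.exe)\] (.+)$", body, re.I)
        if m4 and m4.group(2).lower().endswith("\\" + m4.group(1).lower()):
            return "autorun value named after its own executable"
    if section == "O23":
        # Real services carry an alphanumeric short name and a vendor; neither here
        m23 = re.match(r"Service: .*? \((.*?)\) - (.*?) - .+$", body)
        if m23 and (m23.group(2) == "Unknown owner" or not m23.group(1).strip().isalnum()):
            return "service with unknown owner or garbage short name"
    return None

def scan(log_text):
    """Apply flag_line to every line of a log; return [(line, reason), ...]."""
    hits = [(ln.strip(), flag_line(ln.strip())) for ln in log_text.splitlines()]
    return [(ln, why) for ln, why in hits if why]

if __name__ == "__main__":
    for line, reason in scan(SAMPLE_LOG):
        print(reason + "\n    " + line)
```

Run against the full log above, the same rules also catch the other nine RunOnce entries and the second nameless BHO, while leaving the Adobe, NVIDIA, Panda and iPod lines alone.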
Title: Help my hijack log
Post by: crypticknight on May 26, 2005, 02:26:00 PM
Jeebs, just format your hard drive :)
Title: Help my hijack log
Post by: Jeebus on May 26, 2005, 09:04:08 PM
I got it all out manually after about 7 hours.

The reason why I didn't want to reformat is I just ripped most of my CDs into MP3s, and also UT2k4 and Doom3 are running from this hard drive; I don't have disc copies of those.

Everything is ok now, better than when that even started...

Thanks for the help though, I wasn't waiting for replies... it took 3 utilities to remove it: CWShredder, Spybot, and Ad-aware.

I ran Panda Antivirus and those programs in safe mode, and all the stuff that popped up, I manually made sure was deleted. I cleared all my restore points and emptied my recycle bin; it's been running fine for 2 days.
Title: Help my hijack log
Post by: E.J.FUDD on May 26, 2005, 10:02:26 PM
Scopin' out your HKCU for dangling files or trojan droppers... those droppers are a mother F.... well, they are nasty; I had one written in Java.

AND JEEBUS.. delete the Prefetch folder in C:\WINDOWS and delete Memory.dmp in C:\WINDOWS (or was it C:\WINDOWS\System32?),
and that lil crhs diddy... everyone keeps talking about downloading a prog called ABOUT BUSTER to be able to remove it.

I ran..
Spybot,
CCleaner.. this mo is awesome, but it will erase all temp information and run through your registry to get rid of stuff that's no longer there!... I HIGHLY RECOMMEND THIS

ran HijackThis,
AVG anti virus,
Norton's (but it was screwed thanks to CWS..),
ran Panda Titanium,
Ad-Aware SE


And still had files that lingered.. I had to go get PILLBOX KILLBOX to strategically kill some files..

HOPE no one finds a file in C:\programs\!submit with about 6 exe's inside on their HDD.
Title: Help my hijack log
Post by: Balaso on May 27, 2005, 10:14:14 AM
I've had some rather awesome luck with this: http://www.adwareaway.com/ (http://www.adwareaway.com/)
Title: Help my hijack log
Post by: sK_Cookie on May 27, 2005, 01:35:13 PM
one word: BHO

Use Microsoft's AntiSpyware beta to remove all of your BHOs; that is what caused your about:blank as default website. It will clean your box right up.