Hijack This Logs

owen · #1 (**permalink**) 30-06-2004, 07:39 PM

If you are having trouble with a Browser Hijacker or other problem, by all means post a Hijack This Log to the forum. Hijack This is a program that is used to help us solve quite a lot of problems with computers. It provides us with information about the services running on your computer (to help us detect viruses etc.), startup entries and other information about your browser and computer. It will not tell us every single thing about your computer or invade your privacy at all, just key characteristics to help us solve your problem quickly, so there is no need to worry.

Hijack This can be downloaded from here and instructions for posting a log can be found at this page.

You may sometimes be asked to disable System Restore. You will see a link at the bottom of this page on how to do that.

You may also be asked to change the way you view files by showing Hidden Files and Folders. Again there is a link at the foot of this page with instructions.

Finally if asked to boot into Safe Mode, click here for advice.
__________________________

Before posting a log

Before posting a log, it is a good idea to clear out your system in advance so that most of the spyware will be removed beforehand and the people who help you can explain how to remove the remaining problems. You can clear out your system using the programs below:

CWShredder- Please do not run CWShredder before posting a log. Please only run CWShredder when advised CoolWebShredder will help you remove the majority of Browser Hijackers (Browser Hijackers are a type of spyware that change your default home and search pages). Download CWShredder by clicking on the Red CWShredder writing above or click here. To let CWShredder begin the removal process, Run CWShredder and Click "Fix" and click "Ok" to any prompts you may get. CWShredder will now go through the removal process.

Spybot- Search And Destroy- Spybot S&D will remove the majority of spyware from your system. It is an excellent program with a large database of spyware. Download Spybot S&D by clicking Spybot- Search And Destroy in red writing above or click
here. Run the file you downloaded and install Spybot Search And Destroy. Once installed follow these instructions:

1. Go to Start>Programs>Spybot- Search and Destory and click Spybot- S&D
2. When the Program has loaded, you need to update its database first so in the left hand panel click Update. Then click Search For Updates at the top.
3. If any updates are found click Download Updates and allow Spybot to download the updates. If you have trouble updating change the mirror using the button next to Search For Updates.
4. Now you need to Scan with Spybot. Click Search And Destroy in the Left hand panel and then click Check For Problems at the top.
5. Spybot will begin scanning your system. When the scan is finished ensure that there is a checkmark next to all the problems and click "Fix Selected Problems" at the top. This will remove the Spyware from your system.

Ad-aware- Ad-aware is another program for detecting and removing spyware. It is important to have both Ad-aware and Spybot- S&D installed because if one misses a piece of spyware then it is likely the other will detect it. To download Ad-aware, click the link above or click here. Run the file you downloaded and install Ad-aware. Once installed follow these instructions:

1. Go to Start>Programs>Lavasoft Ad-aware SE Personal and click Ad-aware SE Personal
2. When the Program has loaded, you need to update its database first so at the bottom click "Check For Updates" next to the Start button. Click Connect to check for updates. If Ad-aware detects any, it will confirm that you want to download it. Click Ok and it will download and install the update.
3. Click Finish when it has updated. Now we need to Scan and remove Spyware. Click Start at the bottom. Then click "Perform Smart System Scan" and then click Next.
4. Ad-aware will then scan your system for Spyware. When it has finished it will tell you how many objects it has found. Simply click Next and it will list everything it has found.
5. Put a checkmark next to all entries (or right click one entry and click "Select All Objects"). Then click Next. Ad-aware will confirm that you want to remove the selected entries, simply click Ok and Ad-aware will remove the entries.

Now post a Hijack This log to the forum after you have followed all the instructions above. You should update and scan with these programs once a week

__________________________

Preventing it returning

After your problem has been resolved on the forum, it is an absoulute MUST to do the following steps to prevent the problem returning. Click on the link to get access to the software or webpage that I'm referring to.

1. Visit Windows Update
Pay a visit to Windows Update and scan for and download ALL Critical Updates and Service Packs. New updates are usually released monthly so check back to Windows Update every month.

2. Clean Up and Speed Up-
It is important that after you have had a spyware/virus infection that you clean up your PC (this includes cleaning out usage tracks, temporary files, emptying the recycle bin, etc). It is so important because during the installation and uninstallation of spyware (and most programs), many temporary or useless files are left behind. If you accidently run one of these files, you could end up with the problem returning. See the link above for lots of information on clearing out your PC and improving your PCs performance and general speed.

3. Consider an alternative browser or tighten IE settings-
Internet Explorer is installed on most systems and used by the majority of people, so of course its going to be a prime target for malware and hackers. To make the matters worse, Internet Explorer is very vulnerable to hijacks and the automatic installation of programs. This is how a lot of spyware enters your PC in the first place. So unless you secure Internet Explorer, you are seriously at risk. There is risk with any Internet browser, but even when IE is secured, there are still risks. IE can still be exploited as long as installed on your system, you don't necessarily have to use it, so this shows the importance of securing it. Here are five steps to take to Secure IE:

Install Sun Java instead of using MS Java VM. Get from www.java.com. Sun Java is much more secure.
Scroll up and read about Windows Updates (number 1). This is essential to patch newly discovered flaws in Internet Explorer.
Scroll down and read about Spyware Blaster (number 7. This is important so that nasty sites can't exploit your machine.
Take a look at the article here. Scroll down to the "If you have to use MSIE" section and have a read of the information about the recommended security settings in IE. A program is also mentioned called IESPYADS, its is worth downloading and installing this.

If you wish to use an alternative browser that is perhaps more secure than IE, consider Mozilla Firefox, Mozilla, Opera or Netscape.

4. Download Antivirus Software-
If you haven't already got Antivirus software, you should download and install AVG Antivirus. It is freeware and is updated nearly every 2 days (sometimes more frequently if there are a lot of new viruses) and in my opinion, is better than some Antivirus software such as Norton. Antivirus software will prevent viruses infecting your system and it is important that you update it every two days or every week at the most.

5. Download a Firewall-
If you haven't already got a firewall, it is Very important that you download one. Firewalls will prevent unauthorised access to your computer and stop data leaking out of your computer. You may think that it won't happen to you, but Hackers don't care who you are, what you do, where you live or what you had for tea last Sunday on your holiday in the Lake District, they want your data. Firewalls will keep these sneaks out and one of the best is Sunbelt Kerio Personal Firewall, which happens to be freeware.

6. Spyware Scanners-
It is important that as well as having real time spyware protection, you have a spyware scanning application. If you have not already downloaded one mentioned earlier in this thread, it is a good idea to download Spybot Search And Destroy and Ad-aware. They are both spyware scanners and will search for a remove spyware. It is recommended that you have both, because one will pick up entries that the other misses. It is even a good idea to download these if you have other programs such as ASE, Spysweeper, Pest Patrol, etc, because one spyware scanner will not pick up everything. Please remember to update your spyware scanners weekly/fortnightly.

7. Prevent Spyware slipping through Internet Explorer-
Quite a lot of spyware slips through Internet Explorer if your settings are not tight enough. Spyware Blaster will help you prevent spyware slipping through and installing tracking cookies. Simply run it via Start> Programs> Spyware Blaster and click Enable All Protection and it will protect you. It doesn't even have to be open! Remember to update weekly/fortnightly.

8. Constant Spyware Protection-
It is important to have constant spyware protection. Spyware Guard works like an antivirus program but detects Spyware instead. It will constantly protect your system. Check for updates monthly.

All Of these steps are very important and it is HIGHLY recommended that you download all of the programs mentioned for your own safety. Remember to Update everything (including Windows using Windows Update)! It is also a good idea to perform weekly/fortnightly scans with Spybot S&D, Ad-aware and your antivirus software.

And last of all, please remember, that common sense is your greatest tool. Without it, spyware and other related Malware would rule!

Nirvana · #2 (**permalink**) 01-07-2004, 03:10 AM

Am I stupid, or is this version out of date?

owen · #3 (**permalink**) 01-07-2004, 08:23 AM

Give me chance Nirvana! I'll update my posts tonight in light of the new version of Hijack This.

Nirvana · #4 (**permalink**) 02-07-2004, 08:01 PM

Owen, could you delete the part in your otherwise excellent post about using CWShredder before posting a HJT log. There are currently three or four strains of CoolWebSearch about which need special fixes before CWShredder will work. Running CWShredder first will temporarily fix them, but only until reboot or in some cases for 24 hours before they return.

Running CWShredder before posting for advice will effectively make them invisible so we can't see what we're dealing with. It's much better to be able to identify CWS before we advise.

Example here http://www.d-a-l.com/help/showthrea...03&page=1&pp=10

owen · #5 (**permalink**) 02-07-2004, 08:04 PM

I've updated the Hijack This bit in case you haven't noticed, and yes D-A-L told me about this yesterday so I'll modify it. I'll do the same on WU.

Nirvana · #6 (**permalink**) 02-07-2004, 10:26 PM

Cheers Owen, appreciate it.

Sacha · #7 (**permalink**) 10-07-2004, 06:23 PM

Hi, I am helping my cousin to fix his PC. I have done most things but I am still get a couple of small problems. Firstly, upon connection to the internet or Outlook express, another internet page appears which takes me to a website for spyware removal and opens up another couple of pop ups. Secondly, upon startup Norton Antivirus auto protect is disabled. I have posted my log below :-

Logfile of HijackThis v1.97.7
Scan saved at 18:15:25, on 10/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\netclnc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
F:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\System32\Ltmoh.exe
C:\WINDOWS\System32\qttask.exe
F:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\dhu.exe
C:\WINDOWS\System32\IEserv.exe
C:\Documents and Settings\Mark.MARKY\Application Data\dtea.exe
C:\WINDOWS\System32\dmyg.exe
f:\Program Files\Logitech\MouseWare\system\em_exec.exe
F:\Program Files\FinePixViewer\QuickDCF.exe
F:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
F:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
F:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
F:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\windows\sdfjje.exe
F:\VRTS and Patches\VRTS and Patches and Apps\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whufc.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {000277A3-7D84-406a-9799-D12A81594693} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - f:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {48FA6503-E549-7B9E-8652-64550DA6294F} - C:\WINDOWS\System32\aiii.dll
O2 - BHO: (no name) - {4FF96254-B13D-0ECE-8653-64550DD52945} - C:\WINDOWS\System32\xosjqc.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [zBrowser Launcher] f:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [LtMoh] C:\WINDOWS\System32\Ltmoh.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "f:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Microsoft Update Clinic] svsipconfig.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] dhu.exe
O4 - HKLM\..\Run: [Microsoft IT Update] IEserv.exe
O4 - HKLM\..\Run: [SrchfstUpdate] C:\WINDOWS\srchupdt.exe
O4 - HKLM\..\RunServices: [Microsoft Update Clinic] svsipconfig.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] dhu.exe
O4 - HKLM\..\RunServices: [Microsoft IT Update] IEserv.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] dhu.exe
O4 - HKCU\..\Run: [Microsoft IT Update] IEserv.exe
O4 - HKCU\..\Run: [Rtlm] C:\Documents and Settings\Mark.MARKY\Application Data\dtea.exe
O4 - HKCU\..\Run: [Rkq] C:\WINDOWS\System32\dmyg.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = ?
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = F:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {441650BD-4859-11D5-97E2-000086341980} (calc Control) - http://www.cdvmm.com/calcp1.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...073.1766319444
O16 - DPF: {A0EB6CA1-B26C-475D-A342-9257C5420A0D} (SFUtility Class) - http://searchfst.com/update/searchfast.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flash.ladbrokescasino.com/ladbrokes/FlashAX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{65B32997-008E-4B9C-9EAA-642599F3A516}: NameServer = 158.152.1.43 158.152.1.58

The system is XP Pro and I appreciate any help.

Thanks

Sacha

owen · #8 (**permalink**) 10-07-2004, 06:26 PM

Could you start your own Thread please

Sacha · #9 (**permalink**) 10-07-2004, 06:28 PM

I apologize. I'm new to this. Where do I post a new thread ?

D-A-L · #10 (**permalink**) 10-07-2004, 08:31 PM

In this section sacha but you need to start your own post...