#1

    Can anybody please scan my HijackThis log file


    Hi,
    My system has been hijacked by some program from the net. Now I am not able to set my homepage. It's automatically set to some http://casebiz.com site. Also, some unwanted links have been added to my favourites list. I downloaded HijackThis and ran it, but I am not able to figure out which processes I need to delete and which not.

    I am pasting the contents of Hijackthis.log. Can anybody please scan this file and help me?

    Thanks in advance.

    Ranjan

    Logfile of HijackThis v1.97.7
    Scan saved at 9:57:56 AM, on 5/26/2004
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\IBM\IBM Agent Controller\bin\RAServer.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
    C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    c:\sysadmin\python23\python.exe
    C:\WINNT\system32\cmd.exe
    c:\sysadmin\temp\angz.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\mozilla.org\Mozilla\Mozilla.exe
    C:\satyaranjan\hijack\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cashsearch.biz/redir.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cashsearch.biz/redir.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://cashsearch.biz/redir.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cashsearch.biz/redir.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://cashsearch.biz/redir.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://cashsearch.biz/redir.php
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B202CC01-9FEC-4D70-8D0E-1A52B886D880}: NameServer = 192.168.1.201
  2. #2
    Hey ranjansatya,

    Run HijackThis, place a checkmark next to the following items. Close ALL other windows and browsers except HijackThis. Click "fix checked".

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cashsearch.biz/redir.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cashsearch.biz/redir.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://cashsearch.biz/redir.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cashsearch.biz/redir.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://cashsearch.biz/redir.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://cashsearch.biz/redir.php

    Reboot to complete the removal process.

    Consider installing Spywareblaster and Spywareguard (links below).

    Tom
    HijackThis
    Ad-aware
    Spybot Search & Destroy
    SpywareBlaster
    SpywareGuard
    Housecall Online A/V Scan

    Please read the stickys at the top of the forum before posting!
  4. #3
    Hi Tom,
    Thanks for your prompt reply. I tried whatever you explained and restarted the computer, but those registry entries are still there. I am again sending the new HijackThis log.

    Please help me.
    Thanks in advance.

    Ranjansatya


    Logfile of HijackThis v1.97.7
    Scan saved at 10:19:07 AM, on 5/30/2004
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\IBM\IBM Agent Controller\bin\RAServer.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
    C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\svchost.exe
    C:\Program Files\mozilla.org\Mozilla\Mozilla.exe
    C:\satyaranjan\hijack\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cashsearch.biz/redir.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cashsearch.biz/redir.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://cashsearch.biz/redir.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cashsearch.biz/redir.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://cashsearch.biz/redir.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://cashsearch.biz/redir.php
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B202CC01-9FEC-4D70-8D0E-1A52B886D880}: NameServer = 192.168.1.201
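
Comparing the two scans posted so far shows which flagged entries survived the "fix checked" step and which processes were present only in the first scan. The following is an added example, not part of any post in this thread; the function names are hypothetical, the inputs are shortened excerpts of the two logs, and the empty default allow-list (every host counts as foreign) is an assumption.

```python
import re
from urllib.parse import urlparse
# Constructed input: shortened excerpts of the two logs posted in this thread.
SCAN_1 = r"""Running processes:
c:\sysadmin\python23\python.exe
c:\sysadmin\temp\angz.exe
C:\WINNT\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cashsearch.biz/redir.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cashsearch.biz/redir.php
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
"""
SCAN_2 = r"""Running processes:
C:\WINNT\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cashsearch.biz/redir.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cashsearch.biz/redir.php
"""
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")  # e.g. "R0 - ...", "O17 - ..."
def parse_log(text):
    """Return (running processes, [(section code, detail), ...]) for one log."""
    processes, entries, in_procs = [], [], False
    for line in map(str.strip, text.splitlines()):
        if line.lower().startswith("running processes"):
            in_procs = True
        elif not line:
            in_procs = False  # a blank line ends the process list
        elif (m := ENTRY.match(line)):
            entries.append((m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line.lower())  # Windows paths are case-insensitive
    return processes, entries

def foreign_pages(entries, allowed_hosts):
    """R0/R1 (IE page settings) entries whose URL host is not in allowed_hosts."""
    hits = []
    for code, detail in entries:
        key, sep, url = detail.rpartition(" = ")
        host = (urlparse(url).hostname or "") if code in ("R0", "R1") and sep else ""
        if host and host not in allowed_hosts:
            hits.append((code, key, host))
    return hits

def compare_scans(before, after, allowed_hosts=frozenset()):
    """Entries still flagged after a fix, and processes seen only in the first scan."""
    (p1, e1), (p2, e2) = parse_log(before), parse_log(after)
    flagged_before = foreign_pages(e1, allowed_hosts)
    survived = [hit for hit in foreign_pages(e2, allowed_hosts) if hit in flagged_before]
    return survived, sorted(set(p1) - set(p2))
```

Entries that survive a fix and a reboot indicate that something still on the system is rewriting them, which is what the next reply addresses.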
  6. #4
    OK, please copy the contents of the quote box to Notepad:

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "System"=-
    [-HKEY_CLASSES_ROOT\CLSID\{061646A1-DC57-487D-B023-A938198C174E}]
    [-HKEY_CLASSES_ROOT\CLSID\{4E8A9E72-8942-40EF-88DF-A559152F6B41}]
    [-HKEY_CLASSES_ROOT\CLSID\{6E94CEC3-0C84-4310-AE20-CD4090178388}]

    Hit Save As.
    Give it the name clear.reg.
    Under the filename, set the file type to All Files.
    Save it to the desktop.

    When done, double-click clear.reg.
    When asked to merge, say yes.

    Reboot.

    Then find this file:
    system32.dll
    It's probably in one of two locations:
    c:\windows\system32\system32.dll
    c:\windows\system\system32.dll
    and delete it.

    Delete the file ONLY! Do not touch anything else in the system32 folder.


    Then fix these with hijackthis:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cashsearch.biz/redir.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cashsearch.biz/redir.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://cashsearch.biz/redir.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cashsearch.biz/redir.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://cashsearch.biz/redir.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://cashsearch.biz/redir.php

    Credit goes to shadowwar for the reg fix!

    Tom
    HijackThis
    Ad-aware
    Spybot Search & Destroy
    SpywareBlaster
    SpywareGuard
    Housecall Online A/V Scan

    Please read the stickys at the top of the forum before posting!
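
Before merging a .reg file, it is worth listing exactly which keys and values it will change. The following is an added example, not part of the post above; it parses the clear.reg text quoted in that post, and the function names are hypothetical.

```python
import re

# Sample input: the clear.reg text from the post above.
CLEAR_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"System"=-
[-HKEY_CLASSES_ROOT\CLSID\{061646A1-DC57-487D-B023-A938198C174E}]
[-HKEY_CLASSES_ROOT\CLSID\{4E8A9E72-8942-40EF-88DF-A559152F6B41}]
[-HKEY_CLASSES_ROOT\CLSID\{6E94CEC3-0C84-4310-AE20-CD4090178388}]
"""
HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$')  # "name"=data or @=data

def reg_operations(text):
    """Return (action, key, value_name) for every value or key change in the text."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith(";")]  # drop blanks, comments
    if not lines or lines[0] not in HEADERS:
        raise ValueError("missing .reg header line")
    ops, key = [], None
    for line in lines[1:]:
        value = VALUE.match(line)
        if line.startswith("[-") and line.endswith("]"):
            ops.append(("delete-key", line[2:-1], None))  # removes key and subkeys
            key = None
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # plain header: selects the key (created if absent)
        elif value and key:
            name = "(Default)" if value.group(1) == "@" else value.group(1)[1:-1]
            action = "delete-value" if value.group(2) == "-" else "set-value"
            ops.append((action, key, name))
    return ops

def only_deletes(ops):
    """True when every listed operation is a deletion."""
    return all(action.startswith("delete") for action, _, _ in ops)
```

For the file in this thread the result is one value deletion ("System" under ShellServiceObjectDelayLoad) followed by three CLSID key deletions, and no values are written.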
  8. #5
    Hi Tom,

    Thanks very much for your help.
    My system is now running fine.

    Thanks,
    ranjan
  10. #6
    Good work ranjan!

    You need to update to SP4 and get all other Critical Windows Updates!

    Please update Windows and Internet Explorer. Download each critical update one by one, rebooting when necessary.
    http://v4.windowsupdate.microsoft.com/

    Installing Spywareblaster and Spywareguard will help keep you clean! Links are in my signature below.

    Tom
    HijackThis
    Ad-aware
    Spybot Search & Destroy
    SpywareBlaster
    SpywareGuard
    Housecall Online A/V Scan

    Please read the stickys at the top of the forum before posting!
