#1
Hijack log. Help needed please!
When I click on the IE icon - the hourglass appears - and then nothing! Computer very slow too. Have tried spybot, Adaware - but this virus ain't going anyware!
Hijack log is as below. All help much appreciated!

Logfile of HijackThis v1.98.2
Scan saved at 8:38:14 PM, on 11/3/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\PROGRAM FILES\F-SECURE ANTI-VIRUS\COMMON\FSMA32.EXE
C:\PROGRAM FILES\F-SECURE ANTI-VIRUS\COMMON\FSMB32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\F-SECURE ANTI-VIRUS\BACKWEB\4476822\PROGRAM\FSBWSYS.EXE
C:\PROGRAM FILES\F-SECURE ANTI-VIRUS\COMMON\FCH32.EXE
C:\PROGRAM FILES\F-SECURE ANTI-VIRUS\BACKWEB\4476822\PROGRAM\FSPEX.EXE
C:\PROGRAM FILES\F-SECURE ANTI-VIRUS\COMMON\FAMEH32.EXE
C:\PROGRAM FILES\F-SECURE ANTI-VIRUS\ANTI-VIRUS\FSGK32.EXE
C:\PROGRAM FILES\F-SECURE ANTI-VIRUS\FWES\PROGRAM\FSDFWD.EXE
C:\PROGRAM FILES\F-SECURE ANTI-VIRUS\ANTI-VIRUS\FSSM32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\SISTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\NOCACHE.EXE
C:\PROGRAM FILES\ALTOSOFTWARE\ALTOBLOCKALL\NETDETECT.EXE
C:\PROGRAM FILES\180SOLUTIONS\SAIS.EXE
C:\PROGRAM FILES\F-SECURE ANTI-VIRUS\ANTI-VIRUS\FSAV32.EXE
C:\PROGRAM FILES\F-SECURE ANTI-VIRUS\COMMON\FSM32.EXE
C:\WINDOWS\APPLICATION DATA\ASUS.EXE
C:\PROGRAM FILES\OLYMPUS\CAMEDIA MASTER 4.2\CM_CAMERA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\F-SECURE ANTI-VIRUS\FSGUI\FSGUIEXE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNATHCHK.EXE
C:\HJT\WINZIP\WZQKPICK.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE
O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - (no file)
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\PROGRAM FILES\SIDEFIND\SFBHO.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Wininit] c:\windows\system\wininit.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\SYSTEM\SISTRAY.EXE
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [rtvNoCache] C:\WINDOWS\NOCACHE.EXE /run
O4 - HKLM\..\Run: [controlkids] C:\Program Files\Control Kids\controlkids.exe
O4 - HKLM\..\Run: [Alto Block All NetDetect Agent] "C:\PROGRAM FILES\ALTOSOFTWARE\ALTOBLOCKALL\netdetect.exe"
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [nszkp] C:\WINDOWS\nszkp.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\PROGRAM FILES\F-SECURE ANTI-VIRUS\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\PROGRAM FILES\F-SECURE ANTI-VIRUS\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\PROGRAM FILES\F-SECURE ANTI-VIRUS\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [F-Secure Management Agent] C:\PROGRAM FILES\F-SECURE ANTI-VIRUS\Common\FSMA32.EXE
O4 - HKCU\..\Run: [Asib] C:\WINDOWS\Application Data\asus.exe
O4 - Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\HJT\WinZip\WZQKPICK.EXE
O4 - Global Startup: F-Secure Anti-Virus 2005.lnk = C:\Program Files\F-Secure Anti-Virus\backweb\4476822\Program\fspex.exe
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\PROGRAM FILES\SIDEFIND\SIDEFIND.DLL
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/31be387b42cfd0c9dd06/netzip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
#2
Hi euandj,
You might want to print these instructions for reference or copy and paste them into notepad and save them on your desktop, as you will be off the internet while using HijackThis. If you have any questions before starting the fix, please don't hesitate to ask!

Please move or unzip HijackThis to a permanent folder such as C:\HJT
It is important that it is in its own folder as it will make important backups of what we will fix. Please open My Computer > double-click your C:\ drive > click: File > New > Folder > name it HJT and put HijackThis into that folder.

Next...

Please go to Start > Control Panel > Add/Remove programs and remove:

180solutions
SIDEFIND

You are running two antivirus programs, F-Secure and AVG; please remove one of them. They will conflict if both programs are running. Please keep in mind that support for AVG6 will end in December. AVG7 free edition should be out this month.

Log off your internet connection.

Please press Ctrl-Alt-Delete and open Task Manager. End the following process by selecting it and pressing the End Process button and clicking Yes to the confirmation message:

NOCACHE.EXE
SAIS.EXE
ASUS.EXE

Run HijackThis, click scan, place a checkmark next to the following items. Close all browsers and any other windows or the fix may not work! Click "fix checked". It is OK if some of these items are no longer listed.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE
O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - (no file)
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\PROGRAM FILES\SIDEFIND\SFBHO.DLL
O4 - HKLM\..\Run: [Wininit] c:\windows\system\wininit.exe
O4 - HKLM\..\Run: [rtvNoCache] C:\WINDOWS\NOCACHE.EXE /run
O4 - HKLM\..\Run: [Alto Block All NetDetect Agent] "C:\PROGRAM FILES\ALTOSOFTWARE\ALTOBLOCKALL\netdetect.exe"
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [nszkp] C:\WINDOWS\nszkp.exe
O4 - HKCU\..\Run: [Asib] C:\WINDOWS\Application Data\asus.exe
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\PROGRAM FILES\SIDEFIND\SIDEFIND.DLL
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/31be387b42cfd0c9dd06/netzip/RdxIE601.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

This resource hog can be safely fixed:

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

Next...

Boot into Safe Mode. Reboot your computer, start tapping F8 when it first starts booting, select Safe Mode.

Make sure your computer is configured to show all files and folders.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden Files and Folders heading select Show Hidden Files and Folders.
Uncheck hide extensions for known file types.
Uncheck the Hide Protected Operating System Files option.
Click Yes to confirm.
Click OK.

Search for and delete the following files:

c:\windows\system\wininit.exe
C:\WINDOWS\NOCACHE.EXE
C:\WINDOWS\nszkp.exe
C:\WINDOWS\Application Data\asus.exe

Search for and delete the following folders:

C:\PROGRAM FILES\SIDEFIND < the entire sidefind folder
C:\PROGRAM FILES\ALTOSOFTWARE < the entire altosoftware folder
c:\program files\180solutions < the entire 180solutions folder

Next...

Open My Computer, browse to C:\Temp folder and delete all files and folders in it.
Open My Computer, browse to C:\Windows\Temp folder and delete all files and folders in it.
Open Internet Explorer click Tools > Internet Options > General. Check "delete all offline content", click "Delete Files" then Click OK.
Empty your Recycle Bin.

Reboot normally.

Next...

Download Stinger. Save it to your Desktop. Double-click it to start it. Make sure all of your drives are listed in the "Directories to scan" box (C:\ D:\ E:\, etc.). Click the Scan Now button and let it remove anything it finds.
http://vil.nai.com/vil/stinger/

Next...

Perform an online virus scan from this site: Trend Micro Housecall - Again, select all of your drives to be scanned. Please check "Auto clean" before scanning.
http://housecall.trendmicro.com/

If you can, copy and paste the report logs from the scans into your next post along with a fresh HijackThis log.

Tom
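
The reply above ends by asking for a fresh HijackThis log. The following is an added example, not part of the original thread, showing one way to check such a follow-up log against the fix list: it splits a log (even one flattened onto a single line, as on this page) into entries and reports which flagged entries are still present. The function names and the follow-up log are constructed for illustration.

```python
import re

# Meaning of the HijackThis section codes that occur in this thread's log.
SECTION = {
    "R0": "IE start/search page", "R1": "IE start/search page",
    "R3": "URL search hook", "F1": "win.ini autoload",
    "O2": "Browser Helper Object", "O4": "registry/Startup autorun",
    "O9": "extra IE button", "O16": "ActiveX (Downloaded Program Files)",
}
CODE = r"(?:R[0-3]|F[0-3]|O\d{1,2}) - "  # every entry starts with "<code> - "

def split_entries(text):
    """Split a log, even one flattened onto a single line, into its entries."""
    parts = re.split(r"\s+(?=" + CODE + ")", text.strip())
    # Header and "Running processes" text carries no section code and is dropped.
    return [" ".join(p.split()) for p in parts if re.match(CODE, p)]

def still_present(fix_list, fresh_log):
    """Return (code, meaning, entry) for each fix-list entry the fresh log still has."""
    # The same path shows up in varying case, so compare case-insensitively.
    fresh = {e.lower() for e in split_entries(fresh_log)}
    hits = []
    for entry in split_entries(fix_list):
        if entry.lower() in fresh:
            code = entry.split(" - ", 1)[0]
            hits.append((code, SECTION.get(code, "unknown section"), entry))
    return hits

# Four entries copied from the fix list in the reply, flattened as on the page.
FIX_LIST = (
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = "
    r"http://searchmiracle.com/sp.php "
    r"O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - "
    r"C:\PROGRAM FILES\SIDEFIND\SFBHO.DLL "
    r"O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe "
    r"O4 - HKLM\..\Run: [nszkp] C:\WINDOWS\nszkp.exe"
)
# Constructed follow-up log (not from the thread): one flagged autorun survived.
FRESH_LOG = r"""Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\EXPLORER.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [nszkp] c:\windows\nszkp.exe
"""

if __name__ == "__main__":
    for code, meaning, entry in still_present(FIX_LIST, FRESH_LOG):
        print(f"still present: {code} ({meaning}): {entry}")
```

An entry that survives the fix usually means the process that writes it was still running when "fix checked" was clicked, which is why the reply has the processes ended and the files deleted in Safe Mode.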