
Hijackthis Logfile -- Could use some help!


ninedayswonder (Technical User, US)
Jan 11, 2004
My IE6 got hijacked. I have run Spybot, Adware and Bazooka. Unable to correct so far with these tools. Tried Hijackthis and here is my HijackThis logfile.

Could sure use some suggestions as to what does not belong that is affecting the search feature.

Thanks,

ninedayswonder.


Logfile of HijackThis v1.97.7
Scan saved at 6:12:29 PM, on 1/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\program files\altnet\points manager\points manager.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Kazaa\kazaa.exe
C:\WINDOWS\jqmvnpgc.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kelsey\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\Im6um.dll
O2 - BHO: (no name) - {ABAA3BDA-4FCB-CEF0-B232-CFA8E0245441} - C:\WINDOWS\system32\vbrqdqar.dll
O2 - BHO: (no name) - {da7c8092-f25f-46fb-b426-905dc8aea916} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [WinEssential] C:\WINDOWS\System32\Keyhost.exe
O4 - HKLM\..\Run: [ocvlnkoz] C:\WINDOWS\jqmvnpgc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Kelsey\Application Data\DownloadPlus.exe
O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) -
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} -
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{B31EA48D-72A4-4B72-8531-131338449DDF}: NameServer = 216.127.92.38
O17 - HKLM\System\CS1\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 216.127.92.38
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.127.92.38


Thanks again for any help you can offer.

Hi

First you should go to Control Panel, Add/Remove Programs, and uninstall Kazaa and P2P Networking (which was installed with Kazaa), and then run "kazaabegone" or you will continue to have logs like these. Check out this link:


It's your choice

Then close all browser windows - run hijackthis and tick to fix :-

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\Im6um.dll

O2 - BHO: (no name) - {ABAA3BDA-4FCB-CEF0-B232-CFA8E0245441} - C:\WINDOWS\system32\vbrqdqar.dll

O2 - BHO: (no name) - {da7c8092-f25f-46fb-b426-905dc8aea916} - (no file)

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [WinEssential] C:\WINDOWS\System32\Keyhost.exe

O4 - HKLM\..\Run: [ocvlnkoz] C:\WINDOWS\jqmvnpgc.exe

O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} -
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{B31EA48D-72A4-4B72-8531-131338449DDF}: NameServer = 216.127.92.38
O17 - HKLM\System\CS1\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 216.127.92.38
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.127.92.38


Reboot then find and delete :-

C:\WINDOWS\System32\Keyhost.exe - file
C:\WINDOWS\jqmvnpgc.exe - file

steam
 
C:\WINDOWS\jqmvnpgc.exe
This one looks like the Swen.A virus. Make sure you have up to date ANtivirus. Do a full scan. Try an online virus scanner:

C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\Im6um.dll
O2 - BHO: (no name) - {ABAA3BDA-4FCB-CEF0-B232-CFA8E0245441} - C:\WINDOWS\system32\vbrqdqar.dll
O2 - BHO: (no name) - {da7c8092-f25f-46fb-b426-905dc8aea916} - (no file)
O4 - HKLM\..\Run: [ocvlnkoz] C:\WINDOWS\jqmvnpgc.exe
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} -
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 216.127.92.38
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.127.92.38
O17 - HKLM\System\CCS\Services\Tcpip\..\{B31EA48D-72A4-4B72-8531-131338449DDF}: NameServer = 216.127.92.38
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com

O4 - HKLM\..\Run: [WinEssential] C:\WINDOWS\System32\Keyhost.exe
Instructions to kill this one here:

Instructions to kill this:
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Kelsey\Application Data\DownloadPlus.exe

Virtual Bouncer removal instructions:
O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe

Once you clear these up, repost and we'll review it again.
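The two replies above triage the log by entry type: a SearchAssistant pointed at about:blank, a missing URLSearchHook, unnamed BHOs, an autorun with a random-looking name sitting directly in C:\WINDOWS, and O17 NameServer entries pointing at a DNS server the owner never configured. The script below is an added example (not HijackThis code and not from either reply) that parses lines in the HijackThis v1.97 log format and applies those same coarse heuristics; the sample lines are constructed from entries quoted in the thread, and the EXPECTED_NAMESERVERS set is an assumed allow-list the owner would fill in with their ISP's resolvers.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "entry reason line")

# Assumption for this example: the resolvers the owner actually expects.
# Any other NameServer in an O17 entry is reported for review.
EXPECTED_NAMESERVERS = {"192.168.1.1"}

# Constructed sample in HijackThis log format, built from entries in the thread.
SAMPLE_LOG = r"""R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {ABAA3BDA-4FCB-CEF0-B232-CFA8E0245441} - C:\WINDOWS\system32\vbrqdqar.dll
O2 - BHO: (no name) - {da7c8092-f25f-46fb-b426-905dc8aea916} - (no file)
O4 - HKLM\..\Run: [ocvlnkoz] C:\WINDOWS\jqmvnpgc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.127.92.38
"""

def _looks_random(name):
    """Coarse heuristic: 6+ lowercase letters with no vowels, e.g. 'jqmvnpgc'."""
    return len(name) >= 6 and name.isalpha() and name.islower() and not set(name) & set("aeiou")

def triage_line(line):
    """Return a Finding for one HijackThis log line, or None if nothing stands out."""
    m = re.match(r"^(R\d|O\d+) - (.*)$", line.strip())
    if not m:
        return None
    entry, body = m.groups()
    if entry == "R1" and body.endswith("SearchAssistant = about:blank"):
        return Finding(entry, "IE search assistant redirected to about:blank", line)
    if entry == "R3" and "URLSearchHook is missing" in body:
        return Finding(entry, "default URLSearchHook removed", line)
    if entry == "O2" and body.startswith("BHO: (no name)"):
        return Finding(entry, "unnamed browser helper object", line)
    if entry == "O4":
        mm = re.search(r'\[([^\]]+)\] "?([^"]+?\.exe)', body, re.IGNORECASE)
        if mm:
            key, path = mm.groups()
            base = path.rsplit("\\", 1)[-1][:-4].lower()
            # Two backslashes means the file sits directly under C:\WINDOWS, not a subfolder.
            in_windir_root = path.lower().startswith("c:\\windows\\") and path.count("\\") == 2
            if _looks_random(key.lower()) or _looks_random(base) or in_windir_root:
                return Finding(entry, "autorun with random-looking name or odd location", line)
    if entry == "O17":
        mm = re.search(r"NameServer = ([\d.]+)", body)
        if mm and mm.group(1) not in EXPECTED_NAMESERVERS:
            return Finding(entry, "DNS server %s not in expected list" % mm.group(1), line)
    return None

def triage(log_text):
    """Run triage_line over a whole log and keep only the flagged entries."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]
```

These heuristics only catch what looks odd on its face; an entry like [WinEssential] C:\WINDOWS\System32\Keyhost.exe has a plausible name and location and is only identified by looking the file up, which is what the replies above do.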

