Footslog's Web Boards
Cyber safety
Topic: Hijack results ???Good / Bad???

Josh1 Administrator
Okay, sorry it took so long; I just want to make sure that we get everything deleted. I have never used this program, so just have this program fix or delete the entries.
"services32" = "C:\Program Files\Common Files\Windows\mc-110-12-0000140.exe" [null data]
If you do not use System Mechanic then I would delete it or reinstall it, as it appears to be missing data to start up properly. You may have to delete these in safe mode; once you do that, post a HijackThis scan and then give us the results.
------------------
For every problem, there is a solution. Please give what you can to the Hurricane relief http://www.microsoft.com/mscorp/citizenship/giving/relief.asp

Josh1 Administrator
I will review the results and then get back to you.

wood6978 Member
Here you go! I hope this works! I hope this is it! Once again, thank you for your time. Corey
"Silent Runners.vbs", revision 44, http://www.silentrunners.org/
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
HKLM\Software\Microsoft\Active Setup\Installed Components\
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
HKLM\System\CurrentControlSet\Control\Session Manager\
HKLM\Software\Classes\PROTOCOLS\Filter\
HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Active Desktop is disabled at this entry: HKCU\Control Panel\Desktop\
C:\Documents and Settings\Owner\Start Menu\Programs\Startup
"AFE4B1D0918722F8" -> launches: "c:\progra~1\greatr~1\Gpl Admin Jugs.exe" [file not found]
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")
Added lines (compared with English-language version):
Missing lines (compared with English-language version):
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
AOL Connectivity Service, AOL ACS, "C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe" ["America Online, Inc."]
HKLM\System\CurrentControlSet\Control\Print\Monitors\

Josh1 Administrator
Try this and then give us the results: http://www.silentrunners.org/sr_scriptuse.html

wood6978 Member
It looks like it didn't help. Also, it looks like my friend can't get his virus software to install. He just realized that it hasn't been working for quite a while.
Logfile of HijackThis v1.99.1
Running processes:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com

Skit Junior Member
That is a nasty one you got there. Read through this, download the tool, run it and report back with a fresh HijackThis log. http://www.simplytech.it/ETRemover/index_e.htm
Skit

Josh1 Administrator
Okay, you will need to boot into safe mode. To do so, go here http://www.service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam, read the instructions, then boot into safe mode. SurfSideKick is not running upon startup but it is still in the registry, and in your Internet. Boot into safe mode, right click Internet Explorer, look for View Files and then View Objects; now you are looking at your plug-ins. If you see anything that says damaged, delete it; if you see SurfSideKick, delete it. And we have another problem that I did not see before: you have a downloader on your machine. So after you delete all the plug-ins, go to HijackThis and then delete these:
C:\Program Files\Common Files\Windows\services32.exe
After you delete these, run the virus scans, Spybot and Adaware, then reboot in safe mode and then do another hijack log.

wood6978 Member
Logfile of HijackThis v1.99.1
Scan saved at 8:07:00 PM, on 4/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll

Josh1 Administrator
I don't see anything in there that is bad; run another hijack scan.

wood6978 Member
Process PID CPU Description Company Name
System Idle Process 0 85.94
Interrupts n/a 1.56 Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4
smss.exe 456 Windows NT Session Manager Microsoft Corporation
csrss.exe 512 Client Server Runtime Process Microsoft Corporation
winlogon.exe 544 Windows NT Logon Application Microsoft Corporation
services.exe 592 1.56 Services and Controller app Microsoft Corporation
svchost.exe 772 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 832 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 904 Generic Host Process for Win32 Services Microsoft Corporation
wscntfy.exe 1964 Windows Security Center Notification App Microsoft Corporation
svchost.exe 984 Generic Host Process for Win32 Services Microsoft Corporation
LEXBCES.EXE 1208 LexBce Service Lexmark International, Inc.
LEXPPS.EXE 1260 LEXPPS.EXE Lexmark International, Inc.
spoolsv.exe 1244 Spooler SubSystem App Microsoft Corporation
svchost.exe 1392 Generic Host Process for Win32 Services Microsoft Corporation
acsd.exe 1424 AOL Connectivity Service America Online, Inc.
cisvc.exe 1464 Content Index service Microsoft Corporation
snmp.exe 1544 SNMP Service Microsoft Corporation
svchost.exe 1692 Generic Host Process for Win32 Services Microsoft Corporation
wdfmgr.exe 1740 Windows User Mode Driver Manager Microsoft Corporation
alg.exe 1996 Application Layer Gateway Service Microsoft Corporation
lsass.exe 612 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 1620 Windows Explorer Microsoft Corporation
hpsysdrv.exe 432 hpsysdrv Hewlett-Packard Company
lxbbbmgr.exe 452 Lexmark X74-X75 Button Manager Lexmark International, Inc.
lxbbbmon.exe 1816 Lexmark X74-X75 Button Monitor Lexmark International, Inc.
qttask.exe 932 QuickTime Task Apple Computer, Inc.
PopupStopper.exe 1036 iolo technologies, LLC
wmplayer.exe 2736 7.81 Windows Media Player Microsoft Corporation
procexp.exe 3700 Sysinternals Process Explorer Sysinternals
procexp.exe 1144 1.56 Sysinternals Process Explorer Sysinternals
windows.exe 724 1.56
services32.exe 2348
realsched.exe 3624 RealNetworks Scheduler RealNetworks, Inc.
firefox.exe 748 Firefox Mozilla Corporation

Josh1 Administrator
Alright, open up Process Explorer, then go to File > Save As and save the file; open up Notepad and then copy the results of the file you just saved into your reply.

Josh1 Administrator
I am sorry, I have been quite busy and I did not get to look at how to view the processes that are running in a text format. I will look tomorrow; in the meantime, delete these. Yea, you still have SurfSideKick showing up in the registry:
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
You may need to run the Adaware, Spybot and Windows Defender scans in safe mode; to boot into safe mode read this http://www.service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam
Also make sure you update the definitions in Adaware and Spybot, and also run the Trend Micro Spyware scan here http://www.trendmicro.com/spyware-scan/. So delete the items, then update Adaware and Spybot, run the virus scans, reboot your system in safe mode, run Adaware and Spybot deleting anything that may be found, and after the scans run a hijack scan; if the same items appear as what I have told you to delete in that scan, then delete them. Reboot normally and then run a hijack scan. I forgot to add: open up Adaware, go to Scan Now, then Customize, then Tweak, check "write protect system files after repair", and check the one above it also.
[This message has been edited by Josh1 (edited April 05, 2006).]

wood6978 Member
Logfile of HijackThis v1.99.1
Scan saved at 9:51:24 PM, on 4/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll

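The R1, R3 and O8 lines quoted throughout this thread follow a fixed format, so the triage the helpers do by eye (a search hook pointing at an unfamiliar DLL, a search URL or context-menu item pointing off to an unknown host) can be scripted. The Python below is an added example, not code from the forum or from HijackThis; the trusted-host allowlist and the heuristic that a search-hook DLL belongs under C:\Windows are assumptions made for this example, and the sample log is constructed from lines quoted in the thread.

```python
import re
from urllib.parse import urlparse

# Constructed sample: HijackThis line formats quoted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZU
"""

# Assumed allowlist of hosts the machine's owner expects in browser settings
# (hpwis.com is the OEM start page that appears in this thread's logs).
TRUSTED_HOSTS = {"hpwis.com", "microsoft.com", "msn.com"}

R_SETTING = re.compile(r"^(?P<kind>R[0-3]) - (?P<key>[^,]+),(?P<value>\S+) = (?P<data>.*)$")
R3_HOOK = re.compile(r"^R3 - URLSearchHook: (?P<name>.*?) - (?P<clsid>\S+) - (?P<path>.*)$")
O8_MENU = re.compile(r"^O8 - Extra context menu item: (?P<name>.*?) - (?P<url>\S+)$")


def host_trusted(url):
    """True if the URL's host is a trusted host or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def triage(log_text):
    """Return one finding dict per R1/R3/O8 line that deserves review."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        hook = R3_HOOK.match(line)
        setting = R_SETTING.match(line)
        menu = O8_MENU.match(line)
        if hook:
            # A URLSearchHook sees every address typed into IE. An unnamed hook
            # whose file is gone, or whose DLL lives outside the Windows directory
            # (assumed heuristic), is the kind of entry this thread removes.
            path = hook["path"]
            if path == "(no file)":
                findings.append({"type": "R3", "reason": "orphaned search hook (file missing)", "line": line})
            elif not path.lower().startswith("c:\\windows"):
                findings.append({"type": "R3", "reason": "search hook DLL outside Windows: " + path, "line": line})
        elif setting:
            # Start/search page settings that point at a host nobody chose.
            if not host_trusted(setting["data"]):
                findings.append({"type": setting["kind"], "reason": setting["value"] + " points to untrusted host", "line": line})
        elif menu:
            if not host_trusted(menu["url"]):
                findings.append({"type": "O8", "reason": "context menu item " + menu["name"] + " loads untrusted URL", "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[" + f["type"] + "] " + f["reason"])
        print("    " + f["line"])
```

Run against the constructed sample it reports the findthewebsiteyouneed.com search URL, both search hooks and the mywebsearch context-menu item, and leaves the OEM start page alone.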
Josh1 Administrator
Yes, this program shows processes (applications that are running) in real time, and different processes are shown in different colors: red is when a process stops and is unloaded, and green is when one starts. System Idle Process is like a timer that will tell how idle the CPU is. CSRSS is the process that performs most of the graphical commands in Windows. Services.exe is the process that starts and stops Windows services, and procexp.exe is the process for Process Explorer. Svchost.exe is the process that handles processes executed from DLL files. This process could also be a Trojan depending on how it is running, where it is running and through what DLLs, which can be found out by using Process Explorer, but this method is complex, and I don't think this pertains to you; you are using Service Pack 2 of XP and that issue has been fixed. I think there is a way to show in a text format with Process Explorer what is running; let me find out how to do that (some time tomorrow) and I will get back to you with that. Run the hijack scan again and post the results.

wood6978 Member
Not good news. Every time I try to run the Rootkit Revealer, my computer shuts off! Oh boy. Now what?

wood6978 Member
svchost.exe runs when I duplicate the problem. Thanks,

wood6978 Member
The first blank one is System Idle Process; the second is System. Also csrss.exe, Client Server Runtime Process.

wood6978 Member
On the top there is a blank line that's running at about 80 but the description is blank. 1.54 Hardware Interrupts. That seems about it. I hope this helps.
Thanks,

Josh1 Administrator
Sounds like it got deleted then came right on back, meaning that some software that is not supposed to be on your system still is. Download Process Explorer http://www.sysinternals.com/ntw2k/freeware/procexp.shtml; this is the task manager that Windows has, on steroids. Open the program and tell us what you see running. Then download a rootkit revealer http://www.microsoft.com/technet/community/columns/sectip/st1005.mspx, run the program and let us know the results. Also go here http://www.trendmicro.com/spyware-scan/ and run the Spyware scan; this scan will not charge for any removal.

wood6978 Member
Oh yeah, by the way, I deleted three of the four items that you spoke about in a previous post (3/14). Then I ran the scan again. They come right back!!!!! And I think I've noticed something else: the scan now only reveals a short list; it's not even a full screen long. There's no scroll bar? Am I too far gone? Thanks,

wood6978 Member
Hey, I don't know what happened. I thought I posted something the other day but it's not on here. Oh, well, here's the deal: I did the scanspyware for the surfer side kick (it is seriously kicking my butt, I'm just about to bring my PC in), but when I do the free trial version it says it found about 400 items but I have to purchase the software. I can't clean it up without purchasing. I'm just about to the end of my rope here. What are you thinking? Ya know, I guess it wouldn't be as bad if it opened up a new window, but this beast changes what's currently in your browser AND there's no back button either. AAARRRGGGHHHH!!! I hate you surfer sidekick. Please help!!!! Thanks,

Josh1 Administrator
Okay, the Not Applicable most likely means that SurfSideKick is not made by a company, thus this webpage has no company it can provide. Download URL means that you cannot download the software itself, because this software is bundled or inside other software. And if this product were downloadable, because it is spyware this website does not include the URL, so you do not get infected. Well, the analysis says that this software is adware, so for the category it should be categorized as such; why is it not? I don't know. You are welcome for the help; let us know if you need any more help.

wood6978 Member
I'm going to download that software and perform the scan. But hey, are you aware of what's further down the page? It says it's not applicable (NA) for Surf Side Kick under "Company Description and Category". FYI, what's that all about? Thanks,

Josh1 Administrator
Hey Corey, let's get rid of that problem; go here http://www.scanspyware.net/info/SurfSideKick.htm for removal instructions, and let us know if you need any help with that removal. Alright, when you say "there somewhere that I can go to see what I should have every time in the registry", do you mean you would like to see a clean registry and then compare it with yours? You are very welcome for the help, and you are welcome all the time no matter how long or short it may be. Okay, this entry looks a little strange; it's not even a common name. Delete it:
C:\WINDOWS\win32107-180180387.exe
And use the removal instructions for the sidekick.

wood6978 Member
Hello again, this SurfSideKick keeps popping up IE. I keep deleting the corresponding item in the registry but it still keeps coming back. Thanks,

wood6978 Member
I've deleted that previous stuff. I've been using Party Poker since about Nov. with no problems. The Back Web thing seems to have disappeared. Thank you, thank you! Now, my popup blocker can't seem to keep up. Is there somewhere that I can go to see what I should have every time in the registry? You have been so helpful and I hate to overstay my welcome. Every time.
Logfile of HijackThis v1.99.1
Running processes:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/

wood6978 Member
No, the Back Web has been for quite a long time now. I was just asking, hoping that it may be something common and easy to fix. You know (just click this, this). Thanks,

Josh1 Administrator
Yea, you still got some junk on there but not as much. Do you use or know what Blue Security is? So delete these:
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZU
Okay, the Back Web problem: it could be a spyware problem or it could be a legitimate problem. This is what is known as a false positive. Did that Back Web problem appear after you deleted the first stuff in the HijackThis log?

wood6978 Member
Here's the results. It's still acting really weird. I also have an invalid Back Web application i.d. 1940576. Any ideas as to how I would get rid of that?
Running processes:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/

Josh1 Administrator
Make sure you run the online virus scan in that article you read. You can download the Microsoft Antispyware program; you can find that in that article I posted. Also make sure you lock your hosts file, use the XP firewall, and then install another firewall.

Josh1 Administrator
Yea, this has a lot of WinMX on here. Do you have that program WinMX, or any P2P application? If so then delete it. Then delete these:
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
Your P2P application has to go. Did you run the virus scan? After you delete all this, run it again and post the results.

wood6978 Member
OK, so I've got a buddy whose computer just took a dump. I've done a scan with Adaware and found somewhere around 207 critical objects. I deleted them and I'm still having problems. His Spybot S&D won't download any more updates. I then tried several other scan programs on your "How to combat spyware" section, then after three failed attempts (same situation with updates and not finding anything) with three different programs. So I guess in my searching around on what to do I decided to run HijackThis and then paste it. Does the following tell anything that could be helpful to me?
**************
Running processes:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/