Re: HijackThisLog Analysis - Barny
Date: Friday, 15 October, 2004 2:55 AM
Remember: DO NOT run hijackthis.exe inside the zip file. Unzip (extract) it to your desktop, then double-click the "HijackThis.exe" icon. This way, a backup of the removed keys will be created on your desktop (useful if you remove them wrongly).
Here is what you should do.
End the suspicious process below:
C:\WINDOWS\System32\sisntprf.exe
Remove these search keys:
R3 - Default URLSearchHook is missing
Remove these additional browser plug-in keys (O2...O4):
O2 - BHO: (no name) - {0C9443AC-7EA3-5293-9927-64C06AC3B082} - C:\WINDOWS\Gnqsbusa.dll
O3 - Toolbar: Search - {1A176BE2-1413-5941-CFAD-A9201FE5A044} - C:\WINDOWS\Gnqsbusa.dll
O4 - HKLM\..\Run: [hoadgbw] C:\WINDOWS\kjberup.exe
O4 - HKCU\..\Run: [Ho5qRfM5g] sisntprf.exe
Remove these ActiveX Objects (aka Downloaded Program Files) if you are not using them (O16):
O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1062 (file missing)
Reboot the computer and put it into safe mode. Then delete these files from your C: drive.
C:\WINDOWS\Gnqsbusa.dll
Original log but with private information removed.
Logfile of HijackThis v1.98.2
Scan saved at 19:43:38, on 14/10/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\sisntprf.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\ASH~1.ASH\LOCALS~1\Temp\Rar$EX00.156\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = website: tiscali.co.uk/index_first.html
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0C9443AC-7EA3-5293-9927-64C06AC3B082} - C:\WINDOWS\Gnqsbusa.dll
O3 - Toolbar: Search - {1A176BE2-1413-5941-CFAD-A9201FE5A044} - C:\WINDOWS\Gnqsbusa.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [hoadgbw] C:\WINDOWS\kjberup.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Ho5qRfM5g] sisntprf.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1062 (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - website: v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1097195500029
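
Added example (not part of the original post, and not HijackThis's own logic): a small Python triage pass over the entry lines of a log in this format. The four heuristics and the names `triage` and `SAMPLE` are assumptions made for illustration; they only point at entries to review by hand. The sample lines are taken from the log above.

```python
import re

# Entry lines from the log above (spacing normalised).
SAMPLE = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0C9443AC-7EA3-5293-9927-64C06AC3B082} - C:\WINDOWS\Gnqsbusa.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [hoadgbw] C:\WINDOWS\kjberup.exe
O4 - HKCU\..\Run: [Ho5qRfM5g] sisntprf.exe
"""

# An entry is "<section code> - <body>", e.g. "O4 - HKCU\..\Run: [name] cmd".
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Assumed heuristic: an .exe/.dll directly in the Windows root, not a subfolder.
WIN_ROOT = re.compile(r"[A-Za-z]:\\WINDOWS\\[^\\\s]+\.(?:exe|dll)\b", re.I)
RUN = re.compile(r"Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$")

def triage(log_text):
    """Return [(code, body, [reasons])] for entries worth a manual look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, running-process list or blank line
        code, body = m["code"], m["body"]
        reasons = []
        if "missing" in body.lower():
            reasons.append("reports a missing target")
        if code == "O2" and "(no name)" in body:
            reasons.append("unnamed BHO")
        if WIN_ROOT.search(body):
            reasons.append("binary in Windows root")
        run = RUN.search(body) if code == "O4" else None
        if run and "\\" not in run["cmd"]:
            reasons.append("Run value without a full path")
        if reasons:
            findings.append((code, body, reasons))
    return findings

if __name__ == "__main__":
    for code, body, reasons in triage(SAMPLE):
        print(f"{code}: {body}\n    -> {', '.join(reasons)}")
```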