please help me check the hijack log file

  1. #1
    Junior Member
    Join Date
    Mar 2004

    please help me check the hijack log file

    Some sort of spyware changed my homepage etc. It also changed the registry. I corrected them, but once IE runs again, they come back. I scanned the system with HijackThis in safe mode. I think there must be some program running with IE, but I am not sure which one it is. So I attach the log file here and hope you guys could give me some clues. Thanks a lot.

  2. #2
    Senior Member
    Join Date
    Aug 2003
    You have the latest, greatest new hijack out, which is proving to be very difficult to fix. Deleting the BHOs will not do it; there is a mutating .dll with 2 matching executables that have to be killed, and when you try to boot into safe mode the .dlls disappear, only to reappear on the next reboot (or the one after that, or the one after that).

    PM Grinler, I'm not sure how often he comes around any more, but he has been working with some others to develop a fix for it.


  3. #3
    Senior Member
    Join Date
    Dec 2003
    Pacific Northwest

    edit: groovicus is on top of this new hijack; if that doesn't work, here's some more info about how to read your log etc.

    Soda_Popinsky wrote a great tutorial on this very subject. It is easy to follow and I have used it twice. It is located at the link below. The threads at AO are packed with a wealth of info. To access them, just use the search engine on the main page. Also, using frequently will assist you as well.

    Some additional info:

    Here's the rundown: the ole hijacking, as it is called. There are free downloads that can and will rid your computer of these critters.

    "CWShredder" is a tool to remove CoolWebSearch. Here's a link to a site to download it:

    Additionally, if you don't already have some software to combat other malware types, you need to download some of those programs as well. Ad-Aware and Spybot S&D are two such programs, and I would use them both.

    You might also consider using another browser. Opera, Mozilla, Firefox by Mozilla, Netscape, Slim Browser, etc.


  4. #4
    Junior Member
    Join Date
    Mar 2004
    I forgot another thing: there is a Home Search Assistant entry showing up in Add/Remove Programs. If I click its Remove button, it shows
    "unable to open:".
    Is there any way to uninstall this program first?

  5. #5
    Macht Nicht Aus (moxnix)
    Join Date
    May 2002
    Huson Mt.
    Originally posted here by march
    I forgot another thing: there is a Home Search Assistant entry showing up in Add/Remove Programs. If I click its Remove button, it shows
    "unable to open:".
    Is there any way to uninstall this program first?
    Yes......but one of them I know is not really recommended.
    1. Boot up in Safe Mode and then try to delete the program with Add/Remove Programs.
    2. Go into your main storage (C: disk) to Program Files, find the folder this program is in and run the uninstall right from there. (It should have its own uninstall application.)
    3. In your Program Files, delete the folder that this program is stored in. (This is the one that is not really recommended, because it does not remove any .dlls or registry entries that may be associated with the program. It can cause you to lock up and/or spontaneously reboot whenever another program is directed to use the deleted program.)

    There are probably other, better methods, but I can't think of any at present, or don't know them.
    \"Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!\"
    Author Unknown

  6. #6
    Regal Making Handler
    Join Date
    Jun 2002
    I'm very suspicious of this item: O4 - HKLM\..\RunServices: [Video Process] sysconf.exe

    I'm thinking Agobot worm........????
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  7. #7
    Senior Member
    Join Date
    May 2004

    HijackThis log tutorial

    Here you will find a comprehensive 'HijackThis log tutorial' that will help you a lot.

    Excuse me, is there an airport nearby large enough for a private jet to land?

  8. #8
    Senior Member
    Join Date
    Aug 2003
    Ok, I had a little time to look at your log, so let's see if we can kill this. You have a bit of a variant of this, so I'll do my best.

    Control-alt-delete end task on these tasks:


    Please put HijackThis in its own folder. It likes to make backups, and it is best to keep them all in one place.

    *Click My Computer, then C:\
    *In the menu bar, File -> New -> Folder.

    That will create a folder named New Folder.

    * Right click on the file and select 'rename'
    * Rename to something like 'HJT' , and put your Hijackthis in there.


    Put a checkmark next to the following in HijackThis. Make sure all other windows and browsers are closed before clicking on "Fix Checked".

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gefhn.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://gefhn.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://gefhn.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gefhn.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://gefhn.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\gefhn.dll/sp.html#96676
    O2 - BHO: (no name) - {A9B24A9A-6451-6CEB-5B79-6F6736741E63} - C:\WINDOWS\system32\iexm32.dll
    O4 - HKLM\..\Run: [ntxt.exe] C:\WINDOWS\system32\ntxt.exe
    O4 - HKLM\..\RunOnce: [winie32.exe] C:\WINDOWS\winie32.exe
    O4 - HKLM\..\RunOnce: [sdkdt.exe] C:\WINDOWS\sdkdt.exe
    O4 - HKLM\..\RunOnce: [atlah.exe] C:\WINDOWS\system32\atlah.exe
    O4 - HKLM\..\RunOnce: [ievl32.exe] C:\WINDOWS\ievl32.exe
    O4 - HKLM\..\RunOnce: [atlfu.exe] C:\WINDOWS\atlfu.exe
    O4 - HKLM\..\RunOnce: [apixf.exe] C:\WINDOWS\system32\apixf.exe
    O4 - HKLM\..\RunOnce: [iegj.exe] C:\WINDOWS\iegj.exe
    O4 - HKLM\..\RunOnce: [d3ny32.exe] C:\WINDOWS\d3ny32.exe
    O4 - HKLM\..\RunOnce: [ipxt32.exe] C:\WINDOWS\ipxt32.exe
    O4 - HKLM\..\RunOnce: [ntes32.exe] C:\WINDOWS\system32\ntes32.exe
    O4 - HKLM\..\RunOnce: [netjf.exe] C:\WINDOWS\system32\netjf.exe
    O4 - HKLM\..\RunOnce: [sdkxl.exe] C:\WINDOWS\sdkxl.exe
    O4 - HKLM\..\RunOnce: [apier32.exe] C:\WINDOWS\system32\apier32.exe
    O4 - HKLM\..\RunOnce: [atlsd.exe] C:\WINDOWS\atlsd.exe
    O4 - HKLM\..\RunOnce: [ntha.exe] C:\WINDOWS\system32\ntha.exe
    O4 - HKLM\..\RunOnce: [mfcgn32.exe] C:\WINDOWS\mfcgn32.exe
    O4 - HKLM\..\RunOnce: [neter.exe] C:\WINDOWS\neter.exe
    O4 - HKLM\..\RunOnce: [sdkut.exe] C:\WINDOWS\sdkut.exe
    O4 - HKLM\..\RunOnce: [crtb.exe] C:\WINDOWS\system32\crtb.exe
    O4 - HKLM\..\RunOnce: [appwd.exe] C:\WINDOWS\appwd.exe
    O4 - HKLM\..\RunOnce: [ievo.exe] C:\WINDOWS\system32\ievo.exe
    O4 - HKLM\..\RunOnce: [ntcq.exe] C:\WINDOWS\system32\ntcq.exe
    O4 - HKLM\..\RunOnce: [winfl.exe] C:\WINDOWS\system32\winfl.exe
    O4 - HKLM\..\RunOnce: [atlyh.exe] C:\WINDOWS\system32\atlyh.exe
    O4 - HKLM\..\RunOnce: [netnk.exe] C:\WINDOWS\system32\netnk.exe
    O4 - HKLM\..\RunOnce: [apiwt32.exe] C:\WINDOWS\apiwt32.exe
    O4 - HKLM\..\RunOnce: [ipps32.exe] C:\WINDOWS\ipps32.exe
    O4 - HKLM\..\RunOnce: [ntbm.exe] C:\WINDOWS\system32\ntbm.exe
    O4 - HKLM\..\RunOnce: [ntea32.exe] C:\WINDOWS\ntea32.exe
    O4 - HKLM\..\RunOnce: [sysya.exe] C:\WINDOWS\system32\sysya.exe
    O4 - HKLM\..\RunOnce: [iefb32.exe] C:\WINDOWS\system32\iefb32.exe
    O4 - HKLM\..\RunOnce: [ntiu.exe] C:\WINDOWS\system32\ntiu.exe


    Boot into SAFE MODE by tapping the f8 key during boot up.
    How to see Hidden files

    Delete the following files:

    Reboot in normal mode

    Please download TheKillbox from here:

    Unzip the files to a folder, then double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following:


    Don't click any of the buttons though; instead, please click on the Action menu and choose "Delete on Reboot". On the next screen, click on the File menu and choose "Add File". The filename and path should show up in the window. If that's successful, choose the Action menu and select "Process and Reboot". You'll be prompted to reboot; do so.

    Reboot in normal mode and post a fresh log

    EDIT: A new step
    Go to Start>Run and type regedit.

    Press enter.

    Navigate to:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\__NS_Service_3 (This may be different but will always start with __NS_Service)

    If __NS_Service_3 exists, right click on it and choose delete from the menu.

    Now navigate to:

    If LEGACY___NS_Service_3 exists, then right click on it and choose delete from the menu.

    Reboot and post a last log
    I apologize for the bumps. I just wanted to make sure that they knew there was an additional step.

  9. #9
    Senior Member
    Join Date
    Feb 2004
    Quote Originally Posted by jinxy
    I'm very suspicious of this item: O4 - HKLM\..\RunServices: [Video Process] sysconf.exe

    I'm thinking Agobot worm........????
    Agobot, Gaobot.... the same, I believe..... whatever the name... this is it. Good catch!

    March, you need to run an online AV after, and only after, you do what Groovicus suggested. Here are a few you can choose from:

    Also, you are probably going to need to clean your hosts file. Here's a great link with tons of info on this:

  10. #10
    Junior Member
    Join Date
    Mar 2004
    Hi there,
    Thank you guys so much. The problem is fixed following groovicus's instructions. But I did not delete the LEGACY _NT_Service entries in the registry, and I don't get why I need KillBox; I found it just deletes the files.
    The virus is very tricky. Every time it runs, it adds a BHO entry and several RunOnce entries, and the program name related to the BHO is changed every time. These files do not exist. I don't know how it works.
    My experience is: delete that BHO entry and all the RunOnce entries, and also delete the several suspicious start items in the Run entries.
    I attached the fresh HijackThis.log after the system is cleaned up.

    Running processes:
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Video Process] sysconf.exe
    O4 - HKLM\..\RunServices: [Video Process] sysconf.exe
    O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
    O8 - Extra context menu item: Edit with &XML Spy - C:\Program Files\Altova\xmlspy\spy.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: Edit with XML Spy (HKCU)
    O9 - Extra 'Tools' menuitem: Edit with XML Spy (HKCU)
    O16 - DPF: Yahoo! Chat -
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) -
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
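Added example, not part of this thread and not HijackThis's own logic: a small triage pass over HJT log lines that encodes the patterns the thread keys on. It covers both the fix list groovicus posted in #8 (R0/R1 start and search pages served from a local DLL via res://, an unnamed BHO whose DLL sits in the Windows directory, and Run/RunOnce values pointing at freshly dropped executables in C:\WINDOWS or system32) and the "clean" log in #10, where sysconf.exe still sits under both Run and RunServices, the entry jinxy flagged. The sample excerpts are copied from the two logs posted in this thread; the rule names, the WINDIR_DROP pattern and the decision to treat any RunServices entry as suspect (that key is only processed by Windows 9x/ME, so on XP nothing legitimate lives there) are this example's own choices.

```python
"""Triage rules for HijackThis (HJT) R0/R1, O2 and O4 lines.

Added example, not HijackThis's own logic and not code from the thread. The
two log excerpts below are copied from the logs posted in this thread; the
rule names and the WINDIR_DROP heuristic are this example's own assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# R0/R1: IE start/search/default page values, "R1 - HKCU\...\Main,Search Page = <value>".
R_LINE = re.compile(
    r"^R[01] - (?P<hive>HK[A-Z]+)\\.*?,(?P<key>[^=]+?)\s*=\s*(?P<value>.*)$"
)
# O2: Browser Helper Object, "O2 - BHO: <name> - {CLSID} - <dll path>".
O2_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$"
)
# O4: registry autostart, "O4 - HKLM\..\RunOnce: [<value name>] <command>".
O4_LINE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run|RunOnce|RunServices): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# Heuristic (assumption): a bare binary dropped straight into C:\WINDOWS or
# C:\WINDOWS\system32. Legitimate startup items nearly always live under Program Files.
WINDIR_DROP = re.compile(
    r"^C:\\WINDOWS\\(?:system32\\)?[A-Za-z0-9]+\.(?:exe|dll)$", re.IGNORECASE
)


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str


def triage(log_text: str) -> list[Finding]:
    """Return the HJT lines worth ticking in 'Fix checked', with the rule that fired."""
    findings: list[Finding] = []
    run_cmds: dict[str, str] = {}          # command -> line, for HKLM\..\Run
    runservices_cmds: dict[str, str] = {}  # command -> line, for HKLM\..\RunServices

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := R_LINE.match(line)):
            # CoolWebSearch-style hijack: the start/search page is served out of a
            # local DLL's resources (res://<dll>/<page>) instead of a web site.
            if m.group("value").lower().startswith("res://"):
                findings.append(Finding("ie_page_from_local_dll", line))
        elif (m := O2_LINE.match(line)):
            # A BHO with no name whose DLL was dropped into the Windows directory.
            if m.group("name") == "(no name)" and WINDIR_DROP.match(m.group("path")):
                findings.append(Finding("unnamed_bho_in_windir", line))
        elif (m := O4_LINE.match(line)):
            key, cmd = m.group("key"), m.group("cmd").strip()
            if key in ("Run", "RunOnce") and WINDIR_DROP.match(cmd):
                # RunOnce values are deleted by Windows after they run; a RunOnce that
                # points at a dropped file in %WINDIR% and keeps coming back is being
                # re-created by something that is still running.
                findings.append(Finding(f"{key.lower()}_dropper_in_windir", line))
            if key == "RunServices":
                # RunServices is only processed by Windows 9x/ME; on XP nothing
                # legitimate installs here. Worms write it to cover both families.
                findings.append(Finding("runservices_entry", line))
                runservices_cmds[cmd.lower()] = line
            elif key == "Run":
                run_cmds[cmd.lower()] = line

    # The same command registered under both Run and RunServices (the sysconf.exe
    # pair that survived the first clean-up in this thread).
    for cmd, line in run_cmds.items():
        if cmd in runservices_cmds:
            findings.append(Finding("run_and_runservices_pair", line))
    return findings


def lines_to_fix(log_text: str) -> list[str]:
    """Deduplicated HJT lines to check, each listed once even if several rules fired."""
    seen: list[str] = []
    for f in triage(log_text):
        if f.line not in seen:
            seen.append(f.line)
    return seen


# Excerpt copied from the hijacked log groovicus worked through (post #8).
HIJACKED_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gefhn.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://gefhn.dll/index.html#96676
O2 - BHO: (no name) - {A9B24A9A-6451-6CEB-5B79-6F6736741E63} - C:\WINDOWS\system32\iexm32.dll
O4 - HKLM\..\Run: [ntxt.exe] C:\WINDOWS\system32\ntxt.exe
O4 - HKLM\..\RunOnce: [winie32.exe] C:\WINDOWS\winie32.exe
O4 - HKLM\..\RunOnce: [atlah.exe] C:\WINDOWS\system32\atlah.exe
"""

# Excerpt copied from the "clean" log posted afterwards (post #10).
CLEANED_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Video Process] sysconf.exe
O4 - HKLM\..\RunServices: [Video Process] sysconf.exe
"""

if __name__ == "__main__":
    for label, log in (("hijacked", HIJACKED_LOG), ("cleaned", CLEANED_LOG)):
        print(f"== {label} ==")
        for f in triage(log):
            print(f"{f.rule:28} {f.line}")
```

Run against the #8 excerpt it lists exactly the six lines groovicus ticked; run against the #10 excerpt it stays quiet on Acrobat, RealPlayer and the ATI entries and flags only the two sysconf.exe lines, which is the residue jinxy and the later replies pointed at. The rules are deliberately narrow: a bare filename under Run (Ati2mdxx.exe, AGRSMMSG.exe) is not flagged on its own, because plenty of OEM drivers register that way.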
