Page 1 of 3 123 LastLast
Results 1 to 10 of 30
  1. #1
    Member
    Join Date
    Apr 2006
    Posts
    27
    Points
    0

    Default HijackThis log file - letgothome browser hijack & Errors

    I've been trying to get rid of the Errorsafe browser hijack and followed the instructions. Loads of useful stuff on there, thanks guys.

    I did have an incident of Errorsafe last night, so I did another run of Spybot S&D and Adware. Not sure if I've got rid of it.

    Interesting - my hijack log file (below) shows up the LetGoHome browser hijack. I think it's being kept at bay by Windows Defender but it's still lurking in there. The Help2Go Detective did not spot LetGoHome! Think it needs an update because LetGoHome is a real pain.


    --------HIJACK THIS LOGFILE--------------------

    Code:

    Logfile of HijackThis v1.99.1
    Scan saved at 11:48:08, on 23/04/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
    C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
    C:\WINDOWS\System32\LVCOMSX.EXE
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Logitech\Video\FxSvr2.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Program Files\Sorenson Media\Sorenson Squeeze 4\Squeeze.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://letgohome.com/sp.htm?id=72
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Robin/My%20Documents/HOMEPAGE/index.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\Documents and Settings\Robin\My Documents\HOMEPAGE\
    N2 - Netscape 6: user_pref("browser.startup.homepage", "file:///C:/Documents%20and%20Settings/Robin/My%20Documents/HOMEPAGE/index.html"); (C:\Documents and Settings\Robin\Application Data\Mozilla\Profiles\default\7i326qy7.slt\prefs.js)
    N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Robin\Application Data\Mozilla\Profiles\default\7i326qy7.slt\prefs.js)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
    O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    O4 - HKLM\..\Run: [BBDial] C:\Program Files\BT Voyager 105 ADSL Modem\BT Broadband.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [DVDTray] C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Microsoft AntiSpyware helper - {4B3E9C6A-AF3E-49B1-A365-88C14EE5A05D} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {4B3E9C6A-AF3E-49B1-A365-88C14EE5A05D} - (no file) (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/058141d59941f5116020/netzip/RdxIE601.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1097190912831
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A4612DDD-71A4-4B91-8B0D-BAAEB22BBE30}: NameServer = 194.72.9.38 194.74.65.68
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - AppInit_DLLs: i7gt6dnwxxo38.dll
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

  2. #2
    Member
    Join Date
    Jan 2003
    Posts
    12,000
    Points
    1191

    Default

    Hi:

    I just spent about 1 hour trying to get this log to fit the page and trying to figure out just what the problem is.

    I finally figured out one of your problems - No Running Anti Virus or Firewall

    Sorry, no help with HJT type problems without at least a running A/V appearing in the log.

    Go here and load this excellent free one (I use it)

    http://free.grisoft.com/freeweb.php/doc/2/

    Run an A/V scan

    Will this fix your problem ?, short answer is no.

    Go to your Notepad and make sure that under "Format" that "Word Wrap" is checked.

    Run HJT program again and post another log. Please do not use the "code" setting to post it.

    BG

  3. #3
    Member steamwiz's Avatar
    Join Date
    Sep 2003
    Location
    Yorkshire U.K.
    Posts
    14,022
    Points
    2335

    Default

    HI

    Looks like you have/had a smitfraud variant...

    O9 - Extra button: Microsoft AntiSpyware helper - {4B3E9C6A-AF3E-49B1-A365-88C14EE5A05D} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {4B3E9C6A-AF3E-49B1-A365-88C14EE5A05D} - (no file) (HKCU)

    Also an l2m vx2 cws infection...

    O20 - AppInit_DLLs: i7gt6dnwxxo38.dll

    Follow Basementgeek's directions and then we'll get to work on your log

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -

  4. #4
    Member
    Join Date
    Apr 2006
    Posts
    27
    Points
    0

    Default

    Thanks guys - I'll set to work on your recommendations.

    BasementGeek - no firewall, no antivirus - um, so this means that the pile of anti-spyware programs I have are not enough? I have AdAware, A-Squared, CWS Shredder, Windows defender.
    I also have Windows firewall - is this no good?

    (sorry if this question seems really thick but I might as well ask it ) :?

  5. #5
    Member steamwiz's Avatar
    Join Date
    Sep 2003
    Location
    Yorkshire U.K.
    Posts
    14,022
    Points
    2335

    Default

    HI

    anti-spyware programs and anti-virus target different malware... you need a specific anti-virus installed... AVG from grisoft is free..

    As for Windows firewall ... it's better than nothing, but it only works one-way, it will protect you from incoming attacks, but will stop nothing leaving your computer... A free firewall like ZoneAlarm will protect both ways...

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -

  6. #6
    Member
    Join Date
    Apr 2006
    Posts
    27
    Points
    0

    Default

    OK, I've followed your recommendations and I now have:

    AVG antivirus
    Zonelabs firewall
    I also got Avast! antivirus to be on the safe side.

    Avast did a reboot and scan and found WIN32:CTX in c:\windows\system32\activescan\pskavs.dll
    but nothing else.

    Anyway here's the latest HijackThis scan which still features that old favourite letgohome.com browser hijack. It's not managed to hijack my browsers yet - I think Windows anti-spyware/Defender and Spybot keep it at bay, but it's still a slight concern that something is lurking in there....

    -------------------
    HIJACK THIS LOG
    -------------------

    Logfile of HijackThis v1.99.1
    Scan saved at 16:59:00, on 29/04/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
    C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
    C:\WINDOWS\System32\LVCOMSX.EXE
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Logitech\Video\FxSvr2.exe
    C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\k9v1\K9.exe
    C:\Program Files\HijackThis\HijackThis.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://letgohome.com/sp.htm?id=72
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Robin/My%20Documents/HOMEPAGE/index.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\Documents and Settings\Robin\My Documents\HOMEPAGE\
    N2 - Netscape 6: user_pref("browser.startup.homepage", "file:///C:/Documents%20and%20Settings/Robin/My%20Documents/HOMEPAGE/index.html"); (C:\Documents and Settings\Robin\Application Data\Mozilla\Profiles\default\7i326qy7.slt\prefs.js)
    N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Robin\Application Data\Mozilla\Profiles\default\7i326qy7.slt\prefs.js)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
    O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    O4 - HKLM\..\Run: [BBDial] C:\Program Files\BT Voyager 105 ADSL Modem\BT Broadband.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [DVDTray] C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Microsoft AntiSpyware helper - {4B3E9C6A-AF3E-49B1-A365-88C14EE5A05D} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {4B3E9C6A-AF3E-49B1-A365-88C14EE5A05D} - (no file) (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
    O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe...nttracking.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/058141d5...p/RdxIE601.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1097190912831
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A4612DDD-71A4-4B91-8B0D-BAAEB22BBE30}: NameServer = 194.72.9.38 194.74.65.68
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - AppInit_DLLs: i7gt6dnwxxo38.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

  7. #7
    Member 1972vet's Avatar
    Join Date
    Mar 2006
    Posts
    275
    Points
    35

    Default

    Download SmitfraudFix (by S!Ri) to your Desktop.
    http://siri.urz.free.fr/Fix/SmitfraudFix.zip
    Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.
    ______________________________

    Please download the trial version of Ewido anti-malware 3.5 from here:
    http://www.ewido.net/en/download/
    • Install Ewido anti-malware.
    • When installing, under Additional Options uncheck Install background guard and Install scan via context menu.
    • When you run Ewido for the first time, you could get a warning "Database could not be found!". Click Ok.
    • The program will prompt you to update. Click the Ok button.
    • The program will now go to the main screen.
    You will need to update Ewido to the latest definition files.
    • On the left-hand side of the main screen click the Update Button.
    • Click on Start.
    The update will start and a progress bar will show the updates being installed.
    Once finished updating, close Ewido.
    ______________________________

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press Enter
    This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

    Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/proc...processutil.htm

    IMPORTANT: Do NOT run any other options until you are asked to do so!

    Download F-Look2Me.zip and save it to your desktop.
    1. Unzip f-look2me.zip
    2. Run the tool by double-clicking on f-look2me.exe.
    3. Reboot the machine into safe mode.

    Once in safe mode, open your Ewido application and continue with the instructions below:
    Click on "Scanner" and choose "Settings".
    Under the bottom section "What to Scan?" make sure "Scan every file" is selected.
    Select "OK" and you will return to scanning options.

    On the main screen click on "Complete System Scan" to start the scan.
    While the scan is in progress, you will be prompted to clean the first infected file it finds. Put a check next to "Perform action on all infections" in the lower left corner.
    Then choose "Clean" and click "OK".

    When the scan has completed, Ewido will create a report.txt file.
    Click the "Save Report" button on the bottom of the screen and save the log to your desktop.
    Exit Ewido when done.


    Please run HijackThis again and put a check in the box next to these entries that may still exist:
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://letgohome.com/sp.htm?id=72
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Robin/My%20Documents/HOMEPAGE/index.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\Documents and Settings\Robin\My Documents\HOMEPAGE\
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O9 - Extra button: Microsoft AntiSpyware helper - {4B3E9C6A-AF3E-49B1-A365-88C14EE5A05D} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {4B3E9C6A-AF3E-49B1-A365-88C14EE5A05D} - (no file) (HKCU)
    O20 - AppInit_DLLs: i7gt6dnwxxo38.dll


    Using Windows Explorer locate and delete the following files indicated in Bold text:
    c:\windows\system32\i7gt6dnwxxo38.dll

    Reboot the computer and post back a new HijackThis log, the log from the SmitfraudFix scan, and the Ewido log.

    Good Luck!
    Disabled Veteran
    U.S.C.G.

    CastleCops Graduate 1st Responder

    Member:
    A.S.A.P.
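    The entries steamwiz singles out in post #3 (the orphaned O9 "(no file)" items and the O20 AppInit_DLLs line) and the list 1972vet asks to be fixed in post #7 are the kind of thing a helper picks out of a HijackThis log by hand. The script below is an added example written for this thread, not part of the original posts and not a HijackThis or Help2Go tool: it parses lines in the HijackThis 1.99.1 format shown above and reports the entries that deserve a look, plus a helper that shows what changed between two posted logs. The sample log, the trusted-host allow-list and all names (`triage`, `new_entries`, `Finding`) are constructed for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample input in the HijackThis 1.99.1 format used in this thread
# (entries taken from the posted logs; this is a fixed test string, not a live scan).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://letgohome.com/sp.htm?id=72
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\Documents and Settings\Robin\My Documents\HOMEPAGE\
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Microsoft AntiSpyware helper - {4B3E9C6A-AF3E-49B1-A365-88C14EE5A05D} - (no file) (HKCU)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: i7gt6dnwxxo38.dll
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
"""

# Every HijackThis entry starts with a section code ("R1", "O4", "O20", ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")

# Constructed allow-list: the search/start-page hosts this user actually chose.
TRUSTED_HOSTS = {"www.google.co.uk", "google.co.uk"}


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def _url_host(body):
    """Host of an R0/R1 entry's value, or None when the value is a local file or path."""
    if " = " not in body:
        return None
    value = body.split(" = ", 1)[1].strip()
    parsed = urlparse(value)
    if parsed.scheme not in ("http", "https"):
        return None  # file:///..., C:\..., or an empty value: local, not a redirect
    return parsed.hostname


def triage(log_text):
    """Return the entries in a HijackThis log that deserve a human's attention."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, process list and blank lines carry no entries
        section, body = m.group("section"), m.group("body")
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            # A non-empty AppInit_DLLs value is loaded into every process that uses user32.dll.
            dll = body.split(":", 1)[1].strip()
            if dll:
                findings.append(Finding(section, f"AppInit_DLLs loads {dll} into every process", raw))
        elif section in ("R0", "R1"):
            host = _url_host(body)
            if host and host not in TRUSTED_HOSTS:
                findings.append(Finding(section, f"browser search/start page points at {host}", raw))
        elif "(no file)" in body or "(file missing)" in body:
            # Leftover registration whose target file is gone: harmless, but safe to clear.
            findings.append(Finding(section, "orphaned entry: referenced file is absent", raw))
    return findings


def new_entries(old_log, new_log):
    """Entries present in a re-posted log that were not in the earlier one."""
    old = {l.strip() for l in old_log.splitlines() if ENTRY_RE.match(l.strip())}
    return [l.strip() for l in new_log.splitlines()
            if ENTRY_RE.match(l.strip()) and l.strip() not in old]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line.strip()}")
```

Run against the sample it reports four entries: the letgohome.com SearchURL, the two orphaned O9/O18 items and the AppInit_DLLs line, while the Google search page, the local start page, the Spybot BHO and the PCTEL service pass. `new_entries` is for the "post another log" step: feed it the earlier and the later log text and it lists only what appeared in between, which is how the new AVG, avast! and ZoneAlarm entries in post #6 would stand out.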

  8. #8
    Member Oddjob's Avatar
    Join Date
    May 2004
    Location
    London, U.K.
    Posts
    1,979
    Points
    248

    Default

    Quote Originally Posted by rmcmorran
    OK, I've followed your recommendations and I now have:

    AVG antivirius
    Zonelabs firewall
    I also got Avast! antivirus to be on the safe side.
    Never have more than ONE antivirus in operation at any one time. Multiple A/Vs could easily clash and cause possible conflicts resulting in no A/V protection at all.

    Make sure only one A/V is running.

    OJ
    PLEASE DONATE. Help keep our site alive without ads.

    Help keep your computer protected. Read this > http://www.help2go.com/article152.html

  9. #9
    Member
    Join Date
    Apr 2006
    Posts
    27
    Points
    0

    Default

    Quote Originally Posted by Oddjob
    Never have more than ONE antivirus in operation at any one time. Multiple A/Vs could easily clash and cause possible conflicts resulting in no A/V protection at all.

    Make sure only one A/V is running.

    OJ
    Thanks for the advice Oddjob - though as a newcomer, this does seem to me to rather contradict the advice on pages like this
    http://www.help2go.com/Tutorials/Pro...Hijackers.html

    Thanks though - I've ditched AVG and stuck with Avast. Also Spybot was troublesome so it's gone too (will post separately about that).

  10. #10
    Member
    Join Date
    Apr 2006
    Posts
    27
    Points
    0

    Default

    Anyway thanks 1972vet for all the advice. Phew! What a kerfuffle!

    I've followed all your directions and I think I've got rid of the nasty old letgohome.com hijacker. It wasn't actually succeeding in hijacking my browser but Spybot was picking up its attempted activity.

    So here are all my logfiles....

    ----------------------------------------
    SMITFRAUD REPORT
    ----------------------------------------
    SmitFraudFix v2.40

    Scan done at 20:19:44.24, 06/05/2006
    Run from C:\Documents and Settings\Robin\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600]

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Robin\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Robin\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"=""
    "SubscribedURL"=""
    "FriendlyName"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
