Hi and Welcome to TSF
Before attacking an adware/spyware problem with HijackThis, make sure you have already run Ad-Aware SE with the VX2 add-on cleaner, Spybot Search & Destroy (with an updated database) and CWShredder, as these programs will clean a lot of the crap out first. All links to programs are in my signature. OK, on to the log...
If you have a high-speed connection, please run an online virus scan from TrendMicro. Please select the "autoclean" option when prompted to do so.
Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible. Turn off System Restore by right-clicking on My Computer, going to Properties->System Restore and checking the box for Turn off System Restore.
Reboot into Safe Mode (hit the F8 key until the menu shows up). Make sure to close any open browsers. Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry):
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: Name - {E476FC5E-2AD3-4D8E-892D-1879050C8E4C} - C:\WINDOWS\System32\msuxd.dll
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\iecustom32.dll
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [kTplo66] C:\WINDOWS\sxhqt.exe
O4 - HKLM\..\Run: [sysobj.exe] sysobj.exe
O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...up1.0.0.8-2.cab
Fix these entries below as well if they are not related to your ISP or company network. (I'm guessing not, as the latter IP (195.225.176.37) is in Amsterdam.)
O17 - HKLM\System\CCS\Services\Tcpip\..\{12F0101D-12C1-41BA-9F21-D34EDE8DBFCF}: NameServer = 69.50.176.196,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{32381E06-7106-40DC-BC8B-E51F11F31723}: NameServer = 69.50.176.196,195.225.176.37
O17 - HKLM\System\CS1\Services\Tcpip\..\{12F0101D-12C1-41BA-9F21-D34EDE8DBFCF}: NameServer = 69.50.176.196,195.225.176.37
O17 - HKLM\System\CS2\Services\Tcpip\..\{12F0101D-12C1-41BA-9F21-D34EDE8DBFCF}: NameServer = 69.50.176.196,195.225.176.37
Delete the following files/folders in RED (delete folders if no filename is specified or if they are highlighted in RED) according to their directory. (If you can't find them, do a search for them. Make sure you have search of hidden files, folders, subdirectories, etc. enabled if it applies to your OS.)
C:\WINDOWS\System32\msuxd.dll
C:\WINDOWS\System32\iecustom32.dll
C:\WINDOWS\sxhqt.exe
syslog32.exe
sysobj.exe <--locate and delete these 2.
Once done, reboot into Normal Mode and post a new HijackThis log file to confirm what was removed and if it's clean or not.
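Added example, not part of the original post: a small Python checker for the two things the post asks the reader to judge by eye, namely O17 NameServer values that do not belong to the ISP or company network and O4 Run entries listed without a full path. The function names and the trusted resolver address (192.0.2.53, a documentation-range placeholder) are assumptions; the sample lines are copied from the log entries quoted above.

```python
import re

# Constructed sample: O4 and O17 lines copied from the log quoted in the post.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [kTplo66] C:\WINDOWS\sxhqt.exe
O4 - HKLM\..\Run: [sysobj.exe] sysobj.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{12F0101D-12C1-41BA-9F21-D34EDE8DBFCF}: NameServer = 69.50.176.196,195.225.176.37
O17 - HKLM\System\CS1\Services\Tcpip\..\{12F0101D-12C1-41BA-9F21-D34EDE8DBFCF}: NameServer = 69.50.176.196,195.225.176.37
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")           # "O17 - <body>"
O17_RE = re.compile(r"^(?P<key>.+?): NameServer = (?P<servers>.+)$")
O4_RE = re.compile(r"^\S+: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
HAS_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')                  # starts with a drive path


def parse_entries(text):
    """Yield (section, body) for every HijackThis-style line in text."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def unknown_nameservers(text, trusted):
    """Map each O17 registry key to its NameServer values not in `trusted`."""
    findings = {}
    for section, body in parse_entries(text):
        m = O17_RE.match(body) if section == "O17" else None
        if m:
            servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
            bad = [s for s in servers if s not in trusted]
            if bad:
                findings[m.group("key")] = bad
    return findings


def pathless_run_entries(text):
    """Return names of O4 Run values whose command has no full path."""
    names = []
    for section, body in parse_entries(text):
        m = O4_RE.match(body) if section == "O4" else None
        if m and not HAS_PATH_RE.match(m.group("cmd")):
            names.append(m.group("name"))
    return names


if __name__ == "__main__":
    # Assumption: 192.0.2.53 stands in for the resolver your ISP assigns.
    print(unknown_nameservers(SAMPLE_LOG, trusted={"192.0.2.53"}))
    print(pathless_run_entries(SAMPLE_LOG))
```

Replace the trusted set with the DNS servers your ISP or network administrator actually assigns before reading anything into the result.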