#1
Hi Jack This Log

Can anyone tell me what I need to fix to get rid of vx2/f please from my HijackThis log.

Logfile of HijackThis v1.98.2
Scan saved at 08:51:13, on 21/09/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\SOUNDMAN.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\WINNT\system32\ospwsfem.exe
C:\WINNT\system32\internat.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\ACT\SideACT.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\ANDYW\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: MultimppObj Class - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINNT\multimpp.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [goggryak] C:\WINNT\system32\ospwsfem.exe
O4 - HKLM\..\Run: [conscorr] C:\WINNT\conscorr.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Bandwidth Monitor Pro] "C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" /minimized
O4 - Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwa...006_cracks.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Caesars-Ceramics.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Caesars-Ceramics.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Caesars-Ceramics.local

Cheers peeps
Andy
__________________
To download any past mixes click on this LINK and select the mix you want. Selling my decks, mixer, headphones etc. Check this link http://www.oldskoolanthemz.com/forum...-etc-sale.html

#2
These 2 I reckon. Your start page gone walkies like?

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

I'd bin iTunes as well lol

#3
Nah man, my home page is sound, I just keep getting random pop-ups at the PC. I know it's got the vx2/f spyware on it but I can't get rid of it.

Andy

#4
O4 - HKLM\..\Run: [conscorr] is this: C:\WINNT\conscorr.exe
TrojanDownloader.Win32.Stubby.c
http://pestpatrol.com/pestinfo/t/tro...2_stubby_c.asp

Info on VXF/2
http://www.pestpatrol.com/PestInfo/V/VX2.asp

#5
Isn't HijackThis just for when your start page has been hijacked? Tried Spybot S&D

#6
It's better to get both Spybot S&D and Ad-Aware as one detects stuff the other doesn't and vice versa.

Spybot: http://www.download.com/Spybot-Searc...ml?tag=lst-0-2
Ad-Aware: http://www.download.com/Ad-Aware-SE-...ml?tag=lst-0-2

#7
Quote:
Andy

#8
Try to fix it in safe mode with HijackThis.

#9
This one looks like the main culprit:

O2 - BHO: MultimppObj Class - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINNT\multimpp.dll

Google this: multimpp.dll. It tells you more.

#10
Quote:
I have run HijackThis and fixed the above problem. I also ran CWShredder and it found a problem and got rid, but I am still getting the pop-ups. Any more ideas lads?

Andy

#11
More googling done, this one looks suss, can't find any info on it whatsoever:

O4 - HKLM\..\Run: [goggryak] C:\WINNT\system32\ospwsfem.exe

The next one you can get rid of coz it has no name even tho it says it's part of S&D:

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

And this one, C:\WINNT\SOUNDMAN.EXE ... do you use Realtek audio software at all? Here's a link to tell you more about this one.
http://www.tech-forums.net/computer/topic/20717.html
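
The manual triage done in posts #4, #9 and #11 (picking BHO and Run entries out of the log and looking each one up) can be scripted. The following is an added example, not part of the thread and not HijackThis code; the two flagging rules are assumptions chosen for illustration, and what they return is a list of entries to look up, not a verdict on any file.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample: seven O2/O4 lines copied from the log in post #1.
SAMPLE_LOG = r"""
O2 - BHO: MultimppObj Class - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINNT\multimpp.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [goggryak] C:\WINNT\system32\ospwsfem.exe
O4 - HKLM\..\Run: [conscorr] C:\WINNT\conscorr.exe
"""

class Entry(NamedTuple):
    section: str          # HijackThis group code: "O2" (BHO) or "O4" (autostart)
    name: str             # BHO class name or Run value name
    clsid: Optional[str]  # only BHO lines carry a CLSID
    target: str           # DLL path or command line

BHO_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
RUN_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run\w*: \[(.+?)\] (.+)$")
WINDIR_RE = re.compile(r'^"?[A-Za-z]:\\(?:WINNT|WINDOWS)\\', re.IGNORECASE)

def parse(log):
    """Turn O2 and O4 Run lines into Entry records; other lines are skipped."""
    entries = []
    for line in map(str.strip, log.splitlines()):
        if m := BHO_RE.match(line):
            entries.append(Entry("O2", m[1], m[2], m[3]))
        elif m := RUN_RE.match(line):
            entries.append(Entry("O4", m[1], None, m[2]))
    return entries

def review_queue(entries):
    """Heuristic rules (assumptions): return (entry, reason) pairs to look up."""
    queue = []
    for e in entries:
        if WINDIR_RE.match(e.target):
            queue.append((e, "loads from the Windows directory"))
        elif "\\" not in e.target.split()[0]:
            queue.append((e, "no directory given, resolved via search path"))
    return queue

if __name__ == "__main__":
    for e, why in review_queue(parse(SAMPLE_LOG)):
        print(f"{e.section}  {e.name:<18} {e.target}  ({why})")
```

On the full log the same rules also queue entries such as NeroCheck, so each queued item still needs the kind of lookup the posters did by hand.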