Need some expert on HijackThis

Fahey (Limp Gawd, joined Dec 23, 2005, 352 messages)
Alright, sometime about 2 weeks or so ago I would type in a website and for some reason I would get like a search.
For example,
I type
pbnation.com
It will do a search
and show Google "cooking in 30 min".
I downloaded HijackThis to see if there's anything here that is bad.

Logfile of HijackThis v1.99.1
Scan saved at 4:53:54 PM, on 5/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Alex Martinez\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [dmpna.exe] C:\WINDOWS\system32\dmpna.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - Global Startup: SATARAID5.lnk.disabled
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\RRIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143187033468
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C7D8A35-2831-4237-B76E-A4995DB80A15}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B86E83A-CDB1-4D40-ACB1-7E156DDCBF1C}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA6A0BC5-2C9B-4CA3-93A3-FD3D7B53888D}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CS1\Services\Tcpip\..\{4C7D8A35-2831-4237-B76E-A4995DB80A15}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CS2\Services\Tcpip\..\{4C7D8A35-2831-4237-B76E-A4995DB80A15}: NameServer = 85.255.115.43,85.255.112.185
O20 - Winlogon Notify: winuns32 - winuns32.dll (file missing)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 
The only two things I see that are questionable would be
O4 - HKLM\..\Run: [dmpna.exe] C:\WINDOWS\system32\dmpna.exe and
O20 - Winlogon Notify: winuns32 - winuns32.dll (file missing)

Googling dmpna.exe comes up with nothing, so you may want to investigate what it is. I would check its created date, and if it's around when you started having these issues, remove it. The winuns32.dll search comes back with some mentions of a virus, so you should look into that as well.

You may also want to check your DNS settings to make sure they are pointing at your ISP and didn't get changed, and check your hosts file. I hope this is enough to get you started.
 
I have another: I found that the computer has 2 users on it,
the administrator and Alex.
I see my Alex user but not the administrator. Can I delete the administrator?
 
You don't want to delete the administrator account; you might need it for system recovery one day.

Run Ad-Aware and Spybot?

I've had a couple lately that everything has missed. Weird shit out there lately.
 
I scanned my computer with AVG Antivirus; dmlcy.exe had a reading error.
C:\Windows\system32\dmlcy.exe
 
Might want to run a scan with a better AV... run an online one at Kaspersky and Trend Micro.

Download and run CCleaner too, and the trial for Ewido.
 
Fahey said:
Alright, sometime about 2 weeks or so ago I would type in a website and for some reason I would get like a search.

.....

O17 - HKLM\System\CCS\Services\Tcpip\..\{4C7D8A35-2831-4237-B76E-A4995DB80A15}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B86E83A-CDB1-4D40-ACB1-7E156DDCBF1C}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA6A0BC5-2C9B-4CA3-93A3-FD3D7B53888D}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CS1\Services\Tcpip\..\{4C7D8A35-2831-4237-B76E-A4995DB80A15}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CS2\Services\Tcpip\..\{4C7D8A35-2831-4237-B76E-A4995DB80A15}: NameServer = 85.255.115.43,85.255.112.185

Where do you live? Rough location would be fine - US vs... say Amsterdam.

Being that you say you are getting your web requests redirected and you have four (4) name server entries .... for an IP range in Amsterdam....
For IPs that point to default Apache web pages...
http://85.255.112.185/
http://85.255.115.43/

.... no that doesn't look suspicious at all.
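A small triage script for the entries the replies in this thread single out: the O17 NameServer values that send every lookup to resolvers the machine should not be using, the O20 Winlogon Notify entry whose DLL is missing, and the O4 Run value that launches a bare executable from system32. This is an added example, not code from the thread or from HijackThis itself. The allowed resolver networks (private ranges standing in for the router and the ISP's servers) and the extra benign O17 line in the sample are assumptions; the other sample lines are copied from the log above.

```python
"""Triage helper for HijackThis-style log lines (added example)."""
import ipaddress
import re

# Assumption: the resolvers this machine is allowed to use. A real check would
# list the router and the ISP's DNS servers here; private ranges stand in for them.
EXPECTED_RESOLVER_NETS = [
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
]

O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>[0-9.,]+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>\S+)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

# Constructed sample: lines from the log in this thread plus one benign O17 line
# (the all-zero GUID interface pointing at a home router) for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dmpna.exe] C:\WINDOWS\system32\dmpna.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C7D8A35-2831-4237-B76E-A4995DB80A15}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CS1\Services\Tcpip\..\{4C7D8A35-2831-4237-B76E-A4995DB80A15}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.168.1.1
O20 - Winlogon Notify: winuns32 - winuns32.dll (file missing)
""".strip().splitlines()


def is_expected_resolver(ip_text, expected_nets=EXPECTED_RESOLVER_NETS):
    """True if the resolver address lies inside one of the allowed networks."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in expected_nets)


def nameservers(line):
    """Return the resolver addresses listed on an O17 line (empty for other lines)."""
    m = O17_RE.match(line)
    if not m:
        return []
    return [s for s in m.group("servers").split(",") if s]


def triage(log_lines, expected_nets=EXPECTED_RESOLVER_NETS):
    """Scan log lines and return a report dict describing the suspicious entries."""
    report = {"unexpected_nameservers": set(), "o17_keys_affected": 0, "findings": []}
    for raw in log_lines:
        line = raw.strip()
        servers = nameservers(line)
        if servers:
            bad = [s for s in servers if not is_expected_resolver(s, expected_nets)]
            if bad:
                # Each Tcpip interface key (and each control set) is its own line;
                # counting them shows how widely the resolver setting was rewritten.
                report["o17_keys_affected"] += 1
                report["unexpected_nameservers"].update(bad)
            continue
        m = O20_RE.match(line)
        if m and m.group("missing"):
            report["findings"].append(
                ("O20", f"Winlogon Notify '{m.group('name')}' loads {m.group('dll')}, which is missing"))
            continue
        m = O4_RE.match(line)
        if m:
            cmd = m.group("cmd").strip('"').lower()
            # Heuristic: a Run value that points straight at an .exe in system32
            # (not a vendor folder, not a rundll32 call) deserves a closer look.
            if cmd.startswith("c:\\windows\\system32\\") and cmd.endswith(".exe"):
                report["findings"].append(
                    ("O4", f"{m.group('hive')} Run value [{m.group('name')}] launches {m.group('cmd')}"))
    report["unexpected_nameservers"] = sorted(report["unexpected_nameservers"])
    if report["unexpected_nameservers"]:
        report["findings"].append(
            ("O17", f"{report['o17_keys_affected']} Tcpip key(s) send DNS to "
                    + ", ".join(report["unexpected_nameservers"])))
    return report


if __name__ == "__main__":
    for kind, text in triage(SAMPLE_LOG)["findings"]:
        print(f"{kind}: {text}")
```

Running it on the sample prints one finding each for the dmpna.exe Run value, the missing winuns32.dll, and the two Tcpip keys that point DNS at 85.255.115.43 and 85.255.112.185; the router line is left alone. To use it on a real log, replace the allowed networks with the resolvers the ISP actually hands out and feed it the saved HijackThis file line by line.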
 