Guide to Removing and Preventing Spyware/Adware/Hijacking/Viruses

Page 22 - Seeking answers? Join the AnandTech community: where nearly half-a-million members share solutions and discuss the latest tech.
Toggle sidebar Toggle sidebar
C

Cfour

Golden Member
Jul 6, 2000
1,486
0
0
www.sternie.com
new log. also something I forgot to post last time was that after ad-aware runs my "My Documents" folder pops up. Strange.

Logfile of HijackThis v1.98.2
Scan saved at 2:48:06 PM, on 12/14/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Aim\aim.exe
C:\WINDOWS\system32\kavkyk.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\qtkgaoenwk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [C:\WINDOWS\qtkgaoenwk.exe] C:\WINDOWS\qtkgaoenwk.exe
O4 - HKCU\..\Run: [EPSON Stylus CX5200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\System32\E_SF5.tmp"
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Aim\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.micros...site.cab?1102886399890

 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
fix these entries in safemode

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [C:\WINDOWS\qtkgaoenwk.exe] C:\WINDOWS\qtkgaoenwk.exe
 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
Hello Sultan,

Before you do anything
1. Make sure that you have extracted HiJackthis to a folder that is isolated before removing anything, for hijackthis makes backups within the folder it is in.
2. Disable system restore, malware can come back through it.
3. Reboot into safe mode.
4. Close all browsers/windows explorer.

fix the following in hijackthis(kill the process in process viewer, if its there)
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
    R3 - URLSearchHook: {B5AB638F-D76C-415B-A8F2-F3CEAC502212} - - (no file)
    F3 - REG:win.ini: run=??? ??? ??? ? ? ?????
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
    O2 - BHO: ZIBho Class - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh309190.dll (file missing)
    O2 - BHO: (no name) - {0A1118CD-8E51-F884-5943-FBCACDD1CBE0} - C:\WINDOWS\System32\xcnohx.dll
    O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
    O4 - HKLM\..\Run: [torst] C:\WINDOWS\torst.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [qLI] C:\documents and settings\umar\local settings\temp\qLI.exe
    O4 - HKLM\..\Run: [BCPC] "C:\Program Files\Bcpc\bcpc.exe"
    O4 - HKLM\..\Run: [b307615ea5cf] C:\WINDOWS\System32\browseui.exe
    O4 - HKLM\..\Run: [44X#L5N5PCTN2Z] C:\WINDOWS\System32\Cyf0o.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [qs2g3mi] msate.exe
    O4 - HKCU\..\Run: [bBtmRgGFh] forenum.exe
    O4 - HKCU\..\Run: [HOTFOON2] C:\Documents and Settings\Umar\Desktop\hotfoon4.exe /h
    O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
    O4 - HKCU\..\Run: [Aopm] C:\Documents and Settings\Umar\Application Data\ertu.exe
    O4 - HKCU\..\Run: [Clvjukjv] C:\WINDOWS\System32\??chost.exe
    O4 - Startup: Banshee Screamer Alarm.lnk = C:\Program Files\Banshee Screamer Alarm\alarm.exe
 
C

Cfour

Golden Member
Jul 6, 2000
1,486
0
0
www.sternie.com
I really don't know what to do here. I keep removing that stuff from HJT, running ad-aware, spybot: S&D, etc.. .spybot has cool www search entries (multiple) that it can't get rid of, ad-aware has a .dll file it can't get rid of in the system32 folder. Here is anotehr HJT log.. is there anything besides the ie.autosearch stuff hiding in there? I keep removing hte ie.autosearch.etc.. stuff but it keeps coming back. Thanks again for your help.

Logfile of HijackThis v1.98.2
Scan saved at 7:52:22 PM, on 12/15/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\kavkyk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\system32\MsgSys.EXE
C:\Aim\aim.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [EPSON Stylus CX5200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\System32\E_SF5.tmp"
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Aim\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.micros...site.cab?1102886399890

 

Mem

Lifer
Apr 23, 2000
21,476
13
81
Logfile of HijackThis v1.98.2
Click to expand...


Just to let you know HijackThis 1.99.0 is out (using it right now) ,also CWShredder is up to 2.12.

I`m trying out Free SpyCleaner 9.2,link. which seems like a good program (only my first day of use) and nice backup for my Ad-adware,Spybot,HiJackThis,SpywareBlaster programs.

Update on SpyCleaner 9.2,not a bad program but you have to pay and upgrade to the "Gold version" that then allows updates and more options,to be fair free version of SpyCleaner has a lot of features, but for the very important updates, it unfortunately does not have.
 
R

Robor

Elite Member
Oct 9, 1999
16,979
0
76
Quick question... I'm cleaning up a major case of Trojan and Malware infestation on a computer of my Dad's friend. I set him up with an older rig with WinXP SP2, Spybot S&D (set to auto update, scan, and fix on boot), and Spywareblaster. It's less than a month later and he's got the worst case I've ever seen. I'll post the HJThis log later. It's very "interesting" as he was obviously browsing some places he shouldn't have been and answering "Yes" to whatever popped up.

Anyway, on to my question. Even after going through the entire process of removing the trojans and malware programs I'm still left with 2 problems:

1. On startup task manager shows multiple instances of "iexplore.exe" (Internet Explorer) despite the fact that it isn't visibly running.

2. His Windows Firewall will not stay running. I can turn it on and restart but after running a while I get the security warning saying the firewall is turned off.

I'm not sure if I'm dealing with an undetected virus/trojan/malware program or a trashed OS.

Any ideas? I've done tons of searching and spent more time than it would've taken to reload from scratch. At this point I just want to understand what's going on.

Thanks!

Rob

One last thing... Shadenfroh for Elite!!!!!!


Here's that guy's original HJThis log...

Logfile of HijackThis v1.99.0
Scan saved at 10:59:23 AM, on 12/18/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Admin\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Admin\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Admin\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Admin\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Admin\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Admin\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 58.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 58.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [VkfSrv32] C:\WINDOWS\vkfsrv.exe
O4 - HKLM\..\Run: [HedSrv32] C:\WINDOWS\hedsrv.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvutg32.exe
O4 - HKLM\..\Run: [DMBF6F] C:\WINDOWS\ncysbv.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [nct] C:\WINDOWS\nct.exe
O4 - HKLM\..\Run: [Software] C:\WINDOWS\system32\Software\software.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\Admin\LOCALS~1\Temp\djtopr1150.exe"
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O4 - Global Startup: Spybot - Search & Destroy.lnk = C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.finefind.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2fucked.biz
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.topconverting.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O16 - DPF: v3cab - http://searchmiracle.com/cab/2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.micros...site.cab?1100834462904
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840.../housecall/xscan53.cab
O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} (VacPro.internazionale_ver4) - http://www.globalphon.com/dial...nternazionale_ver4.CAB
O18 - Filter: text/html - {FEECF0A6-CC09-4D66-9569-ED141F69402D} - C:\WINDOWS\system32\lofiab.dll
O18 - Filter: text/plain - {FEECF0A6-CC09-4D66-9569-ED141F69402D} - C:\WINDOWS\system32\lofiab.dll
O23 - Service: AVG6 Service - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe
 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
Hello Robor,

Before you do anything
1. Download About:buster and update it.
2. Make sure that you have extracted HiJackthis to a folder that is isolated before removing anything, for hijackthis makes backups within the folder it is in.
3. Disable system restore, malware can come back through it.
4. Reboot into safe mode.
5. Close all browsers/windows explorer.

fix the following in hijackthis(kill the process in process viewer, if its there)
  • R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
  • R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Admin\LOCALS~1\Temp\sp.html
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Admin\LOCALS~1\Temp\sp.html
  • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Admin\LOCALS~1\Temp\sp.html
  • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Admin\LOCALS~1\Temp\sp.html
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Admin\LOCALS~1\Temp\sp.html
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
  • R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Admin\LOCALS~1\Temp\sp.html
  • R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
  • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
  • O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 58.dll
  • O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 58.dll
  • O4 - HKLM\..\Run: [VkfSrv32] C:\WINDOWS\vkfsrv.exe
  • O4 - HKLM\..\Run: [HedSrv32] C:\WINDOWS\hedsrv.exe
  • O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvutg32.exe
  • O4 - HKLM\..\Run: [DMBF6F] C:\WINDOWS\ncysbv.exe
  • O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
  • O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
  • O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
  • O4 - HKLM\..\Run: [nct] C:\WINDOWS\nct.exe
  • O4 - HKLM\..\Run: [Software] C:\WINDOWS\system32\Software\software.exe
  • O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
  • O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
  • O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\Admin\LOCALS~1\Temp\djtopr1150.exe"
  • O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
  • O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
  • O15 - Trusted Zone: *.awmdabest.com
  • O15 - Trusted Zone: *.blazefind.com
  • O15 - Trusted Zone: *.c4tdownload.com
  • O15 - Trusted Zone: *.clickspring.net
  • O15 - Trusted Zone: *.crazywinnings.com
  • O15 - Trusted Zone: *.finefind.net
  • O15 - Trusted Zone: *.flingstone.com
  • O15 - Trusted Zone: *.iframe.biz
  • O15 - Trusted Zone: *.iframedollars.biz
  • O15 - Trusted Zone: *.megapornix.com
  • O15 - Trusted Zone: *.mt-download.com
  • O15 - Trusted Zone: *.my-internet.info
  • O15 - Trusted Zone: *.newiframe.biz
  • O15 - Trusted Zone: *.overpro.com
  • O15 - Trusted Zone: *.pizdato.biz
  • O15 - Trusted Zone: *.searchbarcash.com
  • O15 - Trusted Zone: *.searchmiracle.com
  • O15 - Trusted Zone: *.skoobidoo.com
  • O15 - Trusted Zone: *.slotch.com
  • O15 - Trusted Zone: *.slotchbar.com
  • O15 - Trusted Zone: *.sp2admin.biz
  • O15 - Trusted Zone: *.sp2fucked.biz
  • O15 - Trusted Zone: *.topconverting.com
  • O15 - Trusted Zone: *.vse-moe.biz
  • O15 - Trusted Zone: *.windupdates.com
  • O15 - Trusted Zone: *.xxxtoolbar.com
  • O15 - Trusted Zone: *.ysbweb.com
  • O15 - Trusted Zone: *.blazefind.com (HKLM)
  • O15 - Trusted Zone: *.clickspring.net (HKLM)
  • O15 - Trusted Zone: *.crazywinnings.com (HKLM)
  • O15 - Trusted Zone: *.flingstone.com (HKLM)
  • O15 - Trusted Zone: *.iframedollars.biz (HKLM)
  • O15 - Trusted Zone: *.mt-download.com (HKLM)
  • O15 - Trusted Zone: *.my-internet.info (HKLM)
  • O15 - Trusted Zone: *.searchbarcash.com (HKLM)
  • O15 - Trusted Zone: *.searchmiracle.com (HKLM)
  • O15 - Trusted Zone: *.skoobidoo.com (HKLM)
  • O15 - Trusted Zone: *.slotch.com (HKLM)
  • O15 - Trusted Zone: *.slotchbar.com (HKLM)
  • O15 - Trusted Zone: *.topconverting.com (HKLM)
  • O15 - Trusted Zone: *.windupdates.com (HKLM)
  • O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
  • O15 - Trusted Zone: *.ysbweb.com (HKLM)
  • O15 - Trusted IP range: 67.19.185.246
  • O15 - Trusted IP range: 67.19.185.246 (HKLM)
  • O16 - DPF: v3cab - http://searchmiracle.com/cab/2.cab
  • O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} (VacPro.internazionale_ver4) - http://www.globalphon.com/dial...nternazionale_ver4.CAB
  • O18 - Filter: text/html - {FEECF0A6-CC09-4D66-9569-ED141F69402D} - C:\WINDOWS\system32\lofiab.dll
  • O18 - Filter: text/plain - {FEECF0A6-CC09-4D66-9569-ED141F69402D} - C:\WINDOWS\system32\lofiab.dll
  • O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)
  • O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe

Additional Steps

1. Run About:Buster
2. Clear your Temporary Files
3. Remove the following VIA instructions provided:
4.Restart into normal windows



Notes

  • 1. Set your father up with a limited user account.
    2. Uninstall AVG, AVG is horrible against trojans, switch to the freeware AntiVir
    3. Switch from windows firewall to the freeware Sygate Personal Firewall
 
R

Robor

Elite Member
Oct 9, 1999
16,979
0
76
Thanks Schadenfroh...

Actually I've gone through those steps and have everything clean except for those 2 issues. I'll post his current HJThis log. As you can see I've gone to several (Panda, McAfee, and Trend Micro) online virus scanners and checked for problems. All 3 online scanners say he's clean. I uninstalled AVG yesterday and put Symantec Corporate edition on it and set it to check for expanded threats. It found a bunch that Spybot & AdAware missed BTW. I also installed a SpywareGuard.

You can also see the annoying problem with iexplore.exe launching itself. Right now IE isn't running but there's 10 instances in task manager. Windows firewall was shut down as well. Once this system is clean I will remove the IE Icons and set Firefox as the default browser.

What I should do is get a list of pr0n sites and set them all to localhost in his host file...


Logfile of HijackThis v1.99.0
Scan saved at 2:39:04 PM, on 12/19/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE Not a problem - this is me remoted into the system
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\mmc.exe
C:\Installs\Hijack This\HijackThis.exe

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Spybot - Search & Destroy.lnk = C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.micros...site.cab?1103423208359
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840.../housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/mol...2,0,0,4415/mcfscan.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DameWare Mini Remote Control - DameWare Development - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: SAVRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
 
R

Robor

Elite Member
Oct 9, 1999
16,979
0
76
Originally posted by: Schadenfroh
log looks clean. dont know what is causing the IE issue
Click to expand...
That's what I thought as well but thanks for looking. My friend suggested just wiping everything listed in HJThis and rebooting. Can't hurt I guess. Before I started doing online scans I had his HJThis log down to just references to Symantec Antivirus and I can just reinstall that. If that doesn't work I'm going to throw in the towel and reload. Pretty sad considering I've got several hours invested in this system. I hate losing...


 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
it is not a good idea to fix everything in the HJT log if you want your applications to run correctly (like symantec)
 
T

tjr2mental

Member
Jan 19, 2001
179
0
0
ok, so far I have run Adaware, the my nortons antivirus, followed up by CWSHredder. For some reason, I still have all kinds of stuff happening on my pc that should not be. Pop ups like mad, things of that nature.

Here is my hijack this list...

Logfile of HijackThis v1.99.0
Scan saved at 2:54:12 PM, on 12/21/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\Xhrmy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\System32\oicincww.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINDOWS\System32\l?gonui.exe
C:\Documents and Settings\Mental\Application Data\tloh.exe
C:\WINDOWS\System32\wscign32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\System32\winpack.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Mental\LOCALS~1\Temp\Rar$EX00.812\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.co...ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - Default URLSearchHook is missing
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SDWin32 Class - {592A64B0-4DDE-48F9-8F0D-C8991B058A52} - C:\WINDOWS\System32\etoob.dll (file missing)
O2 - BHO: SDWin32 Class - {74CD39D0-C48F-450B-A329-4D49CA74B56D} - C:\WINDOWS\System32\wywlj.dll (file missing)
O2 - BHO: (no name) - {912E7968-B1FB-CE7B-D98A-E3ABAD750299} - C:\WINDOWS\System32\qectxqsu.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [xhrmy] C:\WINDOWS\Xhrmy.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [qwuhijyuzcar] C:\WINDOWS\System32\oicincww.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\System32\stcloader.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdtl.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [dpnmodem] C:\WINDOWS\System32\dpnmodem.exe
O4 - HKCU\..\Run: [winpack] C:\WINDOWS\System32\winpack.exe
O4 - HKCU\..\Run: [Kmav] C:\WINDOWS\System32\l?gonui.exe
O4 - HKCU\..\Run: [Soto] C:\Documents and Settings\Mental\Application Data\tloh.exe
O4 - HKCU\..\Run: [dwotRVe7g] wscign32.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://socrates.gateway.gm.co...mail.gm.com/iNotes.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/14d782aaaaa1f3344506/netzip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840.../housecall/xscan53.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9D8D7672-93FF-417E-9024-C16AD141C50C} (Haunted Control) - http://www.worldwinner.com/gam...48/haunted/haunted.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/downloa...uite/yautocomplete.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.14.21/ttinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

Any help getting my stuff fixed would be awsome.

What do I do next?
 
K

KoolDrew

Lifer
Jun 30, 2004
10,226
7
81
Logfile of HijackThis v1.99.0
Scan saved at 12:06:41 AM, on 12/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\program files\mcafee.com\vso\mcvsshld.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\AT&T\WnClient\Programs\WNConnect.exe
C:\PROGRA~1\AT&T\WnClient\Programs\WNCSMS~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\KS\Local Settings\Temp\hijackthis\HijackThis.exe
C:\WINDOWS\System32\perfctrs.exe
C:\WINDOWS\System32\winpack.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKCU\..\Run: [perfctrs] C:\WINDOWS\System32\perfctrs.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\Run: [WhatPulse] C:\PROGRA~1\WHATPU~1\WHATPU~1.EXE
O4 - HKCU\..\Run: [winpack] C:\WINDOWS\System32\winpack.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} - http://www.easports.com/downlo...s/co...py/iesnoopy.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/284d856c974da2...ip/RdxIE601.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://content.ancestry.com/as...les/...ll/MFImgVwr.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/downl...esse...pDownloader.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{33C6F9FD-C226-4D0D-9C33-B9B625CE41C5}: NameServer = 204.127.160.4 12.102.240.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{33C6F9FD-C226-4D0D-9C33-B9B625CE41C5}: NameServer = 204.127.160.4 12.102.240.2
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
Hello tjr2mental,

Before you do anything
1. Make sure that you have extracted HiJackthis to a folder that is isolated before removing anything, for hijackthis makes backups within the folder it is in.
2. Disable system restore, malware can come back through it.
3. Reboot into safe mode.
4. Close all browsers/windows explorer.

fix the following in hijackthis(kill the process in process viewer, if its there)

Additional Steps
1. Clear your Temporary Files
2. Remove the following VIA instructions provided:
3.Restart into normal windows
 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
Hello KoolDrew,

Before you do anything
1. Make sure that you have extracted HiJackthis to a folder that is isolated before removing anything, for hijackthis makes backups within the folder it is in.
2. Disable system restore, malware can come back through it.
3. Reboot into safe mode.
4. Close all browsers/windows explorer.

fix the following in hijackthis(kill the process in process viewer, if its there)
  • O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
  • O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
  • O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
  • O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
  • O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
  • O4 - HKCU\..\Run: [perfctrs] C:\WINDOWS\System32\perfctrs.exe
  • O4 - HKCU\..\Run: [WhatPulse] C:\PROGRA~1\WHATPU~1\WHATPU~1.EXE
  • O4 - HKCU\..\Run: [winpack] C:\WINDOWS\System32\winpack.exe
  • O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/284d856c974da2...ip/RdxIE601.cab

Additional Steps

1. Clear your Temporary Files
2. Remove the following VIA instructions provided:
[*]Wildtangent via add/remove programs
3.Restart into normal windows
 
B

bsieber

Junior Member
Dec 21, 2004
2
0
0
Hello All,

There is a way to REMOVE VX2 for good. It is fairly easy to do and will require a few downloads of some utility tools. You must have Lavasoft's AdAware Personal SE (freeware) installed. Most of you probably so if you are attempting to remove this nasty BHO. If you don't have AdAware Personal SE, you can obtain this from:

http://www.lavasoft.com/

Next, go the the link below (from the Lavasoft user forum) and follow this EXPLICITILY! It will take a few hours and is not that difficult (I did it and I am NOT a major computer geek). You can do it too! I have no popups, my HiJackThis logs are clean, as are my CWShredder, ETrust PestPatrol Scan, Spybot, AdAware log, and HOSTS file (I'm not taking any more chances after this one! I've installed a few other things prevention softwares too! Good Luck! This WILL BE A SURE FIX IF YOU FOLLOW DIRECTIONS EXACTLY!

http://www.lavasoftsupport.com...ex.php?showtopic=54511
 
C

CaptainSpectacular

Senior member
May 9, 2001
375
0
0
Has anyone seen malware/virii try to disable NAV? I have two computers, both of which have NAV corp edition, but don't seem to be doing anything based on the real time scan stats reporting no files scanned. One computer is v8.x and the other is 9.x. The 8.x machine actually has an "!" over the NAV tray icon, while the other computer looks fine. Both machines will occasionally, but rarely, pop up a small window in the tray reporting that NAV is disabled. Reinstalling has been no help. So far haven't been able to find anythign with the usual adware/spyware/malware clean up tools suggested here. Of note, neither boxes will update their virus definitions. They both appear to do so fine, but the date reported under "last update" never changes. Both boxes also appear to do a manual scan just fine and come out clean.

Thoughts?
 

mechBgon

Super Moderator<br>Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: CaptainSpectacular
Has anyone seen malware/virii try to disable NAV? I have two computers, both of which have NAV corp edition, but don't seem to be doing anything based on the real time scan stats reporting no files scanned. One computer is v8.x and the other is 9.x. The 8.x machine actually has an "!" over the NAV tray icon, while the other computer looks fine. Both machines will occasionally, but rarely, pop up a small window in the tray reporting that NAV is disabled. Reinstalling has been no help. So far haven't been able to find anythign with the usual adware/spyware/malware clean up tools suggested here. Of note, neither boxes will update their virus definitions. They both appear to do so fine, but the date reported under "last update" never changes. Both boxes also appear to do a manual scan just fine and come out clean.

Thoughts?
Click to expand...
You could try use Norton's Intelligent Updater to update the defs. They update it daily. There's more to antivirus software than just definitions, but it might be a start. Or take the drive out, put it in a different computer as a secondary drive, and scan it there, using several different fully-up-to-date antivirus products. Make sure to enable ALL detection options: heuristics, compressed-file scanning, everything.

I would also run Microsoft Baseline Security Analyzer on them and see what dirt it can find on the system's Windows/IE/WMP/MSXML/MDAC patching status, passwords and so on. Taking away the easy targets with proper system lockdown can save your bacon against threats that your preventive software doesn't recognize yet, or at least slow it down.

More resources:

McAfee Stinger goes after just a few very common threats, but it's small enough to fit on floppy.

McAfee beta command-line scanner can be run with the following command line to scan for and help identify stuff: scan.exe /all /analyze /adl /html C:\report.html /manalyze /mime and the results will be put in an HTML file called C:\report.html. EDIT: I guess I should add that you can also use these switches to take action with: /clean or /del or /move <directory to move to>.

Panda online scanner

TrendMicro online scanner

Norton online scanner and portscan

Enable Data Execution Prevention for all software in WinXP, not just the default stuff: illustration of how

and of course there is the suggestion everyone loves to :roll: at: use a Limited/Restricted-User account whenever you can.
 
C

CaptainSpectacular

Senior member
May 9, 2001
375
0
0
well i've gone ahead and uninstalled NAV and gone with kaspersky anti-virus personal trial version and it picked up a couple viruses that NAV never found, so we'll see if that helps any. of course, i never really had any symptoms other than NAV seemingly not working (albeit only on close inspection) and now that's gone, so have i really made an improvement? not really sure. Kaspersky seems nice, but i don't like the interface nearly as much as NAV corp edition. Not to mention that NAV corp is free for me from school and has virus updates without subscription. Maybe i'll try going back to that and see if it starts working again....

the MS security analyzer looks like a cool tool, but didn't help in this particular case. good to know about for sure though.
 
N

niall

Member
Mar 12, 2004
153
0
0
Hi Schadenfroh! Long time I've been around...

My brother's computer has had its IE home page hijacked by richfind.com. After checking here (natch) for information and help in removing it, I have done the following, all without success:
- as per the guide in the OP, updated my brother's Norton AV, Spybot and Ad-Aware to the latest def files, rebooted in safe mode and ran them with CWShredder
- ran the winsock updater
- downloaded and ran Hijackthis, checked the guide, identified all suspect lines and all lines containing richfind, and had it fix them, then closed the computer, counted to ten, powered it back on.

And it's STILL there. The bastard.

I ran HiJackThis once again (it was much smaller), and here's the log. I now need professional outside help!

He runs Win98SE (like me) in French (unlike me) on a Compaq Presario 7469 (shudder... not my idea, and he didn't consult me, but I managed to successfully upgrade his memory!)...


_________________________________________________

Logfile of HijackThis v1.99.0
Scan saved at 14:33:36, on 28/12/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\CPQS\BWTOOLS\SCCENTER.EXE
C:\PROGRAM FILES\ASSISTANTINTERNET\SMARTBRIDGE\MOTIVESB.EXE
C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SYMPATICO CONSUMER\IPCLIENT.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SYMPATICO CONSUMER\IPMON32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.richfind.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.richfind.com/ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sympatico.ca
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.richfind.com/ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.richfind.com/ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.richfind.com/home/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.richfind.com/ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.richfind.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fourni par Service Internet Sympatico
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &amp;Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [cpqns] c:\compaq\cpqinet\cpqnpcss.exe
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ASSIST~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SYMPATICO CONSUMER\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SYMPATICO CONSUMER\IPMon32.exe"
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Fichiers communs\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sympatico.ca
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\PROGRAM FILES\HP\HPCORETECH\COMP\HPUIPROT.DLL

 
T

tarheelmm

Golden Member
Apr 17, 2002
1,207
0
0
Can I get some help on this one? I know I have the mxtarget.dll but cant see it in the reg. I am running a web server so I do know most of the keys. TIA

Logfile of HijackThis v1.99.0
Scan saved at 7:41:06 PM, on 12/28/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\Ati2evxx.exe
C:\pbapps\aventail\connect\as32svc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\AGRSMMSG.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\SM1BG.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\Program Files\IBM\Bluetooth Software\BTTray.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Trillian\trillian.exe
C:\WINNT\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\cmurray\LOCALS~1\Temp2\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\about.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = www-miami:8080
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Setup.Setup1 - {2E65A557-173C-4DE9-860B-28FC5CACA542} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Setup\Setup.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &amp;Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &amp;Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
O4 - HKLM\..\Run: [Win32 Usb Driver] usb32.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\RunServices: [Win32 Usb Driver] usb32.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: BTTray.lnk = C:\Program Files\IBM\Bluetooth Software\BTTray.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &amp;Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&amp;xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IBM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IBM\Bluetooth Software\btsendto_ie.htm
O10 - Unknown file in Winsock LSP: c:\pbapps\aventail\connect\asdns.dll
O12 - Plugin for .rx: C:\Program Files\Internet Explorer\Plugins\npwrqxrx.dll
O12 - Plugin for .rxc: C:\Program Files\Internet Explorer\Plugins\npwrqxrx.dll
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {7261EE42-318E-490A-AE8F-77649DBA1ECA} (JNILoader Control) - http://emeeting.prudential.com...client/STJNILoader.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com...ners/aolim/install.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://ilumin.webex.com/clien...test/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.ilumin.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{5F5EECD4-8F61-419D-9177-35AF9A657A79}: NameServer = 10.250.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{73E357F3-F6BD-4315-955F-B93C6676C5B0}: Domain = ocncty01.md.comcast.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.ilumin.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.ilumin.com
O23 - Service: Assentor Address Processor - Unknown - C:\Program Files\assentor\run\release\bin\addressprocessor.exe
O23 - Service: Assentor Archiver - iLumin - C:\Program Files\assentor\run\release\bin\Archiver.exe
O23 - Service: Aventail Connect - Aventail Corporation - C:\pbapps\aventail\connect\as32svc.exe
O23 - Service: Assentor BulkApprove - Unknown - C:\Program Files\assentor\run\release\bin\BulkApprove.exe
O23 - Service: Assentor Controller - SRA International - C:\Program Files\assentor\run\release\bin\assentorcontroller.exe
O23 - Service: Assentor DataRoutSend - Unknown - C:\Program Files\assentor\run\release\bin\dataroutsend.exe
O23 - Service: AssentorMIME - Ilumin Corp. - C:\Program Files\assentor\run\release\bin\AssentorMIME.exe
O23 - Service: Assentor QStarMgr - iLumin - C:\Program Files\Assentor\run\release\bin\AssentorQStarMgr.exe
O23 - Service: Ati HotKey Poller - Unknown - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Assentor Bloomberg2 Processor - Unknown - C:\Program Files\assentor\run\release\bin\bb2processor.exe
O23 - Service: Assentor Bloomberg Processor - Unknown - C:\Program Files\assentor\run\release\bin\bbprocessor.exe
O23 - Service: Bluetooth Service - WIDCOMM, Inc. - C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Assentor Collator - Unknown - C:\Program Files\assentor\run\release\bin\collator.exe
O23 - Service: Cisco Systems, Inc. VPN Service - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Assentor Database Loader - Unknown - C:\Program Files\assentor\run\release\bin\dbloader.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: DiscoFile - Unknown - C:\Program Files\Discovery\run\release\bin\DiscoFile.exe
O23 - Service: DiscoPDF - Unknown - C:\Program Files\Discovery\run\release\bin\DiscoPDF.exe
O23 - Service: DiscoPrint - Unknown - C:\Program Files\Discovery\run\release\bin\DiscoPrint.exe
O23 - Service: DiscoPST - Unknown - C:\Program Files\Discovery\run\release\bin\DiscoPST.exe
O23 - Service: DiscoSave - Unknown - C:\Program Files\Discovery\run\release\bin\DiscoSave.exe
O23 - Service: DiscoSearch - Unknown - C:\Program Files\Discovery\run\release\bin\DiscoSearch.exe
O23 - Service: Discovery Indexer - Unknown - C:\Program Files\Discovery\run\release\bin\DiscoveryIndexer.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Assentor DocumentRegistrationServer - Unknown - C:\Program Files\assentor\run\release\bin\DocumentRegistrationServer.exe
O23 - Service: DTPPSvc - Unknown - C:\Program Files\assentor\run\release\bin\DTPPSvc.exe
O23 - Service: Assentor Envelope Journaling - Unknown - C:\Program Files\assentor\run\release\bin\EnvelopeJournaling.exe
O23 - Service: IBM PM Service - Unknown - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: IluminSDS - Ilumin Corp. - C:\Program Files\assentor\run\release\bin\iluminSDS.exe
O23 - Service: Assentor IM Link - Unknown - C:\Program Files\assentor\run\release\bin\IMProcessor.exe
O23 - Service: Assentor IM Link 2 - Unknown - C:\Program Files\assentor\run\release\bin\IMProcessor.exe
O23 - Service: Assentor IM Link 3 - Unknown - C:\Program Files\assentor\run\release\bin\IMProcessor.exe
O23 - Service: Assentor IM Link 4 - Unknown - C:\Program Files\assentor\run\release\bin\IMProcessor.exe
O23 - Service: Assentor InternetBloomberg Processor - Unknown - C:\Program Files\assentor\run\release\bin\IBprocessor.exe
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MAILsweeper - Unknown - C:\MSW\Program\MSW.EXE
O23 - Service: Assentor Mail Engine 1 - Unknown - C:\Program Files\assentor\run\release\bin\mengine.exe
O23 - Service: Assentor Mail Engine 2 - Unknown - C:\Program Files\assentor\run\release\bin\mengine.exe
O23 - Service: Assentor Mail Engine 3 - Unknown - C:\Program Files\assentor\run\release\bin\mengine.exe
O23 - Service: Assentor Mail Engine 4 - Unknown - C:\Program Files\assentor\run\release\bin\mengine.exe
O23 - Service: Assentor Mail Engine 5 - Unknown - C:\Program Files\assentor\run\release\bin\mengine.exe
O23 - Service: Assentor Mail Engine 6 - Unknown - C:\Program Files\assentor\run\release\bin\mengine.exe
O23 - Service: Assentor Mail Engine 7 - Unknown - C:\Program Files\assentor\run\release\bin\mengine.exe
O23 - Service: Assentor Mail Engine 8 - Unknown - C:\Program Files\assentor\run\release\bin\mengine.exe
O23 - Service: Assentor Mail Engine 9 - Unknown - C:\Program Files\assentor\run\release\bin\mengine.exe
O23 - Service: Assentor Mail Engine 10 - Unknown - C:\Program Files\assentor\run\release\bin\mengine.exe
O23 - Service: Assentor Mail Engine 11 - Unknown - C:\Program Files\assentor\run\release\bin\mengine.exe
O23 - Service: Assentor Mail Engine 12 - Unknown - C:\Program Files\assentor\run\release\bin\mengine.exe
O23 - Service: Assentor Mail Engine 13 - Unknown - C:\Program Files\assentor\run\release\bin\mengine.exe
O23 - Service: Assentor Mail Engine 14 - Unknown - C:\Program Files\assentor\run\release\bin\mengine.exe
O23 - Service: Assentor Mail Engine 15 - Unknown - C:\Program Files\assentor\run\release\bin\mengine.exe
O23 - Service: Assentor Mail Engine 16 - Unknown - C:\Program Files\assentor\run\release\bin\mengine.exe
O23 - Service: Assentor Mail Engine 17 - Unknown - C:\Program Files\assentor\run\release\bin\mengine.exe
O23 - Service: Assentor Mail Engine 18 - Unknown - C:\Program Files\assentor\run\release\bin\mengine.exe
O23 - Service: Assentor Mail Engine 19 - Unknown - C:\Program Files\assentor\run\release\bin\mengine.exe
O23 - Service: Assentor Mail Engine 20 - Unknown - C:\Program Files\assentor\run\release\bin\mengine.exe
O23 - Service: Assentor Migrator - iLumin - C:\Program Files\Assentor\run\release\bin\Migrator.exe
O23 - Service: MSWRewrite - Ilumin Corp. - C:\Program Files\assentor\run\release\bin\MSWRewrite.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Assentor PurgeServer - Unknown - C:\Program Files\assentor\run\release\bin\PurgeServer.exe
O23 - Service: Assentor Quarantine Manager - Unknown - C:\Program Files\assentor\run\release\bin\quarantinemanager.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Check Point SecuRemote Service - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe

 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
disable system restore and fix the following in safemode, niall

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.richfind.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.richfind.com/ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sympatico.ca
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.richfind.com/ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.richfind.com/ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.richfind.com/home/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.richfind.com/ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.richfind.com/ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
 
D

deadmanwalkin

Junior Member
Dec 30, 2004
2
0
0
Hi, this is Scott (deadmanwalkin).. and I feel like that now after the headache this Search200 is giving me. Im not very computer savey (when it comes to dealing with the inner workings and files) so please bear with me if I continue to ask questions. Search200 has hijacked my IE for a while now.. and I've been able to work around it.. but as of today.. it popped on my IE again (probably never really left) and has also installed icon on my desktop that I cannot remove. I've downloaded "Hijack This" and here is what the log says. Any help will be greatly appreciated... and what you guys/gals are doing here is awesome. Thanks!

Hijack This Log
Logfile of HijackThis v1.99.0
Scan saved at 09:32, on 12/30/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\khooker.exe
C:\Program Files\AltoSoftware\AltoBlockAll\netdetect.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\adobe\acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Aladdin Systems\StuffIt\stuffit.exe
C:\Documents and Settings\Scott\My Documents\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.bkuglgkuntrged.net/...KIbmXhMLypqNOVHI0_.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.co.../ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.auubwpakkpbfh.uk/ww...AGpm1G9l/Dj/32awE.html"); (C:\Documents and Settings\Scott\Application Data\Mozilla\Profiles\default\gsegd3c8.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_04.src"); (C:\Documents and Settings\Scott\Application Data\Mozilla\Profiles\default\gsegd3c8.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {28FF5A11-D062-927D-C05A-68BF6E88413D} - C:\DOCUME~1\Scott\APPLIC~1\GRIDMA~1\MULTI COPY.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {733CAFB7-4DBC-9625-9663-7359AA5DD9F1} - C:\DOCUME~1\Scott\APPLIC~1\GRIDMA~1\MULTI COPY.exe
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FCADC1D4-B4D6-488A-9812-CDBE1E6D37EB} - C:\WINDOWS\System32\ba_iehlpr.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [Alto Block All NetDetect Agent] "C:\Program Files\AltoSoftware\AltoBlockAll\netdetect.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [log platform ante ping] C:\Documents and Settings\All Users\Application Data\Sign five log platform\COPY FLAG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Site rule enc audio] C:\Documents and Settings\All Users\Application Data\anti bend site rule\phoneplan.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [Viewping] C:\DOCUME~1\Scott\APPLIC~1\MAPIER~1\GreyPeak.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\adobe\acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &amp;AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/downloa...installs/yinst0401.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.7.16/ttinst.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_dow...o_Installer/dwnldr.cab
O16 - DPF: {FF054BED-D972-4215-897E-726C3488DDBB} (sonyctl.sonycm) - http://supportcentral.sel.sony...n/download/sonyctl.CAB
O23 - Service: Alto Block All Service - AltoSoftware - C:\Program Files\AltoSoftware\AltoBlockAll\AltoBlockAll.exe
O23 - Service: Alto NetDetect Service - Unknown - C:\Program Files\AltoSoftware\AltoBlockAll\netdetect.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Iomega Active Disk - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
disable system restore and fix the following in safemode, niall
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\about.htm
R3 - Default URLSearchHook is missing
O2 - BHO: Setup.Setup1 - {2E65A557-173C-4DE9-860B-28FC5CACA542} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Setup\Setup.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
O4 - HKLM\..\Run: [Win32 Usb Driver] usb32.exe
O4 - HKLM\..\RunServices: [Win32 Usb Driver] usb32.exe
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com...ners/aolim/install.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://ilumin.webex.com/clien...test/webex/ieatgpc.cab
 
You must log in or register to reply here.

TRENDING THREADS

COMPANY
RESOURCES
FOLLOW
Top Bottom
sale-70-410-exam    | Exam-200-125-pdf    | we-sale-70-410-exam    | hot-sale-70-410-exam    | Latest-exam-700-603-Dumps    | Dumps-98-363-exams-date    | Certs-200-125-date    | Dumps-300-075-exams-date    | hot-sale-book-C8010-726-book    | Hot-Sale-200-310-Exam    | Exam-Description-200-310-dumps?    | hot-sale-book-200-125-book    | Latest-Updated-300-209-Exam    | Dumps-210-260-exams-date    | Download-200-125-Exam-PDF    | Exam-Description-300-101-dumps    | Certs-300-101-date    | Hot-Sale-300-075-Exam    | Latest-exam-200-125-Dumps    | Exam-Description-200-125-dumps    | Latest-Updated-300-075-Exam    | hot-sale-book-210-260-book    | Dumps-200-901-exams-date    | Certs-200-901-date    | Latest-exam-1Z0-062-Dumps    | Hot-Sale-1Z0-062-Exam    | Certs-CSSLP-date    | 100%-Pass-70-383-Exams    | Latest-JN0-360-real-exam-questions    | 100%-Pass-4A0-100-Real-Exam-Questions    | Dumps-300-135-exams-date    | Passed-200-105-Tech-Exams    | Latest-Updated-200-310-Exam    | Download-300-070-Exam-PDF    | Hot-Sale-JN0-360-Exam    | 100%-Pass-JN0-360-Exams    | 100%-Pass-JN0-360-Real-Exam-Questions    | Dumps-JN0-360-exams-date    | Exam-Description-1Z0-876-dumps    | Latest-exam-1Z0-876-Dumps    | Dumps-HPE0-Y53-exams-date    | 2017-Latest-HPE0-Y53-Exam    | 100%-Pass-HPE0-Y53-Real-Exam-Questions    | Pass-4A0-100-Exam    | Latest-4A0-100-Questions    | Dumps-98-365-exams-date    | 2017-Latest-98-365-Exam    | 100%-Pass-VCS-254-Exams    | 2017-Latest-VCS-273-Exam    | Dumps-200-355-exams-date    | 2017-Latest-300-320-Exam    | Pass-300-101-Exam    | 100%-Pass-300-115-Exams    |
http://www.portvapes.co.uk/    | http://www.portvapes.co.uk/    |