
Can't get rid of sspmydoom.cih ....

Discussion in 'Virus & Other Malware Removal' started by De Lorimier, Feb 15, 2005.

Thread Status:
Not open for further replies.
  1. De Lorimier

    De Lorimier Thread Starter

    Joined:
    Feb 14, 2005
    Messages:
    9
    I know that there have been a lot of posts about this subject but, since every HijackThis log is different, I would be pleased if someone could help me to handle it...

    here's my log

    and thank you

    Logfile of HijackThis v1.99.0
    Scan saved at 22:15:21, on 2005-02-15
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Logfile of HijackThis v1.99.0
    Scan saved at 22:32:05, on 2005-02-15
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\oodag.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\appmc32.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\winwa32.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Utilisateur\Bureau\Programmes\Ares Lite Edition\Ares.exe
    C:\Documents and Settings\Utilisateur\Bureau\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\oswtt.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\oswtt.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\oswtt.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\oswtt.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\oswtt.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\oswtt.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\oswtt.dll/sp.html#28129
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {372EF314-6508-92AB-732E-258B08992A73} - C:\WINDOWS\d3ws.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [winwa32.exe] C:\WINDOWS\system32\winwa32.exe
    O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
    O4 - HKLM\..\RunOnce: [appmc32.exe] C:\WINDOWS\appmc32.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [areslite] "C:\Documents and Settings\Utilisateur\Bureau\Programmes\Ares Lite Edition\AresLite.exe" -h
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [ares] "C:\Documents and Settings\Utilisateur\Bureau\Programmes\Ares Lite Edition\Ares.exe" -h
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Pages liées - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Pages similaires - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O14 - IERESET.INF: START_PAGE_URL=www.google.ca
    O23 - Service: Service d'administration du Gestionnaire de disque logique - Unknown - C:\WINDOWS\System32\dmadmin.exe
    O23 - Service: Journal des événements - Unknown - C:\WINDOWS\system32\services.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Partage de Bureau à distance NetMeeting - Unknown - C:\WINDOWS\System32\mnmsrvc.exe
    O23 - Service: DDE réseau - Unknown - C:\WINDOWS\system32\netdde.exe
    O23 - Service: DSDM DDE réseau - Unknown - C:\WINDOWS\system32\netdde.exe
    O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\System32\oodag.exe
    O23 - Service: Plug-and-Play - Unknown - C:\WINDOWS\system32\services.exe
    O23 - Service: Gestionnaire de session d'aide sur le Bureau à distance - Unknown - C:\WINDOWS\system32\sessmgr.exe
    O23 - Service: Prise en charge des cartes à puces - Unknown - C:\WINDOWS\System32\SCardSvr.exe
    O23 - Service: Carte à puce - Unknown - C:\WINDOWS\System32\SCardSvr.exe
    O23 - Service: Journaux et alertes de performance - Unknown - C:\WINDOWS\system32\smlogsvc.exe
    O23 - Service: Cliché instantané de volume - Unknown - C:\WINDOWS\System32\vssvc.exe
    O23 - Service: Carte de performance WMI - Unknown - C:\WINDOWS\System32\wbem\wmiapsrv.exe
    O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\system32\nettq.exe (file missing)
     
  2. De Lorimier

    De Lorimier Thread Starter

    Joined:
    Feb 14, 2005
    Messages:
    9
    Well I've scanned with adware and spybots and it doesn't seem to work ...

    Logfile of HijackThis v1.99.0
    Scan saved at 16:27:39, on 2005-02-16
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\oodag.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\appmc32.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\winwa32.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Documents and Settings\Utilisateur\Bureau\Programmes\Ares Lite Edition\Ares.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Utilisateur\Bureau\hijackthis\HijackThis.exe
    C:\WINDOWS\system32\NOTEPAD.EXE

    O2 - BHO: (no name) - {372EF314-6508-92AB-732E-258B08992A73} - C:\WINDOWS\d3ws.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [winwa32.exe] C:\WINDOWS\system32\winwa32.exe
    O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
    O4 - HKLM\..\RunOnce: [appmc32.exe] C:\WINDOWS\appmc32.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [areslite] "C:\Documents and Settings\Utilisateur\Bureau\Programmes\Ares Lite Edition\AresLite.exe" -h
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [ares] "C:\Documents and Settings\Utilisateur\Bureau\Programmes\Ares Lite Edition\Ares.exe" -h
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Pages liées - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Pages similaires - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O14 - IERESET.INF: START_PAGE_URL=www.google.ca
    O23 - Service: Service d'administration du Gestionnaire de disque logique - Unknown - C:\WINDOWS\System32\dmadmin.exe
    O23 - Service: Journal des événements - Unknown - C:\WINDOWS\system32\services.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Partage de Bureau à distance NetMeeting - Unknown - C:\WINDOWS\System32\mnmsrvc.exe
    O23 - Service: DDE réseau - Unknown - C:\WINDOWS\system32\netdde.exe
    O23 - Service: DSDM DDE réseau - Unknown - C:\WINDOWS\system32\netdde.exe
    O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\System32\oodag.exe
    O23 - Service: Plug-and-Play - Unknown - C:\WINDOWS\system32\services.exe
    O23 - Service: Gestionnaire de session d'aide sur le Bureau à distance - Unknown - C:\WINDOWS\system32\sessmgr.exe
    O23 - Service: Prise en charge des cartes à puces - Unknown - C:\WINDOWS\System32\SCardSvr.exe
    O23 - Service: Carte à puce - Unknown - C:\WINDOWS\System32\SCardSvr.exe
    O23 - Service: Journaux et alertes de performance - Unknown - C:\WINDOWS\system32\smlogsvc.exe
    O23 - Service: Cliché instantané de volume - Unknown - C:\WINDOWS\System32\vssvc.exe
    O23 - Service: Carte de performance WMI - Unknown - C:\WINDOWS\System32\wbem\wmiapsrv.exe
    O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\system32\nettq.exe (file missing)
     
  3. mjack547

    mjack547 Malware Specialist

    Joined:
    Sep 1, 2003
    Messages:
    3,181
    A new version of Hijack This has been released so get rid of the old one and
    download from this site http://www.thespykiller.co.uk/downloads.htm

    Then

    Download and unzip or install these programs/applications if you haven't already got them. If you have them, then make sure they are updated and configured as described


    CWshredder from http://www.subratam.org/?page=removal
    Spybot - Search & Destroy from http://security.kolla.de
    Download Adaware SE http://www.lavasoftusa.com/support/download/
    then
    Run CWSHREDDER,

    Close all browser windows, click on the cwshredder.exe then click "FIX" (Not "Scan only") and let it do its thing.
    and make sure you have all of Microsoft security updates

    then reboot &

    Run Spybot S&D

    After installing, first press Online, press search for updates, then tick the updates it finds, then press download updates. Beside the download button is a little down pointed arrow, select one of the servers listed. If it doesn't work or you get an error message then try a different server

    Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

    then reboot &


    Run ADAWARE

    Install the program and launch it.

    First in the main window look in the bottom right corner and click on Check for updates now then click Connect and download the latest reference files.

    From main window: Click Start then under Select a scan Mode tick Perform full system scan.

    Next deselect Search for negligible risk entries.

    Now to scan just click the Next button.

    When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose select all from the drop down menu and click Next)




    Download and install the Micro$oft antispyware BETA from http://www.microsoft.com/athome/security/spyware/software/default.mspx and let it fix anything it finds (when it finds things, please quarantine them rather than delete just in case as it is a beta and occasional False positives happen)

    First press file and check for updates and then run it

    Recent tests suggest that a combination of Adaware & M$AS removes approx 80% of spywares/Adwares, much higher than any other combination




    Run Hijackthis and fix the following items. Be sure all windows are closed except for hijackthis.


    O2 - BHO: (no name) - {372EF314-6508-92AB-732E-258B08992A73} - C:\WINDOWS\d3ws.dll

    O4 - HKLM\..\Run: [winwa32.exe] C:\WINDOWS\system32\winwa32.exe
    O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
    O4 - HKLM\..\RunOnce: [appmc32.exe] C:\WINDOWS\appmc32.exe

    O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\system32\nettq.exe (file missing)

    Reboot in safe mode


    Because XP will not always show you hidden files and folders by default, go to Start > Search and, under "More advanced search options", make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders".

    Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders"
    Click "Apply" then "OK"



    C:\WINDOWS\system32\winwa32.exe
    C:\WINDOWS\System32\tibs5.exe
    C:\WINDOWS\appmc32.exe


    Delete your temporary files:


    In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

    Empty the recycle bin.

    reboot and post a new hijackthis log
     
  4. De Lorimier

    De Lorimier Thread Starter

    Joined:
    Feb 14, 2005
    Messages:
    9
    Well first, thank you for your reply.

    I followed your instructions but I've got a problem with Spybot S&D. When I click on "fix selected problems" the software freezes ... Here is the log ...

    CoolWWWSearch.Aff.Winshow: Bad Favorite (File, nothing done)
    C:\Documents and Settings\Utilisateur\Favoris\Search the web.url


    --- Spybot - Search && Destroy version: 1.3 ---
    2004-11-29 Includes\Cookies.sbi
    2005-02-16 Includes\Dialer.sbi
    2005-02-16 Includes\Hijackers.sbi
    2005-01-11 Includes\Keyloggers.sbi
    2004-05-12 Includes\LSP.sbi
    2005-02-16 Includes\Malware.sbi
    2004-11-29 Includes\Revision.sbi
    2005-02-09 Includes\Security.sbi
    2005-02-16 Includes\Spybots.sbi
    2005-02-16 Includes\Tracks.uti
    2005-02-16 Includes\Trojans.sbi
     
  5. De Lorimier

    De Lorimier Thread Starter

    Joined:
    Feb 14, 2005
    Messages:
    9
    I did it

    here's my log :

    Logfile of HijackThis v1.99.1
    Scan saved at 18:37:01, on 2005-02-16
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\oodag.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\netyp32.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
    C:\WINDOWS\sdkam32.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\DOCUME~1\UTILIS~1\LOCALS~1\Temp\3.tmp.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Documents and Settings\Utilisateur\Bureau\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\uhzlh.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\uhzlh.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\uhzlh.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\uhzlh.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\uhzlh.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\uhzlh.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\uhzlh.dll/sp.html#28129
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {4507B4AA-2E46-3E95-2F9A-913A1B2A5DF7} - C:\WINDOWS\atlaa32.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [sdkam32.exe] C:\WINDOWS\sdkam32.exe
    O4 - HKLM\..\Run: [3.tmp] C:\DOCUME~1\UTILIS~1\LOCALS~1\Temp\3.tmp.exe 1 28129
    O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
    O4 - HKLM\..\Run: [3.tmp.exe] C:\DOCUME~1\UTILIS~1\LOCALS~1\Temp\3.tmp.exe 1 28129
    O4 - HKLM\..\RunOnce: [netyp32.exe] C:\WINDOWS\netyp32.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Pages liées - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Pages similaires - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O14 - IERESET.INF: START_PAGE_URL=www.google.ca
    O15 - Trusted Zone: *.05p.com
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.blazefind.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.scoobidoo.com
    O15 - Trusted Zone: *.searchbarcash.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.static.topconverting.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O15 - Trusted Zone: *.05p.com (HKLM)
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.blazefind.com (HKLM)
    O15 - Trusted Zone: *.clickspring.net (HKLM)
    O15 - Trusted Zone: *.flingstone.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted Zone: *.mt-download.com (HKLM)
    O15 - Trusted Zone: *.my-internet.info (HKLM)
    O15 - Trusted Zone: *.scoobidoo.com (HKLM)
    O15 - Trusted Zone: *.searchbarcash.com (HKLM)
    O15 - Trusted Zone: *.searchmiracle.com (HKLM)
    O15 - Trusted Zone: *.slotch.com (HKLM)
    O15 - Trusted Zone: *.static.topconverting.com (HKLM)
    O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: 206.161.124.130 (HKLM)
    O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
    O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\FICHIE~1\Stardock\mcpstub.dll (file missing)
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\System32\oodag.exe
    O23 - Service: Network Security Service (NSS) (%AF夶À¨) - Unknown owner - C:\WINDOWS\appmc32.exe" /s (file missing)
     
  6. mjack547

    mjack547 Malware Specialist

    Joined:
    Sep 1, 2003
    Messages:
    3,181
    Download CWShredder http://www.intermute.com/spysubtrac...r_download.html
    Close all browser windows,
    Open cwshredder.exe then click "Fix" and let it run.

    download http://www.mvps.org/winhelp2002/DelDomains.inf

    Print this and boot to safe mode

    Right click the DelDomains.inf file and click Install, making sure Internet Explorer is closed. You won't see anything happen. Give it a minute then reboot your PC and post a fresh Hijack This log.

    Note, if you use SpywareBlaster and/or IE/Spyads, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE/Spyads, run the batch file and reinstall the protection.


    Fix these with HJT

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\uhzlh.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\uhzlh.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\uhzlh.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\uhzlh.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\uhzlh.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\uhzlh.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\uhzlh.dll/sp.html#28129
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {4507B4AA-2E46-3E95-2F9A-913A1B2A5DF7} - C:\WINDOWS\atlaa32.dll

    O4 - HKLM\..\Run: [sdkam32.exe] C:\WINDOWS\sdkam32.exe
    O4 - HKLM\..\Run: [3.tmp] C:\DOCUME~1\UTILIS~1\LOCALS~1\Temp\3.tmp.exe 1 28129
    O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
    O4 - HKLM\..\Run: [3.tmp.exe] C:\DOCUME~1\UTILIS~1\LOCALS~1\Temp\3.tmp.exe 1 28129
    O4 - HKLM\..\RunOnce: [netyp32.exe] C:\WINDOWS\netyp32.exe

    O15 - Trusted Zone: *.05p.com
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.blazefind.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.scoobidoo.com
    O15 - Trusted Zone: *.searchbarcash.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.static.topconverting.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O15 - Trusted Zone: *.05p.com (HKLM)
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.blazefind.com (HKLM)
    O15 - Trusted Zone: *.clickspring.net (HKLM)
    O15 - Trusted Zone: *.flingstone.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted Zone: *.mt-download.com (HKLM)
    O15 - Trusted Zone: *.my-internet.info (HKLM)
    O15 - Trusted Zone: *.scoobidoo.com (HKLM)
    O15 - Trusted Zone: *.searchbarcash.com (HKLM)
    O15 - Trusted Zone: *.searchmiracle.com (HKLM)
    O15 - Trusted Zone: *.slotch.com (HKLM)
    O15 - Trusted Zone: *.static.topconverting.com (HKLM)
    O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: 206.161.124.130 (HKLM)
    O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)

    O23 - Service: Network Security Service (NSS) (%AF夶À¨) - Unknown owner - C:\WINDOWS\appmc32.exe" /s (file missing)

    View Hidden Files
    Open Windows Explorer. Go to Tools, Folder Options and click on the View tab.
    Make sure that "Show hidden files and folders" is checked.
    Also uncheck "Hide protected operating system files".
    Now click "Apply to all folders", Click "Apply" then "OK"

    Delete these files


    C:\WINDOWS\sdkam32.exe


    C:\WINDOWS\System32\tibs5.exe


    C:\WINDOWS\netyp32.ex


    Delete your temp folder

    START – RUN – key in %temp% - Edit – Select all – File – Delete
    Empty the recycle bin
    Boot and post a new log
     
  7. De Lorimier

    De Lorimier Thread Starter

    Joined:
    Feb 14, 2005
    Messages:
    9
    Thank you very much ! I think it is fixed, and here's my new log :

    Logfile of HijackThis v1.99.1
    Scan saved at 19:19:01, on 2005-02-16
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\oodag.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Documents and Settings\All Users\Bureau\Maintenances\HijackThis.exe

    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Pages liées - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Pages similaires - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O14 - IERESET.INF: START_PAGE_URL=www.google.ca
    O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\FICHIE~1\Stardock\mcpstub.dll (file missing)
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\System32\oodag.exe
    O23 - Service: Network Security Service (NSS) (%AF夶À¨) - Unknown owner - C:\WINDOWS\appmc32.exe" /s (file missing)
     
  8. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Run HJT again and put a check in the following:

    O23 - Service: Network Security Service (NSS) (%AF夶À¨) - Unknown owner - C:\WINDOWS\appmc32.exe" /s (file missing)

    Close all applications and browser windows before you click "fix checked".

    Restart in safe mode

    Open Windows Explorer. Go to Tools, Folder Options and click on the View tab. Make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files". Now click "Apply to all folders" Click "Apply" then "OK".

    Delete this file: C:\WINDOWS\appmc32.exe

    Reboot.
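
Each round of this thread compares a fix list with the next HijackThis log by eye; the same check scripted, as an added example that is not part of the original thread. `parse_log` and `review` are hypothetical helper names, and the sample data is a subset of the O2/O4/O23 lines copied from the logs above.

```python
import re
from typing import NamedTuple

class Entry(NamedTuple):
    section: str  # HijackThis section code, e.g. "O2", "O4", "O23"
    body: str     # rest of the line, whitespace-normalised
    target: str   # first file path in the body, lower-cased ("" if none)

_LINE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
_PATH = re.compile(r"[A-Za-z]:\\[^\"/,]*?\.(?:exe|dll|ocx)", re.I)

def parse_log(text):
    """Return the set of section entries; header and process list are skipped."""
    entries = set()
    for raw in text.splitlines():
        m = _LINE.match(" ".join(raw.split()))
        if not m:
            continue
        path = _PATH.search(m.group(2))
        entries.add(Entry(m.group(1), m.group(2),
                          path.group(0).lower() if path else ""))
    return entries

def review(before, fix_list, after):
    """Compare the logs taken around one cleaning round.

    persisted: fix-list entries that are still present in the new log
    appeared:  entries the old log did not have, limited to the sections the
               fix list touched (candidates for a respawn under a new name)
    """
    before, fix_list, after = map(parse_log, (before, fix_list, after))
    sections = {e.section for e in fix_list}
    persisted = sorted(fix_list & after)
    appeared = sorted(e for e in after - before if e.section in sections)
    return persisted, appeared

# Lines copied from the thread's logs (subset). O23 is left out of round 1
# because HijackThis 1.99.0 and 1.99.1 print service lines differently.
LOG_1627 = r"""
O2 - BHO: (no name) - {372EF314-6508-92AB-732E-258B08992A73} - C:\WINDOWS\d3ws.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [winwa32.exe] C:\WINDOWS\system32\winwa32.exe
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
O4 - HKLM\..\RunOnce: [appmc32.exe] C:\WINDOWS\appmc32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""
FIX_ROUND1 = r"""
O2 - BHO: (no name) - {372EF314-6508-92AB-732E-258B08992A73} - C:\WINDOWS\d3ws.dll
O4 - HKLM\..\Run: [winwa32.exe] C:\WINDOWS\system32\winwa32.exe
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
O4 - HKLM\..\RunOnce: [appmc32.exe] C:\WINDOWS\appmc32.exe
"""
LOG_1837 = r"""
O2 - BHO: (no name) - {4507B4AA-2E46-3E95-2F9A-913A1B2A5DF7} - C:\WINDOWS\atlaa32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [sdkam32.exe] C:\WINDOWS\sdkam32.exe
O4 - HKLM\..\Run: [3.tmp] C:\DOCUME~1\UTILIS~1\LOCALS~1\Temp\3.tmp.exe 1 28129
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
O4 - HKLM\..\RunOnce: [netyp32.exe] C:\WINDOWS\netyp32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Security Service (NSS) (%AF夶À¨) - Unknown owner - C:\WINDOWS\appmc32.exe" /s (file missing)
"""
FIX_ROUND2 = r"""
O2 - BHO: (no name) - {4507B4AA-2E46-3E95-2F9A-913A1B2A5DF7} - C:\WINDOWS\atlaa32.dll
O4 - HKLM\..\Run: [sdkam32.exe] C:\WINDOWS\sdkam32.exe
O4 - HKLM\..\Run: [3.tmp] C:\DOCUME~1\UTILIS~1\LOCALS~1\Temp\3.tmp.exe 1 28129
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
O4 - HKLM\..\RunOnce: [netyp32.exe] C:\WINDOWS\netyp32.exe
O23 - Service: Network Security Service (NSS) (%AF夶À¨) - Unknown owner - C:\WINDOWS\appmc32.exe" /s (file missing)
"""
LOG_1919 = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Security Service (NSS) (%AF夶À¨) - Unknown owner - C:\WINDOWS\appmc32.exe" /s (file missing)
"""

if __name__ == "__main__":
    rounds = [("round 1", LOG_1627, FIX_ROUND1, LOG_1837),
              ("round 2", LOG_1837, FIX_ROUND2, LOG_1919)]
    for name, before, fixes, after in rounds:
        persisted, appeared = review(before, fixes, after)
        print(name)
        for e in persisted:
            print("  still present:", e.section, "-", e.body)
        for e in appeared:
            print("  new since last log:", e.section, "-", e.body)
```

Entries listed as new are only candidates for review: in round 1 that list also contains `gcasServ`, which is the Microsoft AntiSpyware beta installed between the two logs.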
     

Short URL to this thread: https://techguy.org/331137
